Connection status of "Invalid query" for one of our DCs



#1 visor

visor

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 03 November 2016 - 03:05 PM

One of our DCs is now giving me a Connection status of "Invalid query" and not returning any results. It was working fine for a long time, then recently this happened. It's a problem because most of our account lockouts have that DC as the originating lock, so I'm barely getting any lockouts showing up in the list anymore from the other two DCs.

 

I asked our server team, they said that about a month ago the RID Master, PDC Emulator and Infrastructure Master roles were added to that DC, and the Global Catalog was removed. The Netwrix issue might have started at the same time, or it might have been a couple weeks later.

 

What can I have them check/change on the problematic DC?



#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • PipPipPip
  • 384 posts
  • Gender:Male

Posted 04 November 2016 - 02:14 PM

Visor,

 

Could you zip the Tracing folder found here (by default: C:\Program Files (x86)\NetWrix\Account Lockout Examiner\Tracing) and upload it to www.netwrix.com/upload and put ALE Forums in the subject?  Thanks!

 

-Jeff



#3 visor


Posted 04 November 2016 - 02:49 PM

Ok, I uploaded it with a subject of "ALE Forums Topic 3199"



#4 jeffb


Posted 09 November 2016 - 01:01 AM

Looks like the program is referring to the event logs created earlier, before restart for example, and fails to complete reading the logs. To fix the issue, do the following:

  1. Open Registry Editor: navigate to Start - Run, enter regedit and click OK.
  2. In the left pane, navigate to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner. The step Wow6432Node is only applied to x64 OS.
  3. In the right pane, double-click readLog, specify 0 in the Value data field and click OK.
  4. In NetWrix Account Lockout Examiner Console main menu bar, navigate to File - Settings and click OK to apply registry changes.

-Jeff



#5 visor


Posted 09 November 2016 - 02:48 PM

I made the registry change and went into File > Settings and clicked OK. It said the connection status was OK for a few seconds, and then it went back to "Invalid query". And then back to OK, then back to "Invalid query". And so on.



#6 jeffb


Posted 14 November 2016 - 12:25 PM

I would recommend a reboot of the server with ALE installed. If it does not solve the issue, send us the updated log and an export of the HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner reg key using the same instructions as earlier.

 

-Jeff



#7 visor


Posted 14 November 2016 - 08:03 PM

I rebooted my desktop. That's what you meant by "server with ALE installed", right? Still says "Invalid query". I uploaded another copy of Tracing, with the .reg file included inside.

 

Edit: To clarify, I have Account Lockout Examiner installed on my desktop computer. It is not installed on a server.



#8 jeffb


Posted 17 November 2016 - 12:34 PM

Desktop OS or Server OS doesn't matter so this shouldn't be a concern.

 

Run Registry Editor: navigate to Start --> Run, type in regedit and click OK.

Navigate to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS).

Create a new DWORD UseWatcher and set its value to 1.

Restart Netwrix Account Lockout Examiner Service via the Services snap-in.

 

Give this a shot? An odd one for sure. If that doesn't work, then I will have to give you the query so that you can run it manually against the DCs to reproduce the issue outside of ALE, which should allow a better chance to find a reason online in TechNet or something comparable.

 

-Jeff



#9 visor


Posted 17 November 2016 - 03:32 PM

Now instead of "Invalid query" it says "Exception from HRESULT: 0xFFFFFFFF"



#10 visor


Posted 05 December 2016 - 06:42 PM

Any update on this? Do you have that query I can try running manually?



#11 visor


Posted 07 December 2016 - 05:49 PM

So one of my colleagues is experiencing the same error. I think there's something wrong on the domain controller, not on my workstation. Can you provide a list of settings to check, that I can pass to our server team?



#12 visor


Posted 09 December 2016 - 03:06 PM

One of our server guys finally noticed errors with group policy on the affected server. He restarted the WMI service, I think, and it seems to be working again. Maybe that will help someone else in the future.
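
Added example, not part of the original posts and not the query ALE runs (that query was never posted in this thread): since the thread ends with a WMI service restart on the DC clearing the error, this Windows PowerShell 5.1 script probes each DC's WMI from the workstation in two stages, so a server-side WMI fault can be shown to the server team independently of ALE. The DC names, the 24-hour window and the WQL text are assumptions made for illustration.

```powershell
# Added example (Windows PowerShell 5.1; Get-WmiObject reaches the DC over DCOM/RPC).
# DC names are constructed placeholders. The WQL is a stand-in, NOT ALE's own query.
Add-Type -AssemblyName System.Management
$DomainControllers = 'dc01.example.test', 'dc02.example.test', 'dc03.example.test'

# Event ID 4740 = "A user account was locked out" (Security log).
# Bound the query by time so it does not walk the entire log.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-24))
$wql   = "SELECT TimeGenerated, InsertionStrings FROM Win32_NTLogEvent " +
         "WHERE Logfile = 'Security' AND EventCode = 4740 AND TimeGenerated >= '$since'"

function Test-DcWmi {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Wql
    )
    $result = [ordered]@{
        DC            = $ComputerName
        BasicWmi      = 'not run'
        EventLogQuery = 'not run'
        Lockouts24h   = $null
    }
    try {
        # Stage 1: a trivial class read proves RPC/DCOM reachability and a responsive WMI service.
        $null = Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem -ErrorAction Stop
        $result.BasicWmi = 'OK'

        # Stage 2: the event-log provider. Reading the Security log through WMI needs the
        # security privilege enabled on the connection, hence -EnableAllPrivileges.
        $events = @(Get-WmiObject -ComputerName $ComputerName -Query $Wql `
                        -EnableAllPrivileges -ErrorAction Stop)
        $result.EventLogQuery = 'OK'
        $result.Lockouts24h   = $events.Count
    }
    catch {
        # Record the failure against whichever stage had not completed yet.
        $detail = '{0} (0x{1:X8})' -f $_.Exception.Message.Trim(), $_.Exception.HResult
        if ($result.BasicWmi -eq 'OK') { $result.EventLogQuery = $detail }
        else                           { $result.BasicWmi      = $detail }
    }
    [pscustomobject]$result
}

$DomainControllers |
    ForEach-Object { Test-DcWmi -ComputerName $_ -Wql $wql } |
    Format-Table -AutoSize -Wrap
```

A DC that fails the first stage has a WMI or DCOM problem regardless of which tool is asking; one that passes the first stage but fails the second narrows it to the event-log query path or to the rights of the account running the script.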





