"Failed to resolve sid by dc"


9 replies to this topic

#1 acatic


Posted 15 June 2017 - 07:39 PM

My ALE (v4.1.417.0 running on Server 2012 R2) does not send email alerts for lockouts that happen on Windows machines.  In the 'ALEService' log file, it generates "Failed to resolve sid by dc SERVERNAME". 

 

Four internal DCs are monitored (3 are 2012 R2, 1 is 2008 R2), and they all show Connection as 'OK'.  Also, ALE detects the lockouts, and processes unlocks.  It just doesn't email the notifications for Windows-based lockouts.

 

It does send notifications when a user locks out on a non-domain device via RADIUS.

 

The timing of this coincided with my Netwrix service account being put into a 'Deny Local Logon' policy, while still retaining domain admin permissions.

 

I had since reverted that change, but still no notifications. 

 

SMTP is fine; ALE is running on the SMTP server itself, and uses the same SMTP settings as Auditor, installed on same machine. 

 

Thanks for any assistance in getting my helpful notifications back. 



#2 jeffb


Posted 16 June 2017 - 01:19 PM

Hello,

 

Could you go to www.netwrix.com/upload and upload the ALEService.log file referenced above?  In the body of the message for upload just put ATTN: ALE Forums.  Thanks!

 

-Jeff



#3 acatic


Posted 26 June 2017 - 04:34 PM

Files uploaded now, thank you!  (Sorry, was on vac last week. :) )



#4 jeffb


Posted 27 June 2017 - 01:53 PM

Sorry, I don't see them, but that upload service has changed quite a bit so it can be harder to find them now. :(

 

What is the domain name in the email address that uploaded the files?

 

-Jeff



#5 acatic


Posted 27 June 2017 - 03:29 PM

niagaraparks.com

 

I can forward you the URL that hightail emailed me in its upload confirmation. 

 

Thanks for all efforts!



#6 acatic


Posted 27 June 2017 - 03:39 PM

PS, is it possible to have email notifications of forum posts?



#7 jeffb


Posted 28 June 2017 - 01:05 PM

You can follow the forum thread as seen at the top of this page:

 

http://prntscr.com/fp5qk5

 

By the way, our alerts for our upload service are working now, so just go ahead and re-upload and I will see them.

 

-Jeff



#8 acatic


Posted 06 July 2017 - 07:22 PM

Oh dear.  Ok, I just got back to this.  Also, I now selected to 'Follow this topic'.  (I'm used to thread notifications being on by default at other forums, sorry.)

 

I've now uploaded a new file. 

 

VIEW FILES

 

I just deleted one aleservice.log this week as it reached 30GB.  I don't have a record of the original one that I uploaded.  The current one is only 840KB.  Let's see if it has what we need.

 

Thanks for all help!



#9 jeffb


Posted 07 July 2017 - 01:19 PM

Is the server you have ALE on in the niagaraparks.nf domain?  Since there are multiple DCs that cannot be resolved, this is indicative of a lack of a 2-way trust between 2 domains or a DNS issue.

 

-Jeff



#10 acatic


Posted 07 July 2017 - 01:22 PM

Single domain here, and that server is on it.  The server also acts as our central internal SMTP server.  ALE shows all four of our domain controllers with a green checkmark.  Thoughts?

 

Thanks for all efforts and insight!





