One of our DCs is now giving me a Connection status of "Invalid query" and not returning any results. It was working fine for a long time, then recently this happened. It's a problem because most of our account lockouts have that DC as the originating lock, so I'm barely getting any lockouts showing up in the list anymore from the other two DCs.
I asked our server team, and they said that about a month ago the RID Master, PDC Emulator and Infrastructure Master roles were added to that DC, and the Global Catalog was removed. The Netwrix issue might have started at the same time, or it might have been a couple of weeks later.
What can I have them check/change on the problematic DC?
Could you zip the Tracing folder found here (by default: C:\Program Files (x86)\NetWrix\Account Lockout Examiner\Tracing) and upload it to www.netwrix.com/upload and put ALE Forums in the subject? Thanks!
I made the registry change and went into File > Settings and clicked OK. It said the connection status was OK for a few seconds, and then it went back to "Invalid query". And then back to OK, then back to "Invalid query". And so on.
I would recommend a reboot of the server with ALE installed. And if it does not solve the issue, send us the updated log and an export of the HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner reg key using the same instructions as earlier.
Desktop OS or Server OS doesn't matter, so this shouldn't be a concern.
Run Registry Editor: navigate to Start --> Run, type in regedit and click OK.
Navigate to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS).
Create a new DWORD UseWatcher and set its value to 1.
Restart Netwrix Account Lockout Examiner Service via the Services snap-in.
Give this a shot? An odd one for sure. If that doesn't work, then I will have to give you the query so that you can run it manually against the DCs to reproduce the issue outside of ALE, which should allow a better chance to find a reason online in TechNet or something comparable.
So one of my colleagues is experiencing the same error. I think there's something wrong on the domain controller, not on my workstation. Can you provide a list of settings to check that I can pass to our server team?
One of our server guys finally noticed errors with group policy on the affected server. He restarted the WMI service, I think, and it seems to be working again. Maybe that will help someone else in the future.