We have the PRTG Server installed on a 2008 R2 in one of our domains [Domain A] and it monitors the whole network. When it checks Active Directory Replication Errors on a different domain [Domain B] with the appropriate credentials, the PRTG monitor will report a successful check, but the event viewer on the DC will show a lot of audit failures with Event ID 4625 & 4776 (The computer attempted to validate the credentials for an account) showing the server's computer account from Domain A trying to access the DC in Domain B.

Apparently the PRTG monitors the DC with a computer account in addition to the user account, which causes the audit failure. Is there a way to make the PRTG not use the server's computer account while monitoring?


Article Comments

Is the sensor running on a remote probe that monitors the other AD?


Feb, 2017 - Permalink

The sensor is running on a remote probe that is not in the same domain as the AD that I am monitoring; they're not even in the same forest.


Feb, 2017 - Permalink

Okay, you'll probably need to copy C:\Program Files (x86)\PRTG Network Monitor\Sensor System\ADSReplFailuresXML.exe ...to C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML ...and create an EXE/Script (Advanced) sensor with the following parameters:

-c=<IP-or-FQDN-of-your-dc> -n=<replication-neighbour> -u=%windowsdomain\%windowsuser -p=%windowspassword

Make sure that the device has the corresponding Windows credentials configured in its settings. Does that do the trick?


Feb, 2017 - Permalink

I'm sorry but what does your solution do?

Just to be clear, the sensor works and I receive good results, but when I log on to the DC and look in the event viewer there are a lot of 'security audit failure' logs from the remote probe, and I want to know how to stop getting these log events.


Feb, 2017 - Permalink

This should prevent the sensor from receiving any different credentials and may stop those events from being created. If not, you can exclude certain events from being logged.


Feb, 2017 - Permalink
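
Before excluding 4625/4776 events from logging, it is worth confirming that the failures come only from the probe's computer account (account name ending in `$`) and not from other accounts that would be hidden by the same exclusion. The PowerShell below is an added example, not part of the thread or of PRTG; it groups the events by account, source workstation and status, and the names PROBE01, DOMAINA, jdoe and WKS07 are constructed placeholders.

```powershell
# Added example, not PRTG or Microsoft code. PROBE01, DOMAINA, jdoe and WKS07 are
# constructed placeholders; the sample XML mimics the EventData of 4625 and 4776.
function New-SampleEvent([int]$Id, [hashtable]$Data) {
    $fields = ($Data.GetEnumerator() | ForEach-Object {
        '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    '<Event><System><EventID>{0}</EventID></System><EventData>{1}</EventData></Event>' -f $Id, $fields
}

function Get-AuthFailureSummary {
    param([string[]]$EventXml)
    $rows = foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $data = @{}
        foreach ($d in $x.GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # 4625 calls the source host WorkstationName; 4776 calls it Workstation.
        $ws = if ($data.ContainsKey('WorkstationName')) { $data['WorkstationName'] } else { $data['Workstation'] }
        [pscustomobject]@{
            EventId           = [int]$x.GetElementsByTagName('EventID').Item(0).InnerText
            Account           = $data['TargetUserName']
            Workstation       = $ws
            Status            = $data['Status']
            # Computer (machine) accounts have a sAMAccountName ending in '$'.
            IsComputerAccount = ([string]$data['TargetUserName']).EndsWith('$')
        }
    }
    # One output row per distinct event/account/workstation/status, with a count.
    $rows | Group-Object EventId, Account, Workstation, Status, IsComputerAccount |
        Sort-Object Count -Descending |
        ForEach-Object { $g = $_; $g.Group[0] | Select-Object *, @{ n = 'Count'; e = { $g.Count } } }
}

# Constructed sample events: three failures from the probe's computer account, one from a user.
$sample = @(
    (New-SampleEvent 4776 @{ TargetUserName = 'PROBE01$'; Workstation = 'PROBE01'; Status = '0xc0000064' }),
    (New-SampleEvent 4776 @{ TargetUserName = 'PROBE01$'; Workstation = 'PROBE01'; Status = '0xc0000064' }),
    (New-SampleEvent 4625 @{ TargetUserName = 'PROBE01$'; TargetDomainName = 'DOMAINA'; WorkstationName = 'PROBE01'; Status = '0xc000006d' }),
    (New-SampleEvent 4776 @{ TargetUserName = 'jdoe'; Workstation = 'WKS07'; Status = '0xc000006a' })
)
Get-AuthFailureSummary -EventXml $sample | Format-Table -AutoSize

# Against a live DC, feed real events instead of the samples:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4776 } | ForEach-Object { $_.ToXml() }
# Get-AuthFailureSummary -EventXml $xml | Format-Table -AutoSize
```

Rows where `IsComputerAccount` is false, or where the workstation is not the probe host, are failures that a blanket exclusion of these event IDs would also hide.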