Troubleshooting the AD Agent
This troubleshooting guide contains advice regarding:
- Verifying Successful Multi DC Agent Operation
- Installer Crash
- Sync has not been Running for a Client
- 2-way password sync enabled but password changes made in AD are not updated in Passportal
- Two credentials with the same Username
If the information below does not aid in resolving the issue, chances are that the symptoms are caused by a different root issue and will need to be investigated. In such instances, please raise a support case.
Verifying Successful Multi DC Agent Operation
To verify that all agents are installed properly, running and communicating, please perform the following tests:
- On both the Primary and Secondary Agent(s)
- Confirm that the Passportal windows service is installed and running.
- Check the Pserv.log for any recorded errors.
Check Password change detection:
- On the Primary DC, change any test user password and then check:
- ADHook.log to see evidence that the test password change was captured.
- InterAgentChannel.log to view a secure connection being established.
- Lastly open the Pserv.log on the Primary DC to view the password being processed.
- Repeat but instead of changing a test user password on the primary agent do so for every Secondary Agent install.
Each log mentioned above is located in %PROGRAMFILES%\n-able\Passportal Agent\Logs
.
Issue: Installer Crash
When performing an installation of the Windows Agent the application crashes when selecting the install target location.
This is likely due to the account currently signed into not having appropriate access to the Install folder location.
To correct this:
- Go to C:\Program Files\ and right click on the Passportal folder and select Properties.
- Go to the Security Tab, then choose Advanced.
- Change the owner to the account you are currently signed into, and select the check-box to replace the owner on the sub-containers and objects.
- Apply these permissions.
- Attempt to install the Windows Agent again, and it should complete successfully this time.
Issue: Sync has not been Running for a Client
You're seeing that sync has not happened for a client in a couple days.
- Connect to the Primary Domain Controller, and launch the Passportal Application.
- Authenticate with your Passportal credentials on the agent, and select the client you are connected to.
- Note the Passportal Sync credentials from Passportal, and paste them into the agent.
- Save and start the agent, and verify that the sync for the client is now showing as recently synced.
Issue: 2-way password sync enabled but password changes made in AD are not updated in Passportal
Below are the areas to check in order to verify that the 2-way sync meets the prerequisites and is installed correctly:
- Redistribute package of Microsoft C++ 2015 Redistributable on the DC:
- Ensure the following .dll file is present: c:\windows\system32\ADPasswordChangeNotifier.dll
- Three Passportal Registry entries:
- system registry entry
- To enforce the notification password, the password complexity setting must be enabled.
If the redistributable is missing, it can be found on Microsoft's site (install both the x86 and x64 versions):
https://www.microsoft.com/en-us/download/details.aspx?id=52685
[HKEY_LOCAL_MACHINE\Software\Passportal\ADAgentAddress] = 127.0.0.1
[HKEY_LOCAL_MACHINE\Software\Passportal\ADAgentPort] = 7771
[HKEY_LOCAL_MACHINE\Software\Passportal\InstalledByAutoUpdate] = False
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages] = “Notification Packages” is a value of type REG_MULTI_SZ, so it may contain multiple DLL names. There should be among them adpasswordchangenotifier
For example:
rassfm
scecli
adpasswordchangenotifier
If all of these prerequisites are in place, activate the Security Policy Audit Log to trace the events to see what might be happening at the operating system level.
To audit the loading of notification packages:
- Click Start > Administrative Tools > Local Security Policy.
- Expand Local Policies, and then select Audit Policy.
- Double-click Audit System Events.
- Tick the Success and Failure check boxes.
Any errors attributed to the 2-way sync notifier will now appear in Event Viewer > Security logs.
Issue: Two credentials with the same Username
This issue has been resolved as of Agent 3.9.3.0. We recommend to update the Agents where necessary to resolve this issue. If you cannot update the Agent the below will assist in dealing with the issue.
If a second credential entry with the same username has appeared in Passportal, the newest credential entry will be marked as Waiting on Connection.
Disable any second credentials that are showing as Waiting on Connection.
Once the duplicate entries have been disabled in the system, please ensure that your Windows Agent is running the latest version. You can see the version of the agent by launching the Passportal Application on the desktop, then check in the bottom left corner.