Skip to content

AD Tripwires - Troubleshooting

This guide helps resolve common issues encountered during AD Tripwires setup and operation.

Error States

If your AD Tripwire deployment encounters an error, the UI will display error states to help you diagnose and resolve problems.

Domain Index - Error

Domain index showing an error state for a domain.

Domain Show - Error Account Exists

Error when a tripwire account already exists in Active Directory.

Setup Issues

Domain Policy Import Problems

Problem: GPO import fails or settings don't appear correctly after import.

Solution:

  1. Verify the extracted folder contains all required files (gpreport.xml, manifest.xml, Backup.xml)
  2. Ensure you're selecting the correct folder path during import
  3. Check that you have Domain Admin privileges
  4. Try creating a new GPO and importing again

Problem: Scheduled task doesn't appear after GPO application.

Solution:

  1. Force Group Policy update: Run gpupdate /force on domain controllers
  2. Check GPO link: Verify the policy is linked to Domain Controllers OU
  3. Verify task scheduler: Open taskschd.msc and look for "IoA Collector" task
  4. Check event logs for Group Policy errors in Windows Event Viewer

AD Agent Connection Issues

Problem: AD Agent fails to start or connect to domain controllers.

Solution:

  1. Verify service account permissions are correctly configured
  2. Check network connectivity between NodeZero runner and domain controller
  3. Ensure the specified domain controller hostname is accessible
  4. Verify the service account has necessary permissions to access SYSVOL

Problem: No events appearing in Horizon3 portal.

Solution:

  1. Verify tripwire accounts are created and configured correctly
  2. Check that the scheduled task is running on domain controllers
  3. Test connectivity to the EventAnalytics directory in SYSVOL
  4. Review AD Agent logs on the NodeZero runner

Account Provisioning Issues

Problem: Failure to create tripwire accounts during provisioning.

Solution:

  1. Ensure the account used for provisioning has the required permissions. See the Permission Requirements section in the Getting Started guide for detailed information
  2. Verify the domain is accessible from the machine running the utility
  3. Check for naming conflicts with existing accounts
  4. Review Active Directory permissions and domain policies that might block account creation

Verification Steps

Confirm GPO is Applied

  1. Open Group Policy Management Console (gpmc.msc)
  2. Navigate to Domain Controllers OU
  3. Verify "H3 IoA Policy" appears in the linked GPOs list
  4. Check GPO status shows as "Enabled"

Verify Scheduled Task

  1. On each domain controller, open Task Scheduler (taskschd.msc)
  2. Look for "IoA Collector" task in Task Scheduler Library
  3. Verify task is enabled and shows recent successful runs
  4. Check task history for any errors

Confirm Tripwire Accounts

  1. Open Active Directory Users and Computers (dsa.msc)
  2. Locate the created tripwire accounts
  3. Verify account properties match expected configurations:
  4. Exposed credential accounts have descriptions with embedded credentials
  5. Kerberoastable accounts have Service Principal Names (SPNs) configured
  6. AS-REP Roastable accounts have "Do not require Kerberos preauthentication" enabled

Test AD Agent Status

  1. In Horizon3 portal, navigate to AD Tripwires management
  2. Verify AD Agent shows as "Active" status
  3. Check last communication timestamp is recent
  4. Review any error messages or warnings displayed

Common Error Messages

"Access Denied" during provisioning

  • Cause: Insufficient privileges for Active Directory operations or SYSVOL access
  • Solution: Ensure the account has the following minimum permissions:
  • Active Directory: Create/modify user accounts, set SPNs, and modify user properties
  • SYSVOL Access: Full control permissions to create the EventAnalytics directory and set permissions
  • Alternative: Use Domain Admin account which includes all necessary permissions

"Domain Controller not accessible"

  • Cause: Network connectivity or DNS resolution issues
  • Solution: Verify hostname, check network connectivity, ensure DNS resolution works

"SYSVOL path not found"

  • Cause: Incorrect domain controller configuration or SYSVOL permissions
  • Solution: Verify SYSVOL share is accessible and service account has read permissions

Example Alert and Tripwire Account Status

The portal provides visual feedback for tripwire alerts and account status.

Tripwire Alerts

Example of tripwire alerts in the NodeZero portal.

Tripwire Show

Tripwire account details and status.

Tripwire Show Error

Error state for a tripwire account.

Getting Additional Help

If you continue experiencing issues:

  1. Check Portal Logs: Review any error messages in the Horizon3 portal under AD Tripwires status
  2. Event Viewer: Check Windows Event Logs on domain controllers for related errors
  3. Contact Support: Provide detailed error messages and steps taken when contacting Horizon3 support

Running Windows Tools

  1. Press Win+R
  2. Type tool name in the Open text box
  3. Click OK or press Enter

Tool Names

  • Group Policy Management Console: gpmc.msc
  • Windows Task Scheduler: taskschd.msc
  • Active Directory Users and Computers: dsa.msc