AD Tripwires - Troubleshooting
This guide helps resolve common issues encountered during AD Tripwires setup and operation.
Error States
If your AD Tripwire deployment encounters an error, the UI will display error states to help you diagnose and resolve problems.
Domain index showing an error state for a domain.
Error when a tripwire account already exists in Active Directory.
Setup Issues
Domain Policy Import Problems
Problem: GPO import fails or settings don't appear correctly after import.
Solution:
- Verify the extracted folder contains all required files (gpreport.xml, manifest.xml, Backup.xml)
- Ensure you're selecting the correct folder path during import
- Check that you have Domain Admin privileges
- Try creating a new GPO and importing again
Problem: Scheduled task doesn't appear after GPO application.
Solution:
- Force Group Policy update: Run gpupdate /force on domain controllers
- Check GPO link: Verify the policy is linked to Domain Controllers OU
- Verify task scheduler: Open taskschd.msc and look for "IoA Collector" task
- Check event logs for Group Policy errors in Windows Event Viewer
AD Agent Connection Issues
Problem: AD Agent fails to start or connect to domain controllers.
Solution:
- Verify service account permissions are correctly configured
- Check network connectivity between NodeZero runner and domain controller
- Ensure the specified domain controller hostname is accessible
- Verify the service account has necessary permissions to access SYSVOL
Problem: No events appearing in Horizon3 portal.
Solution:
- Verify tripwire accounts are created and configured correctly
- Check that the scheduled task is running on domain controllers
- Test connectivity to the EventAnalytics directory in SYSVOL
- Review AD Agent logs on the NodeZero runner
Account Provisioning Issues
Problem: Failure to create tripwire accounts during provisioning.
Solution:
- Ensure the account used for provisioning has the required permissions. See the Permission Requirements section in the Getting Started guide for detailed information.
- Verify the domain is accessible from the machine running the utility
- Check for naming conflicts with existing accounts
- Review Active Directory permissions and domain policies that might block account creation
Verification Steps
Confirm GPO is Applied
- Open Group Policy Management Console (gpmc.msc)
- Navigate to Domain Controllers OU
- Verify "H3 IoA Policy" appears in the linked GPOs list
- Check GPO status shows as "Enabled"
Verify Scheduled Task
- On each domain controller, open Task Scheduler (taskschd.msc)
- Look for "IoA Collector" task in Task Scheduler Library
- Verify task is enabled and shows recent successful runs
- Check task history for any errors
Confirm Tripwire Accounts
- Open Active Directory Users and Computers (dsa.msc)
- Locate the created tripwire accounts
- Verify account properties match expected configurations:
  - Exposed credential accounts have descriptions with embedded credentials
  - Kerberoastable accounts have Service Principal Names (SPNs) configured
  - AS-REP Roastable accounts have "Do not require Kerberos preauthentication" enabled
Test AD Agent Status
- In Horizon3 portal, navigate to AD Tripwires management
- Verify AD Agent shows as "Active" status
- Check last communication timestamp is recent
- Review any error messages or warnings displayed
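
The GPO, scheduled task, tripwire account and SYSVOL checks above can also be run from PowerShell on a domain controller. This is an added example, not Horizon3 tooling; it assumes the ActiveDirectory and GroupPolicy modules are installed, and the tripwire account names and the EventAnalytics path are supplied by the caller because this guide does not list them.

```powershell
# Added example: read-only checks for the verification steps in this guide.
# Run on a domain controller with the ActiveDirectory and GroupPolicy modules.
param(
    [Parameter(Mandatory)] [string[]]$TripwireAccounts,   # your tripwire account names
    [Parameter(Mandatory)] [string]$EventAnalyticsPath,   # your EventAnalytics directory in SYSVOL
    [string]$GpoName  = 'H3 IoA Policy',                  # GPO and task names as given in this guide
    [string]$TaskName = 'IoA Collector'
)
Import-Module ActiveDirectory, GroupPolicy

function New-Check($Name, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}

# GPO: linked to the Domain Controllers OU and the link is enabled
$dcOu = (Get-ADDomain).DomainControllersContainer
$link = (Get-GPInheritance -Target $dcOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName | Select-Object -First 1
New-Check "GPO link: $GpoName" ($link -and $link.Enabled) "Target: $dcOu"

# Scheduled task: present, not disabled, last run returned 0
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    $ok   = ($task.State -ne 'Disabled') -and ($info.LastTaskResult -eq 0)
    New-Check "Task: $TaskName" $ok "State=$($task.State); LastRun=$($info.LastRunTime); Result=$($info.LastTaskResult)"
} else {
    New-Check "Task: $TaskName" $false 'Not found on this domain controller'
}

# Tripwire accounts: report the properties each tripwire type depends on.
# The description text itself is not printed, only whether one is set.
foreach ($name in $TripwireAccounts) {
    try {
        $u = Get-ADUser -Identity $name -Properties Description, ServicePrincipalName, DoesNotRequirePreAuth
        $detail = 'Enabled={0}; DescriptionSet={1}; SPNs={2}; NoPreAuth={3}' -f $u.Enabled,
            (-not [string]::IsNullOrEmpty($u.Description)),
            $u.ServicePrincipalName.Count, $u.DoesNotRequirePreAuth
        New-Check "Account: $name" $true $detail
    } catch {
        New-Check "Account: $name" $false $_.Exception.Message
    }
}

# SYSVOL: the EventAnalytics directory is reachable from this host
New-Check 'EventAnalytics directory' (Test-Path -LiteralPath $EventAnalyticsPath) $EventAnalyticsPath
```

Compare each account's Detail column against the tripwire type it was provisioned as; the scheduled task check only covers the domain controller the script runs on, so repeat it on each one.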
Common Error Messages
"Access Denied" during provisioning
- Cause: Insufficient privileges for Active Directory operations or SYSVOL access
- Solution: Ensure the account has the following minimum permissions:
  - Active Directory: Create/modify user accounts, set SPNs, and modify user properties
  - SYSVOL Access: Full control permissions to create the EventAnalytics directory and set permissions
  - Alternative: Use Domain Admin account which includes all necessary permissions
"Domain Controller not accessible"
- Cause: Network connectivity or DNS resolution issues
- Solution: Verify hostname, check network connectivity, ensure DNS resolution works
"SYSVOL path not found"
- Cause: Incorrect domain controller configuration or SYSVOL permissions
- Solution: Verify SYSVOL share is accessible and service account has read permissions
Example Alert and Tripwire Account Status
The portal provides visual feedback for tripwire alerts and account status.
Example of tripwire alerts in the NodeZero portal.
Tripwire account details and status.
Error state for a tripwire account.
Getting Additional Help
If you continue experiencing issues:
- Check Portal Logs: Review any error messages in the Horizon3 portal under AD Tripwires status
- Event Viewer: Check Windows Event Logs on domain controllers for related errors
- Contact Support: Provide detailed error messages and steps taken when contacting Horizon3 support
Running Windows Tools
- Press Win+R
- Type tool name in the Open text box
- Click OK or press Enter
Tool Names
- Group Policy Management Console: gpmc.msc
- Windows Task Scheduler: taskschd.msc
- Active Directory Users and Computers: dsa.msc