"Test failed for agent service account on domain controller. Failed to open the security log" (4235370)

"Test failed for agent service account on domain controller. Failed to open the security log"

Error occurs when attempting to install Active Administrator audit agent: "Test failed for agent service account on domain controller [servername] Failed to open the security log. The network path was not found."

1. The credential used to run the Active Administrator audit agent does not have permission to manage the Security.evt log on the domain controller.
2. "SMB3 Secure Dialect Negotiation" has failed on a Windows 2012 operating system.
3. Remote Registry service is not running on the DC
4. Network communication is blocked
5. Mismatch in patching levels between the Domain Controllers and the Active Administrator server

1. Open the local policies on the Domain Controller and grant the service credential explicit user rights assignment to manage the Security.evt log

2. Add a new DWORD registry key (named: RequireSecureNegotiate) in this location:

  HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
with a value of "2"

Valid values for the key:
  0 – Disabled (Default value)
  1 – Required
  2 – Enabled if needed.

NOTE:  Quest does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 "Description of the Microsoft Windows registry" at Microsoft Support.

 

3. Ensure the Remote Registry service is enabled and running on the DC

4. If the DC is located on a different network, ensure any firewalls are open. Confirm you can access the volumes on the DC from the AA server as the Audit Agent installer is copied from the AA server to the DC and then run on the DC

5. Check and confirm that all of the machines (DCs and AA server) have the same patches applied. For example, the patch KB5003637 locks down remote access to the Event Viewer. If a machine tries to access the Event Viewer on a remote machine with this patch, it will fail if the calling machine does not have the same updates applied. 

To install the agent from the AA console, you need to have ports open for SMB, Service Management, WMI and AD. So you would need to have ports 445, 389, 135 and the RCP Dynmaic ports (Ephemeral Ports). If you want to be able to manage the agent from the AA console (uninstall, upgrade, restart) you will need to keep the previously mentioned ports open. Once the agent is installed it communicates back to the AA database over the SQL port (default is 1433). Microsoft Open Specifications Support Team Blog: http://blogs.msdn.com/b/openspecification/archive/2012/06/28/smb3-secure-dialect-negotiation.aspx