返回
-
标题
Tier Zero Objects page does not list any objects after installing the Hybrid Agent as the Tier Zero provider -
说明
After first-time setup and installing the Hybrid Agent as the Tier Zero provider as discussed in the “Configuring Additional components” section of the Security Guardian Current - User Guide, the Tier Zero Objects page continues to display the following:
No Tier Zero Objects
Configure the Hybrid Agent or BloodHound Enterprise to begin scanning your environment. You will continue to see this page until your first collection is completed. -
原因
A successful Tier Zero collection has not completed for the Active Directory Domain(s) assigned to the Hybrid Agents(s). -
解决办法
When assigned the “Collect Active Directory object data” action and first installed, the Hybrid Agent (Quest On Demand On-Premises Agent) will perform a collection of Active Directory objects to determine what objects are Tier Zero. Collection duration is highly dependent upon several factors. Typically, a collection will finish in an hour or less but can take two or more hours in large organizations. Subsequent collections occur every 12 hours since the last collection completed. The amount of time to collect the Active Directory can vary depending on different factors such as:- Number of objects in Active Directory
- Number of Domain Controllers
- Amount of group nesting in Active Directory
- Hybrid agent server performance
- Network latency
- Performance of the domain controller when handling the collection request
The following steps can be used to investigate why a Tier Zero collection has not completed:
1. On Demand “Tenants | Hybrid Agents”, ensure the Hybrid Agent that is assigned to the domain being investigated does not display “Not Configured” for either “Domains” or “Actions”. If “Not Configured” is displayed, perform the following:a. Click “Edit configuration”.
b. In the “Actions” section, ensure that “Collect Active Directory object data” is listed in “Allowed Actions”. If “Collect Active Directory object data” is not listed, perform the following:i. Click “Select Actions”.
ii. Select “Collect Active Directory object data” from the list.
iii. Click the “Select” button.c. In the “Connected Domains” section, ensure the correct domain is listed in “Allowed Domains”. If the correct domain is not listed, perform the following:i. Click “Select Existing”. If there are no domains listed, refer to the “Adding an Active Directory domain” section of the On Demand Global Settings Current - User Guide.
ii. Select the correct domain from the list.
iii. Click the “Select” button.d. Click Save.
e. Ensure a green check mark with a number is displayed for both “Domains” and “Actions”.
2. In “Tenants | Hybrid Agents”, ensure the Hybrid Agent assigned the domain being investigated has an Agent Status of “Connected” and “Enabled”. If “Connected” and “Enabled” is not displayed, perform the following:a. Logon to the computer where the Hybrid Agent is installed.
b. Open Windows Services and ensure the “Quest On Demand On-Premises Agent” is running:i. If the “Quest On Demand On-Premises Agent” is not present, install the agent using the instructions in the “Configuring Additional components” section of the Security Guardian Current - User Guide.
ii. If the “Quest On Demand On-Premises Agent” is present but not running, start the service. If the service fails to start, investigate the reason using the error displayed in the Windows pop-up and the Windows Event Viewer System log.c. Check the Quest On Demand On-Premises Agent log for connection errors:i. Open the Quest On Demand On-Premises Agent log in the installation directory (typically, “<drive>:\QuestAgent\bin\ agentservice.log”)
ii. Look for the log lines:
Attempting to connect to the Azure IoT hub using Primary…
The connection to the IoT Hub was opened successfully
iii. If “The connection to the IoT Hub was opened successfully” is not recorded, the connection to On Demand is likely blocked. The Quest On Demand On-Premises Agent requires an outbound HTTPS (port 443) connection to On Demand.NOTE: The agent connection will use the proxy server settings applied to the service account or computer where it is installed
3. Perform the following to view and investigate the progress of the Hybrid Agent Active Directory data collection:a. In On Demand “Settings | Activity Trail”, locate the “Data collection started” event recorded by the “On Demand Platform” module.
b. Confirm in the Activity Trail if a “Data collection completed” recorded by the “On Demand Platform” module is also recorded.
c. If either the “Data collection started” even is not recorded or the “Data collection completed” event is not recorded and more than an hour has passed since the collection started, perform the following:i. Logon to the computer where the Hybrid Agent is installed.
ii. Open the Quest On Demand On-Premises Agent log in the installation directory (typically, “<drive>:\QuestAgent\bin\ agentservice.log”).
iii. Locate the log line “AD Collection started at <date_and_time>” to confirm if a collection has started. If the log line is not recorded, restart the “Quest On Demand On-Premises Agent” and review the log to confirm it is recorded after the agent is initialized and connected to On Demand.
iv. Within the log, track the progress of different objects being collected with the log lines:
Collection of the <object_name> started.
Collected <object>.
v. The log line “An asynchronous operation has completed successfully.” Will be recorded when a collection has completed.
vi. If the most recent log line in log file is “Collection of the <object_name> started.”, the collection is progressing, and that object type may be taking an extended amount of time to collect.d. If a “Data collection failed” for the “On Demand Platform” module is recorded in the Activity Log, perform the following:i. Logon to the computer where the Hybrid Agent is installed.
ii. Open the Quest On Demand On-Premises Agent log in the installation directory (typically, “<drive>:\QuestAgent\bin\ agentservice.log”).
iii. Locate the most recent copy of the log line “AD Collection started at <date_and_time>”.
iv. Continue reviewing the log for the log line starting with “An unexpected error occurred while”.
v. Use the details in error to investigate while the failure occurred.
NOTE: “Data collection failed” can be recorded if in the Activity Log if the Hybrid Agent or the server it is installed on was shut down at the time of a scheduled collection. There will be a message in the event “Collect AD Data failed. No connected agent was found.” In which case, a collection will start once the Hybrid agent and Server are back online.