Lepide Software
LepideAuditor Suite
TROUBLESHOOTING GUIDE

This document explains the troubleshooting of the common issues that may appear while using LepideAuditor Suite.
Copyright

LepideAuditor Suite, LepideAuditor App, LepideAuditor App Server, LepideAuditor Suite (Web Console), LepideAuditor Logon/Logoff Audit Module, any and all components, any and all accompanying software, files, data and materials, this Configuration Guide, and other documentation are copyright of Lepide Software Private Limited, with all rights reserved under the copyright laws. This user guide cannot be reproduced in any form without the prior written permission of Lepide Software Private Limited. No Patent Liability is assumed, however, with respect to the use of the information contained herein. Lepide Software Private Limited, All Rights Reserved.

Warranty Disclaimers and Liability Limitation

LepideAuditor Suite, LepideAuditor App, LepideAuditor App Server, LepideAuditor Suite (Web Console), LepideAuditor Logon/Logoff Audit Module, any and all components, any and all accompanying software, files, data and materials, are distributed and provided AS IS and with no warranties of any kind, whether expressed or implied. In particular, there is no warranty for any harm, destruction, impairment caused to the system where these are installed. You acknowledge that good data processing procedure dictates that any program, listed above, must be thoroughly tested with non-critical data before there is any reliance on it, and you hereby assume the entire risk of all use of the copies of LepideAuditor Suite and the above listed accompanying programs covered by this License. This disclaimer of warranty constitutes an essential part of this License. In addition, in no event does Lepide Software Private Limited authorize you or anyone else to use LepideAuditor Suite and the above listed accompanying programs in applications or systems where LepideAuditor Suite and the above listed accompanying programs' failure to perform can reasonably be expected to result in a significant physical injury, or in loss of life.
Any such use is entirely at your own risk, and you agree to hold Lepide Software Private Limited harmless from any and all claims or losses relating to such unauthorized use.

Trademarks

LepideAuditor Suite, LepideAuditor App, LepideAuditor App Server, LepideAuditor Suite (Web Console), LepideAuditor Logon/Logoff Audit Module, LepideAuditor for Active Directory, LepideAuditor for Group Policy Object, LepideAuditor for Exchange Server, LepideAuditor for SQL Server, LepideAuditor SharePoint, Lepide Object Restore Wizard, Lepide Active Directory Cleaner, Lepide User Password Expiration Reminder, and LiveFeed are registered trademarks of Lepide Software Pvt Ltd.
All other brand names, product names, logos, registered marks, service marks and trademarks (except above of Lepide Software Pvt. Ltd.) appearing in this document are the sole property of their respective owners. These are used for informational purposes only. We have compiled a list of such trademarks, but it is possible that a few of them are not listed here.

Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 2000 Server, Windows 2000 Advanced Server, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Exchange Server 2003, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, SharePoint Server, SharePoint Server 2010, SharePoint Foundation 2010, SharePoint Server 2013, SharePoint Foundation 2013, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2005 Express Edition, SQL Server 2008 Express, SQL Server 2008 R2 Express, SQL Server 2012 Express, SQL Server 2014 Express, .NET Framework 4.0, .NET Framework 2.0, Windows PowerShell are registered trademarks of Microsoft Corporation. Intel and Pentium are registered trademarks of Intel Corporation.

Contact Information

Email: sales@lepide.com
Website: http://www.lepide.com
Table of Contents

Introduction
Related Documents
Why the auditing logs are not being displayed in LepideAuditor Suite after installing it?
The user is facing issues in dealing with multiple domain controllers.
Problem in adding domain controller as LepideAuditor Suite is not resolving the IP Address automatically.
The user is facing issues in uninstalling or upgrading the agent on the server.
The user is not able to perform the change auditing of the added domain(s).
The auditing of a domain is still not enabled even after clicking Enable Audit while adding/ modifying the domain.
Logon and Logoff events are not being monitored.
Non-owner accesses to some or all mailboxes are not being audited.
Auditing logs are not being generated for Group Policy Management Console.
No logs are being collected or displayed for Health Monitoring of Windows Server 2003 or 2003 R2. How to fix this issue?
Which Health Monitoring Reports will not be displayed for Exchange Server 2003?
LepideAuditor Suite is not performing any audit. SQL Server Management Studio shows (suspect) status for the database.
What are the pre-requisites to add a SharePoint Server?
Error "Provided IP is already added" while adding a SharePoint Server.
There is no monitoring and no collection of changes of SharePoint Server.
Error "SharePoint Agent is not running" in Change Capture Current Status in the Dashboard Tab.
Error "The agent could not be connected to SQL Server" appears in Change Capture Current Status in the Dashboard Tab.
The software is not responding or taking a long time during the data collection.
Reports and alerts are not being generated for SharePoint Server even if software is able to collect the changes.
There is no monitoring and no auditing of the particular sites of SharePoint Server.
No Report is being generated for an already added domain. Event Viewer is displaying Event ID 521 "Unable to log events to security log with Status code: 0xc0000008".
Support
Introduction

As with other software, users may face some problems and errors while using LepideAuditor Suite. The common errors, problems, and their resolution or workaround steps are detailed in this Guide.

You can refer to the following guides to deal with the product's installation, activation, and configuration.

Installation & Activation Guide - http://www.lepide.com/installationguide/lepideauditorsuite.pdf
Configuration Guide - http://www.lepide.com/configurationguide/auditor-suite-configuration-guide.pdf
System Requirements - http://www.lepide.com/lepideauditor/documentation/#tab-2

After installing, activating, and configuring LepideAuditor Suite, it can be used for performing change auditing, health monitoring, and object restoration. You can refer to the preinstalled Help Manual to get the exact steps for performing any action.

Related Documents

Data Sheet - http://www.lepide.com/datasheet/lepideauditorsuite.pdf
Release History - http://www.lepide.com/lepideauditor/release-history.html
FAQ - http://www.lepide.com/lepideauditor/faq.html
Enable Auditing Manually - http://www.lepide.com/configurationguide/auditor-suite-enable-auditing-manually.pdf
Enable logon/logoff Monitoring - http://www.lepide.com/configurationguide/auditor-suite-enable-logon-logoff-monitoring.pdf
Configure Mailbox Auditing - http://www.lepide.com/configurationguide/auditor-suite-configure-mailbox-auditing.pdf

Let us have a look at the common problems or error messages that may appear while using LepideAuditor Suite.
Why the auditing logs are not being displayed in LepideAuditor Suite after installing it?

Please make sure that auditing is enabled properly on the added domain. Click here to know the steps in detail. If auditing is enabled, then follow the steps below.

1. Go to the Server.
2. Open its Event Viewer and check "Security" logs.
3. Please check for the following event IDs.
   a. Event ID 4662 for Windows Server 2008 and later Server OS
   b. Event ID 566 for Windows Server 2003 family
4. If these events are not being generated, then auditing is either not enabled or is being disabled automatically at frequent intervals. This can be because of a Group Policy applied on the server.
5. To rectify this issue, run "GPMC.msc" from Run or a CMD prompt to open Group Policy Management Console.
Figure 1: Group Policy Objects in GPMC
6. Browse to root node > Forest > Domains > www.domain.com > Group Policy Objects. This will list all Group Policy Objects for the domain.
7. Now, you have to perform the following steps on all Group Policy Object nodes listed under Group Policy Objects.
   a. Right click on a GPO.
   Figure 2: Right click on a GPO
   b. Select "Edit" option. This will open "Group Policy Management Editor".
   c. Go to "Default Domain Controllers" > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
   d. Selecting "Security Options" will list all its Group Policies in the right panel.
   e. Double click "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". This will open "Properties" box for this policy.
   Figure 3: Properties of Group Policy
   f. Make sure that the "Define this policy" check box is unchecked and that the "Enable" and "Disable" options are disabled.
   g. If not, uncheck "Define this policy setting".
   Figure 4: Configuring policy to not defined
   h. Click "Apply" and "OK" buttons to close the dialog box.
   i. Close Group Policy Management Editor window.
8. Follow the above steps for all nodes under Group Policy Objects. In our case, these steps are performed again for "Default Domain Policy" and "Logon Logoff by LepideAuditor", so they have to be performed on the following policies.
   - Default Domain Controllers Policy
   - Default Domain Policy
   - Logon Logoff by LepideAuditor
9. Close "Group Policy Management Console".
10. Now go to the software's "Settings" tab > "Component Management", right click on "Domain" node and click "Properties". This will show the wizard to modify the domain's listing.
Figure 5: Wizard to modify domain
11. Click button.
12. This will enable domain auditing. If you face any error, then please refer to Guide to Enable Auditing Manually.
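The checks in steps 2 to 8 can also be run from PowerShell on a domain controller. This is an added example, not part of the Lepide guide; it assumes Windows Server 2008 or later, an elevated session and the GroupPolicy module that installs with GPMC, and the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the Lepide guide). Run elevated on a domain controller.
# Assumptions: Windows Server 2008 or later; GroupPolicy module present (ships with GPMC).

$hours = 24   # look-back window, arbitrary choice for this example

# Steps 2-3: are Event ID 4662 records reaching the Security log?
$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue)
if ($events.Count -gt 0) {
    'Event ID 4662 present; newest record at {0}' -f $events[0].TimeCreated
} else {
    "No Event ID 4662 in the last $hours hours: auditing is off or is being reset."
}

# Current audit subcategory settings for directory service access.
auditpol /get /category:"DS Access"

# Steps 7e-7g: the policy "Audit: Force audit policy subcategory settings ..." is stored
# in the registry value SCENoApplyLegacyAuditPolicy. Show what is in effect locally.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($null -eq $lsa.SCENoApplyLegacyAuditPolicy) {
    'Override policy on this server: not defined'
} else {
    'Override policy on this server: defined, value {0}' -f $lsa.SCENoApplyLegacyAuditPolicy
}

# Steps 7-8: list the GPOs that define the setting, instead of opening each one.
# Assumption: the XML report names a defined security option by its registry value.
Import-Module GroupPolicy
$defining = @(Get-GPO -All | Where-Object {
    (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'SCENoApplyLegacyAuditPolicy'
})
if ($defining.Count -eq 0) {
    'No GPO in this domain defines the override policy.'
} else {
    $defining | Select-Object DisplayName, Id, ModificationTime
}
```

Any GPO listed by the last command is one where step 7g still has to be applied.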
The user is facing issues in dealing with multiple domain controllers.

There can be any number of domain controllers of a server to be audited. However, you can exclude the domain controllers that are not to be audited while adding the domain in the software or while modifying its listing. Follow the steps below to exclude the unwanted domain controllers.

1. Go to "Settings" tab > "Component Management", select the domain that has to be modified.
2. Click "Advanced Domain Configuration" link in "Actions" pane on right side.
Figure 6: Showing the domain controllers
3. All domain controllers are listed here in the middle section between two headers "Active Directory and Exchange Servers" and "Group Policy Servers".
4. Each domain controller has checkboxes for the following options. Some may appear disabled because they are not applicable.
   a. Change Auditing: It shows status for Change Auditing for added server's Active Directory, Exchange Server, and Group Policy.
   b. Health Monitoring: It shows status for Health Monitoring for added server's Active Directory and Exchange Server.
   c. Non-Owner Mailbox Auditing: It shows status for Non-owner Mailbox Access Auditing for added Exchange Server.
5. Uncheck the change auditing, health monitoring and non-owner mailbox auditing options for the domain controllers, which you do not want to audit.
Figure 7: Selecting the domain controllers
The unchecked domain controllers will not be monitored. Now click "OK" to apply the modifications in the domain's listing.
Problem in adding domain controller as LepideAuditor Suite is not resolving the IP Address automatically.

While adding a domain, LepideAuditor Suite tries to resolve the IP Addresses of its domain controller(s). Sometimes the IP Addresses are not resolved automatically and you may receive the following error.
Figure 8: Warning if the software cannot resolve the IP Addresses
Follow the steps below to fix this issue.

1. While Adding Domain: If you receive the error while adding domain, perform the following steps.
   a. Double click the IP Address fields for the domain controller(s), whose IP Address is being displayed incorrectly.
   Figure 9: Change Collection Settings
   b. Enter the correct IP Address.
   c. Click "Next" to proceed with wizard to add domain.
2. After Adding Domain: Perform the following steps to replace the incorrect IP Address of domain.
   a. Select a domain controller in "Component Management" whose IP Address is being displayed wrong.
   b. Click "Network Settings" link in "Actions" pane to access following dialog box.
   Figure 10: Dialog box to enter correct IP Address of server
   c. Enter the correct IP address for the selected server.
   Figure 11: Showing a sample IP Address
   d. Click "OK" to apply this IP Address. This will take you back to "Component Management".
NOTE: Alternatively, you can click "Properties" to view domain properties and click "IP Settings" to replace the wrong IP Address with a correct one.
The user is facing issues in uninstalling or upgrading the agent on the server.

You have to uninstall the agent from the domain and then reinstall it. Browse the "Uninstall Agent from Domain" page in the Help Manual, which comes preinstalled with the software setup. It explains in detail how to uninstall the agent from the server and then how to reinstall the upgraded version of the agent from the software itself.

The user is not able to perform the change auditing of the added domain(s).

This problem occurs when the option "Enable Audit at Domain Level" is not selected while adding the domain or the Administrator has manually disabled the auditing. You can follow the steps given below to enable the auditing.

1. Go to "Settings" tab > "Component Management", right click on the target domain node.
Figure 12: Option to view domain properties
2. Click "Properties" option to modify the selected domain with the following wizard.
NOTE: You can also select a domain entry and click "Properties" link in "Actions" pane to edit its listing.
Figure 13: Dialog box to modify the domain
3. Click button to enable the auditing.
4. Software will enable the auditing.
The auditing of a domain is still not enabled even after clicking Enable Audit while adding/ modifying the domain.

You may receive the following or another error when the software is not able to enable the auditing at the server for any reason.
Figure 14: Error message for problem in enabling the auditing
In such cases, you have to enable the auditing settings manually at the Windows Server. You can download the guide Enable Logon/Logoff Monitoring for LepideAuditor Suite from http://www.lepide.com/configurationguide/auditor-suite-enable-auditing-manually.pdf. It illustrates the detailed steps to enable auditing at any Windows Server manually.

Logon and Logoff events are not being monitored.

You have to create a customized Group Policy to allow LepideAuditor Suite to monitor the logon and logoff events. You can download the guide Enable Logon/Logoff Monitoring for LepideAuditor Suite from http://www.lepide.com/configurationguide/auditor-suite-enable-logonlogoff-monitoring.pdf. It contains the detailed steps to enable the collection and auditing of logon and logoff events for any Windows Server by LepideAuditor Suite.

Non-owner accesses to some or all mailboxes are not being audited.

While adding a domain, LepideAuditor Suite gives an option to configure the mailbox auditing for Exchange Server. You have to select this option to enable the auditing of the mailboxes. You can download the guide Configuring Mailbox Auditing in LepideAuditor Suite from http://www.lepide.com/configurationguide/auditor-suite-configure-mailbox-auditing.pdf.

Auditing logs are not being generated for Group Policy Management Console.

Before resolving this issue, please make sure that the server computer running Windows Server 2003 meets the following system requirements.

System Requirements to audit Windows Server 2003
- .NET Framework 2.0
- Windows PowerShell 2.0
- GPMC.MSC
- Hotfix of http://support2.microsoft.com/hotfix/kbhotfix.aspx?kbnum=941084&kbln=en-us for Windows Server 2003.

LepideAuditor Suite may face problems and throw an error while performing the Group Policy auditing of Windows Server 2003. It is necessary to install the hotfix 203455 on the domain controllers of Windows Server 2003. Without this hotfix, queries against the Win32_PerfFormattedData_NTDS_NTDS class on domain controllers of Windows Server 2003 will fail with error 0x80041010. Follow the steps given below:

1. Install the Service Pack 2 of Windows Server 2003 for both 32-bit and 64-bit, if not installed earlier.
2. Download the hotfix from http://support2.microsoft.com/hotfix/kbhotfix.aspx?kbnum=941084&kbln=en-us. This URL will display different hotfixes for 64-bit and 32-bit computers.
3. Install the downloaded hotfix named "Fix203455".
4. Start the Command Prompt with administrative rights and execute the following command to refresh WMI.
   wmiadap.exe /f

No logs are being collected or displayed for Health Monitoring of Windows Server 2003 or 2003 R2. How to fix this issue?

Follow the steps below to fix this issue.

1. Download and install the hotfix from Hotfix KB941084.
2. Open Command Prompt after running it as an administrator.
3. Type the following command
   wmiadap.exe /f
4. Restart the server.

Which Health Monitoring Reports will not be displayed for Exchange Server 2003?

The following Health Monitoring reports will not be displayed for Exchange Server 2003.
- Message Queue
- RPC Status
- Replication Status
LepideAuditor Suite is not performing any audit. SQL Server Management Studio shows (suspect) status for the database.

This problem occurs when LepideAuditor Suite is using a database for storing auditing logs and the SQL Server storing that database is closed unexpectedly for any reason. Either the local SQL Server was terminated, or the remote computer where SQL Server is installed rebooted or crashed unexpectedly. In such cases, SQL Server turns the state of the databases that were in use to (suspect). Such suspected databases cannot be used for storing and retrieving data. This is why LepideAuditor Suite will not audit the server(s) whose data is stored in a suspected database. Follow the steps below.

1. Open SQL Server Management Studio of SQL Server, which stores the database(s).
2. Establish the connection using Windows authentication or SQL Server authentication.
3. Expand Database node and access the database that is connected with LepideAuditor Suite for storing logs.
4. Make sure it shows (suspect) as its status.
Figure 15: New Query option for Suspected Database
5. Click New Query button on the toolbar. Alternatively, you can right click on the database and select New Query.
6. This will display the section at right side for executing a query.
7. Copy and paste the following query in this area. Replace DATABASE_NAME with the name of your database.

   -- Clear the suspect flag
   EXEC sp_resetstatus 'DATABASE_NAME';
   -- Emergency mode makes the database readable for the checks below
   ALTER DATABASE [DATABASE_NAME] SET EMERGENCY;
   -- Report consistency errors
   DBCC CHECKDB ('DATABASE_NAME');
   -- Take exclusive access, rolling back open transactions
   ALTER DATABASE [DATABASE_NAME] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
   -- Repair; as the option name says, damaged pages may be discarded
   DBCC CHECKDB ('DATABASE_NAME', REPAIR_ALLOW_DATA_LOSS);
   -- Return the database to normal multi-user access
   ALTER DATABASE [DATABASE_NAME] SET MULTI_USER;
Figure 16: Executing Query
8. Click Execute button on the toolbar to execute the query.
9. This will execute the query and remove suspect status.
10. Right click on the database and select Refresh to refresh its status.

Please check whether LepideAuditor Suite is working now and auditing the domain properly.

What are the pre-requisites to add a SharePoint Server?
SharePoint Server can be added only when you have installed Microsoft System CLR Types for SQL Server 2012 and Microsoft SQL Server 2012 Management Objects Setup at the server where SharePoint is installed. The setup files to install these two add-ons come pre-installed with the software. Perform the following steps.

1. Go to the server and browse the folder where LepideAuditor Suite is installed.
2. Open the folder "Redist" which has different setup files.
3. "x64" folder has the setup files for 64-bit Windows Server, whereas "x86" contains the files for 32-bit Windows Server OS.
4. Open the required folder.
5. Run the setup file "SQLSysClrTypes.msi" to install Microsoft System CLR Types for SQL Server 2012. Follow the onscreen instructions.
6. Run the file "SharedManagementObjects.msi" to install Microsoft SQL Server 2012 Management Objects Setup. Follow the onscreen instructions.
7. Connectivity of LepideAuditor Suite to the Instance of SQL Server, which is interlinked with SQL Server.

Error "Provided IP is already added" while adding a SharePoint Server.

Please provide a new IP Address to add a different server as the provided IP Address is already added in the software.

There is no monitoring and no collection of changes of SharePoint Server.

Cause
There is no connectivity between the Software and the Agent.

Solution
Make sure the computer containing the agent is started and logged on. In addition, it should be connected to the other computer where the LepideAuditor for SharePoint is installed. Try to share the files between these computers for confirming their connectivity.

Error "SharePoint Agent is not running" in Change Capture Current Status in the Dashboard Tab.

Agent is not running on the target SharePoint Server. Try to uninstall and reinstall the agent for SharePoint Server. Please refer to Uninstall Agent from SharePoint page of the Help Manual for detailed steps.

Error "The agent could not be connected to SQL Server" appears in Change Capture Current Status in the Dashboard Tab.

Agent is not connected to SQL Server, which is interlinked with target SharePoint Server. Please perform the following steps one-by-one.
- Verify the user credentials in the agent to login at SQL Server. Are you able to logon with the same credentials on the SQL Server?
- Check connectivity between SharePoint Server and its linked SQL Server.
If SharePoint Server, interlinked SQL Server, and LepideAuditor Suite are on different computers, please check whether these computers can connect to each other over the network.

The software is not responding or taking a long time during the data collection.

There is a problem in establishing the connectivity with the agent, which causes the data collection process to get stuck in a loop and freezes the software. Please check the network connectivity between the computers where the software and the agent are installed. Please restart the software to resolve the freezing issue during data collection.

Reports and alerts are not being generated for SharePoint Server even if software is able to collect the changes.

Cause
Either SharePoint Server is not functioning or the agent is not deployed on it.

Solution
Please check whether SharePoint Server is working properly or not. If yes, then please check whether the target SharePoint Server has the Lepide SP Agent installed on it. Follow the steps below to verify its existence:

1. Select "SharePoint 2010 Central Administration" from the Start Menu.
2. It will open the Central Administration for SharePoint Server in the system's default Web browser.
3. You have to log in with the Administrator's credentials.
4. Go to System Settings > Farm Management > Manage Farm Solutions. It should show the lepidespagent.wsp agent in deployed state as displayed in the following image.
Figure 17: Agent is deployed in SharePoint Server.
5. If this agent is un-deployed, then kindly deploy the agent from the SharePoint Server Settings. If it has been deleted or is not being deployed, then kindly uninstall and reinstall the Agent. Refer to the Uninstall Agent from SharePoint page of Help Manual to know about the steps to uninstall and reinstall SharePoint Agent.

There is no monitoring and no auditing of the particular sites of SharePoint Server.

This is because the auditing settings for a SharePoint Server have been modified in the software. Follow the steps below.
1. Please go to the Settings tab > Component Management.
2. Select the relevant SharePoint Server, and click button. This will show "Modify SharePoint" wizard.
3. Click "Site Collection" in the left panel.
Figure 18: Site Collection Settings in "Modify SharePoint" wizard
4. Check whether the monitoring of the problematic sites is turned on or not.
5. Set the Auditing Settings to monitor all the sites or include the required sites.

No Report is being generated for an already added domain. Event Viewer is displaying Event ID 521 "Unable to log events to security log with Status code: 0xc0000008".

Problem
No report or LiveFeed is generated for an already added domain. Event Viewer for that server is displaying the Event ID 521 "Unable to log events to security log with Status code: 0xc0000008".

Cause
There can be any of the following listed reasons for this issue.
- Event Logs have consumed all available free disk space. There is not enough disk space to record new events.
- Security Event Log has been corrupted.
- AutoBackupLogFiles entities may be missing.

Preferred Solution
It is advised to perform the following solutions one by one and check the status of LepideAuditor Suite after each step.

1. Check the disk space.
2. If disk space is full, then please archive or delete the old events. It is recommended to archive the old events to a separate drive.
3. Backup security.evtx file stored in %SystemRoot%\System32\Winevt\Logs to a safe location. Remove it from the folder so that the server can create a new security.evtx file.
4. Please make sure to enable the option Do not overwrite events (clear log manually) in Event Viewer.
5. Restart the server.

Support

We have an extensive and efficient support system to assist our customers with all issues related to using LepideAuditor Suite. The software comes with an embedded help manual that can be accessed by clicking Help in the software main window. You can also press the F1 key on the keyboard of your computer to access it.
You can access the online help for LepideAuditor Suite at http://www.lepide.com/documentation-center.html

We also offer live support wherein you can chat with our software experts at http://www.lepide.com/support.html

Helpline
To talk on phone with our software experts call:
+91-9818725861
1-866-348-7872 (Toll Free for USA/CANADA)

You can also email us about your queries at:
sales@lepide.com for Sales
support@lepide.com for Support
contact@lepide.com for General Queries
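For the Event ID 521 topic earlier in this guide, the disk space, Security log and AutoBackupLogFiles checks, and the archive step, can be gathered in one pass from PowerShell. This is an added example, not part of the Lepide guide; it assumes an elevated session on the affected server, and the archive folder D:\EventLogArchive is a hypothetical path.

```powershell
# Added example (not from the Lepide guide). Run elevated on the affected server.
$archive = 'D:\EventLogArchive'   # hypothetical folder on a separate drive

# Steps 1-2: free space on the volume that holds the event log files.
$logDir = Join-Path $env:SystemRoot 'System32\Winevt\Logs'
$drive  = (Get-Item $logDir).PSDrive
'Drive {0}: {1:N1} GB free' -f $drive.Name, ($drive.Free / 1GB)

# Security log location, size, fill state and retention mode.
$sec = Get-WinEvent -ListLog Security
$sec | Format-List LogName, LogFilePath, FileSize, MaximumSizeInBytes, IsLogFull, LogMode

# Step 4: LogMode "Retain" corresponds to the Event Viewer option
# "Do not overwrite events (clear log manually)".
if ($sec.LogMode -ne 'Retain') {
    "Security log mode is $($sec.LogMode), not Retain."
}

# Cause list: is the AutoBackupLogFiles value present for the Security log?
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$auto = (Get-ItemProperty -Path $key).AutoBackupLogFiles
if ($null -eq $auto) { 'AutoBackupLogFiles: missing' } else { "AutoBackupLogFiles: $auto" }

# Steps 2-3: export the Security log to the archive folder before removing anything.
if (-not (Test-Path $archive)) { New-Item -ItemType Directory -Path $archive | Out-Null }
$target = Join-Path $archive ('Security-{0:yyyyMMdd-HHmmss}.evtx' -f (Get-Date))
wevtutil epl Security $target
if ($LASTEXITCODE -eq 0) {
    "Archived Security log to $target"
} else {
    "Export failed (exit code $LASTEXITCODE); copy security.evtx by hand as in step 3."
}
```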