Active Directory group resolution fails on some endpoint agents

Article ID: 160558

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You have configured Active Directory user groups for your endpoint agents, but some agents report a group resolution failure when the agent starts. In the agent logs (with the log level raised to FINEST), you may see the error message: [WIN32 ERROR 8250] The server is not operational.

Resolution

Windows returns error code 8250 when the Active Directory (AD) LDAP server does not respond to a query. This has been observed in cases where the network interface needed to reach Active Directory (for example, a wireless adapter or VPN client) is not yet fully operational when the agent service starts.

If group resolution fails, the Endpoint Agent services EDPA and WDP must be restarted on the Endpoint Agent machine once the network is fully online. To work around this, either schedule an automatic restart of the services after login, or make sure that Active Directory is reachable when the services start.

If the problem persists after restarting the EDPA and WDP services, check whether the error "Userenv Error; Event ID 1053: Windows cannot determine the user or computer name (The specified domain either does not exist or could not be contacted)" is present in the Windows Application event log on the Endpoint Agent machine. If it is, ensure that the Endpoint Agent machine's TCP/IP settings include the IP address of the Domain Controller as its DNS server. If they do not, add it and reboot the machine.

The Userenv error (Event ID 1053) should then disappear, and AD user group resolution should work.
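The following PowerShell script is an added example and is not part of this article or of the DLP product; it ties the checks and the workaround above together on an Endpoint Agent machine. It assumes the domain controller name or address is passed in as a parameter, that EDPA and WDP are the service names to restart (as named in the article), and that a scheduled-task name and a two-minute post-logon delay are acceptable; those three values are placeholders you can change. It tests LDAP reachability of the DC (the condition behind error 8250), checks whether any adapter lists the DC as its DNS server, looks for Event ID 1053 in the Application log, restarts the services only when the DC is reachable, and optionally registers the after-login restart the article suggests.

```powershell
<#
  Added example, not from the KB article or the DLP product.
  Run in an elevated PowerShell session on the Endpoint Agent machine.
  Assumptions: -DomainController is supplied by the operator (name or IP);
  EDPA/WDP are the service names from the article; task name and delay are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$DomainController,   # e.g. dc01.corp.example (placeholder)
    [string[]]$ServiceNames = @('EDPA', 'WDP'),         # service names as given in the article
    [switch]$RegisterLogonRestart                       # create the after-login restart task
)

function Test-DcReachable {
    param([string]$Dc)
    # 389/tcp is LDAP. WIN32 ERROR 8250 is what the agent reports when the query gets no answer,
    # so a failed TCP test here matches the failure mode the article describes.
    $r = Test-NetConnection -ComputerName $Dc -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{ DnsResolved = [bool]$r.RemoteAddress; LdapPortOpen = $r.TcpTestSucceeded }
}

function Test-DnsPointsToDc {
    param([string]$Dc)
    # Accept either an IP literal or a host name for the DC.
    $dcAddresses = if ([ipaddress]::TryParse($Dc, [ref]$null)) { @($Dc) }
                   else { (Resolve-DnsName -Name $Dc -Type A -ErrorAction Stop).IPAddress }
    # One row per adapter that has DNS servers configured; IncludesDc is the check the article asks for.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                DnsServers = $_.ServerAddresses -join ', '
                IncludesDc = [bool]($_.ServerAddresses | Where-Object { $dcAddresses -contains $_ })
            }
        }
}

function Get-Userenv1053Events {
    param([int]$Hours = 24)
    # Event ID 1053 in the Application log is the symptom the article says to look for.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1053; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, ProviderName, Message
}

function Register-AgentRestartAtLogon {
    param([string[]]$Names)
    # Restart the agent services a short while after logon, once VPN/wireless has had time to come up.
    $cmd     = ($Names | ForEach-Object { "Restart-Service -Name '$_' -Force" }) -join '; '
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -WindowStyle Hidden -Command `"$cmd`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    $trigger.Delay = 'PT2M'                              # placeholder delay; tune for your network
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'DLP-Agent-Restart-After-Logon' `   # placeholder name
        -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

# --- main flow -------------------------------------------------------------
$reach = Test-DcReachable   -Dc $DomainController
$dns   = Test-DnsPointsToDc -Dc $DomainController
$evts  = Get-Userenv1053Events

$reach | Format-List
$dns   | Format-Table -AutoSize

if (-not $reach.LdapPortOpen) {
    Write-Warning "LDAP (389/tcp) on $DomainController is not reachable; group resolution will fail with error 8250 until it is."
}
if ($dns -and -not ($dns.IncludesDc -contains $true)) {
    Write-Warning "No adapter lists $DomainController as a DNS server; add it to the TCP/IP settings and reboot, as the article describes."
}
if ($evts) {
    Write-Warning "Event ID 1053 was logged $($evts.Count) time(s) in the last 24 hours:"
    $evts | Format-Table -AutoSize
}

# Only restart once the DC is actually reachable; restarting before that just reproduces the failure.
if ($reach.LdapPortOpen) {
    foreach ($s in $ServiceNames) { Restart-Service -Name $s -Force; Write-Host "Restarted $s" }
}
if ($RegisterLogonRestart) { Register-AgentRestartAtLogon -Names $ServiceNames }
```

Run it once interactively (for example `.\Check-DlpAgentAd.ps1 -DomainController dc01.corp.example`) to confirm which of the three conditions applies before changing anything; add `-RegisterLogonRestart` only on machines where the network genuinely comes up after the services do, since the DNS fix is the permanent remedy and the scheduled restart is the workaround.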

A workaround for this issue was tracked under PM-2208 and has been implemented in DLP 14.5.