Error: Unable to get Domain DNS/FLAT names & security package-specific errors in ManageEngine ADAudit Plus


In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • How to reach support

  • Related topics and articles

Issue description  

These errors occur in ManageEngine ADAudit Plus when attempting to add a Domain or Domain Controller. The error messages typically seen are:

  • "Unable to get domain DNS/FLAT names, configure domain with proper credentials."

  • "A security package-specific error occurred, error code: 721."

These errors are caused by communication failures between ADAudit Plus and the Domain Controller, often due to authentication issues, DNS misconfigurations, or firewall restrictions. They occur specifically within the Domain Configuration or Domain Controller Addition module, under the Admin Console > Domain Settings > Add Domain / Add Domain Controller section. This issue primarily affects administrators configuring Active Directory integrations in ADAudit Plus. Any version of ADAudit Plus where required ports are not properly configured can be impacted by this problem.

Prerequisites

Before troubleshooting, ensure:

  • The user account used for integration has domain administrator or equivalent permissions.

  • The domain name is correctly entered (e.g., example.com and not example\com).

  • The application server can communicate with the domain controllers over the required ports.

Possible causes  

  • Active Directory Ports and Protocols Issues – Required ports for communication with Active Directory are not properly configured, leading to installation failures.

  • Firewall and Security Restrictions – Firewall or security group rules are blocking the installation process.

  • DNS Configuration Errors – Incorrect or misconfigured DNS settings prevent proper resolution of the installation path.

  • Duplicate SPNs – Conflicting or duplicate Service Principal Names (SPNs) can interfere with authentication during installation.

  • Insufficient Credentials and Permissions – The SYSTEM account or installer lacks the necessary permissions to write to the installation directory.

  • Service-Related Issues – Dependent services required for installation are not running or need to be restarted.

Resolution

Step 1: Verify active directory ports and protocols  

Ensure the following ports are open and accessible:

| Port | Protocol | Direction | Service | Purpose | Source | Destination |
|---|---|---|---|---|---|---|
| 135 | TCP | Inbound | RPC | For Windows log collection | ADAudit Plus server | Monitored computers |
| 137 | TCP and UDP | Inbound | NetBIOS name resolution RPC/named pipes (NP) | For Windows log collection | ADAudit Plus server | Monitored computers |
| 138 | UDP | Inbound | NetBIOS datagram | For Windows log collection | ADAudit Plus server | Monitored computers |
| 139 | TCP | Inbound | NetBIOS session RPC/NP | For Windows log collection | ADAudit Plus server | Monitored computers |
| 445 | TCP and UDP | Inbound | SMB RPC/NP | For Windows log collection | ADAudit Plus server | Monitored computers |
| 389 | TCP and UDP | Inbound | LDAP | For syncing AD objects with product | ADAudit Plus server | Domain Controllers |
| 636 | TCP | Inbound | LDAP over SSL | For syncing AD objects with product | ADAudit Plus server | Domain Controllers |
| 3268 | TCP | Inbound | Global catalog | For syncing AD objects with product | ADAudit Plus server | Domain Controllers |
| 3269 | TCP | Inbound | Global catalog over SSL | For syncing AD objects with product | ADAudit Plus server | Domain Controllers |
| 88 | TCP | Inbound | Kerberos | For authentication when accessing a domain resource | ADAudit Plus server | Domain Controllers |
| 25 | TCP | Inbound | SMTP | To send emails | ADAudit Plus server | SMTP servers |
| 465 | TCP | Inbound | SSL | To send emails | ADAudit Plus server | SMTP servers |
| 587 | TCP | Inbound | TLS | To send emails | ADAudit Plus server | SMTP servers |
| 49152-65535* | TCP | Inbound | RPC randomly allocated high TCP ports | For Windows log collection | ADAudit Plus server | Monitored computers |

Note: If you are using Windows Firewall, you can open the dynamic ports (49152-65535) on the monitored computers by enabling the inbound rules listed below.

  • Remote Event Log Management (NP-In)

  • Remote Event Log Management (RPC)

  • Remote Event Log Management (RPC-EPMAP)

To enable the above rules: Open Windows Firewall → Advanced settings → Inbound Rules → Right-click the respective rule → Enable Rule.
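The following PowerShell script is an added example (not part of the ManageEngine article) that automates the reachability check for the TCP ports in the table above. Run it on the ADAudit Plus server; the host names in `$domainControllers`, `$monitoredComputers` and `$smtpServers` are placeholders for your own environment. `Test-NetConnection` can only probe TCP, so the UDP entries (137, 138 and the UDP halves of 389 and 445) still have to be checked at the firewall. The final `Get-NetFirewallRule` call reports the state of the three Windows Firewall rules named in the note and is meant to be run on each monitored computer.

```powershell
# Added example: verify the Step 1 port table from the ADAudit Plus server.
# All host names below are placeholders.
$domainControllers  = @('dc01.example.com', 'dc02.example.com')   # placeholders
$monitoredComputers = @('fs01.example.com')                      # placeholder
$smtpServers        = @('smtp.example.com')                      # placeholder

# TCP ports from the Step 1 table, grouped by destination type.
$checks = @(
    @{ Targets = $monitoredComputers; Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Targets = $monitoredComputers; Port = 139;  Service = 'NetBIOS session' },
    @{ Targets = $monitoredComputers; Port = 445;  Service = 'SMB' },
    @{ Targets = $domainControllers;  Port = 88;   Service = 'Kerberos' },
    @{ Targets = $domainControllers;  Port = 389;  Service = 'LDAP' },
    @{ Targets = $domainControllers;  Port = 636;  Service = 'LDAP over SSL' },
    @{ Targets = $domainControllers;  Port = 3268; Service = 'Global catalog' },
    @{ Targets = $domainControllers;  Port = 3269; Service = 'Global catalog over SSL' },
    @{ Targets = $smtpServers;        Port = 25;   Service = 'SMTP' }
)

$results = foreach ($check in $checks) {
    foreach ($target in $check.Targets) {
        # -InformationLevel Quiet makes Test-NetConnection return only $true/$false.
        $open = Test-NetConnection -ComputerName $target -Port $check.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $target
            Port    = $check.Port
            Service = $check.Service
            Open    = $open
        }
    }
}

$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} port check(s) failed; fix the firewall path before adding the domain." -f $blocked.Count)
}

# The dynamic RPC range (49152-65535) cannot be probed port by port. On each
# monitored computer, confirm instead that the three rules from the note are enabled.
Get-NetFirewallRule -DisplayName 'Remote Event Log Management*' |
    Select-Object DisplayName, Enabled, Direction, Profile
```

A row with `Open = False` against a domain controller on 88, 389 or 3268 is the usual cause of the "Unable to get domain DNS/FLAT names" message, because the product cannot locate or bind to the DC at all; a failure only on 135/139/445 affects log collection rather than domain addition.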

Step 2: Check firewall and security group rules  

  • Ensure the necessary inbound and outbound rules are enabled in the system firewall.

    • Open Windows Firewall → Advanced settings → Inbound/Outbound Rules (based on the port direction) → Right-click the respective rule → Enable Rule.

  • If using AWS/Azure, confirm security group rules allow traffic on these ports.

AWS – Check security group rules  

1. Go to the EC2 dashboard  

  • Sign in to the AWS Management Console.

  • Navigate to EC2 → Security Groups (under "Network & Security").

2. Locate the security group  

  • Select the Security Group attached to your EC2 instance.

  • You can find the SG name in your EC2 instance details under the Description tab.

3. Check inbound rules  

  • Click on the Inbound rules tab.

  • Look for entries that match the ports you want to verify.

  • Ensure:

    • Protocol is correct (TCP/UDP).

    • Port Range includes the desired port.

    • Source allows the traffic (e.g., 0.0.0.0/0 for public access, or a specific IP range).

Azure – Check network security group (NSG) rules  

1. Go to the Azure portal  

2. Find the NSG  

  • Under the VM’s Networking section, locate the Network Interface or Subnet that the NSG is attached to.

  • Click the NSG name to open it.

3. Check inbound security rules  

  • Go to Settings → Inbound security rules.

  • Review the list and ensure:

    • Priority is low enough (lower numbers take precedence).

    • Port matches the one required.

    • Protocol is correct.

    • Source is properly configured.
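The two functions below are an added example (not from the article) that turn the AWS and Azure console checks in Step 2 into a repeatable query: given a security group or NSG and a port, they list the inbound rules that cover that port. They assume the AWS.Tools.EC2 module (`Get-EC2SecurityGroup`) or the Az.Network module (`Get-AzNetworkSecurityGroup`) is installed and already authenticated; the group ID, resource group and NSG names in the usage lines are placeholders.

```powershell
# Added example: list inbound cloud rules that cover a required port.
# Assumes AWS.Tools.EC2 and/or Az.Network are installed and logged in.

function Test-PortInRange {
    # Returns $true when $Range ('*', '389' or '49152-65535') includes $Port.
    param([string] $Range, [int] $Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ([int]$Matches[1] -le $Port -and [int]$Matches[2] -ge $Port)
    }
    return ([int]$Range -eq $Port)
}

function Test-AwsSecurityGroupPort {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $Protocol = 'tcp'
    )
    $sg = Get-EC2SecurityGroup -GroupId $GroupId
    # Inbound rules live in IpPermissions; IpProtocol '-1' means "all traffic".
    $sg.IpPermissions |
        Where-Object {
            ($_.IpProtocol -eq '-1') -or
            ($_.IpProtocol -eq $Protocol -and $_.FromPort -le $Port -and $_.ToPort -ge $Port)
        } |
        ForEach-Object {
            $perm = $_
            foreach ($range in $perm.Ipv4Ranges) {
                [pscustomobject]@{
                    Protocol  = $perm.IpProtocol
                    FromPort  = $perm.FromPort
                    ToPort    = $perm.ToPort
                    Source    = $range.CidrIp
                    # 0.0.0.0/0 passes the check but exposes the port to the internet;
                    # prefer the ADAudit Plus server's own address range.
                    WorldOpen = ($range.CidrIp -eq '0.0.0.0/0')
                }
            }
        }
}

function Test-AzureNsgPort {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $NsgName,
        [Parameter(Mandatory)] [int]    $Port
    )
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
    # Rules are evaluated lowest priority number first, so a Deny that sorts
    # above your Allow still blocks the port; the output keeps that order.
    $nsg.SecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Sort-Object Priority |
        Where-Object {
            $rule = $_
            foreach ($r in @($rule.DestinationPortRange)) {
                if (Test-PortInRange -Range $r -Port $Port) { return $true }
            }
            $false
        } |
        Select-Object Name, Priority, Access, Protocol, DestinationPortRange, SourceAddressPrefix
}

# Usage (placeholder identifiers):
# Test-AwsSecurityGroupPort -GroupId 'sg-0123456789abcdef0' -Port 389
# Test-AzureNsgPort -ResourceGroupName 'rg-adaudit' -NsgName 'nsg-adaudit' -Port 389
```

For Azure, read the output top to bottom: the first row whose `Access` is `Deny` ends the evaluation for that port, which is why the article tells you to check that the priority number of your Allow rule is low enough.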

Step 3: Validate DNS configuration  

  1. Open Command Prompt on the ADAudit Plus server.

  2. Run the following command to check forward lookup:

     nslookup <domain-name>

    • Ensure that it resolves to the correct IP address.

  3. Run the following command to check reverse lookup:

     nslookup <domain-controller-IP>

    • Ensure that it resolves to the correct hostname.
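As an added example (not part of the article), the function below performs the forward and reverse lookups from Step 3 with `Resolve-DnsName` and reports, per domain controller address, whether the PTR record points back into the domain. It also queries the `_ldap._tcp.dc._msdcs` SRV record, which is what DC location actually relies on; the domain name `example.com` is a placeholder.

```powershell
# Added example: forward/reverse DNS consistency check for the domain the
# ADAudit Plus server is about to be configured with. 'example.com' is a placeholder.

function Test-DomainDnsConsistency {
    param([Parameter(Mandatory)] [string] $DomainName)

    # Forward lookup: the domain name should return the domain controllers' A records.
    $forward = Resolve-DnsName -Name $DomainName -Type A -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' }

    # DC locator SRV record: if this is missing the name resolves but no DC is found.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' }

    foreach ($record in $forward) {
        $ip = $record.IPAddress
        # Reverse lookup: Resolve-DnsName builds the in-addr.arpa name from the IP.
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'PTR' } | Select-Object -First 1

        [pscustomobject]@{
            DomainName      = $DomainName
            IPAddress       = $ip
            ReverseName     = if ($ptr) { $ptr.NameHost } else { '<no PTR>' }
            ReverseInDomain = [bool]($ptr -and $ptr.NameHost -like "*.$DomainName")
            SrvRecordFound  = [bool]$srv
        }
    }
}

Test-DomainDnsConsistency -DomainName 'example.com' | Format-Table -AutoSize
```

A row with `ReverseInDomain = False` or `SrvRecordFound = False` means the ADAudit Plus server is using a DNS server that does not hold the AD-integrated zone (for example an external resolver); point the server's DNS client at a domain controller or at a forwarder for that zone before retrying the domain addition.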

Step 4: Check and remove duplicate SPNs  

  1. Open Command Prompt as an administrator.

  2. Run the following command to check for duplicate SPNs:

     setspn -Q */<TargetMachineHostname>

  3. If duplicates exist, remove them using:

     setspn -D <duplicateSPN> <MachineName>
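The following function is an added example (not from the article) that reports every SPN registered on more than one account in the domain, which is the condition the `setspn -Q` check in Step 4 looks for one host at a time. It assumes the RSAT ActiveDirectory PowerShell module is installed on the machine running it. It is read-only: removing a duplicate remains a manual decision with `setspn -D`, since the wrong choice breaks Kerberos authentication for the service that legitimately owns the SPN.

```powershell
# Added example: domain-wide duplicate SPN report (read-only).
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    param([string] $SearchBase)   # optional distinguished name to narrow the search

    $params = @{
        LDAPFilter = '(servicePrincipalName=*)'
        Properties = 'servicePrincipalName'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # Flatten every (SPN, owner) pair, group by SPN, keep groups with more than one owner.
    Get-ADObject @params |
        ForEach-Object {
            $owner = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ SPN = $spn.ToLowerInvariant(); Owner = $owner }
            }
        } |
        Group-Object -Property SPN |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SPN    = $_.Name
                Owners = ($_.Group.Owner | Sort-Object -Unique) -join '; '
            }
        }
}

Get-DuplicateSpn | Format-Table -Wrap
```

An empty result means no duplicates exist in the queried scope. When a duplicate appears, the `Owners` column shows both distinguished names, so the administrator can decide which registration is stale before running the `setspn -D` command from Step 4 against it.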

Step 5: Verify credentials and permissions  

  • Use a domain administrator account or an account with Read and Write permissions for Active Directory.

  • Confirm that the account is not locked out or restricted by policies.

Step 6: Restart related services  

  1. Restart the Netlogon service on the domain controller:

     net stop netlogon
     net start netlogon

  2. Restart the ADAudit Plus service:

     net stop ADAuditPlus
     net start ADAuditPlus


How to reach support  

If the issue persists, contact our support team here.
