In this article:  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• How to reach support

Issue description  

In ADAudit Plus, the LDAP report provides insights into authentication and directory access events related to Lightweight Directory Access Protocol (LDAP) queries. These reports help IT administrators monitor and audit LDAP-based interactions with Active Directory (AD) to ensure security, compliance, and troubleshooting.

Prerequisites  

Before troubleshooting, ensure the following prerequisites are met:

• The respective domain controller or Member server is configured in ADAudit Plus.

• Required ports and firewall rules are enabled to allow communication between the domain controller and ADAudit Plus.

• The service account used in ADAudit Plus should be a member of the Event Log Readers group.

• Auditing must be enabled on the Primary Domain Controller (PDC) and replicated to all required domain controllers.

• The Event Log retention size should be at least 4 GB to prevent log overwrites.

Possible causes  

• The server where the LDAP traffic has occurred may not be configured in ADAudit Plus.

• There is a communication failure between ADAudit Plus and the domain controller.

• The service account lacks the necessary permissions to collect security event logs.

• Auditing is not enabled on the domain controller.

• The event log size is too small, causing logs to be overwritten.

• Files may be stuck in the event data/raw or processed directories of ADAudit Plus.

Resolution  

Step 1: Verify Domain Controller/Member Server configuration in ADAudit Plus  

1. Navigate to Domain Settings in ADAudit Plus.

2. Confirm if all domain controllers are configured.

3. Navigate to Configuration > Member Server and confirm if the member server is configured in ADAudit Plus.

Step 2: Check for communication issues  

1. If log collection fails, check for RPC-related errors.

2. If encountering "RPC Server Unavailable (Error Code 6ba)", follow the troubleshooting guide here.

Step 3: Verify service account permissions  

To check the service account configured in ADAudit Plus:  

1. Go to Domain Settings.

2. Click the dropdown next to the domain name.

3. Select Modify Credentials.

Grant necessary permissions:  

1. Open Active Directory Users and Computers.

2. Navigate to Built-in > Event Log Readers.

3. Right-click Event Log Readers > Members > Add the configured service account.

Step 4: Enable LDAP auditing for the Domain Controller/Member Server  

Verify LDAP interface and field engineering values  

1. On the Domain Controller/Member Server, open Registry Editor.

2. Navigate to:

3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

4. Set '15 Field Engineering' to '5'.

5. Set '16 LDAP Interface' to '2'.

Step 5: Configure event log retention  

1. Open Group Policy Management Console (GPMC).

2. Navigate to Default Domain Controllers Policy.

3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

4. Set 'Retention method' for security log to "Overwrite events as needed".

5. Set Maximum security log size to at least 4 GB.

6. Ensure logs retain a minimum of 12 hours of audit data.

Step 6: Check for stuck files in event data folder  

• If files are stuck in event data/raw or processed, contact ManageEngine Support for assistance.

Related topics and articles  

• General Event Collection Troubleshooting

• Troubleshooting LDAP Report Issues

How to reach support