The RPC server is unavailable (error code 6ba) in ADAudit Plus while collecting logs


In this article:

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to reach support

Issue description  

ADAudit Plus relies on Windows services such as RPC, WMI, and DCOM to collect security event logs from configured domain controllers. The error "The RPC server is unavailable (error code 6ba)" typically occurs when these services fail to connect due to network-related issues such as firewall restrictions, blocked ports, or network congestion. This prevents ADAudit Plus from communicating with the target server, thereby interrupting the log collection process.

Prerequisites  

  • The target machine should be reachable from the server where ADAudit Plus is installed.

  • The required RPC ports (135 and 49152–65535) should be open bidirectionally or at least for inbound traffic on the target server.

  • Windows Firewall must allow Remote Event Log Management and COM+ Network Access (DCOM-In).

  • The service account must have the necessary permissions to collect logs remotely.

Possible causes

  • ADAudit Plus is unable to ping the domain controller, member server, or workstation and vice versa.

  • ADAudit Plus cannot resolve the flat name, fully qualified domain name (FQDN), or IP address of the target server.

  • The Event Viewer on the target machine cannot be accessed from the ADAudit Plus server.

  • The WMI service is not functioning properly.

  • The service account does not have remote administration privileges.

Resolution

Step 1: Verify network connectivity

  1. Ping the target server from the ADAudit Plus server.

  2. To ping the server, open Command Prompt (open Run, type CMD, and hit Enter).

  3. Type the following:
    ping <server name> -4 (for example, ping terminal01 -4)

Step 2: Verify name resolution

Ensure ADAudit Plus can resolve the flat name and FQDN of the target server.

  1. Check DNS resolution using the following:
    nslookup <Target_Server_Name>

  2. To perform nslookup, open Command Prompt (open Run, type CMD, and hit Enter).

  3. Type the following:
    nslookup <target_server_name> (for example, nslookup terminal01)

Step 3: Test remote event log connectivity

  1. Open Event Viewer on the ADAudit Plus server (open Run, type eventvwr, and hit Enter).

  2. Click Action > Connect to Another Computer.

  3. Enter the target domain controller name.

  4. Select Connect as another user, provide the ADAudit Plus service account credentials, and click OK.

 

Note: If the connection fails here, allow the following ports or firewall rules on your internal or external firewall. This is required to enable Windows-to-Windows event log management and remote event log collection.

External or third-party firewalls

  1. Ensure the RPC ports (135 and dynamic range 49152–65535) are open in the firewall.

  2. Open Windows Defender Firewall with Advanced Security (wf.msc).

  3. Go to Inbound Rules > New Rule.

  4. Select Port > TCP > Specific local ports and enter 135, 49152-65535.

  5. Select Allow the connection > Domain, choose Private or Public, name the rule, and click Finish.

 

Internal or local firewalls

    1. Open Windows Defender Firewall and go to Advanced Security.

    2. Go to Inbound Rules.

    3. Locate and enable the following rules:

      • Remote Event Log Management (NP-In)

      • Remote Event Log Management (RPC)

      • Remote Event Log Management (RPC-EPMAP)

      • COM+ Network Access (DCOM-In)

 

Note: For additional ports, external firewalls, or a centralized firewall, you must enable all the ports mentioned in this guide.

Step 4: Test the WMI connection

  1. Click Start > Run, type wbemtest, and click OK.

  2. In the WMI Tester, click Connect.

  3. Enter the namespace:
    \\<dc_name>\root\cimv2

  4. Provide the username and password of the service account.

  5. Click Connect, and you should connect to the WMI Tester without errors.

Note: If the connection fails or you receive an "RPC service is unavailable" error, ensure that the mentioned firewall rules are not blocked and the required ports are allowed. If the issue persists, you must troubleshoot this from the environment (e.g., a GPO blocking WMI, RPC, or DCOM).

Step 5: Verify remote administration privileges

  1. If the firewall is enabled on the domain controller, execute the following:
    netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all

 

Step 6: Validate and test to see if the issue has been fixed in ADAudit Plus

  1. Log in to ADAudit Plus.

  2. Launch ADAudit Plus and go to Domain Settings in the top-right corner.

  3. Click Run Now next to the affected domain controller.

The latest logs should be collected. The status should change from RPC error unavailable to Success. The timestamp will also be updated, showing that the issue has been resolved.
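
The checks from Steps 1 to 4 can be run in one pass from the ADAudit Plus server. The following PowerShell script is an added example, not part of ADAudit Plus or of the original article; the script name Test-RpcPrereqs.ps1 and the $Target parameter are hypothetical, and it assumes Windows PowerShell 5.1 or later with the built-in networking and CIM cmdlets.

```powershell
# Added example: preflight checks mirroring Steps 1-4; run on the ADAudit Plus server.
# Hypothetical usage: .\Test-RpcPrereqs.ps1 -Target terminal01
param(
    [Parameter(Mandatory)] [string] $Target,
    [pscredential] $Credential = (Get-Credential -Message 'ADAudit Plus service account')
)
$results = [ordered]@{}

# Step 1: ICMP reachability (equivalent of: ping <server name>)
$results['Ping'] = Test-Connection -ComputerName $Target -Count 2 -Quiet

# Step 2: name resolution (equivalent of: nslookup <target_server_name>)
$results['DNS resolution'] = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)

# Prerequisite: the RPC endpoint mapper must answer on TCP 135
$results['TCP 135 (RPC endpoint mapper)'] = (Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded

# Step 3: read one Security event remotely as the service account
try {
    Get-WinEvent -ComputerName $Target -Credential $Credential -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
    $results['Remote event log'] = $true
} catch {
    $results['Remote event log'] = $false
    Write-Warning "Remote event log: $($_.Exception.Message)"
}

# Step 4: query root\cimv2 over DCOM, the transport wbemtest uses
$session = $null
try {
    $dcom = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $dcom -ErrorAction Stop
    Get-CimInstance -CimSession $session -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem -ErrorAction Stop | Out-Null
    $results['WMI over DCOM'] = $true
} catch {
    $results['WMI over DCOM'] = $false
    Write-Warning "WMI over DCOM: $($_.Exception.Message)"
} finally {
    if ($session) { Remove-CimSession -CimSession $session }
}

# Summary: the first FAILED row points at the step to troubleshoot
foreach ($check in $results.GetEnumerator()) {
    '{0,-30} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'FAILED' })
}
```

If TCP 135 passes but the last two checks fail, read the warning text: an "RPC server is unavailable" message points at the dynamic port range or the firewall rules from Step 3, while an access-denied message points at the service account's permissions.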

 

Related topics and articles  

 How to reach support 

If the issue persists, contact our support team here
