https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-installed-on-domain-controller-doesn-t-appear-to/m-p/213549#M62108 <P>Hi guys,</P><P>&nbsp;</P><P>I've installed the Palo User-ID agent on a single domain controller (8.0.906) using the Palo Networks guide below:</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/install-the-windows-based-user-id-agent" target="_self">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/install-the-windows-based-user-id-agent</A></P><P>&nbsp;</P><P>Our environment already has User-ID running and is working, but due to some server retirement we have had to change the placement of this application.</P><P>&nbsp;</P><P>So I installed the application, gave the dedicated domain service account full control over the Palo User-ID application folder, full control over the registry keys in Wow6432Node (ensured child object permissions for both were replaced) and the service account is already a member of the required AD builtin groups.</P><P>&nbsp;</P><P>I've then added the new server to firewall and confirmed it is connected (change commited).</P><P>&nbsp;</P><P>However the logs under Monitoring does not show any activity for user ID collections, the old (existing) server is still pulling them out OK. The only entries I am seeing are:</P><P>&nbsp;</P><PRE>need to alloc xxxx bytes for big body</PRE><P>I understand this one is normal and can be ignored (<A href="https://live.paloaltonetworks.com/t5/Management-Articles/quot-Warn-839-quot-message-seen-in-User-ID-agent-logs/ta-p/104091" target="_self">https://live.paloaltonetworks.com/t5/Management-Articles/quot-Warn-839-quot-message-seen-in-User-ID-agent-logs/ta-p/104091</A>)</P><P>&nbsp;</P><PRE>New connection 127.0.0.1 : 61332 Device thread 0 with 127.0.0.1 : 61332 is started. Device thread 0 accept finish.</PRE><P>Which I assume is it connecting to itself (domain controller) OK.</P><P>&nbsp;</P><PRE>can't get prefix from address()</PRE><P>I then see this event a lot, I've modified the include/exclude address ranges (192.168.0.0/16) on the Discovery option but I can't get this to work.</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P> Tue, 08 May 2018 09:11:30 GMT Wildman85 2018-05-08T09:11:30Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-installed-on-domain-controller-doesn-t-appear-to/m-p/213549#M62108 <P>Hi guys,</P><P>&nbsp;</P><P>I've installed the Palo User-ID agent on a single domain controller (8.0.906) using the Palo Networks guide below:</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/install-the-windows-based-user-id-agent" target="_self">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/install-the-windows-based-user-id-agent</A></P><P>&nbsp;</P><P>Our environment already has User-ID running and is working, but due to some server retirement we have had to change the placement of this application.</P><P>&nbsp;</P><P>So I installed the application, gave the dedicated domain service account full control over the Palo User-ID application folder, full control over the registry keys in Wow6432Node (ensured child object permissions for both were replaced) and the service account is already a member of the required AD builtin groups.</P><P>&nbsp;</P><P>I've then added the new server to firewall and confirmed it is connected (change commited).</P><P>&nbsp;</P><P>However the logs under Monitoring does not show any activity for user ID collections, the old (existing) server is still pulling them out OK. The only entries I am seeing are:</P><P>&nbsp;</P><PRE>need to alloc xxxx bytes for big body</PRE><P>I understand this one is normal and can be ignored (<A href="https://live.paloaltonetworks.com/t5/Management-Articles/quot-Warn-839-quot-message-seen-in-User-ID-agent-logs/ta-p/104091" target="_self">https://live.paloaltonetworks.com/t5/Management-Articles/quot-Warn-839-quot-message-seen-in-User-ID-agent-logs/ta-p/104091</A>)</P><P>&nbsp;</P><PRE>New connection 127.0.0.1 : 61332 Device thread 0 with 127.0.0.1 : 61332 is started. Device thread 0 accept finish.</PRE><P>Which I assume is it connecting to itself (domain controller) OK.</P><P>&nbsp;</P><PRE>can't get prefix from address()</PRE><P>I then see this event a lot, I've modified the include/exclude address ranges (192.168.0.0/16) on the Discovery option but I can't get this to work.</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P> Tue, 08 May 2018 09:11:30 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-installed-on-domain-controller-doesn-t-appear-to/m-p/213549#M62108 Wildman85 2018-05-08T09:11:30Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-installed-on-domain-controller-doesn-t-appear-to/m-p/213557#M62109 <P>Only difference I can see is that my working server is using 7.0.713 instead.</P><P>&nbsp;</P><P>Installed 8.0.906 on a member server and that has the same issue.</P><P>&nbsp;</P><PRE>can't get prefix from address()</PRE> Tue, 08 May 2018 10:47:39 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-installed-on-domain-controller-doesn-t-appear-to/m-p/213557#M62109 Wildman85 2018-05-08T10:47:39Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-installed-on-domain-controller-doesn-t-appear-to/m-p/213558#M62110 <P>Installing 7.0.7-13 works. So I'll stick with that one I guess. Would be to know why the newer version(s) are causing that error.</P> Tue, 08 May 2018 11:09:59 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-installed-on-domain-controller-doesn-t-appear-to/m-p/213558#M62110 Wildman85 2018-05-08T11:09:59Z