https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/257956#M73183 <P>Hello,</P><P>&nbsp;</P><P>Microsoft AD under Server Monitoring is showing as 'not connected.'</P><P>We would like to use the PAN-OS Integrated User-ID Agent</P><P>Output from debug commands show UserID Debug Log is enabled but nothing is logging.</P><P>&nbsp;</P><P>Anyone encountered similar issue?</P><P>&nbsp;</P> Thu, 18 Apr 2019 09:58:48 GMT FarzanaMustafa 2019-04-18T09:58:48Z https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/257956#M73183 <P>Hello,</P><P>&nbsp;</P><P>Microsoft AD under Server Monitoring is showing as 'not connected.'</P><P>We would like to use the PAN-OS Integrated User-ID Agent</P><P>Output from debug commands show UserID Debug Log is enabled but nothing is logging.</P><P>&nbsp;</P><P>Anyone encountered similar issue?</P><P>&nbsp;</P> Thu, 18 Apr 2019 09:58:48 GMT https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/257956#M73183 FarzanaMustafa 2019-04-18T09:58:48Z https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/257980#M73189 <P>did you follow this guide?:<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0</A></P> Thu, 18 Apr 2019 11:38:31 GMT https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/257980#M73189 reaper 2019-04-18T11:38:31Z https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/257982#M73191 Yes, but still no luck. Thu, 18 Apr 2019 11:42:06 GMT https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/257982#M73191 FarzanaMustafa 2019-04-18T11:42:06Z https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/261187#M74043 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>Did you find the solution for this issue?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 15 May 2019 16:29:52 GMT https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/261187#M74043 upatino 2019-05-15T16:29:52Z https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/261276#M74074 <P>Yes...PA TAC assisted us in resolving the issue. Below is the case notes.</P><P>&nbsp;</P><P><SPAN>&gt; less mp-log useridd.log</SPAN></P><P>&nbsp;</P><P><SPAN>Looking at User-ID logs, there were repeated logs:</SPAN><BR /><SPAN>2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for sydcwdc01.mainstreambpo.local failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003</SPAN><BR /><SPAN>2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server sydcwdc01.mainstreambpo.local: NTSTATUS: NT code 0x80041003 - NT code 0x80041003</SPAN><BR /><BR /><SPAN>WMI error code 0x80041003 indicates the account does not have permission.</SPAN><BR /><A href="https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/wmi-error-constants" target="_blank" rel="noopener">https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/wmi-error-constants</A><BR /><BR /><SPAN>Please check that the service account (mainstreambpo\palocw) is member of Event Log Readers and Distributed COM Users</SPAN><BR /><BR /><SPAN>Some useful commands related to User-ID:</SPAN><BR /><SPAN>- Restart User-ID service: debug software restart process user-id</SPAN><BR /><SPAN>- View server monitor statistics: show user server-monitor statistics</SPAN></P><P>&nbsp;</P><P><SPAN>Other than the group membership of service account, kindly also check the WMI permission in every DC server being used under Server Monitoring. This WMI permission is local configuration (not replicated).<BR /><BR />Agentless User-ID 'Access Denied' Error In Server Monitor<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC</A></SPAN></P><P>&nbsp;</P><P><SPAN>We checked that we have given all the correct permissions on the WMI side for all our DCs.&nbsp;<BR />We asked for a trace to run to figure out what exactly its failing on when it accesses the AD side of things.</SPAN></P><P>&nbsp;</P><P><SPAN>PA TAC provided us the following.</SPAN></P><P>&nbsp;</P><P><SPAN>Provided that the WMI permissions are set, can you test to do WMI remote connection using wbemtest?<BR />1. In any windows client (domain member), run wbemtest<BR />2. Default namespace is 'root\cimv2', please change to '\\&lt;dcservername&gt;\root\cimv2'<BR />3. Provide username and password (firewall service account), then click Connect<BR />4. Observe if there is error message when wbemtest is trying to connect to DC server<BR /><BR />Link:&nbsp;<A href="https://blogs.technet.microsoft.com/configmgrdogs/2014/08/20/test-your-collection-wql-queries-using-wbemtest-and-powershell/" target="_blank" rel="noopener">https://blogs.technet.microsoft.com/configmgrdogs/2014/08/20/test-your-collection-wql-queries-using-wbemtest-and-powershell/</A></SPAN></P><P>&nbsp;</P><P><SPAN>This fixed the issue!</SPAN></P> Wed, 15 May 2019 23:29:04 GMT https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/m-p/261276#M74074 FarzanaMustafa 2019-05-15T23:29:04Z