The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Active Directory (AD) Query does not recognize Users
Technical Level
Solution ID
sk60501
Technical Level
Product
Quantum Security Gateways
Version
All
Platform / Model
All
Date Created
12-Jan-2011
Last Modified
12-Nov-2020
Symptoms
AD Query does not recognize Users, although it is configured successfully.
"No AD Query" error message is displayed in SmartView Tracker.
Cause
AD Query correlates users to IP Addresses by reading security Event Logs from the domain controllers. By default, the necessary events are logged. If the audit configuration was changed and the necessary events are not logged, AD Query will not be able to correlate users to IP addresses. To verify this, look for the necessary events on the Security Event Log on the domain controllers.
The necessary events are:
Windows 2003 servers: 672, 673, 674
Windows 2008 servers: 4624, 4768, 4769, 4770.
Windows 2012 servers: 4624*, 4768*, 4769*, 4770*
*4624: An account was successfully logged on. *4768: A Kerberos authentication ticket (TGT) was requested. *4769: A Kerberos service ticket was requested. *4770: A Kerberos service ticket was renewed.
Note: see "Success Audit" logs for the above events. The AD server may be configured to only log failures.
There has been Windows Management Instrumentation (WMI) related changes on the Domain Controller that require the WMI service to be restarted.
