inconsistencies setting up FIM on member servers
Hi we have a group of 60+ member servers behind a firewall that I am setting up for FIM and for the most part it appears to work fine but I have some issues.
I set up a test where I create a fake dll file on the server then delete it and then see if the data get into ADAudit. I would say this seems to work about 70% of the time. Every time I go to the server make sure "Force audit policy subcategory" is enabled, check SACL on desired folders to be monitored is applied, verify all desired advanced auditing is enabled and everything checks out fine.
To make it even more difficult to try to determine the issue when I look at configured member servers under the status column they all show success and maybe 70 % of them show what I would expect under "time stamp of last event" then about 30 % of them show "Yet to fetch Event Data".
That would all be fine but the fact is when I run my test some of the servers configured that show "Yet to fetch Event Data" are in fact reporting properly and some that do show a time stamp of the collected event are not showing up in the FIM reports.
I attached some screen shots to try to help illustrate this.
I can run the same test several times and get mixed results so I am wondering if our firewall could be blocking some of the data from getting through for some reason because it was unclear to me on what ports were needed when I made my request to our networking group.
These are the ports currently opened
* Port "88" to communicate with Kerberos
* Port "139" NetBIOS
* Port "389" to communicate with the LDAP Protocol.
* Port "135" to communicate with RPC & DCOM.
* Port "445" and "135" to communicate with NetBioS Session Service
Dynamic " 49152-65535"
My question is about the dynamic ports.
We opened 49152-65535 and that seemed to get things working initially but now I am wondering if this was correct.
When I use the DMZ port analyzer as the instructions say not matter what server I pick it always says "the following ports are need to be open: 88 389"
The exception to this would be if I point it to our domain controller then it reports everything is ok.
Where are you supposed to install the DMZ port analyzer anyways? I installed it on ADManager server and have been running it from there is that correct?
Is 49152-65535 correct for dynamic ports?
Any advice would be appreciated it is hard to troubleshoot when it seems like a moving target I am trying to hit.
I set up a test where I create a fake dll file on the server then delete it and then see if the data get into ADAudit. I would say this seems to work about 70% of the time. Every time I go to the server make sure "Force audit policy subcategory" is enabled, check SACL on desired folders to be monitored is applied, verify all desired advanced auditing is enabled and everything checks out fine.
To make it even more difficult to try to determine the issue when I look at configured member servers under the status column they all show success and maybe 70 % of them show what I would expect under "time stamp of last event" then about 30 % of them show "Yet to fetch Event Data".
That would all be fine but the fact is when I run my test some of the servers configured that show "Yet to fetch Event Data" are in fact reporting properly and some that do show a time stamp of the collected event are not showing up in the FIM reports.
I attached some screen shots to try to help illustrate this.
I can run the same test several times and get mixed results so I am wondering if our firewall could be blocking some of the data from getting through for some reason because it was unclear to me on what ports were needed when I made my request to our networking group.
These are the ports currently opened
* Port "88" to communicate with Kerberos
* Port "139" NetBIOS
* Port "389" to communicate with the LDAP Protocol.
* Port "135" to communicate with RPC & DCOM.
* Port "445" and "135" to communicate with NetBioS Session Service
Dynamic " 49152-65535"
My question is about the dynamic ports.
We opened 49152-65535 and that seemed to get things working initially but now I am wondering if this was correct.
When I use the DMZ port analyzer as the instructions say not matter what server I pick it always says "the following ports are need to be open: 88 389"
The exception to this would be if I point it to our domain controller then it reports everything is ok.
Where are you supposed to install the DMZ port analyzer anyways? I installed it on ADManager server and have been running it from there is that correct?
Is 49152-65535 correct for dynamic ports?
Any advice would be appreciated it is hard to troubleshoot when it seems like a moving target I am trying to hit.