
Lightweight Gateway installation fails on only two Domain Controllers on same site.

Q: Lightweight Gateway installation fails on only two Domain Controllers on same site.

I have the latest version of ATA - 1.9.7312.32791
I have deployed ATA Lightweight Gateway to many domain controllers throughout my organisation from exactly the same "Microsoft ATA Gateway setup.exe" with accompanying .json file in the same folder.

Nearly all the Domain Controllers have been Windows Server 2016 Core with a quiet install via command line.
The installation has worked perfectly with the exception of two domain controllers on the same physical subnet/site.
The installation error code in the log is:
Error [TaskAwaiter] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
Failed to validate certificate thumbprint [thumbprint=FC78E602AA1E8BF57CC2270E81788E5ADC511DF4]

Seeing as every other installation worked fine, I suspect something must be blocking or interfering with the certificate being successfully negotiated back at the ATA centre.
The likelihood of it being an error with the JSON file is extremely small, as the failures occurred in the middle of the installation program, with successful implementations either side of the two that failed.

What can I get the network team to check regarding firewalls, network traffic or blocked ports?

Has anyone seen similar?

Thank you

Chris


RELEVANCY SCORE 118.4

I am attempting to lab up ATA 1.7.1, and am having a similar issue to the following ATA Forum thread: https://social.technet.microsoft.com/Forums/security/en-US/c817193a-9859-48fa-a208-eb644b17005b/service-on-lightweight-gateway-wont-start?forum=mata
Event viewer is showing that the service is attempting to restart, and the ATA logs are full of this error (occurs every 20 seconds):
2016-10-18 23:49:50.2983 856 5 00000000-0000-0000-0000-000000000000 Error [DirectoryServicesClient+<OnInitializeAsync>d__12] Microsoft.Tri.Infrastructure.ExtendedException: Domain controllers are not configured
at Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.<OnInitializeAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Infrastructure.Framework.Module.<InitializeAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Infrastructure.Framework.ModuleManager.<OnInitializeAsync>d__4.MoveNext()
--- End of stack trace from previous location whe...

RELEVANCY SCORE 111.2

I installed a lightweight gateway in a child domain in the forest (there are working trusts).  I am getting an error message while the service fails to start:

2018-05-22 18:44:00.0328 6332 9   Error [DirectoryServicesClient+<CreateLdapConnectionAsync>d__32] Microsoft.Tri.Infrastructure.Utils.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=HOSTNAME.DOMAIN ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: A local error occurred.
   at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
   at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.CreateLdapConnectionAsync(?)
   --- End of inner exception stack trace ---
   at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.CreateLdapConnectionAsync(?)
   at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.CreateLdapConnectionAsync(?)
   at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.TryCreateLdapConnectionAsync(?)
2018-05-22 18:44:00.0328 6332 5   Error [DirectoryServicesClient+<OnInitializeAsync>d__14] Microsoft.Tri.Infrastructure.Utils.ExtendedException: Failed to communicate with configured domain controllers
   at async Microsoft.Tri.Gateway.Resolution...

RELEVANCY SCORE 87.6

I have a problem with installing ATA Lightweight Gateway as screen shot attached, the center is 1.8 and windows server 2012 r2, and non-domain joined, I have tried to join the server with no luck, there is no log in the center, and I have tried 1.9 before
the same result.
any ideas...

RELEVANCY SCORE 87.2

I see in the documentation that 'ALL' ATA Gateways are by default configured as 'Domain Synchronizer Candidate'. I am using exclusively ATA Lightweight Gateway agents installed on my DC. How many LWGs per Active Directory Domain should be configured as 'Domain Synchronizer Candidate'?
Thanks,
Steve

RELEVANCY SCORE 85.6

Hi All,
I've recently completed the deployment of a large number of ATA lightweight gateways in our environment.  All of them are working great, except for one. The service hangs on starting for a long period of time and then fails to start. This is a server
2008r2 standard domain controller, and the recurring error I can find in the Microsoft.Tri.Gateway-errors file is below:
2017-07-07 20:20:57.4359 2604 5   00000000-0000-0000-0000-000000000000 Error [Enumerable] System.InvalidOperationException: Sequence contains more than one element
   at System.Linq.Enumerable.Single[TSource](IEnumerable`1 source)
   at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.ConnectDisconnectedDomainControllersAsync(?)
   at async Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.OnInitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnInitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
   at async Microsoft.Tri.Infrastructure.Framework.Service.OnStartAsync(?)
   at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)

I've uninstalled/reinstalled, reset performance counters, rebooted, etc.  And I'm out of ideas.  Any help would be greatly appreciated.  T...

RELEVANCY SCORE 84.8

I recently had a lightweight gateway that stopped checking in with ATA.  I found the ATA services not running, and couldn't start them.  I tried uninstalling the lightweight gateway from the server, but the uninstall failed.  Attempted to
run the setup again, but it won't run because it sees that it's already installed.
Per the suggestion here: https://social.technet.microsoft.com/Forums/lync/en-US/e54b04aa-10b0-4ef8-8aad-4d3fd5bc75ec/i-cannot-uninstall-ata-gateway-after-installing-from-the-zip-file?forum=mata
I searched the registry for anything mentioning Advanced Threat Analytics and removed it, and ran the setup again.  The setup didn't seem to complete successfully, and the services still won't start.  However ATA doesn't show up in add/remove programs
anymore, and I don't see any registry keys under HKLM\Software which contain 'Advanced Threat Analytics'.
What's the best way to clean this up and get it working again?
Also, we get ATA as part of our EMS subscription.  Does that subscription include Tech support for ATA? 

RELEVANCY SCORE 83.2

Hello Everyone,
Reference to below statement from MS documentation
During installation, the .Net Framework 4.6.1 is installed and might cause a reboot of the domain controller.



Just wanted to know if .NET Framework would be part of the binaries or will it be downloaded from the internet during the setup. I ask because I don't have internet on my domain controllers so if .NET Framework is downloaded as part of the setup the setup
might fail.





Senior Technical Consultant, MDS Computers

RELEVANCY SCORE 82.4

We removed two lightweight gateways from our environment, and only have lightweight gateways installed. We deployed a new DC that has the IP address of the old DC but a different hostname. For the life of me I can't find where a cached thumbprint or a cert discrepancy might be hiding. I get the below error on ATA center. The gateway service will not start on the new DC.
Version 1.9.7412.9649
2019-03-15 22:15:55.8645 10424 54  Error [AppBuilderExtension] Failed to validate certificate thumbprint [thumbprint=XXXXXXXXXXXXXXXXXXX] from XXX.XXX.XXX.XXX
2019-03-15 22:15:55.8645 10424 54  Error [CertificateValidator] System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [thumbprint=XXXXXXXXXXXXXXXXXXX]
   at Microsoft.Tri.Infrastructure.Utils.CertificateValidator.Validate(String thumbprint)
   at Microsoft.Tri.Infrastructure.Utils.CertificateValidator.Validate(X509Certificate2 certificate)
   at async Microsoft.Tri.Common.Management.AppBuilderExtension.<>c__DisplayClass3_0.<UseCertificateValidation>b__0(?)
   at async Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.Invoke[](?)
   at async Microsoft.Tri.Common.Management.AppBuilderExtension.<>c.<UseExceptionHandler>b__2_0(?)

RELEVANCY SCORE 80.8

I was excited to see that the new ATA 1.6 has a Lightweight Gateway that no longer requires port mirroring by installing it directly on the Domain Controllers. This makes total sense to me and gives me confidence in this ATA team. We have VMWare
and the port mirroring was an issue.
However, we are not excited about the .NET requirement on the Domain Controllers. The installation does indicate it is needed for the setup, but does anyone know if we can uninstall the .NET component once the installation is complete? Any thoughts?
Thanks!
-Srvrgeek

RELEVANCY SCORE 79.6

Hi,
I have successfully deployed ATA Center 1.7 and ATA Lightweight Gateways, then I changed the ATA Center Console certificate.
Now we have deployed a new AD Domain Controller and I can't install ATA Lightweight Gateway on it.
When I download the ATA Gateway installation from Center, there is still the old certificate thumbprint in the GatewayInstallationConfiguration.json file. Also, when I change the thumbprint value in the config and try to install Lightweight Gateway again, the same error occurs in the install log.
I have already restarted the ATA Center server but the issue still occurs.
I am considering backing up Mongo DB, reinstalling ATA Center and restoring Mongo DB.
Can you give me advice?
Here is the ATA Gateway installation log: [0CDC:11C4][2016-10-04T15:55:41]i000: 2016-10-04 13:55:41.6441 3292 5   Error [TaskAwaiter] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [Subject=CN=ataweb.ourdomain.com Thumbprint=4832CDB5AE2F2AE1E76E8D53B41AA1F361B881E8]

RELEVANCY SCORE 66

I have come across a situation like this.
I planned to install ATA Gateway to monitor datacenter DC traffic. These 4 DCs are physical blade servers residing in a single HP blade enclosure, and 2 switches in the blade enclosure connect to 2 different physical switches. These 2 rack switches are basic switches which don't support stacking or any other method to do port mirroring (RSPAN). So will it be possible to place a gateway?
Secondly, when I ran the sizing tool, lightweight gateways can be installed on these 4 DCs with hardware upgrades. I can upgrade RAM, but since these servers are old, I have an issue with increasing processors because processors are not available to be purchased.
The recommendation is to upgrade just 1-3 cores in a server.
So I want to know whether not increasing processors in DCs will adversely affect the functionality of LWGW and the DC? And any other good method to take care (GW or LWGW) of this 4 physical DCs?

RELEVANCY SCORE 64.4

Hi,
We have gone through the ATA installation guide (https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata).
However, nowhere can we find information on where to find the binaries to install the ATA Lightweight Gateway, or how to actually install it?
Please could someone shed some light on this?
Thank you
SK

RELEVANCY SCORE 63.6

I am constructing a lab environment to test ATA 1.6.
The ATA Lightweight Gateway service is not running after installing the lightweight gateway on the DC,

and I got the error "Domain synchronizer not assigned" even though I checked every recommendation that appeared in the Health state of the center console.
Error ID 1067 appears when I'm trying to force start the service on the DC.

RELEVANCY SCORE 63.6

In the planning docs for Lightweight Gateway, the following table is presented as reference:

Notice it only goes up to 10 CPUs & 24GB of RAM.
So...I want to know if it will go beyond that number if the DC can handle it.  Our DCs are much too beefy.  We have 32 cores and 256GB of RAM.  
Our Busy Packets are around 8-9K (which is uncomfortably close to 10K).  While we haven't had an issue yet, we are concerned that it will fail if goes over 10K.
QUESTION:  Can the Lightweight Gateway handle more Packets per Second than 10K if the DC is beefy enough?  Or is it a software limit?  If it is a software limit, is it possible to apply a tweak to get additional performance
from the Lightweight Gateway?
Unfortunately, we have been told that Port Mirroring isn't an option for us and we are forced to use the Lightweight Gateway.  Thank you for your time.

RELEVANCY SCORE 63.6

I have a client that is seeing performance issues with their DCs.  They have both StealthBits and the ATA Lightweight Gateway services installed on the DC.  Has anyone seen similar issues and if so, any known workarounds?
Thanks

Microsoft Security Technology Specialist

RELEVANCY SCORE 63.6

On a few DCs in a customer's production environment, ATA LGW crashes during startup, thousand times over. There is apparently a problem with the PEFNDIS driver. How can this problem be solved?
This is at the end of the ATA LGW log:
2016-05-19 12:35:02.7224 5240 11  d1d78b4c-043c-4bad-8630-5254d3a6a515 Debug [NetworkListener] Starting
2016-05-19 12:35:03.2849 5240 5   00000000-0000-0000-0000-000000000000 Error [EtwMessagePusher] System.ApplicationException: Fail to start live consumer  ---> Microsoft.Opn.Runtime.Monitoring.MessageSessionException: The PEFNDIS event provider
is not ready.  The provider is not installed or not running.
   at Microsoft.Protocols.Tools.DataSourceConfig.EtwDataSource.Plugins.PefNdis.EtwMessageSourcePluginPefNdis.BeforeStart()
   at Microsoft.Protocols.Tools.DataSourceConfig.EtwDataSource.EtwMessagePusher.Start(Boolean startAtPause)
   --- End of inner exception stack trace ---
   at Microsoft.Protocols.Tools.DataSourceConfig.EtwDataSource.EtwMessagePusher.Start(Boolean startAtPause)
   at Microsoft.Opn.Runtime.Monitoring.CaptureSession.Start(Boolean pause)
   at Microsoft.Tri.Gateway.Collection.Network.NetworkListener.OnStartAsync()
   at Microsoft.Tri.Infrastructure.Framework.Module.<StartAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServic...

RELEVANCY SCORE 63.6

Hi,
I am getting the following error when my lightweight gateway agent tries to start on one of my Windows 2008R2 Domain Controllers:
2016-10-11 18:26:38.4188 2112 5   00000000-0000-0000-0000-000000000000 Error [IDataCollectorSet] System.Runtime.InteropServices.COMException (0xC0000BC9): Exception from HRESULT: 0xC0000BC9
   at PlaLibrary.IDataCollectorSet.start(Boolean Synchronous)
   at Microsoft.Tri.Infrastructure.Utils.DataCollectorSet.Start(String name)
   at Microsoft.Tri.Infrastructure.Framework.PerformanceCounterManager.<OnStartAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Tri.Infrastructure.Framework.Module.<StartAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Tri.Infrastructure.Framework.ModuleManager.<OnStartAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerS...

RELEVANCY SCORE 63.6

Hello Everyone,
When upgrading lightweight gateway client on the DC does it require a restart?

Senior Technical Consultant, MDS Computers

A: Lightweight Gateway restart

Only if the deployment process needs to update the .NET Framework, or if there is already a pending reboot for the machine.
Making sure ahead of time that you have .NET 4.6.1 or higher installed will likely avoid a reboot, unless there is already one pending for another reason.

RELEVANCY SCORE 63.6

Hello,
I had ATA 1.7 installed on a small virtualized environment with
1 Lightweight Gateway installed on my DC (Windows Server 2012, 1 CPU, 4 GB RAM)
1 ATA Center
2 computers
Everything was fine, but since I updated ATA to version 1.8 my gateway doesn't start anymore. When I check Task Manager, I can see the process "Microsoft ATA Gateway" appear and disappear.
Does anyone encounter the same problem?

RELEVANCY SCORE 62.8

I keep receiving this health error from my ATA light Gateway:

Some network traffic is not being analyzed

Gateway, XXX, is receiving more network traffic than it can process. A portion of the network traffic is not analyzed.

Recommendations

Consider adding additional processors and memory to the Gateway or reducing the number of domain controllers being monitored by the Gateway.

Although it's a 32 GB RAM physical machine and performance at the time of this repeated error is CPU = 10% and Memory = 32%.
Any ideas please?

RELEVANCY SCORE 62.8

We have a virtual 2012 R2 domain controller on which we have installed the ATA Lightweight Gateway. We've given the DC 6 CPU and 16GB (dynamic) memory. The VM is running on a two host Hyper-V 2012 R2 cluster.
Nightly we are seeing the DC reboot, usually around the time DPM backups are in operation (one is an in-guest backup of system state, the other is a VM image backup). In the logs the following errors are present:

Faulting application name: Microsoft.Tri.Gateway.exe, version: 1.6.4103.64991, time stamp: 0x57172e09
Faulting module name: clr.dll, version: 4.6.1055.0, time stamp: 0x563c12de
Exception code: 0xe0004743
Fault offset: 0x00000000001e65a1
Faulting process id: 0x1bc
Faulting application start time: 0x01d1b48323d2d90a
Faulting application path: C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Microsoft.Tri.Gateway.exe
Faulting module path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Report Id: 1b40303e-20de-11e6-80e1-001dd8b71c57
Faulting package full name:
Faulting package-relative application ID:
And then follows a number of write errors similar to
DFSRs (1628) \\.\C:\System Volume Information\DFSR\database_3864_2C8F_642C_51C4\dfsr.db: An attempt to write to the file "\\.\C:\System Volume Information\DFSR\database_3864_2C8F_642C_51C4\dfsr.db" at offset 0 (0x0000000000000000) for 8192 (0x00002000) bytes failed after 0.000 seconds with system error 1453 (0x000005ad): "Insufficient quota to complete the requested service...

RELEVANCY SCORE 62.8

I ran the sizing tool in my vmware environment and it says I am able to deploy all lightweight gateways to all the DC's. My question is, does this means to analyze what ATA has found, I have to go to each DC and look at ATA, then move to the next box and
so on?

RELEVANCY SCORE 62.8

One of our lightweight gateways is now failing to startup.  The issue started after we rebooted the domain controller after our monthly patch window.  I tried reinstalling the gateway but it still won't start.  The other two DCs we have lightweight
gateways on are still working just fine.  They got the same set of patches and were also rebooted but they start up just fine.  I also tried restarting the services again but they start up so the problem appears to be isolated on this one DC.
I looked in the "Microsoft.Tri.Gateway-Errors.log" and the couple errors I see are below but I haven't been able to find related articles that talk about how to fix them.
Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with the configured domain controllers
and
Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=xxxxxx.local ErrorCode=82] ---> System.DirectoryServices.Protocols.LdapException: a local error occurred.
A few of the things I have tried are:
- Confirmed using the ldp.exe tool that I could connect via both 389 and 636 to itself as well as the other two DCs.
- Uninstall and reinstall, didn't fix the issue.  The new gateway does appear in the console in a "Start Failed" status.  Makes me think it isn't a problem with the lightweight gateway being able to talk to the console.
- Other than the patches the only thing else that we know chang...

RELEVANCY SCORE 62.8

Hi,

After the update to MS ATA 1.8, the ATA Lightweight Gateway on one of my domain controllers doesn't work. The second DC works normally.
The MS ATA console shows that Service status is Stopped.

I reinstalled the ATA light gateway many times, deleted the ATA certificates on the DC before it, and downloaded the install package from ATA Center.

The ATA services (gateway and gateway updater) on the DC are running normally.

WinEvents don't have errors.

But we have errors in the gateway log file:

2017-08-01 07:42:40.6072 4208 14 07d6fbab-080e-4654-ac24-23fd73ed0fc5 Error [GatewayConfigurationManager]
Failed to get configuration, using default configuration
Error [WebClient+<InvokeAsync>d__8`1] System.Net.Http.HttpRequestException: PostAsync failed [requestTypeName=UpdateGatewayServiceStatusRequest] ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. --->
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: Attempt to connect failed. From another computer for the required time, the desired response was not received, or the already established connection
was broken because of the incorrect response of the already connected computer 192.168.1.168:3128
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSo...

RELEVANCY SCORE 62.8

We have lightweight gateways installed on 3 other DCs and they all work fine. On a fourth DC, the service won't start.  I get an Error 1067 if I try to manually start it.  In the error log, I see:
2016-08-16 19:17:54.3467 4028 5   00000000-0000-0000-0000-000000000000 Error [PerformanceCounterLib] System.InvalidOperationException: Category does not exist.
   at System.Diagnostics.PerformanceCounterLib.CounterExists(String machine, String category, String counter)
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter..ctor(String categoryName, String counterName, String instanceName, Boolean readOnly)
   at System.Diagnostics.PerformanceCounter..ctor(String categoryName, String counterName, String instanceName)
   at Microsoft.Tri.Gateway.Service.GatewayAppDomainManager.<OnInitializeAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Tri.Infrastructure.Framework.Module.<InitializeAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) ...

RELEVANCY SCORE 62.8

Hi,
I've installed ATA 1.8 and the lightweight gateway on a 2012 R2 domain controller. 

On the domain controller, the ATA Insights service is running but the main ATA service is stuck in a starting loop.

Are there any logs to find out the reason? I've rebuilt the performance counter database as suggested in another thread, but to no avail. Nothing of use in the event logs.


Thanks!

RELEVANCY SCORE 62.8

The lightweight gateway ran for a month or so then it stopped last week.  After reinstalling and rebooting the DC, the lightweight gateway started again.  It ran for a few days but stopped again.  Reinstalling and rebooting didn't help this
time.  I tried reinstalling a couple of times.  No luck.  I get this: "error 1067: the process terminated unexpectedly" when trying to restart the service.  The error log doesn't help me much.  Maybe someone else can decode
it.
2016-08-09 16:55:49.6348 172 5   00000000-0000-0000-0000-000000000000 Error [DirectoryServicesClient+<SearchInternalAsync>d__23] Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=WORK-DNS2.dcsms.org
IsGlobalCatalog=True DistinguishedName=DC=hhh,DC=test,DC=org Scope=Base Filter= AttributeNames=canonicalName objectClass whenCreated displayName distinguishedName objectGUID isDeleted name objectSID whenChanged lockoutDuration lockoutThreshold maxPwdAge minPwdAge
pwdHistoryLength pwdProperties fSMORoleOwner replUpToDateVector] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
   at Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.<SearchInternalAsync>d__23.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient....

RELEVANCY SCORE 62.8

Hi all,
This is a tip for customers working to deploy the lightweight gateway who are receiving 0x80070643. Firstly, that error code is a generic error for an MSI installation failure, so causes and solutions will vary greatly. This thread is specific to the below
scenario.
While deploying the lightweight installer on a 2012 R2 DC that has KB2919355 installed, I repeatedly received 0x80070643 in the GUI of the installer. Reviewing the "*_MsiPackage" log in <C:\Users\%USERNAME%\AppData\Local\Temp> revealed that
the installer was failing to create the Data Collector Set required by ATA:
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at PlaLibrary.IDataCollectorSet.Commit(String name, String Server, CommitMode mode)
at Microsoft.Tri.Infrastructure.Utils.DataCollectorSet.Create(String name, String configurationFilePath)
at Microsoft.Tri.Deployment.Package.Actions.DataCollectorSetActions.Install(Session session)
at Microsoft.Tri.Gateway.Deployment.Package.Actions.CustomActions.InstallFinalize(Session session)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Ob...

RELEVANCY SCORE 62.8

We have 4 domain controllers which acts as an ATA lightweight gateway.
All 4 domain controllers have installed a certificate from our trust CA with the following CNs:
Common Name : Computername(FQDN)
Our ATA Center has a certificate
Common Name: ATA Center URL (ata.<domainFQDN>)
Both certificates have the following specs:
EKU:
Client authentication
Server authentication
Key Type: Exchange
Key Length: 2048
CSP: Microsoft RSA SChannel Cryptographic Provider (Encryption)
We could use both certificates for the ATA gateway<-->ATA center connection, but after the upgrade to ATA 1.8.1 it creates a self-signed certificate and uses that certificate instead of the one from our CA.
I have changed the thumbprint in the gateway JSON file, but after restarting the gateway services it changes back to the self-signed thumbprint.
How can I use my CA certificate instead of the self signed certificate?

RELEVANCY SCORE 62.8

I've installed the Lightweight Gateway on one dc in one of our domains, I see that it's collecting data and learning the environment.  However I'm wondering why I'm able to see other users in other domains within our forest?  If I specified one
domain in the forest why is it collecting users and computers from all domains in the forest from this one DC?

Is it not redundant to have to install the lightweight agent on all DC's in all domains in the forest?

RELEVANCY SCORE 62.8

After running the ATA Sizing Tool, I followed the CPU and memory recommendations and upgraded as needed.  Additionally, post-install, I made the recommended changes to the NIC configurations, as our lightweight gateways are running on VMWare. 
But I still am getting health alerts like the following:
Lightweight Gateway reached a memory resource limit

The Lightweight Gateway, <servername>, stopped itself and will restart automatically to protect the domain controller from a low memory condition
I picked one of the lightweight gateways that was experiencing this alert and added an additional 2GB of memory to it.  This did not resolve the problem.  Additionally, we have plenty of lightweight gateways  (domain controllers); I'm fairly
certain this is not the issue.
Any ideas/thoughts?

RELEVANCY SCORE 62.8

I am looking to apply update 2 (from 1.9 build 1.9.7312) and wanted to know a little bit more about the process, specifically for the lightweight gateways on the DC's. It appears to be generally simple and straightforward, but can they be updated over a stretch of days and not all at once? I presume they are backwards compatible...
Also, is a reboot of the DC's expected after the update is pushed out from the Gateway (I see no mention of it but am compelled to ask.)
Thanks in advance!


I'm running the Lightweight Gateway on two Server 2012 R2 Domain Controllers and the ATA service continually crashes. I've installed .NET 4.6.2 + Dec 2016 rollup on both servers with no effect. This is ATA 1.7 with the MSDN ISO.
From the gateway error logs...
2017-04-04 16:29:08.8518 4348 5 00000000-0000-0000-0000-000000000000 Error [NetworkListener] System.TypeLoadException: Could not load type 'Microsoft.Opn.Runtime.Values.BinaryValueBufferManager' from assembly 'Microsoft.Opn.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
When we look at the GAC'ed binary, Microsoft.Opn.Runtime.dll, the type BinaryBufferManager is indeed missing. So either the wrong assembly is being GAC'ed, or the wrong (old?) assembly is being shipped in the MSDN ISO.


The GAC'ed binary I have is version 4.0.8100.0 @ 3,122,904 bytes (size; not size on disk) with a created date of Wednesday, August 31, 2016, 3:04:22 PM.


Trevor Seward
Office Servers and Services MVP
Author, Deploying SharePoint 2016


This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


Lightweight Gateway

Hello
I have an issue where one of my Lightweight Gateway services started to die on me. I then uninstalled the agent, restarted the DC and then installed the Lightweight Gateway again. After the installation the services still died for me. I then tried to uninstall it again, but the uninstall hung and I had to kill the uninstall.
I searched the forum and found how to remove the product that was in this state by doing this:
1. Remove the services
2. Remove the ata folder in program files
3. Remove references in the registry to ATA
Downloaded a new copy of the client from the console
After doing this I restarted the server and tried to install the gateway again, and it fails with error 0x80070643
Microsoft Advanced Threat Analytics Gateway log
[15E8:1744][2017-04-13T09:36:46]i001: Burn v3.10.3.3007, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Users\ADD-PE~1\AppData\Local\Temp\{801F942A-44AA-4DCE-9D35-0A88CF296AC1}\.cr\Microsoft ATA Gateway Setup.exe
[15E8:1744][2017-04-13T09:36:46]i000: Initializing string variable 'InstallationConfigurationFilePath' to value '[WixBundleOriginalSourceFolder]\GatewayInstallationConfiguration.json'
[15E8:1744][2017-04-13T09:36:46]i000: Initializing hidden variable 'ConsoleAccountPassword'
[15E8:1744][2017-04-13T09:36:46]i000: Initializing hidden variable 'ManagementAuthenticationToken'
[15E8:1744][2017-04-13T09:36:46]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value... Read more


On 1 out of 3 DCs, when installing the lightweight gateway, the service continually restarts (does it ever finish starting?) this is logged in the errors.log:
2016-06-01 10:42:16.6261 6168 19  d2c5f7d0-168d-44da-83c9-3d20f79ce814 Debug [GatewayTelemetryManager] Initializing
2016-06-01 10:42:16.6885 6168 19  d2c5f7d0-168d-44da-83c9-3d20f79ce814 Debug [GatewayTelemetryManager] Initialized
2016-06-01 10:42:16.6885 6168 19  00000000-0000-0000-0000-000000000000 Debug [GatewayModuleManager] Initialized
2016-06-01 10:42:16.6885 6168 19  00000000-0000-0000-0000-000000000000 Debug [GatewayModuleManager] Starting
2016-06-01 10:42:16.7041 6168 19  e86427bf-8853-47f4-b526-fc783fae6065 Debug [PerformanceCounterManager] Starting
2016-06-01 10:42:17.3437 6168 5   00000000-0000-0000-0000-000000000000 Error [IDataCollectorSet] System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Has anyone experienced similar? Or any pointers to find out which actions are being denied?


Hi All,
Our current certificates are expiring at the end of the month for all our lightweight gateway servers. I have recently followed Microsoft's documentation to renew the certificate on the ATA center server, which has been successful, and I can see in the JSON files on the gateways that the thumbprint has updated accordingly.
I am however unsure of the method to update the similar certificate on the lightweight gateways. On the ATA center server I simply used PowerShell to create a new certificate based off the properties of the existing certificate and then synced the changes in the center to the gateways.
What's the best process for updating the certificates on the gateways? I am not using version 1.8, where this is automatically managed by the system, so I need to do this manually.
Hope you can help!
Thanks


I have been setting up ATA 1.7 in our environment. I have installed the ATA gateway on three of our domain controllers, and two are having performance issues. The error I am seeing is
Some network traffic is not being analyzed, with a recommendation of adding additional processor and\or memory. Prior to installing the ATA gateway we did monitor the packets\sec on the network adapter; we averaged around 3000 to 4000, with peaks around 10,000. I have been monitoring for the last 6 hours on them, and we are averaging around 2,500. Spec wise they are running 4 cores 24 GB of RAM, on the one that is working. On the two that are not working one has 4 cores the other has 6 cores, both have 24 GB of RAM. From the documentation these should be more than enough to handle the ATA lightweight gateway.
I have been monitoring resource monitor on the three servers, thinking other AD processes are consuming too much resources to allow ATA to run; the following is what I have seen over the last couple days.
DC 1, Working - (4 Cores) CPU utilization between 25 and 40%. Memory, (24GB) currently at 88% utilized, 21.8 GB used, 1.1 GB free and 1.6 in stand by. The biggest consumer is the lsass.exe process, consuming about 18.5 GBs, tri.gateway.exe with just over 2 GB consumed.
DC 2 Not working - (4 Cores) CPU utilization between 25 and 40%.  Memory (24GB) currently at 75% utilized, 18.3 GB used, 4.5 GB free, and 1.4 GB in stand by... Read more


Hi, we upgraded our ATA Center from 1.7 to 1.8 successfully and pushed the gateway update out to all endpoints; unfortunately all but one DC upgraded. It was showing as disabled on the ATA Center Console. We were unable to manually start the service on the DC and noted that it was disabled there as well.
We attempted to manually update the client to 1.8 however this failed. The ATA lightweight gateway was then un-installed and the server rebooted.
Subsequent attempts to install the 1.8 ATA gateway have failed, initially due to the installer seeing that the target directory is still present. Once this was renamed the installer then fails with error code 0x80070643.
Any assistance is greatly appreciated.
Below is the MsiPackage Log Part1
=== Verbose logging started: 20/09/2017 1:51:11 Build type: SHIP UNICODE 5.00.7601.00 Calling process: C:\Users\xxxxxx\AppData\Local\Temp\2\{D1F7E603-D19D-4DC3-940C-4A8C8E6D80A2}\.be\Microsoft ATA Gateway Setup.exe ===
MSI (c) (44:78) [01:51:11:316]: Resetting cached policy values
MSI (c) (44:78) [01:51:11:316]: Machine policy value 'Debug' is 0
MSI (c) (44:78) [01:51:11:316]: ******* RunEngine:
******* Product: C:\ProgramData\Package Cache\{E7B0C59F-1F36-4068-9ACD-2A0AB84315D8}v1.8.6765.36693\Microsoft.Tri.Gateway.Deployment.Package.msi
******* Action:
******* CommandLine: **********
MSI (c) (44:78) [01:51:11:316]: Client-side and UI is none or basic: Running entire install on the server.
MSI (... Read more


Now that ATA 1.6 supports installing the lightweight GW on the actual DC, is it still required to setup event forwarding or does the LWG do that automatically?


Hello,
I followed the deployment guide to create Event Viewer Subscriptions to forward Event ID 4776 to the DC itself; since each of my DCs has the Lightweight Gateway.
On the ATA Center I have enabled Windows Event Forwarding and the configuration has synced with the Lightweight Gateways.
However what I am having an issue with is, I do not see "Forwarded Events" anywhere in ATA Center. This is likely because there are no Event ID 4776 generated.
How can I test/verify that my event forwarding configuration is actually working on my DCs? How can I simulate/create an Event ID 4776?
We are running latest ATA build 1.7.
It is important to be able to prove out event forwarding is actually working; can anyone from ATA team give some guidance to generate ID 4776 so it triggers the "Forwarded Events" in ATA Center?


I am having problems installing the lightweight gateway on almost all of our DCs. I was able to successfully install a lightweight gateway on our one DC that is running server 2016. All the rest of the DCs are running server 2012r2 and fail every time. I have verified that all the KBs are installed and I have tried all the different fixes online. I have also tried running the exe with PSexec, but I am absolutely unable to get this installed on any DC with Server 2012R2. Any help would be greatly appreciated. I attached the log file below
[30EC:17F4][2017-08-28T10:51:36]i001: Burn v3.11.0.1701, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Users\administrator\AppData\Local\Temp\3\{63073131-4E95-4ABD-ADC7-D3845D0DA484}\.cr\Microsoft ATA Gateway Setup.exe
[30EC:17F4][2017-08-28T10:51:36]i000: Initializing string variable 'InstallationConfigurationFilePath' to value '[WixBundleOriginalSourceFolder]\GatewayInstallationConfiguration.json'
[30EC:17F4][2017-08-28T10:51:36]i000: Initializing hidden variable 'ConsoleAccountPassword'
[30EC:17F4][2017-08-28T10:51:36]i000: Initializing hidden variable 'ManagementAuthenticationToken'
[30EC:17F4][2017-08-28T10:51:36]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[30EC:17F4][2017-08-28T10:51:36]i009: Command Line: '"-burn.clean.room=C:\temp\Microsoft ATA Gateway Setup-1-8-2\Microsoft ATA Gateway Setup.exe" -burn.filehandle.... Read more


Is there a documented or recommended procedure for reverting a Lightweight Gateway upgrade?  Is reverting an ATA upgrade supported?
I need to submit install and back out procedures for documentation purposes and can't seem to find this information on the ATA documentation site.


Hi

We are trialing ATA, our setup:
ESXi version = 5.1 - older but is it truly significant?
ATA Center 1.91 on Windows Server 2016 on ESXi - 32 Gb RAM, 300Gb HDD
ATA Lightweight Gateway - one operates ok on a physical AD server.
The second (and last) Lightweight Gateway install attempts on a VM - AD  server (2012 R2 with KB 2919355 installed, 2 core, 8Gb memory) every time crashes the ESX host on attempt to install.
I don't think we are using memory sharing (how to verify this please?). Memory Hot Add is disabled at least.
The sizing tool indicates there shouldn't be a resource issue. 
ESX crashes almost as soon as we click on download and install the Gateway to the DC from a web interface on the DC.
Thanks
Best Regards
Al


Hi All,
I've recently deployed ATA 1.6 as a POC in our testing environment using the ATA Lightweight Gateway on only one of the DC's. Just have a few questions I don't think are clearly covered off in the doco;
1. Is it best practice to install the ATA Lightweight Gateway on ALL DC's in the domain to be monitored?
2. Any issues with installing the ATA Lightweight Gateway on a read only DC?
3. Assuming this is a no, but is it necessary to forward windows security logs for event ID 4776 for the DC on which the ATA Lightweight Gateway service is installed? The way the doco reads (could have been the lack of coffee at the time too) it could be interpreted that the ATA LW Gateway only reads forwarded events, even if the DC is forwarding them to itself.


I'm trying to install the ATA Lightweight gateway on Server 2016 Core Domain controller. I have this installed on other Server 2016 core DCs and no issue. This particular server gives the error below. Any help is greatly appreciated. Firewall is disabled.
Resources are fine.

2018-07-09 14:29:37.8435 5304 5   Error [WebClient+<InvokeAsync>d__8`1] System.Net.Http.HttpRequestException: PostAsync failed [requestTypeName=UpdateGatewaySystemProfileRequest] ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 500 (Internal server error).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at async Microsoft.Tri.Common.Communication.WebClient.PostAsync[](?)
   at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
   --- End of inner exception stack trace ---
   at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
   at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
   at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.GetConfigurationAsync[](?)
   at async Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.UpdateConfigurationAsync[](?)
   at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.UpdateConfigurationAsync[](?)
   at async Microsoft.Tri.Infrastructure.Framework.Configu... Read more
