Forum Discussion
ATP and group managed service account not working on RODC
I also tried PowerShell Get-Service:
Get-Service npf
Get-Service : Cannot find any service with service name 'npf'.
At line:1 char:1
+ Get-Service npf
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (npf:String) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand
19873306 Make sure you are running elevated when running this.
If you still can't find npf driver, check also
sc qc npcap
If you don't have this one as well, then you have no capturing driver installed, which means the sensor cannot work.
I would try to uninstall and reinstall. If the same problem returns, it means you have something that is somehow blocking or reversing the driver installation.
Most likely a 3rd party security software, so try to disable it during or before deployment to see if it makes things work.
- EliOfek Sep 19, 2020
Microsoft
19873306
So it seems you are over the initial issue. As for the gMSA issue, it's a bit more tricky.
Check errors and warnings in both the sensor logs and the updater logs around this time span to see if you get new insights about what went wrong, or else I suggest opening a support case as it might be tricky.
- 19873306 Sep 18, 2020 Copper Contributor
EliOfek I uninstalled the sensor, rebooted, then reinstalled.
I now have
C:\WINDOWS\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\drivers\npf.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetGroup Packet Filter Driver
DEPENDENCIES :
SERVICE_START_NAME :

C:\WINDOWS\system32>
However, the sensor still will not start
Partial error message:
2020-09-18 22:55:35.0283 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password.
The referenced group managed service account is installed on the server, and tests true from PowerShell.
Partial event log message in directory services indicates the password is fetched successfully:
A caller successfully fetched the password of a group managed service account.
Group Managed Service Account Object:
CN=Microsoft Azure ATP Sensor,OU=ATP,OU=Azure