May 25 2020 07:52 PM
May 25 2020 11:46 PM
May 26 2020 05:37 AM
May 26 2020 12:01 PM
@ISEGOVIA . Telemetry shows this error happens on 5 sensors, all of them belonging to the same workspace (probably yours 🙂
This is unknown issue, and too complex to resolve over the forums as it will require exchanging sensitive info.
I strongly suggest to open a support ticket to handle it.
Eli.
Jun 05 2020 02:50 PM
Hi @EliOfek:
As you suggested, we put together a premier support case for analysis of the incident presented. I tell you that we were recommended to create and use a gMSA account in the environment. This account was generated according to the documentation, also, it was validated that all the communication ports necessary for the service will be open, the use of wireshark in DCs was ruled out and the sensor version was updated to 2.115.8077, however the Azure ATP service continues without starting.
Logs only show us the following errors:
Microsoft.Tri.Sensor.Updater
2020-06-03 19:34:27.1581 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
Microsoft.Tri.Sensor-Errors
2020-06-03 19:38:08.2531 Error DirectoryServicesResolver+<CreateDomainAsync>d__130 System.NullReferenceException: Object reference not set to an instance of an object.
at async Task<Domain> Microsoft.Tri.Sensor.DirectoryServicesResolver.CreateDomainAsync(DistinguishedName distinguishedName, Guid domainControllerConfigurationGuid)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()+(?) => { }
at async Task<IReadOnlyCollection<TDestinationItem>> Microsoft.Tri.Infrastructure.EnumerableExtension.SelectAsync<TSourceItem, TDestinationItem>(IEnumerable<TSourceItem> enumerable, Func<TSourceItem, Task<TDestinationItem>> selectorAsync)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()
at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.ModuleManager.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Thanks for your help.
Jun 05 2020 03:09 PM
@ISEGOVIA I am working with the escalation engineer on this one. I got to take a look at the dumps collected today a few minutes ago and found an interesting insight about the possible root cause.
Since it involves specific domain information, support will elaborate on what was found and what to check next.
Jun 09 2020 12:34 PM
Hi @Eli Ofek
I comment that reviewing the Azure ATP portal today we can see that one of the sensors is already running correctly and the Azure ATP tool is already starting to report information from the environment.
However the other sensors still continue in starting.
I attach the evidence.
Thanks for your help.
May 13 2022 02:03 AM