Overview π₯
In some environments, the Active Directory Inspector may successfully run but fail to collect data for specific components such as:
β
Users
β
Computers
β
Groups
β
DNS
β
DHCP
Partners typically notice:
Missing or incomplete Dataprints
Alerts not triggering correctly
Inspection failures or timeouts
Data appearing intermittently
Common log errors include:
Task timed out after 600 seconds
No such host is known
Unable to resolve DNS hostname
Unable to obtain DNS hostname of domain controller
The specified module 'DhcpServer' was not loaded
β Important Understanding
The Active Directory Inspector does not generate directory data.
It reads information directly from:
Domain Controllers
Active Directory Services
DNS infrastructure
DHCP services
If Windows or Active Directory cannot return data reliably, the inspector cannot collect it.
How the Active Directory Inspector Works π€
Understanding this eliminates most confusion.
Liongard Agent
β
βΌ
Discover Domain Controllers via DNS
β
βΌ
Connect using AD PowerShell Queries
β
βΌ
Query AD Objects + Infrastructure
β
βΌ
Return Dataprint to Liongard Platform
Failure at any step results in missing object types.
Why This Happens π§
Below are the real technical causes, ordered by frequency.
π 1. DNS Resolution Problems (Most Common Cause)
Active Directory heavily depends on DNS.
If the Liongard Agent cannot resolve a Domain Controller hostname:
β Connection fails
β Queries timeout
β Data collection stops
Typical causes:
Stale DNS records
Decommissioned Domain Controllers
Incorrect DNS server configured
Missing DNS suffix
π₯οΈ 2. Offline or Stale Domain Controllers
Active Directory may still advertise Domain Controllers that:
No longer exist
Are powered off
Failed demotion cleanup
The inspector attempts connection β waits β timeout occurs.
Result:
Task timed out after 600 seconds
Unable to obtain DNS hostname
βοΈ 3. Missing PowerShell / RSAT Modules
The inspector relies on Microsoft modules:
Module | Purpose |
ActiveDirectory | Queries Users, Groups, Computers |
DhcpServer | Collects DHCP configuration |
If missing β collection fails silently.
𧩠4. Active Directory Replication Issues
Each Domain Controller may contain slightly different data.
Broken replication causes:
Partial Users list
Missing Groups
Inconsistent inspections
π 5. Permission or GPO Restrictions
Security hardening or restrictive GPOs may block read operations required by inspection.
π 6. Large Active Directory Environments
Very large environments can exceed execution time limits.
Example:
50,000+ users
Multi-site domains
High latency between agent and DC
Common Error β Cause Mapping π
Log Message | Meaning |
Task timed out | DC unreachable or slow |
No such host is known | DNS failure |
Module not loaded | RSAT missing |
Unable to resolve hostname | Stale DC entry |
Partial Dataprint | Replication or permissions |
Step To Resolve π¨βπ»
1οΈβ£ Run Inspector in Debug + Clear Cache Mode
Why We Do This?
Removes cached results and forces a fresh Active Directory query.
How?
Admin β Inspectors β Active Directory
Right-click Inspector
Run β Clear Cache + Debug Mode
What This Shows:
Debug logs reveal exact failure point:
Users
DNS
DHCP
Groups
2οΈβ£ Verify Domain Controller Discovery (DNS Test)
Why This Matters?
Active Directory discovery happens entirely through DNS.
If DNS fails β inspection fails.
1. Run on Liongard Agent Server:
nltest /dclist:yourdomain.local
What This Command Does:
Queries Active Directory
Lists all advertised Domain Controllers
Expected Result:
All returned DC's must exist and be reachable.
2. Test DNS Resolution
Resolve-DnsName <DomainControllerFQDN>
β Confirms hostname resolves to IP.
3. Test Network Connectivity
Test-Connection <DomainControllerName>
β Confirms network communication.
If Failure Occurs, Likely causes are:
Offline DC
Incorrect DNS record
Firewall issue
3οΈβ£ Confirm Agent DNS Configuration
Why?
The agent must use Active Directory DNS, not public DNS.
Run:
ipconfig /all
Verify:
β
DNS server = Domain Controller
β
DNS suffix matches domain
β Google / ISP DNS configured
4οΈβ£ Verify Required PowerShell Modules
Why This Is Required?
Liongard queries AD using Microsoft cmdlets like:
Get-ADUser
Get-ADComputer
These exist only when RSAT components are installed.
Check Modules:
Get-Module -ListAvailable ActiveDirectory
Get-Module -ListAvailable DhcpServer
Install Missing Modules:
Install-WindowsFeature RSAT-AD-PowerShell
Install-WindowsFeature RSAT-DHCP
Expected outcome:
β Modules load successfully
β Inspector retrieves data
5οΈβ£ Validate Active Directory Query Performance
Why?
Confirms AD itself responds normally.
Run:
Get-ADUser -Filter * -ResultSetSize 10
Get-ADComputer -Filter * -ResultSetSize 10
Get-ADGroup -Filter * -ResultSetSize 10
What This Tests:
AD responsiveness
Permissions
Query execution health
Interpretation:
Result | Meaning |
Fast output | Healthy AD |
Slow response | Performance issue |
Errors | Permission/module issue |
6οΈβ£ Check Domain Controller Health
Run on a Domain Controller:
dcdiag /v
What It Does:
Microsoft diagnostic verifying:
DNS health
Authentication
Replication
DC availability
Check replication:
repadmin /replsummary
Why It's Important?
Inspector queries may hit different DCs.
Replication failure = inconsistent data.
7οΈβ£ Validate Active Directory Sites & Services
Open:
Active Directory Sites and Services
Confirm:
β
All DCs are active
β
No removed servers remain
β
NTDS connections valid
Remove stale entries if found.
8οΈβ£ Restart Agent After Fixes
Restart-Service LiongardAgent
Why?
Reloads environment
Clears cached connections
Applies DNS/module fixes
Then rerun inspector.
Troubleshooting Flow π§
Missing AD Data
β
βΌ
Run Debug Inspection
β
βΌ
DNS Resolution OK?
βββ No β Fix DNS / Remove stale DC
βββ Yes
β
βΌ
Modules Installed?
βββ No β Install RSAT
βββ Yes
β
βΌ
AD Queries Work?
βββ No β Permission / DC issue
βββ Yes
β
βΌ
Replication Healthy?
βββ No β Fix AD replication
βββ Yes
β
βΌ
Inspection Successful β
Security & Operational Impact π
Unhealthy AD environments may indicate:
Stale Domain Controllers
Lingering authentication objects
Incorrect DNS trust paths
Increased attack surface
Fixing inspection failures often improves overall AD security posture.
When to Contact Liongard Support π¦
If the issue persists, Open a ticket: Click the support icon or visit support.liongard.com
Provide:
β
Inspector Debug Logs
β
Agent OS + Version
β
Output of:
1. dcdiag /v
2. repadmin /replsummary
3. Resolve-DnsName <DomainControllerFQDN>
4. Resolve-DnsName <DomainControllerFQDN>
5. Get-Module -ListAvailable ActiveDirectory
6. Get-Module -ListAvailable DhcpServer
7. nltest /dclist:yourdomain.local
8. Get-ADUser -Filter * -ResultSetSize 10
9. Get-ADComputer -Filter * -ResultSetSize 10
10. Get-ADGroup -Filter * -ResultSetSize 10
β
Number of Domain Controllers
β
Screenshot of missing Dataprint section