Skip to main content

Active Directory | Inspector Fails to Collect Data for Users / Computers / Groups / DNS / DHCP

Active Directory, Data missing, Users, Groups, Computers, Task timed out, Unable to obtain DNS hostname, Unable to resolve the DNS hostname, Incomplete Data, AD

Updated over 3 weeks ago

Overview 💥

Sometimes, the Active Directory inspector in Liongard can fail to collect information for one or more object types like Users, Computers, Groups, or DNS. When this happens, you might notice:

  • Missing or incomplete data prints

  • Failed alerting and reporting

  • Debug logs showing errors like:

    • Task timed out

    • No such host is known

    • PowerShell module import failures

These issues are typically environment-specific and relate to:

  • DNS misconfigurations

  • Stale or offline domain controllers (DCs)

  • Performance bottlenecks due to large object counts

  • Insufficient permissions or restrictive GPOs

Think of it like a communication channel between two systems: the pathway must be clear, properly configured, and both endpoints must be able to accurately send and receive signals.

Why Does This Happen? 🤔

Cause

Explanation

DNS Resolution Failures

  • Trigger: If the Liongard agent cannot resolve a domain controller’s hostname to an IP address, it cannot establish a connection to collect data.

  • Typical Causes: Stale or incorrect DNS entries, missing DNS suffixes on the agent server, or DNS servers that are slow or unreachable.

  • Effect: Inspector logs may show “Unable to resolve the DNS hostname” or “No such host is known.”

Missing PowerShell Modules

  • Trigger: The inspector relies on modules like ActiveDirectory or DhcpServer to query AD objects. If a required module is absent or cannot be loaded, collection fails.

  • Typical Causes: RSAT tools not installed, restricted execution policies, or modules blocked by GPO.

  • Effect: Errors such as “The specified module ‘DhcpServer’ was not loaded” appear in logs.DhcpServer must be installed. Otherwise, errors occur during collection.

High Object Volume / Latency

  • Trigger: Very large environments with thousands of users or groups can exceed inspector timeouts, causing tasks to fail.

  • Typical Causes: High AD object count, slow domain controllers, or network latency between agent and DCs.

  • Effect: Log entries like “Task timed out after 600 seconds” for Users, Groups, or Computers.

Stale or Decommissioned DCs

  • Trigger: The agent attempts to query a DC that is offline or incorrectly registered in Active Directory Sites and Services.

  • Typical Causes: Decommissioned DCs not removed from topology, offline servers, or replication issues.

  • Effect: Inability to retrieve DNS, group, or computer data for that domain controller.

Replication Failures / Broken NTDS Settings

  • Trigger: Inconsistent AD replication can prevent the agent from accessing certain objects, resulting in partial or missing data.

  • Typical Causes: Replication latency, misconfigured NTDS settings, or lingering objects from removed DCs.

  • Effect: Missing Users or Groups, or incomplete DNS entries in inspector logs.

Insufficient Permissions / GPO Interference

  • Trigger: If the agent’s service account lacks read access to required AD objects or is restricted by policies, collection will fail.

  • Typical Causes: Account missing membership in required groups, blocked by restrictive GPO settings, or UAC restrictions.

  • Effect: Partial data collection or permission-related errors in logs.

Pro Tip: Even the most diligent inspector can’t retrieve data if the network is blocked or DNS is misconfigured. Think of it as trying to read a book through a brick wall! 🕵️‍♂️

Common Errors Observed 👀

Object Type

Error Message in Logs

Groups

Task timed out after 600 seconds

Users

Task timed out after 600 seconds

Computers

Error retrieving IP address: No such host is known

DHCP

The specified module 'DhcpServer' was not loaded

Computers

Task timed out after 300 seconds

DHCP

Failed to get version/configuration from DHCP server

AD Attributes

The 'msDS-SPNSuffixes' attribute is not present

DNS

Unable to obtain DNS hostname of domain controller

DNS

Unable to resolve the DNS hostname

Step-by-Step Resolution 🧑‍🏫

1️⃣ Run Inspector in Clear Cache + Debug Mode

Why: Forces a fresh data pull and exposes the exact failure points.

How:

  1. Go to Admin > Inspectors > Active Directory.

  2. Right-click the inspector → Run > Clear Cache + Debug Mode.

  3. Check logs for failed object types.

Next: Focus troubleshooting on the failed object types (Users, Groups, DNS, etc.).

2️⃣ Verify Agent Connectivity & DNS Resolution

Why: Liongard agents must resolve and reach DC hostnames.

How: On the agent server:

Test-Connection <DomainControllerName> Resolve-DnsName <DomainControllerFQDN>

Watch For:

  • Resolve-DnsName failure → stale/missing DNS entries

  • Test-Connection failure → DC offline or firewall issues

Next: Fix DNS records, ensure DC availability, adjust firewall as needed.

3️⃣ Check Event Logs & PowerShell Output

Why: Some errors are visible only locally, not in inspector logs.

How: On the DC:

Get-ADUser -Filter * -ResultSetSize 10 Get-ADComputer -Filter * -ResultSetSize 10 Get-ADGroup -Filter * -ResultSetSize 10

Interpretation:

  • Slow results → performance bottlenecks

  • Failures → missing modules or insufficient permissions

Next: Install missing features, raise permissions, or split inspector loads.

4️⃣ Verify PowerShell Modules & Features

Required Modules:

  • ActiveDirectory

  • DhcpServer

Check Installed Modules:

Get-Module -ListAvailable

Install Missing Modules:

Install-WindowsFeature RSAT-AD-PowerShell Install-WindowsFeature RSAT-DHCP

Next: Re-run the inspector.

5️⃣ Verify Agent Permissions

Why: Insufficient read access or GPO restrictions cause missing/partial data.

Check:

  • Service account group membership

  • GPOs or UAC restrictions

6️⃣ Split the Load (Optional)

Why: Very large AD environments can exceed inspector processing limits.

How:

Next: Test object-specific inspectors (e.g., Users-only or DNS-only) to isolate load impact.

Advance Troubleshooting 👨‍💻

Step

Action & How-To

Reason / Why It Matters

Expected Outcome / What to Look For

1

Run dcdiag /v and repadmin /replsummary

  • Open PowerShell/Command Prompt on a DC

  • Execute dcdiag /v

  • Execute repadmin /replsummary

Checks DC health, DNS resolution, and replication integrity to ensure Liongard can collect data reliably

dcdiag /v: Look for DNS errors, unreachable DCs, replication failures
repadmin /replsummary: Look for replication latency, failed replication partners

2

Review Active Directory Sites & Services

  • Open AD Sites & Services

  • Verify all DCs are online and correctly named

  • Check replication topology

Ensures Inspector targets only live, reachable DCs

Prevents failures caused by querying offline or misconfigured DCs

3

Remove stale NTDS connections / decommissioned DCs

  • Identify stale connections via AD Sites & Services or PowerShell

  • Remove or disable them

Avoids Inspector targeting non-existent DCs, improving reliability

Streamlined replication and consistent object retrieval

4

Confirm agent server DNS suffix

  • Check server DNS suffix matches AD domain (Control Panel → System → Advanced → Computer Name → More)

  • Test Resolve-DnsName <DC FQDN> and Test-Connection <DC Name>

Accurate DNS ensures agent can resolve and communicate with all DCs

Successful hostname resolution and stable connectivity for data collection

5

Restart Liongard agent & rerun inspectors

  • Restart the Liongard agent service

  • Run Inspector in Clear Cache + Debug Mode

Applies configuration changes and refreshes cached data

Confirms fixes are effective; Inspector collects complete and accurate data

Why Cleaning Up AD / NTDS / DNS Settings Matters for Security 🔒

Maintaining a clean and accurate Active Directory environment isn’t just about preventing inspector failures, it’s also a critical security best practice. Here’s why:

  1. Reduces Attack Surface

    • Stale or decommissioned domain controllers that remain in AD Sites and Services or NTDS settings may still appear in network scans. Attackers could target these outdated systems if they’re not properly removed.

    • Removing old objects ensures that only legitimate, active systems can be queried or attacked.

  2. Prevents Unauthorized Access

    • Stale computer accounts or orphaned DCs can have old credentials or tokens cached, which may be exploited.

    • By cleaning up NTDS and DNS entries, you ensure that only active, properly configured systems can authenticate and interact with AD.

  3. Improves Audit and Compliance Posture

    • Security audits often flag inconsistencies in AD, like inactive DCs or stale NTDS connections.

    • Regular cleanup demonstrates compliance with internal security policies and standards like ISO 27001 or SOC 2.

  4. Enhances Incident Response

    • Accurate AD data ensures that logs, alerts, and audit trails reflect reality.

    • If a breach or suspicious activity occurs, knowing exactly which systems are active allows faster detection and containment.

  5. Supports Secure Agent Operations

    • Liongard agents rely on AD accuracy to pull data securely. Stale or misconfigured entries could result in misrouted queries, failed inspections, or incomplete alerts, which might mask potential security gaps.

Tip 💡: Combine this cleanup with regular DNS health checks, DC decommissioning procedures, and OU trimming to maintain a robust, secure AD environment.

Quick Summary 🌟

Issue Encountered!


Run Inspector (Clear Cache + Debug Mode)


Check Debug Logs

  ├─► Failure in Users/Groups/Computers/DNS?
  │       │
  │       ▼
  │   Check Agent Connectivity & DNS Resolution
  │       │
  │       ├─► DNS Fails?
  │       │       │
  │       │       ▼
  │       │   Update DNS Records & Verify Host Availability
  │       │
  │       └─► Connectivity Fails?
  │               │
  │               ▼
  │           Check Firewall & Network


Check PowerShell Modules & Features

  ├─► Missing ActiveDirectory/DHCP Modules?
  │       │
  │       ▼
  │   Install RSAT-AD-PowerShell / RSAT-DHCP


Check Agent Permissions & GPOs

  ├─► Insufficient Permissions?
  │       │
  │       ▼
  │   Adjust Account Rights / Test with Elevated Account


Optional: Split Load

  ├─► Large AD Environment?
  │       │
  │       ▼
  │   Create Separate Inspectors per DC / Limit Object Scope


Additional Checks

  ├─► Run dcdiag / repadmin / Check AD Sites & Services

  └─► Confirm DNS Suffix & Agent Hostname


Rerun Inspector

  ├─► Success?
  │       │
  │       ▼
  │   Data Collected Successfully ✅

  └─► Failure?


    Contact Liongard Support

Contact Liongard Support 🦁

If the issue persists:

Provide:

  • Inspector debug logs

  • PowerShell outputs (dcdiag, repadmin, Resolve-DnsName)

  • Agent version & OS

  • Domain topology details (DCs, OUs, decommissioned servers)

Open a ticket: Click the support icon or visit support.liongard.com

Additional Resources 🤩

  1. Active Directory Inspector Setup Process

  2. Microsoft Active Directory | Can I exclude users from User-Related Active Directory Actionable Alerts?

  3. Microsoft Active Directory | Privileged Users List

  4. Microsoft Active Directory | What version of Windows Server does Liongard Support for Active Directory inspection?

  5. Active Directory | Inspector Updates and Reconfiguration Steps

  6. Microsoft Active Directory | DHCP/DNS Information Missing

  7. Microsoft Active Directory | Default Domain Policy Information Source

  8. Microsoft Active Directory | "Computers with Anomalous Login Activity" Alert

  9. Inspector: Active Directory | Error : The inspector job exited with a non-zero exit code

Did this answer your question?