Sentinel status “Unreachable” or “Unknown”

Make sure that standard communication is allowed.

The management computer with the Specops Password Policy Domain Administration Tool installed must be able to communicate with the domain controllers on:

LDAP: TCP 389

SMB: TCP 445

Kerberos: TCP 88, 464

DNS: TCP/UDP 53

Other common client protocols

RPC (Remote Procedure Call)

RPC should be open/allowed between the domain controllers and the management computer.

The Specops Password Policy Domain administration tool will connect to the admin$ share on each domain controller to read the status of the Specops Password Sentinel. This requires full RPC access.

Permissions

The user account you’re logged in with on the management computer when running the Specops Password Policy Domain Administration Tool must be able to access the admin$ share on each domain controller. The Sentinel state is queried by connecting to the admin$ share on the domain controller, which requires domain admin level permissions. Confirm that you’re able to browse the admin$ share on the domain controller, e.g. \\servername\admin$

To be precise, two files are checked on the domain controller: SppFilter.dll and SPPFilterinfo.json

Domain admins usually have permission, via the admin$ share, to read, write, read & execute, and modify these files during installations, upgrades, etc. Full Control is recommended.

Web API status

The Web API serves requests on port 4385.

By default, the Web API is enabled on the domain controller that holds the PDC emulator role. The Sentinel state in the admin tool should say Enabled or OK (depending on your installed Specops Password Policy version). The main function of the Web API is to run breached password scans and send test emails.

Specops will automatically detect the PDC domain controller and enable the Web API if the Specops Password Policy Sentinel service is running and port 4385 isn’t blocked. When the Web API is enabled on the domain controller, it adds an inbound rule for port 4385.

If necessary, the Web API can be enabled or disabled manually on the domain controller with a registry key. Note that this also requires a restart of the Sentinel service to take effect.

HKLM\SOFTWARE\Specopssoft\Specops Password Policy\SentinelService

Create a DWORD called EnableWebAPI and set it to 1 or 0
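
The checks described in this article can be run in one pass from the management computer. The following PowerShell script is an added example, not Specops code: it tests the listed TCP ports on every domain controller, port 4385 on the PDC emulator, and whether the current account can browse admin$. Port 135 (the standard RPC endpoint mapper) is an assumption that is not listed in the article, and dynamic RPC ports and UDP 53 are not tested.

```powershell
# Added example (not part of the Specops product): pre-checks for a Sentinel
# status of "Unreachable" or "Unknown". Run on the management computer as the
# same account that starts the administration tool.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

# TCP ports listed in the article, plus 135 (assumption: standard RPC endpoint
# mapper port, not stated in the article).
$ports = @(
    @{ Name = 'LDAP';                Port = 389 },
    @{ Name = 'SMB';                 Port = 445 },
    @{ Name = 'Kerberos';            Port = 88  },
    @{ Name = 'Kerberos';            Port = 464 },
    @{ Name = 'DNS';                 Port = 53  },
    @{ Name = 'RPC endpoint mapper'; Port = 135 }
)

function Test-TcpPort([string]$Computer, [int]$Port) {
    # Returns $true or $false only; suppresses the warning shown on failure.
    Test-NetConnection -ComputerName $Computer -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

$results = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name

    foreach ($p in $ports) {
        [pscustomobject]@{
            DC     = $name
            Check  = '{0} TCP {1}' -f $p.Name, $p.Port
            Passed = Test-TcpPort $name $p.Port
        }
    }

    # By default the Web API listens only on the PDC emulator.
    if ($name -eq $pdc) {
        [pscustomobject]@{ DC = $name; Check = 'Web API TCP 4385'
                           Passed = Test-TcpPort $name 4385 }
    }

    # The admin tool reads the Sentinel state through admin$, so the current
    # account must be able to browse it.
    $share = '\\{0}\admin$' -f $name
    [pscustomobject]@{ DC = $name; Check = "Browse $share"
                       Passed = Test-Path -LiteralPath $share -ErrorAction SilentlyContinue }
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Passed }   # failed checks only
```

A failed 4385 check on the PDC emulator with every other check passing points at the Web API section above; a failed admin$ check with SMB 445 passing points at permissions.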

Publication date: November 16, 2023
Modification date: February 23, 2024
