
Connecting Active Directory.

Known errors when connecting an Active Directory domain to TenLens and how to resolve them, including read-account (LDAP) failures and per-server event collection errors.

Updated: May 28, 2026 · Read time: 7 min · Applies to: beta

TIP · Two independent health signals

The Servers step shows two separate things: a domain-wide read account banner (the LDAP bind used for both directory queries and remote event collection) and a per-server health pill (whether TenLens can read that machine's audit logs). They fail independently, so a green read-account banner with a red server pill is normal and tells you the credentials are fine but one machine is unreachable.

Where errors show up

When you connect an Active Directory domain, TenLens checks health continuously and surfaces problems in two places on the Servers and forwarding step of the wizard:

  • Read account banner (top of the step): the domain read account's LDAP bind. Green means TenLens can query the directory and authenticate for remote event collection. Red means the bind is failing for the whole domain.
  • Per-server health pill (each row): whether TenLens can actively read that server's audit logs right now. Healthy, Error (with a message), or Via forwarder.

Every issue below maps to one of those two signals. After fixing the underlying cause, click Save and re-check health to re-run the checks immediately, or wait for the automatic refresh.

Read account cannot reach the domain

WARNING · What you see

Red read-account banner: "Read account cannot reach the domain", often with "The LDAP server is unavailable".

This means the domain read account could not bind over LDAP. Because the same account is used for directory queries and remote event collection, fix this first; it can mask per-server checks.

Common causes and fixes:

  • Wrong domain or host. The read-account host should be the domain DNS name (for example contoso.com) or a reachable domain controller. Confirm the value on the Read account step.
  • Wrong username or password. Re-enter the read account credentials on the Read account step. Use the account's domain login (for example CONTOSO\svc-tenlens).
  • DNS cannot resolve the domain. The collector machine must resolve the domain name to a domain controller. On a domain-joined collector this is automatic; on a non-joined machine, point DNS at a domain controller.
  • LDAP port blocked. By default TenLens uses integrated authentication (an encrypted Kerberos/NTLM bind) over TCP 389, so the collector only needs that one port open to the domain controller and no LDAPS certificate is required. If you selected Simple bind over LDAPS on the Read account step, the collector instead needs TCP 636 open and a valid LDAPS certificate installed on the domain controller. Confirm no firewall is blocking the port your chosen mode uses.
  • Domain controller down. Confirm the target domain controller is running and reachable.

After correcting the value, click Save and re-check health; the banner turns green when the bind succeeds.

NOTE · Which authentication to choose

Integrated (recommended) keeps the bind encrypted on port 389 and needs no certificate, which works on a default domain controller out of the box. Choose Simple bind over LDAPS only when your policy requires certificate-based TLS and your domain controllers already have an LDAPS certificate.
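To reproduce the read account bind from the collector host before re-running the wizard, the following script is an added example (not TenLens code) that walks the DNS, port and bind checks above in both wizard modes; the domain name, account and mode are assumptions to substitute:

```powershell
# Added example, not part of TenLens: reproduce the read-account LDAP bind
# from the collector host. $Domain and $Mode are assumptions; substitute yours.
param(
    [string]$Domain = "contoso.com",                       # domain DNS name or a DC hostname
    [ValidateSet("Integrated", "SimpleLdaps")]
    [string]$Mode   = "Integrated"                         # mirrors the two Read account options
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Cred = Get-Credential -Message "Read account, as domain login (e.g. CONTOSO\svc-tenlens)"

# 1. DNS: the collector must resolve the domain name to at least one domain controller
$dcs = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
Write-Host "DNS: $Domain -> $($dcs.IPAddress -join ', ')"

# 2. Port: Integrated binds on TCP 389, Simple bind over LDAPS on TCP 636
$port = if ($Mode -eq "Integrated") { 389 } else { 636 }
$tcp = Test-NetConnection -ComputerName $Domain -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP $port to $Domain is blocked; check firewalls" }

# 3. Bind the same way each wizard mode does
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Domain, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.Credential = $Cred.GetNetworkCredential()
if ($Mode -eq "Integrated") {
    # Kerberos/NTLM bind with signing and sealing: encrypted on 389, no certificate required
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
} else {
    # Password sent inside TLS: the domain controller must present a valid LDAPS certificate
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.SecureSocketLayer = $true
}
try {
    $conn.Bind()
    Write-Host "Bind OK as $($Cred.UserName) via $Mode on port $port"
} catch [System.DirectoryServices.Protocols.LdapException] {
    # ErrorCode 81 is "The LDAP server is unavailable" (host, DNS or port problem);
    # 49 means the domain controller rejected the username or password.
    Write-Host "Bind FAILED (LDAP error $($_.Exception.ErrorCode)): $($_.Exception.Message)"
}
```

A bind that succeeds here but still shows a red banner in the wizard usually means the wizard's Read account step holds a different host, username or mode than the one you just tested.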

Server shows a remote procedure call error

WARNING · What you see

Red Error pill on a server row with "The remote procedure call failed." or "The RPC server is unavailable."

TenLens reads each server's audit logs over RPC. This error means the collector reached the network but could not open the remote Event Log service. The most common cause is the Windows firewall on the source server.

  1. Allow Remote Event Log Management on the server

     On each domain controller (or forwarder) TenLens reads from, enable the built-in firewall rule group. In an elevated PowerShell session on that server:

     POWERSHELL
     Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"

  2. Confirm RPC connectivity

     Remote event collection uses TCP 135 (the RPC endpoint mapper) plus a range of dynamic high ports. Make sure both are open from the collector to the server. If a network firewall sits between them, allow that traffic.

  3. Re-check health

     Back in the wizard, click Save and re-check health. The pill turns green once the remote read succeeds.

NOTE

TenLens uses an active liveness check, so this error reflects the live state of the server. It clears on the next health check as soon as the server becomes reachable, and reappears if it breaks again.

Server shows access is denied

WARNING · What you see

Red Error pill with "Access is denied." while the read-account banner is green.

The collector reached the server but the read account lacks permission to read its logs remotely. Grant the read account the least privilege it needs on the source server:

  • Add the read account to the Event Log Readers built-in group to read most logs remotely.
  • The Security log additionally requires the Manage auditing and security log user right (or membership in a group that has it). Many environments grant this through a delegated group rather than Domain Admins.

After adjusting group membership, allow a short delay for the change to apply, then click Save and re-check health.

Collector is unreachable

WARNING · What you see

Errors mentioning "Could not read collector status", "connection refused", or TLS or pairing failures.

This means TenLens could not reach the collector itself, so it cannot run any health checks.

  • Collector service stopped. Confirm the collector is running on its host.
  • Wrong host. Use a hostname that is reachable from TenLens. When the collector is off your local network, use its reachable DNS name, not a private IP.
  • Pairing lost. If the collector was reinstalled or its certificates changed, re-pair it on the Collector step.

Events are not arriving

WARNING · What you see

Health is green but no audit events appear in the viewer, sometimes with collector log entries like "No connection could be made because the target machine actively refused it."

Health checks confirm TenLens can read the source, but events are pushed to your TenLens API over a separate path. If that push fails, events are queued and do not appear.

  • Ingestion URL not reachable from the collector. The events ingestion URL must be an address the collector can reach (not localhost when the collector runs on another machine). Set it to the reachable address of your TenLens API on the Collector step.
  • API not running. Confirm your TenLens API is up and reachable from the collector.

A server says "Via forwarder"

NOTE · This is not an error

When you add a Windows Event Collector (forwarder), TenLens collects from the forwarder and does not read those domain controllers directly, to avoid collecting every event twice. Affected domain controllers show a Via forwarder pill instead of Healthy. You can still view per-controller events in the audit viewer by filtering on the originating server.

If you expected a domain controller to be collected directly, remove the forwarder from the Servers step. With no forwarder present, TenLens reads each domain controller directly again.

Still stuck?

A quick checklist that resolves most connection problems:

  • Read account banner is green (fix the read account first).
  • Each server allows Remote Event Log Management through its firewall.
  • TCP 135 plus dynamic RPC ports are open from the collector to each server.
  • The read account is in Event Log Readers (and can read the Security log).
  • The collector is running and reachable, and the events ingestion URL points at a reachable TenLens API.
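The per-server and collector items on this checklist, plus the RPC and access-denied sections above, can be exercised from the collector host with the following added example (not TenLens code); the server name and ingestion URL are assumptions to substitute:

```powershell
# Added example, not part of TenLens: run on the collector host to check one source
# server and the ingestion path. $Server and $IngestUrl are assumptions; substitute yours.
param(
    [string]$Server    = "dc01.contoso.com",
    [string]$IngestUrl = "https://tenlens-api.example.internal/ingest"   # hypothetical address
)
$Cred    = Get-Credential -Message "Read account (e.g. CONTOSO\svc-tenlens)"
$results = [ordered]@{}

# TCP 135: the RPC endpoint mapper must be reachable from the collector
$ep = Test-NetConnection -ComputerName $Server -Port 135 -WarningAction SilentlyContinue
$results["TCP 135 reachable"] = $ep.TcpTestSucceeded

# Remote read of the Security log as the read account. One call proves three things:
# the Remote Event Log Management rule group (dynamic RPC port) is allowed, the account
# is in Event Log Readers, and it holds "Manage auditing and security log".
try {
    $null = Get-WinEvent -ComputerName $Server -LogName Security -MaxEvents 1 `
                         -Credential $Cred -ErrorAction Stop
    $results["Security log readable"] = $true
} catch {
    # "The RPC server is unavailable" points at the firewall or dynamic ports;
    # "Access is denied" points at group membership or the user right.
    $results["Security log readable"] = "failed: $($_.Exception.Message)"
}

# Ingestion: the URL must name an address the collector itself can reach
$uri = [uri]$IngestUrl
if ($uri.Host -in @("localhost", "127.0.0.1")) {
    $results["Ingestion URL"] = "warning: localhost only works when the collector runs on the API host"
} else {
    $api = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    $results["Ingestion URL"] = if ($api.TcpTestSucceeded) { "reachable" } else { "TCP $($uri.Port) to $($uri.Host) refused or blocked" }
}

[pscustomobject]$results | Format-List
```

Run it once per server row that shows a red pill; a server that passes here but still shows Error in the wizard will clear on the next health check after you click Save and re-check health.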

If problems persist, open the Desktop Launcher Support tab and submit a ticket with Attach diagnostics bundle enabled.