The Vault Service Account was accidentally added to Domain Admins. It has been removed, but EV now gives the following error even though it is removed. Any ideas?
Log Name: Symantec Enterprise Vault
Source: Enterprise Vault
Date: 9/16/2020 4:31:00 PM
Event ID: 8596
Task Category: Directory Service
Data decryption has failed.
Cipher text: EV//AwAAAD8GAAC.......................................
Were you getting these errors prior to the VSA being in the Domain Admins Group?
A very foolish question (of me) to ask is have you restarted the EV services after removing the VSA from Domain Admins Group?
Also, a very basic thing we tend to overlook in this scenario: considering that someone else added the VSA to the Domain Admins group, there could be some other changes made without your knowledge, and you would want to revisit this article: Enterprise Vault Accounts and Permissions
Let us know if any of the above helped.
If the issue is local to the EV Server in question, then, I guess we need to focus on the Server itself.
After redacting environment information, could you share the Dtrace of the Directory Service?
Follow the steps mentioned below...
- Start the Dtrace
- Enable Verbose Logging for the Directory Service
- Restart the EV Admin Services (effectively restarting all the EV services) or stop the EV Services and restart them in this order
  - EV Admin Service
  - EV Directory Service
  - EV Storage Service
  - EV Task Controller Service
  - EV Shopping Service
  - EV Indexing Service
  - EV SMTP Service (if installed and present)
- Monitor the Event Viewer for Event ID 8596
- Once the event is logged, wait for a few seconds and stop the Dtrace
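
A check that can accompany the steps above, added here as an example and not posted by anyone in the thread: it confirms the account is no longer an effective member of Domain Admins (including through nested groups) and lists any Event ID 8596 entries logged after the service restart. The account name and restart time are placeholders, and it assumes an elevated session on the EV server with the ActiveDirectory (RSAT) module installed.

```powershell
# Added example; assumptions: elevated session on the EV server, RSAT
# ActiveDirectory module installed, placeholder values in the param block.
param(
    [string]$VsaSamAccountName = 'svc-vault-PLACEHOLDER',  # hypothetical VSA name
    [datetime]$RestartTime = (Get-Date).AddHours(-1)        # when EV services were restarted
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Is the VSA still a Domain Admin, directly or through a nested group?
#    -Recursive flattens nested groups and returns only the leaf accounts.
$match = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $VsaSamAccountName }

if ($match) {
    Write-Warning "$VsaSamAccountName is still an effective member of Domain Admins."
} else {
    Write-Output "$VsaSamAccountName is not in Domain Admins (direct or nested)."
}

# 2. Event ID 8596 entries written after the restart. The log name is the one
#    shown in the event quoted in the original post. A running service keeps the
#    access token it started with, so only events after the restart reflect the
#    corrected group membership.
$filter = @{
    LogName   = 'Symantec Enterprise Vault'
    Id        = 8596
    StartTime = $RestartTime
}
# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Event ID 8596 logged since $RestartTime."
} else {
    Write-Warning "$($events.Count) Event ID 8596 entries logged since $RestartTime."
    # Show only the first message line so the cipher text is not copied around.
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```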