Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

What is this email alert: TUI-AD: All AD agents are down for realm Windows?

I added our IT group e-mail to the Ironport S160 to be alerted when product keys are about to expire.  Our IronPort C160 e-mail filter does this but the S160 did not.


We periodically get this email:


Subject: Critical <System> TUI-AD: All AD agents are down for realm Windows


The Critical message is:

TUI-AD: All AD agents are down for realm Windows

Product: Cisco IronPort S160 Web Security Appliance

Model: S160

Version: 7.5.1-079

Serial Number: (removed for public posting)

Timestamp: 24 Mar 2014 07:20:27 -0400



Any idea what this means?  Everything is working normally.  How can I stop this message?

Everyone's tags (2)
Cisco Employee

Check Network/Authentication

Check Network/Authentication and see if you configured the AD Realm with Transparent User Identification. If you did and are not using CDA (Context Directory Agent) then remove just the TUI configuration and leave your AD configuration.

New Member

Yes that is checked off.  It

Yes that is checked off.  It is pointing to one of our servers that is running our certificate services and anti virus console.  Would there be something installed on that server I should be looking for?  Nothing Cisco or IronPort is listed in the start menu.

Cisco Employee

It should only be pointing to

It should only be pointing to a Cisco CDA server. If you are not running Cisco CDA then uncheck use TUI and the messages will stop. CDA is not a Windows program, it is a standalone vm server running a linux kernel and our CDA processes.

New Member

Upon further investigation in

Upon further investigation in services.msc on that server I see a Cisco AD Agent.  I did some digging on this service and its located in C:\IBF.

First why is it called IBF?

Second, whats in here is this:








The emails came in at these times

3/24 11:59 PM

3/24 7:20 AM

3/23 12:59 AM

3/23 12:06 AM

3/22 10:56 PM

3/22 1:20 AM

3/21 12:52 PM

3/20 10:51 PM 


Cisco Employee

Ah the often forgotten about

Ah the often forgotten about AD Agent was the predecessor the CDA. It is a command line utility that collects login data and feeds it to ASA and WSA can query it also. I suggest you check with whomever installed it and/or your partner. If necessary contact Cisco TAC for assistance.

New Member

I guess maybe we are using

I guess maybe we are using this because I found in C:\IBF\adObserver I changed logconfig.cfg to log_verbose.  I restarted the service, and that generated an email.  But now I have a log called ADObserverLog and in there I can see what looks like timestamps, windows user names, entityID which is the IP address of the workstation that user is signed into (I know because I searched myself).

So maybe we would either add another one for high availability or just turn off email alerts and use outlook calendar reminders to remember when to renew our keys.