Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Demoted domain controller in coverage report

Copper Contributor

Quite a while ago, we lost a domain controller (server died), and we cleaned up the object/reference in Active Directory (deleted computer object, removed from sites and services).  Azure ATP, though, still detects it when generating the "domain controller coverage" report (in the domain controllers OU).

 

1. How does Azure ATP discover the domain controllers? And how often does it update?

2. Any suggestions on where to look to find the remaining references to this old domain controller?

 

Thank you!

12 Replies

@ajbravo  if you did not uninstall the sensor prior to server loss, go into the config tab in the console UI, to the sensors list, and delete it from the list.

@Eli Ofek I wasn't clear--the domain controller is not showing as an installed sensor, but as one which doesn't have the agent (in the "domain controller coverage report"). 

 

So, at the top of the sensors list, it says "You have installed Azure ATP Sensor on 9 out of 10 domain controllers," when it should say "9 out of 9."

Hi, we're aware of the issue (lingering objects in the DC Coverage report) and are working to fix it.

@Or Tsemah Any update on this? I just opened a case for this issue.

@Jake Platt, I hope to share some good news soon, rest assure that we are on it

@Or Tsemah hi,  I am also facing the same issue. We have recently decommissioned 2 DC's and we did not installed ATP sensor on these DC's but it is still showing in the report " You have installed Azure sensor on 9 out of 11 DC".

How can i delete these from the report..

@roadrasher06 We are actively working on excluding these from the list of "Must-have" domain controllers.

Question: If excluded, would you still like to view these decommissioned DCs in the excel report as "unreachable" DCs (which will eventually be deleted) or they are of no interest to you at all?

A separate sheet in Excel might be OK, but generally I wouldn't have an interest in a DC once it has been demoted.

I am guessing this is still not fixed?

 

I have 3 long demoted domain controllers that still appear in the domain controller coverage list.

 

Proper demotion and metadata cleanup has been performed on all of them.

@Dennis_Peabody 

Yes, we are on it

@Or Tsemah 

 

Has this been implemented? We are trying to increase our secure score and having all DCs with sensors is a requirement. We had a couple that were not decom properly and are showing in ATP still. 

@jarrydanderson Yes, we are now using DCs reported by AD itself, if you believe it is showing false results, you can ping us at AatpFeedback@microsoft.com