Computer Group Syncing


We are using Computer Group Syncing to synchronize our AD Group memberships into Log Analytics. It looks like the data here is incomplete; it is only capturing a portion of the systems that are members of the AD group.

We have the agent installed on 60 or so systems and Log Analytics reports it's syncing membership for 29 systems.

Are there any secrets to get this reliably working?

3 Replies

@mperrotta

So the Microsoft Management Agent is deployed on 60 machines, but you get results from 27. Do you have any records in the Heartbeat table for the 33?

Heartbeat
| summarize arg_max(TimeGenerated, *), count() by Computer

You may need to add a Line #2 to the above, e.g. if the 60 have "AD" in their name, this may help:

Heartbeat
| where Computer contains "AD"
//| where Computer startswith "abc"
//| where Computer endswith "xzy"
| summarize arg_max(TimeGenerated, *), count() by Computer

If we know you have Agent data reported to Heartbeat, that rules out issues such as firewalls, etc.

See here for more help: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows-troubleshoot

@Clive Watson

Running the heartbeat query, 61 records are returned.

If I run the below query, I only receive 31 records.

ComputerGroup
| where GroupSource == "ActiveDirectory"
| distinct Computer

It doesn't appear to be an agent communication issue since all of our systems are sending heartbeats.

@mperrotta

...and are all 60 in ComputerGroup if you remove

| where GroupSource == "ActiveDirectory"

?
If not, then we have 60 working systems, but only some make it into the ComputerGroup...
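
The comparison discussed in this thread can be done in one query that names the machines sending heartbeats but missing an Active Directory membership record. This is an added example, not part of any reply above; the 7-day lookback and the lower-casing of `Computer` (in case the two tables record the name with different casing) are assumptions.

```kusto
// Added example: agents that report to Heartbeat but have no
// ActiveDirectory record in ComputerGroup.
let lookback = 7d;   // assumption: adjust to your sync and retention window
let membership =
    ComputerGroup
    | where TimeGenerated > ago(lookback)
    | summarize
        ADRecords    = countif(GroupSource == "ActiveDirectory"),
        GroupSources = make_set(GroupSource)
        by Computer = tolower(Computer);
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize LastHeartbeat = max(TimeGenerated) by Computer = tolower(Computer)
// leftouter keeps every heartbeating machine, matched or not
| join kind=leftouter membership on Computer
// no ComputerGroup row at all (null) or rows only from other sources (0)
| where isnull(ADRecords) or ADRecords == 0
| project Computer, LastHeartbeat, GroupSources
| order by Computer asc
```

An empty `GroupSources` means the machine has no ComputerGroup record from any source; a non-empty one means it is present only under other group sources.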