Oct 31 2019 06:12 AM
On the sensors config page, it shows "Azure ATP sensors on xxx of yyy domain controllers". What we are seeing is that yyy is definitely more domain controllers than are in our forest. How is ATP determining that list of DCs? If I download the list... I am seeing domain controllers listed that were decommissioned some time ago, hence it looks like ATP does not update/prune its discovery list.
Anyone else see this?
Oct 31 2019 07:00 AM
@StuartH It's a known issue in case the read-only AD user account supplied to AATP does not have access to the AD Deleted Objects folder.
We are working on discovering this info in another way that won't need special permissions.
This feature is now being tested with select customers, and when it is mature enough it will be released to everyone, after which the mentioned report should look fine.
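The post above attributes the stale entries to the read-only account not being able to read each domain's Deleted Objects container. The following PowerShell is an added example, not code from this thread or from Microsoft: it lists the DCs that currently exist in every domain of the forest next to the DC computer objects that survive only as tombstones, queried with the AATP service account's credentials so you see exactly what that account can see, and it wraps the dsacls grant that opens the container to a read-only account. The account name CONTOSO\svc-aatp, and the assumption that the RSAT ActiveDirectory module is present, are placeholders to replace with your own.

```powershell
# Added example (not from the thread or from Microsoft).
# Assumes the RSAT ActiveDirectory module is installed and that the AATP
# directory service account is 'CONTOSO\svc-aatp' (assumption; replace it).
Import-Module ActiveDirectory

# SERVER_TRUST_ACCOUNT bit in userAccountControl marks a DC computer object.
$ServerTrustAccount = 0x2000

function Get-DcDiscoveryReport {
    param(
        # Credential of the read-only account AATP uses, so the tombstone query
        # reflects that account's view rather than the admin running the script.
        [Parameter(Mandatory)] [pscredential] $ServiceCredential
    )

    $report = foreach ($domain in (Get-ADForest).Domains) {
        $d   = Get-ADDomain -Identity $domain
        $pdc = $d.PDCEmulator

        # DCs that exist right now, as the domain itself reports them.
        $live = Get-ADDomainController -Filter * -Server $pdc |
                ForEach-Object { $_.HostName }

        # DC computer objects that exist only as tombstones. The query returns
        # nothing, or throws, if the account has no rights on CN=Deleted Objects.
        $filter = 'isDeleted -eq $true -and objectClass -eq "computer" ' +
                  '-and userAccountControl -band ' + $ServerTrustAccount
        try {
            $tombstoned = Get-ADObject -Server $pdc -Credential $ServiceCredential `
                -IncludeDeletedObjects `
                -SearchBase "CN=Deleted Objects,$($d.DistinguishedName)" `
                -Filter $filter -Properties whenChanged |
                ForEach-Object {
                    # A tombstone's Name is "<old name>`nDEL:<guid>"; keep the old name.
                    $oldName = ($_.Name -split "`n")[0]
                    "$oldName (deleted $($_.whenChanged))"
                }
        } catch {
            $tombstoned = @("ERROR: $($_.Exception.Message)")
        }

        [pscustomobject]@{
            Domain        = $domain
            LiveDCs       = $live
            TombstonedDCs = $tombstoned
        }
    }
    return $report
}

# Grant List Contents + Read Property (LCRP) on each domain's Deleted Objects
# container. Run as a Domain Admin of each domain; /takeownership comes first
# because by default only administrators can read or modify the container.
function Grant-DeletedObjectsRead {
    param([Parameter(Mandatory)] [string] $Account)   # e.g. 'CONTOSO\svc-aatp'
    foreach ($domain in (Get-ADForest).Domains) {
        $dn = (Get-ADDomain -Identity $domain).DistinguishedName
        & dsacls "CN=Deleted Objects,$dn" /takeownership
        & dsacls "CN=Deleted Objects,$dn" /G "${Account}:LCRP"
    }
}

# Usage (interactive):
$cred = Get-Credential -UserName 'CONTOSO\svc-aatp' -Message 'AATP directory service account'
Get-DcDiscoveryReport -ServiceCredential $cred | Format-List
# Grant-DeletedObjectsRead -Account 'CONTOSO\svc-aatp'
```

If a domain comes back with an ERROR entry or an empty TombstonedDCs list while you know DCs were retired recently, the account cannot read that domain's container and the grant function is the fix. Tombstones are only kept for the forest's tombstone lifetime (60 or 180 days by default, depending on the forest's age), so a DC decommissioned earlier than that has already been garbage-collected and will not appear in this query at all.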
Nov 19 2019 09:46 AM
@Eli Ofek Appreciated.
Having enabled read rights for the directory account on our multiple \Deleted Objects containers (we have a single forest, multiple domains)... we are still seeing the "retired" sensors in the list. Does something else need to be done to kick this into life to prune things away?
How close are you to the new "feature", where this wouldn't be needed?
Nov 19 2019 12:03 PM
@StuartH Giving access after the fact will not always solve the issue.
We are still perfecting the new solution, and although we do have progress I don't have a release date yet.
I hope it will be a few weeks before we can deploy it globally.
Nov 20 2019 12:57 AM
@Eli Ofek Well, I wondered how, after the fact, that would work... as I assumed that the service account would compare what was deleted to what was existing... but after the tombstone lifetime, how would that ever know the retired DC would exist?
No way to clean up those retired DCs some other way?
Nov 20 2019 01:02 AM
@StuartH Currently no, but once the new feature is available it will detect "unreachable DCs" and mark them as missing, and thus will also remove them from the report.