Dec 22 2019 11:43 PM
I recently set up the RAM as recommended by the sizing tool, but now I get the message again in Azure ATP "some network traffic is not being analyzed".
Currently the tool shows the following:
DC | Sensor Supported | Failed Samples | Max Packets/sec | Avg Packets/sec | Busy Packets/sec | Busy Packets/sec Start Time | Busy Packets/sec End Time | Min Avail MB | Avg Avail MB | Busy Avail MB | Busy RAM Start Time | Busy RAM End Time | Total MB | Max % CPU Time | Avg % CPU Time | Busy % CPU Time | Busy CPU Start Time | Busy CPU End Time | Logical processors | Processor Groups | Core Count | VM Indicator | AD Site | Time Zone Name | Is DST | OS Caption | OS Build Number | OS Installation Type | OS Server Levels |
srvRODC1.contoso.com | Yes, but additional resources required: +2GB | 0 | 2.438 | 55 | 111 | 08:17:54 | 08:32:51 | 1.833 | 2.081 | 2.040 | 07:15:54 | 07:30:57 | 4.095 | 89 | 8 | 13 | 07:20:04 | 07:35:07 | 2 | 1 | 2 | VMWare | London | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
srvRODC2.contoso.com | Yes, but additional resources required: +3GB | 0 | 1.940 | 63 | 94 | 08:21:09 | 08:36:12 | 534 | 1.188 | 1.153 | 06:23:16 | 06:38:13 | 4.095 | 100 | 11 | 14 | 07:17:54 | 07:32:57 | 2 | 1 | 2 | VMWare | Lyon | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
srvRODC3.contoso.com | Yes, but additional resources required: +3GB | 0 | 2.237 | 173 | 229 | 07:19:15 | 07:34:18 | 600 | 929 | 907 | 07:26:21 | 07:41:18 | 3.071 | 100 | 10 | 14 | 07:20:00 | 07:35:02 | 2 | 1 | 2 | VMWare | Pune | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
srvRODC4.contoso.com | Yes, but additional resources required: +3GB | 0 | 4.109 | 62 | 94 | 07:16:34 | 07:31:37 | 633 | 924 | 899 | 06:46:40 | 07:01:37 | 4.095 | 100 | 36 | 41 | 06:23:21 | 06:38:19 | 2 | 1 | 2 | VMWare | Rom | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
srvdc3.contoso.com | Yes, but additional resources required: +1GB | 0 | 13.915 | 3.425 | 4.296 | 07:32:12 | 07:47:09 | 7.378 | 7.987 | 7.896 | 08:21:54 | 08:36:57 | 12.287 | 100 | 30 | 42 | 08:11:18 | 08:26:16 | 4 | 1 | 4 | VMWare | Berlin | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
srvdc2.contoso.com | Yes, but additional resources required: +1GB | 0 | 9.664 | 3.934 | 4.506 | 07:38:18 | 07:53:15 | 7.062 | 7.613 | 7.552 | 07:52:30 | 08:07:27 | 12.287 | 91 | 24 | 47 | 08:33:18 | 08:48:19 | 4 | 1 | 4 | VMWare | Berlin | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
srvdc1.contoso.com | Yes, but additional resources required: +1GB | 0 | 12.198 | 4.356 | 5.565 | 07:55:30 | 08:10:27 | 7.311 | 7.843 | 7.635 | 08:15:38 | 08:30:35 | 12.287 | 76 | 17 | 25 | 08:01:41 | 08:16:38 | 4 | 1 | 4 | VMWare | Muenchen | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
srvdc4.contoso.com | Yes, but additional resources required: +1GB | 0 | 4.728 | 743 | 1.320 | 07:12:23 | 07:27:26 | 7.024 | 7.342 | 7.259 | 07:15:09 | 07:30:11 | 12.286 | 94 | 17 | 28 | 08:38:43 | 08:53:42 | 2 | 1 | 2 | Physical | Leipzig | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna | False | Microsoft Windows Server 2016 Standard | 14393 | Server Core | ServerCore |
How much RAM must be free and available for Azure ATP to run correctly and without warning?
Is 9.5GB RAM the maximum Azure ATP needs? (without OS,....) => https://docs.microsoft.com/en-US/azure-advanced-threat-protection/atp-capacity-planning
We are currently testing Azure ATP, but we plan to roll it out soon.
For better planning I need to know how much RAM the servers need.
It is always difficult to add more RAM later.
Thanks,
Best Regards,
Ralf
Dec 23 2019 01:28 PM
Solution
On which of the above machines did you get the health alert?
In general, it's important to understand that the sizing tool is based on heuristics.
It's pretty good most of the time, but we did see anomalies in networks that act a little differently.
For example, different mixture of traffic, increased AD events due to lots of apps querying AD, or networks with exceptional amounts of AD entities. Those and more are issues that the tool can't reasonably measure, so it could be that in some cases you would need to add more memory or cores compared to what the tool says or even mentioned in the table.
Still, for most cases it is a good fit or a good starting point.
As for sizing... the data in the tables is what the sensor itself is consuming.
In addition to that, the sensor resource manager expects to have AT LEAST 15% free RAM and CPU at all times to protect AD services, or else it will throttle itself.
So for example, let's say the sensor needs 10 GB, and AD services / OS need 10 GB more, that's 20 GB used RAM at all times. So in this case, I would use a machine with at least 24 GB of RAM, so at all times I will have a bit more than 15% free, and won't get throttled.
Same goes for total CPU.
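The 15% rule from the reply above, applied to the sizing-tool figures in the question, as an added example that is not part of the original posts or of any Microsoft tooling. It assumes the tool's cells use "." as a thousands separator (so "12.287" is 12287 MB); the function names are hypothetical.

```python
import math

FREE = 0.15  # free RAM/CPU share the sensor resource manager expects (per the reply)

def min_total_gb(sensor_gb, os_ad_gb, free=FREE):
    """Smallest whole-GB machine that still leaves `free` of its RAM unused."""
    return math.ceil((sensor_gb + os_ad_gb) / (1 - free))

def to_int(cell):
    """Assumption: '.' is a thousands separator in the tool output ('4.095' -> 4095)."""
    return int(cell.strip().replace(".", ""))

# DC | Min Avail MB | Total MB | Max % CPU Time, copied from the table in the question
ROWS = """\
srvRODC1.contoso.com | 1.833 | 4.095 | 89
srvRODC2.contoso.com | 534 | 4.095 | 100
srvRODC3.contoso.com | 600 | 3.071 | 100
srvRODC4.contoso.com | 633 | 4.095 | 100
srvdc3.contoso.com | 7.378 | 12.287 | 100
srvdc2.contoso.com | 7.062 | 12.287 | 91
srvdc1.contoso.com | 7.311 | 12.287 | 76
srvdc4.contoso.com | 7.024 | 12.286 | 94
"""

def headroom(rows=ROWS, free=FREE):
    """Map each DC to (worst-case free RAM share, worst-case free CPU share, below 15%?)."""
    result = {}
    for line in rows.strip().splitlines():
        dc, avail, total, cpu = [c.strip() for c in line.split("|")]
        ram_free = to_int(avail) / to_int(total)   # lowest sampled free RAM
        cpu_free = 1 - to_int(cpu) / 100           # headroom at the CPU peak
        result[dc] = (round(ram_free, 3), round(cpu_free, 2),
                      ram_free < free or cpu_free < free)
    return result

if __name__ == "__main__":
    print("10 GB sensor + 10 GB OS/AD ->", min_total_gb(10, 10), "GB")
    for dc, (ram, cpu, low) in headroom().items():
        note = "below 15% at peak" if low else "ok"
        print(f"{dc:24} RAM free {ram:6.1%}  CPU free {cpu:4.0%}  {note}")
```

The flags are based on the single worst sample for each counter, so they mark where the 15% margin was crossed at least once during the measurement, not sustained load.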
Dec 24 2019 12:49 AM
@Eli Ofek Hello Eli,
thank you very much for your fast reply and the explanation.
The messages come from srvdc1, srvdc2 and srvdc3.
Ok, the warning comes because there are sometimes peak loads.
I have to check how much RAM I can provide for the DCs.
Thank you very much for your support.
Best Regards,
Ralf