Correct Defender for Identity setup in a multi-domain environment


I'm setting up Defender for Identity in a multi-domain environment.

Let's call the top domain zzz.net, with the subdomain xxx.zzz.net.

The top domain has very few users and computers. The subdomain is where all the users, client computers, and more or less all the servers are. Best practice is to use a gMSA account. I have tried with one created in the top domain, but this did not work for the subdomain. I created a dedicated one for the subdomain and that seems to work for the subdomain, but there is no data for the top domain.


Then I created a normal service account in the top domain. In the Defender portal -> Directory service account I have specified it like this (this is the same account):

Account              Domain
def-svc              zzz.net
def-svc@zzz.net      xxx.zzz.net

It looks like it collects data from both domains, so it looks better. The sensor health is also OK in the portal.

But there are very many error messages in the sensor log.

Typically like this:

Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dcxxx.xxx.zzz.net IsGlobalCatalog=True DistinguishedName=DC=778977744,DC=_msdcs.zz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)

And

Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dc1.zzz.net IsGlobalCatalog=True DistinguishedName=DC=pc-xzy123,DC=xxx.zzz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
What is wrong and how do I fix this?

0 Replies
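As an added example (not code from the original post or from Microsoft), the script below shows the two things a practitioner would want to have in hand for the setup described above: a forest-root gMSA whose managed password may be retrieved by sensor hosts in both zzz.net and xxx.zzz.net, plus two checks to run afterwards, one confirming the gMSA works on a given sensor host and one reproducing the base-scope LDAP search from the sensor log with referral chasing switched off so the result code can be read directly. The gMSA name `mdi-gmsa`, the group name `MDI-Sensor-Hosts` and the function names are assumptions; the domain names, DC names and distinguished name are taken from the post.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. All names marked "assumed" are
# placeholders; run section 1 as a forest-root domain admin, sections 2 and 3
# on a sensor host (a DC) in either domain.

# --- 1. Provision a forest-root gMSA usable by sensors in both domains -------
function New-MdiSensorGmsa {
    param(
        [string]   $RootDomain  = 'zzz.net',                  # forest root (from post)
        [string]   $GmsaName    = 'mdi-gmsa',                 # assumed
        [string]   $GroupName   = 'MDI-Sensor-Hosts',         # assumed
        [string[]] $SensorHosts = @('dc1.zzz.net', 'dcxxx.xxx.zzz.net')  # DCs from the log
    )
    $rootDc = (Get-ADDomain -Identity $RootDomain).PDCEmulator

    # A KDS root key must exist once per forest before any gMSA can be created.
    # Backdating the effective time is the documented way to avoid the ~10 hour
    # replication wait in a lab; in production use -EffectiveImmediately and wait.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    }

    # A universal security group can contain computer accounts from any domain in
    # the forest, so one group decides which sensor hosts may fetch the password.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $rootDc)) {
        New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security -Server $rootDc
    }
    foreach ($fqdn in $SensorHosts) {
        $hostDomain = $fqdn.Substring($fqdn.IndexOf('.') + 1)     # e.g. xxx.zzz.net
        $sam        = $fqdn.Split('.')[0] + '$'                    # e.g. dcxxx$
        $computer   = Get-ADComputer -Identity $sam -Server $hostDomain
        Add-ADGroupMember -Identity $GroupName -Members $computer -Server $rootDc
    }

    if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" -Server $rootDc)) {
        New-ADServiceAccount -Name $GmsaName `
            -DNSHostName "$GmsaName.$RootDomain" `
            -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
            -Server $rootDc
    }
    Get-ADServiceAccount -Identity $GmsaName -Server $rootDc `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
}

# The Defender for Identity directory service account also needs read access to
# each domain's Deleted Objects container; this must be granted per domain.
function Grant-MdiDeletedObjectsRead {
    param(
        [string] $Domain,                          # e.g. 'xxx.zzz.net'
        [string] $AccountNtName = 'zzz\mdi-gmsa$'  # assumed; gMSA names end in $
    )
    $dn = "CN=Deleted Objects," + (Get-ADDomain -Identity $Domain).DistinguishedName
    & dsacls $dn /takeownership | Out-Null
    & dsacls $dn /G "${AccountNtName}:LCRP"        # LC = list contents, RP = read property
}

# --- 2. On a sensor host: can this computer retrieve the managed password? ---
function Test-MdiGmsaOnSensor {
    param([string] $GmsaName = 'mdi-gmsa', [string] $RootDomain = 'zzz.net')
    # Group membership of the computer account only takes effect once the host
    # has a fresh Kerberos TGT (reboot, or: klist -li 0x3e7 purge).
    $gmsa = Get-ADServiceAccount -Identity $GmsaName -Server $RootDomain
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        Gmsa                = $gmsa.SamAccountName
        CanRetrievePassword = (Test-ADServiceAccount -Identity $gmsa)
    }
}

# --- 3. Reproduce the failing search without referral chasing ---------------
function Test-LdapBaseSearch {
    param(
        [string] $DomainController  = 'dc1.zzz.net',   # from the second log entry
        [string] $DistinguishedName = 'DC=pc-xzy123,DC=xxx.zzz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net'
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # With chasing off, a DC that does not hold the naming context answers with
    # ResultCode Referral instead of silently following it, as the sensor log shows.
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $DistinguishedName, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, $null)
    try {
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{ Dc = $DomainController; ResultCode = $resp.ResultCode
                           Entries = $resp.Entries.Count; Referrals = $resp.References.Count }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $r = $_.Exception.Response
        [pscustomobject]@{ Dc = $DomainController; ResultCode = $r.ResultCode
                           Entries = 0; Referrals = $r.Referral.Count }
    }
}

# Which DCs actually hold the ForestDnsZones partition the search targets:
function Get-ForestDnsZoneHosts {
    Get-ADDomainController -Filter * |
        Where-Object { $_.Partitions -match '^DC=ForestDnsZones,' } |
        Select-Object HostName, Domain, IsGlobalCatalog
}
```

Run `New-MdiSensorGmsa` once from the root domain, then `Grant-MdiDeletedObjectsRead -Domain 'zzz.net'` and again for `'xxx.zzz.net'`; on each sensor host, `Test-MdiGmsaOnSensor` should report `CanRetrievePassword : True` before the gMSA is entered in the portal. `Test-LdapBaseSearch` run against each DC from the log, compared with `Get-ForestDnsZoneHosts`, tells you whether the Referral result is specific to DCs that do not host that partition, which is the fact you need before deciding whether the errors are benign or point at a DNS or replication problem.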