I'm setting up Defender for Identity in a multi-domain environment.
Let's call the top domain zzz.net, with the subdomain xxx.zzz.net.
The top domain has very few users and computers. The subdomain is where all the users, client computers, and more or less all the servers are. Best practice is to use a gMSA account. I have tried with one created in the top domain, but this did not work for the subdomain. I created a dedicated one for the subdomain and that seems to work for the subdomain. But there is no data for the top domain.
Then I created a normal service account in the top domain. In the Defender portal -> Directory service account I have specified it like this. This is the same account.
Looks like it collects data from both domains, so it looks better. The sensor health is also OK in the portal.
But there are very many error messages in the sensor log.