Sep 29 2023 06:19 AM - edited Sep 29 2023 02:26 PM
I'm setting up Defender for Identity in a multi-domain environment.
Let's call the top domain zzz.net, with the subdomain xxx.zzz.net.
The top domain has very few users and computers. The subdomain is where all the users, client computers, and more or less all the servers are. Best practice is to use a gMSA account. I have tried with one created in the top domain, but this did not work for the subdomain. I created a dedicated one for the subdomain and that seems to work for the subdomain. But there is no data for the top domain.
Then I created a normal service account in the top domain. In the Defender portal -> Directory service accounts I have specified it like this (this is the same account):
Account              Domain
def-svc              zzz.net
def-svc@zzz.net      xxx.zzz.net
It looks like it collects data from both domains, so this looks better. The sensor health is also OK in the portal.
But there are very many error messages in the sensor log.
Typically like this:
Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dcxxx.xxx.zzz.net IsGlobalCatalog=True DistinguishedName=DC=778977744,DC=_msdcs.zz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
And
Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dc1.zzz.net IsGlobalCatalog=True DistinguishedName=DC=pc-xzy123,DC=xxx.zzz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
at async Task<IReadOnlyCollection<SearchResultEntry>> Microsoft.Tri.Sensor.DirectoryServicesClient.SearchInternalAsync(SearchRequest searchRequest, DomainControllerConnection domainControllerConnection, DirectoryServicesSearchOptions options)
What is wrong and how to fix this?
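As an added example (not part of the original post and not Microsoft's code), a small parser that reads sensor log lines of the shape quoted above and groups the failures by domain controller, result code and directory partition, so you can see whether the referrals cluster on one DC or on one naming context before changing the DSA configuration. The sample lines are constructed from the post's placeholder names.

```python
import re
from collections import Counter

# Constructed sample: two lines shaped like the sensor log entries quoted in the post
# (domain names and DN components are the post's own placeholders).
SAMPLE_LOG = """\
Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dcxxx.xxx.zzz.net IsGlobalCatalog=True DistinguishedName=DC=778977744,DC=_msdcs.zz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
Error DirectoryServicesClient+<SearchInternalAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=dc1.zzz.net IsGlobalCatalog=True DistinguishedName=DC=pc-xzy123,DC=xxx.zzz.net,cn=MicrosoftDNS,DC=ForestDnsZones,DC=zzz,DC=net Scope=Base Filter=(|(objectClass=user)(objectClass=computer)(objectClass=group)) AttributeCount=65] ---> Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [ResultCode=Referral]
"""

# Every "LDAP search failed [...]" group on a line: the request details first, then
# the inner exception carrying the ResultCode.
BRACKET_RE = re.compile(r"LDAP search failed \[([^\]]*)\]")

def parse_line(line):
    """Merge the key=value fields of all bracket groups on a line into one dict."""
    # Values hold no spaces in this format (DNs use commas, the filter has none), so
    # split on whitespace, then on the FIRST '=' only, since DN values contain '='.
    fields = {}
    for body in BRACKET_RE.findall(line):
        for token in body.split():
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
    return fields or None

def naming_context(dn):
    """Trailing run of DC= RDNs, i.e. the directory partition the object lives in."""
    tail = []
    for rdn in reversed(dn.split(",")):
        if not rdn.upper().startswith("DC="):
            break
        tail.append(rdn)
    return ",".join(reversed(tail))

def summarize(log_text):
    """Count failures per (domain controller, result code, partition)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            counts[(fields.get("DomainControllerDnsName", "?"),
                    fields.get("ResultCode", "?"),
                    naming_context(fields.get("DistinguishedName", "")))] += 1
    return counts

if __name__ == "__main__":
    for (dc, code, part), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {code:<10} {dc:<25} {part}")
```

Run it over the real sensor log instead of SAMPLE_LOG; a partition that only fails against one DC points at that DC's held partitions or reachability, while failures on every DC point at the query target itself.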