Demoted domain controller problem with agents


I ran into an issue with 2 agents on certificate authorities failing to start with LDAP connection errors. The AD site they are in had all its domain controllers replaced with new servers a few weeks ago. The agent logs showed they were trying to connect to old DC server names. There's no trace of those servers in DNS or elsewhere in AD that could make them discoverable. There's no trace of those server names in the config files or registry anywhere, but somehow the agent wasn't forgetting them. I had to reinstall the agent to resolve the issue. It seems like this should be something that is more of a standard DC discovery process, or using the existing secure channel server as the DC a standalone agent connects to.

3 Replies

@nlinley 
When you initially installed the sensor on those machines, you selected in the portal the DCs that you want to use for resolution.
https://learn.microsoft.com/en-us/defender-for-identity/deploy/active-directory-federation-services#...

All you needed was to remove them from the portal registration, no uninstall was required.

The reason the reinstall worked is that when uninstalling the sensor, it was unregistered,
and when reinstalling, newer code was invoked that selects a DC using the DC Locator service instead of forcing you to choose one manually.

I don't remember ever having to provide a DC name when setting them up. I just downloaded the installer and provided it the access key. Either way, the agent should be able to handle infrastructure changes a little better and automatically. Would the agent start to fail if a DC went down for a few days as well?

That was always true for integrated sensors on domain controllers.
For ADFS sensors from the previous generation, after the sensor installation you had to go to the portal and define a target DC for resolution.

In the modern sensors, this step is now optional, as setup will use one from the locator and allow you to change it in the portal if you wish.

You can also add more than one to allow fallbacks.

See:
https://learn.microsoft.com/en-us/defender-for-identity/deploy/active-directory-federation-services#...
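A quick way to catch the situation described in this thread before a sensor fails to start is to compare the resolver DCs configured for a standalone sensor against what the DC Locator returns today. The script below is an added example written for this post, not code from the thread or from Microsoft; `$ConfiguredResolverDCs` is a constructed sample list that you would replace with the names shown in the portal for the sensor.

```powershell
# Added diagnostic (not from the thread or the product): checks each resolver DC a
# standalone sensor is configured to use against the DC Locator, DNS and LDAP reachability.
# Constructed sample; replace with the DC names shown in the portal for this sensor.
$ConfiguredResolverDCs = @('olddc01.corp.example.com', 'dc05.corp.example.com')

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# DCs the locator knows about right now; a locator-based sensor picks from these.
$liveDCs = $domain.DomainControllers | ForEach-Object { $_.Name.ToLower() }

function Test-ResolverDC {
    param([string]$DcName)
    $name      = $DcName.ToLower()
    $inLocator = $liveDCs -contains $name
    $dns       = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    $ldap      = $false
    if ($dns) {
        # Port 389 is what the sensor's LDAP connection needs; a closed port here
        # matches the "LDAP connection errors" from the original post.
        $ldap = (Test-NetConnection -ComputerName $name -Port 389 `
                 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    $verdict = if ($inLocator -and $ldap) { 'OK' }
               elseif (-not $dns)         { 'STALE: name no longer in DNS, remove from portal' }
               else                       { 'CHECK: resolves but is not a current DC or LDAP is closed' }
    [pscustomobject]@{
        ResolverDC     = $name
        KnownToLocator = $inLocator
        ResolvesInDns  = [bool]$dns
        LdapReachable  = $ldap
        Verdict        = $verdict
    }
}

$ConfiguredResolverDCs | ForEach-Object { Test-ResolverDC -DcName $_ } | Format-Table -AutoSize

# The DC the locator would hand a modern sensor today; a candidate for the portal entry.
"Locator-preferred DC: " + $domain.FindDomainController().Name
```

Run it on the sensor host under an account that can query the domain; any row marked STALE is the case in this thread, where the fix is to replace the entry in the portal rather than reinstall.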