May 13 2024 05:59 PM
I ran into an issue with 2 agents on certificate authorities failing to start with LDAP connection errors. The AD site they are in had all its domain controllers replaced with new servers a few weeks ago. The agent logs showed they were trying to connect to old DC server names. There's no trace of those servers in DNS or elsewhere in AD that could make them discoverable. There's no trace of those server names in the config files or registry anywhere, but somehow the agent wasn't forgetting them. I had to reinstall the agent to resolve the issue. It seems like this should be something that is more of a standard DC discovery process, or using the existing secure channel server as the DC a standalone agent connects to.
May 15 2024 01:04 AM
@nlinley
When you initially installed the sensor on those machines, you selected in the portal the DCs that you want to use for resolution.
https://learn.microsoft.com/en-us/defender-for-identity/deploy/active-directory-federation-services#...
All you needed was to remove them from the portal registration, no uninstall was required.
The reason reinstall worked is because when uninstalling the sensor, it was unregistered,
and when reinstalling, newer code was invoked that selects a DC using the DC locator service instead of forcing you to manually choose.
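An added diagnostic, not part of this thread and not code from the Defender for Identity sensor: before removing the stale DC entries from the portal registration (or reinstalling), it shows what the Windows DC locator returns for this host's AD site and whether the old DC names from the sensor log still resolve in DNS. `$DomainName` and `$StaleDcNames` are placeholders to fill in from your environment and the sensor log.

```powershell
# Added diagnostic (not from the thread or the sensor). Compares the DC the
# DC locator picks for this host with the stale DC names seen in the sensor log.
param(
    [string]$DomainName = 'corp.example.com',            # placeholder: your AD domain
    [string[]]$StaleDcNames = @('OLDDC01', 'OLDDC02')    # placeholder: names from the sensor log
)

# 1. Ask the DC locator which DC it selects for this host's site.
#    /force bypasses the cached DC so the answer reflects the current site.
$locatorOutput = nltest /dsgetdc:$DomainName /force 2>&1
$dcMatch   = $locatorOutput | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)'
$siteMatch = $locatorOutput | Select-String -Pattern '^\s*Our Site Name:\s*(\S+)'
$locatedDc = if ($dcMatch)   { $dcMatch.Matches[0].Groups[1].Value }   else { $null }
$ourSite   = if ($siteMatch) { $siteMatch.Matches[0].Groups[1].Value } else { $null }

Write-Host "DC locator result for site '$ourSite': $locatedDc"

# 2. Confirm the located DC actually answers LDAP (TCP 389) from this host.
if ($locatedDc) {
    $ldap = Test-NetConnection -ComputerName $locatedDc -Port 389 -WarningAction SilentlyContinue
    Write-Host ("LDAP reachable on {0}: {1}" -f $locatedDc, $ldap.TcpTestSucceeded)
}

# 3. Check whether each stale DC name still resolves. If none do, the names
#    are not coming from DNS; check the sensor's portal registration instead.
foreach ($name in $StaleDcNames) {
    $fqdn = if ($name -like '*.*') { $name } else { "$name.$DomainName" }
    $rec  = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        StaleDcName = $fqdn
        ResolvesInDns = [bool]$rec
        Addresses   = if ($rec) { ($rec | Where-Object IPAddress).IPAddress -join ', ' } else { '' }
    }
}
```

Run it on the affected server as a domain user. A healthy DC locator answer for the correct site, combined with stale names that no longer resolve, matches the behaviour described in the reply above: the sensor is still using the DCs picked in the portal at install time rather than the locator result.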
May 19 2024 05:26 PM
May 20 2024 12:05 AM