Jul 22 2022 09:11 AM
Hello,
Seeing these alerts on two domain controllers on a regular 1-hour interval.
Back when we ran the sizing tool about 4 months ago, they passed the analysis with flying colors (required CPU/RAM of 1 and 6 vs 24 and 64 available). These are on-prem physical servers. No issues with other domain controllers.
Also, how exactly is this alarm triggered? Is there a time threshold, or would any spike cause it?
Jul 25 2022 05:21 AM
The alerts are generated when the sensors do not have enough resources to analyze the network traffic.
Things might have changed since you ran the sizing tool, such as more users being added to the environment or a change in the sites or subnets configuration that now cause more traffic to be sent to the domain controllers.
If the sensor is using the WinPcap drivers (installed with the sensor in versions earlier than 2.184), we recommend you replace them with Npcap. This is described in https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#winpcap-and-npcap-drivers
This can also happen if you're using domain controllers on VMware virtual machines. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:
- TsoEnable
- LargeSendOffload(IPv4)
- IPv4 TSO Offload
You should also consider adding additional processors and memory as required.
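
A read-only way to check the three settings named in the reply above, as an added example that is not part of the original thread. It assumes the built-in NetAdapter module (`Get-NetAdapterAdvancedProperty`) is available on the domain controller and that the listed names appear either as an adapter property's display name or as its registry keyword.

```powershell
# Added example, not from the thread. Read-only: reports values, changes nothing.
# Setting names are taken from the reply above; matching them against both
# DisplayName and RegistryKeyword is an assumption about how the driver exposes them.
$settings = 'TsoEnable', 'LargeSendOffload(IPv4)', 'IPv4 TSO Offload'

# -AllProperties also returns properties that have a registry keyword but no display name.
$found = Get-NetAdapterAdvancedProperty -Name '*' -AllProperties -ErrorAction SilentlyContinue |
    Where-Object { $settings -contains $_.DisplayName -or $settings -contains $_.RegistryKeyword }

$report = foreach ($p in $found) {
    # RegistryValue is a string array; join it so a single "0" compares cleanly.
    $regValue = @($p.RegistryValue) -join ','
    [pscustomobject]@{
        Adapter  = $p.Name
        Setting  = if ($p.DisplayName) { $p.DisplayName } else { $p.RegistryKeyword }
        Value    = if ($p.DisplayValue) { $p.DisplayValue } else { $regValue }
        # "0 or Disabled" is the target state given in the reply.
        Disabled = ($regValue -eq '0') -or ($p.DisplayValue -in 'Disabled', '0')
    }
}

if (-not $report) {
    Write-Output 'None of the listed offload settings are exposed by the adapters on this host.'
}
else {
    $report | Sort-Object Adapter, Setting | Format-Table -AutoSize

    $pending = @($report | Where-Object { -not $_.Disabled })
    if ($pending.Count -gt 0) {
        Write-Warning ("{0} offload setting(s) still enabled; review them before the next alert interval." -f $pending.Count)
    }
    else {
        Write-Output 'All listed offload settings are already 0 or Disabled.'
    }
}
```

Run it in an elevated PowerShell session on each affected domain controller and compare the output with a domain controller that does not raise the alert.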
Jul 25 2022 12:25 PM