Name resolution alert for one DC only, for three name resolution methods


Hi, we have 6 DCs with the ATP sensor installed. One DC has recently started alerting with the following:

 

"<ServerName> failed more than 90% of the time when doing active resolution using RPC over NTLM, NetBIOS and reverse DNS. It might affect detections capabilities and increase amount of FPs."

 

As far as we can determine this DC is configured identically to the other 5. Network traces do not reveal any unusual amount of DNS or NETBIOS name resolution failures. Can anyone suggest what our next move should be?

4 Replies

@StuartSquibb "Network traces do not reveal any unusual amount of DNS or NETBIOS name resolution failures" - Can you explain exactly what you checked?

Anyway, the best option here is to contact support; they can turn on verbose logging for you on this machine for a few hours, which will show detailed info about which IPs are not resolved, and also what the failure percentage was before you got the alert.
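The three resolution paths named in the alert (reverse DNS, NetBIOS, RPC over NTLM) can be exercised from the affected DC against the IPs that verbose logging reports as unresolved, to see which method is actually failing. This is an added example, not code from the thread or from the sensor; the sample IPs are constructed placeholders, and the RPC over NTLM check is approximated by a TCP connect to the endpoint mapper on port 135 rather than the sensor's own call.

```powershell
# Added example: per-method name resolution failure rate from the DC, compared
# against the alert's 90% threshold. Not the sensor's own logic.
# Assumption: RPC over NTLM is approximated by reachability of TCP 135.

$SampleIps = @('10.0.0.11', '10.0.0.12', '10.0.0.13')   # constructed; replace with IPs from the logs

function Test-ReverseDns {
    param([string]$Ip)
    try {
        # Resolve-DnsName with an IP and -Type PTR performs the reverse lookup
        $r = Resolve-DnsName -Name $Ip -Type PTR -DnsOnly -ErrorAction Stop
        return [bool]($r | Where-Object { $_.NameHost })
    } catch { return $false }
}

function Test-NetBiosName {
    param([string]$Ip)
    # nbtstat -A sends a NetBIOS node status request (UDP 137) to the remote host
    $out = & nbtstat.exe -A $Ip 2>$null
    return [bool]($out -match '<00>\s+UNIQUE')
}

function Test-RpcEndpoint {
    param([string]$Ip)
    # Approximation only: endpoint mapper reachability, not an authenticated RPC call
    $ok = Test-NetConnection -ComputerName $Ip -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
    return [bool]$ok
}

function Get-ResolutionFailureRate {
    param([string[]]$Ips)
    $methods = [ordered]@{
        'ReverseDNS' = ${function:Test-ReverseDns}
        'NetBIOS'    = ${function:Test-NetBiosName}
        'RPC(135)'   = ${function:Test-RpcEndpoint}
    }
    foreach ($name in $methods.Keys) {
        $failed = @($Ips | Where-Object { -not (& $methods[$name] $_) }).Count
        $pct = [math]::Round(100 * $failed / $Ips.Count, 1)
        [pscustomobject]@{
            Method             = $name
            Failed             = $failed
            Total              = $Ips.Count
            FailurePct         = $pct
            OverAlertThreshold = ($pct -gt 90)   # the alert fires above 90%
        }
    }
}

Get-ResolutionFailureRate -Ips $SampleIps | Format-Table -AutoSize
```

A method that fails for nearly every IP while the others succeed points at that protocol's path (DNS reverse zones, UDP 137 filtering, or RPC reachability) rather than at the sensor itself.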


@Eli Ofek we ran netsh trace on the DC in question up to the point that alert re-raised after we had closed it. We then looked for DNS and NBTNS traffic that was failing. I realise that doesn't cover every protocol in the alert, but DNS and NBTNS are protocols that are relatively easy to trace.

 

Sorry to be dense, but how do I contact support?


@StuartSquibb The alert is based on daily stats, so closing it will just make it reopen until the stats are stabilized. Not sure if you will see enough failures during that time in a trace of a few minutes, but I do expect that with a 90% failure rate you will see some failures in the trace...

 

See this for support options:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-support#support-options-and-co...

 


Hi @StuartSquibb,

 

Just checking if the TriSizing tool was run?

Did that show anything?

 

We have seen some issues with some DCs getting caught up in the Proxy/no Proxy battle internally, and hence the network side of things gets out of whack - perhaps it's worth checking that?

 

DaveC