Sep 08 2020 01:08 PM
We are using Computer Group Syncing to synchronize our AD Group memberships into Log Analytics. It looks like the data here is incomplete, it is only capturing a portion of the systems that are a member of the AD group.
We have the agent installed on 60 or so systems and log analytics reports its syncing membership for 29 systems.
Are there any secrets to get this reliably working?
Sep 10 2020 08:45 AM
So the Microsoft Managment Agent is deployed on 60 machines, but you get results from 27. Do you have any records in the Heartbeat table for the 33?
Heartbeat
| summarize arg_max(TimeGenerated, *), count() by Computer
You may need to add a Line #2 to the above, e.g. if the 60 have "AD" in their name, this may help
Heartbeat
| where Computer contains "AD"
//| where Computer startswith "abc"
//| where Computer endswith "xzy"
| summarize arg_max(TimeGenerated, *), count() by Computer
If we know you have Agent data reported to Heartbeat that rules out issues such as Firewalls etc...
See here for more help: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows-troubleshoot
Sep 11 2020 01:49 PM
Running the heartbeat query, 61 records are returned
If I run the below query, I only receive 31 records.
ComputerGroup
| where GroupSource == "ActiveDirectory"
| distinct Computer
It doesn't appear to be an agent communication issue since all of our systems are sending heartbeats.
Sep 12 2020 02:39 AM
...and are all 60 in ComputerGroup if you remove
| where GroupSource == "ActiveDirectory"
?
If not, then we have 60 working systems, but only some make it into the ComputerGroup...