Hey guys, good morning! It's a rainy day today, which just brings on a relaxed mood.
Here is another topic on Microsoft Defender for Identity: troubleshooting sensors.
You may notice that your sensor keeps disconnecting, even though it was fine during the first 2 weeks of the deployment.
There are many possible causes for this issue, so I'm glad there is a Sizing tool that you can use to measure the traffic on the domain controllers. It recommends which hardware resources need to be increased or looked into.
Sometimes this is not due to a domain controller or sensor issue. It could mean that the environment is growing and a number of applications require LDAP authentication against the closest domain controller or the FSMO holder domain controller.
This is what the alert looks like on the ATP portal:
To prove whether the domain controller needs more hardware resources:
- Download the sizing tool
- Install the sizing tool on the domain controller that has the issue with the sensor
  - It does not require a restart of the domain controller
- Run the application for 24 hours
- It will export an Excel file to the application's directory
This is what the report looks like; the filename is TriSizingToolResults_<date>
As you can see above, I have 3 domain controllers that exceed 30k packets per second, and it recommended that I increase the RAM size.
Below is a diagram of the requirements that need to be met:
The ones I highlighted need to be met for my 3 domain controllers.