09-21-2017 07:59 AM
There is one part of passive ID that I am unclear on. I know the following options:
The one scenario I am unclear on is pushing the agent to a member server and having that member server poll the DCs. Just pushing an agent to a member server doesn't give it rights to poll the DCs. That member server would need a service account with sufficient privileges, and the DCs would have to have the Config WMI run on them, right?
09-21-2017 09:58 AM
Paul,
The agent uses native Windows APIs so the controllers don't need to have the WMI configuration changes.
Regards,
-Tim
09-21-2017 10:07 AM
So once the agent is installed on a member server there are no special permissions/accounts needed to make those API calls.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
09-21-2017 11:37 AM
Tim,
I am testing this in my lab. When I install the DC agent on my DCs I have no issues getting passive ID information. When I remove the DC agent from the DCs and install it on a member server and assign that member server to monitor my DCs I don’t seem to be getting any information. When I wireshark the member server I see a lot of Kerberos auth required and RPC access denied messages coming from my DCs. There is nothing extra I am supposed to need to allow the member server to pull security logs?
Paul Haferman
09-21-2017 11:46 AM
Please use the DC pages (in ISE/ISE-PIC admin web UI) and set the user credentials used to monitor them.
09-21-2017 11:57 AM
I shouldn’t need to set any credentials. I am using the DC agent which is my original question. I know how to monitor the DCs with WMI and credentials and I know that installing the DC agent on the DCs themselves works just fine. What I am unclear on is exactly how just installing the DC agent on a member server and telling it to poll a DC is supposed to work if there are no credentials.
I have customers that don’t want to install the service on a DC which makes sense. I am trying to understand how the DC agent running on a member server is able to communicate with the DCs.
I am sure I am missing something obvious, but other solutions that install on member servers require credentials to poll the domain controller security logs.
Paul Haferman
09-21-2017 12:09 PM
I did a similar test a couple of months ago and found it needed to set the credentials.
If you checked the event viewer of the DC being monitored, you would likely find the agent attempts from the member server using "administrator" as the username.
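The Event Viewer check described in the reply above can be scripted on the monitored DC. This is an added example, not part of the original thread and not Cisco's tooling; the agent host address is a placeholder assumption, and it relies on the standard Windows Security events 4624 (logon success) and 4625 (logon failure).

```powershell
# Run on the monitored DC in an elevated PowerShell session.
# Assumption: $AgentHost is the member server running the agent (placeholder address).
$AgentHost = '192.0.2.10'
$Since     = (Get-Date).AddHours(-1)

# 4624 = successful logon, 4625 = failed logon (Security log).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the named EventData fields into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Source address may be logged in IPv4-mapped IPv6 form; normalise before comparing.
    $source = $data['IpAddress'] -replace '^::ffff:', ''
    if ($source -ne $AgentHost) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        Status    = $data['Status']      # failure code, present on 4625 only
        SubStatus = $data['SubStatus']   # failure detail, present on 4625 only
    }
}

# Summary: which account names the agent host presented, and whether they were accepted.
$rows | Group-Object User, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Running it before and after setting credentials on the DC object in ISE shows which account name the agent host presents to the DC and whether the logon is accepted.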
09-21-2017 02:02 PM
Okay, looks like you are right. When I set the credentials on the DC object in ISE and stop and start the service on the member server running the agent I see a bind request being made with the username I specified on the DC in ISE. So installing the agent on a member server still requires a special account with a decent amount of access. So all you are really saving is the PSNs using that account and doing direct WMI calls. Installing the agent on the DCs directly doesn’t require any special account.
Paul Haferman