06-28-2017 12:54 PM - edited 02-21-2020 10:32 AM
All,
I wanted to put some of my thoughts down in ISE Passive ID and confirm what I am thinking as we lay this out for customers. Please let me know if I have anything incorrect or am missing something.
I am listing the Passive ID options in order of how I would prefer to implement them:
Option #1- Agent Installed on Each DC
Advantages
Disadvantages
Scalability and Performance
Can scale up to 100 DCs. In terms of performance, I would think this would be the middle performer of the 3. The workload is offloaded from the PSNs, but I have 1:1 feeds coming into the PSNs from the agents.
Option #2- WMI Queries from the PSNs
Advantages
Disadvantages
Scalability and Performance
Can scale up to 100 DCs. In terms of performance, I would think this would be the worst performer out of the 3 options as the PSNs have to do all the work.
Option #3- Agent on Member Servers Polling up to 10 DCs Each
Advantages
Disadvantages
Scalability and Performance
Can scale up to 100 DCs. In terms of performance, I would think this is the best performance since it is aggregating the data so the PSNs have fewer data sources to deal with.
06-29-2017 11:58 AM
Paul,
You wouldn't need to deploy an agent on each DC. The agent can monitor up to 10 controllers whether the agent is installed on the controller or a member server. Since the agent is running on a trusted source, you don't need elevated account privileges. That would only be true for the WMI probe because the server would need to be configured for remote monitoring. Here are all 3 options in order of efficiency:
1: Agent (either member or controller) - up to 100 controllers
2: WMI - up to 100 controllers
3: Kerberos SPAN - Zero touch / point-in-time only / no history
Regards,
-Tim
06-29-2017 12:27 PM
Tim,
All member servers are allowed to automatically WMI poll DCs for security logs? Or how is the member server getting the security logs from the DCs?
In other solutions even when you deploy agents on member servers they need AD credentials to make WMI calls to the DCs.
I am sure I am missing something.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250