Passive ID and Read-Only DCs

paul
Level 10

I am sure this is documented somewhere, but I can't find it. Does passive ID support RO DCs? When I bring up the DC list in ISE I don't see any of my customer's RO DCs. The SourceFire user agent supports RO DC monitoring and we are trying to replace that agent with ISE passive ID.

1 Accepted Solution

There are no updates to that enhancement request, so this enhancement does not appear to be implemented in any current versions of ISE. The workarounds mentioned earlier in the thread are still available.

ISE 3.0, however, does support Passive ID using MS-Eventing API or Microsoft Remote Procedure Call (MSRPC) protocol as per the Release Notes. You might test if that works with your RODCs instead.

6 Replies

hslai
Cisco Employee

CSCvr32010 is a known issue in this area.

Hsing,

That bug is not public. Can you send it over to me?


hslai
Cisco Employee

The bug has been marked customer-visible since Sept-19 so not sure why you are unable to see it.

It's an enhancement request to add Passive ID support for RODCs and the current workaround is using Windows Event Forwarding (WEF) or a syslog forwarder.

Any update for this issue, please?

medgaz
Level 1

Hello, I am having the same issue. I have configured the RODC to send security events to the DCs, but the MSRPC agent is not reading those users. Do you know why?