With Kerberos SPAN, wouldn’t we have to have a SPAN session for every authenticating domain controller in the environment? Since there can only be two ISE-PIC nodes, that seems to eliminate that option (if my assumption’s correct).
Also, if we were to stand up a member server with the agent on it, does it need to be set up as an Event Log Collector and all the domain controllers configured with Event Log Forwarding to the member server?
Thank you,
Brian Crocker bricrock