Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.
Read through the FAQ archives, or send him your questions via email.
Today: John explains how to use Advanced Threat Analytics to monitor your domain controllers for threats across different environments, and how to control the reboots of your domain controllers after updates.
Q. If I want to use Advanced Threat Analytics to monitor a number of geographically distributed domain controllers, do I need multiple ATA servers?
A. Advanced Threat Analytics detects attacks against your Active Directory, for example golden ticket and pass-the-hash attacks, among others. It works by receiving traffic from your domain controllers in one of two ways:
Using a full gateway to which the DCs' traffic is port-mirrored; the gateway then forwards the relevant traffic to the ATA server
Installing a lightweight gateway on each DC, which sends the relevant traffic directly to the ATA server
If you are using ATA in the public cloud, where port mirroring is not possible, the lightweight gateway is used, and it is very efficient. The lightweight gateway analyzes the traffic locally and typically sends only 1-2% of the total traffic (the part ATA actually needs) to the ATA server, and it is optimized for WAN environments. Because of this, even when the DCs are geographically distributed it is common to still use a single ATA server, since currently you cannot merge views across multiple ATA instances.
Q. If I enable the automatic gateway update on my domain controllers along with automatic reboot, are the reboots staggered?
A. As the ATA server is updated, there is often a corresponding update to the gateway and lightweight gateway. One of the options is to automatically update any gateways (full or lightweight), along with the option to automatically reboot them if required. A common concern is whether, if you enable the automatic reboot of your domain controllers, these reboots will be staggered so that your entire AD is not taken offline. The actual process just pushes the update, and then the restart is performed independently by each gateway, i.e. there is no centrally managed staggering. Therefore, to ensure service availability, it is best not to enable automatic reboot for all servers and instead restart them manually, or at most enable the automatic restart for half the servers in any single location.
Note that a restart is often not required; it is typically only needed when the update includes an upgrade of .NET.
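The following PowerShell script is an added example, not part of John's answer and not part of ATA itself: it implements the manual, "at most half per location" restart approach described above by grouping the domain controllers by AD site, restarting no more than half of each site's DCs at a time, and refusing to start the next batch until the previous one is answering LDAP and running NTDS and Netlogon again. It assumes Windows PowerShell 5.1 on a domain-joined admin workstation with the RSAT ActiveDirectory module, WinRM enabled on the DCs, and an account permitted to restart them; it does not talk to ATA, so leave ATA's automatic reboot option off and run this once the gateway update has been pushed and a restart is needed.

```powershell
# Added example (not from John Savill's column or from ATA): stagger DC restarts per AD
# site so that at most half of each site's DCs are down at any time.
# Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory module, WinRM reachable on the
# DCs, and an account allowed to restart them. Run with -WhatIf first to see the plan.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Fraction of a site's DCs that may be restarted concurrently (the column's advice: at most half)
    [ValidateRange(0.1, 0.5)]
    [double]$MaxFractionPerSite = 0.5,
    # Seconds to wait for a DC to return to service before aborting the run
    [int]$TimeoutSeconds = 900
)

Import-Module ActiveDirectory

function Test-DomainControllerReady {
    param([string]$HostName)
    # A DC counts as ready when LDAP answers and the NTDS and Netlogon services are running.
    $ldap = Test-NetConnection -ComputerName $HostName -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $ldap) { return $false }
    try {
        $svc = Invoke-Command -ComputerName $HostName -ErrorAction Stop -ScriptBlock {
            Get-Service -Name NTDS, Netlogon
        }
        return (@($svc | Where-Object Status -ne 'Running').Count -eq 0)
    } catch {
        return $false
    }
}

function Wait-DomainControllerReady {
    param([string]$HostName, [int]$TimeoutSeconds)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-DomainControllerReady -HostName $HostName) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

# Group the domain's DCs by site so the batches respect the "half per location" rule.
$dcsBySite = Get-ADDomainController -Filter * | Group-Object -Property Site

foreach ($siteGroup in $dcsBySite) {
    $dcs = @($siteGroup.Group | Sort-Object HostName)
    # Never take every DC in a multi-DC site down at once; a single-DC site is restarted alone.
    $batchSize = [math]::Max(1, [math]::Floor($dcs.Count * $MaxFractionPerSite))
    if ($dcs.Count -gt 1) { $batchSize = [math]::Min($batchSize, $dcs.Count - 1) }

    Write-Host "Site $($siteGroup.Name): $($dcs.Count) DC(s), restarting $batchSize at a time"

    for ($i = 0; $i -lt $dcs.Count; $i += $batchSize) {
        $batch = $dcs[$i..([math]::Min($i + $batchSize, $dcs.Count) - 1)]
        $names = @($batch | ForEach-Object HostName)

        # Refuse to start a batch while any other DC in the site is still unhealthy.
        $stillDown = @($dcs | ForEach-Object HostName) |
            Where-Object { $_ -notin $names } |
            Where-Object { -not (Test-DomainControllerReady -HostName $_) }
        if ($stillDown) {
            throw "Aborting: DC(s) $($stillDown -join ', ') in site $($siteGroup.Name) are not healthy"
        }

        if ($PSCmdlet.ShouldProcess(($names -join ', '), 'Restart domain controller')) {
            # -Wait/-For PowerShell blocks until WinRM on every DC in the batch answers again.
            Restart-Computer -ComputerName $names -Force -Wait -For PowerShell -Timeout $TimeoutSeconds -Delay 15
            foreach ($name in $names) {
                if (-not (Wait-DomainControllerReady -HostName $name -TimeoutSeconds $TimeoutSeconds)) {
                    throw "Aborting: $name did not return to service within $TimeoutSeconds seconds"
                }
                Write-Host "$name is back in service"
            }
        }
    }
}
```

The health check deliberately looks at the directory services rather than just a ping: a DC that responds to ICMP but has not yet started NTDS is still unavailable to clients, so advancing to the next batch on a ping alone could leave a site with no working DC. The script stops at the first DC that does not come back within the timeout instead of carrying on, so a failed restart never cascades into the remaining half of the site.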
Q. Can I use Advanced Threat Analytics for domain controllers in Azure IaaS?
A. Absolutely. You would install the lightweight gateway on each DC in Azure IaaS, and it would then pass the relevant traffic to the ATA server for inspection. The only difference between a DC in Azure and one on-premises is that you cannot use the option of mirroring the DC's traffic to a full gateway server.