Q. I have domain controllers on multiple Hyper-V servers and want to send their traffic to Microsoft Advanced Threat Analytics (ATA). how can I do this?
A. For one Hyper-V environment, you do this by setting the DC's network adapter to be a source for port mirroring (accessed via the VM settings - network adapter - advanced features - port mirroring), then set the ATA Gateway to be the destination for port mirroring.
For multiple DCs over multiple Hyper-V hosts the solution is to deploy an ATA Gateway to each Hyper-V host that hosts a DC and set up the required port mirroring relationship. This way all traffic from all DCs will be sent to ATA for analysis.
Why do you go to all this trouble? Because the Microsoft Advanced Threat Analytics (ATA) needs to access all network traffic to domain controllers before it can perform& deep packet inspection of data sent to domain controllers and identify suspicious activity. Since& ATA Gateways get sent copies of all traffic to domain controllers, you'll want to make sure the ATA Center has ample access to the ATA Gateways on each host.
