Had a talk the other day with a friend about domain controllers. We talked about how fast many orgs would actually detect a new domain controller, and if they did, how fast.
As this is a normal operation, it's not flagged by ATA, but it would be a very nice feature to add (as far as I can see; this is a new install, so no 30 days of ML with admin behavior). ATA should detect an admin logging on to a new server, but I need to test on an aged system.
There are most likely a lot of event log hints of new domain controllers being added; I need to examine those also.
Adding a new domain controller
We can see the new object as a domain controller
Adding Domain Controllers Group to Sensitive Groups could h
So we could get a report like this if a DC was added; that could be a very good feature
Or list domain controllers not monitored by ATA
Detecting Domain Controllers being added
One method could be to use @LazyWinAdm
https://github.com/lazywinadmin/Monitor-ADGroupMembership
Running
.\Monitor-ADGroupMembership.ps1 -group "Domain Controllers" -Emailfrom "[email protected]" -Emailto "[email protected]" -EmailServer 10.0.0.51 -Verbose
on a rapid schedule
The first run finds the now 2 domain controllers
And we will now get an email alert when a new domain controller is added or removed
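The same baseline-and-compare idea can be run directly against the DC computer accounts instead of the group. The script below is an added example, not code from this post or from the Monitor-ADGroupMembership project; it assumes the ActiveDirectory (RSAT) module is available, and the baseline path and the -AcceptChanges switch are hypothetical names chosen for the example.

```powershell
# Added example: alert when the set of domain controller accounts changes.
# Assumptions: ActiveDirectory module installed; $BaselinePath is a hypothetical
# location that only the monitoring account can write to.
param(
    [string]$BaselinePath = 'C:\Monitoring\dc-baseline.csv',
    [switch]$AcceptChanges   # hypothetical switch: re-baseline after a reviewed change
)
Import-Module ActiveDirectory -ErrorAction Stop

# Writable DCs carry SERVER_TRUST_ACCOUNT (8192) in userAccountControl,
# RODCs carry PARTIAL_SECRETS_ACCOUNT (67108864). Match either bit.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=8192)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=67108864))'

$current = @(Get-ADComputer -LDAPFilter $filter -Properties whenCreated -ErrorAction Stop |
    Select-Object Name,
                  @{ n = 'DN';  e = { $_.DistinguishedName } },
                  @{ n = 'Sid'; e = { $_.SID.Value } },
                  whenCreated)

if (-not (Test-Path $BaselinePath) -or $AcceptChanges) {
    # First run (or an approved change): record the known-good set and stop.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written with $($current.Count) domain controller(s)."
    return
}

$baseline = @(Import-Csv -Path $BaselinePath)

# Compare on SID so a renamed DC is not reported as one removal plus one addition.
$added   = @($current  | Where-Object { $_.Sid -notin $baseline.Sid })
$removed = @($baseline | Where-Object { $_.Sid -notin $current.Sid })

foreach ($dc in $added) {
    Write-Warning "NEW domain controller: $($dc.Name) [$($dc.DN)] created $($dc.whenCreated)"
}
foreach ($dc in $removed) {
    Write-Warning "REMOVED domain controller: $($dc.Name) [$($dc.DN)]"
}

# The baseline is deliberately not updated here, so the alert repeats on every
# scheduled run until someone reviews the change and re-runs with -AcceptChanges.
[pscustomobject]@{ Added = $added; Removed = $removed }
```

The returned object can be passed to whatever alerting the scheduled task already uses, for example an email when Added or Removed is non-empty.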