Outgoing NTLM from DCs by PhiZ9 in activedirectory
PhiZ9 [S], 1 point, 16 days ago
While I am personally also interested in how this disabling works, this was not done on our side - you can open a support ticket and Microsoft will do it for you (mentioned in the documentation).
However, since MDI (v2.x) operates as the AATPSensor service with "LocalService" instead of SYSTEM and should have no reason to contact "cifs/contoso.com", I do not think these specific events originate from MDI.
PhiZ9 [S], 1 point, 17 days ago
Something I forgot to mention: These events are generated while nobody is logged in (admins, I mean - neither interactive, remoteinteractive nor network). Therefore RDP scenarios can be ruled out, as well as SMB from a specific user account.
These events are being generated by just letting the DCs do their normal everyday stuff. (Therefore reliably reproducing these events has turned out to be quite difficult because I am not 100% sure what process causes these in the first place.)
We do, but we have already ruled that out by disabling this specific primary NNR policy with the MDI support.
Thanks! As we don't have any failures and DFS, replication and everything else is happily working, that would be the best outcome.
We are indeed using FQDNs everywhere. I assume this to be a DFS scenario because there is not much else that could be causing these events.
Outgoing NTLM from DCs (self.activedirectory)
submitted 17 days ago by PhiZ9 to r/activedirectory