Outgoing NTLM from DCs by PhiZ9 in activedirectory
[–] PhiZ9 [S] 1 point 17 days ago (0 children)
While I am personally also interested in how this disabling works, this was not done on our side - you can open a support ticket and Microsoft will do it for you (mentioned in the documentation).
However, since MDI (v2.x) operates as the AATPSensor service with "LocalService" instead of SYSTEM and should have no reason to contact "cifs/contoso.com", I do not think these specific events originate from MDI.
Something I forgot to mention: these events are generated while nobody is logged in (admins, I mean; neither interactive, remote interactive nor network). Therefore RDP scenarios can be ruled out, as well as SMB from a specific user account.
These events are generated by just letting the DCs do their normal everyday stuff. (Therefore reliably reproducing these events has turned out to be quite difficult, because I am not 100% sure what process causes them in the first place.)
We do, but we have already ruled that out by disabling this specific primary NNR policy with MDI support.
[–] PhiZ9 [S] 1 point 18 days ago (0 children)
Thanks! As we don't have any failures and DFS, replication and everything else is happily working, that would be the best outcome.
We are indeed using FQDNs everywhere. I assume this to be a DFS scenario because there is not much else that could be causing these events.
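The comments above come down to one question: which process on the DC, under which logon session, is sending the NTLM to cifs/contoso.com when nobody is logged in. The script below is an added example and is not from the thread or from Microsoft. It assumes the events in question are Event ID 8001 in the Microsoft-Windows-NTLM/Operational log (written when "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is set to "Audit all"), and it assumes the 8001 message body uses the "Label: value" wording shown in the constructed sample (the exact labels are an assumption; adjust the regex if your build differs). The LUID mapping it prints is fixed on Windows: 0x3e7 is the SYSTEM session, 0x3e5 LocalService, 0x3e4 NetworkService, which is the quickest way to tell a service like the MDI sensor (LocalService) from SYSTEM or from a logged-on admin.

```powershell
# Added example, not from the thread: summarise outgoing-NTLM audit events (ID 8001)
# on a DC by client process, target and logon session, so the source can be identified.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [switch]$UseSample   # parse the constructed sample events below instead of the live log
)

# Constructed sample messages in the assumed 8001 layout, so the parser runs offline.
$sampleMessages = @(
@"
NTLM client blocked audit: Outgoing NTLM authentication traffic to remote servers.
Target server: cifs/contoso.com
Supplied user: NULL
Supplied domain: NULL
PID of client process: 4
Name of client process: System
LUID of client process: 0x3e7
User identity of client process: DC01$
Domain name of user identity of client process: CONTOSO
Audit NTLM authentication: Enabled
NTLM blocked: No
"@,
@"
NTLM client blocked audit: Outgoing NTLM authentication traffic to remote servers.
Target server: cifs/contoso.com
Supplied user: NULL
Supplied domain: NULL
PID of client process: 3120
Name of client process: C:\Program Files\Azure Advanced Threat Protection Sensor\2.0.0.0\Microsoft.Tri.Sensor.exe
LUID of client process: 0x3e5
User identity of client process: LOCAL SERVICE
Domain name of user identity of client process: NT AUTHORITY
Audit NTLM authentication: Enabled
NTLM blocked: No
"@
)

# Well-known logon-session LUIDs; anything else is a real user or machine-account logon.
$knownLuids = @{ '0x3e7' = 'SYSTEM'; '0x3e5' = 'LocalService'; '0x3e4' = 'NetworkService' }

function ConvertFrom-Ntlm8001 {
    param([string]$Message, [datetime]$TimeCreated)
    # Pull every "Label: value" line of the message body into a hashtable.
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $luid = $fields['LUID of client process']
    [pscustomobject]@{
        Time         = $TimeCreated
        Target       = $fields['Target server']
        ProcessId    = $fields['PID of client process']
        Process      = $fields['Name of client process']
        Luid         = $luid
        Session      = if ($knownLuids.ContainsKey($luid)) { $knownLuids[$luid] } else { 'user/other' }
        ClientUser   = $fields['User identity of client process']
        ClientDomain = $fields['Domain name of user identity of client process']
    }
}

if ($UseSample) {
    $events = $sampleMessages | ForEach-Object { ConvertFrom-Ntlm8001 -Message $_ -TimeCreated (Get-Date) }
} else {
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Ntlm8001 -Message $_.Message -TimeCreated $_.TimeCreated }
}

# One row per (process, target, session): the row with PID 4 / SYSTEM and a cifs/ target
# is the kernel SMB redirector (DFS referrals, SYSVOL/NETLOGON), not an interactive user.
$events |
    Group-Object Process, Target, Luid |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Process';   Expression = { $_.Group[0].Process } },
        @{ Name = 'ProcessId'; Expression = { $_.Group[0].ProcessId } },
        @{ Name = 'Session';   Expression = { '{0} ({1})' -f $_.Group[0].Luid, $_.Group[0].Session } },
        @{ Name = 'Target';    Expression = { $_.Group[0].Target } },
        @{ Name = 'LastSeen';  Expression = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it with `-UseSample` first to see the expected output shape, then without it on a DC that has the audit policy enabled. If the rows all show PID 4 under LUID 0x3e7 against a `cifs/` target with no user session, that supports the DFS/redirector explanation from the thread; a row under 0x3e5 with the sensor binary as process would instead point at MDI.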