SOLVED

Low success rate of active name resolution


New install of Azure ATP Sensor on Domain Controller getting warning "Low success rate of active name resolution".

 

Corp-DC1, failed more than 90% of the time when doing active resolution using NetBIOS, NetworkNameResolverMethodRdpTlsName, RPC over NTLM and reverse DNS. It might affect detections capabilities and increase amount of FPs.

Recommendations

Check that the sensor can reach the DNS server and that Reverse Lookup Zones are enabled.
Check that Port 137 is open for inbound communication from MDI sensors, on all computers in the environment.
Check that Port 135 is open for inbound communication from MDI sensors, on all computers in the environment.
Check all network configuration (firewalls), as these could prevent communication to the relevant ports.

 

Need assistance interpreting or getting more information about this error. Domain controller is Server 2019 serving several sites/subnets. All other services work fine, we see no error messages in DNS Server or DNS client.

 

10 Replies
best response confirmed by RNalivaika (Contributor)
Solution

@RNalivaika 
Did you make sure the ports are open as described in 

https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#ports

?

If yes, open a support case, so they can increase the trace level on your workspace to tell you more about when it fails.

@Eli Ofek you mean Office365 support?

I will try that, thank you!

@Eli Ofek Can you confirm the frequency with which the sensor runs this "name resolution" process?

@mesaqee 
For every connection opened to the DC, if there wasn't a connection from this endpoint already in the past 30 sec.
This is the current implementation and might change without notice, so do not rely on it in any way.

@Eli Ofek Can we change the timeout settings for the name resolution (set to 500 ms), if we put up a request with the support team for our tenant? Also, please confirm if 500 ms timeout is the existing configuration from Microsoft side?

@mesaqee 
Yes, currently the default is still 500ms. It can change without notice.

We have the technical means to change it, but only if investigation shows this is needed and there is no other way. Why do you want to change it and to what number?

Thank you

@Eli Ofek MS Support provided me with a sample list of IP addresses failing NNR and we were able to make the necessary changes on the network, so this helped.
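
One way to test a list of failing addresses against the alert's recommendations, run from the DC that hosts the sensor. This is an added example, not part of the thread and not Microsoft's tooling. Assumptions: the 192.0.2.x addresses are constructed placeholders, the function names are made up for this sketch, and TCP 3389 is the standard RDP default rather than a value from this page.

```powershell
# Added diagnostic example; run it on the DC that hosts the sensor.
$Endpoints = @('192.0.2.10', '192.0.2.11')   # constructed sample addresses
$TimeoutMs = 500                              # timeout value quoted in this thread

function Test-TcpPort([string]$Address, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws if the connection is refused
        return ($client.ConnectAsync($Address, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Test-NetBiosStatus([string]$Address) {
    # NetBIOS node status (NBSTAT) query for the wildcard name "*", sent to UDP 137
    [byte[]]$query = @(0x12,0x34, 0,0, 0,1, 0,0, 0,0, 0,0, 0x20) +
        [Text.Encoding]::ASCII.GetBytes('CK' + ('A' * 30)) + @(0, 0,0x21, 0,1)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        [void]$udp.Send($query, $query.Length, $Address, 137)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        # Any reply within the timeout means the endpoint answered on UDP 137
        return ($udp.Receive([ref]$remote).Length -gt 0)
    } catch { return $false } finally { $udp.Close() }
}

function Get-PtrName([string]$Address) {
    # -DnsOnly keeps LLMNR and NetBIOS out of the answer, so this tests reverse DNS alone
    $ptr = Resolve-DnsName -Name $Address -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
    if ($ptr) { return $ptr.NameHost }
    return $null
}

# One row per endpoint: which resolution paths answer within the timeout
$Endpoints | ForEach-Object {
    [pscustomobject]@{
        Address    = $_
        Rpc135     = Test-TcpPort $_ 135       # RPC over NTLM
        NetBios137 = Test-NetBiosStatus $_     # NetBIOS
        Rdp3389    = Test-TcpPort $_ 3389      # RDP TLS name (default RDP port, assumed)
        ReversePtr = Get-PtrName $_            # reverse DNS
    }
} | Format-Table -AutoSize
```

An endpoint only needs one method to succeed for its name to resolve; rows where every column is `False` or empty are the ones to chase through firewall rules and reverse lookup zones.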
