
Suggestion - S-DCRegistration to include AD Connect servers as DCs

Open idnahacks opened this issue 3 years ago • 2 comments

I understand that AD Connect servers are not Domain Controllers, however the best practice advice is to protect these servers as if they are domain controllers.

Is there scope to include these server roles in the S-DCRegistration check for domains where they have been added to the Domain Controllers group, rather than showing up as a misconfigured domain controller in the report?

idnahacks, Jul 15 '21 10:07

Can you share a concrete example at support@pingcastle? As is, I don't know if I can point to the AD Connect server. There is of course the MSOL account, but I'm waiting to see your concrete example and make sure a possible rule is working.

vletoux, Jul 25 '21 15:07

In my opinion it should be one or more new S-ADConnectServer checks, but I am unsure what kind of checks you would need then.

How would the automated detection work? Reading the "MSOL_*" users' Description and extracting the name from there? The checks and description of S-DCRegistration are not what I would expect for an AD Connect server, but @thegoatreich you are right that you should "Treat Azure AD Connect the same as a domain controller", as Microsoft states in https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#harden-your-azure-ad-connect-server. There is also some hardening information for the AADConnect server on that MS website.

Regarding your "misconfigured domain controller in the report", I guess that is what you might currently have: a misconfigured ADDC server or AADConnect server. It should not be detected as an ADDC. As far as I can see, I would not change the S-DCRegistration check.

I got no wrong detection error in environments with an AADConnect server, so you might want to share more details with us.

An-dir, Dec 13 '21 16:12
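As an added illustration of the detection An-dir floats above (not PingCastle's code and not from any participant in this thread): parse the MSOL_* account descriptions to recover the AD Connect server names, then use that list to tell an AD Connect server that was deliberately placed in the Domain Controllers group apart from a genuinely misconfigured member. The description wording assumed by the regex, and the sample accounts, are constructed assumptions, not taken from the issue.

```python
import re

# Pattern for the description Azure AD Connect writes on its MSOL_<id> service account.
# Assumption (not from the issue): the description contains the phrase
# "running on computer <NAME> configured to synchronize to tenant <TENANT>".
MSOL_DESC_RE = re.compile(
    r"running on computer (?P<computer>\S+) configured to synchronize to tenant (?P<tenant>\S+)",
    re.IGNORECASE,
)

# Constructed sample standing in for an LDAP query result: (sAMAccountName, description).
SAMPLE_USERS = [
    ("MSOL_1a2b3c4d5e6f", "Account created by Microsoft Azure Active Directory Connect "
     "with installation identifier 1a2b3c4d5e6f running on computer AADC01 configured to "
     "synchronize to tenant contoso.onmicrosoft.com. This account must have directory "
     "replication permissions in the local Active Directory."),
    ("MSOL_ffffffffffff", "Manually edited description with no server name"),
    ("svc_backup", "Backup service account"),
]

def adconnect_servers(users):
    """Map computer name -> tenant for every MSOL_* account whose description parses."""
    found = {}
    for sam, desc in users:
        if not sam.upper().startswith("MSOL_"):
            continue
        m = MSOL_DESC_RE.search(desc or "")
        if m:  # descriptions can be edited or blank; skip the ones that do not parse
            found[m.group("computer").upper()] = m.group("tenant").rstrip(".")
    return found

def classify_dc_group(dc_group_members, real_dcs, adconnect):
    """Classify each member of the Domain Controllers group.

    real_dcs: computers that really host a DC (e.g. own an NTDS Settings object).
    adconnect: output of adconnect_servers().
    Returns {computer: "dc" | "ad-connect-in-dc-group" | "misconfigured-dc"}.
    """
    real = {d.rstrip("$").upper() for d in real_dcs}
    result = {}
    for member in dc_group_members:
        name = member.rstrip("$").upper()
        if name in real:
            result[name] = "dc"
        elif name in adconnect:
            result[name] = "ad-connect-in-dc-group"  # the case the issue wants separated
        else:
            result[name] = "misconfigured-dc"         # what S-DCRegistration flags today
    return result

if __name__ == "__main__":
    print(classify_dc_group(["DC01$", "AADC01$", "FILE01$"], ["DC01"],
                            adconnect_servers(SAMPLE_USERS)))
```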