Events are seen on domain controllers that have migrated to Symantec cloud. A TDAD policy is not enabled for these systems.
The Application log in the event viewer shows: Source: Symantec Threat Defense for Active Directory. Event ID 7003. Message: Enabled the collector for Endpoint Threat for Defense for AD.
Symantec Endpoint Security 14.3x.
Because the feature itself is still enabled on the SEP Client, the TDAD component will still load and conduct standard procedural operations. It will not apply a policy and execute protections, but will still be present.
The Feature set policy can be used to remove the TDAD feature. However, TDAD is not doing anything so the current configuration isn't causing any problems. But if needed apply the feature selection policy to the domain controllers and uncheck the option:
Apply this policy to Domain Controllers and any other system you do not want the TDAD agent applied on.