Microsoft Active Directory (AD) Service Log Configuration Guide

(1)

Microsoft Active Directory (AD) Service



Log Configuration Guide

Document Release: October 2011 Part Number: LL600011-00ELS090000

(2)

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors.  In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in 

the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

(3)

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable,

experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:

Telephone: Toll Free—1-800-957-LOGS Local—1-408-834-7480

EMEA or APAC: + 44 (0) 207 1170075 or +44 (0) 8000 669970 Email: [email protected]

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.  When contacting Customer Support, be prepared to provide:

Your name, email address, phone number, and fax number Your company name and company address

Your machine type and release version

A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to

[email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

(6)

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: 

LogLogic_home_directory\upgrade\

(7)

Chapter 1 – Configuring Microsoft Active Directory

Service

This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Microsoft AD Service logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft AD Service related log data.

Prerequisites . . . 7

Configuring Microsoft Active Directory. . . 8

Installing and Configuring LogLogic’s Event Collector . . . 8

Enabling the LogLogic Appliance to Capture Log Data . . . 8

Adding an Active Directory Device. . . 8

Configuring the LogLogic Appliance for Log Collection . . . 10

Verifying the Configuration . . . 10

Prerequisites

Prior to integrating Active Directory with the LogLogic Appliance, ensure that you meet the following prerequisites:

Specific prerequisites for Active Directory 2003:

Active Directory Service running on Microsoft 2003 Enterprise Edition R2 with proper access permissions to make configuration changes

LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft 2003 support.

Specific prerequisites for Active Directory 2008:

Active Directory/Active Directory Domain services running on Microsoft Server 2008 Enterprise Edition with proper access permissions to make configuration changes

LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft 2008 support.

General prerequisites:

User account with administrator privileges Administrative access on the LogLogic Appliance

(8)

Configuring Microsoft Active Directory

Microsoft AD Service logs are generated in Event Log format on the host machine configured for Active Directory. Lasso Enterprise is needed in order to send the logs generated on the machine (or other machines) to the LogLogic Appliance.

Installing and Configuring LogLogic’s Event Collector

LogLogic’s event collector, Lasso Enterprise v2.0 or later, is needed in order to send the Active Directory logs generated on the host machine (or other machines) to the LogLogic Appliance.

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft AD Service log data.

Adding an Active Directory Device

The following sections describe how to configure the LogLogic Appliance to capture Microsoft AD Service logs. Logs sent via syslog will be auto discovered by the LogLogic Appliance. Steps to enable auto-discovery are explained in the next section, “Configuring the LogLogic Appliance for Log Collection”.

With the auto-identification feature, the LogLogic Appliance captures Active Directory log messages in syslog format using Lasso/Lasso Enterprise. As the syslog messages come into the Appliance, they are automatically identified and a new device type is added to the log source device list. Default values are used for certain properties, such as the device name.

If you do not want to utilize the auto-identification feature, you can manually add Active Directory as a device to the LogLogic Appliance before you redirect the logs.

To add Microsoft AD Service as a new device:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Click Add New.

(9)

4. Type in the following information for the device:

 Name—Name for the Microsoft AD Service device

 Description (optional)—Description of the Microsoft AD Service device  Device Type—Select Microsoft AD Service from the drop-down menu  Host IP—IP address of the Microsoft AD Service appliance

 Enable Data Collection—Select the Yes radio button

 Refresh Device Name through DNS Lookups (optional)—Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 1 Manual Addition of Active Directory Service

5. Click Add.

6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When the logs arrive from the specified Juniper Networks Management Server (or remote Syslog Server depending on your environment), the LogLogic Appliance uses the device you just added if the IP address matches.

(10)

Configuring the LogLogic Appliance for Log Collection

LogLogic captures Active Directory logs using the syslog listener. When auto-discovery is enabled on the LogLogic Appliance, the logs are automatically identified as belonging to Active Directory and a new device is created by the LogLogic Appliance itself.

To enabling Auto Discovery in the LogLogic Appliance:

1. Log into your LogLogic Appliance.

2. From the navigation tree, click Administration > System Settings. The General tab appears.

3. Select Yes for the “Auto-identify Log Sources” option. 4. Click the Update button.

After enabling the Auto-discovery, the LogLogic Appliance will auto-discover the Active Directory Service device whenever logs are sent to the Appliance.

Verifying the Configuration

The section describes how to verify that the configuration changes made to Microsoft AD Service and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.

(11)

Figure 2 Log Source Status Tab Displaying Active Directory Entry

If the device name (Active Directory) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Active Directory Service logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Lasso Enterprise configuration, and the LogLogic Appliance configuration.

(12)

Chapter 2 – How LogLogic Supports Microsoft AD

Service

This chapter describes LogLogic’s support for Microsoft AD Service. LogLogic enables you to capture event log data to monitor Microsoft AD Service events.

How LogLogic Captures Active Directory Service Log Data . . . 12 LogLogic Real-Time Reports . . . 14 LogLogic Search Filters . . . 14

How LogLogic Captures Active Directory Service Log Data

LogLogic’s Windows Event Collector Lasso Enterprise can be used to collect Active Directory service logs from the Windows server where the service is installed. The Windows Event Collector Lasso Enterprise is an application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance.

The LogLogic Appliance automatically captures Active Directory service log messages via syslog using conventional UDP port 514. Log files since the last pull are automatically filtered out from collecting the next set of logs to eliminate duplication.

Also, Lasso Enterprise collector can be configured to work in two modes:

Agent Mode – Logs are collected and forwarded from the server where it is installed. Collector Mode – Logs are collected and forwarded remotely from a single server.

Note: Lasso Enterprise does not support Log collection for 2008 platform in the Collector mode.

(13)

Figure 3 Microsoft 2003/2008 Server with Active Directory Running; LogLogic Lasso Enterprise in Agent Mode, and the LogLogic Appliance Components and Processes

Figure 4 Microsoft 2003 Server with Active Directory Running; LogLogic Lasso Enterprise in Collector Mode, and the LogLogic Appliance Components and Processes

The above displayed figures illustrate the event flow diagram of the Active Directory Service logs from the point of their inception from the server through the syslog event collector (Lasso

Enterprise) to the LogLogic Appliance and then finally to be outputted in the form of reports and alerts.

Lasso Enterprise can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the machine where it is installed and from other systems it is configured to access. Regardless of the mode used, all collected logs are converted into text format by the Collector and then forwarded to the LogLogic Appliance’s Syslog Listener via UDP or TCP. For more information about Lasso Enterprise, please refer to the Lasso Enterprise Users Guide.

(14)

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft AD Service log data. The following Real-Time Reports are available:

All Unparsed Events – Displays data for all unparsed Microsoft AD Service events during a specified time interval.

Permission Modification – Displays events related to permission modifications performed on user and server objects.

User Access – Displays data access and changes done to data during a specified time interval

User Last Activity – Displays user specific details and is used to track user activity during a specified time interval

Windows Events – Displays Windows event information served during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports. 2. Select Access Control.

The following Real-Time Reports are available:  Permission Modification

 User Access  User Last Activity  Windows Events 3. Select Operational.

The following Real-Time Report is available:  All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic Users Guide.

LogLogic Search Filters

LogLogic provides pre-configured Search Filters for Microsoft AD Service log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:

1. From the navigation menu, select Search. 2. Select Search Filters.

The following Search Filters are available for 2003/2008 Active Directory:

Active Directory: Backup Error – Displays information about Active Directory backup errors

(15)

Active Directory: Backup Starting – Displays information when an Active Directory backup started

Active Directory: Can't Recover – Displays information about events where Active Directory cannot be recovered

Active Directory: Delete – Displays information about Active Directory-related delete operations

Active Directory: Disk Space Mgmt – Displays information about disk space issues Active Directory: Exception Errors – Displays information about Active Directory

exception and internal errors

Active Directory: Failed to Restore – Displays information about events where Active Directory failed to restore from a backup

Active Directory: Initialize – Displays information about Active Directory initialization Active Directory: Memory Management – Displays information about Active Directory

memory issues

Active Directory: Missing Information – Displays information about events where Active Directory is missing information

Active Directory: Replication Completed – Displays information when an Active Directory replication successfully completed

Active Directory: Replication Error – Displays information about Active Directory replication errors and warnings

Active Directory: Shutdown – Displays information when Active Directory performs a shutdown

Active Directory: Startup – Displays information about when Active Directory performs a startup

Active Directory: Synchronization – Displays information about when Active Directory or the domain controller performs a synchronization operation

Active Directory: Unable to Restore – Displays information when Active Directory cannot be restored

The following Search Filters are available for only Active Directory 2008.

Active Directory: Auditing Errors – It will search for errors related to initialization of auditing or when the maximum storage limit for audit events is reached.

Active Directory: Trial Version Errors – It will search for events related to ADDS trial version expiry.

Active Directory: RODC Errors – It will search for events related to failures encountered during promotion of a Read-only Domain controller.

Active Directory: Invalid Replication Authentication – It will search for events related to invalid replication authentication mode for a forest

Active Directory: Invalid Up-To-Dateness Vector – It will search for events related to invalid Up-to-Dateness vector of a directory partition or the Active directory database. Active Directory: Directory Services Uninstall – It will search for events related to the

uninstall operations in Active Directory Domain Services.

Active Directory: System Error – It will search for the event that tells about a system error. Active Directory: KCC Failures – It will search for events related to the failures encountered

(16)

Active Directory: DSA Errors – It will search for events related to errors encountered by the Directory Service Agent during its operations.

Active Directory: Service Account Issues – It will search for events related to Service account errors.

Active Directory: Kerberos And Negotiate-Pass Authentication Errors – It will search for events related to Kerberos and negotiate-pass authentication errors.

Active Directory: Server Object Not Found – It will search for the event that tells about a missing sever object for an ADDS.

Active Directory: Attributes Replicated – It will search for the security events related to Active Directory object's attribute replication completion.

(17)

Chapter 3 – Troubleshooting and FAQ

This chapter contains troubleshooting regarding the configuration and/or use of log collection for Active Directory. It also contains an FAQ, providing quick answers to common questions.

Troubleshooting . . . 17 Frequently Asked Questions . . . 17

Troubleshooting

If Microsoft AD Service events are not appearing on the LogLogic Appliance.

Make sure that you have properly installed and configured Lasso Enterprise. Also the Event viewer can be checked for errors and warnings logged under the Application name “LogLogic Event Collector”. For details about configuration and all the events that can be logged for Lasso Enterprise please refer to the Lasso Enterprise User’s Guide.

Also make sure that the Appliance is properly auto-identifying the device (whether auto- identification is enabled or not). If not, then try to add the device to the Appliance manually. For more information, see Configuring the LogLogic Appliance for Log Collection on page 10 on and

Adding an Active Directory Device on page 8.

If events are not displaying on the LogLogic Appliance even after configuring

Microsoft AD Service and Lasso Enterprise correctly.

Active Directory service sends the logs via UDP or TCP in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the server where Active Directory has been installed. For more information on supported protocols and ports, see the Lasso Enterprise User’s Guide for Lasso Enterprise’s configuration details.

Frequently Asked Questions

How does the LogLogic Appliance collect logs from Microsoft AD Service?

For log collection, Lasso Enterprise is required in order to read the .evt files from the machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog Server. For more information, see How LogLogic Captures Active Directory Service Log Data on page 12.

What access permissions are required?

(18)

(19)

Appendix A – Event Reference

This appendix lists the LogLogic-supported Microsoft AD Service events. The Microsoft AD Service event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic’s Syslog Listener.

LogLogic Support for Microsoft AD Service Events

The following list describes the contents of each of the columns in the table below.

Event ID—This field is used to display the Active Directory event IDs

Operating System—OS version that Microsoft AD Service is running on where the event is triggered. In some instances,

duplicate Event IDs exist for different Active Directory Service servers.

Title/Comments—Description of the Event

Agile Reports/Search—Defines whether the Active Directory event is available through the LogLogic Agile Reporting

engine or through the search capabilities. If the event is available through the Agile Report engine, then you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

Event Category—Category of events such as User Activity, Security, etc. Event Type—Type of event such as Success or Failure

(20)

Table 1 Microsoft AD Service Events Event ID Agile Reports /Search Operating System Title/Comment Event Category

Event Type Report Appears in Sample Log Message

1 698 Agile 2003 DSRM password set Security Success Audit User Access, User Last

Activity, Windows Events, Permission Modifications

<13>Aug 10 13:07:31 192.168.135.207 MSWinEventLog 0 Security 74649 Thu Aug 10 10:35:10 2006 698 Security Administrator User Success Audit PC-P32832 Account Management An attempt to set the Directory Services Restore Mode administrator password has been made. 1000

2 1113 Agile 2003/2008 Replication Inbound replication

Change Management

Warning User Access, User Last Activity, Windows Events

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 1899 Fri Jul 28 12:10:40 2006 1113 NTDS General PC-P32832$ User Warning PC-P32262 Replication Inbound replication has been disabled by the user. 109065

3 1114 Agile 2003/2008 Replication Inbound replication

Change Management

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 1900 Fri Jul 28 12:10:40 2006 1114 NTDS General PC-P32832$ User Warning PC-P32262 Replication Inbound replication has been enabled by the user. 109065

4 1115 Agile 2003/2008 Replication Outbound replication

Change Management

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 1899 Fri Jul 28 12:10:40 2006 1115 NTDS General PC-P32832$ User Warning PC-P32262 Replication Outbound replication has been disabled by the user. 109065

5 1116 Agile 2003/2008 Replication Outbound replication

Change Management

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 1899 Fri Jul 28 12:10:40 2006 1116 NTDS General PC-P32832$ User Warning PC-P32262 Replication Outbound replication has been enabled by the user. 109065

6 1119 Agile 2003/2008 Global Catalog Change Management

Informational User Access, User Last Activity, Windows Events, Permission Modifications

<13>Aug 1 14:05:05 192.168.135.207 MSWinEventLog 0 Directory Service 215 Fri Jul 14 15:33:51 2006 1119 NTDS General ANONYMOUS LOGON Well Known Group Information PC-P32832 Global Catalog This domain controller is now a global catalog. 215

7 1123 Agile 2003/2008 Connection object

deleted

Change Management

Informational User Access, User Last Activity, Windows Events

<13>Aug 1 14:18:49 192.168.135.207 MSWinEventLog 0 Directory Service 95656 Fri Jul 28 12:11:08 2006 1123 NTDS KCC ANONYMOUS LOGON Well Known Group Information PC-P32832 Knowledge Consistency Checker The Knowledge Consistency Checker (KCC) deleted the following Connection object because the source domain controller that it referenced has been deleted. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers,

(21)

8 1174 Agile 2003/2008 User privileged operation Security Informational User Access, User Last

Activity, Windows Events

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 1899 Fri Jul 28 12:10:40 2006 1174 NTDS General PC-P32832$ User Information PC-P32262 ARIEL A privileged operation (rights required = 0x) was successfully performed on object S-1-5-21-606747145-920026266-1801674531-4695. 109065

9 1176 Agile 2003/2008 Connection rejected Security Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1176 NTDS Database Unknown User N/A Information PC-P32832 None A client process has attempted an anonymous bind to an interface that Active Directory is configured not to accept. As a result, this connection was rejected. 1

10 1177 Agile 2003/2008 Object modified Change

Management & Security

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1177 NTDS Security Unknown User N/A Information PC-P32832 None The security attributes on object

CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC were modified. 1

11 1196 Agile 2003/2008 Granting rights to

Domain Administrators

Change Management

Error User Access, User Last Activity, Windows Events

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1196 NTDS Security Unknown User N/A Error PC-P32832 None Internal error: An error occurred while granting rights to the Domain Administrators group for administering the following Server object. Object:

CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC User Action An enterprise administrator needs to manually grant Full Control rights for this object to the Domain Administrators group. 1

12 1209 Agile 2003 Security checks fail Security Error User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1209 NTDS Security Unknown User N/A Error PC-P32832 None Active Directory was unable to set appropriate privileges to enable security auditing.As a result, all security checks will fail and security auditing will be unavailable. Additional data: Error value: -501 0 1

Event ID Agile Reports /Search Operating System Title/Comment Event Category

(22)

13 1209 Agile 2008 Security checks fail Security Error User Access, User Last

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 000 Fri Jul 28 12:10:40 2009 1209

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None Active Directory Domain Services was unable to set appropriate privileges to enable security auditing.As a result, all security checks will fail and security auditing will be unavailable. Additional Data Error value: -501 0 1

14 1219 Agile 2003/2008 Bind Authentication Security Warning User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1219 NTDS General Unknown User N/A Warning PC-P32832 None Active Directory was unable to initialize simple bind authentication. As a result, simple bind authentication against this LDAP interface will result in binding as an unauthenticated user. 1

15 1264 Agile 2003 Replication agreement Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1264 NTDS KCC Unknown User N/A Information PC-P32832 Knowledge Consistency Checker The Knowledge Consistency Checker (KCC) successfully added a replication agreement for the following directory partition. Directory partition: CN=Configuration,DC=tmsinet,DC=com Source domain controller: CN=NTDS

Settings,CN=USWAL1-IMGSDC2,CN=Servers,CN=Default-First-Si te-Name,CN=Sites,CN=Configuration,DC=tmsinet,DC=com 1

16 1264 Agile 2008 Replication agreement Change Management

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 Knowledge Consistency Checker The Knowledge Consistency Checker (KCC) successfully added a replication agreement for the following directory partition. Directory partition: CN=Configuration,DC=tmsinet,DC=com Source directory service: CN=NTDS Settings,CN=USWAL1-IMGSDC2,CN=Servers,CN=Default-First-Si te-Name,CN=Sites,CN=Configuration,DC=tmsinet,DC=com 1 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(23)

17 1270 Agile 2003/2008 Directory partition

removed

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1270 NTDS General Unknown User N/A Information PC-P32832 None The following directory partition has been removed from the Active Directory forest. As a result, the following directory partition is no longer replicated from the source domain controller at the following network address. Directory partition: DC=cggs, DC=act, DC=edu, DC=au Source domain controller:

object_GUID_for_source_domain_controller's_NTDSD SA_object. _Msdcs.forest Network address:

62d85225-76bf-4b46-b929-25a1bb295f51. _Msdcs.corp.hay-buv.com 1

18 1282 Agile 2003 Authentication to DC Identity and

Access

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1282 NTDS General Unknown User N/A Information PC-P32832 None The wizard could not authenticate to domain controller PC-P32832 using the supplied credentials. 1

19 1282 Agile 2008 Authentication to DC Identity and

Access

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 None The wizard could not

authenticate to Active Directory Domain Controller PC-P32832 using the supplied credentials. 1

20 1286 Agile 2003 Remote DC

unsuccessful

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1286 NTDS General Unknown User N/A Information PC-P32832 None The attempt at remote domain controller PC-P32832 to remove domain controller PC-P32332 from the forest was unsuccessful. 1

21 1286 Agile 2008 Remote DC

unsuccessful

Change Management

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 None The attempt at remote directory server PC-P32832 to remove directory server PC-P32332 was unsuccessful. 1

22 1302 Agile 2003/2008 AD could not add objects User Activity Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1302 NTDS General Unknown User N/A Information PC-P32832 None Active Directory could not add objects to the Active Directory database. 1

(24)

23 1325 Agile 2003/2008 Master roles removed by

local DC

Security Informational User Access, User Last Activity, Windows Events

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1325 NTDS General Unknown User N/A Information PC-P32832 None Removing all operations master roles owned by the local domain controller. 1

24 1327 Agile 2003/2008 DS, SAM, LSA demoted Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1327 NTDS General Unknown User N/A Information PC-P32832 None Completing demotion for the Directory Service, SAM and LSA 1

25 1344 Agile 2003/2008 Creating Objects in AD User Activity Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1344 NTDS General Unknown User N/A Information PC-P32832 None Creating Active Directory objects on the local domain controller 1

26 1345 Agile 2003/2008 Moving objects in AD Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1345 NTDS General Unknown User N/A Information PC-P32832 None Moving existing users, groups, and computer objects to Active Directory 1

27 1346 Agile 2003/2008 Creating Objects in AD Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1346 NTDS General Unknown User N/A Information PC-P32832 None Creating new domain users, groups, and computer objects 1

28 1365 Agile 2003/2008 Creating Objects in AD User Activity Informational User Access, User Last Activity, Windows Events

<13>Jul 26 10:40:04 192.168.135.207 MSWinEventLog 0 Directory Service 2650 Thu Jul 20 15:00:04 2006 1365 NTDS Replication ANONYMOUS LOGON Well Known Group Information PC-P32832 Replication Internal event: The following object was created. Object:

CN=test\0ADEL:b9b9657d-a93c-4e8f-b840-ed4ddcff85b3,CN=Del eted Objects,DC=LOGLOGIC Object GUID:

b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 2650

29 1366 Agile 2003/2008 Updating Objects in AD User Activity Informational User Access, User Last

<13>Aug 1 14:05:15 192.168.135.207 MSWinEventLog 0 Directory Service 2101 Thu Jul 20 14:31:58 2006 1366 NTDS Replication ANONYMOUS LOGON Well Known Group Information PC-P32832 Replication Internal event: The following object was updated. Object: DC=LOGLOGIC Object GUID: e274adcf-ef4c-4bbb-b44d-2fb9739c2f2e 2101

30 1391 Agile 2003/2008 Active Directory could not configure

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1391 NTDS General Unknown User N/A Error PC-P32832 None Active Directory could not configure the computer account PC-P34532 on the remote domain controller PC-P32832. 1 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(25)

31 1392 Agile 2003/2008 Demotion operation

could not remove the local DC

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1392 NTDS General Unknown User N/A Information PC-P32832 None The demotion operation could not remove the local domain controller from the forest. 1

32 1395 Agile 2003/2008 Active Directory has a

record of a domain controller that no longer exists

Security Informational User Access, User Last Activity, Windows Events

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1395 NTDS General Unknown User N/A Information PC-P32832 None Active Directory was unable to transfer the domain-wide operations master roles to another domain controller in this domain. Possible causes include: No other domain controllers are available to receive an operations master role, or Active Directory has a record of a domain controller that no longer exists. 1

33 1396 Agile 2003/2008 Active Directory has a

record of a domain controller that no longer exists

Security Error User Access, User Last Activity, Windows Events

1396 NTDS General Unknown User N/A Error PC-P32262 None Active Directory was unable to transfer the forest-wide operations master roles to another domain controller in the forest. Possible causes include: No other domain controllers are online to receive an operations master role, or Active Directory has a record of a domain controller that no longer exists. 109065

34 1399 Agile 2003/2008 Active Directory could

not move the default schema

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1399 NTDS General Unknown User N/A Error PC-P32832 None Active Directory could not move the default schema to CN=msSFU-30-Top, CN=Schema, CN=Configuration, DC=mycompany, DC=local 1

35 1404 Agile 2003/2008 DC is now intersite

topology generator

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1404 NTDS KCC Unknown User N/A Information PC-P32832 NTDS KCC This domain controller is now the intersite topology generator and has assumed responsibility for generating and maintaining intersite replication topologies for this site. 1

36 1410 Agile 2003/2008 Active Directory could

not change the role of this server

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1410 NTDS General Unknown User N/A Error PC-P32832 None Active Directory could not change the role of this server because of an incorrect product type registry key value. 1

(26)

37 1412 Agile 2003/2008 Active Directory

database

User Activity Informational User Access, User Last Activity, Windows Events

1412 NTDS General Unknown User N/A Information PC-P32832 None Internal event: The following object changes were applied to the local Active Directory database. Property: 90296 Object: CN=Aggregate, CN=Schema, CN=Configuration,

DC=salfordsoftware, DC=co, DC=uk Object GUID:

916bdd05-fc96-415c-9e16-a58d143a2406 Remote version: 5474 Remote timestamp: 2006-05-00 10:00:00 Remote Originating USN: 20510 1

38 1413 Agile 2003/2008 Fail to apply changes to

AD

User Activity Error User Access, User Last Activity, Windows Events

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 189942 Fri Jul 28 12:10:40 2006 1413 NTDS General Unknown User N/A Error PC-P32262 None Internal event: The following object changes were not applied to the local Active Directory database because the local metadata for the object indicates that the change is redundant.Property:xxx

Object:CN=RID Manager$,CN=System,DC=LOGLOGIC Object GUID:45DDDE Local version number:100 200

39 1458 Agile 2003/2008 Transfer master role to

DC

User Activity Warning User Access, User Last Activity, Windows Events

<13>Jul 20 14:31:26 192.168.135.207 MSWinEventLog 0 Directory Service 2062 Thu Jul 20 14:31:25 2006 1458 NTDS General PC-P32262$ User Warning PC-P32832 None The operations master role represented by the following object has been transferred to the following domain controller at the request of a user. Object: CN=RID Manager$,CN=System,DC=LOGLOGIC Domain controller: LOGLOGIC Previous operations master role: CN=NTDS

Settings,CN=PC-P32262,CN=Servers,CN=Default-First-Site-Name ,CN=Sites,CN=Configuration,DC=LOGLOGIC 2031

40 1504 Agile 2003/2008 Creating Objects in AD Change Management

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 000 Fri Jul 28 12:10:40 2006 1504 NTDS Replication Unknown User N/A Information PC-P32832 DS RPC Server Internal event: Active Directory Domain Services completed the request to create objects. The following number of objects was created. Number of objects: 3 Additional Data Error value: 550 The operation completed successfully. 1

41 1518 Agile 2003 Creating groups memberships in AD

Change Management

<13>Aug 1 14:09:53 192.168.135.207 MSWinEventLog 0 Directory Service 29033 Tue Jul 25 20:39:26 2006 1518 NTDS Replication SYSTEM Well Known Group Information PC-P32832 DS RPC Server Internal event: Active Directory completed the request for group memberships. Additional data: Status: 0 29033 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(27)

42 1518 Agile 2008 Creating groups

memberships in AD

Change Management

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 DS RPC Server Internal event: Active Directory Domain Services completed the request for group memberships. Additional Data Status:0 1

43 1561 Agile 2003/2008 Directory Partitions User Activity Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1561 NTDS General Unknown User N/A Information PC-P32832 None Internal event: The user has requested a full synchronization of the following directory partition from the source domain controller. Directory partition: DC=cggs, DC=act, DC=edu, DC=au Source domain controller:object_GUID_for_source_domain_controller' s_NTDSDSA_object. _Msdcs.forest Options:0x0 1

44 1575 Agile 2003/2008 Directory Partitions Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1575 NTDS General Unknown User N/A Information PC-P32832 None One or more new attributes has been added to the partial attribute set for the following directory partition. A full synchronization will be performed from the source domain controller on the next replication cycle. Directory partition: DC=cggs, DC=act, DC=edu, DC=au Source domain controller:

object_GUID_for_source_domain_controller's_NTDSD SA_object. _Msdcs.forest 1

45 1588 Agile 2003/2008 Incorrect attribute value Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1588 NTDS General Unknown User N/A Warning PC-P32832 None The following deleted object does not have the proper value for the following attribute. Object:

CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Object GUID: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsRecord) An attempt is usually made to preserve the attribute values of deleted objects, even when incoming changes are more recent. However, in this case, the attribute value of the deleted object was not a proper value. As a result, the incoming attribute change was applied. 1

(28)

46 1684 Agile 2003/2008 Attribute Value Change

not applied

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1684 NTDS General Unknown User N/A Information PC-P32832 None Internal event: An attribute value change was not applied because the following object has been deleted. Object GUID:

b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 1

47 1685 Agile 2003/2008 Attribute Value Change

not applied

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1685 NTDS General Unknown User N/A Information PC-P32832 None Internal event: An attribute value change was not applied because the following object was not found. Object GUID:

b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsRecord) This operation will be tried again later. Objects will be reordered to increase the chance that this object will be included in the packet. 1

48 1686 Agile 2003/2008 Attribute Value Change not applied

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1686 NTDS General Unknown User N/A Information PC-P32832 None Internal event: An attribute value change was not applied because the attribute value was not needed. Object:

CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Object GUID: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsRecord) 1

49 1689 Agile 2003/2008 Attribute Value Changed User Activity Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1689 NTDS General Unknown User N/A Information PC-P32832 None Internal event: The following attribute value change was applied. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Object GUID: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsRecord) Present time: 2006-05-00 10:00:00 1

(29)

50 1693 Agile 2003/2008 New Attribute Added to

AD

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1693 NTDS General Unknown User N/A Information PC-P32832 None Internal event: A request was made to add a value to an attribute. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Attribute: 9017e (dnsRecord) Deletion time: 2006-05-00 10:00:00 The value does not exist on this attribute in any form. The state of the value is absent. As a result, the new value was created. 1

51 1714 Agile 2003/2008 Attribute Value Updated Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1714 NTDS General Unknown User N/A Information PC-P32832 None Internal event: The type of a group object was changed to universal. A member value was updated so that it will replicate to the global catalog. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers,

CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Attribute: 9017e (dnsRecord) Deletion time: 2006-05-00 10:00:00 1

52 1716 Agile 2003/2008 Attribute Value Updated User Activity Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1716 NTDS General Unknown User N/A Information PC-P32832 None Internal event: Active Directory updated the following attribute value on the following object. Object:

CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC 1

53 1746 Agile 2003/2008 Domain removed from

forest

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1746 NTDS General Unknown User N/A Information PC-P32832 None The following domain has been removed from the forest and the domain objects will be removed from the global catalog. Domain: loglogic 1

54 1747 Agile 2003/2008 Domain removed from forest

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1747 NTDS General Unknown User N/A Warning PC-P32832 None The following domain has been removed from the forest and the attempt to remove the objects from the global catalog failed. Domain: LOGLOGIC This operation will be tried again later. Additional Data Error value: 2525 1908 1 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(30)

55 1750 Agile 2003/2008 Directory Partition

deleted

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1750 NTDS General Unknown User N/A Information PC-P32832 None The following application directory partition has been deleted from the forest. Application directory partition: DC=cggs, DC=act, DC=edu, DC=au The objects in this application directory partition will be removed from the local domain controller. 1

56 1751 Agile 2003/2008 Directory Partition

deleted

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1751 NTDS General Unknown User N/A Information PC-P32832 None The following application directory partition has been deleted from the forest. An attempt to remove the objects from the local domain controller failed. Application directory partition: DC=cggs, DC=act, DC=edu, DC=au This operation will be tried again later. Additional Data Error value: -501 1

57 1758 Agile 2003/2008 Master Roles transferred Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1758 NTDS General Unknown User N/A Information PC-P32832 None Transferring operations master roles owned by this domain controller in directory partition DC=cggs, DC=act, DC=edu, DC=au to domain controller PC-P32832 1

58 1790 Agile 2003/2008 Global Catalog Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1790 NTDS General Unknown User N/A Error PC-P32832 None The system failed to promote this server into a Global Catalog 5 times. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 2525 8418 1

59 1804 Agile 2003/2008 FSMO Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1804 NTDS General Unknown User N/A Information PC-P32832 None Transferred FSMO roles owned by this server in partition DC=cggs, DC=act, DC=edu, DC=au to server PC-P32832 1

60 1831 Agile 2003/2008 FSMO Change Management

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 189942 Fri Jul 28 12:10:40 2006 1831 NTDS General Unknown User N/A Error PC-P32262 None The Domain Naming FSMO has been deleted. Seize the FSMO role using NTDSUTIL and retry the promotion 109065

(31)

61 1837 Agile 2003/2008 Master Roles transfer

failed

Change Management

<13>Jul 20 14:31:26 192.168.135.207 MSWinEventLog 0 Directory Service 2062 Thu Jul 20 14:31:25 2006 1837 NTDS Replication PC-P32262$ User Warning PC-P32832 Internal Configuration An attempt to transfer the operations master role represented by the following object failed. Object: CN=RID

Manager$,CN=System,DC=LOGLOGIC Current operations master role: CN=NTDS

Settings,CN=PC-P32832,CN=Servers,CN=Default-First-Site-Name ,CN=Sites,CN=Configuration,DC=LOGLOGIC Proposed operations master role: CN=NTDS

Settings,CN=PC-P32262,CN=Servers,CN=Default-First-Site-Name ,CN=Sites,CN=Configuration,DC=LOGLOGIC Additional Data Error value: 3 2031

62 1877 Agile 2003 Domain Rename

operation

User Activity & Security

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1877 NTDS General Unknown User N/A Error PC-P32832 None The user does not have the right to invoke a domain rename operation. Additional data: Error value: -501 0 1

63 1877 Agile 2008 Domain Rename

operation

User Activity & Security

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None The user does not have the right to invoke a domain rename operation. Additional Data Error value: -501 0 1

64 1888 Agile 2003/2008 AD moving an object User Activity Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1888 NTDS General Unknown User N/A Information PC-P32832 None Internal event: As part of running a script, Active Directory is moving the following object. Source object:

CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Destination object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Additional Data Error value: 1908 1 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(32)

65 1889 Agile 2003/2008 Creating Objects in AD User Activity Informational User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1889 NTDS General Unknown User N/A Information PC-P32832 None Internal event: As part of running a script, Active Directory is creating the following object. Object:

CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC 1

66 1898 Agile 2003/2008 Schema object modified Change

Management

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 189942 Fri Jul 28 12:10:40 2006 1898 NTDS General Unknown User N/A Information PC-P32262 DS Schema Internal event: The following schema object was modified. Schema object: CN=msSFU-30-Top,CN=Schema,CN=Configuration,DC=mycompa ny,DC=local 109065

67 1899 Agile 2003/2008 Schema object added Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1899 NTDS General Unknown User N/A Information PC-P32832 DS Schema Internal event: The following schema object was added. Schema object: CN=test,CN=Schema,CN=Configuration,DC=wipro,DC=loglabs2,D C=com 1

68 1956 Agile 2003/2008 Directory partition

deleted

Change Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1956 NTDS General Unknown User N/A Information PC-P32832 None Internal event: The following directory partition was deleted. Directory partition DN: DC=cggs, DC=act, DC=edu, DC=au Directory partition GUID: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Name changed 0 Garbage collect immediate 0 Additional Data Internal ID: 1

69 1964 Agile 2003 Replication denied Security Error User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1964 NTDS General Unknown User N/A Error PC-P32832 None The local domain controller has denied a replication attempt on the following directory partition. The following domain controller requested to replicate one or more objects from an unauthorized directory partition and the attempt failed. Domain controller: Pc-P32832 Directory partition: DC=cggs,DC=act,DC=edu,DC=au This might pose a security risk. 1 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(33)

70 1964 Agile 2008 Replication denied Security Error User Access, User Last

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None The local directory service has denied a replication attempt on the following directory partition. The following directory service requested to replicate one or more objects from an unauthorized directory partition and the attempt failed. directory service: Pc-P32832 Directory partition: DC=cggs,DC=act,DC=edu,DC=au This might pose a security risk. 1

71 1977 Agile 2003 Replication denied Security Informational User Access, User Last

<13>Jul 28 16:32:27 192.168.135.204 MSWinEventLog 0 Directory Service 189942 Fri Jul 28 12:10:40 2006 1977 NTDS Replication Unknown User N/A Error PC-P32262 Replication The following domain controller made a replication request for a writable directory partition that has been denied by the local domain controller. The requesting domain controller does not have access to a writable copy of this directory partition. Requesting domain controller: faff04ed-d41b-49f2-90eb-ac562414ceec Directory

partition:DC=mydomain,DC=com User Action: If the requesting domain controller must have a writable copy of this partition, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes All access right. You may also get this message during the transition period after a child partition has been removed. This message will cease when knowledge of the child partition removal has replicated throughout the forest. 1

72 1977 Agile 2008 Replication denied Security Informational User Access, User Last

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 Replication The following directory service made a replication request for a writable directory partition that has been denied by the local directory service. The requesting directory service does not have access to a writable copy of this directory partition. Requesting directory service:

faff04ed-d41b-49f2-90eb-ac562414ceec Directory

partition:DC=mydomain,DC=com User Action: If the requesting directory service must have a writable copy of this partition, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes All access right. You may also get this message during the transition period after a child partition has been removed. This message will cease when knowledge of the child partition removal has replicated throughout the forest.. 1 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(34)

73 1991 Agile 2003 Removing AD objects Change

Management

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1991 NTDS General Unknown User N/A Information PC-P32832 None Removing Active Directory objects from the domain naming master S-1-5-21-606747145-920026266-1801674531-4695 that refer to the local domain 1

74 1991 Agile 2008 Removing AD objects Change

Management

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 None Removing Active Directory objects from the naming master

S-1-5-21-606747145-920026266-1801674531-4695 1

75 1994 Agile 2003 AD failed to refresh

Kerbose

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 1994 NTDS General Unknown User N/A Error PC-P32832 None Internal event: Active Directory failed to refresh the Kerberos security tickets. This domain controller may be unable to gain proper authorization until the Kerberos security tickets automatically refresh. Additional data: Error value: -501 0 1

76 1994 Agile 2008 AD failed to refresh

Kerbose

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None Internal event: Active Directory Domain Services failed to refresh the Kerberos security tickets. This directory service may be unable to gain proper authorization until the Kerberos security tickets automatically refresh. Additional Data Error value: -501 0 1

77 2001 Agile 2003 Ntdsutil Security Error User Access, User Last

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 2001 NTDS General Unknown User N/A Error PC-P32832 None The default NTDS security settings have not been applied to Active Directory folders.User ActionAttempt to set default security settings again using the Ntdsutil command-line tool. Additional data: Error value: -501 8418 Internal ID: 11001c0 1 Event ID Agile Reports /Search Operating System Title/Comment Event Category

(35)

78 2001 Agile 2008 Ntdsutil Security Error User Access, User Last

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None The default NTDS security settings have not been applied to Active Directory Domain Services folders.User Action Attempt to set default security settings again using the Ntdsutil command-line tool. Additional Data Error value: -501 8418 Internal ID: 11001c0 1

79 2020 Agile 2003/2008 AD created an object on

remote DC

<13>Jul 26 10:39:52 192.168.135.207 MSWinEventLog 0 Directory Service 1 Wed Jun 14 14:57:38 2006 2020 NTDS General Unknown User N/A Information PC-P32832 None Internal event: Active Directory successfully created an object on a remote computer. Computer (blank = local computer): PC-P32832 Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Object GUID: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Additional Data Internal ID: 11001c0 1

80 2021 Agile 2003 AD Object creation failed

on remote DC

<13>Jul 26 10:43:04 192.168.135.207 MSWinEventLog 0 Directory Service 496 Tue Jul 25 18:21:14 2006 2021 NTDS Genaral Unknown User N/A Error PC-P32832 None Active Directory was unable to create an object on a remote domain controller. Domain controller (blank = local domain controller): Loglogic Object: <object> Object GUID: <GUID> Additional Data: Error value: <error> Extended error value: <message> Remote Internal ID: <ID> Internal ID: <ID> 496

81 2021 Agile 2008 AD Object creation failed on remote DC

Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None Active Directory Domain Services was unable to create an object on a remote directory service. directory service (blank = local directory service): Loglogic Object: <object> Object GUID: <GUID> Additional Data Error value: <error> Extended error value: <message> Remote Internal ID: <ID> Internal ID: <ID> 496

Microsoft Active Directory (AD) Service Log Configuration Guide