2003 Domain controller Event log
  • 2003 Domain controller Event log

    Hello,

    I can't quite work out what is going on here. We have a single domain with 3 Windows 2003 R2 Service Pack 2 DCs, two of which seem to be 'behaving' OK while the third is filling up the security event log with 'Success Audit' events (Directory Service Access event 565 and System Event 516).

    Although the other two DCs have a few 565 events they do not have event 516.

    The two DCs which are working have a maximum log size of 322048KB and 321088KB respectively while we have increased the size of the other to the maximum allowed (4194240KB).

    The Default Domain Controllers Policy, computer configuration, Windows Settings, Security Settings, local Policies is set to:

    - Audit account logon events Success, Failure
    - Audit account management Success, Failure
    - Audit directory service access Success
    - Audit logon events Success
    - Audit Object access Not defined
    - Audit policy change Success
    - Audit privilege use No auditing
    - Audit process tracking No auditing
    - Audit system events Success

    We occasionally use the logon / logoff events (to check logon times if managers have queries) so I need to keep some security auditing going.

    So two questions:
    - how do I stop event 565 being written while still allowing logon/logoff events to be recorded?

    - how can the domain controller policy be being applied differently across the 3 domain controllers?

    Please can anyone answer these two questions?

  • #2
    Re: 2003 Domain controller Event log

    If all you need is logon/logoff auditing, then try disabling some of the other auditing. I usually keep things turned off unless I am diagnosing issues. Another thing to keep in mind is that Active Directory DCs each have different roles. It's not always a round-robin scenario. This means that all of your users might be authenticating with the one DC even though there are 3. Check your role assignments on the DCs.

    The 565 stems from the Object access auditing.

    - Audit Object access Not defined <- Set to No Audit
    - Audit process tracking No auditing
    - Audit directory service access Success <- Set to No Audit

    - Audit account management Success, Failure (Ask yourself if you really need this one) http://support.microsoft.com/kb/822703/en-us

    You can probably leave these as is.
    - Audit policy change Success
    - Audit privilege use No auditing
    - Audit system events Success
    Jake G

    Former Microsoft MVP - IIS ('02-'06)



    • #3
      Re: 2003 Domain controller Event log

      Thanks Jake,

      I have changed the Audit Object access Not defined and Audit directory service access Success to No Audit.

      I will have a look at the Audit account management Success, Failure tomorrow but I'm pleased the event log is behaving ....

      many thanks

      Alison



      • #4
        Re: 2003 Domain controller Event log

        You're welcome. Audit trails can be a nightmare, especially when you turn them all on. Every little detail is logged, which for a high traffic DC can be in the thousands of entries. 99% of which you don't need to audit, unless you are having specific issues.
        Jake G

        Former Microsoft MVP - IIS ('02-'06)
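
On the second question in the opening post (whether the audit policy really is the same on all three DCs), one way to check is to export the effective security policy on each DC and compare the `[Event Audit]` sections. The script below is an added example, not part of the original thread. It assumes each export was produced with `secedit /export /cfg <file> /areas SECURITYPOLICY`; the host names DC1 to DC3 and the values in the sample are constructed for illustration.

```python
# Added example: compare the [Event Audit] section of security-policy exports
# taken on each DC. Host names and values below are constructed sample data.
LEVELS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_event_audit(inf_text):
    """Return {setting: int level} from the [Event Audit] section of an export."""
    settings, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            settings[key.strip()] = int(value.strip())
    return settings

def diff_policies(exports):
    """exports maps DC name -> export text; return only the settings that differ."""
    parsed = {dc: parse_event_audit(text) for dc, text in exports.items()}
    diffs = {}
    for key in sorted(set().union(*parsed.values())):
        per_dc = {dc: LEVELS.get(p[key], "unknown") if key in p else "Not defined"
                  for dc, p in parsed.items()}
        if len(set(per_dc.values())) > 1:
            diffs[key] = per_dc
    return diffs

TEMPLATE = """[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditObjectAccess = {obj}
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = {ds}
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
"""
SAMPLE_EXPORTS = {  # constructed: DC3 deliberately differs from DC1 and DC2
    "DC1": TEMPLATE.format(obj=0, ds=1),
    "DC2": TEMPLATE.format(obj=0, ds=1),
    "DC3": TEMPLATE.format(obj=3, ds=3),
}

if __name__ == "__main__":
    for setting, per_dc in diff_policies(SAMPLE_EXPORTS).items():
        print(setting, per_dc)
```

Real exports are typically written as UTF-16, so read them with `open(path, encoding="utf-16").read()` before passing the text to `diff_policies`.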
