Auditing the Creation of Domain Controllers


Special thanks to Raman in the Active Directory team for this one.


Ever want to audit the creation of new domain controllers in your environment?  Yeah, me neither 🙂  However if you ever want to, here’s how.


1. The default SACL on Active Directory should suffice.  However, if you have changed the default SACL, here it is again, in SDDL:

S:(AU;SA;WDWOWP;;;WD)
(AU;SA;CR;;;BA)
(AU;SA;CR;;;DU)   <– this ACE is probably doing most of the work for you
(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
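If you have customized the SACL, the thing to confirm is that a success audit for Control Access still applies to Domain Users (the third ACE), because that is what makes the DS-Install-Replica event in step 3 fire. The small SDDL SACL parser below is an added example written for this post, not code from the original article or from any Microsoft tool: it tokenizes each ACE, renders it readably, and checks the SACL for that audit ACE. The abbreviation tables only cover the tokens that appear in the SACL above, and `parse_sacl`, `success_audit_for` and `dc_promotion_is_audited` are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of SDDL abbreviations that appear in the default AD SACL above.
# Tokens not in these tables are kept as their raw two-letter form.
ACE_TYPES = {"AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS",
             "CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "IO": "INHERIT_ONLY", "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
RIGHTS = {"CR": "CONTROL_ACCESS", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "WP": "WRITE_PROPERTY", "RP": "READ_PROPERTY", "CC": "CREATE_CHILD",
          "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
          "DT": "DELETE_TREE", "LO": "LIST_OBJECT", "RC": "READ_CONTROL", "SD": "DELETE"}
TRUSTEES = {"WD": "Everyone", "BA": "Builtin Administrators", "DU": "Domain Users",
            "AU": "Authenticated Users", "DA": "Domain Admins", "SY": "Local System"}

# GUID of the DS-Install-Replica control access right, as quoted in the step 3 event.
DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"

# The default SACL from step 1, joined into one SDDL string.
DEFAULT_AD_SACL = (
    "S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)"
    "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)


@dataclass
class Ace:
    ace_type: str       # AU or OU
    flags: List[str]    # e.g. ["CI", "SA"]
    rights: List[str]   # e.g. ["WD", "WO", "WP"]
    object_guid: str    # property / extended-right GUID, "" when not object-specific
    inherit_guid: str   # inherited-object-type GUID, "" if none
    trustee: str        # SID alias such as DU, or a literal S-1-... SID


def _pairs(token: str) -> List[str]:
    """Split a run of two-letter SDDL abbreviations ('WDWOWP' -> ['WD', 'WO', 'WP'])."""
    if len(token) % 2:
        raise ValueError(f"odd-length SDDL token: {token!r}")
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def parse_sacl(sddl: str) -> List[Ace]:
    """Parse the S: (SACL) portion of an SDDL string into Ace records."""
    if not sddl.startswith("S:"):
        raise ValueError("expected an SDDL string starting with 'S:'")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj, inh, trustee = fields
        aces.append(Ace(ace_type, _pairs(flags), _pairs(rights),
                        obj.lower(), inh.lower(), trustee))
    return aces


def describe(ace: Ace) -> str:
    """Human-readable rendering of one ACE."""
    return "{} [{}] {} {} -> {}".format(
        ACE_TYPES.get(ace.ace_type, ace.ace_type),
        ",".join(ACE_FLAGS.get(f, f) for f in ace.flags),
        ",".join(RIGHTS.get(r, r) for r in ace.rights),
        f"on {ace.object_guid}" if ace.object_guid else "on all objects",
        TRUSTEES.get(ace.trustee, ace.trustee))


def success_audit_for(aces: List[Ace], right: str, trustee: str,
                      control_guid: Optional[str] = None) -> Optional[Ace]:
    """Return the first success-audit ACE that logs `right` when `trustee` exercises it.

    Everyone (WD) and Authenticated Users (AU) cover every domain principal, so an ACE
    for either also satisfies the check. An object-specific ACE only counts when its
    GUID is the control access right being asked about.
    """
    wanted = (control_guid or "").lower()
    for ace in aces:
        if ace.ace_type not in ACE_TYPES or "SA" not in ace.flags:
            continue
        if right not in ace.rights or ace.trustee not in (trustee, "WD", "AU"):
            continue
        if ace.object_guid and ace.object_guid != wanted:
            continue
        return ace
    return None


def dc_promotion_is_audited(sddl: str) -> bool:
    """True if DS-Install-Replica exercised by any member of Domain Users (which includes
    the administrators who normally promote DCs) produces a success audit."""
    return success_audit_for(parse_sacl(sddl), "CR", "DU", DS_INSTALL_REPLICA) is not None


if __name__ == "__main__":
    for ace in parse_sacl(DEFAULT_AD_SACL):
        print(describe(ace))
    print("DS-Install-Replica audited for Domain Users:", dc_promotion_is_audited(DEFAULT_AD_SACL))
```

Feed it the SDDL you pull off your own domain head (for example from the Security tab's advanced view or a directory tool's SDDL export) and `dc_promotion_is_audited` tells you whether step 3 can ever produce the event; if the third ACE has been removed, only the Builtin Administrators ACE remains, and promotions performed by accounts outside that group go unaudited.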


2. Enable DS Access audit policy for success events in the Default Domain Controllers policy.


3. Look for the following event 566 in your security event log (yours will differ slightly because this example comes from Longhorn Server):

An operation was performed on an object.

Subject:
      Security ID:      YOURDOMAIN\Administrator
      Account Name:     Administrator
      Account Domain:   YOURDOMAIN
      Logon ID:         0x201d29

Object:
      Object Server:    DS
      Object Type:      domainDNS
      Object Name:      DC=yourdomain,DC=com
      Handle ID:        0x0

Operation:
      Operation Type:   Object Access
      Accesses:         Control Access
      Access Mask:      0x100
      Properties:       Control Access
            {9923a32a-3607-11d2-b9be-0000f87a36b2}   <– this is the “DS-Install-Replica” control access right
            domainDNS

Additional Information:
      Parameter 1:      –
      Parameter 2:



Some notes:

1. There is no audit generated for the first domain controller in a new forest (there is no context within which to perform DS auditing).

2. For the first domain controller in a new domain in an existing forest, you’ll see a slightly different event:

DS Access:  (here’s the Longhorn version of the DS Access event, the Windows Server 2003 version [566] is very similar):


An operation was performed on an object.

Subject:
      Security ID:     MYDOMAIN\Administrator
      Account Name:    Administrator
      Account Domain:  MYDOMAIN
      Logon ID:        0x3213d7

Object:
      Object Server:   DS
      Object Type:     crossRefContainer  <– when you see this
      Object Name:     CN=Partitions,CN=Configuration,DC=mydomain,DC=com
      Handle ID:       0x0

Operation:
      Operation Type:  Object Access
      Accesses:        Create Child
      Access Mask:     0x1
      Properties:      Create Child
            {bf967a8d-0de6-11d0-a285-00aa003049e2}

Additional Information:
      Parameter 1:     CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
                       ^– along with a new domain for the first time
      Parameter 2:     CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com



DS Change: (this is the new Longhorn-only DS Change event):

A directory service object was created.

Subject:
      Security ID:                MYDOMAIN\Administrator
      Account Name:               Administrator
      Account Domain:             MYDOMAIN
      Logon ID:                   0x3213d7

Directory Service:
      Name:                       mydomain.nttest.microsoft.com
      Type:                       Active Directory Domain Services

Object:
      DN:                         CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
      GUID:                       CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain, DC=com
      Class:                      crossRef

Operation:
      Correlation ID:             {a991c256-d7f2-4654-bf68-76ef5ebe69b4}
      Application Correlation ID: –

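To show how a collector would pick the step 3 event and the two new-domain events above out of a stream of DS Access and DS Change records, here is an added example written for this post (it is not code from the original article). It flattens the "Key: value" layout of an event description into a dictionary and classifies it as the DS-Install-Replica control-access event (a domain controller promotion) or as a new crossRef under CN=Partitions (a new domain in the forest). The three sample strings are constructed, condensed copies of the events quoted on this page; `parse_event`, `classify` and `scan` are this example's own names. On Windows Server 2008 and later the two message texts are security events 4662 and 5137 (my own note, not from the post), and their descriptions have the same layout, so the same parser applies.

```python
import re
from typing import Dict, List, Optional, Tuple

# GUID of the DS-Install-Replica control access right, as quoted in the step 3 event.
DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"

# Constructed samples, condensed from the three events quoted on this page.
PROMOTION_EVENT = r"""
An operation was performed on an object.
Subject:
      Security ID:      YOURDOMAIN\Administrator
      Account Name:     Administrator
Object:
      Object Server:    DS
      Object Type:      domainDNS
      Object Name:      DC=yourdomain,DC=com
Operation:
      Accesses:         Control Access
      Access Mask:      0x100
      Properties:       Control Access
            {9923a32a-3607-11d2-b9be-0000f87a36b2}
            domainDNS
Additional Information:
      Parameter 1:      -
"""
NEW_DOMAIN_ACCESS_EVENT = r"""
An operation was performed on an object.
Subject:
      Security ID:      MYDOMAIN\Administrator
Object:
      Object Type:      crossRefContainer
      Object Name:      CN=Partitions,CN=Configuration,DC=mydomain,DC=com
Operation:
      Accesses:         Create Child
      Access Mask:      0x1
      Properties:       Create Child
            {bf967a8d-0de6-11d0-a285-00aa003049e2}
Additional Information:
      Parameter 1:      CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
"""
NEW_DOMAIN_CHANGE_EVENT = r"""
A directory service object was created.
Subject:
      Security ID:      MYDOMAIN\Administrator
Object:
      DN:               CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
      Class:            crossRef
"""

_FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_event(text: str) -> Dict[str, str]:
    """Flatten the 'Key: value' lines of an event description into a dict.

    The first non-empty line is stored under 'Message'. Lines with no colon (the
    GUID and class name listed under 'Properties:') are appended to the preceding field.
    """
    fields: Dict[str, str] = {}
    last: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "Message" not in fields:
            fields["Message"] = line
            continue
        m = _FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    return fields


def classify(text: str) -> Optional[Tuple[str, str, str]]:
    """Map one event description to (finding, object, actor), or None if it is not
    one of the two DC-related patterns described on this page."""
    f = parse_event(text)
    msg = f.get("Message", "")
    actor = f.get("Security ID", "?")
    if msg == "An operation was performed on an object.":
        # Step 3: DS-Install-Replica exercised on the domain head = a DC was promoted.
        if (f.get("Object Type") == "domainDNS"
                and "Control Access" in f.get("Accesses", "")
                and DS_INSTALL_REPLICA in f.get("Properties", "").lower()):
            return ("dc-promotion", f.get("Object Name", ""), actor)
        # Note 2, DS Access form: a child created under CN=Partitions = a new domain.
        if (f.get("Object Type") == "crossRefContainer"
                and "Create Child" in f.get("Accesses", "")
                and "cn=partitions," in f.get("Parameter 1", "").lower()):
            return ("new-domain", f.get("Parameter 1", ""), actor)
    # Note 2, DS Change form (Longhorn only): the crossRef object itself being created.
    if msg == "A directory service object was created." and f.get("Class") == "crossRef":
        return ("new-domain", f.get("DN", ""), actor)
    return None


def scan(events: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify over a batch of event descriptions and keep only the hits."""
    return [hit for hit in (classify(e) for e in events) if hit]


if __name__ == "__main__":
    for finding, obj, actor in scan([PROMOTION_EVENT, NEW_DOMAIN_ACCESS_EVENT, NEW_DOMAIN_CHANGE_EVENT]):
        print(f"{finding}: {obj} by {actor}")
```

The classifier keys on the access and the control-access GUID rather than on the object type alone, because the domain head sees plenty of other Object Access audits (reads and property writes) that are not promotions; a `domainDNS` event whose Accesses line reads anything other than Control Access with the DS-Install-Replica GUID is ignored.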


HTH
