Auditing the Creation of Domain Controllers

Special thanks to Raman in the Active Directory team for this one.

Ever want to audit the creation of new domain controllers in your environment?  Yeah, me neither 🙂  However if you ever want to, here's how.

1. The default SACL on Active Directory should suffice.  However, if you have changed the default SACL, here it is again, in SDDL:
<-- this ACE is probably doing most of the work for you

2. Enable DS Access audit policy for success events in the Default Domain Controllers policy.

3. Look for the following event 566 in your security event log (yours will differ slightly because this example comes from Longhorn Server):

An operation was performed on an object.

Subject :
      Security ID:      YOURDOMAIN\Administrator
      Account Name:     Administrator
      Account Domain:   YOURDOMAIN
      Logon ID:         0x201d29

      Object Server:    DS
      Object Type:      domainDNS
      Object Name:      DC=yourdomain,DC=com
      Handle ID:        0x0

      Operation Type:   Object Access
      Accesses:         Control Access
      Access Mask:      0x100
      Properties:       Control Access
            {9923a32a-3607-11d2-b9be-0000f87a36b2}   <-- this is the "DS-Install-Replica" control access right

Additional Information:
      Parameter 1:            -
      Parameter 2:     



Some notes:

1.  There is no audit generated for the first domain controller in a new forest (there is no context within which to perform DS auditing).

2.  For the first domain controller in a new domain in an existing forest, you'll see a slightly different event:


DS Access:  (here's the Longhorn version of the DS Access event, the Windows Server 2003 version [566] is very similar):

An operation was performed on an object.

Subject :
                Security ID:     MYDOMAIN\Administrator
                Account Name:    Administrator
                Account Domain:  MYDOMAIN
                Logon ID:        0x3213d7

                Object Server:   DS
                Object Type:     crossRefContainer  <-- when you see this
                Object Name:     CN=Partitions,CN=Configuration,DC=mydomain,DC=com
                Handle ID:       0x0

                Operation Type:  Object Access
                Accesses:        Create Child
                Access Mask:     0x1
                Properties:      Create Child

Additional Information:
                Parameter 1:     CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
                                    ^-- along with a new domain for the first time
                Parameter 2:     CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com


DS Change: (this is the new Longhorn-only DS Change event):


A directory service object was created.

                Security ID:                MYDOMAIN\Administrator
                Account Name:               Administrator
                Account Domain:             MYDOMAIN
                Logon ID:                   0x3213d7

Directory Service:
                Type:                        Active Directory Domain Services

                DN:                          CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
                GUID:                        CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain, DC=com
                Class:                       crossRef

                Correlation ID:              {a991c256-d7f2-4654-bf68-76ef5ebe69b4}
                Application Correlation ID:  -
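As an added example (not code from the original post), the following Python scans exported Security-log event text like the entries above and flags the two signatures described here: the DS-Install-Replica control access right exercised on the domainDNS object, and Create Child on the crossRefContainer. The sample events are constructed for the example, with the field layout of the quoted events, and the third one uses a placeholder GUID to show a control-access event that is not a DC install.

```python
import re

# Added example, not code from the original post. The GUID is the
# DS-Install-Replica control access right quoted in the post.
DS_INSTALL_REPLICA = "{9923a32a-3607-11d2-b9be-0000f87a36b2}"

# Constructed sample events, laid out like the audit entries quoted above.
SAMPLE_EVENTS = [
    "      Security ID:      YOURDOMAIN\\Administrator\n"
    "      Object Type:      domainDNS\n"
    "      Object Name:      DC=yourdomain,DC=com\n"
    "      Accesses:         Control Access\n"
    "      Properties:       Control Access\n"
    "            {9923a32a-3607-11d2-b9be-0000f87a36b2}\n",
    "      Security ID:      MYDOMAIN\\Administrator\n"
    "      Object Type:      crossRefContainer\n"
    "      Object Name:      CN=Partitions,CN=Configuration,DC=mydomain,DC=com\n"
    "      Accesses:         Create Child\n"
    "      Parameter 1:      CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com\n",
    # Some other control access right on the domain head (placeholder GUID): not a DC install.
    "      Security ID:      YOURDOMAIN\\svc-backup\n"
    "      Object Type:      domainDNS\n"
    "      Accesses:         Control Access\n"
    "            {00000000-0000-0000-0000-000000000000}\n",
]

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(.*)$")  # "Name:   value" lines
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")              # bare GUIDs under Properties

def parse_event(text):
    # Collect the "Name: value" fields of one event plus every GUID it lists.
    fields = {"guids": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
        fields["guids"] += [g.lower() for g in GUID_RE.findall(line)]
    return fields

def classify(fields):
    # Map a parsed event to a DC-creation category, or None if it is unrelated.
    obj_type, accesses = fields.get("Object Type", ""), fields.get("Accesses", "")
    if obj_type == "domainDNS" and accesses == "Control Access" and DS_INSTALL_REPLICA in fields["guids"]:
        return "dc-added-to-existing-domain"   # DS-Install-Replica used on the domain head
    if obj_type == "crossRefContainer" and accesses == "Create Child":
        return "first-dc-of-new-domain"        # new crossRef created under CN=Partitions
    return None

def find_dc_creations(events):
    # Return (actor, category, target DN) for each event that signals DC creation.
    parsed = [(f, classify(f)) for f in map(parse_event, events)]
    return [(f.get("Security ID", "?"), cat, f.get("Parameter 1") or f.get("Object Name", ""))
            for f, cat in parsed if cat]
```

Feed it the text of 566 / DS Access events exported from the Security log; the third sample shows why the GUID check is needed, since "Control Access" on the domain head alone is not enough.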


