Microsoft Active Directory (AD) Service Log Configuration Guide

Transcription

1 Microsoft Active Directory (AD) Service Log Configuration Guide Document Release: October 2011 Part Number: LL ELS This manual supports LogLogic Microsoft AD Service Release 1.0 and above, and LogLogic Software Release 5.1 and above until replaced by a new edition.

2 2011 LogLogic, Inc. Proprietary Information Trademarks This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners. Notice The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation. LogLogic, Inc. 110 Rose Orchard Way, Ste 200 San Jose, CA Tel: Fax: U.S. Toll Free:

3 Contents Preface About This Guide Technical Support Documentation Support Conventions Chapter 1 Configuring Microsoft Active Directory Service Prerequisites Configuring Microsoft Active Directory Installing and Configuring LogLogic s Collector Enabling the LogLogic Appliance to Capture Log Data Adding an Active Directory Device Configuring the LogLogic Appliance for Log Collection Verifying the Configuration Chapter 2 How LogLogic Supports Microsoft AD Service How LogLogic Captures Active Directory Service Log Data LogLogic Real-Time LogLogic Search Filters Chapter 3 Troubleshooting and FAQ Troubleshooting Frequently Asked Questions Appendix A Reference LogLogic Support for Microsoft AD Service s Microsoft Active Directory Service Log Configuration Guide 3

4 4 Microsoft Active Directory Service Log Configuration Guide

5 Preface About This Guide The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Active Directory (AD) Service enables LogLogic Appliances to capture logs from machines running Microsoft AD Service. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft AD Service s operations. For more information on creating reports and alerts, see the LogLogic Users Guide and LogLogic Online Help. Technical Support LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support: Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0) support@loglogic.com You can also visit the LogLogic Support website at: When contacting Customer Support, be prepared to provide: Your name, address, phone number, and fax number Your company name and company address Your machine type and release version A description of the problem and the content of pertinent error messages (if any) Documentation Support Your feedback on LogLogic documentation is important to us. Send to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation. Microsoft Active Directory Service Log Configuration Guide 5

6 Conventions LogLogic documentation uses the following conventions to highlight code and command-line elements: A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs). A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example: username: system home directory: home\app A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: LogLogic_home_directory\upgrade\ Straight brackets signal options in command-line syntax. For example: ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...] 6 Microsoft Active Directory Service Log Configuration Guide

7 Chapter 1 Configuring Microsoft Active Directory Service This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Microsoft AD Service logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft AD Service related log data. Prerequisites Configuring Microsoft Active Directory Installing and Configuring LogLogic s Collector Enabling the LogLogic Appliance to Capture Log Data Adding an Active Directory Device Configuring the LogLogic Appliance for Log Collection Verifying the Configuration Prerequisites Prior to integrating Active Directory with the LogLogic Appliance, ensure that you meet the following prerequisites: Specific prerequisites for Active Directory 2003: Active Directory Service running on Microsoft 2003 Enterprise Edition R2 with proper access permissions to make configuration changes LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft 2003 support. Specific prerequisites for Active Directory 2008: Active Directory/Active Directory Domain services running on Microsoft Server 2008 Enterprise Edition with proper access permissions to make configuration changes LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft 2008 support. General prerequisites: User account with administrator privileges Administrative access on the LogLogic Appliance Lasso Enterprise v2.0 or later installed locally on Server 2003/2008 or on a remote server that can be configured to listen to the Active Directory service logs generated from source. For more information about Lasso Enterprise, please refer to the Lasso Enterprise Users Guide. Microsoft Active Directory Service Log Configuration Guide 7

8 Configuring Microsoft Active Directory Microsoft AD Service logs are generated in Log format on the host machine configured for Active Directory. Lasso Enterprise is needed in order to send the logs generated on the machine (or other machines) to the LogLogic Appliance. Installing and Configuring LogLogic s Collector LogLogic s event collector, Lasso Enterprise v2.0 or later, is needed in order to send the Active Directory logs generated on the host machine (or other machines) to the LogLogic Appliance. Enabling the LogLogic Appliance to Capture Log Data The following sections describe how to enable the LogLogic Appliance to capture Microsoft AD Service log data. Adding an Active Directory Device The following sections describe how to configure the LogLogic Appliance to capture Microsoft AD Service logs. Logs sent via syslog will be auto discovered by the LogLogic Appliance. Steps to enable auto-discovery are explained in the next section, Configuring the LogLogic Appliance for Log Collection. With the auto-identification feature, the LogLogic Appliance captures Active Directory log messages in syslog format using Lasso/Lasso Enterprise. As the syslog messages come into the Appliance, they are automatically identified and a new device type is added to the log source device list. Default values are used for certain properties, such as the device name. If you do not want to utilize the auto-identification feature, you can manually add Active Directory as a device to the LogLogic Appliance before you redirect the logs. To add Microsoft AD Service as a new device: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select > Devices. The Devices tab appears. 3. Click Add New. The Add Device tab appears. 8 Microsoft Active Directory Service Log Configuration Guide

9 4. Type in the following information for the device: Name Name for the Microsoft AD Service device Description (optional) Description of the Microsoft AD Service device Device Type Select Microsoft AD Service from the drop-down menu Host IP IP address of the Microsoft AD Service appliance Enable Data Collection Select the Yes radio button Refresh Device Name through DNS Lookups (optional) Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign. Figure 1 Manual Addition of Active Directory Service 5. Click Add. 6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When the logs arrive from the specified Juniper Networks Server (or remote Syslog Server depending on your environment), the LogLogic Appliance uses the device you just added if the IP address matches. Note: LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance. Microsoft Active Directory Service Log Configuration Guide 9

10 Configuring the LogLogic Appliance for Log Collection LogLogic captures Active Directory logs using the syslog listener. When auto-discovery is enabled on the LogLogic Appliance, the logs are automatically identified as belonging to Active Directory and a new device is created by the LogLogic Appliance itself. To enabling Auto Discovery in the LogLogic Appliance: 1. Log into your LogLogic Appliance. 2. From the navigation tree, click Administration > Settings. The General tab appears. 3. Select Yes for the Auto-identify Log Sources option. 4. Click the Update button. After enabling the Auto-discovery, the LogLogic Appliance will auto-discover the Active Directory Service device whenever logs are sent to the Appliance. Verifying the Configuration The section describes how to verify that the configuration changes made to Microsoft AD Service and the LogLogic Appliance are applied correctly. To verify the configuration: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears. 3. Locate the IP address for each Active Directory device. 10 Microsoft Active Directory Service Log Configuration Guide

11 Figure 2 Log Source Status Tab Displaying Active Directory Entry If the device name (Active Directory) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Active Directory Service logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Lasso Enterprise configuration, and the LogLogic Appliance configuration. You can also verify that the LogLogic Appliance is properly capturing log data from Active Directory Service by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time on page 14. If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 17 for more information. Microsoft Active Directory Service Log Configuration Guide 11

12 Chapter 2 How LogLogic Supports Microsoft AD Service This chapter describes LogLogic s support for Microsoft AD Service. LogLogic enables you to capture event log data to monitor Microsoft AD Service events. How LogLogic Captures Active Directory Service Log Data LogLogic Real-Time LogLogic Search Filters How LogLogic Captures Active Directory Service Log Data LogLogic s Windows Collector Lasso Enterprise can be used to collect Active Directory service logs from the Windows server where the service is installed. The Windows Collector Lasso Enterprise is an application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance. The LogLogic Appliance automatically captures Active Directory service log messages via syslog using conventional UDP port 514. Log files since the last pull are automatically filtered out from collecting the next set of logs to eliminate duplication. Also, Lasso Enterprise collector can be configured to work in two modes: Agent Mode Logs are collected and forwarded from the server where it is installed. Collector Mode Logs are collected and forwarded remotely from a single server. Note: Lasso Enterprise does not support Log collection for 2008 platform in the Collector mode. Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance s Syslog Listener via UDP or TCP. Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft AD Service. For more information on creating reports and alerts, see the LogLogic Users Guide and LogLogic Online Help. 12 Microsoft Active Directory Service Log Configuration Guide

13 Figure 3 Microsoft 2003/2008 Server with Active Directory Running; LogLogic Lasso Enterprise in Agent Mode, and the LogLogic Appliance Components and Processes Figure 4 Microsoft 2003 Server with Active Directory Running; LogLogic Lasso Enterprise in Collector Mode, and the LogLogic Appliance Components and Processes The above displayed figures illustrate the event flow diagram of the Active Directory Service logs from the point of their inception from the server through the syslog event collector (Lasso Enterprise) to the LogLogic Appliance and then finally to be outputted in the form of reports and alerts. Lasso Enterprise can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the machine where it is installed and from other systems it is configured to access. Regardless of the mode used, all collected logs are converted into text format by the Collector and then forwarded to the LogLogic Appliance s Syslog Listener via UDP or TCP. For more information about Lasso Enterprise, please refer to the Lasso Enterprise Users Guide. Please note that the Host device can be either local or remote to the Microsoft Server. You must make sure to configure Lasso Enterprise Collector with the IP address of the LogLogic Appliance in order for the LogLogic Appliance to capture the log messages from the host. Microsoft Active Directory Service Log Configuration Guide 13

14 LogLogic Real-Time LogLogic provides pre-configured Real-Time for Microsoft AD Service log data. The following Real-Time are available: All Unparsed s Displays data for all unparsed Microsoft AD Service events during a specified time interval. Permission Modification Displays events related to permission modifications performed on user and server objects. User Access Displays data access and changes done to data during a specified time interval User Last Activity Displays user specific details and is used to track user activity during a specified time interval Windows s Displays Windows event information served during a specified time interval To access LMI 5 Real-Time : 1. In the top navigation pane, click. 2. Select Access Control. The following Real-Time are available: Permission Modification User Access User Last Activity Windows s 3. Select Operational. The following Real-Time Report is available: All Unparsed s You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic Users Guide. LogLogic Search Filters LogLogic provides pre-configured Search Filters for Microsoft AD Service log data. Search Filters are used to filter report data and create alerts. To access Search Filters: 1. From the navigation menu, select Search. 2. Select Search Filters. The following Search Filters are available for 2003/2008 Active Directory: Active Directory: Backup Error Displays information about Active Directory backup errors Active Directory: Backup Failed Displays information about Active Directory backup failures 14 Microsoft Active Directory Service Log Configuration Guide

15 Active Directory: Backup Starting Displays information when an Active Directory backup started Active Directory: Can't Recover Displays information about events where Active Directory cannot be recovered Active Directory: Delete Displays information about Active Directory-related delete operations Active Directory: Disk Space Mgmt Displays information about disk space issues Active Directory: Exception Errors Displays information about Active Directory exception and internal errors Active Directory: Failed to Restore Displays information about events where Active Directory failed to restore from a backup Active Directory: Initialize Displays information about Active Directory initialization Active Directory: Memory Displays information about Active Directory memory issues Active Directory: Missing Information Displays information about events where Active Directory is missing information Active Directory: Replication Completed Displays information when an Active Directory replication successfully completed Active Directory: Replication Error Displays information about Active Directory replication errors and warnings Active Directory: Shutdown Displays information when Active Directory performs a shutdown Active Directory: Startup Displays information about when Active Directory performs a startup Active Directory: Synchronization Displays information about when Active Directory or the domain controller performs a synchronization operation Active Directory: Unable to Restore Displays information when Active Directory cannot be restored The following Search Filters are available for only Active Directory Active Directory: Auditing Errors It will search for errors related to initialization of auditing or when the maximum storage limit for audit events is reached. Active Directory: Trial Version Errors It will search for events related to ADDS trial version expiry. Active Directory: RODC Errors It will search for events related to failures encountered during promotion of a Read-only Domain controller. Active Directory: Invalid Replication Authentication It will search for events related to invalid replication authentication mode for a forest Active Directory: Invalid Up-To-Dateness Vector It will search for events related to invalid Up-to-Dateness vector of a directory partition or the Active directory database. Active Directory: Directory Services Uninstall It will search for events related to the uninstall operations in Active Directory Domain Services. Active Directory: Error It will search for the event that tells about a system error. Active Directory: KCC Failures It will search for events related to the failures encountered by the Knowledge Consistency Checker while performing its operations. Microsoft Active Directory Service Log Configuration Guide 15

16 Active Directory: DSA Errors It will search for events related to errors encountered by the Directory Service Agent during its operations. Active Directory: Service Account Issues It will search for events related to Service account errors. Active Directory: Kerberos And Negotiate-Pass Authentication Errors It will search for events related to Kerberos and negotiate-pass authentication errors. Active Directory: Server Object Not Found It will search for the event that tells about a missing sever object for an ADDS. Active Directory: Attributes Replicated It will search for the security events related to Active Directory object's attribute replication completion. For more information on Search Filters, reports, and alerts see the LogLogic User Guide and LogLogic Online Help. 16 Microsoft Active Directory Service Log Configuration Guide

17 Chapter 3 Troubleshooting and FAQ This chapter contains troubleshooting regarding the configuration and/or use of log collection for Active Directory. It also contains an FAQ, providing quick answers to common questions. Troubleshooting Frequently Asked Questions Troubleshooting If Microsoft AD Service events are not appearing on the LogLogic Appliance. Make sure that you have properly installed and configured Lasso Enterprise. Also the viewer can be checked for errors and warnings logged under the Application name LogLogic Collector. For details about configuration and all the events that can be logged for Lasso Enterprise please refer to the Lasso Enterprise User s Guide. Also make sure that the Appliance is properly auto-identifying the device (whether autoidentification is enabled or not). If not, then try to add the device to the Appliance manually. For more information, see Configuring the LogLogic Appliance for Log Collection on page 10 on and Adding an Active Directory Device on page 8. If events are not displaying on the LogLogic Appliance even after configuring Microsoft AD Service and Lasso Enterprise correctly. Active Directory service sends the logs via UDP or TCP in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the server where Active Directory has been installed. For more information on supported protocols and ports, see the Lasso Enterprise User s Guide for Lasso Enterprise s configuration details. Frequently Asked Questions How does the LogLogic Appliance collect logs from Microsoft AD Service? For log collection, Lasso Enterprise is required in order to read the.evt files from the machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog Server. For more information, see How LogLogic Captures Active Directory Service Log Data on page 12. What access permissions are required? To configure logging on Active Directory, the user must have administrative permissions. Microsoft Active Directory Service Log Configuration Guide 17

18 18 Microsoft Active Directory Service Log Configuration Guide

19 Appendix A Reference This appendix lists the LogLogic-supported Microsoft AD Service events. The Microsoft AD Service event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic s Syslog Listener. LogLogic Support for Microsoft AD Service s The following list describes the contents of each of the columns in the table below. This field is used to display the Active Directory event s OS version that Microsoft AD Service is running on where the event is triggered. In some instances, duplicate s exist for different Active Directory Service servers. s Description of the Defines whether the Active Directory event is available through the LogLogic Reporting engine or through the search capabilities. If the event is available through the Report engine, then you can use LogLogic s Real-Time and Summary to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data. of events such as User Activity, Security, etc. Type Type of event such as Success or Failure Report Appears in Report categories on the LogLogic Appliance that the report appears in Sample Log Message Sample Microsoft AD Service log messages in text format Microsoft Active Directory Service Log Configuration Guide 19

20 Table 1 Microsoft AD Service s Type Report Appears in Sample Log Message DSRM password set Security Success Audit Activity, Windows s, Permission Modifications <13>Aug 10 13:07: MSWinLog 0 Security Thu Aug 10 10:35: Security Administrator User Success Audit PC-P32832 Account An attempt to set the Directory Services Restore Mode administrator password has been made /2008 Replication Inbound replication Warning Service 1899 Fri Jul 28 12:10: NTDS General PC-P32832$ User Warning PC-P32262 Replication Inbound replication has been disabled by the user /2008 Replication Inbound replication Warning Service 1900 Fri Jul 28 12:10: NTDS General PC-P32832$ User Warning PC-P32262 Replication Inbound replication has been enabled by the user /2008 Replication Outbound replication Warning Service 1899 Fri Jul 28 12:10: NTDS General PC-P32832$ User Warning PC-P32262 Replication Outbound replication has been disabled by the user /2008 Replication Outbound replication Warning Service 1899 Fri Jul 28 12:10: NTDS General PC-P32832$ User Warning PC-P32262 Replication Outbound replication has been enabled by the user /2008 Global Catalog Activity, Windows s, Permission Modifications <13>Aug 1 14:05: MSWinLog 0 Directory Service 215 Fri Jul 14 15:33: NTDS General ANONYMOUS LOGON Well Known Group Information PC-P32832 Global Catalog This domain controller is now a global catalog /2008 Connection object deleted <13>Aug 1 14:18: MSWinLog 0 Directory Service Fri Jul 28 12:11: NTDS KCC ANONYMOUS LOGON Well Known Group Information PC-P32832 Knowledge Consistency Checker The Knowledge Consistency Checker (KCC) deleted the following Connection object because the source domain controller that it referenced has been deleted. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Microsoft Active Directory Service Log Configuration Guide

21 Type Report Appears in Sample Log Message /2008 User privileged operation Security /2008 Connection rejected Security Service 1899 Fri Jul 28 12:10: NTDS General PC-P32832$ User Information PC-P32262 ARIEL A privileged operation (rights required = 0x) was successfully performed on object S Service 1 Wed Jun 14 14:57: NTDS Database Unknown User N/A Information PC-P32832 None A client process has attempted an anonymous bind to an interface that Active Directory is configured not to accept. As a result, this connection was rejected /2008 Object modified & Security Service 1 Wed Jun 14 14:57: NTDS Security Unknown User N/A Information PC-P32832 None The security attributes on object CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC were modified /2008 Granting rights to Domain Administrators Error Service 1 Wed Jun 14 14:57: NTDS Security Unknown User N/A Error PC-P32832 None Internal error: An error occurred while granting rights to the Domain Administrators group for administering the following Server object. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC User Action An enterprise administrator needs to manually grant Full Control rights for this object to the Domain Administrators group Security checks fail Security Error Service 1 Wed Jun 14 14:57: NTDS Security Unknown User N/A Error PC-P32832 None Active Directory was unable to set appropriate privileges to enable security auditing.as a result, all security checks will fail and security auditing will be unavailable. Additional data: Error value: Microsoft Active Directory Service Log Configuration Guide 21

22 Type Report Appears in Sample Log Message Security checks fail Security Error /2008 Bind Authentication Security Warning Service 000 Fri Jul 28 12:10: Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None Active Directory Domain Services was unable to set appropriate privileges to enable security auditing.as a result, all security checks will fail and security auditing will be unavailable. Additional Data Error value: Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Warning PC-P32832 None Active Directory was unable to initialize simple bind authentication. As a result, simple bind authentication against this LDAP interface will result in binding as an unauthenticated user Replication agreement Service 1 Wed Jun 14 14:57: NTDS KCC Unknown User N/A Information PC-P32832 Knowledge Consistency Checker The Knowledge Consistency Checker (KCC) successfully added a replication agreement for the following directory partition. Directory partition: CN=Configuration,DC=tmsinet,DC=com Source domain controller: CN=NTDS Settings,CN=USWAL1-IMGSDC2,CN=Servers,CN=Default-First-Si te-name,cn=sites,cn=configuration,dc=tmsinet,dc=com Replication agreement Service 000 Fri Jul 28 12:10: Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 Knowledge Consistency Checker The Knowledge Consistency Checker (KCC) successfully added a replication agreement for the following directory partition. Directory partition: CN=Configuration,DC=tmsinet,DC=com Source directory service: CN=NTDS Settings,CN=USWAL1-IMGSDC2,CN=Servers,CN=Default-First-Si te-name,cn=sites,cn=configuration,dc=tmsinet,dc=com 1 22 Microsoft Active Directory Service Log Configuration Guide

23 Type Report Appears in Sample Log Message /2008 Directory partition removed Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None The following directory partition has been removed from the Active Directory forest. As a result, the following directory partition is no longer replicated from the source domain controller at the following network address. Directory partition: DC=cggs, DC=act, DC=edu, DC=au Source domain controller: object_gu_for_source_domain_controller's_ntdsd SA_object. _Msdcs.forest Network address: 62d bf-4b46-b929-25a1bb295f51. _Msdcs.corp.hay-buv.com Authentication to DC Identity and Access Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None The wizard could not authenticate to domain controller PC-P32832 using the supplied credentials Authentication to DC Identity and Access Service 000 Fri Jul 28 12:10: Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 None The wizard could not authenticate to Active Directory Domain Controller PC-P32832 using the supplied credentials Remote DC unsuccessful Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None The attempt at remote domain controller PC-P32832 to remove domain controller PC-P32332 from the forest was unsuccessful Remote DC unsuccessful Service 000 Fri Jul 28 12:10: Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 None The attempt at remote directory server PC-P32832 to remove directory server PC-P32332 was unsuccessful /2008 AD could not add objects User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Active Directory could not add objects to the Active Directory database. 1 Microsoft Active Directory Service Log Configuration Guide 23

24 Type Report Appears in Sample Log Message /2008 Master roles removed by local DC Security Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Removing all operations master roles owned by the local domain controller /2008 DS, SAM, LSA demoted Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Completing demotion for the Directory Service, SAM and LSA /2008 Creating Objects in AD User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Creating Active Directory objects on the local domain controller /2008 Moving objects in AD Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Moving existing users, groups, and computer objects to Active Directory /2008 Creating Objects in AD Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Creating new domain users, groups, and computer objects /2008 Creating Objects in AD User Activity /2008 Updating Objects in AD User Activity <13>Jul 26 10:40: MSWinLog 0 Directory Service 2650 Thu Jul 20 15:00: NTDS Replication ANONYMOUS LOGON Well Known Group Information PC-P32832 Replication Internal event: The following object was created. Object: CN=test\0ADEL:b9b9657d-a93c-4e8f-b840-ed4ddcff85b3,CN=Del eted Objects,DC=LOGLOGIC Object GU: b9b9657d-a93c-4e8f-b840-ed4ddcff85b <13>Aug 1 14:05: MSWinLog 0 Directory Service 2101 Thu Jul 20 14:31: NTDS Replication ANONYMOUS LOGON Well Known Group Information PC-P32832 Replication Internal event: The following object was updated. Object: DC=LOGLOGIC Object GU: e274adcf-ef4c-4bbb-b44d-2fb9739c2f2e /2008 Active Directory could not configure Error Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Error PC-P32832 None Active Directory could not configure the computer account PC-P34532 on the remote domain controller PC-P Microsoft Active Directory Service Log Configuration Guide

25 Type Report Appears in Sample Log Message /2008 Demotion operation could not remove the local DC Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None The demotion operation could not remove the local domain controller from the forest /2008 Active Directory has a record of a domain controller that no longer exists /2008 Active Directory has a record of a domain controller that no longer exists Security Security Error Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Active Directory was unable to transfer the domain-wide operations master roles to another domain controller in this domain. Possible causes include: No other domain controllers are available to receive an operations master role, or Active Directory has a record of a domain controller that no longer exists NTDS General Unknown User N/A Error PC-P32262 None Active Directory was unable to transfer the forest-wide operations master roles to another domain controller in the forest. Possible causes include: No other domain controllers are online to receive an operations master role, or Active Directory has a record of a domain controller that no longer exists /2008 Active Directory could not move the default schema Error Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Error PC-P32832 None Active Directory could not move the default schema to CN=msSFU-30-Top, CN=Schema, CN=Configuration, DC=mycompany, DC=local /2008 DC is now intersite topology generator Service 1 Wed Jun 14 14:57: NTDS KCC Unknown User N/A Information PC-P32832 NTDS KCC This domain controller is now the intersite topology generator and has assumed responsibility for generating and maintaining intersite replication topologies for this site /2008 Active Directory could not change the role of this server Error Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Error PC-P32832 None Active Directory could not change the role of this server because of an incorrect product type registry key value. 1 Microsoft Active Directory Service Log Configuration Guide 25

26 Type Report Appears in Sample Log Message /2008 Active Directory database /2008 Fail to apply changes to AD /2008 Transfer master role to DC User Activity User Activity Error User Activity Warning 1412 NTDS General Unknown User N/A Information PC-P32832 None Internal event: The following object changes were applied to the local Active Directory database. Property: Object: CN=Aggregate, CN=Schema, CN=Configuration, DC=salfordsoftware, DC=co, DC=uk Object GU: 916bdd05-fc96-415c-9e16-a58d143a2406 Remote version: 5474 Remote timestamp: :00:00 Remote Originating USN: Service Fri Jul 28 12:10: NTDS General Unknown User N/A Error PC-P32262 None Internal event: The following object changes were not applied to the local Active Directory database because the local metadata for the object indicates that the change is redundant.property:xxx Object:CN=R Manager$,CN=,DC=LOGLOGIC Object GU:45DDDE Local version number: <13>Jul 20 14:31: MSWinLog 0 Directory Service 2062 Thu Jul 20 14:31: NTDS General PC-P32262$ User Warning PC-P32832 None The operations master role represented by the following object has been transferred to the following domain controller at the request of a user. Object: CN=R Manager$,CN=,DC=LOGLOGIC Domain controller: LOGLOGIC Previous operations master role: CN=NTDS Settings,CN=PC-P32262,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=LOGLOGIC /2008 Creating Objects in AD Service 000 Fri Jul 28 12:10: NTDS Replication Unknown User N/A Information PC-P32832 DS RPC Server Internal event: Active Directory Domain Services completed the request to create objects. The following number of objects was created. Number of objects: 3 Additional Data Error value: 550 The operation completed successfully Creating groups memberships in AD <13>Aug 1 14:09: MSWinLog 0 Directory Service Tue Jul 25 20:39: NTDS Replication SYSTEM Well Known Group Information PC-P32832 DS RPC Server Internal event: Active Directory completed the request for group memberships. Additional data: Status: Microsoft Active Directory Service Log Configuration Guide

27 Type Report Appears in Sample Log Message Creating groups memberships in AD Service 000 Fri Jul 28 12:10: Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Information PC-P32832 DS RPC Server Internal event: Active Directory Domain Services completed the request for group memberships. Additional Data Status: /2008 Directory Partitions User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: The user has requested a full synchronization of the following directory partition from the source domain controller. Directory partition: DC=cggs, DC=act, DC=edu, DC=au Source domain controller:object_gu_for_source_domain_controller' s_ntdsdsa_object. _Msdcs.forest Options:0x /2008 Directory Partitions Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None One or more new attributes has been added to the partial attribute set for the following directory partition. A full synchronization will be performed from the source domain controller on the next replication cycle. Directory partition: DC=cggs, DC=act, DC=edu, DC=au Source domain controller: object_gu_for_source_domain_controller's_ntdsd SA_object. _Msdcs.forest /2008 Incorrect attribute value Warning Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Warning PC-P32832 None The following deleted object does not have the proper value for the following attribute. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Object GU: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsrecord) An attempt is usually made to preserve the attribute values of deleted objects, even when incoming changes are more recent. However, in this case, the attribute value of the deleted object was not a proper value. As a result, the incoming attribute change was applied. 1 Microsoft Active Directory Service Log Configuration Guide 27

28 Type Report Appears in Sample Log Message /2008 Attribute Value not applied /2008 Attribute Value not applied /2008 Attribute Value not applied User Activity User Activity User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: An attribute value change was not applied because the following object has been deleted. Object GU: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 1 Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: An attribute value change was not applied because the following object was not found. Object GU: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsrecord) This operation will be tried again later. Objects will be reordered to increase the chance that this object will be included in the packet. 1 Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: An attribute value change was not applied because the attribute value was not needed. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Object GU: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsrecord) /2008 Attribute Value d User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: The following attribute value change was applied. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Object GU: b9b9657d-a93c-4e8f-b840-ed4ddcff85b3 Attribute: 9017e (dnsrecord) Present time: :00: Microsoft Active Directory Service Log Configuration Guide

29 Type Report Appears in Sample Log Message /2008 New Attribute Added to AD User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: A request was made to add a value to an attribute. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Attribute: 9017e (dnsrecord) Deletion time: :00:00 The value does not exist on this attribute in any form. The state of the value is absent. As a result, the new value was created /2008 Attribute Value Updated Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: The type of a group object was changed to universal. A member value was updated so that it will replicate to the global catalog. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Attribute: 9017e (dnsrecord) Deletion time: :00: /2008 Attribute Value Updated User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: Active Directory updated the following attribute value on the following object. Object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC /2008 Domain removed from forest Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None The following domain has been removed from the forest and the domain objects will be removed from the global catalog. Domain: loglogic /2008 Domain removed from forest Warning Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Warning PC-P32832 None The following domain has been removed from the forest and the attempt to remove the objects from the global catalog failed. Domain: LOGLOGIC This operation will be tried again later. Additional Data Error value: Microsoft Active Directory Service Log Configuration Guide 29

30 Type Report Appears in Sample Log Message /2008 Directory Partition deleted Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None The following application directory partition has been deleted from the forest. Application directory partition: DC=cggs, DC=act, DC=edu, DC=au The objects in this application directory partition will be removed from the local domain controller /2008 Directory Partition deleted Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None The following application directory partition has been deleted from the forest. An attempt to remove the objects from the local domain controller failed. Application directory partition: DC=cggs, DC=act, DC=edu, DC=au This operation will be tried again later. Additional Data Error value: /2008 Master Roles transferred Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Transferring operations master roles owned by this domain controller in directory partition DC=cggs, DC=act, DC=edu, DC=au to domain controller PC-P /2008 Global Catalog Error Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Error PC-P32832 None The system failed to promote this server into a Global Catalog 5 times. If this issue persists, please contact Microsoft Product Support Services for assistance. Error /2008 FSMO Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Transferred FSMO roles owned by this server in partition DC=cggs, DC=act, DC=edu, DC=au to server PC-P /2008 FSMO Error Service Fri Jul 28 12:10: NTDS General Unknown User N/A Error PC-P32262 None The Domain Naming FSMO has been deleted. Seize the FSMO role using NTDSUTIL and retry the promotion Microsoft Active Directory Service Log Configuration Guide

31 Type Report Appears in Sample Log Message /2008 Master Roles transfer failed Warning <13>Jul 20 14:31: MSWinLog 0 Directory Service 2062 Thu Jul 20 14:31: NTDS Replication PC-P32262$ User Warning PC-P32832 Internal Configuration An attempt to transfer the operations master role represented by the following object failed. Object: CN=R Manager$,CN=,DC=LOGLOGIC Current operations master role: CN=NTDS Settings,CN=PC-P32832,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=LOGLOGIC Proposed operations master role: CN=NTDS Settings,CN=PC-P32262,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=LOGLOGIC Additional Data Error value: Domain Rename operation User Activity & Security Error Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Error PC-P32832 None The user does not have the right to invoke a domain rename operation. Additional data: Error value: Domain Rename operation User Activity & Security Error Service 000 Fri Jul 28 12:10: Microsoft-Windows-ActiveDirectory_DomainService Unknown User N/A Error PC-P32832 None The user does not have the right to invoke a domain rename operation. Additional Data Error value: /2008 AD moving an object User Activity Service 1 Wed Jun 14 14:57: NTDS General Unknown User N/A Information PC-P32832 None Internal event: As part of running a script, Active Directory is moving the following object. Source object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Destination object: CN=39c5bcfd-2e4f-4249-aeac-c87dca273d5c,CN=NTDS Settings, CN=PC-P32832, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=LOGLOGIC Additional Data Error value: Microsoft Active Directory Service Log Configuration Guide 31