Jaa


Auditing the Creation of Domain Controllers

Special thanks to Raman in the Active Directory team for this one.

Ever want to audit the creation of new domain controllers in your environment?  Yeah, me neither :-)  However if you ever want to, here's how.

1. The default SACL on Active Directory should suffice.  However, if you have changed the default SACL, here it is again, in SDDL:
S:(AU;SA;WDWOWP;;;WD)
(AU;SA;CR;;;BA)
(AU;SA;CR;;;DU) <-- this ACE is probably doing most of the work for you
(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

2. Enable DS Access audit policy for success events in the Default Domain Controllers policy.

3. Look for the following event 566 in your security event log (yours will differ slightly because this example comes from Longhorn Server):

An operation was performed on an object.

Subject :

Security ID: YOURDOMAIN\Administrator

Account Name: Administrator

Account Domain: YOURDOMAIN

Logon ID: 0x201d29

Object:

Object Server: DS

Object Type: domainDNS

Object Name: DC=yourdomain,DC=com

Handle ID: 0x0

Operation:

Operation Type: Object Access

Accesses: Control Access

Access Mask: 0x100

Properties: Control Access

{9923a32a-3607-11d2-b9be-0000f87a36b2} <-- this is the "DS-Install-Replica" control access right

domainDNS

Additional Information:

Parameter 1: -

Parameter 2:

Some notes:

1. There is no audit generated for the first domain controller in a new forest (there is no context within which to perform DS audting).

2. For the first domain controller in a new domain in an existing forest, you'll see a slightly different event:

DS Access: (here's the Longhorn version of the DS Access event, the Windows Server 2003 version [566] is very similar):

An operation was performed on an object.

Subject :

Security ID: MYDOMAIN\Administrator

Account Name: Administrator

Account Domain: MYDOMAIN

Logon ID: 0x3213d7

Object:

Object Server: DS

Object Type: crossRefContainer <-- when you see this

Object Name: CN=Partitions,CN=Configuration,DC=mydomain,DC=com

Handle ID: 0x0

Operation:

Operation Type: Object Access

Accesses: Create Child

Access Mask: 0x1

Properties: Create Child

{bf967a8d-0de6-11d0-a285-00aa003049e2}

Additional Information:

Parameter 1: CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com

^-- along with a new domain for the first time

Parameter 2: CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com

DS Change: (this is the new Longhorn-only DS Change event):

A directory service object was created.

Subject:

Security ID: MYDOMAIN\Administrator

Account Name: Administrator

Account Domain: MYDOMAIN

Logon ID: 0x3213d7

Directory Service:

Name: mydomain.nttest.microsoft.com

Type: Active Directory Domain Services

Object:

DN: CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com

GUID: CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain, DC=com

Class: crossRef

Operation:

Correlation ID: {a991c256-d7f2-4654-bf68-76ef5ebe69b4}

Application Correlation ID: -

HTH