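My Active Directory forest has 6 child domains. As part of our security controls, we need to be alerted when someone triggers a domain name change (for example, using SCOM).
My question: is there an event ID generated by Microsoft Windows 2008 when an administrator performs a domain rename? I understand that for server/computer renames we can track it through event ID 4742 or 6011, but does a domain rename share the same IDs?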
As for seeing that a domain rename operation has happened, yes.
Event ID: 1875
Level: Warning
Source: ActiveDirectory_DomainService
Log: Directory Service
Active Directory Domain Services has detected that the replication epoch (as indicated by the msDS-ReplicationEpoch attribute of the following object) of the local domain controller has been changed. This typically occurs as part of the domain rename process.
Object: CN=NTDS Settings,CN=CONTOSO01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=com
Old replication epoch: 0
New replication epoch: 1
As a result, replication between this domain controller and domain controllers that are using the old replication epoch is no longer allowed. Replication can occur only with those domain controllers using the new replication epoch.

Event ID: 1882
Level: Information
Source: ActiveDirectory_DomainService
Log: Directory Service
Active Directory Domain Services is shutting down the system to complete the domain rename operation.
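As for seeing who did it... that's a bit trickier. Hopefully you don't have more than a small handful of people who can do it. Basically, enable object access auditing through Group Policy and monitor changes to the DC=Domain,DC=com object.
Edit: Just wanted to clarify one point on that last part.
Use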
repadmin /showobjmeta . "CN=NTDS Settings,DC=Com"
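If the msDS-ReplicationEpoch attribute has changed, it will show which domain controller the change originated from ("Originating DSA") and when. From there, you need to check the Security log on that originating DC to see which users were logged on at that time.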
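An added example, not part of the original answer: a PowerShell sweep that collects the two Directory Service events quoted above (1875 and 1882) from every domain controller in the forest, so the result can feed an alert. It assumes a management host with PowerShell 3.0 or later, the ActiveDirectory module, and remote event log read access to each DC; the 24-hour window is a hypothetical value.

```powershell
# Assumption: run from a management host with the ActiveDirectory module (RSAT)
# and rights to read the Directory Service log on each domain controller.
Import-Module ActiveDirectory

# Event IDs quoted in the answer: 1875 (replication epoch changed),
# 1882 (DC shutting down to complete the domain rename).
$renameEventIds = 1875, 1882

# Hypothetical look-back window; match it to how often the check is scheduled.
$since = (Get-Date).AddHours(-24)

$findings = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
                LogName   = 'Directory Service'
                Id        = $renameEventIds
                StartTime = $since
            } -ErrorAction Stop | ForEach-Object {
                # Epoch values appear only in the 1875 message text; the match
                # assumes English event messages and leaves $null otherwise.
                $old = $null; $new = $null
                if ($_.Message -match 'Old replication epoch:\s*(\d+)') { $old = $Matches[1] }
                if ($_.Message -match 'New replication epoch:\s*(\d+)') { $new = $Matches[1] }
                [pscustomobject]@{
                    Domain      = $domain
                    DC          = $dc.HostName
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    OldEpoch    = $old
                    NewEpoch    = $new
                }
            }
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; surface only
            # other failures (unreachable DC, access denied) so gaps are visible.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            }
        }
    }
}

$findings | Sort-Object TimeCreated | Format-Table -AutoSize
```

A DC that reports 1875 with a new epoch, or any DC that could not be queried during the window, is the place to start the repadmin and Security log review described in the answer.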