我的 Active Directory 林有 6 个子域。作为安全控制的一部分,当有人触发域名更改时,我们需要收到警报(例如使用 SCOM)。
我的问题:当管理员执行域重命名时,Microsoft Windows 2008 是否会生成事件 ID?我了解,对于服务器/计算机重命名,我们可以通过事件 ID 4742 或 6011 进行跟踪,但域重命名会共享相同的 ID 吗?
答案1
至于看到发生了域名重命名操作,是的。
Event ID: 1875
Level: Warning
Source: ActiveDirectory_DomainService
Log: Directory Service
Active Directory Domain Services has detected that the replication
epoch (as indicated by the msDS-ReplicationEpoch attribute of the following object)
of the local domain controller has been changed.
This typically occurs as part of the domain rename process.
Object:
CN=NTDS Settings,CN=CONTOSO01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=com
Old replication epoch:
0
New replication epoch:
1
As a result, replication between this domain controller and domain controllers
that are using the old replication epoch is no longer allowed. Replication can
occur only with those domain controllers using the new replication epoch.
Event ID: 1882
Level: Information
Source: ActiveDirectory_DomainService
Log: Directory Service
Active Directory Domain Services is shutting down the system to
complete the domain rename operation.
至于看到WHO做到了……这有点棘手。希望你不会遇到太多人可以已经完成了。基本上,通过组策略启用对象访问审核并监视对象的更改DC=Domain,DC=com。
编辑:只是想澄清一下最后一部分。
使用
repadmin /showobjmeta . "CN=NTDS Settings,CN=CONTOSO01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=Com"
如果属性msDS-ReplicationEpoch已更改,它将向您显示该更改源自哪个域控制器(“原始 DSA”)以及发生的时间。从那里,您需要检查该原始 DC 上的安全日志以查看当时登录的用户。