My Active Directory forest has 6 child domains. As part of our security controls, we need to be alerted (e.g. via SCOM) when someone triggers a domain name change.
My question: is there an event ID that Microsoft Windows 2008 generates when an administrator performs a domain rename? I understand that for a server/computer rename we can track it through event ID 4742 or 6011, but does a domain rename share the same IDs?
As for seeing that a domain rename operation took place, yes.

Event ID: 1875
Level: Warning
Source: ActiveDirectory_DomainService
Log: Directory Service
Active Directory Domain Services has detected that the replication epoch (as indicated by the msDS-ReplicationEpoch attribute of the following object) of the local domain controller has been changed. This typically occurs as part of the domain rename process.
Object: CN=NTDS Settings,CN=CONTOSO01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=com
Old replication epoch: 0
New replication epoch: 1
As a result, replication between this domain controller and domain controllers that are using the old replication epoch is no longer allowed. Replication can occur only with those domain controllers using the new replication epoch.

Event ID: 1882
Level: Information
Source: ActiveDirectory_DomainService
Log: Directory Service
Active Directory Domain Services is shutting down the system to complete the domain rename operation.
As for seeing who did it... that is a bit trickier. Hopefully you don't have more than a small handful of people who can do it. Basically, enable object access auditing through Group Policy and monitor for changes to the DC=Domain,DC=com object.
Edit: just wanted to clarify a bit on that last part.
Use

repadmin /showobjmeta . "CN=NTDS Settings,CN=CONTOSO01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=com"
If the msDS-ReplicationEpoch attribute has changed, it will show which domain controller the change originated from ("Originating DSA") and when. From there, you need to check the Security log on that originating DC to see who was logged on at the time.
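To turn the answer above into something a monitor can run on a schedule, here is an added PowerShell example (not code from the question or the answer). It walks every domain controller in the forest, pulls events 1875 and 1882 from the Directory Service log, reads msDS-ReplicationEpoch from each DC's own NTDS Settings object to catch DCs on different epochs, and for each 1875 event looks up the originating DSA and time, which is the repadmin /showobjmeta step from the answer done with the Get-ADReplicationAttributeMetadata cmdlet. It assumes the RSAT ActiveDirectory module is installed, the account can read event logs on the DCs remotely, and the Windows Server 2012+ module for the metadata cmdlet (on older hosts substitute the repadmin command from the answer); the lookback window is an assumed value.

```powershell
# Added example: detect domain rename activity across an AD forest.
# Assumptions: RSAT ActiveDirectory module present; remote event log access to DCs;
# Get-ADReplicationAttributeMetadata (Windows Server 2012+ module) for the
# "who/when" step. The 24-hour window is an arbitrary, assumed value.
Import-Module ActiveDirectory

$LookbackHours = 24
$since = (Get-Date).AddHours(-$LookbackHours)

# Every DC in every domain of the forest (the question mentions six child domains)
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

# 1. Domain-rename events named in the answer, from each DC's Directory Service log
$renameEvents = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 1875, 1882
            StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            # Event 1875 carries the old and new epoch in its message text
            $old = $new = $null
            if ($_.Message -match 'Old replication epoch:\s*(\d+)') { $old = [int]$Matches[1] }
            if ($_.Message -match 'New replication epoch:\s*(\d+)') { $new = [int]$Matches[1] }
            [pscustomobject]@{
                DomainController = $dc.HostName
                TimeCreated      = $_.TimeCreated
                EventId          = $_.Id
                OldEpoch         = $old
                NewEpoch         = $new
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; only report other failures
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# 2. Current msDS-ReplicationEpoch on each DC's own NTDS Settings object.
#    In a healthy forest every DC holds the same value; a mismatch means a rename
#    is in progress or a DC was left behind on the old epoch.
$epochs = foreach ($dc in $dcs) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $dc.HostName `
                         -Properties 'msDS-ReplicationEpoch'
    [pscustomobject]@{
        DomainController = $dc.HostName
        NTDSSettingsDN   = $dc.NTDSSettingsObjectDN
        ReplicationEpoch = [int]($ntds.'msDS-ReplicationEpoch')   # absent attribute reads as 0
    }
}

# 3. For each 1875 event, find the originating DSA and time of the attribute change
#    (the cmdlet equivalent of repadmin /showobjmeta from the answer). The Security
#    log of that originating DC is then where to look for the logged-on account.
$origins = foreach ($evt in ($renameEvents | Where-Object EventId -eq 1875)) {
    $dn = ($epochs | Where-Object DomainController -eq $evt.DomainController).NTDSSettingsDN
    Get-ADReplicationAttributeMetadata -Object $dn -Server $evt.DomainController `
                                       -Properties 'msDS-ReplicationEpoch' |
        Select-Object @{ n = 'DomainController'; e = { $evt.DomainController } },
                      AttributeName, AttributeValue,
                      LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}

# Alerting decision: either condition is worth paging on
$distinctEpochs = @($epochs.ReplicationEpoch | Sort-Object -Unique)
if ($renameEvents -or $distinctEpochs.Count -gt 1) {
    Write-Output 'ALERT: domain rename activity or replication epoch mismatch detected'
    $renameEvents | Format-Table -AutoSize
    $epochs       | Format-Table -AutoSize
    $origins      | Format-Table -AutoSize
    exit 2   # non-zero exit code for a SCOM script monitor or scheduled task
} else {
    Write-Output "No domain rename events since $since; all $($dcs.Count) DCs on replication epoch $($distinctEpochs[0])"
    exit 0
}
```

Run it from a management host under an account with read access to the DCs' event logs; the epoch comparison in step 2 is the cheap check to run often, since it does not depend on the Directory Service log having retained the 1875 event, while step 3 only fires when there is an event to attribute.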