AblSysadmin
Windows 2008 DC not logging security events with auditing enabled

1 of our 7 Domain Controllers is not logging any security events, except for the single entries when we clear the logs or restart the Windows Event Log service. We've made sure that auditing is enabled in GPO and have disabled it, ran GPUpdate on the affected DC, enabled it again, ran GPUpdate again, but it had no effect.

We've made sure there is ample disk space, we've made sure NT Service\EventLog has rights to the folder.

The other 6 DCs are logging security events without issue.

Here are the audit settings:

Audit account logon events Success, Failure
Audit account management Success, Failure
Audit directory service access Success, Failure
Audit logon events Success, Failure
Audit object access Success, Failure
Audit policy change Success, Failure
Audit privilege use Success, Failure
Audit process tracking Success
Audit system events Success, Failure

Please advise on possible actions to take or what to look for.
Member_2_6492660_1

run this command and post results

 auditpol /get /category:"account management"

please check if there is an entry named CustomSD at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\ on the DC.

What do you have there

Compare with the other DCs that are working.
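The comparison suggested above, done in one pass over every DC, as an added example that is not part of the thread: it collects the effective auditpol result for the category, the CustomSD value (if any) and the most recent Security event other than the log-clear / service-start markers, so the one DC that differs stands out. It assumes the ActiveDirectory module is available where it runs and that WinRM is enabled on the DCs.

```powershell
# Added example (not from the thread): compare effective audit policy, CustomSD and
# last real Security event across all DCs. Assumes RSAT AD module + WinRM on the DCs.
Import-Module ActiveDirectory

$category = 'Account Management'   # category asked about in the thread
$regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $category, $regKey -ScriptBlock {
        param($category, $regKey)

        # auditpol shows the policy actually in effect (what GPO ended up applying);
        # /r emits CSV so the per-subcategory settings can be parsed reliably.
        $audit = auditpol /get "/category:$category" /r | ConvertFrom-Csv
        $notAudited = @($audit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }).Count

        # CustomSD replaces the Security channel's access rights; a wrong descriptor
        # can prevent events from being written. A missing value is the default.
        $customSd = (Get-ItemProperty -Path $regKey -Name CustomSD -ErrorAction SilentlyContinue).CustomSD

        # Newest Security event that is not log cleared (1102), logging service
        # stopped (1100) or system startup (4608): the entries the asker still sees.
        $markers = @(1102, 1100, 4608)
        $last = Get-WinEvent -FilterHashtable @{LogName = 'Security'} -MaxEvents 50 -ErrorAction SilentlyContinue |
                Where-Object { $markers -notcontains $_.Id } | Select-Object -First 1

        New-Object PSObject -Property @{
            DC              = $env:COMPUTERNAME
            Subcategories   = @($audit).Count
            NotAudited      = $notAudited
            CustomSD        = if ($customSd) { $customSd } else { '<not set>' }
            LastSecurityEvt = if ($last) { $last.TimeCreated } else { '<none>' }
        }
    }
}

# A DC with NotAudited equal to Subcategories and LastSecurityEvt '<none>' is the
# one whose GPO-driven audit policy is not taking effect.
$results | Sort-Object NotAudited -Descending |
    Format-Table DC, Subcategories, NotAudited, CustomSD, LastSecurityEvt -AutoSize
```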
AblSysadmin

ASKER

Thank you for the feedback.

Affected DC:
Account Management
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
  User Account Management                 No Auditing

All other DCs:
Account Management
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
  User Account Management                 Success and Failure

Out of the 7 DCs, 2 have the CustomSD set, and they and the others without this set are logging fine. The affected one does not have this set.
It sounds like your GPO is not applying the settings.

run gpresult /r to show what policies are assigned

Are you updating the Default Domain Policy for this?

run gpedit.msc on the DC and you can check the settings also

Check the event log on the DC after running gpupdate /force and see if you are getting any GPO errors

HTH
C:\t>gpresult /r
INFO: The user "UNIZA\user" does not have RSOP data.

C:\t>gpresult /r /scope user
INFO: The user "UNIZA\user" does not have RSOP data.

C:\t>gpresult /r /scope computer
INFO: The user "UNIZA\user" does not have RSOP data.

GPEdit.msc shows that the settings are all set to No Auditing.

Doing a GPUpdate /force creates the events in the attached file.
Trying to view RSOP via mmc gives the attached message.
Hello

Both of your last posts did not have the attachment

Post if you can

Off to work now will check back later
Files attached.
events.txt
rsop.png
Will Szymkowski
How is your replication between the DC's?

try the following...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

Also has this DC been rebooted?

When you run rsop.msc on the DC (the one not generating security events), do you see the Default Domain Controllers Policy?

Is this DC in the Domain Controllers OU?

Do you see any event errors or warnings in the Directory Service Event Logs?

Will.
Hello

For the RSOP issue

see this
https://technet.microsoft.com/en-us/library/cc775785(v=ws.10).aspx

For the event Error 1053, see this
https://technet.microsoft.com/en-us/library/cc727337(v=ws.10).aspx



Also check DNS on this server; GPO requires DNS to be working correctly

Run these commands and post the results

dcdiag >>dclogx.txt
dcdiag /test:registerindns /dnsdomain:FQDN>>dclogx.txt
dcdiag /c /v >>dclogx.txt
dcdiag /test:dns >>dclogx.txt


HTH
Will,

All of those commands returned successful results. No errors. The DC has not been rebooted yet. It is in the Domain Controllers OU.

The only warning appearing repeatedly in the Directory Service Event Logs is:

"During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 2842
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3217"

Screenshot attached of error when running rsop.msc.
rsop2.png
Thomas,

I've attached the results of the commands you gave me to run.
dclogx.txt
Hello

1. This command needs to be corrected
dcdiag /test:registerindns /dnsdomain:FQDN>>dclogx.txt

FQDN is to be replaced with your fully qualified domain name, not left as the literal FQDN

If you do an ipconfig /all you can find the FQDN; look for Primary DNS Suffix

Run again with that value

2. You have many DNS errors in the DCDIAG report


This is pointing to a DNS problem, and is beyond the scope of the original question

You should open a new question
I've run the command:

   Starting test: RegisterInDNS

      DNS configuration is sufficient to allow this domain controller to

      dynamically register the domain controller Locator records in DNS.
     
      The DNS configuration is sufficient to allow this computer to dynamically

      register the A record corresponding to its DNS name.
     
      ......................... MPWADCP2 passed test RegisterInDNS


--------------------------

Thank you. Please clarify: Are you saying that the issue we're experiencing is because of DNS and therefore I should post another question? Or can we still try to address the RSOP issue with this question?
Can you run all the commands again and post

dcdiag >>dclogx.txt
 dcdiag /test:registerindns /dnsdomain:FQDN>>dclogx.txt
 dcdiag /c /v >>dclogx.txt
 dcdiag /test:dns >>dclogx.txt


Remember to change FQDN to yours


The first report showed many DNS errors

Now that you are using the correct FQDN it may change; let's see first
As requested.
dclogx.txt
ASKER CERTIFIED SOLUTION
Member_2_6492660_1
Thank you, we'll attempt to address the DNS issues. Appreciate your time.