Windows 2008 DC not logging security events with auditing enabled

1 of our 7 Domain Controllers is not logging any security events, except for the single entries when we clear the logs or restart the Windows Event Log service. We've made sure that auditing is enabled in GPO and have disabled it, ran GPUpdate on the affected DC, enabled it again, ran GPUpdate again, but it had no effect.

We've made sure there is ample disk space, we've made sure NT Service\EventLog has rights to the folder.

The other 6 DCs are logging security events without issue.

Here are the audit settings:

Audit account logon events Success, Failure
Audit account management Success, Failure
Audit directory service access Success, Failure
Audit logon events Success, Failure
Audit object access Success, Failure
Audit policy change Success, Failure
Audit privilege use Success, Failure
Audit process tracking Success
Audit system events Success, Failure

Please advise on possible actions to take or what to look for.
AblSysadmin (Senior Systems Engineer) asked:
Thomas Grassi (Systems Administrator) commented:
Run this command and post the results:

 auditpol /get /category:"account management"

Please check if there is an entry named CustomSD at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\ on the DC.

What do you have there?

Compare with the other DCs that are working.
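An added example, not from this thread or any of its participants, that automates the comparison Thomas suggests: it pulls the effective audit policy (auditpol in CSV mode) and the Security log's CustomSD value from every DC and reports which subcategories differ from a baseline DC. It assumes the ActiveDirectory module, PowerShell remoting to each DC, and a Domain Admin session; the choice of the first DC returned as the baseline is an assumption.

```powershell
# Added example (not from the thread): compare audit policy and Security-log CustomSD
# across all DCs against a baseline DC, so a DC reporting "No Auditing" stands out.
# Assumptions: ActiveDirectory module installed, WinRM enabled on DCs, Domain Admin rights.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName
$referenceDc = $dcs[0]   # assumption: the first DC returned is the known-good baseline

# Collect per-DC state remotely. "auditpol /get /category:* /r" emits CSV,
# so ConvertFrom-Csv gives one row per subcategory with its Inclusion Setting.
$state = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $policy = @{}
    auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
        $policy[$_.Subcategory] = $_.'Inclusion Setting'
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $customSd = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Policy   = $policy
        CustomSD = $customSd   # $null when the value is absent, as on the affected DC
    }
}

# PSComputerName is added by Invoke-Command and matches the name we passed in.
$baseline = ($state | Where-Object PSComputerName -eq $referenceDc).Policy

foreach ($dc in $state) {
    $diffs = foreach ($sub in $baseline.Keys) {
        if ($dc.Policy[$sub] -ne $baseline[$sub]) {
            '{0}: {1} (baseline: {2})' -f $sub, $dc.Policy[$sub], $baseline[$sub]
        }
    }
    $sdText = if ($dc.CustomSD) { 'CustomSD set' } else { 'CustomSD not set' }
    if ($diffs) {
        Write-Output "$($dc.Computer): $($diffs.Count) subcategories differ ($sdText)"
        $diffs | ForEach-Object { Write-Output "    $_" }
    } else {
        Write-Output "$($dc.Computer): matches baseline ($sdText)"
    }
}
```

A DC whose every subcategory reads "No Auditing" against a "Success and Failure" baseline is not receiving the GPO-applied policy, which is the next thing the thread checks with gpresult and rsop.msc.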
AblSysadmin (Senior Systems Engineer, author) commented:
Thank you for the feedback.

Affected DC:
Account Management
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
  User Account Management                 No Auditing

All other DCs:
Account Management
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
  User Account Management                 Success and Failure

Out of the 7 DCs, 2 have the CustomSD set, and they and the others without this set are logging fine. The affected one does not have this set.
Thomas Grassi (Systems Administrator) commented:
Sounds like your GPO is not applying the settings.

Run gpresult /r to show what policies are assigned.

Are you updating the Default Domain Policy for this?

Run gpedit.msc on the DC and you can check the settings also.

Check the event log on the DC after running gpupdate /force to see if you are getting any GPO errors.

HTH
AblSysadmin (Senior Systems Engineer, author) commented:
C:\t>gpresult /r
INFO: The user "UNIZA\user" does not have RSOP data.

C:\t>gpresult /r /scope user
INFO: The user "UNIZA\user" does not have RSOP data.

C:\t>gpresult /r /scope computer
INFO: The user "UNIZA\user" does not have RSOP data.

GPEdit.msc shows that the settings are all set to No Auditing.

Doing a GPUpdate /force creates the events in the attached file.
AblSysadmin (Senior Systems Engineer, author) commented:
Trying to view RSOP via mmc gives the attached message.
Thomas Grassi (Systems Administrator) commented:
Hello

Both of your last posts did not have the attachment.

Post it if you can.

Off to work now, will check back later.
AblSysadmin (Senior Systems Engineer, author) commented:
Files attached.
events.txt
rsop.png
Will Szymkowski (Senior Solution Architect) commented:
How is your replication between the DCs?

Try the following...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

Also, has this DC been rebooted?

When you run rsop.msc on the DC (the one not generating security events), do you see the Default Domain Controllers Policy?

Is this DC in the Domain Controllers OU?

Do you see any event errors or warnings in the Directory Service event logs?

Will.
Thomas Grassi (Systems Administrator) commented:
Hello

For the RSOP issue, see this:
https://technet.microsoft.com/en-us/library/cc775785(v=ws.10).aspx

For the event Error 1053, see this:
https://technet.microsoft.com/en-us/library/cc727337(v=ws.10).aspx

Also check DNS on this server; GPO requires DNS working correctly.

Run these commands and post the results:

dcdiag >>dclogx.txt
dcdiag /test:registerindns /dnsdomain:FQDN>>dclogx.txt
dcdiag /c /v >>dclogx.txt
dcdiag /test:dns >>dclogx.txt
HTH
AblSysadmin (Senior Systems Engineer, author) commented:
Will,

All of those commands returned successful results. No errors. The DC has not been rebooted yet. It is in the Domain Controllers OU.

The only warning appearing repeatedly in the Directory Service event logs is:

"During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 2842
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3217"

Screenshot attached of error when running rsop.msc.
rsop2.png
AblSysadmin (Senior Systems Engineer, author) commented:
Thomas,

I've attached the results of the commands you gave me to run.
dclogx.txt
Thomas Grassi (Systems Administrator) commented:
Hello

1. This command needs to be corrected:
dcdiag /test:registerindns /dnsdomain:FQDN>>dclogx.txt

FQDN is to be replaced with your Fully Qualified Domain Name, not FDQN.

If you do an ipconfig /all you can find the FQDN; look for Primary DNS Suffix.

Run again with that value.

2. You have many DNS errors in the DCDIAG report.

This is pointing to a DNS problem, and is beyond the scope of the original question.

You should open a new question.
AblSysadmin (Senior Systems Engineer, author) commented:
I've run the command:

   Starting test: RegisterInDNS
      DNS configuration is sufficient to allow this domain controller to
      dynamically register the domain controller Locator records in DNS.
      The DNS configuration is sufficient to allow this computer to dynamically
      register the A record corresponding to its DNS name.
      ......................... MPWADCP2 passed test RegisterInDNS


--------------------------

Thank you. Please clarify: Are you saying that the issue we're experiencing is because of DNS and therefore I should post another question? Or can we still try to address the RSOP issue with this question?
Thomas Grassi (Systems Administrator) commented:
Can you run all the commands again and post the results?

dcdiag >>dclogx.txt
dcdiag /test:registerindns /dnsdomain:FQDN>>dclogx.txt
dcdiag /c /v >>dclogx.txt
dcdiag /test:dns >>dclogx.txt

Remember to change FQDN to yours.

The first report showed many DNS errors.

Now that you are using the correct FQDN it may change; let's see first.
AblSysadmin (Senior Systems Engineer, author) commented:
As requested.
dclogx.txt
Thomas Grassi (Systems Administrator) commented:
Thanks

As you can see in the report, you have many DNS errors.

You need to look at your DNS configuration on this and the other DC servers.

As I stated above, GPO requires DNS working properly.

AblSysadmin (Senior Systems Engineer, author) commented:
Thank you, we'll attempt to address the DNS issues. Appreciate your time.