Active Directory monitoring on Windows Domain Controllers involves tracking a wide range of events from the Security log (audit events such as logons and account management) and the Directory Service log (AD DS operational events like replication issues). Below, we provide tables of relevant Windows Event IDs, their provider/source, which Event Log they appear in, and a brief description of each event. These events can be forwarded from DCs and used to trigger alerts in the InfraSOS portal with our Active Directory Monitoring solution.
Security Log Events (Audit Events on Domain Controllers)
The Security log (Source Microsoft-Windows-Security-Auditing unless otherwise noted) records authentication attempts and AD changes when auditing is enabled. All events listed here are found in the Security event log on DCs, except where indicated. Each event’s description explains its significance for AD monitoring:
| Event ID | Provider Name | Log | Description |
|---|---|---|---|
| 4608 | Microsoft-Windows-Security-Auditing | Security | Windows is starting up (system startup audit). Logged at boot on all systems (DCs, servers, workstations). |
| 4609 | Microsoft-Windows-Security-Auditing | Security | Windows is shutting down (system shutdown audit). Logged when the OS is shutting down on DCs/servers/PCs. |
| 4611 | Microsoft-Windows-Security-Auditing | Security | A trusted logon process was registered with the Local Security Authority (LSA). Indicates a logon process (e.g. Winlogon) was registered on the system. |
| 4614 | Microsoft-Windows-Security-Auditing | Security | A notification package was loaded by the Security Account Manager (SAM). (Informational event about a SAM password filter/notification DLL being loaded into LSA). |
| 4616 | Microsoft-Windows-Security-Auditing | Security | The system time was changed on the computer. Monitors time changes, which can affect Kerberos and replication. |
| 4622 | Microsoft-Windows-Security-Auditing | Security | A security package has been loaded by the LSA. Logged when an authentication package (e.g. Negotiate, Kerberos) is loaded on the system. |
| 4624 | Microsoft-Windows-Security-Auditing | Security | An account was successfully logged on. This is the successful logon event (credentials validated) on a DC or system. It includes logon type and account details. |
| 4625 | Microsoft-Windows-Security-Auditing | Security | An account failed to log on. This indicates a failed logon attempt (bad password or other logon failure) on a DC or computer. Includes failure reason codes. |
| 4634 | Microsoft-Windows-Security-Auditing | Security | An account was logged off. This event logs a user session logoff (and will have a corresponding Logon ID that logged off). |
| 4647 | Microsoft-Windows-Security-Auditing | Security | User-initiated logoff. This event is logged when a user actively logs off (initiates logoff) on a system. |
| 4648 | Microsoft-Windows-Security-Auditing | Security | A logon was attempted using explicit credentials. This occurs when one process uses RunAs or similar to log on with another account’s credentials. |
| 4672 | Microsoft-Windows-Security-Auditing | Security | Special privileges assigned to new logon. Logged whenever an account logs on with admin-equivalent rights (SeTCBPrivilege, etc.), indicating a privileged logon session. |
| 4673 | Microsoft-Windows-Security-Auditing | Security | A privileged service was called. Indicates a process attempted to perform a privileged system operation (requiring advanced privileges). |
| 4674 | Microsoft-Windows-Security-Auditing | Security | An operation was attempted on a privileged object. This means a process tried to access an object in a way that requires higher privileges. |
| 4688 | Microsoft-Windows-Security-Auditing | Security | A new process has been created. Logged when a process starts on the system. Monitoring this on DCs can detect unexpected software execution. |
| 4689 | Microsoft-Windows-Security-Auditing | Security | A process has exited. Logged when a process terminates on the system. (Often paired with Event 4688 for process tracking.) |
| 4697 | Microsoft-Windows-Security-Auditing | Security | A service was installed in the system. This means a new Windows service was added (which could indicate software installation or malware persistence). |
| 4698 | Microsoft-Windows-Security-Auditing | Security | A scheduled task was created. Logged when a new scheduled task is created (via Task Scheduler) on the system. |
| 4699 | Microsoft-Windows-Security-Auditing | Security | A scheduled task was deleted. Logged when a scheduled task is removed on the system. |
| 4700 | Microsoft-Windows-Security-Auditing | Security | A scheduled task was enabled. Logged when a task’s status is set to enabled. |
| 4701 | Microsoft-Windows-Security-Auditing | Security | A scheduled task was disabled. Logged when a scheduled task is disabled. |
| 4702 | Microsoft-Windows-Security-Auditing | Security | A scheduled task was updated. Logged when an existing scheduled task is modified (properties change). |
| 4704 | Microsoft-Windows-Security-Auditing | Security | A user right was assigned. This event logs when user privileges (user rights) are granted to an account (e.g. “Act as part of the OS”). Logged only on DCs for domain accounts. |
| 4705 | Microsoft-Windows-Security-Auditing | Security | A user right was removed. Logged when a user privilege is revoked from an account (e.g. removal of a logon right). |
| 4713 | Microsoft-Windows-Security-Auditing | Security | The Kerberos policy was changed. Indicates changes to Kerberos settings (e.g. ticket lifetimes) in domain policy. Logged on DCs. |
| 4714 | Microsoft-Windows-Security-Auditing | Security | The EFS (Encrypted File System) data recovery policy was changed. Logged when the recovery agent policy for EFS is modified (via Group Policy or local security policy). |
| 4717 | Microsoft-Windows-Security-Auditing | Security | System security access was granted to an account. A system-level access right (SeSecurityPrivilege, etc.) was granted to a user. |
| 4718 | Microsoft-Windows-Security-Auditing | Security | System security access was removed from an account. A sensitive system privilege was removed from a user account. |
| 4719 | Microsoft-Windows-Security-Auditing | Security | System audit policy was changed. This means the audit policy (what categories of events are audited) was modified on the system, which could affect security logging. |
| 4720 | Microsoft-Windows-Security-Auditing | Security | A user account was created. Logged when a new AD user is created (on DCs for domain accounts). |
| 4722 | Microsoft-Windows-Security-Auditing | Security | A user account was enabled. Logged when a disabled user or computer account is enabled. For users, appears on DCs (for domain accounts). |
| 4723 | Microsoft-Windows-Security-Auditing | Security | An attempt was made to change an account’s password. Logged when a user attempts to change their own password (password change initiated by the account owner). |
| 4724 | Microsoft-Windows-Security-Auditing | Security | An attempt was made to reset an account’s password. Logged when an administrator attempts to reset another user’s password. |
| 4725 | Microsoft-Windows-Security-Auditing | Security | A user account was disabled. Logged when a user or computer account is disabled. (For a computer account, only logged on DCs). |
| 4726 | Microsoft-Windows-Security-Auditing | Security | A user account was deleted. Logged when an AD user account is removed (on DCs for domain accounts). |
| 4727 | Microsoft-Windows-Security-Auditing | Security | A security-enabled global group was created. A new global security group (domain scope) was created in AD (logged on DCs). |
| 4728 | Microsoft-Windows-Security-Auditing | Security | A member was added to a security-enabled global group. Logged when a user/computer/group is added to a global security group such as 'Domain Admins' (domain local groups use different IDs). |
| 4729 | Microsoft-Windows-Security-Auditing | Security | A member was removed from a security-enabled global group. Logged when an account is removed from a global security group (DC only). |
| 4730 | Microsoft-Windows-Security-Auditing | Security | A security-enabled global group was deleted. Logged when a global security group is deleted in AD (DC only). |
| 4731 | Microsoft-Windows-Security-Auditing | Security | A security-enabled local group was created. This means a new domain local security group was created (logged on DCs). |
| 4732 | Microsoft-Windows-Security-Auditing | Security | A member was added to a security-enabled local group. Logged when an account is added to a domain local security group (DC only). |
| 4733 | Microsoft-Windows-Security-Auditing | Security | A member was removed from a security-enabled local group. An account was removed from a domain local security group (DC only). |
| 4734 | Microsoft-Windows-Security-Auditing | Security | A security-enabled local group was deleted. Logged when a domain local security group is deleted (DC only). |
| 4735 | Microsoft-Windows-Security-Auditing | Security | A security-enabled local group was changed. This event logs modifications to the properties (name, description, etc.) of a domain local security group (DC only). |
| 4737 | Microsoft-Windows-Security-Auditing | Security | A security-enabled global group was changed. Logged when a global security group’s properties are modified (DC only). |
| 4738 | Microsoft-Windows-Security-Auditing | Security | A user account was changed. Logged when an existing user account’s attributes are modified (on DC for domain user changes). |
| 4739 | Microsoft-Windows-Security-Auditing | Security | Domain Policy was changed. Indicates a change to the Domain Policies (such as Password Policy or Kerberos Policy) in Active Directory. |
| 4740 | Microsoft-Windows-Security-Auditing | Security | A user account was locked out. Logged when AD locks a user due to too many failed logon attempts (account lockout). Important for tracking potential brute-force attacks. |
| 4741 | Microsoft-Windows-Security-Auditing | Security | A computer account was created. Logged when a new computer account (machine account) is created in the domain (e.g. when a server/workstation is joined to the domain). |
| 4742 | Microsoft-Windows-Security-Auditing | Security | A computer account was changed. Logged when a computer account’s properties (e.g. name reset or other attributes) are modified in AD. |
| 4743 | Microsoft-Windows-Security-Auditing | Security | A computer account was deleted. Logged when a computer account object is removed from AD. |
| 4744 | Microsoft-Windows-Security-Auditing | Security | A security-disabled local group was created. Logged when a new distribution group with domain local scope is created (DC only). (Security-disabled groups are distribution lists not used for permissions.) |
| 4745 | Microsoft-Windows-Security-Auditing | Security | A security-disabled local group was changed. Logged when a domain local distribution group is modified (DC only). |
| 4746 | Microsoft-Windows-Security-Auditing | Security | A member was added to a security-disabled local group. Logged when an account is added to a domain local distribution group (DC only). |
| 4747 | Microsoft-Windows-Security-Auditing | Security | A member was removed from a security-disabled local group. Logged when an account is removed from a domain local distribution group (DC only). |
| 4748 | Microsoft-Windows-Security-Auditing | Security | A security-disabled local group was deleted. Logged when a domain local distribution group is deleted (DC only). |
| 4749 | Microsoft-Windows-Security-Auditing | Security | A security-disabled global group was created. Logged when a new global distribution group is created (DC only). |
| 4750 | Microsoft-Windows-Security-Auditing | Security | A security-disabled global group was changed. Logged when a global distribution (security-disabled) group’s properties are changed (DC only). |
| 4751 | Microsoft-Windows-Security-Auditing | Security | A member was added to a security-disabled global group. Logged when an account is added to a global distribution group (DC only). |
| 4752 | Microsoft-Windows-Security-Auditing | Security | A member was removed from a security-disabled global group. Logged when an account is removed from a global distribution group (DC only). |
| 4753 | Microsoft-Windows-Security-Auditing | Security | A security-disabled global group was deleted. Logged when a global distribution group is deleted (DC only). |
| 4754 | Microsoft-Windows-Security-Auditing | Security | A security-enabled universal group was created. Logged when a new universal security group is created (DC only). |
| 4755 | Microsoft-Windows-Security-Auditing | Security | A security-enabled universal group was changed. Logged when a universal security group’s properties are modified (DC only). |
| 4756 | Microsoft-Windows-Security-Auditing | Security | A member was added to a security-enabled universal group. Indicates an account was added to a universal security group (DC only). |
| 4757 | Microsoft-Windows-Security-Auditing | Security | A member was removed from a security-enabled universal group. An account was removed from a universal security group (DC only). |
| 4758 | Microsoft-Windows-Security-Auditing | Security | A security-enabled universal group was deleted. Logged when a universal security group is deleted (DC only). |
| 4759 | Microsoft-Windows-Security-Auditing | Security | A security-disabled universal group was created. Logged when a new universal distribution group is created (DC only). |
| 4760 | Microsoft-Windows-Security-Auditing | Security | A security-disabled universal group was changed. Logged when a universal distribution group’s properties are changed (DC only). |
| 4761 | Microsoft-Windows-Security-Auditing | Security | A member was added to a security-disabled universal group. An account was added to a universal distribution group (DC only). |
| 4762 | Microsoft-Windows-Security-Auditing | Security | A member was removed from a security-disabled universal group. An account was removed from a universal distribution group (DC only). |
| 4763 | Microsoft-Windows-Security-Auditing | Security | A security-disabled universal group was deleted. Logged when a universal distribution group is deleted (DC only). |
| 4764 | Microsoft-Windows-Security-Auditing | Security | A group’s type was changed. Logged when an existing group’s type or scope is changed (e.g. converting a security group to distribution, or global to universal). |
| 4765 | Microsoft-Windows-Security-Auditing | Security | SID History was added to an account. Logged when the SID History attribute is added to a user or group (typically during migrations). This could be a sign of privilege escalation if done unexpectedly. |
| 4766 | Microsoft-Windows-Security-Auditing | Security | An attempt to add SID History to an account failed. Logged when a SID History addition was attempted but did not succeed (possibly due to security settings). |
| 4767 | Microsoft-Windows-Security-Auditing | Security | A user account was unlocked. Logged when an administrator unlocks a locked-out user account (or the account automatically unlocks after duration). |
| 4768 | Microsoft-Windows-Security-Auditing | Security | A Kerberos authentication ticket-granting ticket (TGT) was requested. Logged on DCs every time a user tries to authenticate via Kerberos. A success indicates the DC issued a TGT (authentication succeeded). Failure will have an error code (pre-authentication failures generate event 4771). |
| 4769 | Microsoft-Windows-Security-Auditing | Security | A Kerberos service ticket (TGS) was requested. Logged on DCs when a Kerberos ticket for a specific service/resource is requested. It indicates a user is attempting to access a service and a TGS ticket was issued (or attempted). |
| 4770 | Microsoft-Windows-Security-Auditing | Security | A Kerberos service ticket was renewed. Logged when a TGS ticket is renewed by the user (reused without full re-authentication). |
| 4771 | Microsoft-Windows-Security-Auditing | Security | Kerberos pre-authentication failed. Logged on DCs when a Kerberos logon fails pre-auth (e.g., wrong password, expired password for a user). Contains error code specifying reason. This is a Kerberos login failure event. |
| 4776 | Microsoft-Windows-Security-Auditing | Security | The domain controller attempted to validate the credentials for an account (NTLM). This event is logged when a DC authenticates a user via NTLM instead of Kerberos (includes the account name and authentication result code). Both successful and failed NTLM authentications use event 4776 (with status codes). |
| 4780 | Microsoft-Windows-Security-Auditing | Security | The ACL was set on accounts which are members of administrators groups. This event indicates that the system applied AdminSDHolder protected permissions on administrative accounts (which happens periodically to secure admin accounts). |
| 4781 | Microsoft-Windows-Security-Auditing | Security | The name of an account was changed. Logged when the sAMAccountName (logon name) of a user or computer account is changed (on DCs for domain accounts). |
| 4794 | Microsoft-Windows-Security-Auditing | Security | An attempt was made to set the Directory Services Restore Mode (DSRM) administrator password. Logged when someone tries to set the DSRM local administrator password on a domain controller (which is a sensitive operation). |
| 4897 | Microsoft-Windows-Security-Auditing | Security | Role separation was enabled. Indicates that AD DS “role separation” (delegating different admin roles) was enabled on a Certification Authority (CA) or another service. This is a high-security configuration event. |
| 4964 | Microsoft-Windows-Security-Auditing | Security | Special groups have been assigned to a new logon. Logged when a user who is a member of certain “special groups” (configured in registry for auditing) logs on. It identifies if privileged group members log on. |
| 4976 | Microsoft-Windows-Security-Auditing | Security | During DPI (Deep Packet Inspection), a packet was dropped because it failed an IPsec integrity check. (Example of an IPsec audit event; 4960-4976 series cover IPsec violations or policy changes). |
| 4985 | Microsoft-Windows-Security-Auditing | Security | The state of a transaction changed (Transactional NTFS). (This is a less common event related to file system transactions.) |
| 5024 | Microsoft-Windows-Security-Auditing | Security | The firewall service started successfully. (Beginning of a series of Windows Firewall audit events; these track changes or startup of the Windows Filtering Platform.) |
| 5031 | Microsoft-Windows-Security-Auditing | Security | The Windows Firewall service blocked an application. (Indicates a blocked connection by firewall rules.) |
| 5038 | Microsoft-Windows-Security-Auditing | Security | Code integrity determined that an image (executable) hash is invalid and the file may have been tampered. This indicates potential malware (a system file failed signature check). |
| 5140 | Microsoft-Windows-Security-Auditing | Security | A network share object was accessed. Logged when a network share (e.g. `\\server\share`) is accessed; useful to monitor access to a DC's shared SYSVOL. |
| 5141 | Microsoft-Windows-Security-Auditing | Security | A directory service object was deleted. (Note: This is also listed under Directory Service Access category.) It means an AD object was deleted and was audited via DS Access auditing. |
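The two conditions the table flags as most significant for alerting are account lockouts (4740) and additions to privileged security groups (4728/4732/4756). The following PowerShell is an added example, not code from the InfraSOS article or product: it pulls those events from a DC's Security log, unpacks the named `EventData` fields from the event XML, and emits one alert object per hit. It assumes it runs on (or is pointed at) a DC where "Audit User Account Management" and "Audit Security Group Management" are enabled, and the `$WatchedGroups` list is a placeholder you would tailor to your environment.

```powershell
# Added example (not part of the original page): privileged-group additions and
# account lockouts from a DC Security log, shaped as alert objects.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: query the local DC
    [int]$Hours = 24,
    # Assumed watch list; adjust to the groups that matter in your domain
    [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
)

# 4728/4732/4756 = member added to a global/domain-local/universal security group
# 4740 = account locked out
$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756, 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Turn the <Data Name="..."> elements of an event into a hashtable keyed by field name
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        $map[$d.Name] = $d.'#text'
    }
    return $map
}

# Get-WinEvent raises a non-terminating error when nothing matches; silence that case
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

foreach ($e in $events) {
    $d = Get-EventDataMap -Event $e
    switch ($e.Id) {
        4740 {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Alert   = 'AccountLockout'
                Account = $d['TargetUserName']
                Source  = $d['TargetDomainName']   # for 4740 this field carries the caller computer name
                Actor   = $d['SubjectUserName']
                Group   = $null
                DC      = $e.MachineName
            }
        }
        default {
            # Only escalate additions to the watched groups; other group changes are routine noise
            if ($WatchedGroups -contains $d['TargetUserName']) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    EventId = $e.Id
                    Alert   = 'PrivilegedGroupMemberAdded'
                    Account = $d['MemberName']        # distinguished name of the member that was added
                    Source  = $null
                    Actor   = $d['SubjectUserName']   # account that performed the change
                    Group   = $d['TargetUserName']
                    DC      = $e.MachineName
                }
            }
        }
    }
}
```

Because group membership changes are only logged on the DC that processed the change, run this against every writable DC (or against the collector if the events are already forwarded) rather than a single one; the `DC` field on each object tells you which server recorded it.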
Directory Service Log Events (ActiveDirectory_DomainService)
Domain Controllers have an event log named Directory Service (source Microsoft-Windows-ActiveDirectory_DomainService) which records AD-specific operational events. These are crucial for monitoring AD health, replication, and configuration.
| Event ID | Provider Name | Log | Description |
|---|---|---|---|
| 1084 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | The Active Directory Domain Services database has been restored/recovered (or an operation regarding the AD database such as defragmentation occurred). (This event indicates AD startup and recovery status.) |
| 1311 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Replication topology problem: The Knowledge Consistency Checker (KCC) has detected that the replication topology is incomplete or broken. This often means not all DCs/sites are connected or a DC is unreachable, causing replication failures across sites. |
| 1388 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | A lingering object was introduced via replication. This indicates a destination DC (with loose replication consistency) accepted an object that had been deleted elsewhere (a lingering object). The object was re-created on the DC. This typically occurs if a DC was offline past tombstone lifetime and then replicates. |
| 1864 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | No recent replication (Time Skew): This DC has not received replication from a partner DC for an extended period. Event 1864 often indicates that a domain controller hasn’t replicated recently and may be out of sync (possible time mismatch or connectivity issue). |
| 1925 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Replication failed – partner unreachable: The DC could not contact a replication partner. This often means a DC attempted to replicate but the target could not be reached (due to network or DNS issues). (Event 1925 is logged with extended error info when a replication connection fails.) |
| 1988 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | A lingering object was detected and replication was blocked. This occurs on a destination DC with strict replication consistency when a source DC has an object that this DC considers deleted – replication is halted to prevent reintroducing a lingering object. Admin action is needed to remove lingering objects. |
| 2042 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Tombstone lifetime exceeded – replication stopped: It has been too long since this machine replicated with a partner (longer than tombstone lifetime). AD replication is halted with that partner to prevent possible lingering objects. This often means one DC was offline for too long (e.g. >60 or 180 days). User action: decommission or force sync with lingering object removal if necessary. |
| 2087 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | DNS lookup failure for replication: The DC could not resolve the DNS host name of its replication partner. This prevents AD changes from replicating between certain DCs. Until resolved, you may have inconsistent AD data. (Event 2087 is logged when all DNS lookup attempts to locate the partner fail). |
| 2088 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Replication failed after DNS found partner: Logged if the partner was found (DNS resolved) but replication still fails (e.g. RPC issue or partial connectivity). Often paired with 2087 – 2088 indicates the partner was contacted but replication attempt failed after initial contact. This usually signals communication or authentication issues between DCs. |
| 2089 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | AD Database Backup Alert: The directory partition has not been backed up within the backup latency interval. Event 2089 is a warning that you haven’t taken an AD backup for a while (half of tombstone lifetime). It lists partitions and the days since last backup. Ensuring regular system state backups will prevent this warning. |
| 2091 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | A partial replication topology was created. (Indicates the KCC could only partially build connections, often due to incomplete site link configuration.) |
| 2102 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Database inconsistency / patch: The AD database might have been modified or an attempt to change it failed. (Often related to AD database recovery events.) |
| 2886 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Insecure LDAP binds allowed: This DC is configured to not require LDAP signing or sealing. It’s a periodic reminder (logged every 24 hours) that “LDAP signing is not being enforced,” which is a security vulnerability. In other words, Event 2886 means the domain controller permits unsigned LDAP bind requests. Administrators should consider enabling LDAP signing requirements. |
| 2887 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Count of unsigned LDAP binds: Logged every 24 hours on DCs that allow unsigned binds and have had at least one such bind in the last day. The event indicates how many plaintext or unsigned LDAP binds occurred (so you can identify legacy applications using insecure binds). If this event appears, it provides the number of insecure bind attempts. |
| 2888 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Rejected unsigned LDAP bind (enforcement mode): Logged every 24 hours if the DC is set to require signing and it rejected at least one unsigned bind request. This means the DC refused an insecure LDAP connection from a client. |
| 2889 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Client attempted unsigned LDAP (detailed): Logged when a client binds without signing on port 389 and Logging Level 2 is enabled. It provides details on the client that attempted the insecure bind (for troubleshooting which client is using insecure LDAP). |
| 2920 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | The internal snapshot of the Active Directory database has completed. (Can be logged during certain operations like AD diagnostic or backup tasks.) |
| 2923 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Global Catalog promotion complete. (Logged when a DC has finished being promoted to a Global Catalog server.) |
| 2924 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Global Catalog demotion complete. (Logged when a DC is unflagged as a Global Catalog server.) |
| 2944 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | The Active Directory Web Services service started successfully. (Indicates that the AD Web Services (ADWS) on the DC is running, which is required for PowerShell ActiveDirectory module and AD Administrative Center.) |
| 2945 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | Active Directory Web Services encountered an error and could not start. (If ADWS fails, features that rely on it will not function – this event gives error details.) |
| 3039 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | LDAP Channel Binding failure: A client’s LDAP over SSL/TLS connection failed channel binding token (CBT) validation. This is logged when CBT is required/supported and a client either doesn’t send it or sends an invalid token. It helps identify clients not compliant with LDAP channel binding. |
| 3040 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | LDAP bind with channel binding not required. (Part of channel binding events; may indicate a client connected without CBT when policy is set to “When Supported.”) |
| 3041 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | LDAP channel binding not configured. (This might log if no channel binding is attempted and policy is none – essentially indicating default behavior. Often not seen unless auditing at higher levels.) |
| 3686 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | The DC’s replication queue is overloaded. (For example, this event can indicate that a large number of updates are queued for replication – sometimes logged as a warning if the queue length exceeds a threshold.) |
| 3687 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | A peak in replication latency was observed. (Used to notify if replication is taking unusually long.) |
| 4033 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | This domain controller has been denied replication due to an Outdated OS version. (For example, if an OS version compatibility issue arises in the domain/forest functional level.) |
| 5005 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | The Active Directory Domain Services is shutting down. Logged during normal shutdown of AD DS service (for example, when a DC is shutting down or demoted). |
| 5008 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | The Active Directory Domain Services has been restored from backup. (Indicates an AD restore operation was detected, which could lead to USN rollback if not done properly.) |
| 5120 | Microsoft-Windows-ActiveDirectory_DomainService | Directory Service | The directory services restore mode password was set. (This might be logged when the DSRM administrator password is configured/reset on a DC outside of normal install.) |
| 5136 | Microsoft-Windows-Security-Auditing | Security (Directory Service Access) | A directory service object was modified. This is audited when an AD object’s attributes are changed (and auditing for DS Access is enabled on that object). It provides the object, attributes changed, and the user who made the change. (This security event is generated under category “Directory Service Access.”) |
| 5137 | Microsoft-Windows-Security-Auditing | Security (Directory Service Access) | A directory service object was created. Audited when a new AD object (user, group, OU, etc.) is created and the SACL on the parent OU/domain is configured to audit creates. Contains the object name that was created. |
| 5138 | Microsoft-Windows-Security-Auditing | Security (Directory Service Access) | A directory service object was undeleted. Logged when an AD object is restored from tombstone (recycled) if auditing is enabled. (For example, an object reanimated or restored from AD Recycle Bin). |
| 5139 | Microsoft-Windows-Security-Auditing | Security (Directory Service Access) | A directory service object was moved. Logged when an object is moved from one OU/container to another (with DS Access auditing on the object’s containers). It includes the old and new locations. |
| 5141 | Microsoft-Windows-Security-Auditing | Security (Directory Service Access) | A directory service object was deleted. Audited when an AD object is deleted and the object’s SACL requests audit of deletions. (Often accompanies the Directory Service event 2089 if object is tombstoned for a while.) |
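Events 2886 through 2889 only tell you that unsigned or cleartext LDAP binds are happening; the operational question is which clients are doing it, so that LDAP signing can be enforced without breaking them. The following PowerShell is an added example, not code from the article, the InfraSOS product or Microsoft: it reads the daily 2887 counters and the per-client 2889 records from the Directory Service log and aggregates the clients by source address and identity. It assumes it runs on the DC itself, that the `16 LDAP Interface Events` diagnostics value under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics` controls 2889 logging (level 2 is what the table describes), and that the unnamed event properties appear in the order the event message lists them (counters for 2887; client endpoint, identity, binding type for 2889); verify that order against one raw event on your own DC.

```powershell
# Added example (not part of the original page): inventory insecure LDAP binds
# from the 2887 (daily counters) and 2889 (per-client) Directory Service events.
param(
    [int]$Days = 7,
    [switch]$EnableDetailedLogging   # raise "16 LDAP Interface Events" to 2 so 2889 is written
)

if ($EnableDetailedLogging) {
    # Level 2 logs one 2889 per unsigned bind; the default level 0 only writes the daily 2886/2887
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

$filter = @{
    LogName      = 'Directory Service'
    ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
    Id           = 2887, 2889
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

function Get-InsecureBindCounts {
    # 2887 properties (assumed order, matching the message template):
    #   [0] simple binds performed without SSL/TLS
    #   [1] Negotiate/Kerberos/NTLM/Digest binds performed without signing
    param([System.Diagnostics.Eventing.Reader.EventRecord[]]$Records)
    foreach ($e in $Records) {
        if ($e.Properties.Count -lt 2) { continue }
        [pscustomobject]@{
            Day               = $e.TimeCreated.Date
            SimpleBindsNoTls  = [int]$e.Properties[0].Value
            UnsignedSaslBinds = [int]$e.Properties[1].Value
        }
    }
}

function Get-InsecureBindClients {
    # 2889 properties (assumed order): [0] client IP:port, [1] identity, [2] binding type
    # Using Properties instead of parsing Message keeps this independent of the DC's display language
    param([System.Diagnostics.Eventing.Reader.EventRecord[]]$Records)
    $rows = foreach ($e in $Records) {
        if ($e.Properties.Count -lt 3) { continue }
        [pscustomobject]@{
            ClientIP    = ([string]$e.Properties[0].Value) -replace ':\d+$', ''   # drop the ephemeral source port (IPv4 form assumed)
            Identity    = [string]$e.Properties[1].Value
            BindingType = [string]$e.Properties[2].Value   # reported as the event writes it; meaning is given in the event text
            Time        = $e.TimeCreated
        }
    }
    # One line per (client, identity, binding type) so each legacy application shows up once
    $rows | Group-Object ClientIP, Identity, BindingType | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            ClientIP    = $first.ClientIP
            Identity    = $first.Identity
            BindingType = $first.BindingType
            Count       = $_.Count
            LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    }
}

Get-InsecureBindCounts  -Records @($events | Where-Object Id -eq 2887) | Format-Table -AutoSize
Get-InsecureBindClients -Records @($events | Where-Object Id -eq 2889) |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

A practical sequence is to leave the diagnostics level raised for at least one full business cycle (the 2887 counters show whether the week is representative), remediate or retire every client the 2889 aggregation surfaces, then switch the DC to require signing and confirm that 2888 stays quiet.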
DNS Server Log Events
If your DCs also run DNS, the DNS Server log is crucial for tracking name resolution issues, zone transfers, and integration with AD.
| Event ID | Provider | Log | Description |
|---|---|---|---|
| 4000 | Microsoft-Windows-DNSServer | DNS Server | DNS Server started successfully. |
| 4001 | Microsoft-Windows-DNSServer | DNS Server | DNS Server shutting down. |
| 4010 | Microsoft-Windows-DNSServer | DNS Server | The DNS server was unable to create a resource record. Often indicates a misconfigured dynamic registration or stale DNS zone data. |
| 4013 | Microsoft-Windows-DNSServer | DNS Server | DNS server is waiting for Active Directory Domain Services (AD DS) to signal readiness. Common during DC reboot — if persistent, it indicates issues with AD replication or DNS integration. |
| 4015 | Microsoft-Windows-DNSServer | DNS Server | DNS server encountered a critical error from Active Directory. Often caused by AD replication or database corruption. |
| 4521 | Microsoft-Windows-DNSServer | DNS Server | DNS server detected that it is not enlisted in the replication scope of the AD-integrated zone. Typically indicates misconfigured DNS replication. |
| 6001 | Microsoft-Windows-DNSServer | DNS Server | DNS zone transfer failed. Often due to replication or trust relationship issues between DNS servers. |
| 6702 | Microsoft-Windows-DNSServer | DNS Server | DNS server has updated its Active Directory infrastructure. Often seen during reboot or after changes to the DNS zone configuration. |
| 7504 | Microsoft-Windows-DNSServer | DNS Server | The DNS server has encountered a critical error while attempting to load, initialize, or create the zone. Could be corrupted zone files. |
Netlogon Service Events
To provide a comprehensive view of DC health, consider monitoring these additional logs and categories:
Log: System. Provider: NETLOGON. Important for authentication and trust issues.
| Event ID | Provider Name | Log | Description |
|---|---|---|---|
| 5719 | NETLOGON | System | No domain controller available — client unable to contact DC. |
| 5781 | NETLOGON | System | Dynamic DNS update failed — Netlogon failed to register DC in DNS. |
Time Synchronization (W32Time):
Ensures Kerberos time sync (crucial for trust and logon).
| Event ID | Provider Name | Log | Description |
|---|---|---|---|
| 36 | Microsoft-Windows-Time-Service | System | Time service synchronized with a time source. |
| 47 | Microsoft-Windows-Time-Service | System | Time service failed to synchronize. |
| 50 | Microsoft-Windows-Time-Service | System | Time service detected a change and resync. |
| 134 | Microsoft-Windows-Time-Service | System | Time service has detected a large time jump. |
System-Level Errors:
Track disk, service startup failures, memory issues.
| Event ID | Provider Name | Log | Description |
|---|---|---|---|
| 55 | Microsoft-Windows-Ntfs | System | File system corruption detected. |
| 1001 | BugCheck | System | Server crash (BSOD) occurred. |
| 7001 | Service Control Manager | System | Netlogon or DNS service failed to start. |
NTDS Diagnostics
Very detailed — often used by enterprise environments for diagnosing deep replication issues.
| Event ID | Provider Name | Log | Description |
|---|---|---|---|
| 2089 | Microsoft-Windows-ActiveDirectory_DomainService | NTDS Replication | AD database has not been backed up within tombstone lifetime. |
| 2108 | Microsoft-Windows-ActiveDirectory_DomainService | NTDS Replication | Internal consistency check failed during replication. |
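The DNS Server, Netlogon, W32Time, System and NTDS tables above describe operational conditions that are scattered across several logs, and a health dashboard needs them collected per DC in one pass. The following PowerShell is an added example, not code from the article or the InfraSOS product: it sweeps the System, DNS Server and Directory Service logs of each DC for a subset of the event IDs tabulated on this page and returns one summary row per (DC, event ID) with a count and the latest message line. The severity labels are this example's own assumption (not a Microsoft classification), and the DC list defaults to the local machine.

```powershell
# Added example (not part of the original page): one sweep of the DC health signals
# tabulated above, grouped per DC and event ID for alerting.
param(
    [string[]]$DomainControllers = @($env:COMPUTERNAME),  # assumption: local DC; pass the full DC list in practice
    [int]$Hours = 24
)

# Event ID -> log it lives in, meaning, and an assumed severity. Logs and IDs are taken from the page's tables.
$signals = @{
    5719 = @{ Log = 'System';            Sev = 'High';   What = 'Netlogon: no domain controller available' }
    5781 = @{ Log = 'System';            Sev = 'Medium'; What = 'Netlogon: dynamic DNS registration failed' }
    47   = @{ Log = 'System';            Sev = 'Medium'; What = 'W32Time: failed to synchronize' }
    134  = @{ Log = 'System';            Sev = 'High';   What = 'W32Time: large time jump detected' }
    55   = @{ Log = 'System';            Sev = 'High';   What = 'NTFS: file system corruption detected' }
    1001 = @{ Log = 'System';            Sev = 'High';   What = 'BugCheck: server crashed' }
    7001 = @{ Log = 'System';            Sev = 'High';   What = 'Service failed to start (dependency failure)' }
    4013 = @{ Log = 'DNS Server';        Sev = 'Medium'; What = 'DNS waiting for AD DS readiness' }
    4015 = @{ Log = 'DNS Server';        Sev = 'High';   What = 'DNS critical error from Active Directory' }
    6001 = @{ Log = 'DNS Server';        Sev = 'Medium'; What = 'DNS zone transfer failed' }
    1311 = @{ Log = 'Directory Service'; Sev = 'High';   What = 'KCC: replication topology incomplete' }
    2042 = @{ Log = 'Directory Service'; Sev = 'High';   What = 'Replication stopped: tombstone lifetime exceeded' }
    2087 = @{ Log = 'Directory Service'; Sev = 'High';   What = 'Replication partner DNS lookup failed' }
    2089 = @{ Log = 'Directory Service'; Sev = 'Medium'; What = 'AD partition not backed up within latency interval' }
}

function Get-DcHealthSignals {
    param([string]$Dc, [int]$LookbackHours)
    $since = (Get-Date).AddHours(-$LookbackHours)
    # Query each log separately so the ID filter only contains IDs that belong to that log
    $logs = $signals.Values | ForEach-Object { $_.Log } | Sort-Object -Unique
    foreach ($log in $logs) {
        $ids = @($signals.Keys | Where-Object { $signals[$_].Log -eq $log })
        $found = @(Get-WinEvent -ComputerName $Dc `
                    -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                    -ErrorAction SilentlyContinue)
        foreach ($grp in ($found | Group-Object Id)) {
            $id     = [int]$grp.Name
            $latest = $grp.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                DC       = $Dc
                Log      = $log
                EventId  = $id
                Severity = $signals[$id].Sev
                Meaning  = $signals[$id].What
                Count    = $grp.Count
                LastSeen = $latest.TimeCreated
                # The first line of the message is enough for an alert summary
                Summary  = ($latest.Message -split "`r?`n")[0]
            }
        }
    }
}

$DomainControllers |
    ForEach-Object { Get-DcHealthSignals -Dc $_ -LookbackHours $Hours } |
    Sort-Object Severity, DC, EventId |
    Format-Table -AutoSize
```

Reading the result as a whole matters more than any single row: a 47 or 134 from W32Time on the same DC that reports 5719 or 2087 points at the time or name-resolution fault behind the replication symptom, which is the correlation the individual tables above cannot show.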
In summary, the above tables enumerate the key Windows Event IDs relevant to Active Directory monitoring. By forwarding these events from Domain Controller logs (Security and Directory Service logs) into InfraSOS, administrators can set up alerts for important conditions – such as account lockouts, group membership changes, replication failures, and other signs of potential issues or attacks in the AD environment. This comprehensive monitoring covers both security-related events (audit logs) and operational AD health events, providing a broad view of AD status and security.