I would like to know if it is possible to detect which clients access certain information in the AD database and when they are doing so.
The situation we are facing in detail is as follows:
We are about to raise the Domain Functional and Forest Functional Level in several Active Directory forests/domains from Windows Server 2003 to Windows Server 2008 R2 (better late than never).
We are aware of the issue discussed in KB2260240 and therefore want to mitigate the situation by monitoring whether anyone is requesting the data stored in the attribute msDS-Behavior-Version on the objects CN=Partitions,CN=Configuration,DC=contoso,DC=tld and CN=contoso,CN=Partitions,CN=Configuration,DC=contoso,DC=tld.
The idea behind this is that if we can identify client machines requesting the values stored in the above-mentioned attributes, then we have found the client machines that could potentially face the issue described in KB2260240.
I had two ideas in mind:
1) NetMon; but the issue is that Secure LDAP traffic probably can’t be detected. If it is easy to detect via monitoring of non-secure LDAP traffic that would however still help mitigate the risk, but I am not sure how to make the right filter in NetMon.
2) Logging level; maybe a logging level can be set so that it will enable us to get the information we seek from the event log.
Any help would be appreciated.
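One server-side way to get this information without inspecting LDAP traffic at all (so LDAPS is not a problem), as an added example that is not part of the original post: put a SACL on the two objects named above that audits successful reads of msDS-Behavior-Version, then pull the resulting event 4662 entries from the Security log of each domain controller. It assumes it is run as a Domain Admin on a 2008 R2 or later DC, that the "Directory Service Access" audit subcategory has been enabled with auditpol, and that the DC name and time window are placeholders.

```powershell
# Added example (not from the original post). Requires the AD module and a DC that is
# 2008 R2 or newer; enable the audit subcategory first:
#   auditpol /set /subcategory:"Directory Service Access" /success:enable
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Resolve the schemaIDGUID of msDS-Behavior-Version from the schema instead of hard-coding it.
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-Behavior-Version)' -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID

# The two objects from the question: the Partitions container and this domain's crossRef.
$domainDN = (Get-ADDomain).DistinguishedName
$crossRef = Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter "(&(objectClass=crossRef)(nCName=$domainDN))"
$targets  = @("CN=Partitions,$configNC", $crossRef.DistinguishedName)

# Audit successful ReadProperty by Everyone, scoped to just this attribute's GUID.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $attrGuid)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Collect the matching 4662 events. Each DC logs only the reads it served, so run this
# against every DC (placeholder name below) or against forwarded Security logs.
$dcName = 'DC01'   # placeholder
$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -ComputerName $dcName -FilterHashtable $filter |
  Where-Object { $_.Message -match [regex]::Escape($attrGuid.Guid) } |
  ForEach-Object {
      $x = [xml]$_.ToXml()
      $d = @{}
      foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      [pscustomobject]@{
          Time    = $_.TimeCreated
          Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
          LogonId = $d.SubjectLogonId   # join to event 4624 TargetLogonId to get the client IP
          Object  = $d.ObjectName
      }
  } | Sort-Object Time | Format-Table -AutoSize
```

Event 4662 records the reading account but not the client address; the SubjectLogonId it carries matches the TargetLogonId of the corresponding 4624 logon event, whose IpAddress field identifies the machine.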
