Event id 1487 - 1490
Question
-
text/html 1/10/2013 12:21:05 PM tomas.kukan 0
Hi,
How can I force a Win2k8 R2 domain controller to generate replication event IDs 1487 - 1490? Do I have to enable some audit policy? I need these event IDs for my monitoring system.
Thanx
Tomas
Thursday, January 10, 2013 12:21 PM
Answers
-
text/html 1/15/2013 12:50:51 PM pbbergs [MSFT] 0
Are you sure you shouldn't be looking for 4932 and 4933?
--
http://technet.microsoft.com/en-us/library/dd772741(v=WS.10).aspx
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by tomas.kukan Thursday, February 7, 2013 11:30 AM
Tuesday, January 15, 2013 12:50 PM
All replies
-
text/html 1/10/2013 12:51:51 PM pbbergs [MSFT] 0
I don't know what these events are and when I looked them up I couldn't find anything (eventid.net), I'm sure there is a site I could try and find them but I'm not going to hunt them down. If these are AD related then you will need to enable auditing for AD.
Enable AD auditing
http://technet.microsoft.com/en-us/library/dd379006(v=WS.10).aspx
http://www.infotechguyz.com/server2008/auditserver2008.html
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
- Proposed as answer by Arthur_Li (Microsoft contingent staff) Friday, January 11, 2013 5:16 AM
Thursday, January 10, 2013 12:51 PM -
text/html 1/10/2013 12:57:58 PM Sandesh Dubey 0
Event id 1487: This is an Active Directory internal event. Internal events appear in Event Viewer only when the default logging level is changed. Most internal events are for informational purposes only. This event is logged when Active Directory receives a request to begin inbound replication with the specified parameters.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=1487&EvtSrc=Active
You can use the Directory Service event log for monitoring such events as the moments of replication request completion, the number, total size, and names of replicated attributes, and so on. The granularity level of logged events is set through the system registry:
http://flylib.com/books/en/3.291.1.39/1/
How to configure Active Directory diagnostic event logging:
http://support.microsoft.com/kb/314980
Log collection for Active Directory Replication issues
http://blogs.technet.com/b/msindiasupp/archive/2011/08/09/log-collection-for-active-directory-replication-issues.aspx
Manage Active Directory Replication
http://stuartconey.com/wp/?p=532
AD Replication Status Tool is Live
http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx
Troubleshooting replication
http://technet.microsoft.com/en-us/library/bb727057.aspx
http://technet.microsoft.com/en-us/library/cc755349(v=ws.10).aspx
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed as answer by Arthur_Li (Microsoft contingent staff) Friday, January 11, 2013 5:15 AM
Thursday, January 10, 2013 12:57 PM -
text/html 1/11/2013 7:23:52 AM tomas.kukan 0
Thanx for reply,
Based on this article http://flylib.com/books/en/3.291.1.39/1/ I have set the following registry value "5 Replication Events" to "3":
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
I still see no event IDs 1487-1490 in the "Directory Service" event log. But I can see other internal replication events like 1060, 1072, 1360, 1363, 1364, ...
To explain the reason why I need event IDs 1487-1490: we have HP OM monitoring for Active Directory, and a specific policy (ADSPI_ReplicationActivities_sk8+) monitors these event IDs to know when/how replication has started and ended.
Any ideas?
Friday, January 11, 2013 7:23 AM -
text/html 1/11/2013 8:15:27 AM Christoffer Andersson 0
Note: The following events are only logged if the logging level for 'Replication Events' is set to at least 'Extensive' level '3':
http://technet.microsoft.com/en-us/library/cc961809.aspx
1487 is only taking place when 'IDL_DRSReplicaSync' is called:
http://msdn.microsoft.com/en-us/library/cc228237.aspx
1490 is only taking place when 'IDL_DRSGetNCChanges' is called:
http://msdn.microsoft.com/en-us/library/dd207691.aspx
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
- Edited by Christoffer Andersson Friday, January 11, 2013 8:20 AM
- Proposed as answer by bshwjt Monday, January 14, 2013 11:23 AM
Friday, January 11, 2013 8:15 AM -
text/html 1/11/2013 1:51:49 PM tomas.kukan 0
What does it mean? I'm not sure I understand how IDL_DRSReplicaSync and IDL_DRSGetNCChanges work. Can you explain it to me? I thought IDL_DRSReplicaSync is called whenever replication occurs.
Friday, January 11, 2013 1:51 PM
-
text/html 1/11/2013 1:58:04 PM Christoffer Andersson 0
A DC starts or resumes a replication cycle by sending an IDL_DRSGetNCChanges request to a specified DC (replication partner). If ulOptions contains DRS_ASYNC_OP, the server performs this operation asynchronously (IDL_DRSReplicaSync).
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
Friday, January 11, 2013 1:58 PM -
text/html 1/14/2013 11:22:28 AM tomas.kukan 0
OK, I understand. But still no required event IDs in my logs. Any ideas why?
Are there any other requirements for generating these event IDs, except editing registry values?
Monday, January 14, 2013 11:22 AM -
text/html 1/14/2013 11:25:53 AM bshwjt 0
In addition,
ADDS Audit
http://social.technet.microsoft.com/wiki/contents/articles/15232.adds-audit.aspx
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
Monday, January 14, 2013 11:25 AM -
text/html 1/15/2013 11:27:11 AM tomas.kukan 0
I have already enabled audit for Directory Service Replication and Detailed Directory Service Replication for Success and Failure. Still no required Event IDs in logs.
Tuesday, January 15, 2013 11:27 AM
-
text/html 1/21/2013 1:57:22 AM Arthur_Li 0
Hi,
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Arthur Li
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li
TechNet Community Support
Monday, January 21, 2013 1:57 AM -
text/html 1/21/2013 8:51:47 AM tomas.kukan 0
Are you sure you shouldn't be looking for 4932 and 4933?
--
http://technet.microsoft.com/en-us/library/dd772741(v=WS.10).aspx
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
Thanx. These events are logged. It looks like the HP OM logging policy is matching the wrong event IDs. Maybe these event IDs are for W2k3 ??? Couldn't find an answer on Google.
The HP OM policy is looking for event IDs 1487-1490, but I don't know why. The name of this policy is ADSPI_ReplicationActivities_2K8+
1487 - Log Start Inbound Replication
1488 - Log Stop Inbound Replication
1489 - Log Start Outbound Replication
1490 - Log Stop Outbound Replication
Are these events ever generated on a Windows 2008 R2 domain controller? Which audit policy is needed for logging these events?
Monday, January 21, 2013 8:51 AM
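
The checks discussed in this thread can be run in one pass on the domain controller. The script below is an added example, not code from any poster or from HP OM. It reads the "5 Replication Events" diagnostic level, shows the two audit subcategories named above, and counts which of the event IDs 1487-1490 and 4932/4933 were actually logged. It assumes an elevated PowerShell session on the DC, English subcategory names, and a 24-hour look-back window chosen for illustration.

```powershell
# Added example: run elevated on the domain controller.
# Assumption: 24-hour look-back window; adjust to match the monitoring interval.
$since = (Get-Date).AddHours(-24)

# 1. NTDS diagnostic logging level for replication (the thread sets this to 3).
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diag    = Get-ItemProperty -Path $diagKey -Name '5 Replication Events' -ErrorAction SilentlyContinue
"NTDS '5 Replication Events' level: $($diag.'5 Replication Events')"

# 2. Audit subcategories mentioned in the thread (one auditpol call per subcategory).
foreach ($sub in 'Directory Service Replication', 'Detailed Directory Service Replication') {
    auditpol /get /subcategory:"$sub" | Select-String -SimpleMatch -Pattern $sub
}

# 3. Count each event ID of interest in the log where it would appear.
$targets = @(
    @{ LogName = 'Directory Service'; Id = 1487, 1488, 1489, 1490 },  # NTDS diagnostic events
    @{ LogName = 'Security';          Id = 4932, 4933 }               # replication audit events
)

$report = foreach ($t in $targets) {
    # Get-WinEvent raises an error when nothing matches, so suppress it and treat as empty.
    $filter = @{ LogName = $t.LogName; Id = $t.Id; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($id in $t.Id) {
        $hits = @($events | Where-Object { $_.Id -eq $id })
        New-Object PSObject -Property @{
            Log     = $t.LogName
            EventId = $id
            Count   = $hits.Count
            Latest  = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        } | Select-Object Log, EventId, Count, Latest
    }
}

$report | Format-Table -AutoSize
```

A row with Count 0 for an ID that the monitoring policy matches on means the policy will never fire on this DC, regardless of the logging and audit settings printed above it.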