Event id 1487 - 1490


  • Question

  • Hi,

    How can I force a Win2k8 R2 domain controller to generate replication event IDs 1487 - 1490? Do I have to enable some audit policy? I need these event IDs for my monitoring system.

    Thanx

    Tomas

    Thursday, January 10, 2013 12:21 PM

Answers

  • Are you sure you shouldn't be looking for 4932 and 4933?
    http://technet.microsoft.com/en-us/library/dd772741(v=WS.10).aspx

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by tomas.kukan Thursday, February 7, 2013 11:30 AM
    Tuesday, January 15, 2013 12:50 PM

All replies

  • I don't know what these events are and when I looked them up I couldn't find anything (eventid.net). I'm sure there is a site I could try and find them but I'm not going to hunt them down. If these are AD related then you will need to enable auditing for AD.

    Enable AD auditing
    http://technet.microsoft.com/en-us/library/dd379006(v=WS.10).aspx
    http://www.infotechguyz.com/server2008/auditserver2008.html

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, January 10, 2013 12:51 PM
  • Event id 1487: This is an Active Directory internal event. Internal events appear in Event Viewer only when the default logging level is changed. Most internal events are for informational purposes only. This event is logged when Active Directory receives a request to begin inbound replication with the specified parameters. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=1487&EvtSrc=Active

    You can use the Directory Service event log for monitoring such events as the moments of replication request completion, the number, total size, and names of replicated attributes, and so on. The granularity level of logged events is set through the system registry: http://flylib.com/books/en/3.291.1.39/1/

    How to configure Active Directory diagnostic event logging: http://support.microsoft.com/kb/314980

    Log collection for Active Directory Replication issues
    http://blogs.technet.com/b/msindiasupp/archive/2011/08/09/log-collection-for-active-directory-replication-issues.aspx

    Manage Active Directory Replication
    http://stuartconey.com/wp/?p=532

    AD Replication Status Tool is Live
    http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx

    Troubleshooting replication
    http://technet.microsoft.com/en-us/library/bb727057.aspx
    http://technet.microsoft.com/en-us/library/cc755349(v=ws.10).aspx


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, January 10, 2013 12:57 PM
  • Thanx for reply,

    Based on this article http://flylib.com/books/en/3.291.1.39/1/ I have set the following registry value "5 Replication Events" to "3"

    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

    I still see no event ID 1487-1490 in the "Directory Service" event log. But I can see other internal replication events like 1060, 1072, 1360, 1363, 1364, ...

    To explain the reason why I need event IDs 1487-1490: we have HP OM monitoring for Active Directory and a specific policy (ADSPI_ReplicationActivities_sk8+) monitors these event IDs to know when/how replication has started and ended.

    Any ideas?


    Friday, January 11, 2013 7:23 AM
  • Note: The following events are only logged if the logging level for 'Replication Events' is set to at least the 'Extensive' level '3':
    http://technet.microsoft.com/en-us/library/cc961809.aspx

    1487 is only taking place when 'IDL_DRSReplicaSync' is called:
    http://msdn.microsoft.com/en-us/library/cc228237.aspx

    1490 is only taking place when 'IDL_DRSGetNCChanges' is called:
    http://msdn.microsoft.com/en-us/library/dd207691.aspx


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog


    Friday, January 11, 2013 8:15 AM
  • What does it mean? I'm not sure I understand how IDL_DRSReplicaSync and IDL_DRSGetNCChanges work. Can you explain it to me? I thought IDL_DRSReplicaSync is called whenever replication occurs.
    Friday, January 11, 2013 1:51 PM
  • A DC starts or resumes a replication cycle by sending an IDL_DRSGetNCChanges request to a specified DC (replication partner). If ulOptions contains DRS_ASYNC_OP, the server performs this operation asynchronously (IDL_DRSReplicaSync).

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Friday, January 11, 2013 1:58 PM
  • Ok, I understand. But still no required event IDs in my logs. Any ideas why?

    Are there any other requirements for generating these event IDs, except editing registry values?

    Monday, January 14, 2013 11:22 AM
  • In addition,

    ADDS Audit

    http://social.technet.microsoft.com/wiki/contents/articles/15232.adds-audit.aspx


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Monday, January 14, 2013 11:25 AM
  • I have already enabled audit for Directory Service Replication and Detailed Directory Service Replication for Success and Failure. Still no required Event IDs in logs.
    Tuesday, January 15, 2013 11:27 AM
  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

     

    Arthur Li

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    Monday, January 21, 2013 1:57 AM
  • Are you sure you shouldn't be looking for 4932 and 4933?
    http://technet.microsoft.com/en-us/library/dd772741(v=WS.10).aspx

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thanx. These events are logged. It looks like the HP OM logging policy is matching the wrong event IDs. Maybe these event IDs are for W2k3? Couldn't find an answer on Google.

    The HP OM policy is looking for event IDs 1487-1490, but I don't know why. The name of this policy is ADSPI_ReplicationActivities_2K8+

    1487 - Log Start Inbound Replication

    1488 - Log Stop Inbound Replication

    1489 - Log Start Outbound Replication

    1490 - Log Stop Outbound Replication

    Are these events ever generated on a Windows 2008 R2 domain controller? Which audit policy is needed for logging these events?

    Monday, January 21, 2013 8:51 AM
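
The checks discussed in this thread, gathered into one script as an added example (not code from any poster): it reads the "5 Replication Events" diagnostic level, shows the two replication audit subcategories, and counts events 1487-1490 in the Directory Service log and 4932/4933 in the Security log. The 24-hour window is an assumption, and the subcategory names are the English ones, so adjust them on a localized system.

```powershell
# Added example: see which replication start/stop events a DC is actually logging.
# Run in an elevated PowerShell session on the domain controller.

$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName = '5 Replication Events'

# 1. NTDS diagnostic logging level for replication events (the thread sets it to 3).
$level = (Get-ItemProperty -Path $diagKey -Name $diagName).$diagName
"NTDS diagnostics '$diagName' = $level"

# 2. Audit subcategories mentioned in the thread (English names assumed).
foreach ($sub in 'Directory Service Replication',
                 'Detailed Directory Service Replication') {
    auditpol.exe /get /subcategory:"$sub"
}

# 3. Count matching events per log and event ID over the last 24 hours (assumed window).
$since  = (Get-Date).AddHours(-24)
$checks = @(
    @{ LogName = 'Directory Service'; Id = 1487, 1488, 1489, 1490 },
    @{ LogName = 'Security';          Id = 4932, 4933 }
)

foreach ($c in $checks) {
    $filter = @{ LogName = $c.LogName; Id = $c.Id; StartTime = $since }

    # Get-WinEvent raises an error when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($id in $c.Id) {
        $n = @($events | Where-Object { $_.Id -eq $id }).Count
        '{0,-18} {1}  count={2}' -f $c.LogName, $id, $n
    }
}
```

A zero count for 1487-1490 alongside non-zero counts for 4932/4933 matches what the original poster reports seeing.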