Forum Discussion
Capture DFS activity
Hello, did you have a best pratice baseline to capture DFS activity specially the one done avia a remote console.
For example removing and DFS-N or DFS-Target or modify ACL on it ?
Thanks you
2 Replies
here you go
1.Enable DFS Auditing via Event Logs
To capture DFS-N and DFS-Target changes:
- Audit DFS Management Events:
- DFS changes are logged under Event Viewer > Applications and Services Logs > DFS Replication and DFS Management logs.
- Key Event IDs:
- 14503 – DFS-N configuration change
- 14506 – DFS Target added/removed
- 6006/6008 – Unexpected shutdowns (optional if investigating broader issues)
- Use Event ID 4663 from Security Logs for ACL changes
Action: Enable Object Access auditing via Group Policy:
- Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Object Access – set to Success and Failure
2.Enable Advanced Auditing (Windows Server 2012+)
- Navigate to:
GPO > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System - Enable Success and Failure
Restart the DFS Namespace server after applying GPO changes.
Thanks you for this input, unfortunaly its not working when you do a remote console change.
Thats my point and need
