Windows Server 2012 - Replication Event on Secondary Domain Controller

%3CLINGO-SUB%20id%3D%22lingo-sub-1262827%22%20slang%3D%22en-US%22%3EWindows%20Server%202012%20-%20Replication%20Event%20on%20Secondary%20Domain%20Controller%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1262827%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20looking%20for%20a%20way%20to%20track%20when%20a%20user%20account%20was%20created%2Fdelete%2Fchanged%20on%20the%20secondary%20domain%20controller.%20When%20we%20make%20the%20change%20on%20the%20primary%2C%20I%20can%20see%20the%20event%20in%20the%20event%20log%20but%20we%20want%20to%20see%20that%20replication%20event%20on%20the%20secondary%20domain%20controller.%20I'm%20not%20sure%20what%20I'm%20looking%20for%20and%20we%20have%20so%20many%20logon%2Flogoff%20events%20that%20the%20event%20log%20only%20holds%202-3%20minutes%20of%20data%20before%20filling%20up.%20Since%20it%20takes%20time%20to%20replicate%2C%20I%20can't%20catch%20the%20event.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI've%20gone%20into%20the%20group%20policy%20settings%20for%20the%20domain%20controllers%20and%20turned%20on%20advanced%20audit%20for%20the%20replication%20service%20but%20it's%20really%20only%20showing%20me%20that%20it%20was%20able%20to%20talk%20to%20the%20other%20domain%20controller%2C%20not%20what%20was%20actually%20replicated.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI'm%20hoping%20there%20is%20a%20way%20that%20we%20can%20track%20the%20change%2C%20even%20if%20it%20is%20as%20simple%20as%20something%20like%20a%20change%20was%20made.%20It%20doesn't%20have%20to%20be%20in%20great%20detail.%20If%20maybe%20someone%20knows%20what%20event%20id%20is%20that%20I%20need%20to%20look%20for%20then%20I%20can%20filter%20through%20and%20find%20it.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EMaybe%20I'm%20looking%20in%20the%20wrong%20place%20all%20together%3F%20Any%20help%20would%20be%20greatly%20appreciated.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1262827%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edomain%20controller%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EManagement%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EReplication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1340820%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Server%202012%20-%20Replication%20Event%20on%20Secondary%20Domain%20Controller%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1340820%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20future%20knowledge%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20found%20that%20event%20id%204932%20and%204933%20showed%20the%20replication%20events%20beginning%20and%20ending%20between%20all%20of%20our%20domain%20controllers.%20This%20gave%20us%20the%20information%20we%20were%20looking%20for.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

We are looking for a way to track when a user account was created/delete/changed on the secondary domain controller. When we make the change on the primary, I can see the event in the event log but we want to see that replication event on the secondary domain controller. I'm not sure what I'm looking for and we have so many logon/logoff events that the event log only holds 2-3 minutes of data before filling up. Since it takes time to replicate, I can't catch the event.


I've gone into the group policy settings for the domain controllers and turned on advanced audit for the replication service but it's really only showing me that it was able to talk to the other domain controller, not what was actually replicated.


I'm hoping there is a way that we can track the change, even if it is as simple as something like a change was made. It doesn't have to be in great detail. If maybe someone knows what event id is that I need to look for then I can filter through and find it.


Maybe I'm looking in the wrong place all together? Any help would be greatly appreciated.

1 Reply
Highlighted

For future knowledge:

 

We found that event id 4932 and 4933 showed the replication events beginning and ending between all of our domain controllers. This gave us the information we were looking for.