Just to share this.. it’s good for us to enable the audit event in the group policy in order just to see who,when and what are the recent changes in our domain controllers.
In my example, I did enable all audit policy in my domain controller group policy.
Here, I must admit that, every activities in your domain controllers will be logged and will cost you the size of disk space as well.
I mostly picked important logs such as Audit Forest Functional level. Let’s say, if you have so many domain admins group in parent domain, people can go anywhere. When your domain controller still set to Windows 2003 functional level, yet the domain admin members can upgrade or raise this to upper level such as Windows Server 2008.
When you upgrade the forest functional level, it saves the logs in the event viewer. you will see this in Directory Services.
Usually, I can use SCOM Alert to monitor this Event ID 2040 if there is a change.
In the General Tabs, it tells you that the New forest Functional Level is equal to 3. This “3” means that the forest functional level is raised to Windows Server 2008. please see reference below:
0 = Forest functional level: Windows 2000
1 = Forest functional level: Windows Server 2003 interim
2 = Forest functional level: Windows Server 2003
3 = Forest functional level: Windows Server 2008
4 = Forest functional level: Windows Server 2008 R2
5 = Forest functional level: Windows Server 2012
Another Event ID 1968 will tell you the previous functional level and current functional level.
Thank you for viewing and reading this article. 🙂
reference URL :