Configuration and Schema changes are being duplicated for all monitored domains in a forest and reported as made by System

Typical Scenario:

Netwrix Auditor is set to monitor several domains in the same forest (for example, one root domain and several child domains). The configuration (or schema) was changed in one of the child domains, but Netwrix Auditor reported the change for every monitored domain (in a separate change report for each), and only one of those reports indicates who made the change; the others show "system".

For example, the environment consists of three domains (DomainZ.domainx.local, DomainY.domainx.local and domainx.local). The Hub Transport settings (Exchange) were changed in the child domain DomainY.domainx.local, but Netwrix Auditor included the change in the reports for all three monitored domains. The report for DomainY.domainx.local indicates the user account under which the change was made, while the other two reports attribute it to System.

Child domain:  DomainY.domainx.local
-------------------------------------------------------
Change Type:   Modified
Object Type:   Hub Transport/Receive Connector
When Changed:  12/20/2013 12:37:16 PM
Who Changed:   DomainY\Administrator
Where Changed: DC02.DomainY.domainx.local
Object Name:   \domainx\Administrative Groups\Exchange Administrative Group (FGYSJWDN23DJISW)\Servers\HB01-EX31\Protocols\SMTP Receive Connectors\Internal
Details:       Receive mail from remote servers that have these IP addresses: Added: "192.168.70.0"

Child domain:  DomainZ.domainx.local
-------------------------------------------------------
Change Type:   Modified
Object Type:   Hub Transport/Receive Connector
When Changed:  unknown
Who Changed:   system
Where Changed: unknown
Object Name:   \domainx\Administrative Groups\Exchange Administrative Group (FGYSJWDN23DJISW)\Servers\HB01-EX31\Protocols\SMTP Receive Connectors\Internal
Details:       Receive mail from remote servers that have these IP addresses: Added: "192.168.70.0"

Root domain: domainx.local
-------------------------------------------------------
Change Type:   Modified
Object Type:   Hub Transport/Receive Connector
When Changed:  unknown
Who Changed:   system
Where Changed: unknown
Object Name:   \domainx\Administrative Groups\Exchange Administrative Group (FGYSJWDN23DJISW)\Servers\HB01-EX31\Protocols\SMTP Receive Connectors\Internal
Details:       Receive mail from remote servers that have these IP addresses: Added: "192.168.70.0"

 
This is normal behavior and is explained by the architecture of Active Directory. The Configuration and Schema partitions are shared by all domains in the forest, so a change made to the configuration in one domain is replicated to every other domain. The Security events that are the source of the WHO CHANGED information, however, are generated only on the domain controller in the domain where the change was made. In the other domains the change arrives through replication, which no user account performs, so their reports show "System".
 
Netwrix Auditor collects events only from the domain controllers of the domain specified as the managed object in the Netwrix Auditor console (plus the domain controllers of the root domain), and ignores domain controllers in other child domains.

Applied to the example above: Netwrix Auditor collected changes and Security events separately for each managed domain. Every domain contains the configuration change (because of replication), but only one of them has the corresponding Security events for it.
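As an added illustration (not part of this article and not Netwrix code), the following Python script applies the explanation above to report rows exported per managed domain: rows for the same object and the same details whose WHO/WHEN/WHERE are all system/unknown are treated as replicated copies and folded into the single row that carries the Security-event attribution. The Receive Connector rows are taken from the example above; the user-account row and the Send Connector rows (object name and details hypothetical) are constructed here to show a change that is not replicated at all, and a change whose originating domain controller is not in any managed domain, so no report can name the user.

```python
"""Fold replicated Configuration/Schema changes, reported once per managed
domain, into one change attributed to the domain whose DCs logged it."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample reports, one per managed domain. Each row uses the
# report's column order (Change Type, Object Type, When Changed, Who Changed,
# Where Changed, Object Name, Details), tab-separated.
RECEIVE_CONNECTOR = (
    "\\domainx\\Administrative Groups\\Exchange Administrative Group (FGYSJWDN23DJISW)"
    "\\Servers\\HB01-EX31\\Protocols\\SMTP Receive Connectors\\Internal"
)
RECEIVE_DETAILS = ('Receive mail from remote servers that have these IP addresses: '
                   'Added: "192.168.70.0"')
# Hypothetical Send Connector change whose originating DC is in no managed domain.
SEND_CONNECTOR = ("\\domainx\\Administrative Groups\\Exchange Administrative Group (FGYSJWDN23DJISW)"
                  "\\Connections\\Outbound")
SEND_DETAILS = 'Address space: Added: "*"'


def row(*cols: str) -> str:
    return "\t".join(cols)


REPORTS = {
    "DomainY.domainx.local": [
        row("Modified", "Hub Transport/Receive Connector", "12/20/2013 12:37:16 PM",
            "DomainY\\Administrator", "DC02.DomainY.domainx.local",
            RECEIVE_CONNECTOR, RECEIVE_DETAILS),
        # Constructed domain-partition change: it is never replicated to other domains.
        row("Modified", "user", "12/20/2013 12:41:03 PM", "DomainY\\Administrator",
            "DC02.DomainY.domainx.local", "\\DomainY\\Users\\jdoe",
            'Description: Added: "Finance"'),
        row("Modified", "Hub Transport/Send Connector", "unknown", "system", "unknown",
            SEND_CONNECTOR, SEND_DETAILS),
    ],
    "DomainZ.domainx.local": [
        row("Modified", "Hub Transport/Receive Connector", "unknown", "system", "unknown",
            RECEIVE_CONNECTOR, RECEIVE_DETAILS),
        row("Modified", "Hub Transport/Send Connector", "unknown", "system", "unknown",
            SEND_CONNECTOR, SEND_DETAILS),
    ],
    "domainx.local": [
        row("Modified", "Hub Transport/Receive Connector", "unknown", "system", "unknown",
            RECEIVE_CONNECTOR, RECEIVE_DETAILS),
        row("Modified", "Hub Transport/Send Connector", "unknown", "system", "unknown",
            SEND_CONNECTOR, SEND_DETAILS),
    ],
}


@dataclass
class Change:
    domain: str          # managed domain whose report the row came from
    change_type: str
    object_type: str
    when: str
    who: str
    where: str
    object_name: str
    details: str


def parse_row(domain: str, line: str) -> Change:
    fields = line.split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 columns, got {len(fields)}: {line!r}")
    return Change(domain, *fields)


def is_replication_echo(c: Change) -> bool:
    """A row with WHO=system and WHEN/WHERE=unknown is a copy that reached this
    domain by replication: none of its DCs logged a Security event for it."""
    return c.who.lower() == "system" and c.when == "unknown" and c.where == "unknown"


@dataclass
class MergedChange:
    key: tuple                                   # (change type, object type, object name, details)
    origin: Optional[Change]                     # row carrying the real WHO/WHEN/WHERE, if any
    echoed_in: list = field(default_factory=list)  # domains that only reported the replica

    @property
    def who(self) -> str:
        if self.origin is None:
            return "system (originating DC not in any managed domain)"
        return self.origin.who


def correlate(reports: dict) -> list:
    """Group rows by what changed; attributed rows become the origin, echoes hang off it."""
    groups: dict = {}
    for domain, lines in reports.items():
        for line in lines:
            c = parse_row(domain, line)
            key = (c.change_type, c.object_type, c.object_name, c.details)
            attributed, echoes = groups.setdefault(key, ([], []))
            (echoes if is_replication_echo(c) else attributed).append(c)
    merged = []
    for key, (attributed, echoes) in groups.items():
        echoed_in = [e.domain for e in echoes]
        if not attributed:
            # Every managed domain saw only the replica: the change originated on a
            # DC whose Security log is not collected, so the user cannot be named.
            merged.append(MergedChange(key, None, echoed_in))
        else:
            # Normally exactly one domain holds the Security event. Several attributed
            # rows mean the same edit was made separately more than once; keep each.
            for origin in attributed:
                merged.append(MergedChange(key, origin, echoed_in))
    return merged


def summarize(merged: list) -> list:
    out = []
    for m in merged:
        when = m.origin.when if m.origin else "unknown"
        where = m.origin.where if m.origin else "unknown"
        out.append(f"{m.key[0]} {m.key[1]} {m.key[2]!r} by {m.who} at {when} on {where}; "
                   f"replica reported in: {', '.join(m.echoed_in) or 'none'}")
    return out


if __name__ == "__main__":
    for line in summarize(correlate(REPORTS)):
        print(line)
```

The grouping key deliberately excludes the report's own domain and the WHEN column, because the replicated copies carry no timestamp; in a larger export you would also bound the match to objects under the Configuration and Schema partitions, since only those are replicated forest-wide.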
 
For more information about Active Directory architecture, refer to the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/bb727030.aspx
