IBM Support

Recommendations for Active Directory log monitoring

How To


Summary

To monitor Active Directory (AD) for replication issues, LDAP problems, DNS and KCC related errors in addition to large-scale changes, you'll need to enable diagnostic logging, auditing policies, and relevant event logs on your domain controllers (DCs).

Objective

This setup uses native Windows tools like Registry Editor, Group Policy Management, and Event Viewer.

 

It's recommended to perform these steps in a test environment first, as increased logging can impact performance.

 

Reset logging levels to defaults after troubleshooting. 

Environment

Windows

Steps

Monitoring can be done manually via Event Viewer or automated with tools such as System Center Operations Manager (SCOM), third-party SIEM (Security Information and Event Management) solutions, or event forwarding to a central server. Details are below.

 

Below is a safe, enterprise‑grade guide on how to set up Active Directory log monitoring for:

  • AD Replication Events
  • LDAP Query / Bind Issues
  • DNS Issues
  • Large Volumes of AD Changes

 

This guide is tool‑agnostic and applies whether you monitor logs using:

  • Windows Event Viewer
  • SIEM (Splunk, QRadar, Sentinel, ArcSight, LogRhythm, Elastic)
  • Sysmon + Event Forwarding

 

Examples of third‑party AD audit tools: Quest, Semperis, ManageEngine, Varonis

 

1. Enable the Proper Audit Policies

You must ensure key auditing categories are enabled on Domain Controllers.

Recommended Advanced Audit Policy Configuration

 

Use Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration.

 

Directory Service Access

  • Directory Service Access
  • Directory Service Changes

Account Logon

  • Kerberos Authentication Service
  • Kerberos Service Ticket Operations
  • Credential Validation

Account Management

  • User Account Management
  • Computer Account Management
  • Group Management
  • Security Group Management

Policy Change

  • Audit Policy Change
  • Authentication Policy Change

DS Replication

  • Audit Directory Service Replication

 

How to apply via PowerShell (auditpol is a command-line tool and also works from an elevated Command Prompt):

auditpol /set /category:"DS Access" /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /category:"DS Access" /subcategory:"Directory Service Replication" /success:enable /failure:enable

 

Enable AD Diagnostic Event Logging for Replication, LDAP, and Changes

AD diagnostic logging captures detailed events in the Directory Service event log. It is controlled through registry settings on each DC.

 

Relevant categories include Replication Events (for AD replication), LDAP Interface Events (for LDAP issues), and Directory Access (for tracking AD object accesses and modifications, which can indicate large changes).

 

Steps:

  • Open Registry Editor as an administrator (run regedit).
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
  • For each relevant category, double-click the entry and set the REG_DWORD value to a logging level (0-5, where 0 is none, 1 is minimal, and 5 is maximum verbosity—start with 2 or 3 to avoid overload):
    • 5 Replication Events: Set to 2-5 to log replication activities, such as synchronization failures or topology changes.
    • 16 LDAP Interface Events: Set to 2-5 to capture LDAP bind failures, query timeouts, or interface errors.
    • 8 Directory Access: Set to 2-5 to log accesses and modifications to AD objects, helping detect bulk changes.
  • Exit Registry Editor and restart the DC or the Netlogon service for changes to take effect.
  • Optionally, for advanced LDAP query monitoring (e.g., expensive or inefficient searches), set 15 Field Engineering to 5. This logs detailed query performance data and should only be used temporarily.
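The registry steps above, as an added PowerShell example that is not part of the IBM article: it raises the three diagnostic levels from an elevated prompt on the DC and keeps a copy of the previous values so they can be put back after troubleshooting, as the article recommends. The backup file location and the chosen levels (3, 3, 2) are assumptions; the article's restart step still applies.

```powershell
# Added example (not the IBM article's own code): set NTDS diagnostic levels
# from PowerShell and save the previous values so they can be restored later.
$DiagPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$BackupFile = "$env:TEMP\ntds-diag-backup.json"   # assumed location for the saved levels

# Value names are the registry entries under NTDS\Diagnostics; 2-3 is the
# moderate verbosity the article recommends as a starting point.
$WantedLevels = @{
    '5 Replication Events'     = 3
    '16 LDAP Interface Events' = 3
    '8 Directory Access'       = 2
}

function Set-NtdsDiagnosticLevel {
    param([hashtable]$Levels)
    $current = Get-ItemProperty -Path $DiagPath
    $saved = @{}
    foreach ($name in $Levels.Keys) {
        $saved[$name] = [int]($current.$name)        # remember what was there (normally 0)
        Set-ItemProperty -Path $DiagPath -Name $name -Value $Levels[$name] -Type DWord
    }
    $saved | ConvertTo-Json | Set-Content -Path $BackupFile
}

function Restore-NtdsDiagnosticLevel {
    # Put every saved value back; run this when troubleshooting is finished.
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($prop in $saved.PSObject.Properties) {
        Set-ItemProperty -Path $DiagPath -Name $prop.Name -Value ([int]$prop.Value) -Type DWord
    }
}

Set-NtdsDiagnosticLevel -Levels $WantedLevels
# Show the levels now in effect for the three categories.
Get-ItemProperty -Path $DiagPath | Select-Object '5 Replication Events', '16 LDAP Interface Events', '8 Directory Access'

# Restore-NtdsDiagnosticLevel   # uncomment after troubleshooting to reset to the saved values
```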

2. Key Active Directory Event IDs to Monitor


A. AD REPLICATION ISSUES

 

Monitor on Domain Controllers (log: Directory Service)

Event ID     Meaning
1311         Topology issue – replication path unavailable
1566         No replication partner
1864         DC has not replicated in a long time
2042         USN rollback detected (critical)
1925         Replication failed due to DNS
2087/2088    DC cannot find DNS SRV records

 

Also monitor File Replication Service (FRS) or DFS Replication logs depending on your environment.


B. LDAP ISSUES

 

Monitor Directory Service and Security logs.

Event ID               Description
2886                   LDAP signing not required (vulnerable)
2887                   LDAP simple binds happening without SSL
2888                   LDAP simple bind rejected
2889                   Identifies client performing unsigned LDAP binds
4624 (Logon Type 8)    LDAP binds (successful)
4625                   Failed LDAP bind
163/1644               LDAP query counts and details
1317                   Timeouts
1535                   Server errors
4662                   Directory access/object access


C. DNS ISSUES (Active Directory–Integrated DNS)

 

Monitor on DNS servers (usually DCs).

Event Channel            Key Events
DNS Server               4000 – DNS server failure
                         4013 – AD DS is not ready for DNS
                         4015 – General DNS internal failure
Directory Service        2087/2088 – Cannot resolve DNS SRV records
Zone transfer failures   6702

 

Also consider enabling DNS Debug Logging (use sparingly).


 

D. Monitor Large Volumes of AD Changes

 

Changes are logged under Security with Directory Service Changes enabled.

Event ID     Meaning
5136         Object modified
5137         Object created
5138         Object undeleted
5139         Object moved
5141         Object deleted

 

To detect bulk changes, set SIEM thresholds such as:

  • >20 group changes in 5 minutes
  • >50 password resets in 10 minutes
  • >1000 attribute modifications from a single admin
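The three thresholds above, as an added PowerShell example that is not part of the IBM article, evaluated against the local DC's Security log. The event ID mapping is an assumption made here: 4728/4729/4732/4733 for group changes (the IDs listed later in this article), 4724 for password resets (not named in the article), and 5136 for attribute modifications; the 10-minute window for the per-admin rule is also assumed, since the article gives none.

```powershell
# Added example (not the IBM article's own code): apply the suggested
# bulk-change thresholds to recent Security events on this DC.
$BulkChangeRules = @(
    @{ Name = 'Group changes';           Ids = 4728, 4729, 4732, 4733; Minutes = 5;  Max = 20;   PerActor = $false }
    @{ Name = 'Password resets';         Ids = 4724;                   Minutes = 10; Max = 50;   PerActor = $false }
    @{ Name = 'Attribute modifications'; Ids = 5136;                   Minutes = 10; Max = 1000; PerActor = $true  }   # window assumed
)

function Get-SubjectUser {
    param($Event)
    # SubjectUserName is the account that performed the change in these event types.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
}

function Test-BulkAdChanges {
    param([hashtable[]]$Rules, [string]$LogName = 'Security')
    foreach ($rule in $Rules) {
        $filter = @{ LogName = $LogName; Id = $rule.Ids; StartTime = (Get-Date).AddMinutes(-$rule.Minutes) }
        # SilentlyContinue: Get-WinEvent reports an error when no events match.
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
        if ($rule.PerActor) {
            # Threshold applies to each account separately (one admin doing mass edits).
            $groups = $events | Group-Object { Get-SubjectUser $_ }
        } else {
            # Threshold applies to the total across all accounts.
            $groups = @([pscustomobject]@{ Name = '(all accounts)'; Count = $events.Count })
        }
        foreach ($g in ($groups | Where-Object { $_.Count -gt $rule.Max })) {
            [pscustomobject]@{ Rule = $rule.Name; Actor = $g.Name; Count = $g.Count; WindowMin = $rule.Minutes }
        }
    }
}

# Prints one row per rule that exceeded its threshold; no output means nothing tripped.
Test-BulkAdChanges -Rules $BulkChangeRules | Format-Table -AutoSize
```

Run it from a scheduled task on each DC, or port the same grouping logic into your SIEM's rule language, since forwarded events carry the same SubjectUserName field.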

 

3. Forward Logs to a Central Location

 

Recommended approaches

 

Option A: Windows Event Forwarding (WEF)

  • Built into Windows
  • No agent needed
  • Recommended for small/medium AD forests

 

Option B: Forward to a SIEM

 

Most enterprises use:

  • Microsoft Sentinel (via Log Analytics Agent)
  • Splunk Universal Forwarder
  • IBM QRadar WinCollect
  • Elastic Agent
  • ArcSight SmartConnector

 

Forward at minimum:

  • Security
  • System
  • Application
  • Directory Service
  • DNS Server
  • DFS Replication (if used)

 

 

Additional Recommended Monitoring

 

Track “Privileged Group Changes”

  • Domain Admins
  • Enterprise Admins
  • Schema Admins
  • DNS Admins

 

Events:

  • 4728, 4729 — Global group member added/removed
  • 4732, 4733 — Local group member added/removed

 

Monitor for Rogue Domain Controllers

 

Event ID:

  • 4742 – Computer object changes (DC promotion often shows here)
  • 2886/2887 – Insecure LDAP binds from an unknown machine

 

KCC-related errors you could monitor:

Event ID     Meaning
1308         KCC cannot connect to a replication partner (often DNS or RPC issue).
1311         KCC cannot build a spanning tree/topology — sites may not be able to replicate.
1312         KCC cannot establish connections due to missing or broken site links.
1566         KCC cannot find a server for the specified directory partition.
1865         KCC failed to build a replication path — commonly caused by DNS issues.
1925         Replication partner cannot be found — often due to topology or DNS SRV issues.

Document Location

Worldwide


Document Information

Modified date:
27 February 2026

UID

ibm17262117