It sounds like the secondary DCs do not have the audit policies in place to create event logs for changes.
Please see this KB for information on configuring the Audit Policy:
To set Windows Audit Policy using Group Policy Object Editor:
- Expand Computer Configuration > Windows Settings > Security Settings > Local Policies and select Audit Policy in the left pane.
- Select the policy you want to define in the right pane and click Properties on the Action menu.
- Select or clear Success and Failure according to the instructions below.
Default Domain Controllers Policy
Select Success and Failure for all policies except:
- Audit object access
- Audit privilege use
For these, only select Failure.
Default Domain Policy
Default Domain Policy applies to all computers on your domain except your domain controllers. For this policy, select Success and Failure for the following:
- Audit account logon events
- Audit account management
- Audit logon events
- Audit policy change
- Audit system events
Thanks for the response. The Windows Audit Policy is already set up using our GPO and I verified all the secondary DCs have the correct Audit Policy applied below. Now that I think about it, it could be our firewall.
Policy: Setting
- Audit account logon events: Success
- Audit account management: Success, Failure
- Audit directory service access: Failure
- Audit logon events: Success, Failure
- Audit object access: Failure
- Audit policy change: Success, Failure
- Audit privilege use: No auditing
- Audit process tracking: Success, Failure
- Audit system events: Success, Failure
Did you also double check the event log rotation policy? If the logs are full and it's not set to "overwrite as needed", you might not see new events - Set Log Retention Policy. What you want is most likely 'overwrite as needed' with a larger log file size, especially for DCs.
Thanks! This led me to check the Event Viewer and I was noticing Security Group Management was not showing up when changes were made, and found out the GPO was not being applied correctly.
I had to manually update the Local Policies individually and then they started working under Local Policy > Advanced Audit Policies > Account Management > Security Group Management: Success.
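
Added example, not part of the thread or of any vendor KB: the root cause above was a GPO that looked correct but was not effective on the DCs, so this PowerShell function compares the effective advanced audit settings reported by `auditpol /get /category:* /r` with an expected baseline and returns only the subcategories that fall short. The function name `Get-AuditDrift`, the host name `DC02`, the baseline value for User Account Management and the sample rows are constructed assumptions.

```powershell
# Expected effective settings per advanced audit subcategory.
$Expected = @{
    'Security Group Management' = 'Success'              # value from the thread
    'User Account Management'   = 'Success and Failure'  # assumed baseline
}

function Get-AuditDrift {
    param(
        [string[]]$CsvLines,   # raw output of: auditpol /get /category:* /r
        [hashtable]$Expected
    )
    # auditpol /r emits CSV; drop blank lines before parsing.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    $machine = ($rows | Select-Object -First 1).'Machine Name'
    foreach ($name in $Expected.Keys) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } |
               Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'missing' }
        # "Success and Failure" also satisfies a Success-only or Failure-only baseline.
        $ok = ($actual -eq $Expected[$name]) -or ($actual -eq 'Success and Failure')
        if (-not $ok) {
            [pscustomobject]@{
                Machine     = $machine
                Subcategory = $name
                Expected    = $Expected[$name]
                Effective   = $actual
            }
        }
    }
}

# Constructed sample in auditpol /r format (GUIDs replaced by a placeholder).
$Sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC02,System,User Account Management,{GUID-PLACEHOLDER},Success and Failure,'
    'DC02,System,Security Group Management,{GUID-PLACEHOLDER},No Auditing,'
)
Get-AuditDrift -CsvLines $Sample -Expected $Expected | Format-Table -AutoSize

# Live use, from an elevated prompt on the DC:
#   Get-AuditDrift -CsvLines (auditpol /get /category:* /r) -Expected $Expected
# Or remotely:
#   $out = Invoke-Command -ComputerName DC02 { auditpol /get /category:* /r }
#   Get-AuditDrift -CsvLines $out -Expected $Expected
```

With the sample rows, the only object returned is Security Group Management on DC02, expected `Success` but effective `No Auditing`, which is the state described in the last post.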