Active Directory events are not always captured in a multi-forest environment where the Coordinators in each forest share a common SQL database.
The ENTERPRISE object stored in the Monitor.DirectoryContainer table typically contains an entry for:
ForestID = '00000000-0000-0000-0000-000000000000' WHERE ContainerID = '7601B523-FF1D-4E71-8A10-B6A1702CE379'
This entry covers all forests and ensures that multi-forest auditing works as expected. However, the entry may have become locked to one forest.
For example:
ForestID = 'A8EED1D2-0E24-4012-A41C-60A25A3C1DCE' WHERE ContainerID = '7601B523-FF1D-4E71-8A10-B6A1702CE379'
This can happen if the ENTERPRISE object was deleted and added back.
WORKAROUND
To restore the correct configuration to the ENTERPRISE object, perform the following steps after taking a backup of the production database.
1. Run the following SQL statement:
UPDATE ChangeAuditor.Monitor.DirectoryContainer
SET ForestID = '00000000-0000-0000-0000-000000000000'
WHERE ContainerID = '7601B523-FF1D-4E71-8A10-B6A1702CE379'
2. Go to Administration Tasks in the Change Auditor Client
3. In Auditing select Active Directory
4. Delete the Enterprise object and re-create the Enterprise object.
5. Restart the Coordinator or wait ~15 minutes for the agents to pick up the new configuration.
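
A guarded form of the UPDATE statement above, added here as an example and not taken from the vendor's article. It assumes Microsoft SQL Server (T-SQL) and that ForestID and ContainerID are uniqueidentifier columns. The table name and GUID values are the ones shown in this article.

```sql
-- Added example (T-SQL); run only after the database backup has been taken.
-- Assumption: ContainerID and ForestID are uniqueidentifier columns.
SET XACT_ABORT ON;   -- any runtime error rolls the whole transaction back

DECLARE @EnterpriseContainer uniqueidentifier = '7601B523-FF1D-4E71-8A10-B6A1702CE379';
DECLARE @AllForests          uniqueidentifier = '00000000-0000-0000-0000-000000000000';
DECLARE @Changed             int;

-- Inspect the current state first: a ForestID other than all zeros
-- means the ENTERPRISE entry is locked to a single forest.
SELECT ContainerID, ForestID
FROM ChangeAuditor.Monitor.DirectoryContainer
WHERE ContainerID = @EnterpriseContainer;

BEGIN TRANSACTION;

UPDATE ChangeAuditor.Monitor.DirectoryContainer
SET ForestID = @AllForests
WHERE ContainerID = @EnterpriseContainer
  AND ForestID <> @AllForests;      -- skip a row that is already correct

SET @Changed = @@ROWCOUNT;          -- capture before any other statement resets it

IF @Changed = 1
BEGIN
    COMMIT TRANSACTION;
    PRINT 'ENTERPRISE entry reset to the all-forests ForestID.';
END
ELSE
BEGIN
    -- 0 rows: entry missing or already correct; more than 1: unexpected duplicates.
    ROLLBACK TRANSACTION;
    PRINT CONCAT('Nothing committed: ', @Changed, ' row(s) matched, expected 1.');
END;

-- Confirm the final state before continuing with the remaining steps.
SELECT ContainerID, ForestID
FROM ChangeAuditor.Monitor.DirectoryContainer
WHERE ContainerID = @EnterpriseContainer;
```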
STATUS
This still occurs occasionally.