返回
-
标题
ODM Dirsync - SIDHistory Error: "Write: The operation requires that destination domain auditing be enabled I have verified Auditing has been enabled in the target environment" -
说明
- We receive the following error when syncing SIDHistory:
Error: Write: The operation requires that destination domain auditing be enabled I have verified Auditing has been enabled in the target environment.
- Auditing is configured as per the documentation (success and failure) for source and target environments.
-
原因
A GPO is enabled that can be overriding the DC policies, or a configuration step was missed. -
解决办法
- Confirm the domain policy is not overriding the domain controller policy for auditing:
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/security-auditing-settings-not-applied-when-deploy-domain-based-policy
- Active Directory SID History Synchronization Quick Start Guide:
Enable Auditing and Advanced Auditing following the sections
Audit Policy
below for both the Target & Source Domains:- Log on as an administrator to any domain controller in the domain.
- Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.
- Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy
- Right-click Default Domain Controllers Policy and click Edit.
- In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy
- In the details pane, right-click Audit account management, and then click Properties.
- Click Define these policy settings, and then click Success and Failure.
- Click Apply, and then click OK.
- In the details pane, right-click Audit directory service access and then click Properties.
- Click Define these policy settings and then click Success.
- Click Apply, and then click OK.
Note: If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type gpupdate /force.
Advanced Audit Policy- In the Domain Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Account Management
- In the details pane, right click on Audit Application Group Management subcategory and then click Properties.
- Click Configure the following audit events and then slick Success and failure.
- Click Apply, and then click OK.
- Repeat above steps for the following Subcategory Audit Events.
- Audit Computer Account Management
- Audit Distribution Group Management
- Audit User Account Management
- Audit Other Account Management Events
- Audit Security Group Management
Note: If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type gpupdate /force.
For further details please check out our product page.
https://www.quest.com/products/on-demand-migration/
- Confirm the domain policy is not overriding the domain controller policy for auditing: