
Domain Function Level Change.


Andy C

Jan 2, 2008, 1:12:49 PM
Can someone please tell me the security events and their numbers associated
with an Active Directory Function level change from 2000 Mixed Mode to
Native mode? And can this happen automatically when adding a domain
controller?


jwgoe...@gmail.com

Jan 3, 2008, 10:44:29 AM
Hello Andy C,

Raising a domain's functional level is a manual change and will not
happen automatically when new DCs come online. I have listed the event
log entries below. The SAM will write to the System event log
indicating that the domain operation mode has changed. NTDS will write
to the Directory Service log indicating that the level was raised.
Several security events will also occur as the user request is
processed.

Hope this helps,

J Wolfgang Goerlich


=> System Log


Event Type: Information
Event Source: SAM
Event Category: None
Event ID: 16408
User: N/A
Description:
Domain operation mode has been changed to Native Mode. The change
cannot be reversed.

=> Directory Service Log

Event Type: Information
Event Source: NTDS General
Event Category: Directory Access
Event ID: 2039
User: MYDOMAIN\administrator
Description:
The functional level of this domain has been raised.
Domain: DC=mydomain,DC=local
New domain functional level:2

=> Security Log

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
User: MYDOMAIN\administrator
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: domainDNS
Object Name: DC=mydomain,DC=local
Handle ID: -
Primary User Name:
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x36A45)
Accesses: Write Property

Properties:
Write Property
Default property set
nTMixedDomain
domainDNS

Additional Info:
Additional Info2:
Access Mask: 0x20

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 643
User: MYDOMAIN\administrator
Description:
Domain Policy Changed: - modified
Domain Name: MYDOMAIN
Domain ID: MYDOMAIN\
Caller User Name: administrator
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x36A45)
Privileges: -
Changed Attributes:
Min. Password Age: -
Max. Password Age: -
Force Logoff: -
Lockout Threshold: -
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: -
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: 0
Domain Behavior Version: -
OEM Information: -

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 659
User: MYDOMAIN\administrator
Description:
Security Enabled Universal Group Changed:
Target Account Name: Enterprise Admins
Target Domain: MYDOMAIN
Target Account ID: MYDOMAIN\Enterprise Admins
Caller User Name: administrator
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x36A45)
Privileges: -
Changed Attributes:
Sam Account Name: -
Sid History: -

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 659
User: MYDOMAIN\administrator
Description:
Security Enabled Universal Group Changed:
Target Account Name: Schema Admins
Target Domain: MYDOMAIN
Target Account ID: MYDOMAIN\Schema Admins
Caller User Name: administrator
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x36A45)
Privileges: -
Changed Attributes:
Sam Account Name: -
Sid History: -

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 668
User: MYDOMAIN\administrator
Description:
Group Type Changed:
Security Enabled Global Group Changed to Security Enabled Universal
Group.
Target Account Name: Schema Admins
Target Domain: MYDOMAIN
Target Account ID: MYDOMAIN\Schema Admins
Caller User Name: administrator
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x36A45)
Privileges: -

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 668
User: MYDOMAIN\administrator
Description:
Group Type Changed:
Security Enabled Global Group Changed to Security Enabled Universal
Group.
Target Account Name: Enterprise Admins
Target Domain: MYDOMAIN
Target Account ID: MYDOMAIN\Enterprise Admins
Caller User Name: administrator
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x36A45)
Privileges: -

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
User: MYDOMAIN\administrator
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: domainDNS
Object Name: DC=mydomain,DC=local
Handle ID: -
Primary User Name:
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x36A45)
Accesses: Write Property

Properties:
Write Property
Default property set
msDS-Behavior-Version
domainDNS

Additional Info:
Additional Info2:
Access Mask: 0x20

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
User: NT AUTHORITY\SYSTEM
Description:
Service Ticket Request:
User Name: @MYDOMAIN.LOCAL
User Domain: MYDOMAIN.LOCAL
Service Name:
Service ID: MYDOMAIN\
Ticket Options: 0x40810000
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1
Failure Code: -
Logon GUID: {bc411d29-c0b4-fe73-9c70-0dbd41250553}
Transited Services: -

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
User: NT AUTHORITY\SYSTEM
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: DC=mydomain,DC=local
Handle ID: 1677344
Operation ID: {0,316933}
Process ID: 392
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name:
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name:
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x3E7)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership
ListAccounts

Privileges: -

Properties:
---
domain
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
Domain Password & Lockout Policies
lockOutObservationWindow
lockoutDuration
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
pwdHistoryLength
pwdProperties
Other Domain Parameters (for use by SAM)
serverState
serverRole
modifiedCount
uASCompat
forceLogoff
domainReplica
oEMInformation
Domain Administer Server

Access Mask: 0

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
User: MYDOMAIN\administrator
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: domainDNS
Object Name: DC=mydomain,DC=local
Handle ID: -
Primary User Name:
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x36A45)
Accesses: Write Property

Properties:
Write Property
Default property set
msDS-Behavior-Version
domainDNS

Additional Info:
Additional Info2:
Access Mask: 0x20

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 643
User: MYDOMAIN\administrator
Description:
Domain Policy Changed: - modified
Domain Name: MYDOMAIN
Domain ID: MYDOMAIN\
Caller User Name: administrator
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x36A45)
Privileges: -
Changed Attributes:
Min. Password Age: -
Max. Password Age: -
Force Logoff: -
Lockout Threshold: -
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: -
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: 2
OEM Information: -

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
User: NT AUTHORITY\SYSTEM
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: DC=mydomain,DC=local
Handle ID: 1675760
Operation ID: {0,317086}
Process ID: 392
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name:
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name:
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x3E7)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership
ListAccounts

Privileges: -

Properties:
---
domain
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
Domain Password & Lockout Policies
lockOutObservationWindow
lockoutDuration
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
pwdHistoryLength
pwdProperties
Other Domain Parameters (for use by SAM)
serverState
serverRole
modifiedCount
uASCompat
forceLogoff
domainReplica
oEMInformation
Domain Administer Server

Access Mask: 0
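
Added example, not part of the original posts: a small Python filter over text-exported Security log records in the layout quoted above. It flags event 566 writes to `nTMixedDomain` or `msDS-Behavior-Version` and event 643 records where the mode or behavior version field is set, and reports the logon ID so the entries can be tied to one session. The sample records and the function names are constructed for illustration.

```python
import re

# Constructed sample: three records abbreviated from the Security log layout quoted above.
SAMPLE = """Event Type: Success Audit
Event ID: 566
Client Logon ID: (0x0,0x36A45)
Accesses: Write Property
Properties:
Write Property
nTMixedDomain
domainDNS

Event Type: Success Audit
Event ID: 643
Caller Logon ID: (0x0,0x36A45)
Mixed Domain Mode: -
Domain Behavior Version: 2

Event Type: Success Audit
Event ID: 659
Target Account Name: Enterprise Admins
Caller Logon ID: (0x0,0x36A45)
"""

WATCHED_ATTRS = ("nTMixedDomain", "msDS-Behavior-Version")        # property names in event 566
POLICY_FIELDS = ("Mixed Domain Mode", "Domain Behavior Version")  # fields in event 643

def field(record, name):
    """Value of a 'Name: value' line in one record, or None if the line is absent."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", record, re.M)
    return m.group(1).strip() if m else None

def mode_changes(text):
    """Return (event_id, logon_id, detail) for records that change domain mode or level."""
    hits = []
    for record in re.split(r"(?m)^(?=Event Type:)", text):
        event_id = field(record, "Event ID")
        if event_id == "566":  # directory object write: check which property was written
            lines = {line.strip() for line in record.splitlines()}
            hits += [(event_id, field(record, "Client Logon ID"), a)
                     for a in WATCHED_ATTRS if a in lines]
        elif event_id == "643":  # policy change: unchanged fields appear as "-" in the events above
            for name in POLICY_FIELDS:
                value = field(record, name)
                if value not in (None, "-"):
                    hits.append((event_id, field(record, "Caller Logon ID"), f"{name}={value}"))
    return hits

print(mode_changes(SAMPLE))
```

The 659 record is ignored because, on its own, it does not name a mode or level attribute; in the listing above it shares the same caller logon ID as the 566 and 643 entries.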


Andy C

Jan 3, 2008, 6:49:06 PM
Perfect! Thank You!

<jwgoe...@gmail.com> wrote in message
news:0bcd8530-adfb-4bcb...@e25g2000prg.googlegroups.com...
