Issue description
This article provides troubleshooting guidance for scenarios where no data is displayed under AD Replication Audit reports in ADAudit Plus. It covers common causes, verification steps, and solutions to ensure accurate tracking and logging of AD replication activities.
Prerequisites
Before proceeding, ensure the following requirements are met:
All domain controllers (DCs) are properly configured in ADAudit Plus.
There is seamless communication between the product server and the respective machines.
The service account has the necessary privileges assigned to avoid access denial errors.
The audit policies required for AD replication auditing are enabled.
The event log size is configured adequately to prevent the overwriting of logged events in Event Viewer.
Possible causes
The DCs might not all be configured in ADAudit Plus.
There is no communication between the product server and the respective machine (an RPC error).
The required privileges are not assigned to the service account (an access denied error).
A security-package-specific error occurred.
The audit policies required for AD replication auditing are disabled.
The event log size is inadequate, so logged events are overwritten in Event Viewer before they can be collected.
Files are stuck under <Installation_Directory>/ADAudit Plus/event data/raw or <Installation_Directory>/ADAudit Plus/event data/processed.
Resolution
Step 1: Configure all DCs
Log in to ADAudit Plus.
Navigate to Domain Settings and ensure all the DCs in your environment are configured.
To verify, click Managed Domain Computers.
Note: Security logs do not replicate, so it is essential to configure all DCs in ADAudit Plus.
Step 2: Ensure communication from the product server to the respective machine
Configure the necessary ports and firewall rules.
Step 3: Assign the required privileges to the service account
Log in to the DC or a machine where Active Directory Users and Computers is accessible.
Click Builtin, right-click Event Log Readers, and select Members.
Add the configured service account (used under Domain Settings in ADAudit Plus) to this group.
Step 4: Resolve the security-package-specific error
This is a native error due to conflicting IPs or multiple machines having the same Service Principal Name (SPN).
Ensure that the corresponding DC has forward and reverse lookup entries in DNS.
Step 5: Configure the audit policies
Log in to a system with Group Policy Management Console (GPMC) access using Domain Admin credentials.
Open the GPMC (gpmc.msc).
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Locate and enable the Audit Detailed Directory Service Replication policy under the DS Access category.
Set the policy to audit Success and Failure.
Open Command Prompt as an administrator and run gpupdate /force to apply the Group Policy immediately.
To verify the applied policies, run the following command:
auditpol /get /category:*
Note: This command will display the resultant set of audit policies configured on the machine. Verify that the configured policy has been applied.
Step 6: Event IDs logged for replication activities
If specific reports are empty, it suggests that either the events were not logged in the Event Viewer or the events collected have not yet been processed by the ADAudit Plus application. Below are the key event IDs associated with replication activities. Check for these events in the Event Viewer.
| Event ID | Description | Log location |
|---|---|---|
| 4928 | A replica source naming context was established | Directory Service |
| 4929 | A replica source naming context was removed | Directory Service |
| 4930 | A replica source naming context was modified | Directory Service |
| 4931 | A replica destination naming context was modified | Directory Service |
| 4934 | Attributes of an object were replicated | Directory Service |
| 4935 | Replication failure begins | Directory Service |
| 4936 | Replication failure ends | Directory Service |
| 4937 | A lingering object was removed | Directory Service |
| 2088 | A DC replication health check was performed | Directory Service |
Step 7: Configure the event log settings
To prevent audit data loss due to event overwrites, define the event log size and retention settings:
Open the GPMC.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.
Configure the following:
Retention method for security log: Set this to Overwrite events as needed.
Maximum security log size: Set this to 4GB.
Maximum directory service (under application and service logs category) log size: Set this to at least 2GB.
Note: Ensure that the security event log holds a minimum of 12 hours of data.
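The checks from Steps 5 to 7 can be run together on each DC. The following PowerShell is an added example, not part of ADAudit Plus or the original article; it assumes an elevated session on an English-language DC and a 12-hour look-back window. It queries the Security log in addition to the Directory Service log named in the table, because events generated by audit policy subcategories are written to the Security log.

```powershell
# Added example: run in an elevated PowerShell session on each DC.
$ids   = 4928, 4929, 4930, 4931, 4934, 4935, 4936, 4937, 2088  # IDs from the Step 6 table
$logs  = 'Security', 'Directory Service'
$since = (Get-Date).AddHours(-12)   # assumed look-back, taken from the 12-hour note in Step 7

# Step 5: effective setting for the subcategory (/r = CSV output; name as shown on English systems)
$policy = auditpol /get /subcategory:"Detailed Directory Service Replication" /r |
    Where-Object { $_ } | ConvertFrom-Csv
"Audit policy on $($env:COMPUTERNAME): $($policy.'Inclusion Setting')"   # expect: Success and Failure

$report = foreach ($log in $logs) {
    # Step 7: configured maximum size and how far back the log currently reaches
    $cfg    = Get-WinEvent -ListLog $log
    $oldest = Get-WinEvent -LogName $log -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue

    # Step 6: replication events in the look-back window, counted per event ID
    $found = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                 -ErrorAction SilentlyContinue
    $perId = ($found | Group-Object Id | Sort-Object Name |
              ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    [pscustomobject]@{
        Log          = $log
        MaxSizeMB    = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        LogMode      = $cfg.LogMode          # Circular = overwrite events as needed
        HoursCovered = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1) }
        EventsPerId  = if ($perId) { $perId } else { 'none found' }
    }
}
$report | Format-Table -AutoSize
```

A HoursCovered value below 12 means the log is being overwritten faster than the retention note allows; 'none found' on every DC points back to the audit policy in Step 5 rather than to ADAudit Plus processing.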
Step 8: Handle stuck event data files
If files are stuck under <Installation_Directory>/ADAudit Plus/event data/raw or processed, contact the ADAudit Plus support team for further assistance.
Related topics and articles
How to reach support
If replication logs are still missing after you've followed the above steps, contact our support team here.