In this article:  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• How to reach support

Issue description  

In ADAudit Plus, the ADCS Auditing profile provides insights into all Active Directory Certificate Services (ADCS) activities, including certificate request status, recently modified requests, CA property changes, key retrievals, and certificate template modifications. However, in some cases, users may find that no data is available under the ADCS Auditing profile. This issue generally occurs due to misconfigurations, insufficient privileges, or event data processing failures within ADAudit Plus. This document provides a structured approach to diagnosing and resolving this issue.

Prerequisites  

Before troubleshooting, ensure that the following prerequisites are met:

• The ADCS server is correctly configured in ADAudit Plus.

• Required ports and firewall rules are enabled to allow communication between the ADCS server and ADAudit Plus.

• The service account used in ADAudit Plus is a member of the Event Log Readers group.

• Auditing policies and registry values are properly configured on the ADCS server.

• The Event Log retention size is at least 2 GB to prevent audit log overwrites.

Possible causes  

• The ADCS server is not configured in ADAudit Plus and is missing from the Domain Settings or Member Server list.

• Communication failure between ADAudit Plus and the ADCS server, leading to event collection issues.

• Insufficient permissions for the service account to collect security event logs.

• Auditing policies and registry settings on the ADCS server are not properly configured.

• Event log retention size is too small, causing logs to be overwritten.

• Files are stuck in the event data directories (event data/raw or processed) of ADAudit Plus.

Resolution  

Step 1: Verify ADCS server configuration in ADAudit Plus  

• If ADCS is installed on a domain controller:

1. Navigate to Domain Settings in ADAudit Plus.

2. Confirm that the domain controller is listed and configured.

• If ADCS is installed on a member server:

1. Navigate to Server Audit > Configured Servers > Member Servers.

2. Ensure that the ADCS server is correctly listed.

Step 2: Check for communication issues  

• If log collection fails, check for RPC-related errors.

• If encountering "RPC Server Unavailable Error Code 6ba", refer to the troubleshooting guide for RPC errors.

Step 3: Verify service account permissions  

1. Navigate to Domain Settings.

2. Click the dropdown next to the domain name.

3. Select Modify Credentials.

4. Ensure that an account is specified for authentication.

5. The account can be either a Domain Administrator or a service account with the necessary minimum privileges.

Step 4: Enable auditing on the ADCS server  

• Ensure Audit Certification Services policies are enabled:

• Log in to a computer with the Group Policy Management Console (GPMC) using Domain Admin credentials.

• Open GPMC and edit the appropriate Group Policy:

• If ADCS is on a domain controller, modify Default Domain Controllers Policy.

• If ADCS is on a Windows server, modify ADAuditPlusMSPolicy.

• Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

• Double-click Object Access.

• Right-click Audit Certification Services and enable Success and Failure.

• Configure CA auditing:

• Log in to the ADCS server as a Domain Admin.

• Open the Certificate Authority management console.

• Right-click the CA, select Properties, and open the Auditing tab.

• Enable auditing for the following events:

• Change CA configuration

• Change CA security settings

• Issue and manage certificate requests

• Revoke certificates and publish CRLs

• Store and retrieve archived keys

• Enable certificate template auditing:

1. Open Command Prompt as Administrator.

2. Run the following command:

3. certutil –setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD

Step 5: Configure event log retention settings  

• Increase event log size to prevent audit data loss:

1. Log in to a computer with GPMC using Domain Admin credentials.

2. Open GPMC > Default Domain Controllers Policy > Edit.

3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

4. Set Retention method for security log to Overwrite events as needed.

5. Set Maximum security log size to 2 GB.

6. Ensure that security event logs hold at least 12 hours of data.

Step 6: Check for stuck files in event data folder  

• If files are stuck in event data/raw or processed, contact ManageEngine Support for assistance.

Related topics and articles  

• Configuring ADCS Auditing in ADAudit Plus

• Troubleshooting RPC Errors

• Increasing Event Log Size in Windows

How to reach support