Why am I not seeing any data in the DNS Changes reports?

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to reach support

 

Issue description

In ADAudit Plus, the DNS Changes reports profile provides insights into DNS record changes, including the addition, removal, and modification of DNS nodes and DNS zones within the Active Directory environment. However, in some instances, users may not find any data under the DNS Changes reports profile. This issue typically arises from misconfigured audit settings, insufficient privileges, or event data processing failures in ADAudit Plus. This document provides a structured approach to diagnosing and resolving the issue.

Prerequisites

  • All domain controllers (DCs) must be added and configured in ADAudit Plus for auditing.

  • Event collection should be happening successfully from all the configured DCs.

  • Necessary audit policies (Advanced Audit Policy > DS Access > Directory Services Changes > Success), object-level auditing, and the security event log size must be configured.

  • The Event Log retention size must be set to at least 4GB.

 

Possible causes

  • All DCs might not be configured in ADAudit Plus.

  • There is no communication from the product server to the respective machine.

  • Required privileges are not provided for the service account.

  • Audit policy or object-level auditing might not be enabled.

  • The event log size is set too low.

  • Files are stuck in the Installation Directory/ADAudit Plus/event data/raw or processed folders.

Resolution

Step 1: Verify all DCs are configured in ADAudit Plus  

  1. Navigate to the Domain Settings tab in ADAudit Plus.

  2. Confirm that all DCs are configured.

 

Note: Security logs do not replicate, so it's essential to configure all DCs in ADAudit Plus.


Step 2: Check for communication issues  

  1. If log collection fails, check for RPC-related errors.

  2. If encountering RPC Server Unavailable (Error Code 6ba), follow the troubleshooting guide here.

 

Step 3: Verify service account permissions  

To check the service account configured in ADAudit Plus:  

  1. Go to Domain Settings.

  2. Click the drop-down next to the domain name.

  3. Select Modify Credentials.

Grant necessary permissions

    1. Open Active Directory Users and Computers.

    2. Navigate to Built-in > Event Log Readers.

    3. Right-click Event Log Readers > Members and add the configured service account.

Step 4: Configure audit policies

  1. Log in to any computer that has the Group Policy Management Console (GPMC) with domain admin credentials.

  2. Open GPMC and right-click Default Domain Controllers Policy > Edit.

  3. In the Group Policy Management Editor, click Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy and double-click the relevant policy setting.

  4. In the right pane, right-click the relevant Subcategory > Properties > Select Success, Failure, or both as directed in this document.

  5. Under DS Access category, enable the Success check box beside Directory Services Changes.

 

Step 5: Configuring object-level auditing

  1. Log in to any computer that has the Active Directory Service Interfaces snap-in. Open the ADSI Edit console. Click OK and right-click ADSI Edit > Connect to.

  2. In the Connection Settings window, under Select or type a Distinguished Name or Naming Context, type the distinguished name that matches your domain name and the partition where the zone is stored. Use one of the following:

     • DC=adap,DC=internal,DC=com (this partition is generally loaded in ADSI Edit by default)

     • DC=DomainDNSZones,DC=adap,DC=internal,DC=com

     • DC=ForestDNSZones,DC=adap,DC=internal,DC=com

  3. In the left panel, click Default naming context and right-click MicrosoftDNS > Properties > Security > Advanced > Auditing > Add.

  4. In the Auditing Entry window, select a principal > Everyone > OK and set Type to Success. Select the appropriate permissions as directed in the table below.

 

 

 

 

 

| Auditing entry number | Auditing entries for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above) |
|---|---|---|---|---|
| 1 & 2 | DNS Zones | Create DNS Zones objects; Delete DNS Zones objects | This object and all child objects | This object and all descendant objects |
| | | Write All Properties; Delete; Modify Permissions | DNS Zone objects | Descendant DNS Zone objects |
| 3 & 4 | DNS Nodes | Create DNS Nodes objects; Delete DNS Nodes objects | This object and all child objects | Descendant DNS Zone objects |
| | | Write All Properties; Delete; Modify Permissions | DNS Node objects | Descendant DNS Node objects |

 

Note: Repeat steps for the remaining two default naming contexts.
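
To confirm the auditing entries from Step 5 are actually present on all three MicrosoftDNS containers, the following PowerShell check can be run (an added example, not part of the original article or of ADAudit Plus). It assumes the ActiveDirectory module, a session allowed to read SACLs, a single-domain forest, and the article's example DN, which must be replaced with your own.

```powershell
# Added example: list Success auditing entries (SACL) for Everyone on each
# MicrosoftDNS container. Assumes the ActiveDirectory module (provides the AD:
# drive) and rights to read SACLs, e.g. a domain admin session.
Import-Module ActiveDirectory

$domainDn   = 'DC=adap,DC=internal,DC=com'   # example DN from the article; replace
$containers = @(
    "CN=MicrosoftDNS,CN=System,$domainDn"           # domain partition
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    "CN=MicrosoftDNS,DC=ForestDnsZones,$domainDn"
)

# Map schemaIDGUID -> class name so rule GUIDs print as dnsZone / dnsNode
$classes  = @{}
$schemaNc = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNc -Properties lDAPDisplayName, schemaIDGUID `
    -LDAPFilter '(|(lDAPDisplayName=dnsZone)(lDAPDisplayName=dnsNode))' |
    ForEach-Object { $classes[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

$report = foreach ($dn in $containers) {
    # 'Everyone' is the English name of the principal; adjust on localized systems
    $rules = @((Get-Acl -Path "AD:\$dn" -Audit).Audit | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.AuditFlags -match 'Success'
    })
    if (-not $rules) {
        Write-Warning "No Success auditing entry for Everyone on $dn"
    }
    foreach ($r in $rules) {
        [pscustomobject]@{
            Container   = $dn
            Rights      = $r.ActiveDirectoryRights
            ChildClass  = $classes[$r.ObjectType]            # set on create/delete-child entries
            AppliesTo   = $classes[$r.InheritedObjectType]   # class the entry is scoped to
            Inheritance = $r.InheritanceType
            Inherited   = $r.IsInherited
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

A container that prints only the warning has no matching entries, so DNS changes in that partition generate no Directory Service Changes events for ADAudit Plus to collect.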

Step 6: Configuring event log settings

The event log size needs to be defined to prevent audit data loss due to events being overwritten. To configure event log size and retention settings:

  1. Log in to any computer that has the Group Policy Management Console (GPMC) with domain admin credentials. Open GPMC and right-click Default Domain Controllers Policy > Edit.

  2. In the Group Policy Management Editor, click Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

  3. In the right pane, right-click Retention method for security log >  Properties > Overwrite events as needed.

  4. In the right pane, right-click Maximum security log size > Define size (preferably 4GB).

Note: Ensure the security event log holds a minimum of 12 hours of data.
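
Because a GPO edit does not prove the setting reached every DC, the following PowerShell check (an added example, not part of the original article) reads the effective Directory Service Changes audit setting from Step 4 and the Security log size, mode and retained time span from Step 6 on each DC. It assumes the ActiveDirectory module, PowerShell remoting and remote event log access to the DCs, English auditpol output, and an account permitted to read the Security log.

```powershell
# Added example: verify the effective audit policy and Security log retention per DC.
# Assumes: ActiveDirectory module, WinRM (Invoke-Command) and remote event log
# access (Get-WinEvent -ComputerName) to each DC, English-language auditpol output.
Import-Module ActiveDirectory

$minRetentionHours = 12    # from the note in Step 6

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        # /r emits CSV; "Inclusion Setting" is Success, Failure, both, or No Auditing
        $policy = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            auditpol /get /subcategory:"Directory Service Changes" /r |
                Where-Object { $_ } | ConvertFrom-Csv
        }
        $log    = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
        $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 `
                      -ComputerName $dc -ErrorAction Stop
        # A recently cleared log also shows a short span; check before resizing
        $hours  = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)

        [pscustomobject]@{
            DC             = $dc
            DSChangesAudit = $policy.'Inclusion Setting'
            SuccessAudited = $policy.'Inclusion Setting' -match 'Success'
            MaxLogSizeGB   = [math]::Round($log.MaximumSizeInBytes / 1GB, 2)
            LogMode        = $log.LogMode     # Circular = overwrite events as needed
            RetainedHours  = $hours
            RetentionOK    = $hours -ge $minRetentionHours
            Error          = $null
        }
    }
    catch {
        # A connection or access failure here points back to Step 2 or Step 3
        [pscustomobject]@{
            DC = $dc; DSChangesAudit = $null; SuccessAudited = $false
            MaxLogSizeGB = $null; LogMode = $null; RetainedHours = $null
            RetentionOK = $false; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
```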

Step 7: Check for stuck files in the Event Data folder  

  • If files are stuck in Installation Directory/ADAudit Plus/event data/raw or processed folders, contact ManageEngine support for assistance.

Related topics and articles  

 How to reach support 

If the issue persists, contact our support team here
