A Common Misconception Regarding Security Logs

by Mitch Tulloch [Published on 27 Oct. 2005 / Last Updated on 27 Oct. 2005]

Do domain controllers share security logs?

Domain controllers host Active Directory, which manages the security of your Windows-based networks. If you have several domain controllers in the same domain, Active Directory information is automatically replicated between them so that they all contain identical (except for replication delay) copies of Active Directory and therefore contain identical security information. But do they also contain identical copies of the Security log?

No. That's a common misconception. Security logs are not replicated between domain controllers. To see why, remember that a user is always authenticated by some specific domain controller in a given situation, so if logon/logoff auditing is enabled on all domain controllers, a logon security event will only be logged to the actual domain controller that handles the authentication of the user.

So don't assume AD replication means Security log replication!

Mitch Tulloch

Featured Links