How to monitor FSMO roles changes

In Active Directory, FSMO roles define the responsibilities of specific domain controllers (DCs) in a forest and the domains under it. If a compromised account transfers an FSMO role from one DC to another, this poses a serious security risk to the network: the authority that comes with the role can be misused by users with administrative access to the new role holder. This is why it's important to keep an eye on changes made to FSMO roles.

Steps to enable auditing using GPMC

In order to monitor FSMO role changes, you first need to enable auditing for these changes. To do this, perform the following actions on the DC:

  1. Go to Start > Group Policy Management Console. You can also run the command gpmc.msc with elevated privileges.
  2. Right-click the domain or organizational unit (OU) where you want to audit FSMO role changes, select Create a GPO in this domain, and Link it here..., and name it.

     Note: If you want to link the auditing policy to an existing GPO, select Link an Existing GPO...
  3. Right-click the GPO, and choose Edit. This opens the Group Policy Management Editor.
  4. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.
  5. In the right pane, you will see the following policies under DS Access:
    • Audit Detailed Directory Service Replication
    • Audit Directory Service Access
    • Audit Directory Service Changes
    • Audit Directory Service Replication
  6. Double-click each of the audit policies, and check the boxes labeled Configure the following audit events, Success, and Failure.
  7. Click Apply and then OK.

Steps to view FSMO role change events using Event Viewer

Perform the following actions on the DC:

  1. Click Start, search for Event Viewer, right-click it, and select Run as administrator.
  2. In the left pane of the Event Viewer window, navigate to Applications and Services Logs > Directory Service.
  3. In the right pane under Actions, click Filter Current Log....
  4. In the pop-up window, enter the Event ID 1458 in the field labeled <All Event IDs>.
  5. Click OK. This gives you a list of occurrences of Event ID 1458. Double-click an event to view its properties.
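The same Event Viewer filter, as an added PowerShell example that is not part of the original article: it pulls Event ID 1458 from the Directory Service log of every DC in the domain and then compares the current FSMO role holders with a saved baseline. It assumes the ActiveDirectory RSAT module, domain-admin rights with remote event log access, and a hypothetical baseline path in $BaselinePath.

```powershell
# Added example, not code from the original article.
# Assumes the ActiveDirectory RSAT module and domain-admin rights; $BaselinePath is hypothetical.
Import-Module ActiveDirectory

$BaselinePath = "C:\AD-Audit\fsmo-baseline.json"   # hypothetical baseline file
$Since        = (Get-Date).AddDays(-7)              # look back one week

# 1. Collect Event ID 1458 (the event the article filters on) from every DC.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$events = foreach ($dc in $dcs) {
    # Get-WinEvent throws when no events match; suppress that so the loop continues.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1458
        StartTime = $Since
    } | Select-Object @{n = 'DC'; e = { $dc }}, TimeCreated, Id, Message
}
$events | Sort-Object TimeCreated | Format-Table -Wrap -AutoSize

# 2. Snapshot the current role holders (forest-wide and domain-wide roles).
$forest  = Get-ADForest
$domain  = Get-ADDomain
$current = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 3. Diff against the last known-good baseline; create it on the first run.
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($role in $current.Keys) {
        if ($baseline.$role -ne $current[$role]) {
            Write-Warning ("{0} moved from {1} to {2}" -f $role, $baseline.$role, $current[$role])
        }
    }
} else {
    Write-Host "No baseline found; writing current role holders to $BaselinePath"
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content $BaselinePath
}
```

Review any warnings before updating the baseline file by hand, so that an unauthorized transfer is not silently accepted as the new normal.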

Though Windows' native auditing lets you look for changes in FSMO roles, manually analyzing and investigating those changes at scale is strenuous and often impossible. In such scenarios, you need an intuitive, interactive solution that monitors the changes, alerts you about them, and provides exhaustive reports on each change action.

ADAudit Plus is a real-time AD change auditing solution that comes with prebuilt reports for all AD changes including FSMO role changes.

Steps to check changes in FSMO roles using ManageEngine ADAudit Plus

Enable auditing and then perform the following actions.

  1. Download and install ADAudit Plus.
  2. Open the ADAudit Plus console, and log in as an administrator.
  3. Navigate to Reports > Active Directory > Configuration Auditing > FSMO Role Changes.

View who changed the role, when, and which DC the action was performed on along with details on the old and new values.


Get insightful reports for all changes made to the AD schema and its properties.


  • ADAudit Plus provides a central platform for monitoring all changes made to your AD objects and their attributes.
  • Its user behavior analytics (UBA) engine lets you weed out insider threats. By creating a baseline of typical user behavior, it detects any deviation from that behavior and alerts admins by email or SMS.
  • Generate out-of-the-box reports to meet compliance regulations such as SOX, HIPAA, GLBA, PCI DSS, FISMA, and the GDPR at your organization with ease.