You still need to create access control entries (ACEs) explicitly in the SACLs of an
object before any auditing will be performed. This is done by design to ensure that logging
is enabled only for those objects in which you are actually interested.
TIP Some SACL ACEs are created by default. When enabling auditing, you may want to remove
some of these ACEs if you think you??™re logging too much.
Schema
This advanced method of controlling auditing allows you to exclude an attribute from
being audited at the schema level. This is done by setting bit 8 in the searchFlags
property of an attribute. When this is done, this attribute will not be audited for all objects
that contain this attribute.
TIP The searchFlags property of an attribute also controls whether it is indexed, replicated to
the GC, marked as confidential, or, in this case, not logged in the event log.
Read-Only Domain Controller
When Active Directory was introduced in Windows 2000 Server, it completely changed
the way we thought about domain controller deployment. In the NT domain model,
we had a single writable instance of the domain database that was stored in the PDC.
To provide load balancing and a relative amount of redundancy, you could deploy additional
backup domain controllers (BDCs), but these had only a read-only copy of the
domain database.
Active Directory domain controllers follow a multi-master model, where all domain
controllers are writable and changes can be made to any domain controller.
Pages:
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183