Some applications must maintain consistency between specific
data stored in the Microsoft® Active Directory® directory service
and other data. The other data might be stored in Active Directory,
in a SQL Server table, in a file, or in the registry. When data
stored in Active Directory changes, the other data may be required
to change in order to remain consistent. Applications that have
this requirement include:

This section does not cover mechanisms used by monitoring
applications. These are applications that monitor directory
changes not for the purpose of maintaining consistent data between
separate stores, but as a system management tool. Although
monitoring applications can use the same mechanisms that support
change-tracking applications, the following mechanisms are
specifically tailored for monitoring applications:

Security auditing. By modifying the system
access-control list (SACL) portion of an object security
descriptor, you can cause accesses to the object on a given domain
controller to generate audit records in the security event log on
that DC. You can audit reads, writes, or both; you can audit the
entire object or specific attributes. For more information, see
Retrieving an Object's SACL and Audit Generation.

Event logging. By modifying registry settings on a given
domain controller, you can change the kinds of events logged to the
directory service event log. Specifically, to log all
modifications, set the "8 Directory Access" value under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
key to 4. For more information, see Event Logging.

Event tracing. Windows® 2000 provides an Event
Tracing API for tracing and logging interesting events in software
or hardware. The Windows 2000 operating system, and Active
Directory in particular, support the use of event tracing for
capacity planning and detailed performance analysis. For more
information, see Event Tracing.
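
The registry change described under Event logging above, as an added PowerShell example that is not part of the original documentation. The function name Set-DirectoryAccessLogging is hypothetical, and the 0 to 5 range check reflects the usual NTDS diagnostics levels rather than anything stated in this section.

```powershell
# Added example: set the "8 Directory Access" diagnostics level on the local
# domain controller and report the previous value so it can be restored.
# Run in an elevated session on the DC itself.
$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ValueName = '8 Directory Access'

function Set-DirectoryAccessLogging {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: NTDS diagnostics levels run from 0 to 5.
        [ValidateRange(0, 5)]
        [int]$Level = 4
    )

    # The Diagnostics key exists only where the directory service is installed.
    if (-not (Test-Path -LiteralPath $DiagKey)) {
        throw "Key $DiagKey not found; this host does not appear to be a domain controller."
    }

    # Capture the current level before changing it.
    $current = (Get-ItemProperty -LiteralPath $DiagKey -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName

    if ($PSCmdlet.ShouldProcess("$DiagKey\$ValueName", "set to $Level (was $current)")) {
        Set-ItemProperty -LiteralPath $DiagKey -Name $ValueName -Value $Level -Type DWord
    }

    # Read the value back so the caller sees what is actually in effect.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Previous = $current
        Current  = (Get-ItemProperty -LiteralPath $DiagKey -Name $ValueName).$ValueName
    }
}

# Log all modifications, as described above (value 4).
$change = Set-DirectoryAccessLogging -Level 4
$change | Format-List

# When the investigation is over, put the earlier level back:
#   Set-DirectoryAccessLogging -Level $change.Previous
```

The setting is per domain controller, so it has to be applied on each DC whose directory service event log you want to collect from. Use `-WhatIf` to preview the change without writing to the registry.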