Events 5136, 5137, 5141 are only logged on the Master Domain Controller

Scorpion 5 Reputation points
2023-02-26T03:23:10.2533333+00:00

I have enabled the auditing of Directory Service Objects (DS Objects), essentially to monitor the creation, deletion and modification of GPOs. I have two domain controllers, DC1 and DC2; DC1 is the Master DC. I'm using Windows Server 2022, on premise.

When I run, on DC2, a creation, deletion, or modification of a GPO, I assumed those would be logged on the same DC2; but when I looked for the events in the Event Viewer, security panel, there was nothing. However, those events had been logged on DC1.

Shouldn't changes applied to GPOs in a particular DC allow events to be logged on that DC? I need help with this.


1 answer

  1. Thameur-BOURBITA 32,616 Reputation points
    2023-02-26T22:06:26.11+00:00

    Hi @Scorpion

    Check if DC1 hosts the PDC role.

    By default, the GPMC console is connected to the PDC when you try to modify a GPO.

    Please don't forget to mark a helpful answer as accepted.
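
One way to carry out the check suggested in the answer, as an added example that is not part of the original thread: it reports which DC holds the PDC emulator role and, for each DC, which GPO-related 5136/5137/5141 events its Security log recorded. It assumes the ActiveDirectory RSAT module, remote read access to each DC's Security log, and a 24-hour look-back window.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and rights to
# read the Security log remotely on every domain controller.
Import-Module ActiveDirectory

# The DC holding the PDC emulator role (per the answer, GPMC's default target).
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# Look-back window is an assumption; set it to cover the GPO change you made.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $since }

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error both when nothing matches and when the
        # DC is unreachable; show the message so the two cases can be told apart.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Keep only GPO objects; other directory changes share these event IDs.
        if ($data['ObjectClass'] -ne 'groupPolicyContainer') { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            LoggedOn    = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            ChangedBy   = $data['SubjectUserName']
            ObjectDN    = $data['ObjectDN']
        }
    }
}

# One row per event: which DC logged it and whether that DC is the PDC emulator.
$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

If every row shows the PDC emulator in `LoggedOn`, the changes were written there even though the console was opened on another DC; collecting the Security log from all DCs avoids missing them.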