Microsoft-Windows-ActiveDirectory_DomainService
41 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1000 | Event ID 1000 | Directory Service | Y |
| 1004 | Event ID 1004 | Directory Service | Y |
| 1138 | Event ID 1138 | Directory Service | Y |
| 1139 | Event ID 1139 | Directory Service | Y |
| 1162 | Event ID 1162 | Directory Service | Y |
| 1215 | Event ID 1215 | Directory Service | Y |
| 1220 | Event ID 1220 | Directory Service | Y |
| 1221 | Event ID 1221 | Directory Service | Y |
| 1257 | Event ID 1257 | Directory Service | Y |
| 1258 | Event ID 1258 | Directory Service | Y |
| 1394 | Event ID 1394 | Directory Service | Y |
| 1404 | Event ID 1404 | Directory Service | Y |
| 1463 | Event ID 1463 | Directory Service | Y |
| 1535 | Event ID 1535 | Directory Service | Y |
| 1539 | Event ID 1539 | Directory Service | Y |
| 1644 | Event ID 1644 | Directory Service | Y |
| 1869 | Event ID 1869 | Directory Service | Y |
| 1898 | Event ID 1898 | Directory Service | Y |
| 1917 | The shadow copy backup for Active Directory Domain Services was successful. | Directory Service | Y |
| 2013 | Event ID 2013 | Directory Service | Y |
| 2014 | Event ID 2014 | Directory Service | Y |
| 2041 | Event ID 2041 | Directory Service | Y |
| 2064 | Event ID 2064 | Directory Service | Y |
| 2065 | Event ID 2065 | Directory Service | Y |
| 2120 | Event ID 2120 | Directory Service | Y |
| 2121 | Event ID 2121 | Directory Service | Y |
| 2168 | Event ID 2168 | Directory Service | Y |
| 2172 | Event ID 2172 | Directory Service | Y |
| 2179 | Event ID 2179 | Directory Service | Y |
| 2405 | Event ID 2405 | Directory Service | Y |
| 2406 | Event ID 2406 | Directory Service | Y |
| 2886 | Event ID 2886 | Directory Service | Y |
| 2887 | During the previous 24 hour period, some clients attempted to perform LDAP binds … | Directory Service | Y |
| 2961 | Event ID 2961 | Directory Service | Y |
| 2962 | Event ID 2962 | Directory Service | Y |
| 3027 | Event ID 3027 | Directory Service | Y |
| 3033 | Event ID 3033 | Directory Service | Y |
| 3040 | During the previous 24 hour period: 12 Unprotected LDAPS binds were performed. | Directory Service | Y |
| 3041 | Event ID 3041 | Directory Service | Y |
| 3051 | Event ID 3051 | Directory Service | Y |
| 3054 | Event ID 3054 | Directory Service | Y |
Event ID 1000
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 1000,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:33:02.4803066+00:00",
"event_record_id": 313,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 504
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "Microsoft Active Directory Domain Services startup complete"
}
Event ID 1004
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 1004,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-06-13T05:22:34.6273401+00:00",
"event_record_id": 332,
"correlation": {},
"execution": {
"process_id": 852,
"thread_id": 1840
},
"channel": "Directory Service",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "Active Directory Domain Services was shut down successfully."
}
Event ID 1138
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
| Data_3 | |
| Data_4 | |
| Data_5 | |
| Data_6 | |
| Data_7 | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1138,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:08:18.465925+00:00",
"event_record_id": 2624,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 4744
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "ldap_search",
"Data_1": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"Data_2": "127.0.0.1:61365",
"Data_3": "571",
"Data_4": "",
"Data_5": "4823671",
"Data_6": "",
"Data_7": "",
"Binary": ""
},
"message": ""
}
Event ID 1139
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
| Data_3 | |
| Data_4 | |
| Data_5 | |
| Data_6 | |
| Data_7 | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1139,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:08:18.465925+00:00",
"event_record_id": 2625,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 4744
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "ldap_search",
"Data_1": "16",
"Data_2": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"Data_3": "127.0.0.1:61365",
"Data_4": "571",
"Data_5": "",
"Data_6": "4823671",
"Data_7": "4823687",
"Binary": ""
},
"message": ""
}
Event ID 1162
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1162,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-02-28T04:29:14.825169+00:00",
"event_record_id": 287,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 628
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "",
"Binary": ""
},
"message": ""
}
Event ID 1215
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1215,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:04.536946+00:00",
"event_record_id": 4079,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 7768
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "c060273",
"Binary": ""
},
"message": ""
}
Event ID 1220
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1220,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T17:05:18.904081+00:00",
"event_record_id": 367,
"correlation": {},
"execution": {
"process_id": 908,
"thread_id": 3272
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "8009030e",
"Data_1": "No credentials are available in the security package",
"Binary": ""
},
"message": ""
}
Event ID 1221
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1221,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T20:17:39.781219+00:00",
"event_record_id": 453,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 1068
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "",
"Binary": ""
},
"message": ""
}
Event ID 1257
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1257,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:14.237882+00:00",
"event_record_id": 4484,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 1084
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "CN=TESTPC02,CN=Computers,DC=ludus,DC=domain",
"Binary": ""
},
"message": ""
}
Event ID 1258
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1258,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:14.238473+00:00",
"event_record_id": 4485,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 1084
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "CN=TESTPC02,CN=Computers,DC=ludus,DC=domain",
"Data_1": "1",
"Binary": ""
},
"message": ""
}
Event ID 1394
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 1394,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:33:32.4803370+00:00",
"event_record_id": 314,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 1012
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted."
}
Event ID 1404
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 1404,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:15:15.717005+00:00",
"event_record_id": 54,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 2552
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1463
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1463,
"version": 0,
"level": 3,
"task": 7,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:12:33.388787+00:00",
"event_record_id": 24,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 5696
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1535
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1535,
"version": 0,
"level": 4,
"task": 16,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:08:20.338916+00:00",
"event_record_id": 2975,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 3104
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "00002121: SvcErr: DSID-03120701, problem 5012 (DIR_ERROR), data 8995\n",
"Binary": ""
},
"message": ""
}
Event ID 1539
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1539,
"version": 0,
"level": 3,
"task": 12,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-06T19:18:38.145706+00:00",
"event_record_id": 331,
"correlation": {
"ActivityID": "028C3802-AD9E-0001-6538-8C029EADDC01"
},
"execution": {
"process_id": 908,
"thread_id": 912
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "c:",
"Binary": ""
},
"message": ""
}
Event ID 1644
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
| Data_3 | |
| Data_4 | |
| Data_5 | |
| Data_6 | |
| Data_7 | |
| Data_8 | |
| Data_9 | |
| Data_10 | |
| Data_11 | |
| Data_12 | |
| Data_13 | |
| Data_14 | |
| Data_15 | |
| Data_16 | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1644,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:09:04.886148+00:00",
"event_record_id": 4101,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 7768
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Data_0": "DC=ludus,DC=domain",
"Data_1": " (servicePrincipalName=*/*) ",
"Data_2": "4159",
"Data_3": "6",
"Data_4": "10.2.10.11:63108",
"Data_5": "subtree",
"Data_6": "servicePrincipalName",
"Data_7": "",
"Data_8": "DNT_index:2317:N;",
"Data_9": "30585",
"Data_10": "0",
"Data_11": "0",
"Data_12": "0",
"Data_13": "0",
"Data_14": "16",
"Data_15": "none",
"Data_16": "ludus\\domainadmin",
"Binary": ""
},
"message": ""
}
Event ID 1869
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 1869,
"version": 0,
"level": 4,
"task": 18,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T23:48:03.4158053+00:00",
"event_record_id": 317,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 1012
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "\\\\telemetry-DC-a.cell-a.ludus.domain",
"Data_1": "Default-First-Site-Name"
},
"message": "Active Directory Domain Services has located a global catalog in the following site. \r\n \r\nGlobal catalog:\r\n\\\\telemetry-DC-a.cell-a.ludus.domain \r\nSite:\r\nDefault-First-Site-Name"
}
Event ID 1898
#Fields #
| Name | Description |
|---|---|
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 1898,
"version": 0,
"level": 4,
"task": 24,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:12:40.147333+00:00",
"event_record_id": 32,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 5696
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data": [
"CN=sam-domain,CN=Schema,CN=Configuration,DC=sigma,DC=fr"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1917: The shadow copy backup for Active Directory Domain Services was successful.
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 1917,
"version": 0,
"level": 4,
"task": 14,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-30T02:25:40.8595072+00:00",
"event_record_id": 5632,
"correlation": {
"ActivityID": "{625775F5-6028-4F8C-BC9C-5A983F9F8178}"
},
"execution": {
"process_id": 1000,
"thread_id": 13092
},
"channel": "Directory Service",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "The shadow copy backup for Active Directory Domain Services was successful."
}
Event ID 2013
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2013,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-28T00:51:17.8559191+00:00",
"event_record_id": 61,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 4116
},
"channel": "Directory Service",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "3",
"Data_1": "link_base_and_data_v2_index +link_base link_bdnt_and_base_and_data_v2_index +backlink_DNT link_dnt_and_base_and_data_v2_index +link_DNT "
},
"message": "Active Directory Domain Services is rebuilding the following number of indices as part of the initialization process. \r\n \r\nNumber of indices: \r\n3 \r\nIndices: \r\nlink_base_and_data_v2_index +link_base link_bdnt_and_base_and_data_v2_index +backlink_DNT link_dnt_and_base_and_data_v2_index +link_DNT "
}
Event ID 2014
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2014,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-28T00:51:17.8559191+00:00",
"event_record_id": 62,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 4116
},
"channel": "Directory Service",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "3"
},
"message": "Active Directory Domain Services successfully completed rebuilding the following number of indices. \r\n \r\nIndices: \r\n3"
}
Event ID 2041
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS General",
"event_id": 2041,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-06T19:18:39.145732+00:00",
"event_record_id": 332,
"correlation": {
"ActivityID": "028C3802-AD9E-0001-6538-8C029EADDC01"
},
"execution": {
"process_id": 908,
"thread_id": 912
},
"channel": "Directory Service",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "80000603",
"Data_1": "2",
"Binary": ""
},
"message": ""
}
Event ID 2064
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2064,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:14:30.411027+00:00",
"event_record_id": 40,
"correlation": {
"ActivityID": "7AAB4249-4A57-0000-F449-AB7A574AD801"
},
"execution": {
"process_id": 648,
"thread_id": 652
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2065
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0e8478c5-3605-4e8c-8497-1e730c959516}",
"event_source_name": "NTDS Database",
"event_id": 2065,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:16:41.560674+00:00",
"event_record_id": 55,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 836
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2120
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2120,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.3860867+00:00",
"event_record_id": 308,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 1012
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "This Active Directory Domain Services server does not support the Recycle Bin. Deleted objects may be undeleted, however, when an object is undeleted, some attributes of that object may be lost. Additionally, attributes of other objects that refer to the object being undeleted may also be lost."
}
Event ID 2121
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2121,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.3392078+00:00",
"event_record_id": 299,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "This Active Directory Domain Services server is disabling the Recycle Bin. Deleted objects may not be undeleted at this time."
}
Event ID 2168
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2168,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.3392078+00:00",
"event_record_id": 302,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "5033076077272944039"
},
"message": "The DC is running on a supported hypervisor. VM Generation ID is detected. \r\n \r\nCurrent value of VM Generation ID: 5033076077272944039"
}
Event ID 2172
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2172,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.3392078+00:00",
"event_record_id": 303,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "5403859594421488123"
},
"message": "Read the msDS-GenerationId attribute of the Domain Controller's computer object. \r\n \r\nmsDS-GenerationId attribute value:\r\n5403859594421488123"
}
Event ID 2179
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2179,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.3704520+00:00",
"event_record_id": 307,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "5033076077272944039"
},
"message": "The msDS-GenerationId attribute of the Domain Controller's computer object has been set to the following parameter: \r\n \r\nGenerationID attribute:\r\n5033076077272944039"
}
Event ID 2405
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2405,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.3860867+00:00",
"event_record_id": 310,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 1012
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "Privileged Access Management Feature"
},
"message": "This Active Directory Domain Services server does not support the \"Privileged Access Management Feature\" optional feature."
}
Event ID 2406
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2406,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.3392078+00:00",
"event_record_id": 301,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "Privileged Access Management Feature"
},
"message": "This Active Directory Domain Services server is disabling support for the \"Privileged Access Management Feature\" optional feature."
}
Event ID 2886
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2886,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:33:02.4803066+00:00",
"event_record_id": 311,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 504
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. \r\n \r\nSome clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. \r\n \r\nFor more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. \r\n \r\nYou can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the \"LDAP Interface Events\" event logging category to level 2 or higher."
}
Event ID 2887: During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL …
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2887,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-03-19T20:05:54.2754863+00:00",
"event_record_id": 5263,
"correlation": {},
"execution": {
"process_id": 984,
"thread_id": 1104
},
"channel": "Directory Service",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "0",
"Data_1": "8"
},
"message": "\r\nDuring the previous 24 hour period, some clients attempted to perform LDAP binds that were either: \r\n(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or \r\n(2) A LDAP simple bind that was performed on a clear text (non-SSL/TLS-encrypted) connection \r\n \r\nThis directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. \r\n \r\nSummary information on the number of these binds received within the past 24 hours is below. \r\n \r\nYou can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the \"LDAP Interface Events\" event logging category to level 2 or higher. \r\n \r\nNumber of simple binds performed without SSL/TLS: 0 \r\nNumber of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 8"
}
Event ID 2961
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2961,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-28T00:51:17.8559191+00:00",
"event_record_id": 60,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 4116
},
"channel": "Directory Service",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "8"
},
"message": "Creating 8 optional system indices.\r\n"
}
Event ID 2962
#Fields #
| Name | Description |
|---|---|
| Data_0 | Number of optional system indices that were created (8 in the sample message). |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 2962,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-28T00:51:17.8559191+00:00",
"event_record_id": 63,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 4116
},
"channel": "Directory Service",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "8"
},
"message": "Created 8 optional system indices."
}
Event ID 3027
#Fields #
| Name | Description |
|---|---|
| Data_0 | Duration of the online defragmentation in seconds (3600 in the sample message). |
Data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 3027,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T23:48:03.4001660+00:00",
"event_record_id": 316,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 1012
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "3600"
},
"message": "Internal event: Online Defragment Start succeeded. \r\n \r\nDuration in seconds:3600 \r\n"
}
Event ID 3033
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 3033,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T23:48:03.4001660+00:00",
"event_record_id": 315,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 1012
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "Internal event: Online Defragment Stop invoked but defrag was not running."
}
Event ID 3040: During the previous 24 hour period: 12 Unprotected LDAPS binds were performed.
#Fields #
| Name | Description |
|---|---|
| Data_0 | Number of unprotected LDAPS binds performed in the previous 24-hour period (12 in the sample message). |
| Data_1 | Number of Channel Binding Token audit validations that failed (the mapping of Data_1–Data_3 is inferred from the order of the lines in the sample message, where all three are 0; confirm against the event template). |
| Data_2 | Number of binds performed by clients that do not support channel binding. |
| Data_3 | Number of binds performed by clients that support channel binding but did not provide a Channel Binding Token. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 3040,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-03-19T20:05:54.2754863+00:00",
"event_record_id": 5262,
"correlation": {},
"execution": {
"process_id": 984,
"thread_id": 1104
},
"channel": "Directory Service",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {
"Data_0": "12",
"Data_1": "0",
"Data_2": "0",
"Data_3": "0"
},
"message": "During the previous 24 hour period: \r\n12 Unprotected LDAPS binds were performed. \r\n0 Channel Binding Token audit validations failed. \r\n0 Binds were performed by clients that do not support channel binding. \r\n0 Binds were performed by clients that support channel bindings but did not provide channel binding token. \r\n \r\nThis directory server is not currently configured to enforce validation of Channel Binding Tokens. The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server. \r\n \r\nFor more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405."
}
Event ID 3041
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 3041,
"version": 0,
"level": 3,
"task": 16,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:33:02.4803066+00:00",
"event_record_id": 312,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 504
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server. \r\n \r\nFor more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405."
}
Event ID 3051
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 3051,
"version": 0,
"level": 3,
"task": 2,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.1673299+00:00",
"event_record_id": 297,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked. \r\n \r\nThis setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below. \r\n \r\nFor more information, please see https://go.microsoft.com/fwlink/?linkid=2174032."
}
Event ID 3054
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-ActiveDirectory_DomainService",
"guid": "{0E8478C5-3605-4E8C-8497-1E730C959516}",
"event_source_name": "",
"event_id": 3054,
"version": 0,
"level": 3,
"task": 2,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:52.1673299+00:00",
"event_record_id": 298,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Directory Service",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-7"
}
},
"event_data": {},
"message": "The directory has been configured to allow implicit owner privileges when initially setting or modifying the nTSecurityDescriptor attribute during LDAP add and modify operations. Warning events will be logged, but no requests will be blocked. \r\n \r\nThis setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below. \r\n \r\nFor more information, please see https://go.microsoft.com/fwlink/?linkid=2174032."
}