This section describes how to enable near real-time Active Directory auditing and begin capturing changes across your environment.
The setup process consists of:
- Creating a forest client
- Enabling auditing for the forest
- Enabling auditing on domain controllers
- Configuring audit policies
Once completed, your environment will begin streaming Active Directory changes and authentication activity for visibility, investigation, and recovery.
Overview
Active Directory Auditing provides near real-time visibility into:
- Directory object changes (users, groups, policies, permissions)
- Authentication and logon activity
- Security-relevant configuration changes
After onboarding, auditing continuously captures activity across domain controllers and presents it in a unified timeline for analysis and response.
Create a forest client
Create a forest client that represents your Active Directory environment within the console.
Important
The backup plan selected during the configuration is used for Active Directory protection and recovery. It is not used for audit event storage.
After submission:
- The forest is registered
- Domain topology is discovered
- The environment becomes available for auditing configuration
Enable auditing
Once the forest client is created, auditing must be explicitly enabled.
- From the Command Center navigation pane, go to Protect > Active Directory.
- Click the Forests tab, and then click the forest.
- On the Auditing tab, click Enable Auditing.
This process performs several actions:
- Creates an audit plan for the environment
- Provisions required backend resources for audit data processing
- Saves tenant configuration details
- Initializes the auditing service
After completion, the system is ready to begin receiving audit data from domain controllers.
Configure agent on domain controllers
Install Commvault Cloud software on domain controllers.
Enable auditing on domain controllers
Auditing must be enabled on domain controllers to begin collecting data.
- From the Auditing workflow, open the Domain Controllers view.
- Select the domain controllers you want to enable.
- Click Enable Auditing.
This step:
- Deploys and activates auditing components on selected domain controllers
- Begins collection of change and authentication events
- Connects domain controllers to the audit pipeline
Important:
Auditing must be enabled on each domain controller you want included.
If a domain controller is not enabled, activity from that server will not be captured.
Configure audit policies
Active Directory auditing relies on Windows audit policies being enabled on domain controllers.
Without these policies, important security events will not be captured. For more information, see Audit policies and SACL configuration.
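To confirm that Windows audit policies are actually in effect on each domain controller, the following added example (not Commvault code) compares the effective `auditpol` settings against a baseline and lists only the gaps. The baseline subcategories, the English subcategory names, PowerShell remoting to the domain controllers, and the host names are assumptions.

```powershell
# Added example. The baseline is an ASSUMPTION for illustration; take the
# authoritative list from "Audit policies and SACL configuration".
$Baseline = [ordered]@{
    'Directory Service Changes'       = 'Success'
    'Directory Service Access'        = 'Success'
    'User Account Management'         = 'Success'
    'Security Group Management'       = 'Success'
    'Logon'                           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
}

function Test-DcAuditPolicy {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Baseline
    )
    foreach ($dc in $ComputerName) {
        try {
            # auditpol /r emits CSV; blank lines are dropped before parsing.
            $rows = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
            }
        } catch {
            # An unreachable DC is reported as a gap, not silently skipped.
            [pscustomobject]@{ DC = $dc; Subcategory = '(all)'; Required = 'n/a'
                               Effective = "query failed: $($_.Exception.Message)"; Compliant = $false }
            continue
        }
        foreach ($name in $Baseline.Keys) {
            $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
            $effective = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
            $required  = $Baseline[$name]
            # 'Success and Failure' satisfies a Success-only or Failure-only requirement.
            $ok = ($effective -eq $required) -or ($effective -eq 'Success and Failure')
            [pscustomobject]@{ DC = $dc; Subcategory = $name; Required = $required
                               Effective = $effective; Compliant = $ok }
        }
    }
}

# Hypothetical DC names; replace with your own.
Test-DcAuditPolicy -ComputerName 'dc01.example.test', 'dc02.example.test' -Baseline $Baseline |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

An empty result means every listed subcategory meets the baseline on every domain controller queried; `auditpol` requires an administrative session on the target.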
What happens next
Once auditing is enabled:
- Domain controllers begin streaming audit data
- Events are processed and correlated in near real time
- Activity appears in the Auditing dashboard
You will be able to:
- View all changes across the forest in a unified timeline
- Identify suspicious activity and privileged changes
- Filter by user, object, or event type
- Investigate incidents with full context (who, what, when, where)
- Initiate rollback for supported changes
Next steps
After enabling auditing, you can:
- Explore the Auditing dashboard
- Filter and search for specific changes or users
- Identify high-risk or critical events
- Begin using rollback for supported scenarios
Troubleshooting tips
If no audit data or incomplete audit data appears:
- Verify auditing is enabled on domain controllers
- Confirm audit policies are applied via GPO
- Ensure agents are installed and running
- Check that domain controllers are online and reachable