System requirements for Active Directory Auditing

Verify that your environment meets the following system requirements before enabling Active Directory auditing.

Operating system

Supported domain controller operating systems:

  • Windows Server 2025

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

Hardware requirements

Minimum requirements for domain controllers running the auditing agent:

  • Memory: 8 GB minimum (16 GB recommended for production environments)

  • Disk space: 10 GB available (for installation of the software; see Disk sizing guidance for recommended capacity for audit events)

Network and connectivity

  • Domain controllers must be reachable by the Commvault agent.

  • Outbound connectivity to the control plane or gateway is required for uploading audit data.

  • If domain controllers do not have direct internet access, a gateway or proxy configuration must be used.

Security and permissions

The auditing agent requires sufficient privileges to:

  • Read Active Directory object and attribute data

  • Access replication metadata for directory changes

  • Read Windows Security Event Logs on domain controllers

The account used for deployment and operation must have permissions appropriate for directory read access and event log access.

Security auditing requirements

To provide complete visibility and user attribution for Active Directory activity, Windows security auditing must be enabled on domain controllers.

Active Directory auditing relies on security event logs to capture:

  • User and service account activity (who performed an action)

  • Source system or workstation (where the action originated)

  • Authentication and logon events associated with directory changes

At a minimum, audit policies should be configured to capture:

  • Account logon and logon events

  • Account management activity (user and group changes)

  • Directory service access and changes

  • Policy changes and privilege use

These settings are typically configured using Group Policy and applied to the Domain Controllers organizational unit.

Without these audit settings, certain activity—such as the originating user or system—may not be fully captured.

Detailed configuration guidance, including required audit policy settings, is provided on the Getting started with Active Directory auditing page.
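To confirm that Group Policy actually delivered these settings to a domain controller, the effective audit policy can be read back with auditpol. The following script is an added example, not part of the product or its documentation; the mapping from the bullets above to the English auditpol category names is an assumption, and the exact subcategories the product requires are defined on the Getting started page, not here.

```powershell
# Added example: list audit subcategories still at "No Auditing" on this domain controller.
# Run in an elevated PowerShell session on the DC. Category names are the English
# auditpol names; the mapping to the requirements listed above is an assumption.
$categories = [ordered]@{
    'Account Logon'      = 'Account logon events'
    'Logon/Logoff'       = 'Logon events'
    'Account Management' = 'Account management activity'
    'DS Access'          = 'Directory service access and changes'
    'Policy Change'      = 'Policy changes'
    'Privilege Use'      = 'Privilege use'
}

$report = foreach ($name in $categories.Keys) {
    # /r emits CSV with columns including "Subcategory" and "Inclusion Setting"
    $rows = auditpol.exe /get /category:"$name" /r | Where-Object { $_ } | ConvertFrom-Csv
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$name' (is the session elevated?)" }
    foreach ($row in $rows) {
        [pscustomobject]@{
            Category    = $name
            Requirement = $categories[$name]
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            Audited     = $row.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}

# Subcategories in the listed categories that currently generate no events
$report | Where-Object { -not $_.Audited } |
    Format-Table Category, Subcategory, Setting -AutoSize

# Coverage per category: a category with 0 audited subcategories is a visibility gap
$report | Group-Object Category | ForEach-Object {
    [pscustomobject]@{
        Category = $_.Name
        Audited  = @($_.Group | Where-Object Audited).Count
        Total    = $_.Count
    }
} | Format-Table -AutoSize
```

Running it on every domain controller shows whether the policy linked to the Domain Controllers organizational unit reached each one.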

Time synchronization

All domain controllers should maintain accurate and consistent system time.

Time synchronization is required to ensure:

  • Correct sequencing of audit events

  • Accurate correlation between directory changes and authentication activity

Data collection scope

Auditing coverage depends on data collection from domain controllers across the environment.

  • Audit data is generated and collected locally on each domain controller

  • Missing domain controllers may result in incomplete visibility or gaps in activity tracking

Deployment guidance for agent placement and domain controller coverage is provided in Architecture and deployment Active Directory auditing.

Local data staging

Audit data is temporarily stored on each domain controller before it is uploaded to the control plane.

  • Data is written to the local filesystem as compressed audit files

  • Files are periodically uploaded by the uploader service

  • Successfully uploaded data is removed from the local system

If upload is delayed or interrupted, audit data will accumulate on disk until connectivity is restored.

Event volume considerations

Audit data volume is primarily driven by authentication activity.

In most environments:

  • Authentication (logon) events significantly outnumber directory changes

  • High-frequency logon activity (for example, service accounts or automated processes) can generate large volumes of audit data

As a result:

  • Audit data volume may be substantially higher than expected based on change activity alone

  • Disk usage on domain controllers can increase rapidly in high-activity environments

Event filtering and retention strategies are important to manage data volume and maintain performance.

Disk sizing guidance

The auditing agent stages data locally before upload. Disk requirements vary based on event volume.

Typical ranges:

  • Low activity environments: hundreds of MB per day

  • Moderate environments: 1–5 GB per day

  • High activity environments: 10+ GB per day (primarily driven by authentication events)

To prevent data loss or service disruption:

  • Ensure sufficient free disk space is available for temporary audit data storage

  • Monitor disk utilization on domain controllers running the auditing agent

  • Plan for additional capacity in environments with high authentication activity or limited network connectivity

Event log availability

Security event logs must be accessible on domain controllers for auditing to function correctly.

  • Audit data collection depends on the availability of relevant security events

  • Log retention and size settings should be configured to prevent rapid log rollover

For comprehensive auditing coverage, security event logs should be enabled and retained on all domain controllers.
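The disk sizing and log rollover guidance above can be checked on a domain controller by measuring how far back the Security log currently reaches and how many days of staged audit data the disk could absorb during an upload outage. This script is an added example, not part of the product; the staging drive letter, the daily volume figure and the minimum window are assumptions to replace with values for your environment.

```powershell
# Added example: Security log rollover window and staging-disk headroom on this DC.
# Run elevated (or as a member of Event Log Readers) on the domain controller.
$StagingDrive   = 'C'   # assumption: drive that holds the agent's staged audit files
$DailyVolumeGB  = 5     # assumption: pick a value from the "Typical ranges" above
$MinWindowHours = 24    # assumption: shortest history you are willing to accept

$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$newest = Get-WinEvent -LogName Security -MaxEvents 1

# Time span currently held in the log; a short span means rapid rollover
$window = $newest.TimeCreated - $oldest.TimeCreated
$hours  = [math]::Max($window.TotalHours, 0.01)   # avoid dividing by zero on a fresh log

$freeBytes = (Get-PSDrive -Name $StagingDrive).Free

$result = [pscustomobject]@{
    DomainController = $env:COMPUTERNAME
    LogMode          = $log.LogMode    # Circular = oldest events are overwritten when full
    MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB)
    UsedPercent      = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    OldestEvent      = $oldest.TimeCreated
    WindowHours      = [math]::Round($hours, 1)
    EventsPerHour    = [math]::Round($log.RecordCount / $hours)
    FreeDiskGB       = [math]::Round($freeBytes / 1GB, 1)
    # Days of upload outage the disk can absorb at the assumed daily volume
    HeadroomDays     = [math]::Round(($freeBytes / 1GB) / $DailyVolumeGB, 1)
}
$result | Format-List

if ($result.WindowHours -lt $MinWindowHours) {
    Write-Warning ("Security log holds only {0} h of events; increase the maximum log size." -f $result.WindowHours)
}
```

A high EventsPerHour value alongside a short WindowHours is the authentication-driven volume described under Event volume considerations.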
