Special thanks to Raman in the Active Directory team for this one.

Ever want to audit the creation of new domain controllers in your environment?  Yeah, me neither :-)  However if you ever want to, here's how.

1. The default SACL on Active Directory should suffice.  However, if you have changed the default SACL, here it is again, in SDDL:

S:(AU;SA;WDWOWP;;;WD)
(AU;SA;CR;;;BA)
(AU;SA;CR;;;DU)   <-- this ACE is probably doing most of the work for you
(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
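As an added example (not code from the original post), here is a small Python check that parses that SACL and reports which trustees will get success audits when they exercise a control access right. The CR audit ACEs above carry no object GUID, so they cover every control access right, including DS-Install-Replica; an ACE that names a specific right GUID would cover only that one. The SID abbreviations are the standard well-known SDDL aliases, and the DS-Install-Replica GUID is the one shown in the event in step 3.

```python
"""
Parse the SACL portion of an SDDL string and report which trustees are
audited for successful use of a control access right.
"""
import re

# Well-known SDDL SID abbreviations used in the SACL above.
SID_ALIASES = {"WD": "Everyone", "BA": "Builtin Administrators", "DU": "Domain Users"}

# Control access right GUID as it appears in the event 566 example (DS-Install-Replica).
DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"

# The SACL from the post, with the inline annotation removed.
DEFAULT_SACL = (
    "S:(AU;SA;WDWOWP;;;WD)"
    "(AU;SA;CR;;;BA)"
    "(AU;SA;CR;;;DU)"
    "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)


def _split_pairs(token):
    """'WDWOWP' -> ['WD', 'WO', 'WP']; a hex mask such as 0x100 is kept whole."""
    if token.startswith("0x"):
        return [token]
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def parse_sacl(sddl):
    """Return the SACL ACEs as dicts; whitespace between ACEs is tolerated."""
    compact = re.sub(r"\s+", "", sddl)
    m = re.search(r"S:((?:\([^)]*\))+)", compact)
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = ace.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, flags, rights, obj_guid, inh_guid, sid = parts
        aces.append({
            "type": ace_type,                      # AU = audit, OU = object audit
            "flags": _split_pairs(flags),          # SA = success audit, FA = failure audit
            "rights": _split_pairs(rights),        # CR = control access
            "object_guid": obj_guid.lower(),       # empty = all control access rights
            "inherit_guid": inh_guid.lower(),
            "trustee": SID_ALIASES.get(sid, sid),
        })
    return aces


def control_access_audit_trustees(sddl, right_guid=DS_INSTALL_REPLICA):
    """Trustees whose *successful* use of right_guid generates an audit."""
    trustees = []
    for ace in parse_sacl(sddl):
        if ace["type"] != "AU" or "SA" not in ace["flags"]:
            continue
        if "CR" not in ace["rights"]:
            continue
        if ace["object_guid"] in ("", right_guid):
            trustees.append(ace["trustee"])
    return trustees


if __name__ == "__main__":
    print(control_access_audit_trustees(DEFAULT_SACL))
```

If the list comes back empty for your SACL, the step 3 event will never be written no matter what the audit policy says, because the SACL is what decides whether a successful control access is recorded at all.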

2. Enable DS Access audit policy for success events in the Default Domain Controllers policy.

3. Look for event 566 in your security event log; it will look like the following (yours will differ slightly because this example comes from Longhorn Server):

An operation was performed on an object.

Subject:
      Security ID:      YOURDOMAIN\Administrator
      Account Name:     Administrator
      Account Domain:   YOURDOMAIN
      Logon ID:         0x201d29

Object:
      Object Server:    DS
      Object Type:      domainDNS
      Object Name:      DC=yourdomain,DC=com
      Handle ID:        0x0

Operation:
      Operation Type:   Object Access
      Accesses:         Control Access
      Access Mask:      0x100
      Properties:       Control Access
            {9923a32a-3607-11d2-b9be-0000f87a36b2}   <-- this is the "DS-Install-Replica" control access right
      domainDNS

Additional Information:
      Parameter 1:      -
      Parameter 2:

Some notes:

1.  There is no audit generated for the first domain controller in a new forest (there is no context within which to perform DS auditing).

2.  For the first domain controller in a new domain in an existing forest, you'll see a slightly different event:

DS Access (here's the Longhorn version of the DS Access event; the Windows Server 2003 version [566] is very similar):

An operation was performed on an object.

Subject:
                Security ID:     MYDOMAIN\Administrator
                Account Name:    Administrator
                Account Domain:  MYDOMAIN
                Logon ID:        0x3213d7

Object:
                Object Server:   DS
                Object Type:     crossRefContainer  <-- when you see this
                Object Name:     CN=Partitions,CN=Configuration,DC=mydomain,DC=com
                Handle ID:       0x0

Operation:
                Operation Type:  Object Access
                Accesses:        Create Child
                Access Mask:     0x1
                Properties:      Create Child
                {bf967a8d-0de6-11d0-a285-00aa003049e2}

Additional Information:
                Parameter 1:     CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
                                 ^-- along with a new domain for the first time
                Parameter 2:     CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com


DS Change (this is the new Longhorn-only DS Change event):

A directory service object was created.

Subject:
                Security ID:                MYDOMAIN\Administrator
                Account Name:               Administrator
                Account Domain:             MYDOMAIN
                Logon ID:                   0x3213d7

Directory Service:
                Name:                        mydomain.nttest.microsoft.com
                Type:                        Active Directory Domain Services

Object:
                DN:                          CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
                GUID:                        CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain, DC=com
                Class:                       crossRef

Operation:
                Correlation ID:              {a991c256-d7f2-4654-bf68-76ef5ebe69b4}
                Application Correlation ID:  -
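Pulling these events out of a log by hand gets old quickly, so here is an added Python example (not code from the original post) that recognises all three of the rendered events above: the step 3 DS-Install-Replica audit, the crossRefContainer Create Child audit from note 2, and the Longhorn DS Change form of the same crossRef creation. The GUIDs are the ones printed in the events; the sample event texts are constructed here to mirror the post's redacted examples and are not real log captures.

```python
"""
Classify rendered DS Access / DS Change event text as a domain controller
promotion audit (replica DC, or first DC of a new domain), or as unrelated.
"""
import re

DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"  # control access right GUID (step 3)
CROSSREF_CLASS = "bf967a8d-0de6-11d0-a285-00aa003049e2"      # crossRef class GUID (note 2)


def parse_event(text):
    """Return ({'Field': 'value', ...}, [guid, ...]) from 'Field:   value' lines."""
    fields, guids = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        guids.extend(g.lower() for g in re.findall(r"\{([0-9a-fA-F-]{36})\}", line))
    return fields, guids


def classify_promotion_event(text):
    """Return {'kind', 'actor', 'target'} for a DC-promotion audit, else None."""
    fields, guids = parse_event(text)
    lines = text.strip().splitlines()
    header = lines[0].strip() if lines else ""
    actor = fields.get("Security ID", "")
    if header.startswith("An operation was performed on an object"):
        # Step 3: DS-Install-Replica exercised on the domainDNS head object.
        if fields.get("Object Type") == "domainDNS" and DS_INSTALL_REPLICA in guids:
            return {"kind": "replica-dc-promoted", "actor": actor,
                    "target": fields.get("Object Name", "")}
        # Note 2: a crossRef child created under CN=Partitions = first DC of a new domain.
        if (fields.get("Object Type") == "crossRefContainer"
                and "Create Child" in fields.get("Accesses", "")
                and CROSSREF_CLASS in guids):
            return {"kind": "new-domain-created", "actor": actor,
                    "target": fields.get("Parameter 1", "")}
    # Longhorn DS Change form of the same crossRef creation.
    if header.startswith("A directory service object was created") and fields.get("Class") == "crossRef":
        return {"kind": "new-domain-created", "actor": actor, "target": fields.get("DN", "")}
    return None


def scan(events):
    """Keep only the promotion-related events from a list of rendered event texts."""
    return [hit for hit in map(classify_promotion_event, events) if hit]


# Constructed sample events mirroring the post's examples (not real captures).
REPLICA_EVENT = """An operation was performed on an object.
Subject:
      Security ID:      YOURDOMAIN\\Administrator
      Account Name:     Administrator
Object:
      Object Server:    DS
      Object Type:      domainDNS
      Object Name:      DC=yourdomain,DC=com
Operation:
      Accesses:         Control Access
      Access Mask:      0x100
      Properties:       Control Access
            {9923a32a-3607-11d2-b9be-0000f87a36b2}
      domainDNS
"""

CROSSREF_EVENT = """An operation was performed on an object.
Subject:
      Security ID:      MYDOMAIN\\Administrator
Object:
      Object Type:      crossRefContainer
      Object Name:      CN=Partitions,CN=Configuration,DC=mydomain,DC=com
Operation:
      Accesses:         Create Child
      Properties:       Create Child
      {bf967a8d-0de6-11d0-a285-00aa003049e2}
Additional Information:
      Parameter 1:      CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
"""

DS_CHANGE_EVENT = """A directory service object was created.
Subject:
      Security ID:      MYDOMAIN\\Administrator
Object:
      DN:               CN=NEWDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com
      Class:            crossRef
"""

# An ordinary object access that should not be reported.
UNRELATED_EVENT = """An operation was performed on an object.
      Security ID:      YOURDOMAIN\\Administrator
      Object Type:      user
      Accesses:         Read Property
"""

if __name__ == "__main__":
    for hit in scan([REPLICA_EVENT, CROSSREF_EVENT, DS_CHANGE_EVENT, UNRELATED_EVENT]):
        print(hit)
```

On Longhorn the DS Access and DS Change events for a new domain both fire for the same promotion, so expect two hits with the same target and actor; deduplicate on the target DN if you are counting promotions rather than events.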

 

HTH