Browsing Posts published by Huw

In this example I am creating a Certificate Signing Request on a Windows 2008 R2 server.

Choose “create custom request” and set the options as below.

Note if installing on a TMG server you may need to change the above template to “legacy”.

On the next window click on “details” and then “properties”

You will need to enter the certificate details.

In the general section enter a friendly name for the certificate – this can be anything you want.

In the subject name section enter the below under the “type” drop down menu

  • Common name.  In the Value field, enter the primary name of your certificate – e.g.  
  • Organization
  • State
  • Country
  • Email (Optional)

In the Alternative name drop down box, enter subject alternative names if you need them.  

You may need to change the below settings depending on the type of server you are adding the certificate to.



On the private key tab enter the details below.


Click apply


Above I have selected “make private key exportable”.  This step is only required if you will use this certificate on another computer (e.g. in a clustered environment), or with an application that does not use the Windows certificate store (e.g. Mozilla Firefox).  

Click “ok” then “next”. Choose the location to store the CSR and click finish.


In this example I am creating an access list to restrict access to the “main” network from a “guest” vlan. The exception to this is the DHCP server that the guests will need to connect to pick up an address.

Main network subnets

Guest network subnet

DHCP server


Note that you will need to explicitly block every vlan. Any future vlans created will need to be added to this list.

Dell PowerConnect 6000 Series

Create access list:-

access-list Guest permit tcp eq 67

access-list Guest deny ip

access-list Guest deny ip

access-list Guest deny ip

access-list Guest permit ip any any

Apply ACL:-

Int vlan 40

Ip access-group Guest

Dell Force10 S4810 Switches

Create ACL:-

ip access-list extended Guest

seq 10 permit tcp eq 67

seq 20 deny ip

seq 30 deny ip

seq 40 deny ip

seq 100 permit ip any any

Apply ACL:-

Int vlan 40

Ip access-group Guest in


This should now work. Don’t forget to use copy run start to save your changes!

When installing a new SSL certificate you may find that you need to change the URLs used by Exchange as you can no longer get SSL certificates with non-internet FQDNs. E.g. You can’t use exch2010.mycompany.local as .local is not an internet domain. You will need to configure your Exchange server to use an FQDN – e.g. internally. This article explains how to change the URLs used by Exchange 2010.

Note that you will need the relevant DNS entries setup for this to work. You may need a “split brain” setup – i.e. where autodiscover.mycompany.local resolves to the internal IP of your exchange server. This is outside of the scope of this article. Also outside is assigning services to your new certificate.

Change URLs in EMC

The External URLs to change are:-

  • (Outlook Web App)
  • (Exchange Control Panel)
  • (ActiveSync)
  • (Offline Address Book)

Open the EMC and navigate to the below.

Double click on each tab and change the URL used.

Change URLs in Powershell

The two URLs to change are:-

  • (Autodiscover)
  • (Exchange Web Services, Availability, Out of Office)

Open Powershell (run as administrator) and enter the below changing the FQDN:-

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl ‘’

I would recommend running an IISRESET.


This article explains how to update the X710 & XL710 series of network adaptors on ESXi 6

I had to do this to fix a Purple Screen Of Death (PSOD) issue when using 10GB Intel X710 adaptors.

Check Current Version of Drive and Firmware

You can check this via the shell with the command ethtool -i vmnic0

[root@esxi-03:~] ethtool -i vmnic0

driver: i40e

version: 1.2.22

firmware-version: f4.33.31377 a1.2 n5.06 e1863

bus-info: 0000:01:00.0


Method 1 – Intel NVM Software

Go to the below website and download the update utility.

You will want the XL710_NVMUpdatePackage_v4_50_ESX.tar.gz

Copy this onto a datastore accessible by the ESXi server and extract with the command tar -zxvf XL710_NVMUpdatePackage_v4_50_ESX.tar.gz

Change into the directory

[root@xxx-esxi-03:/vmfs/volumes/52c59127-f0806a72-fafa-bc305bd7326f/Drivers/IntelXL710/XL710/ESXi_x64] chmod 755 nvmupdate64e

[root@xxx-esxi-03:/vmfs/volumes/52c59127-f0806a72-fafa-bc305bd7326f/Drivers/IntelXL710/XL710/ESXi_x64] ./nvmupdate64e -l nvmupdatelog01.txt

Note that this did not work in my example, hence I used method 2 below…

Method 2 – Via Update Manager


Download driver

Note although its for ESXi 5.5 it is also compatible with v6 – “VMware ESXi 5.5 i40e 1.2.48 NIC Driver for Intel Ethernet Controllers X710 and XL710

The ESXi 5.5 driver package, also compatible with ESXi 6.0″

Install into repository

Create baseline

Attach baseline, scan and remediate

Verify Update

[root@cap-esxi-03:~] ethtool -i vmnic0

driver: i40e

version: 1.2.48

firmware-version: f4.33.31377 a1.2 n4.41 e1863

bus-info: 0000:01:00.0

[root@cap-esxi-03:~] ethtool -i vmnic1

driver: i40e

version: 1.2.48

firmware-version: f4.33.31377 a1.2 n4.41 e1863

bus-info: 0000:01:00.1






DCB allows switches to prioritise different types of traffic via either a lossless queue or Priority Flow Control (PFC). This permits to the switch to pause non-priority traffic when congested. Traffic is paused according to the 802.1p priority. You can also divide available bandwidth between different traffic types by setting parameters known as Enhanced Transmission Selection (ETS).


This article gives an example of configuring DCB on a pair of Force10 MXL’s connected to an Equallogic SAN.


Configure Equallogic

From version 6 of the Equallogic firmware the array can automatically detect if there is an invalid DCB configuration on the switch. If there is you will see the below error.

To specify the DCB vlan go to the advanced tab as shown below. In my example I am using vlan 3000

Save your changes.


Configure MXL

In my example I am configuring DCB with Force10 MXL switches. You can find instructions for other switches here.


You will need to enter the below commands on BOTH MXL switches. The red commands may need to be changed based on your config.

  1. Disable flow control on all ports (note the port ranges may change depending on what interfaces are set to quad mode)

    Interface range te0/1-32, te0/41-56

    No flowcontrol rx on tx off


    Interface range fo0/33, fo0/37

    No flowcontrol rx on tx off


  2. Check DCB is enabled with the show dcb command. If not enabled you will need to enable and reload the switch (after saving the config of course).
  3. Create tagged VLAN for all iSCSI ports and port-channels. In my setup po100 is the VLT port channel.

        Interface vlan 3000

        No shutdown

        Tagged te0/1-15

        Tagged te0/41-56

        Tagged po100


  4. Configure DCB policies

    dcb-map CP-DCB

    priority-group 0 bandwidth 50 pfc off

    priority-group 1 bandwidth 50 pfc on

    priority-pgid 0 0 0 0 1 0 0 0


  5. Apply policies to switch ports used for iSCSI

    Int range te0/1-15, te0/41-56

    Dcb-map CP-DCB

    Int range fo0/33,fo0/37

    Dcb-map CP-DCB



  6. Save the config!


Check DCB Settings on Equallogic

Right click on the iSCSI interface of the member and select DCB details. Please then check:-

  • In the traffic class group (Group 1 in this example) only iSCSI is present
  • ETS Bandwidth is set from 1-100% (50% in this example)
  • Recommended priority for iSCSI is 4
  • Lossless in on foe the iSCSI group


This article explains how to recover a file from dropbox when it has been encrypted by Cryptolocker. As cryptolocker changes the file extension for all files to “.encrypted” the original file can be found in deleted items.

On a non-infected PC logon to the dropbox website. Navigate to the folder required and click on the “show deleted files” icon

You should now be able to view the file and restore. I suggest restoring from a previous version first.

Click on a link to download the file


This article explains how to update a standalone (i.e. not managed by vCenter) ESXi host to a later version.

Enable Remote Shell Access

In this example I am connecting to the ESXi server remotely. Alternatively you could run this from the ESXi shell via the console. Logon to the ESXi server via the vi client and go to configuration – security. Firstly start the SSH service.

Secondly make sure the “SSH server” service is running.


Update the ESXi server

You should now be able to SSH to the ESXi server. In this example I am using putty as an SSH client.

Allow outbound HTTP access

esxcli network firewall ruleset set -e true -r httpClient

To view a list of ESXi versions to download enter the command

esxcli software sources profile list -d

Choose the version you want to install. In this example we want the latest version – ESXi-5.5.0-20140704001-standard. Enter the below command to download and install (substituting the version as appropriate

esxcli software profile update -d -p ESXi-5.5.0-20140704001-standard

Once complete you will be prompted to reboot. Once you have rebooted the system is ready to use.


This article explains how to update the firmware of a Dell N200 or N3000 series switch. To be specific this will work on N2024/N2024P/N2048/N2048P/N3024/N3024F/N3024P/N3048/N3048P switches.


  • It is assumed that the switch is on the network and has an IP address configured (this is needed to copy the firmware file onto the switch). You will need to download the updated firmware from the dell website and extract the contents.
  • You will need to have a TFTP server running and accessible from the switch. If you do not already have TFTP you can download a basic server from here
  • Copy the firmware file (.stk) into the TFTP directory (in this example


Step 1 – Backup Existing Config

Connect to the switch either via a console connection or telnet/putty.

copy running-config tftp://YYYYYY/backup-stackX

Where YYYY is the IP address of your TFTP server

conf t

enable password XXXXXXXXX

Where XXXXXXXX is your password

copy running-config-startup-config

Verify the current firmware version by running

Show ver

Below shows the steps taken in a real world upgrade…


Step 2 – Copy New Firmware onto Switch

In this step we are copying the new firmware onto the backup config.

copy tftp://YYYYYYYY/ZZZZZZZZ.stk backup

Where ZZZZZ is the name of the firmware update file. For firmware the file is N3000_N2000v6.1.0.6

show ver

Verify that the new firmware is shown in the backup config. Assuming all ok then we want to then boot off the backup config.

boot system backup


Once the switch has rebooted. Connect to the switch and enter a show ver to verify the active firmware


Step 3 – Update Bootcode

We then need to update the bootcode to ensure the system always boots with the new firmware.

update bootcode


Then issue a show ver to verify the active firmware version.

Note if connected via serial cable you can verify the bootcode version on switch reload. For this firmware (only) look for “U-Boot 2012.10-00077-g89d3a3e (Mar 18 2014 – 13:11:33)”

For further information look at the pdf’s including with the firmware .zip file.


In this example I am setting up a very basic DFS infrastructure for a company with one head office and one branch office. The DFS server in head office is called Training-DC1, the DFS server in the branch office is called Training-DC2. We want to create a folder that is available and replicated to both sites.


  • DFS is not going to play nice is there are communication and/or Active Directory issues. Please check that all is well – I recommend running ping tests and “dcdiag” on all servers to check for issues.
  • Install DFS Role on all servers that will be holding DFS shares. This is done from server manager


Setup Namespace

Microsoft’s definition of a DFS Namespaces – “Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. However, the underlying structure of the namespace can consist of numerous file shares that are located on different servers and in multiple sites.”

On your main DFS server (e.g. the one in head office) open the DFS Tool from server manager and create a new namespace

Select the local server


Click on edit settings and enter the below. For the local path I recommend creating a folder referencing the server name (in this instance DFS-DC1). I have seen DFS replication problems caused by different servers having the same folder name.

Click next and finish.


Add Other Servers to Namespace

In the DFS management tool click on add namespace server

Select your second DFS server (in this example the branch office server).

Click on edit settings and set folder access as appropriate. Again I recommend choosing a unique name for the folder (DFS-DC2 in this example).


Create Replication Group

In DFS management console right click on “replication” and select “new replication group”

Select a multipurpose replication group and click next.

Add your servers

Select your chosen topology

Choose schedule and primary member. Then chose the folder to replicate on the primary server (DFS-DC1).

Chose the location of the folder to replicate on the other server (in this example DFS-DC2).



You have now setup a replicated folder accessible from both sites/offices via a non-server specific address (in this example \\training.local\DFS)

In the event of any problems check Windows firewall and server manager for event errors.


Some notes I’ve made whilst studying for 70-414. I’ve tried to keep them as concise as possible. Some of the screenshots are from older versions of windows but are included to show specific settings.

System Center 2012r2

  • Orchestrator – A workflow management solution for the data center that lets you automate the creation, monitoring and deployment of resources in your environment.
    • Service Provider Foundation – This enables service providers and hosters to design and implement multi-tenant self-service portals that integrate IaaS capabilities.
      • Stamp – a concept introduced in Service Provider Foundation, a stamp is a logical unit of a SCVMM, a HyperV host and a VM. As they must be monitoring SCOM is required also. For example a hosting company may have a “stamp” for each customer.
  • Service Manager – A platform for automating and adapting your organizations best practises (e.g. ITIL). Provides processes for change control, problem resolution, asset management etc.
  • App Controller provides a common self-service experience that can help you easily configure, deploy, and manage virtual machines and services across private and public clouds.
  • System Center Global Service Monitor (GSM) provides capability to monitor externally facing web sites and web services from geo-distributed location. There are two monitoring types
    • Web Application Availability
      Monitoring that monitors single URLs
    • Visual Studio Web Tests Monitoring that lets you to run multi-step, authenticated web tests from Microsoft-provided agents in the cloud.
  • The Self-Service Portal provides web-based access to the features of System Center 2012. It can be used by users to reset their own passwords.

System Center Configuration Manager (SCCM) –

  • Configuration Manager integrates with Windows Deployment Services to allow you to perform OS deployment and image capture.
  • Configuration baselines contain predefined configuration items and optionally, other configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in that collection download the configuration baseline and assess their compliance with it.
  • You can have primary sites, secondary sites and distribution points. For sites with less than 500 nodes use distribution points. Each primary site can support up to 10 management points. A secondary site supports 1.

System Center Operations Manager (SCOM) –

  • A cross platform management and monitoring solution for PCs, Servers and Hypervisors (including VMWare).
  • Can be used in conjunction with SCVMM for reporting
  • Audit Collection Services – a means to collect records generated by an audit policy and store them in a centralized database
  • Gateway server – Used as a local hub for authenticating and communicating with clients.
  • Management Packs – contain the settings for monitoring applications and services as well as tasks, views, reports, run as profiles etc.
    • Overrides – allow you to change the default values – e.g. the severity of an alert
  • To setup email notification subscriptions, go to administration – notifications – subscriptions and create a subscription task

  • You can monitor Distribution Applications with Service Level Tracking

System Center Virtual Machine Manager (SCVMM)

  • To integrate VMM with SCOM you need to
    • Install powershell v3
    • Install an Operations Manager Operations console on the VMM management server
    • Install Operations Manager agents on the VMM management server and all hosts under management by VMM (managed hosts).
    • Import the necessary management packs
  • Host Groups – can be used to group Hyper-V hosts. You can then assign permissions to host groups.


VMM uses a number of architectural components

  • Logical network – e.g. LAN, WAN, DMZ, VLAN1, VLAN2 etc

  • Network Sites – allow the same logical network to have a difference address when in another site. E.g. the LAN for London may be different to Norwich.
  • Port Profiles – there are 2 types
    • Virtual Port Profiles – for use with VMs. You can specify offload settings, DHCP guard, guest teaming, QoS etc
    • Uplink Port Profiles – The connectivity of the virtual switch to the logical (actual) network
  • Port Classifications – a label that can be used to identify different classes of connection (.e.g “Gold” for fast fibre SAN, “Bronze” for NAS”)
  • Network Types
    • Internal – Communication between the host and the VMs only
    • External – Communication between the VMs and other systems (via a physical adaptor)
    • Private – Communication only between VMs

  • A Virtual IP (VIP) template – can be used for hardware load balancers. These contain load-balancer-related configuration settings for a specific type of network traffic.

Integration with other Hypervisors

You can manage VMWare and Citrix XenServer hypervisors from SCVMM.

  • To manage citrix servers you must install the system center integration pack.


  • You can assign the below roles within VMM
    • Administrator – full rights to all objects
    • Fabric Administrator – a delegated administrator role, can perform all administrative tasks within their assigned host groups, clouds or library servers.
    • Read-Only Administrator – view only rights
    • Tenant Administrator – can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines.
    • Application Administrator – Members of the Self-Service User role can create, deploy, and manage their own virtual machines and services by using the VMM console or a Web portal.


Automatic Virtual Machine Placement

  • VMM Availability sets – can be used to specify VMs that should be kept on different hosts (e.g. DCs). Aka anti-affinity.
  • Custom Properties – can be used to customize placement via your own criteria. E.g. create a value called costcenter
  • Preferred Owner – Selected first where possible, Possible Owner – VMs can only be migrated to possible owners

  • P2V. As of System Center 2012 R2, you can no longer perform P2V conversions in VMM. You can use System Center 2012 SP1 as long as the source system:-
    • Have more than 512MB RAM
    • Have volumes smaller than 2040 G
    • Does not have encrypted volumes
  • Service Template – Contains the information required to create an instance of a service (e.g. multi—tier application).
    • A tier can contain up to 4 components
      • VIP template – a virtual IP address used with NLB
      • VM template
      • Application profile – reference application code or scripts
      • SQL profile – schema definitions and other SQL info
    • Each service template has a release number.
    • Each VM created from a service template maintains its connection to the template. Therefore if you update the template, the release number of the template is raised and the changes are pushed out to all VMs created from the template.
  • Dynamic Optimisation – migrates virtual machines to improve load balancing among hosts and to correct any placement constraint violations for virtual machines.
    • You can specify Dynamic Optimization settings for: CPU, memory, disk I/O, and network I/O.
    • Can be configured on a host group
    • Aggressiveness – determines the amount of load imbalance required to initiate a migration. VMs are migrated every 10 mins with the default (medium) aggressiveness.
    • Power Optimisation – turns off hosts when not needed to save power. They can then be turned back on when required
    • Host reserve – Set aside CPU, Memory, Disk I/O and Network I/O for the host OS.
  • The Replica Broker role must be installed if attempting to replica VMs that are in a cluster

Windows Powershell Desired State Configuration (DSC)

Installed as a feature, DSC is a new management platform in Powershell that can be used to:-

  • Enabling or disabling server roles and features
  • Managing registry settings
  • Managing files and directories
  • Starting, stopping, and managing processes and services
  • Managing groups and user accounts
  • Deploying new software
  • Managing environment variables
  • Running Windows PowerShell scripts
  • Fixing a configuration that has drifted away from the desired state
  • Discovering the actual configuration state on a given node

Use the cmds Set-DscLocalConfigurationManager and Get-DscLocalConfigurationManager


  • Cluster Aware Updating (CAU) – a new feature in windows 2012r2 to enable the update of Clustered servers
  • Data-duplication – Now supports VDI virtual machines on Cluster Shared Volumes (CSV)
  • When there are multiple networks Win2012r2 uses the below criteria when deciding what network to use for CSV traffic.
    • Metrics
      • These are automatically calculated based on speed and whether features such as RDMA and RSS are supported.
      • However, SMB multichannel takes precedence over network calculated metrics. To just rely on metrics you must disable SMB Multichannel.
  • A File Share Witness (FSW) is a file share that you may create on a completely separate server from the cluster to act like a disk for tie-breaker scenarios when quorum needs to be established. You would typically use a FSW as a tie-breaker when there are an even number of clustered servers.


  • DHCP failover – A new feature in Windows 2012r2 that allows multiple DHCP servers to be setup in an active/passive configuration. Should the active fail, the passive server will take over.

Windows Intune

A cloud management solution aimed at SMEs. Allows administrators to deploy updates, malware protection and manage inventory.

Network Load Balancing

Filtering Mode

  • Multiple host – traffic will be handled by multiple nodes
  • Single host – single host

Affinity –

  • Single – Used in most instances when clients originate from many different locations
  • None – If clients originate from the same IP (e.g. behind a NAT router).
  • Network – Request originating from the same class C network are directed to the same node

You will need to enable MAC address spoofing on the virtual adaptor of a VM in order to use NLB

The below network services can be load balanced by NLB:-

  • SQL server 2012 reporting services
  • Sharepoint Server 2010 front-end web server

Microsoft Desktop Optimization Pack

Contains a number of utiliies

  • Asset Inventory Service – helps you determine what software and hardware you have in your organization compared to your licensing agreements.

Virtual Disks

Resiliency Settings – When creating a virtual disk you have the following resiliency options

  • 2-way mirror – requires at least 2 disks
  • 3-way mirror – requires at least 5 disks
  • Parity – requires at least 3 disks


Email Encryption –

For 2 companies to encrypt emails sent between them you should

  • Exchange and install root CA certificates
  • Duplicate the enrolment certificate and install a template based on the new certificate
  • Request cross certification authorities

Constraints can be applied during the cross-certification process by using a policy.inf file. CApolicy.inf is used to apply constraints during the installation of a CA

Recovery of a CA

To restore certificate revocation checking in the event of a failed CA

  • Restore a copy of the CA’s private key and then retrieve a copy of the CRL
  • Use certutil to resign the CRL and extend the validity period of the CRL
  • Republish the CRL using Certutil


  • Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. When used with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
  • Online Responder – Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate.
  • Certificate Authority Web Enrollment – Provides a web interface to the CA role service


WAN bandwidth optimization technology that is included in Windows 2008R2 and Win7 and higher. To optimize WAN bandwidth when users access content on remote servers, BranchCache copies content from the remote servers and caches it locally for clients at branch offices to access.

  • In hosted mode data is cache on a local “server”
  • In distributed mode no server is required. Content is distributed amongst the client computers.


  • Autonomous mode: An upstream WSUS server shares updates with its downstream server or servers during synchronization, but not update approval status or computer group information. Downstream WSUS servers must be administered separately.
  • Replica mode: An upstream WSUS server shares updates, approval status, and computer groups with its downstream server or servers. Downstream replica servers inherit update approvals and cannot be administered apart from their upstream WSUS server.

Active Directory Rights Management Servicies (AD RMS)

An information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.


  • Designed for the data center, Windows Azure Pack integrates with System Center and Windows Server to help provide a self-service portal for managing services such as websites, Virtual Machines, and Service Bus; a portal for administrators to manage resource clouds; scalable web hosting; and more. Available for free.

Azure Site Recovery

Use Azure Site Recovery to protect virtual machines running on Hyper-V hosts located in System Center Virtual Machine Manager (VMM) clouds. To setup site recovery

  1. Get a certificate uploaded to the vault and set up on the source VMM server, and generate a vault key.
  2. Set up VMM servers—Install the Azure Site Recovery Provider on the source and target VMM server.
  3. Configure the VMM clouds—Configure protection settings for VMM clouds.
  4. Enable virtual machines—Enable protection for virtual machines.

Scale-Out File Server

Designed to provide continuously available file shares by sharing the same folder from a number of servers. Ideal for use where there is no SAN. It can be used in 2 scenarios

  1. Application data – e.g. HyperV VMs
  2. File Server – e.g. clustered file server


Top deploy bitlocker you need to setup one account with permission to decrypt encrypted drivers

  1. Install Bitlocker on a DC
  2. Copy, modify and publish the basic EFS template
  3. Request a new certificate for the user with “basic EFS”. Save as a .cer
  4. Deloy the data recovery agent in GPO


To have certificates automatically renew you need to edit the autoenrollment template

Then edit the GPO


  • Windows Server Gateway – like RRAS. Use it to connect to different networks
  • RDMA – aka SMB direct – SMB CPU processing if offloaded to the NIC
  • Receive-side scaling (RSS) – Enables a network adapter to distribute its network processing load across multiple virtual processors in multi-core virtual machines.
  • VHDX disks can store over 2TB of data.
  • When creating virtual disks:-
    • A 2 way mirror requires 2 disks
    • Parity requires 3 disks
    • A 3 way mirror requires 5 disks
  • To audit changes to active directory objects in an OU you must:-
    • From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.
    • Modify the audit settings on the OU