G.2 Event Monitoring

The content of the Event Monitor Partial Replica (PR) is not currently being limited by the explicitly set scope. However, the PR content is limited by the internal scope that the Event Monitor constructs and populates with explicit exclude filter elements for the CN=Builtin,<domain-ldap-fdn> container and for all of the “[Other] Well Known Objects” containers except the “Users”, “Computers” and “Domain Controllers” containers.

The suppression of Event Record Entry (ERE) creation is limited by the scope.

Given a constant scoping filter, the following behavior is expected as the Partial Replica is built and maintained over time:

  • Objects that are within scope when created or deleted will have Partial Replica Entries (PREs) created and maintained for them, with appropriate Event Record Entries (EREs) being created and made available for use.

  • If an object is created while out of scope and is then moved in scope, the Event Monitor will process the move as if it were the creation of a new object.

  • If an object is created while in scope and is then moved out of scope, the PRE will be updated and an ERE will be created for the object move, after which no other EREs will be created for the object for as long as it remains out of scope. Additionally, the PRE for the object will not be maintained while it is out of scope.

  • If an object that was previously in scope and had a PRE created for it is deleted after it was moved out of scope, the PRE will be marked as being a stub that represents a tombstone, but no EREs will be generated related to the object being deleted.

When the scope changes (e.g. the portion that affects the content of the PR) after the PR has been created, the following behavior can be expected as the PR is maintained over time:

  • A partial rebuild or full rebuild of the partial replica will be initiated when the Event Monitor receives the updated scope and determines that it is different from the previous scope that it had been using. This rebuild happens only if the portions of the filter that affect the PR have changed; changes to the portions of the scope that affect only ERE filtering will go into effect immediately without triggering a PR rebuild.

  • If an object was created when it was out of scope, and then the scope is altered so that the object is now in scope, then the next time that the object is modified, it will be handled as if it had just been created.

  • If an object was created when it was in scope, and then the scope is altered so that the object is now out of scope, then no further EREs will be generated for the object and its PRE will not be maintained, for as long as it remains out of scope. If the object is deleted while it is out of scope, the PRE will be marked as being a stub that represents a tombstone, but no EREs will be generated related to the object being deleted.
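
The PRE/ERE rules in the two lists above can be replayed as a small state model to see which directory changes produce no ERE, and so never reach anything that consumes EREs. This is an added illustration, not the product's code: the class name, PRE state labels, event tuples and sample DNs are all constructed, and an ERE for an in-scope modify is an assumption read from "appropriate EREs".

```python
from dataclasses import dataclass, field

@dataclass
class EventMonitorModel:
    """Toy model of the scoping rules in this section (hypothetical names)."""
    pres: dict = field(default_factory=dict)    # object -> PRE state label
    eres: list = field(default_factory=list)    # (object, ERE kind) in order
    silent: list = field(default_factory=list)  # changes that produced no ERE

    def handle(self, obj, kind, in_scope):
        """kind: create | modify | move | delete.
        in_scope: whether the object is in scope after the change."""
        pre = self.pres.get(obj)
        if in_scope:
            # An in-scope object with no PRE yet (moved in, or scope widened)
            # is handled as if it had just been created.
            if pre is None and kind != "delete":
                kind = "create"
            self.pres[obj] = "tombstone" if kind == "delete" else "current"
            self.eres.append((obj, kind))
            return True
        if pre == "current" and kind == "move":
            # Move out of scope: PRE updated, one last ERE for the move.
            self.pres[obj] = "stale"
            self.eres.append((obj, "move"))
            return True
        if pre is not None and kind == "delete":
            # Deleted while out of scope: stub tombstone, no ERE.
            self.pres[obj] = "tombstone-stub"
        self.silent.append((obj, kind))
        return False

def replay(events):
    model = EventMonitorModel()
    for obj, kind, in_scope in events:
        model.handle(obj, kind, in_scope)
    return model

# Constructed sample sequence (not real directory data).
SAMPLE = [
    ("cn=alice", "create", True),
    ("cn=alice", "modify", True),
    ("cn=alice", "move",   False),  # leaves scope: last ERE for alice
    ("cn=alice", "modify", False),  # no ERE
    ("cn=alice", "delete", False),  # no ERE, PRE becomes stub tombstone
    ("cn=bob",   "create", False),  # no ERE, no PRE
    ("cn=bob",   "move",   True),   # reported as a create
]

if __name__ == "__main__":
    m = replay(SAMPLE)
    print("EREs:  ", m.eres)
    print("Silent:", m.silent)
    print("PREs:  ", m.pres)
```

The `silent` list is the part to review when drawing a scope: every entry is a change that no ERE consumer will see.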