Tracking Changes
Many applications need to maintain consistency between specific data stored in Active Directory™ and other data. The other data might be stored in Active Directory, in a SQL Server table, in a file, in the registry — anywhere. When data stored in Active Directory changes, the other data might need to change in order to remain consistent. Applications that have this requirement include the following:
- Directory synchronization applications. For instance, the Active Directory Connector (ADC) is an application that maintains consistency between Active Directory and the Exchange Directory.
- Offline address book applications. When information about a user changes in Active Directory, the offline address book should eventually change to reflect this.
- Service applications whose configuration information is stored in Active Directory. When a service's configuration changes in Active Directory, the service should reconfigure itself as quickly as possible.
Active Directory contains rich support for this class of applications, which we'll call change-tracking applications. This support is the topic of this chapter.
This chapter discusses the following topics:
Note that this chapter does not cover mechanisms used by monitoring applications. These are applications that monitor directory changes not for the purpose of maintaining consistent data between separate stores, but simply as a management technique. Although monitoring applications can use the same mechanisms that support change-tracking applications, the following mechanisms (documented elsewhere) are specifically tailored for monitoring applications:
- Security auditing. By modifying the SACL portion of an object's security descriptor, you can cause accesses to the object on a given domain controller to generate audit records in the security event log on that DC. You can audit reads, writes, or both reads and writes; you can audit the entire object or specific attributes. For more information, see Retrieving an Object's SACL and Audit Generation.
- Event logging. By modifying registry settings on a given domain controller you can change the kinds of events logged to the directory service event log. Specifically, to log all modifications, set the "8 Directory Access" value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics key to 4. For more information, see Event Logging.
- Event tracing. Windows® 2000 provides an Event Tracing API for tracing and logging interesting events in software or hardware. The Windows 2000 operating system, and Active Directory in particular, support the use of event tracing for capacity planning and detailed performance analysis. For more information, see Event Tracing.
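The first two monitoring mechanisms above, adding an audit entry to an object's SACL and raising the "8 Directory Access" diagnostics value, as an added PowerShell example that is not part of the original chapter; the function names, the principal and the OU name are assumptions.

```powershell
# Added example, not part of the original chapter. Assumes the ActiveDirectory
# module (for the AD: drive), a session on a domain controller with administrative
# rights (writing a SACL needs SeSecurityPrivilege), and that the "Audit directory
# service access" audit policy is enabled; without it no audit records are generated.
Import-Module ActiveDirectory

# Mechanism 1: SACL-based auditing of writes to one object (or one attribute of it).
function Add-AdObjectWriteAudit {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string] $Principal = 'Everyone',   # whose accesses are audited
        [guid]   $AttributeGuid             # schema GUID of one attribute; omit to audit the whole object
    )
    $path = "AD:\$DistinguishedName"
    # -Audit is required to read (and later write back) the SACL part of the descriptor.
    $acl = Get-Acl -Path $path -Audit
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $flags  = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
    if ($PSBoundParameters.ContainsKey('AttributeGuid')) {
        # Object-type GUID limits the audit entry to a single attribute.
        $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
                    $sid, $rights, $flags, $AttributeGuid)
    } else {
        $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($sid, $rights, $flags)
    }
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Mechanism 2: Directory Service event log diagnostics. Level 4 on "8 Directory Access"
# logs every modification on this DC; 0 restores the default level.
function Set-NtdsDirectoryAccessLogging {
    param([ValidateRange(0, 5)] [int] $Level = 4)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $key -Name '8 Directory Access' -Value $Level -Type DWord
    # Read the value back so the caller can confirm the change took effect.
    (Get-ItemProperty -Path $key -Name '8 Directory Access').'8 Directory Access'
}

# Constructed usage: audit writes to one OU, then raise this DC's diagnostics level.
Add-AdObjectWriteAudit -DistinguishedName 'OU=Servers,DC=example,DC=com'
Set-NtdsDirectoryAccessLogging -Level 4
```

Audit records appear in the Security log of the DC where the access occurred, and level 4 logging is verbose, so lower it again once the investigation is done.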