Event ID 611 – Removing Trusted Domain
Like event 610, event 611 too varies depending on the OS. When a trusted domain is removed on Win2000, event 611 gets logged twice by the domain controller. Unlike event 610 though, event 620 does not get logged along with 611.
On Windows 2003, this event is logged only once when a trusted domain is removed. The DC also logs events 565 and 564 if the directory service access auditing is on.
This log data provides the following information:
- Domain Name
- Domain ID
- Removed By
- User Name
- Logon ID
Why does event ID 611 need to be monitored?
All changes related to Active Directory domain trusts, such as removal of trust, should be monitored. If an unplanned change occurs, the reason for the change must be investigated.
ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.
Event 611 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4707