Get answers to your security-related Windows 2003, XP, and Win2K questions
How can we identify any changes to trust relationships in our domains? Does the Security log track trust changes?
Yes, the Security log does audit trust changes with specific event IDs in the Policy Change Security log category, but Windows 2000 Server and Windows Server 2003 log the changes somewhat differently. In Win2K, any newly created trust relationship generates two identical instances of event ID 610 (New Trusted Domain). Both instances use the description New Trusted Domain, which is accurate for the trusted domain but misleading for the trusting domain. Event ID 610 logs the name of the domain at the other end of the trust relationship and identifies the system that established the trust. When you delete a trusted or trusting domain, Win2K logs one instance of event ID 611 (Removing Trusted Domain). Somewhat inconsistently, Win2K also logs event ID 620 (Trusted Domain Information Modified) when a new trusted or trusting relationship is created but not when trusts are deleted.
Windows 2003 also logs event IDs 610, 611, and 620 but provides more detailed information in the description and logs only one instance of event ID 610 for new trusts. Event IDs 610 and 620 include a field for the type of trust and its direction; the field has the value 1 for trusted domains, 2 for trusting domains, and 3 for a two-way, mutual trust.
If you have the Audit policy Audit directory service access option enabled, you'll also see an instance of event ID 565 (Object open) when you change a trust. The description lists the event operation as create child and the object class as trustedDomain and supplies the distinguished name (DN) of the new domain (e.g., CN=SouthAmerica,CN=System,DC=elm,DC=local).