A Common Misconception Regarding Security Logs

Active Directory, which is responsible for the security of Windows-based networks, is hosted by domain controllers. Active Directory data is replicated among the controllers, so once the replication delay has passed, the data on all controllers is identical. That means all the security information (login credentials, access control lists and so on) is the same on each of them.

Security logs, however, are not the same across controllers. Each domain controller records only the security-related events that actually occurred on it; they are not copied to the other controllers, for an obvious reason: a controller's security log holds only the events that relate to that controller.

So it is a mistake to assume the logs are replicated as well; it also means all security-related monitoring and analysis must cover the logs of every domain controller present.
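As an added example (not from the original post), the following PowerShell runs the same Security-log query against every domain controller and aggregates the results, so a domain-wide view is not limited to whichever controller happened to authenticate the user. It assumes the ActiveDirectory module is installed and that the account running it can read each controller's Security log remotely.

```powershell
# Added example: collect Security-log events from every domain controller,
# because the Security log is not replicated between controllers.
Import-Module ActiveDirectory

# Assumptions: read access to each DC's Security log and event-log RPC
# reachable from this host.
$since   = (Get-Date).AddHours(-24)
$eventId = 4625   # "An account failed to log on"; change to the event you monitor

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$all = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = $eventId
            StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                # In event 4625, data field index 5 is TargetUserName
                TargetUser       = $_.Properties[5].Value
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that is not a failure here
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read Security log on $dc : $($_.Exception.Message)"
        }
    }
}

# Per-controller counts show why one controller's log is not representative
$all | Group-Object DomainController | Select-Object Name, Count

# Domain-wide view: failures per account, combined across all controllers
$all | Group-Object TargetUser | Sort-Object Count -Descending | Select-Object Name, Count
```

Controllers that could not be reached are reported as warnings rather than silently skipped, since a missing controller means a gap in coverage, not an absence of events.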


About this Entry

This page contains a single entry by Konstantin Boyandin published on December 16, 2009 8:47 PM.
