Q. Event ID 684 is logged every 60 minutes on a PDC emulator after you raise the forest functional level to Windows Server 2003?

Jerold Schulman

October 16, 2006


After you raise the forest functional level to Microsoft Windows Server 2003 and then create a new account and add it to an administrative or operator group, such as Domain Admins, events like the following are logged every 60 minutes in the Security event log of the PDC (Primary Domain Controller) emulator:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 684
Date: MM/DD/YYYY
Time: HH:MM:SS
User: NT AUTHORITY\ANONYMOUS LOGON
Computer:
Description:
Set ACLs of members in administrators groups:
Target Account Name:
Target Domain: DC=,DC=
Target Account ID:
Caller User Name:
Caller Domain:
Caller Logon ID: (0x0,0x3E7)
Privileges: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The security descriptor propagator (SDProp) runs on the PDC emulator every 60 minutes. It compares the security descriptor of each protected account (a member of an administrative or operator group such as Domain Admins) against the security descriptor of the AdminSDHolder object and, when the two differ, copies the AdminSDHolder descriptor onto the account and logs event 684. After the forest functional level is raised, the access control entries (ACEs) of new or modified accounts are written in a different order. Because SDProp compares the security descriptor as a single binary large object (BLOB) rather than ACE against ACE, a reordered but otherwise identical descriptor no longer matches, so the descriptor is reapplied, and event 684 logged, on every 60-minute pass.
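As an added example (not part of the original article and not code its author provided), the following PowerShell reproduces both comparisons on a live domain: the whole-DACL comparison of the kind SDProp makes, where a reordering alone counts as a difference, and an ACE-by-ACE comparison that ignores ordering, so you can tell whether a protected account differs from AdminSDHolder in substance or only in ACE order. It also tallies the resulting audit events on the PDC emulator. It assumes the ActiveDirectory PowerShell module on a domain-joined host with rights to read nTSecurityDescriptor; the account name svc-backup is a placeholder, and the event query also includes ID 4780, which Windows Server 2008 and later log for the same action (684 is the Windows 2000/2003 ID).

```powershell
# Added example, not from the original article: compare a protected account's
# DACL with AdminSDHolder both ways (whole descriptor vs. ACE by ACE) and count
# the SDProp audit events on the PDC emulator.
# Assumptions: ActiveDirectory module, domain-joined host, read access to
# nTSecurityDescriptor; 'svc-backup' below is a placeholder account name.
Import-Module ActiveDirectory

function Compare-AdminSDHolderAcl {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domain   = Get-ADDomain
    $holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

    # nTSecurityDescriptor is returned as System.DirectoryServices.ActiveDirectorySecurity
    $holderSd  = (Get-ADObject -Identity $holderDN -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $account   = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor, adminCount
    $accountSd = $account.nTSecurityDescriptor

    # 1. Whole-DACL comparison: one SDDL string for the entire DACL, so a reordered
    #    but otherwise identical set of ACEs compares as different. This mirrors the
    #    blob-style comparison the article attributes to the 60-minute SDProp pass.
    $daclOnly    = [System.Security.AccessControl.AccessControlSections]::Access
    $holderDacl  = $holderSd.GetSecurityDescriptorSddlForm($daclOnly)
    $accountDacl = $accountSd.GetSecurityDescriptorSddlForm($daclOnly)
    $blobMatch   = ($holderDacl -eq $accountDacl)

    # 2. ACE-by-ACE comparison: reduce each ACE to a canonical key and compare the
    #    sorted sets, so ordering is ignored and only real grant/deny differences remain.
    $aceKey = {
        param($ace)
        '{0}|{1}|{2}|{3}|{4}|{5}|{6}' -f $ace.IdentityReference.Value, $ace.AccessControlType,
            $ace.ActiveDirectoryRights, $ace.InheritanceType, $ace.ObjectType,
            $ace.InheritedObjectType, $ace.IsInherited
    }
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $holderKeys  = @($holderSd.GetAccessRules($true, $true, $sidType)  | ForEach-Object { & $aceKey $_ } | Sort-Object -Unique)
    $accountKeys = @($accountSd.GetAccessRules($true, $true, $sidType) | ForEach-Object { & $aceKey $_ } | Sort-Object -Unique)
    $aceDiff     = @(Compare-Object -ReferenceObject $holderKeys -DifferenceObject $accountKeys)

    [pscustomobject]@{
        SamAccountName    = $account.SamAccountName
        AdminCount        = $account.adminCount        # 1 once SDProp has stamped the account
        DaclBlobMatch     = $blobMatch
        DaclAceSetMatch   = ($aceDiff.Count -eq 0)
        OrderOnlyMismatch = (-not $blobMatch) -and ($aceDiff.Count -eq 0)
        # '<=' rows are ACEs present only on AdminSDHolder, '=>' rows only on the account
        Differences       = $aceDiff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }
    }
}

function Get-SdPropAuditEvents {
    param([int]$Hours = 24)

    # 684 is the Windows 2000/2003 event ID; Windows Server 2008 and later log
    # 4780 for the same "Set ACLs of members in administrators groups" action.
    # These are logged only when SDProp actually rewrote an account's descriptor,
    # so one per protected account every hour means it is rewriting on every pass.
    $pdc   = (Get-ADDomain).PDCEmulator
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 684, 4780; StartTime = $since
    } |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
        Sort-Object Hour
}

# Usage (placeholder account name)
Compare-AdminSDHolderAcl -SamAccountName 'svc-backup' | Format-List
Get-SdPropAuditEvents -Hours 24
```

If OrderOnlyMismatch is true for an account, the DACL is identical in substance and the hourly event is the reordering symptom the article describes; if DaclAceSetMatch is false, the Differences rows show which ACEs actually differ from AdminSDHolder and deserve a look, since a change to a protected account's ACL that SDProp keeps reverting is also the pattern you would expect from someone tampering with administrative accounts.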

See 9639 Description and Update of the Active Directory AdminSDHolder Object.

For more information about the scope and the operation of the AdminSDHolder object, see Microsoft Knowledge Base article 817433, Delegated permissions are not available and inheritance is automatically disabled.

