Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Friday, September 27, 2019 10:14 PM
I am trying to decipher ptr record deletions vhe the DNSServer/audit. On server 2012 the information seems to be logged in eventid 520. A record deletions (logged as type 1) show the dns entry hostname that is being deleted. PTR records however (logged as type 12) do not seem to have this information. For the name they include only an arbitrary 2 or 3 digit number along with the zone where the record was deleted. Is there any way to decipher what entry was deleted?
All replies (4)
Wednesday, October 16, 2019 1:34 AM âś…Answered
I think I actually figured it out. The 520 event does show it correctly. The number is the last octet of the record. I was able to determine that the machine was deleting its own record.
Monday, September 30, 2019 7:29 AM
Hi,
Thanks for your question.
As the research, I made a test environment as same as yours.
Exactly, we only can observe that A record has a delete value when it deleted and logged in the auditing events 4662 under the section "Windows logs > Security > Audit Success". A PTR record deleting can be recorded, but there's no delete value, only read and write operations.
But, we can still realize a PTR record was deleted from the event ID 516 as below. This event logged under "Event viewer > Applications and Services > Microsoft > Windows > DNS-Server > Audit ".
Then we could audit this PTR deleting operation by passing through the two events.
Hope this helps. If you have any question or concern, please feel free to let me know.
Best regards,
Michael
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Tuesday, October 8, 2019 7:19 AM
Hi,
Could the above reply be of help? If yes, you may mark it as answer, if not, feel free to feed back
Best Regards,
Michael
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, October 16, 2019 10:21 AM
I'm glad that the issue was resolved successfully.
Thanks for your sharing and support.
Have a nice day!
Best regards,
Michael
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]