Question
Thursday, October 7, 2010 12:34 AM
Is there any way to track DNS record (A, PTR, etc...) changes? I need to know what was changed and by whom.
All replies (7)
Thursday, October 7, 2010 6:27 AM ✅Answered
Hi,
Thanks for the post.
AFAIK, there is no such tool or option to track DNS record (A, PTR, etc...) changes and know who changed them.
As is shown in the following link, DNS command line tools do not provide this function:
http://msmvps.com/blogs/richardwu/archive/2006/10/18/Tools-to-monitor-DNS.aspx
In my opinion, we may use Network Monitor to monitor DNS server then filter out any packet other than DNS packets. Also we could use Process Monitor to monitor the DNS Zone files.
Hope this helps.
Miles
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, October 7, 2010 3:06 PM ✅Answered
Hi Miles,
I believe you had posted in the past about keeping track of who deleted DNS records? I can't remember which thread it was, but I saved the procedure. I'm not sure if it will help Stoops, but it's worth a shot. It talks about deletion, but I believe it should apply for this situation. Here it is below:
==================================================================
DNS records disappearing
Also, you can enable Auditing to watch for deletions:
Have you enabled and set the aging and scavenging properties for the AD-integrated zone on the DNS server?
I suggest using DNS auditing for records that disappear from the zone.
1. Enable Directory Service Access auditing in your default Domain Policy:
a) Edit the Domain Security Policy
b) Navigate to Local Policies -> Audit Policy
c) Define 'Audit directory service access' for success and failure
d) Refresh the policy on all Domain Controllers
2. Enable auditing on the DNS zone:
a) Open ADSIEdit (Start, Run, adsiedit.msc)
b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=<domain>,DC=<top level domain> container.
c) Expand MicrosoftDNS, and navigate to the location of the DNS zone
d) Right-click the zone and choose Properties
e) On the Security tab, click the Advanced button
f) Select the Auditing tab, and click Add
g) Under User or Group, type in Everyone
h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree
3. When a record is deleted from DNS, Event ID 566 will be logged in the Security Event Log
Hope that’s helpful
Also, more troubleshooting.
You might like to trace which account was used to update DNS records via audit feature , and find out the source host. Here is the workaround:
1. Enable Directory Service Access auditing in your default Domain Policy:
a) Edit the Domain Security Policy
b) Navigate to Local Policies -> Audit Policy
c) Define 'Audit directory service access' for success and failure
d) Refresh the policy on all Domain Controllers
2. Enable auditing on the DNS zone:
a) Open ADSIEdit (Start, Run, adsiedit.msc)
b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=<domain>,DC=<top level domain> container
c) Expand MicrosoftDNS, and navigate to the location of the DNS zone
d) Right-click the zone and choose Properties
e) On the Security tab, click the Advanced button
f) Select the Auditing tab, and click Add
g) Under User or Group, type in Everyone
h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree
3. When a record is changed in DNS, an Event ID such as 566 will be logged in the Security Event Log on the related DC.
==================================================================
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services.
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
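Step 3 of the procedure above tells you which event to look for but not how to turn a day's worth of Security log into "who changed which record". The following script is an added example, not part of Ace's post or of any Microsoft tool. It assumes Windows Server 2008 or later, where Event ID 4662 ("An operation was performed on an object") is the successor of the 566 event the procedure mentions, and that the zone SACL from step 2 is already in place; the computer name and time window are parameters you supply.

```powershell
# Added example: list Directory Service Access audit events that touched
# DNS objects and show the account behind each one.
# Assumes Windows Server 2008+ (Event ID 4662, the successor of 566) and that
# the audit entry from step 2 of the thread has already been applied.
param(
    [string]$Computer = $env:COMPUTERNAME,   # a DC hosting the AD-integrated zone
    [int]$Hours = 24                         # how far back to look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The interesting fields live in the EventData section of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            # ObjectName is the DN, e.g. DC=host,DC=zone,CN=MicrosoftDNS,DC=DomainDnsZones,...
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask    # 0x20 = WriteProperty, 0x10000 = Delete, ...
            Properties = $data.Properties    # attribute GUIDs touched (dnsRecord for record data)
        }
    } |
    # Keep only objects under the MicrosoftDNS container: zones (dnsZone) and records (dnsNode)
    Where-Object { $_.Object -like '*CN=MicrosoftDNS*' } |
    Sort-Object Time |
    Format-Table Time, Account, Object, AccessMask -AutoSize
```

Run it on, or against, each DC that holds a writable copy of the zone, because the event is written only on the DC that processed the change. The 4662 event records that an attribute was written, not the old and new values; on 2008 and later, additionally enabling the "Audit Directory Service Changes" subcategory produces events 5136 (modified), 5137 (created) and 5141 (deleted) that include the attribute value, and the same script can be pointed at those IDs by changing the `Id` entry in `$filter`.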
Friday, October 8, 2010 1:11 AM
Hi Ace,
Thanks for the prompt. Yes, I think it's worth a shot.
To Stoops, please check if the above suggestion will help you on this issue. Please feel free to let us know if you have anything unclear on it.
Thanks,
Miles
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, May 30, 2013 2:54 AM
That is good. Helps a lot.
Thursday, May 30, 2013 5:19 PM
Good to hear, Hardie.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Friday, September 6, 2013 5:09 PM
Hi Ace!
How's MS DNS been lately?
I'm looking for a way to track changes on all zones. How do I apply step 2 for all 3,000 zones and subzones?
Regards,
Greg
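Step 2 of Ace's procedure adds one audit entry through ADSI Edit, which is fine for a zone or two but not for the 3,000 zones Greg asks about. The script below is an added example, not from the thread or from Microsoft, that applies the same audit entry (Everyone, Success and Failure, Write All Properties / Read All Properties / Delete / Delete Subtree) to every zone object under the MicrosoftDNS container of one application partition. It assumes the ActiveDirectory PowerShell module, an account allowed to modify SACLs (the "Manage auditing and security log" right on the DC), and that the zones live in DomainDnsZones; the `$PartitionDn` parameter is the only thing to change for ForestDnsZones.

```powershell
# Added example: apply the thread's step 2 audit entry to every dnsZone object
# in one application partition instead of clicking through ADSI Edit per zone.
# Assumes the ActiveDirectory module and rights to write SACLs on the zone objects.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Partition holding the zones; use "DC=ForestDnsZones,<forest root DN>" for forest-wide zones
    [string]$PartitionDn = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
)
Import-Module ActiveDirectory

$container = "CN=MicrosoftDNS,$PartitionDn"
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # the "Everyone" SID

# Same access types the thread's step 2h ticks in ADSI Edit
$rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ReadProperty, Delete, DeleteTree'
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    # inherit to the dnsNode record objects beneath each zone
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$zones = Get-ADObject -SearchBase $container -SearchScope OneLevel -LDAPFilter '(objectClass=dnsZone)'
Write-Verbose "Found $(@($zones).Count) zone objects under $container"

foreach ($zone in $zones) {
    $path = "AD:\$($zone.DistinguishedName)"
    $acl  = Get-Acl -Path $path -Audit     # -Audit is required to read and write the SACL

    # Idempotent: skip zones that already carry an equivalent Everyone audit entry
    $present = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $everyone -and
            ($_.ActiveDirectoryRights -band $rights) -eq $rights -and
            $_.AuditFlags -eq 'Success, Failure'
        }
    if ($present) { Write-Verbose "Skipping $($zone.Name): already audited"; continue }

    if ($PSCmdlet.ShouldProcess($zone.DistinguishedName, 'Add Everyone audit rule')) {
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it first with `-WhatIf -Verbose` to see which zones would be touched, then without. Because the rule is set with inheritance `All`, records created later in a zone are covered without re-running the script; new zones are not, so schedule the script or run it after zone creation. Note that auditing every read (the Read All Properties entry the thread includes) on thousands of zones can generate a large volume of 4662 events on busy DCs; dropping `ReadProperty` from `$rights` keeps only the write and delete audits most people actually want.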
Monday, May 25, 2015 1:51 PM
Sharing the step-by-step approach to enable auditing and find who has made changes to DNS records,
for those who are still trying to enable it.
http://msexchange.me/2015/05/25/auditing-dns-records/
Sukhija Vikas http://msexchange.me