There can be situations when DNS record is deleted & you have to find how it got deleted.
Record may have been deleted manually but unless Auditing is enabled you will not be able to tell by whom.
Here are the steps that you have to follow to enable it, first step is to enable the Auditing on “directory service access”.
- Launch Group Policy Management Console
–> RUN –> GPMC.MSC
- Right Click & Edit Default Domain Controllers Policy
- Enable Success/Failure for Audit Directory Service access
After this has been enabled , There is one more step that needs to be done for DNS Zone so that auditing starts logging the records.
- Launch ADSI Run –> ADSIEDIT.msc –> Right click & Connect to
In my case DNS is stored in DC=DomainDnsZones,DC=labtest,DC=com
- Select & Type DN as below
- Go to MicrosoftDNS –> your Zone properties –>Security
- Click advanced –> Auditing Tab
- Add everyone –> Select Write All Properties, Delete, and Delete Subtree (Success/Failure)
Note:- Don’t get confused by two default entries of Everyone
- Click Ok & close..
Now lets delete one of the record in DNS & see who has deleted it 🙂
- Launch DNS Management –> Run –> DNSmgmt.msc
I will remove one of the test record.
- Launch eventvwr.msc –> Security log & search for eventid 4662
An operation was performed on an object.
Security ID: LABTEST\Administrator
Account Name: Administrator
Account Domain: LABTEST
Logon ID: 0x5c8e7
Object Server: DS
Object Type: dnsNode
Object Name: DC=testrecord2,DC=labtest.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=labtest,DC=com
Handle ID: 0x0
Operation Type: Object Access
Accesses: Write Property
Access Mask: 0x20
Properties: Write Property
Parameter 1: –
I have highlighted the fields from which you will know who has performed the action.
There can be situations where there are many domain controllers & first you have to know on which domain controller operation was performed.
In this case you first need to use LDP which is by default available on all domain controllers.
- Run –> LDP –> Connect to any domain controller
- Connection –> Bind with username & password or with currently logged in user if it has admin rights.
- Click View –> Tree –> Select your DNS DN
- Click Options –>Controls —> Load predefined –>Return deleted Objects
- Again click Tree –> press OK to refresh
- Under Deleted Objects –> Select Record –> Copy DN
Now we have to use Repadmin command:
repadmin /showobjmeta labdc01 “DC=testrecord1ADEL:60cb39e2-6887-4def-8c8c-710002510e05,CN=Deleted Objects,DC=DomainDnsZones,DC=labtest,DC=com” >c:\dnsaudit.txt
Here are the results, it shows the complete records when it was deleted & on which domain controller
So now we can log on to that domain controller & can find the event id 4662 as shown above in this article.