Auditing DNS Records

Hi Readers,

There can be situations when a DNS record is deleted and you have to find out how it got deleted.

The record may have been deleted manually, but unless auditing is enabled you will not be able to tell by whom.

Here are the steps you have to follow to enable it. The first step is to enable auditing of “directory service access”.

  • Launch Group Policy Management Console
  • Right-click Default Domain Controllers Policy and select Edit
  • Enable Success/Failure for Audit Directory Service Access

After this has been enabled, there is one more step that needs to be done on the DNS zone so that auditing starts logging operations on the records.

  • Launch ADSI Edit: Run –> ADSIEDIT.msc –> right-click and select Connect to

In my case DNS is stored in DC=DomainDnsZones,DC=labtest,DC=com.

  • Select and type the DN as below
  • Go to MicrosoftDNS –> your zone's Properties –> Security
  • Click Advanced –> Auditing tab
  • Add Everyone –> select Write All Properties, Delete, and Delete Subtree (Success/Failure)

Note: Don’t get confused by the two default entries for Everyone.

  • Click OK and close.

Now let's delete one of the records in DNS and see who deleted it 🙂

  • Launch DNS Management: Run –> DNSmgmt.msc

I will remove one of the test records.

  • Launch eventvwr.msc –> Security log and search for event ID 4662

An operation was performed on an object.

Subject :
Security ID: LABTEST\Administrator
Account Name: Administrator
Account Domain: LABTEST
Logon ID: 0x5c8e7

Object Server: DS
Object Type: dnsNode
Object Name: DC=testrecord2,,CN=MicrosoftDNS,DC=DomainDnsZones,DC=labtest,DC=com
Handle ID: 0x0

Operation Type: Object Access
Accesses: Write Property

Access Mask: 0x20
Properties: Write Property
Additional Information:
Parameter 1: –
Parameter 2:

I have highlighted the fields that tell you who performed the action.

There can be situations where there are many domain controllers, and you first have to find out on which domain controller the operation was performed.

In this case you first need to use LDP, which is available by default on all domain controllers.

  • Run –> LDP –> Connect to any domain controller
  • Connection –> Bind with a username and password, or as the currently logged-in user if it has admin rights
  • Click View –> Tree –> select your DNS DN
  • Click Options –> Controls –> Load Predefined –> Return deleted objects
  • Click Tree again and press OK to refresh
  • Under Deleted Objects –> select the record –> copy its DN

Now we have to use the repadmin command:

repadmin /showobjmeta labdc01 "DC=testrecord1\0ADEL:60cb39e2-6887-4def-8c8c-710002510e05,CN=Deleted Objects,DC=DomainDnsZones,DC=labtest,DC=com" >c:\dnsaudit.txt

Here are the results: they show the complete metadata for the record, when it was deleted, and on which domain controller.

So now we can log on to that domain controller and find event ID 4662 as shown above in this article.
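As an added example (my own script, not part of the original post), here is a PowerShell sweep that does the eventvwr search from above across several domain controllers at once, keeping only the 4662 events that touch DNS objects and decoding the access mask into the rights we audited. The partition DN default is the lab value from this post and must be changed for your environment.

```powershell
# Added example, not part of the original post: sweep the Security log of one or
# more domain controllers for 4662 events on DNS records and show who did what.
# Assumes Directory Service Access auditing and the zone SACL are configured as above.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),                   # DCs to query
    [string]$DnsPartitionDn = 'DC=DomainDnsZones,DC=labtest,DC=com',  # lab value from the post; change it
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# Directory rights covered by the auditing entry we added (ADS_RIGHT_* values)
function ConvertFrom-DsAccessMask([string]$Mask) {
    if (-not $Mask) { return '' }
    $m = [Convert]::ToInt64(($Mask -replace '^0x', ''), 16)
    $names = @()
    if ($m -band 0x20)    { $names += 'Write Property' }   # ADS_RIGHT_DS_WRITE_PROP
    if ($m -band 0x40)    { $names += 'Delete Subtree' }   # ADS_RIGHT_DS_DELETE_TREE
    if ($m -band 0x10000) { $names += 'Delete' }           # ADS_RIGHT_DELETE
    if ($names.Count -eq 0) { $names += $Mask }            # anything else: show the raw mask
    $names -join ', '
}

foreach ($dc in $ComputerName) {
    # 4662 = "An operation was performed on an object" (Directory Service Access)
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4662
        StartTime = $Since
    }

    foreach ($ev in $events) {
        # The EventData fields are easier to read from the XML than from the message text
        $xml = [xml]$ev.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.'#text' }

        # Keep only objects under the DNS partition (dnsNode records live under CN=MicrosoftDNS)
        if ($d['ObjectName'] -notlike "*CN=MicrosoftDNS,$DnsPartitionDn") { continue }

        [pscustomobject]@{
            Time     = $ev.TimeCreated
            DC       = $dc
            Account  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            LogonId  = $d['SubjectLogonId']
            Object   = $d['ObjectName']
            Accesses = ConvertFrom-DsAccessMask $d['AccessMask']
        }
    }
}
```

Run it with `-ComputerName labdc01,labdc02` to cover every DC, which saves the LDP and repadmin round trip when you only need to know who touched a record and from which domain controller.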


Sukhija Vikas



