Auditing DNS Records

Hi Readers,

There can be situations when DNS record is deleted & you have to find how it got deleted.

Record may have been deleted manually but unless Auditing is enabled you will not be able to tell by whom.

Here are the steps that you have to follow to enable it, first step is to enable the Auditing on “directory service access”.

  • Launch Group Policy Management Console

–> RUN –> GPMC.MSC

Capture1

  • Right Click & Edit Default Domain Controllers Policy

Capture2

  • Enable Success/Failure for Audit Directory Service access

After this has been enabled , There is one more step that needs to be done for DNS Zone so that auditing starts logging the records.

  • Launch ADSI  Run –> ADSIEDIT.msc –> Right click & Connect to

Capture3

In my case DNS is stored in DC=DomainDnsZones,DC=labtest,DC=com

  • Select & Type DN as below

Capture4

  •  Go to MicrosoftDNS –> your Zone properties –>Security

Capture5

  • Click advanced –> Auditing Tab

Capture6

  •  Add everyone –> Select Write All Properties, Delete, and Delete Subtree (Success/Failure)

Note:- Don’t get confused by two default entries of Everyone

Capture7

  •  Click Ok & close..

Now lets delete one of the record in DNS & see who has deleted it 🙂

  • Launch DNS Management –> Run –> DNSmgmt.msc

Capture8

I will remove one of the test record.

  • Launch eventvwr.msc –> Security log & search for eventid 4662

Capture9

An operation was performed on an object.

Subject :
Security ID: LABTEST\Administrator
Account Name: Administrator
Account Domain: LABTEST
Logon ID: 0x5c8e7

Object:
Object Server: DS
Object Type: dnsNode
Object Name: DC=testrecord2,DC=labtest.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=labtest,DC=com
Handle ID: 0x0

Operation:
Operation Type: Object Access
Accesses: Write Property

Access Mask: 0x20
Properties: Write Property
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{e0fa1e69-9b45-11d0-afdd-00c04fd930c9}
{d5eb2eb7-be4e-463b-a214-634a44d7392e}
dnsNode
Additional Information:
Parameter 1: –
Parameter 2:

I have highlighted the fields from which you will know who has performed the action.

There can be situations where there are many domain controllers & first you have to know on which domain controller operation was performed.

In this case you first need to use LDP which is by default available on all domain controllers.

  • Run –> LDP –> Connect to any domain controller

Capture10

  •  Connection –> Bind with username & password or with currently logged in user if it has admin rights.

Capture11

  • Click View –> Tree –> Select your DNS DN

Capture12

  • Click Options –>Controls —> Load predefined –>Return deleted Objects

Capture13

  • Again click Tree –> press OK to refresh

Capture14

  • Under Deleted Objects –> Select Record –> Copy DN

Capture15

Now we have to use Repadmin command:

repadmin /showobjmeta labdc01 “DC=testrecord1ADEL:60cb39e2-6887-4def-8c8c-710002510e05,CN=Deleted Objects,DC=DomainDnsZones,DC=labtest,DC=com” >c:\dnsaudit.txt

Capture17

Here are the results, it shows the complete records when it was deleted & on which domain controller

Capture18

So now we can log on to that domain controller & can find the event id 4662 as shown above in this article.

Regards

Sukhija Vikas

http://msexchange.me

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s