Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Auditing DNS A records [message #157169] Wed, 01 July 2009 09:48
Sawyer
Hello all

Mysteriously a critical A record was removed or deleted from an AD 2008 DNS
zone. I do have some auditing running on the DCs, but I'm not sure if what I
have currently being audited would show me who or what deleted the record.
What auditing should I turn on if I want to monitor A records being manually
deleted out of a zone? I don't want to audit scavenging, just users deleting
records out of AD zones. Also, is there an event ID that I can start
searching on? The DCs are running Windows 2008 SP1.

Many thanks
Re: Auditing DNS A records [message #157198 is a reply to message #157169] Wed, 01 July 2009 18:44
aceman
"Sawyer" <Gmail@gmail.com> wrote in message news:8755DFF8-59F1-4EEB-84AC-0CB97EFB3679@microsoft.com...
> Hello all
>
> Mysteriously a critical A record was removed or deleted from an AD 2008 DNS
> zone. I do have some auditing running on the DCs, but I'm not sure if what I
> have currently being audited would show me who or what deleted the record.
> What auditing should I turn on if I want to monitor A records being manually
> deleted out of a zone? I don't want to audit scavenging, just users deleting
> records out of AD zones. Also, is there an event ID that I can start
> searching on? The DCs are running Windows 2008 SP1.
>
> Many thanks
>

Can you tell us what that record was? Was it a manually created record for one of the DCs? Or was it an LdapIpAddress record? Or was it a CNAME record?

If it is a record concerning a DC, the DC's netlogon service could have overwritten it with its own record, which is not unlikely, and default behavior. Also, if the DC is multihomed (more than one NIC), other unwanted behavior will occur.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Auditing DNS A records [message #157230 is a reply to message #157198] Thu, 02 July 2009 10:21
Sawyer
It was an A record for a critical member server.
Re: Auditing DNS A records [message #157231 is a reply to message #157230] Thu, 02 July 2009 10:29
Chris Dent
Always worth confirming Aging / Scavenging settings in these scenarios.

It's not entirely uncommon to see records vanish if Scavenging is in use
and a Refresh Interval lower than 24 hours has been set.

Chris
Re: Auditing DNS A records [message #157252 is a reply to message #157230] Thu, 02 July 2009 21:48
aceman
"Sawyer" <Gmail@gmail.com> wrote in message news:84E09119-1D8B-4200-9BC0-3CC0F1B40ACD@microsoft.com...
> it was an A record for a critical member server

Sawyer,

Is this related to the restore problem in your other thread?

Ace
Re: Auditing DNS A records [message #157473 is a reply to message #157252] Tue, 07 July 2009 19:24
Sawyer
No, a critical server was not accessible.
Re: Auditing DNS A records [message #157474 is a reply to message #157473] Tue, 07 July 2009 19:41
aceman
"Sawyer" <Gmail@gmail.com> wrote in message news:5F9E0702-FCA9-4BCA-B6BE-E6E948B7F089@microsoft.com...
> No, a critical server was not accessible.

I have some questions, if you don't mind answering. Please elaborate if you can. - Thanks.

1. Chris mentioned Scavenging settings possibly causing this. Do you have scavenging enabled? If so, what are the settings set to?

2. How many administrators have access to the zone?

3. Was this critical "A" (host) record manually created as a static record?

4. Does the server that this critical "A" record is associated with have the same name as the server?

5. Is WINS Integration enabled on the zone?

Thanks,

Ace
Re: Auditing DNS A records [message #157475 is a reply to message #157474] Tue, 07 July 2009 20:23
aceman
Sawyer,

In addition, I'm curious: does the server have a static config different than the record you've created that keeps getting deleted?

When you created the record, assuming you had the DNS console set to Advanced View, did you uncheck "Delete this record when it becomes stale" for records you want to keep?

If you want to find the deleted record in the AD database, it is still there. This is because anything in the AD database that gets deleted is tombstoned. There's a series of steps you can follow to get the object, find out whether it was deleted, and find out who was logged on at the time it was deleted.

You can also enable auditing for Directory Services for AD objects. You can set it either in the DC's Directory Security Policy, or in a GPO. Once enabled, go into the DNS console, zone properties, Security tab, Advanced, and enable Auditing for the Everyone group.

Read the following for more information on how to determine who deleted the object, and how to enable auditing for DNS objects.

DNS Concepts.

Ace
http://dnsfunda.blogspot.com/
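
One way to act on the auditing advice in the last post, as an added example that is not from the thread: it enables the Directory Service Changes audit subcategory and lists the Security log entries that touch DNS record objects (dnsNode) in AD. It assumes PowerShell 2.0 or later, an elevated session on the DC, and that the zone's auditing entry is already set as described above.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+, an elevated
# session on the DC, and the zone auditing entry described in the post above.

# Enable the subcategory that logs changes to directory objects.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 5136 = directory service object modified, 5141 = object deleted.
# The DNS service normally marks a removed record's dnsNode as dNSTombstoned
# before the object itself goes away, so both IDs are collected.
$filter = @{ LogName = 'Security'; Id = 5136, 5141 }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$report = foreach ($e in $events) {
    # Flatten the event's named <Data> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep DNS record objects only; skip every other directory change.
    if ($data['ObjectClass'] -ne 'dnsNode') { continue }

    New-Object psobject -Property @{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Record    = $data['ObjectDN']
        Attribute = $data['AttributeLDAPDisplayName']   # empty for 5141
    }
}

# Oldest first; the User column is the account the log recorded for the change.
$report | Sort-Object Time |
    Format-Table Time, EventId, User, Record, Attribute -AutoSize -Wrap
```

Only changes made after auditing is enabled are logged, so this helps with the next deletion rather than the one already lost.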