Forum.Brain-Cluster.com: Brain Cluster Technical Forum

Audit AD DNS zone [message #157171] Wed, 01 July 2009 13:05
Sawyer
Messages: 315
Registered: July 2009
Senior Member
Hello all

I am running Windows 2008 DCs, all DCs are DNS servers. I need to be able to
audit users manually deleting records out of DNS. What I have done so far
is set up auditing on every 2008 DC by running the auditpol command. Example:
Auditpol /set /subcategory:"Directory service changes" /success:enable and
/failure:enable. I also set up auditing for directory service changes using
the same command. When I run auditpol /get /category:"DS access" I now get

C:\Windows\system32>auditpol /get /category:"DS Access"
System audit policy
Category/Subcategory Setting
DS Access
Directory Service Changes Success and Failure
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access Success and Failure


I also used adsiedit and changed the connection strings to connect to
domaindnszones. I then located the zone I need to monitor, right-clicked on
it, properties-security-advanced-auditing. I added Everyone and selected
"Write all properties", "Delete" and "Delete subtree". For "apply onto:" I
selected "Descendant dnsZone objects".

Now when I delete a record out of the zone, I still don't see an event being
created for the deletion. What am I missing with this?

Many thanks
Re: Audit AD DNS zone [message #157180 is a reply to message #157171] Wed, 01 July 2009 14:24
Chris Dent
Messages: 189
Registered: July 2009
Senior Member
Records deleted in the GUI aren't really deleted (as in the object in AD
remains). Instead the dnsRecord field is modified in such a way that the
record is effectively tombstoned.

That means you would need to audit writes to the dnsRecord attribute. Might
take a spot of playing with, because you want to avoid catching too much.
Writes to that field will include all dynamic updates, any scavenging
actions, pretty much everything really; it should be fine if you limit your
audit ACE to something a bit more restrictive than Everyone.

HTH

Chris

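The procedure Chris describes, as an added example that is not code from either post. It puts an audit ACE on the zone for writes to dnsRecord, scoped to descendant dnsNode objects (the class that holds the records) and to one group rather than Everyone, and then pulls the resulting Directory Service Changes events (ID 5136). Because every dynamic update also writes dnsRecord, the report part keys on the companion attribute dNSTombstoned, which the DNS server sets to TRUE on the dnsNode when a record is deleted, so only deletions are reported. The domain name contoso.com, the group CONTOSO\DnsAdmins and the zone DN built from them are assumptions; replace them with your own. It uses the .NET DirectoryServices classes available on a Windows Server 2008 DC, not the ActiveDirectory module.

```powershell
# Added example, not code from the thread. Assumptions are marked; adjust them
# to your forest. Writing the SACL needs "Manage auditing and security log"
# (SeSecurityPrivilege) on the DC; reading the Security log needs admin or
# Event Log Readers rights.

$Domain    = 'contoso.com'                                    # assumption: your AD DNS domain
$DomainDn  = 'DC=' + ($Domain -replace '\.', ',DC=')
$ZoneDn    = "DC=$Domain,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"   # zone object in DomainDnsZones
$Principal = New-Object System.Security.Principal.NTAccount('CONTOSO\DnsAdmins')  # assumption: group to audit

# Look up schemaIDGUIDs at run time rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNc = [string](([ADSI]'LDAP://RootDSE').schemaNamingContext.Value)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object System.Guid -ArgumentList (,[byte[]]$hit.Properties['schemaidguid'][0])
}

# Add Success+Failure audit ACEs for WriteProperty on dnsRecord and dNSTombstoned,
# inherited by descendant dnsNode objects only, for one principal.
function Set-DnsRecordAudit {
    param([string]$ObjectDn, [System.Security.Principal.NTAccount]$Identity)
    $dnsNodeClass = Get-SchemaGuid 'dnsNode'
    $entry = [ADSI]"LDAP://$ObjectDn"
    # Read only the SACL so CommitChanges writes the SACL back and leaves the DACL untouched.
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $sd = $entry.psbase.ObjectSecurity
    foreach ($attr in 'dnsRecord', 'dNSTombstoned') {
        $ctorArgs = @(
            $Identity,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AuditFlags]'Success, Failure',
            (Get-SchemaGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $dnsNodeClass
        )
        # objectType = the attribute being written; inheritedObjectType = dnsNode, so the
        # ACE applies to record objects and not to the zone container itself.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ctorArgs
        $sd.AddAuditRule($rule)
    }
    $entry.psbase.ObjectSecurity = $sd
    $entry.psbase.CommitChanges()
}

# Report deletions: 5136 events on a dnsNode where dNSTombstoned was written as TRUE.
# Plain dnsRecord writes (dynamic updates, scavenging) are left out on purpose.
function Get-DnsDeletionAudit {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000)
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectClass -eq 'dnsNode' -and
            $d.AttributeLDAPDisplayName -eq 'dNSTombstoned' -and
            $d.AttributeValue -eq 'TRUE') {
            New-Object PSObject -Property @{
                Time   = $e.TimeCreated
                Who    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Record = $d.ObjectDN
                DC     = $e.MachineName
            }
        }
    }
}

Set-DnsRecordAudit -ObjectDn $ZoneDn -Identity $Principal
Get-DnsDeletionAudit | Sort-Object Time | Format-Table Time, Who, Record, DC -AutoSize
```

Run Set-DnsRecordAudit once per zone (the ACE replicates with the DomainDnsZones partition, so it does not need to be set on each DC), but run Get-DnsDeletionAudit against every DC, because 5136 is logged only on the DC that took the write. Do a test deletion and check what the Subject fields show before relying on the Who column: the LDAP write is made by the DNS Server service on the DC, so depending on how it performs the write the event may name the DC's own account rather than the operator.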