Is there a way to see which user made changes to AD integrated Zone in DNS?

GusGallows
Someone removed all of the A records from an AD Integrated zone in our DNS. Active directory is running in Windows 2003 mode. Is there any way to see which user account did this?
By default, Active Directory DNS does not perform logging that shows who logged into it and deleted items.

More importantly, unless you made changes, only administrators can typically access the DNS and remove items.

Have you verified you did not have some sort of DNS database crash or corruption?
This can only be accomplished if auditing is enabled. So if auditing was not enabled while the changes were being made, there is no way to find out who deleted the entries.
For now you can use psexec and run
"net stop netlogon & net start netlogon"
"ipconfig /registerdns"
on remote computers so that they register themselves to the DNS.
Technical Lead
Top Expert 2011
Commented:
If "Audit Directory Service Access" is not enabled you won't be able to see which user has deleted the DNS records.

You must enable "Audit Directory Service Access" on the machines where DNS is running.

Note: Setting directory access auditing will create a storm of events in your security log. In most production environments, you can expect thousands of "noise" events for every malicious DNS deletion, so this probably needs to be used sparingly.

Reference article: http://blogs.technet.com/b/yuridiogenes/archive/2008/03/06/auditing-a-dns-zone.aspx
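As an added illustration of the answer above (not code from the thread or the linked article), the following PowerShell script performs the three pieces that attribution of a zone deletion needs: the audit policy subcategory, a SACL on the zone container so the policy actually produces events, and a query that pulls the resulting deletion events with the account that caused them. It assumes a Windows Server 2008 or later DC with the ActiveDirectory module (on 2003 the policy is set through Group Policy and the event ID is 566 rather than 4662); the zone name, partition DN and the 4662 property positions are assumptions to verify against your own environment.

```powershell
# Added example, not from the thread. Placeholder zone and partition; adjust both.
# Zones replicated to the domain partition live under CN=MicrosoftDNS,CN=System,<domain DN>.
param(
    [string]$ZoneName  = 'example.local',
    [string]$Partition = 'DC=DomainDnsZones,DC=example,DC=local'
)
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

# 1. Audit policy: the thread's "Audit Directory Service Access" (2008+ subcategory form).
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable | Out-Null

# 2. SACL on the zone container. The policy alone logs nothing; the object must say
#    which principals and which rights to audit. Audit Everyone for delete rights,
#    inherited by every dnsNode (record) object beneath the zone.
$zoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"
$acl      = Get-Acl -Path "AD:\$zoneDn"
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]'All')
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# 3. Reading the trail later: 4662 "An operation was performed on an object".
#    Keep only dnsNode objects with a DELETE access and report who did it.
#    Property positions follow the 4662 layout (assumed: 1=SubjectUserName,
#    2=SubjectDomainName, 6=ObjectName); check one event with Format-List * first.
function Get-DnsDeletionAudit {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'dnsNode' -and $_.Message -match 'DELETE' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[1].Value
                Domain  = $_.Properties[2].Value
                Object  = $_.Properties[6].Value   # DN of the deleted dnsNode
            }
        }
}
Get-DnsDeletionAudit | Format-Table -AutoSize
```

The Everyone SACL is deliberately broad to match the answer's warning about noise; narrowing the audited principals to the Domain Admins group (the asker's actual concern) cuts the event volume considerably.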
GusGallows, Support Escalation Engineer (Author)

Commented:
Thanks guys. I have verified that audit was not enabled, so there really is nothing I can do now but clean up. In the case of this zone, it was only used for web sites, so re-registering the machines would not have helped as they are in a different zone. The problem we face is that we have way too many domain admins, some of them using shared accounts. We are fixing that this week. No more shared accounts for domain admins, and rights will now be delegated for everyone but a few of us.

Sandeshdubey, I am awarding you the points as that is very good information on how to enable auditing and the possible side effects. Thanks guys.
