Solved

DNS trace

Posted on 2011-10-07
Last Modified: 2012-08-13
I have a problem today with DNS.
In fact, today in my DNS 30 @ names (hosts) were deleted.
I think someone deleted them.
Please, do you have tools or a script to see how they were deleted
and which user (of Active Directory) deleted them?
Question by:DRRAM
9 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36934144
Do you have aging and scavenging turned on for that zone?
0
 

Author Comment

by:DRRAM
ID: 36934150
please I do not know where I can check your request
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36934162
Check out http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

I'm not sure if that exact process is the same in more recent versions of Windows Server.  If it is different just Google for "windows dns aging scavenging" plus your version -- there are tons of links out there.
0
 

Author Comment

by:DRRAM
ID: 36934207
I have Windows 2008 - DNS and Active Directory
scavenging ??

and please

I can not control every @ name was deleted at what time
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36934701
If Audit Directory Service Access is enabled on the server where DNS is running, then in the security log you will see the following events for deleting a DNS record. If it is not enabled, then the event will not be logged.

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date:  8/23/2006
Time:  7:28:30 PM
User:  [perp]
Computer: [dns server]
Description:
Object Operation:
  Object Server: DS
  Operation Type: Object Access
  Object Type: dnsNode
  Object Name: DC=Test,DC=zone.com,CN=MicrosoftDNS,CN=System,DC=zone,DC=com
  Handle ID: -
  Primary User Name: [computer name]$
  Primary Domain: [Domain]
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: administrator
  Client Domain: [domain]
  Client Logon ID: (0x0,0x729EE07)
  Accesses: Write Property
   
  Properties:
 Write Property
  Default property set
   dnsRecord
   dNSTombstoned
   dnsNode

  Additional Info:
  Additional Info2:
  Access Mask: 0x20



0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36934774
This blog may also help you; it shows how to set up auditing

http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx
Tracking DNS Record Deletion

Thanks

Mike
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36934875
Please see the link; you will get the events, but you need to have auditing enabled.

http://blogs.dirteam.com/blogs/jorge/archive/2008/04/29/auditing-in-windows-server-2008.aspx

Regards,
Abhijit Waikar.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 2000 total points
ID: 36934900
As a reminder, setting directory access auditing will create a storm of events in your security log.  In most production environments, you can expect thousands of "noise" events for every malicious DNS deletion, so this probably needs to be used sparingly.
0
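Added example, not part of the original thread: a Python filter that cuts the noise described in the accepted solution by keeping only event 566 entries whose object type is dnsNode and whose written properties include dNSTombstoned, as in the event quoted earlier. It assumes the security log has been exported as text in that layout and that a deletion always shows dNSTombstoned in the property list; the sample events and every name in them are constructed.

```python
import re

# Constructed sample export (made-up names and times), abbreviated to the fields
# the filter reads: one DNS record deletion, one DNS record update, one unrelated write.
SAMPLE = """\
Event Type: Success Audit
Event ID: 566
Date:  10/7/2011
Time:  9:14:02 AM
  Object Type: dnsNode
  Object Name: DC=host01,DC=example.test,CN=MicrosoftDNS,CN=System,DC=example,DC=test
  Client User Name: jdoe
  Client Domain: EXAMPLE
   dnsRecord
   dNSTombstoned
Event Type: Success Audit
Event ID: 566
  Object Type: dnsNode
  Object Name: DC=host02,DC=example.test,CN=MicrosoftDNS,CN=System,DC=example,DC=test
  Client User Name: svc-dhcp
   dnsRecord
Event Type: Success Audit
Event ID: 566
  Object Type: user
  Object Name: CN=Some User,CN=Users,DC=example,DC=test
  Client User Name: helpdesk
   description
"""

def field(event, name):
    """Return the value of a 'Name: value' line inside one event, or None."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r":[ \t]*(.*)$", event)
    return m.group(1).strip() if m else None

def dns_deletions(text):
    """Return record, user and time for each event 566 that tombstoned a dnsNode."""
    hits = []
    for event in re.split(r"(?m)^(?=Event Type:)", text):
        if field(event, "Event ID") != "566" or field(event, "Object Type") != "dnsNode":
            continue  # directory-access noise unrelated to DNS records
        if not re.search(r"(?m)^\s*dNSTombstoned\s*$", event):
            continue  # record was written but not tombstoned
        record = field(event, "Object Name").split(",")[0].split("=", 1)[1]
        user = "{}\\{}".format(field(event, "Client Domain"), field(event, "Client User Name"))
        when = "{} {}".format(field(event, "Date"), field(event, "Time"))
        hits.append({"record": record, "user": user, "when": when})
    return hits

if __name__ == "__main__":
    for hit in dns_deletions(SAMPLE):
        print(hit["when"], hit["user"], "deleted", hit["record"])
```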
 

Author Closing Comment

by:DRRAM
ID: 37041623
THX
0
