Track IP/Gateway/DNS changes on Windows Server 2008

Is there a way to track changes made to a Static IP, DNS, or gateway settings on Windows Server 2008? Ideally I would like to see before and after changes.
Leverage IT Consulting Asked:

Cris Hanna Commented:
I'm confused. If they are static, why would they change?
0
Tony Giangreco Commented:
Normally, the only location to find events like changes to DNS is in the system logs on your server or DNS server. Alternately, you could subscribe to a monitoring service like MxToolbox.com which will record changes and alert you by email of the change events.

Those are the only ways to view this type of event unless you install a package that records that info. I haven't seen an app like that.

Hope this info helps!
0
Leverage IT Consulting (Author) Commented:
Let me clarify. I am talking about the NIC settings on Windows Server 2008. The DNS settings on the server reverted back to old settings somehow on multiple servers. We either suspect a script or an admin did it. Overall we are trying to narrow down the time window of when this may have happened.
0

Cris Hanna Commented:
You might see something in event logs, but not likely now. Next step is to enable verbose logging and auditing for the future.
0
Leverage IT Consulting (Author) Commented:
Chris,

What settings are needed to enable this verbose logging for the future?
0
Cris Hanna Commented:
Well, I was mistaken... there is not specifically an audit for changing NIC settings... but you can audit logons and logoffs, and so you could see who's on a system at a given time.
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Event-IDs-Windows-Server-2008-Vista-Revealed.html
0
Tony Giangreco Commented:
You can subscribe to a service like this that keeps a history of your DNS and allows you to view changes and when they were made:

http://mxtoolbox.com/productinfo/dnszoneprotect2.aspx?page=pp-mf&upgrade=pp-mf&gevent=68ba1471-a104-427a-a9cb-51b1424b014d

Hope this helps!
0
Leverage IT Consulting (Author) Commented:
I found the solution on my own, and so for anyone checking this out down the road here is what we did.


- DNS listings are stored in the registry
"NameServer" Key for us was in: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\InterfaceID\
- Altered the local security policy. Security Settings/Local Policy/Audit Policy/Audit object access
- Opened Regedit to the specific subkey. Right-click Permissions/Advanced/Auditing. Add the Everyone user and Success and Failed for types: Set Value, Create Subkey, Write DAC, Write Owner (Not 100% sure which of these were the ones I really, really needed, but I just did the ones that looked promising and they got the job done)
- To test I went into the Network settings for the adapter and Changed 2nd DNS from 192.168.0.201 to 8.8.8.8 save and close
- Change back save and close
- 2 Events generated: Event ID 4657 Task Category: Registry
Looked like this:
A registry value was modified.

Subject:
Security ID:      testdomain\admin
Account Name:      admin
Account Domain:     testdomain
Logon ID:      ******

Object:
Object Name:      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6B52FECC-1B17-454E-8E61-89D43AEB1EF3}
Object Value Name:      NameServer
Handle ID:      0xa70
Operation Type:      Existing registry value modified

Process Information:
Process ID:      0x2ea8
Process Name:      C:\Windows\explorer.exe

Change Information:
Old Value Type:      REG_SZ
Old Value:      192.168.10.201,8.8.8.8
New Value Type:      REG_SZ
New Value:      192.168.10.201,192.168.0.201


Some of my web references
- http://superuser.com/questions/463969/monitor-who-altered-registry-key
- http://windowsitpro.com/networking/where-registry-are-entries-dns-servers-located
0
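
The steps in the accepted answer above, scripted as an added example (not part of the original post): it enables Registry object-access auditing, adds the audit entry on the Interfaces key, and lists the resulting 4657 events with their before and after values. It goes beyond the post by auditing the parent key with inheritance and by also matching the IPAddress and DefaultGateway values; it assumes an elevated PowerShell 2.0 or later session (needed for Get-WinEvent) and an English-language 'Everyone' account name.

```powershell
# Added example. Assumes an elevated PowerShell 2.0+ session on the server being audited.

# 1. Turn on success/failure auditing for the Registry subcategory of Object Access.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Add an audit (SACL) entry on the parent Interfaces key; ContainerInherit
#    pushes it down to every interface GUID subkey.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
$rule    = New-Object System.Security.AccessControl.RegistryAuditRule(
               'Everyone', $rights,
               [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
               [System.Security.AccessControl.PropagationFlags]::None,
               [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $keyPath -Audit      # -Audit loads the existing SACL so it is preserved
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Report each audited change: when, who, which process, before and after.
$watched = 'NameServer', 'IPAddress', 'DefaultGateway'   # value names assumed for static settings
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the event's <Data Name="...">value</Data> nodes into a hashtable.
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($watched -contains $data['ObjectValueName'] -and
            $data['ObjectName'] -like '*\Tcpip\Parameters\Interfaces\*') {
            New-Object PSObject -Property @{
                Time     = $evt.TimeCreated
                Account  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process  = $data['ProcessName']
                Value    = $data['ObjectValueName']
                OldValue = $data['OldValue']
                NewValue = $data['NewValue']
            }
        }
    } |
    Sort-Object Time |
    Format-Table Time, Account, Process, Value, OldValue, NewValue -AutoSize -Wrap
```

The Process column separates a change made through the Network Connections dialog (explorer.exe in the sample event above) from one made by a script host or command-line tool.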

Leverage IT Consulting (Author) Commented:
Accepted my comment because full-blown solutions hadn't been outlined, so I researched and solved on my own.
0