Track IP/Gateway/DNS changes on Windows Server 2008

Is there a way to track changes made to a Static IP, DNS, or gateway settings on Windows Server 2008? Ideally I would like to see before and after changes.
Asked by: Leverage IT Consulting

Cris Hanna (Sr IT Support Engineer) commented:
I'm confused.  If they are static, why would they change?
Tony Giangreco commented:
Normally, the only location to find events like changes to DNS is in the system logs on your server or DNS server. Alternately, you could subscribe to a monitoring service like MxToolbox.com which will record changes and alert you by email of the change events.

Those are the only ways to view this type of event unless you install a package that records that info. I haven't seen an app like that.

Hope this info helps!
Leverage IT Consulting (author) commented:
Let me clarify. I am talking about the NIC settings on Windows Server 2008. The DNS settings on the server reverted back to old settings somehow on multiple servers. We either suspect a script or an admin did it. Overall we are trying to narrow down the time window of when this may have happened.
Cris Hanna (Sr IT Support Engineer) commented:
You might see something in event logs, but not likely now.  Next step is to enable verbose logging and auditing for the future
Leverage IT Consulting (author) commented:
Chris,

What settings are needed to enable this verbose logging for the future?
Cris Hanna (Sr IT Support Engineer) commented:
Well, I was mistaken... there is not specifically an audit for changing NIC settings... but you can audit logons and logoffs, and so you could see who's on a system at a given time.
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Event-IDs-Windows-Server-2008-Vista-Revealed.html
Tony Giangreco commented:
You can subscribe to a service like this that keeps history of your dns and allows you to view changes and when they were made:

http://mxtoolbox.com/productinfo/dnszoneprotect2.aspx?page=pp-mf&upgrade=pp-mf&gevent=68ba1471-a104-427a-a9cb-51b1424b014d

Hope this helps!
Leverage IT Consulting (author) commented:
I found the solution on my own, so for anyone checking this out down the road, here is what we did.

- DNS listings are stored in the registry. The "NameServer" key for us was in: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\InterfaceID\
- Altered the local security policy: Security Settings/Local Policy/Audit Policy/Audit object access
- Opened Regedit to the specific subkey. Right-click Permissions/Advanced/Auditing. Add the Everyone user and Success and Failed for types: Set Value, Create Subkey, Write DAC, Write Owner (Not 100% sure which of these were the ones I really needed, but I just did the ones that looked promising and they got the job done)
- To test, I went into the Network settings for the adapter and changed the 2nd DNS from 192.168.0.201 to 8.8.8.8, then save and close
- Change back, save and close
- 2 events generated: Event ID 4657, Task Category: Registry. They looked like this:

A registry value was modified.

Subject:
    Security ID:      testdomain\admin
    Account Name:      admin
    Account Domain:     testdomain
    Logon ID:      ******

Object:
    Object Name:      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{6B52FECC-1B17-454E-8E61-89D43AEB1EF3}
    Object Value Name:      NameServer
    Handle ID:      0xa70
    Operation Type:      Existing registry value modified

Process Information:
    Process ID:      0x2ea8
    Process Name:      C:\Windows\explorer.exe

Change Information:
    Old Value Type:      REG_SZ
    Old Value:      192.168.10.201,8.8.8.8
    New Value Type:      REG_SZ
    New Value:      192.168.10.201,192.168.0.201


Some of my web references
- http://superuser.com/questions/463969/monitor-who-altered-registry-key
- http://windowsitpro.com/networking/where-registry-are-entries-dns-servers-located
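
A scripted equivalent of the steps in the post above, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later in an elevated session, enables only the Registry subcategory of object-access auditing, and places the audit rule on the parent Interfaces key so every InterfaceID subkey inherits it; those choices are assumptions, not what the poster did in the GUI.

```powershell
# Added example (not from the original post). Run from an elevated prompt.

# 1. Enable auditing of registry object access (success and failure).
#    The post enabled the whole "Audit object access" category; this is narrower.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Add an audit (SACL) entry for Everyone on the Interfaces key.
#    ChangePermissions = Write DAC, TakeOwnership = Write Owner in the Regedit dialog.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $key -Audit      # -Audit is required to read the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# 3. Report every audited change to a NameServer value: when, who, which
#    process, and the before/after strings recorded in Event ID 4657.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the event's <EventData><Data Name="..."> elements into a hashtable.
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['ObjectValueName'] -eq 'NameServer') {
            New-Object PSObject -Property @{
                Time      = $evt.TimeCreated
                User      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process   = $data['ProcessName']
                Interface = $data['ObjectName']
                OldValue  = $data['OldValue']
                NewValue  = $data['NewValue']
            }
        }
    } |
    Sort-Object Time |
    Select-Object Time, User, Process, OldValue, NewValue, Interface
```

Events are only recorded from the moment the audit rule is in place, so the report covers changes made after step 2, not the earlier reversion.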

Leverage IT Consulting (author) commented:
Accepted my comment because full-blown solutions hadn't been outlined, so I researched and solved it on my own.