Sunday, May 24, 2015

Auditing DNS Records

Hi Readers,

There can be situations when a DNS record is deleted and you have to find out how it got deleted.

The record may have been deleted manually, but unless auditing is enabled you will not be able to tell by whom.

Here are the steps you have to follow to enable it. The first step is to enable auditing of "directory service access".

  • Launch Group Policy Management Console: Run --> GPMC.MSC


  • Right-click and edit the Default Domain Controllers Policy


  • Enable Success/Failure for Audit Directory Service Access


After this has been enabled, there is one more step that needs to be done on the DNS zone so that auditing starts logging changes to the records.

  • Launch ADSI Edit: Run --> ADSIEDIT.msc --> Right click & Connect to...


In my case, DNS is stored in DC=DomainDnsZones,DC=labtest,DC=com

  • Select & type the DN as shown above


  • Go to MicrosoftDNS --> your zone's properties --> Security


  • Click Advanced --> Auditing tab


  • Add Everyone --> select Write All Properties, Delete, and Delete Subtree (Success/Failure)


Note:- Don't get confused by the two default entries for Everyone

  • Click OK & close.


Now let's delete one of the records in DNS & see who deleted it :)

  • Launch DNS Management: Run --> DNSmgmt.msc


I will remove one of the test records.

  • Launch eventvwr.msc --> Security log & search for event ID 4662


An operation was performed on an object.

Subject :
Security ID: LABTEST\Administrator
Account Name: Administrator
Account Domain: LABTEST
Logon ID: 0x5c8e7

Object:
Object Server: DS
Object Type: dnsNode
Object Name: DC=testrecord2,DC=labtest.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=labtest,DC=com
Handle ID: 0x0

Operation:
Operation Type: Object Access
Accesses: Write Property

Access Mask: 0x20
Properties: Write Property
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{e0fa1e69-9b45-11d0-afdd-00c04fd930c9}
{d5eb2eb7-be4e-463b-a214-634a44d7392e}
dnsNode
Additional Information:
Parameter 1: -
Parameter 2:

I have highlighted the fields from which you will know who has performed the action.
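As an added example that is not part of the original post, here is a PowerShell script that does the Event Viewer search from the step above on one or more domain controllers: it pulls event 4662 from the Security log, keeps only entries whose Object Type is dnsNode, and extracts the same fields (Account Name, Account Domain, Logon ID, Accesses, Access Mask, Object Name) from the rendered message text. The domain controller names are placeholders, and the zone SACL from the earlier steps must already be in place.

```powershell
# Added example (not the post's own code). Assumes the SACL on the DNS zone is
# configured as described and that you can read the Security log on each DC.

# Pull one labelled value ("Object Name:", "Account Name:", ...) out of the
# rendered 4662 message, which has the same layout as the sample in the post.
function Get-4662Field {
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*([^\r\n]*)") {
        return $Matches[1].Trim()
    }
    return ''
}

function Get-DnsNodeAuditEvents {
    param(
        [string[]]$DomainController = @('labdc01'),        # placeholder DC names
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $StartTime }
    foreach ($dc in $DomainController) {
        # Reading the Security log remotely needs admin or Event Log Readers rights
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            $msg = $ev.Message
            # Only DNS records; 4662 is also raised for users, groups and other objects
            if ($msg -notmatch 'Object Type:\s*dnsNode') { continue }
            [pscustomobject]@{
                TimeCreated = $ev.TimeCreated
                DC          = $dc
                Subject     = '{0}\{1}' -f (Get-4662Field $msg 'Account Domain'), (Get-4662Field $msg 'Account Name')
                LogonId     = Get-4662Field $msg 'Logon ID'
                Accesses    = Get-4662Field $msg 'Accesses'
                AccessMask  = Get-4662Field $msg 'Access Mask'   # 0x20 = Write Property in the post's sample
                ObjectName  = Get-4662Field $msg 'Object Name'
            }
        }
    }
}

# Usage: check both lab DCs for the last week, newest first, showing only write/delete operations
Get-DnsNodeAuditEvents -DomainController 'labdc01', 'labdc02' |
    Where-Object { $_.Accesses -match 'Write Property|Delete' } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, DC, Subject, Accesses, ObjectName -AutoSize
```

Running it against every domain controller at once avoids having to guess which DC the change was made on, since 4662 is only written on the DC that processed the operation.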

There can be situations where there are many domain controllers, and first you have to know on which domain controller the operation was performed.

In this case you first need to use LDP, which is available by default on all domain controllers.

  • Run --> LDP --> Connect to any domain controller


  • Connection --> Bind with a username & password, or with the currently logged-in user if it has admin rights.


  • Click View --> Tree --> Select your DNS DN


  • Click Options --> Controls --> Load predefined --> Return deleted objects


  • Click Tree again --> press OK to refresh


  • Under Deleted Objects --> select the record --> copy its DN


Now we have to use the repadmin command (the deleted object's RDN contains the escaped newline sequence \0ADEL: before the object GUID, exactly as copied from LDP):

repadmin /showobjmeta labdc01 "DC=testrecord1\0ADEL:60cb39e2-6887-4def-8c8c-710002510e05,CN=Deleted Objects,DC=DomainDnsZones,DC=labtest,DC=com" >c:\dnsaudit.txt

Here are the results. The output shows the replication metadata for the record, including when it was deleted & on which domain controller the change originated.

So now we can log on to that domain controller & find event ID 4662 as shown above in this article.

Regards

Sukhija Vikas

http://msexchange.me
