Auditing DNS A records

Hello all

Mysteriously a critical A record was removed or deleted from an AD 2008 DNS zone. I do have some auditing running on the DCs but I'm not sure if what I have currently being audited would show me who or what deleted the record. What auditing should I turn on if I want to monitor A records being manually deleted out of a zone? I don't want to audit scavenging, just users deleting records out of AD zones. Also is there an event ID that I can start searching on? The DCs are running Windows 2008 SP1.

Many thanks

"Sawyer" <Gm***@gmail.com> wrote in message news:8755DFF8-59F1-4EEB-84AC-0CB97EFB3679@microsoft.com...
> Hello all
>
> Mysteriously a critical A record was removed or deleted from an AD 2008 DNS
> zone. I do have some auditing running on the DCs but I'm not sure if what I
> have currently being audited would show me who or what deleted the record.
> What auditing should I turn on if I want to monitor A records being manually
> deleted out of a zone? I don't want to audit scavenging, just users deleting
> records out of AD zones. Also is there an event ID that I can start
> searching on? The DCs are running Windows 2008 SP1.
>
> Many thanks

Can you tell us what that record was? Was it a manually created record for one of the DCs? Or was it an LdapIpAddress record? Or was it a CNAME record?

If it is a record concerning a DC, the DC's netlogon service could have overwritten it with its own record, which is not unlikely, and default behavior. Also, if the DC is multihomed (more than one NIC), other unwanted behavior will occur.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

It was an A record for a critical member server.

Always worth confirming Aging / Scavenging settings in these scenarios.

It's not entirely uncommon to see records vanish if Scavenging is in use and a Refresh Interval lower than 24 hours has been set.

Chris

"Sawyer" <Gm***@gmail.com> wrote in message news:84E09119-1D8B-4200-9BC0-3CC0F1B40ACD@microsoft.com...
> it was an A record for a critical member server

Sawyer,

Is this related to the restore problem in your other thread?

Ace

No, a critical server was not accessible.

"Sawyer" <Gm***@gmail.com> wrote in message news:5F9E0702-FCA9-4BCA-B6BE-E6E948B7F089@microsoft.com...
> no, a critical server was not accessible

Sawyer,

I have some questions, if you don't mind answering. Please elaborate if you can. - Thanks.

1. Chris mentioned Scavenging settings possibly causing this. Do you have scavenging enabled? If so, what are the settings set to?

2. How many administrators have access to the zone?

3. Was this critical "A" (host) record manually created as a static record?

4. Is the server that this critical "A" record associated with, have the same name as the server?

5. Is WINS Integration enabled on the zone?

Thanks,

Ace

In news:5F9E0702-FCA9-4BCA-B6BE-E6E948B7F089@microsoft.com, Sawyer <Gm***@gmail.com>, posted the following, which I replied to down below...:
>> no, a critical server was not accessible

Hello Sawyer

In addition, curious, does the server have a static config different than the record you've created that keeps getting deleted?

When you created the record, assuming you had the DNS console set to Advanced View, did you uncheck "Delete this record when it becomes stale" for records you want to keep?

If you want to find the deleted record in the AD database, it is still there. This is because anything in the AD database that gets deleted is tombstoned. There's a series of steps you can follow to get the object, find out whether it was deleted, and find out who was logged on at the time it was deleted.

You can also enable auditing for Directory Services for AD objects. You can set it either in the DC's Directory Security Policy, or in a GPO. Once enabled, go into the DNS console, zone properties, Security tab, Advanced, and enable Auditing for the Everyone group.

Read the following for more information on how to determine who deleted the object, and how to enable auditing for DNS objects.

DNS Concepts.

Ace
http://dnsfunda.blogspot.com/
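
Added example, not part of the thread: once Directory Service auditing and the zone auditing entry described in the last reply are in place, deletions of AD-integrated records can be pulled from an XML export of the Security log. This sketch assumes the Directory Service Changes events 5136 (attribute modified) and 5141 (object deleted), treats a dNSTombstoned=TRUE write as a record deletion, and skips computer accounts (names ending in $) to leave out service-made changes such as scavenging; the zone DN, account names and sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholder zone container DN; substitute the audited zone's own DN.
ZONE = "DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"
ADDED = "%%14674"  # OperationType code for "Value Added" in event 5136

def ev(eid, when, user, dn, cls="dnsNode", attr="", val="", op=""):
    """Build one constructed event in the Security log's XML layout."""
    data = {"SubjectUserName": user, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "AttributeValue": val,
            "OperationType": op}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLE = "".join([  # constructed sample events, not real log data
    ev(5136, "2009-07-01T09:14:02Z", "jsmith", "DC=appsrv01," + ZONE,
       attr="dNSTombstoned", val="TRUE", op=ADDED),       # admin deletes record
    ev(5136, "2009-07-01T02:00:11Z", "DC01$", "DC=oldpc," + ZONE,
       attr="dNSTombstoned", val="TRUE", op=ADDED),       # machine account
    ev(5136, "2009-07-01T10:30:00Z", "jsmith", "DC=web01," + ZONE,
       attr="dnsRecord", val="binary", op=ADDED),         # edit, not a delete
    ev(5141, "2009-07-02T16:40:00Z", "admin2", "DC=files01," + ZONE),
    ev(5136, "2009-07-02T17:00:00Z", "jsmith", "CN=Bob,DC=corp,DC=example",
       cls="user", attr="description", val="x", op=ADDED),  # not DNS
])

def user_dns_deletions(xml_events, zone_dn=ZONE):
    """Return (time, account, record, event_id) for user-made deletions."""
    root = ET.fromstring(f"<Events>{xml_events}</Events>")
    hits = []
    for e in root.findall("e:Event", NS):
        eid = int(e.findtext("e:System/e:EventID", namespaces=NS))
        when = e.find("e:System/e:TimeCreated", NS).get("SystemTime")
        d = {x.get("Name"): x.text or "" for x in e.findall("e:EventData/e:Data", NS)}
        dn = d.get("ObjectDN", "")
        if d.get("ObjectClass") != "dnsNode" or not dn.lower().endswith("," + zone_dn.lower()):
            continue
        tombstoned = (eid == 5136 and d.get("OperationType") == ADDED
                      and d.get("AttributeLDAPDisplayName") == "dNSTombstoned"
                      and d.get("AttributeValue", "").upper() == "TRUE")
        if not (tombstoned or eid == 5141):
            continue
        if d.get("SubjectUserName", "").endswith("$"):
            continue  # computer account: assumed service-made (e.g. scavenging)
        hits.append((when, d["SubjectUserName"], dn.split(",", 1)[0][3:], eid))
    return sorted(hits)
```

Dropping the computer-account filter shows every deletion, including those made by the DNS service or by hosts updating their own records.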