{"id":2028,"date":"2021-10-03T15:47:18","date_gmt":"2021-10-03T13:47:18","guid":{"rendered":"https:\/\/itsimple.info\/?p=2028"},"modified":"2021-10-03T15:47:19","modified_gmt":"2021-10-03T13:47:19","slug":"how-to-track-dns-record-changes","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=2028","title":{"rendered":"How to Track DNS record changes"},"content":{"rendered":"\n<p>1. Enable Directory Service Access auditing in your default Domain Policy:<\/p>\n\n\n\n<p>a) Edit the Domain Security Policy<br>b) Navigate to Local Policies -&gt; Audit Policy<br>c) Define &#8216;Audit directory service access&#8217; for success and failure<br>d) Refresh the policy on all Domain Controllers<\/p>\n\n\n\n<p>2. Enable auditing on the DNS zone:<\/p>\n\n\n\n<p>a) Open ADSIEdit (Start, Run, adsiedit.msc)<br>b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=&lt;domain&gt;,DC=&lt;top level domain&gt; container<br>c) Expand MicrosoftDNS, and navigate to the location of the DNS zone<br>d) Right-click the zone and choose Properties<br>e) On the Security tab, click the Advanced button<br>f) Select the Auditing tab, and click Add<br>g) Under User or Group, type in Everyone<br>h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree<\/p>\n\n\n\n<p>3. When a record is deleted from DNS, Event ID 566 will be logged in the Security Event Log.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Also, more troubleshooting.<\/p>\n\n\n\n<p>You might also want to use the audit feature to trace which account was used to update DNS records, and to find out the source host. Here is the workaround:<\/p>\n\n\n\n<p>1. Enable Directory Service Access auditing in your default Domain Policy:<br>a) Edit the Domain Security Policy<br>b) Navigate to Local Policies -&gt; Audit Policy<br>c) Define &#8216;Audit directory service access&#8217; for success and failure<br>d) Refresh the policy on all Domain Controllers<\/p>\n\n\n\n<p>2. 
Enable auditing on the DNS zone:<br>a) Open ADSIEdit (Start, Run, adsiedit.msc)<br>b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=&lt;domain&gt;,DC=&lt;top level domain&gt; container<br>c) Expand MicrosoftDNS, and navigate to the location of the DNS zone<br>d) Right-click the zone and choose Properties<br>e) On the Security tab, click the Advanced button<br>f) Select the Auditing tab, and click Add<br>g) Under User or Group, type in Everyone<br>h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree<\/p>\n\n\n\n<p>3. When a record is changed in DNS, an Event ID such as 566 will be logged in the Security Event Log on the related DC.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-pullquote\"><blockquote class=\"has-text-color has-light-green-cyan-color\"><p>Good Luck<\/p><\/blockquote><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>1. Enable Directory Service Access auditing in your default Domain Policy: a) Edit the Domain Security Policy b) Navigate to Local Policies -&gt; Audit Policy c) Define &#8216;Audit directory service access&#8217; for success and failure d) Refresh the policy on all Domain Controllers 2. 
Enable auditing on the DNS zone: a) Open ADSIEdit (Start, Run, adsiedit.msc) b) Right-click ADSI Edit, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,12,14,15],"tags":[],"class_list":["post-2028","post","type-post","status-publish","format-standard","hentry","category-operating-systems","category-tutorials","category-windows","category-windows-server"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2028"}],"version-history":[{"count":0,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2028\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}