dns auditing
-
Monday, May 14, 2012 1:31 PM
I have a lot of zones I need to enable auditing on. Can this be scripted? If so, what utility can be used (DNSCMD)?
All Replies
-
Monday, May 14, 2012 1:50 PM
What do you mean by auditing the zone?
Grant Ward, a.k.a. Bigteddy
-
Monday, May 14, 2012 1:58 PM
I have a lot of reverse zones which I want to audit. If I follow the directions from the Microsoft team blog there are several steps involved (see below). I am looking to automate this seeing I have a lot of zones.
6) Under CN=MicrosoftDNS you will find DC=<your zone name> (DC=contoso.com in my case). Right click on that and select Properties.
7) On the Security tab, click the Advanced button.
8) Select the Auditing tab, and click Add.
9) Under User or Group, type ‘Everyone’ and click on Check Names button. Click OK.
(You may find some already existing entries with the name ‘Everyone’ under the Auditing tab. This may be confusing but please add a new entry as mentioned above.)
10) On the Auditing Entry window that pops up, under the Object tab, select Success and Failure for access types Write All Properties, Delete, and Delete Subtree and click Ok.
-
Monday, May 14, 2012 2:11 PM
I have a lot of zones I need to enable auditing on. Can this be scripted? If so, what utility can be used (DNSCMD)?
You might be able to script it using SubInAcl from the Resource Kit.
¯\_(ツ)_/¯
-
Thursday, May 17, 2012 7:18 PM (Moderator)
Hi,
A quick search did not reveal to me a way to automate this via GPO or command-line; sorry. You may have to open a support case to get a definitive answer.
Bill
-
Thursday, May 17, 2012 7:36 PM
This will help to explain security for AD integrated DNS.
http://www.powershellcommunity.org/Forums/tabid/54/aft/2079/Default.aspx
You can use DSACLS to set security and auditing on DNS zones stored in AD. I don't have an example but the article/thread has links to BSOnPosh utility to assist in this.
¯\_(ツ)_/¯
-
Thursday, May 17, 2012 7:54 PM
Here is a direct method which can be scripted.
$zone=[adsi]'LDAP://DC=2.168.192.in-addr.arpa,cn=MicrosoftDNS,cn=System,dc=myzoo,dc=local'
$zone.psbase.ObjectSecurity
Inspect the ObjectSecurity. It has an audit rule factory and all other security elements. Each reverse lookup zone in AD has an entry like this. This is from one of my systems.
Your reverse zones will all look like this;
DC=2.168.192.in-addr.arpa
This is the reverse zone for the 192.168.2.0/24 subnet.
You can just enumerate zones:
[adsi]'LDAP://cn=MicrosoftDNS,cn=System,dc=myzoo,dc=local'|select -expand children
Your AD will have all of the same names except for the final domain name. Here it is "myzoo.local" (DC=myzoo,DC=local).
If you can retrieve the object GUIDs, I believe that you can also use SubInAcl.
¯\_(ツ)_/¯
- Edited by jrv (Microsoft Community Contributor), Thursday, May 17, 2012 7:55 PM
- Proposed As Answer by Richard Mueller (MVP, Moderator), Friday, May 25, 2012 2:39 AM
- Marked As Answer by Richard Mueller (MVP, Moderator), Friday, May 25, 2012 2:58 PM
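A worked script for the two pieces of this thread, the GUI audit entry from the Microsoft team blog steps (Everyone, Success and Failure, Write All Properties / Delete / Delete Subtree, this object only) and jrv's ADSI ObjectSecurity approach applied to every reverse lookup zone. This is an added example, not code from the thread or from Microsoft. It assumes the domain dc=myzoo,dc=local from jrv's post (change it), that the account running it may read and write SACLs on the zone objects (Domain Admins on a domain controller hold the needed "Manage auditing and security log" privilege), and it relies on DirectoryEntry.Options.SecurityMasks to make ADSI read and write only the SACL part of ntSecurityDescriptor.

```powershell
# Added example (not from the thread): put the audit entry described in the
# GUI steps on every AD-integrated reverse lookup zone, using the
# ObjectSecurity audit-rule factory jrv pointed at.
Add-Type -AssemblyName System.DirectoryServices

$domainDn  = 'dc=myzoo,dc=local'   # assumption: replace with your own domain DN
$container = [adsi]"LDAP://cn=MicrosoftDNS,cn=System,$domainDn"
$dryRun    = $true                  # set to $false to actually commit the SACL changes

# 'Everyone' as a well-known SID (S-1-1-0) so the rule does not depend on display names
$everyone = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Rights and audit flags matching step 10 of the GUI procedure
$rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

foreach ($zone in $container.psbase.Children) {
    $rdn = $zone.psbase.Name                               # e.g. DC=2.168.192.in-addr.arpa
    if ($rdn -notlike 'DC=*.in-addr.arpa') { continue }    # reverse zones only

    # Read/write only the SACL; by default ADSI returns owner/group/DACL and no audit rules
    $zone.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $sec = $zone.psbase.ObjectSecurity

    # Idempotence: skip zones that already audit at least these rights for Everyone
    $existing = $sec.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $everyone.Value -and
            (($_.ActiveDirectoryRights -band $rights) -eq $rights) -and
            (($_.AuditFlags -band $flags) -eq $flags)
        }
    if ($existing) { Write-Host "skip   $rdn (already audited)"; continue }

    # Three-argument constructor = inheritance None, i.e. "This object only" as in the GUI
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $rights, $flags)
    $sec.AddAuditRule($rule)

    if ($dryRun) { Write-Host "would  $rdn"; continue }
    $zone.psbase.CommitChanges()
    Write-Host "set    $rdn"
}
```

Run it once with $dryRun left at $true to see which zones would change, then flip it. The SACL entries only produce events once the "Audit Directory Service Access" and "Audit Directory Service Changes" subcategories are enabled on the domain controllers (event IDs 4662 and 5136 respectively in the Security log); without that policy the entries are inert, which is worth checking before relying on them.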
-
Thursday, May 17, 2012 8:19 PM (Moderator)
Good info - a quick perusal of the help for dsacls.exe seems only to talk about DACLs but it may support SACLs also.
Bill
-
Thursday, May 17, 2012 8:38 PM
Good info - a quick perusal of the help for dsacls.exe seems only to talk about DACLs but it may support SACLs also.
Bill
Bill - good point. I did a little checking and DSACLS cannot set audit rules. It can be done through ADSI.
¯\_(ツ)_/¯
-
Friday, May 25, 2012 2:58 PM (Moderator)
As there has been no activity in this thread for a few days, we assume the issue is resolved. We will mark it as "answered" to assist others in similar situations. If you disagree, please reply with further information. You can unmark the answer if you wish. If a reply helped answer your question, please mark it as the answer.
Richard Mueller - MVP Directory Services