Is it possible to find out who deleted a DNS entry in my Active Directory-integrated DNS (and from where)?

    Question

  • Between 2013-11-06 20:00 and 2013-11-07 05:00 (my local time), a DNS entry was deleted from our AD-integrated DNS.  Is it possible to find out who deleted this entry?  And from where (i.e. which computer)?

    Here are the details:

    • The DNS entry type is Host (A).  Let's call the entry ServerA.mydomain.com.

    • The entry has existed continuously for more than 4 years.  So I don't see why it would disappear without reason.

    • ServerA was still running when I found out that its DNS entry disappeared.  So, the disappearance cannot be a result of system shutdown and DNS unregistration, am I right?

    • We have two DCs and two RODCs.  Let's call them DC1, DC2, RODC1 and RODC2.  Every one of them is also a DNS server.
      Correct me if I'm wrong, but I think DNS entries cannot be changed from an RODC, right?  So maybe this can help us concentrate the search on DC1 and DC2 only?  Or is this irrelevant?

    • Suppose DNS Audit was NOT enabled.  Is it still possible to find out who deleted the DNS entry?

    • Scavenging is disabled on both DC1 and DC2.  And on RODC1 and RODC2, the scavenging options are greyed out and show as disabled.

    Is it possible to find who deleted our DNS entry?  And optionally from which computer?

    Thanks in advance.

    Thursday, November 07, 2013 7:21 PM

All replies

  • Hello Horinius,
    I suggest reading this useful TechNet Blogs article if you haven't already: Tracking DNS Record Deletion. It explains why a DNS record could disappear:

    • The computer owning the DNS record was gracefully shut-down and dynamically de-registered its host or SRV records.
    • A zone transfer deletion bug described in MSKB 953317 deletes virtually the entire contents of the zone immediately following zone transfer on busy W2K8 SP1 computers hosting secondary copies of a DNS zone.
    • Systems not able to update their record in DNS.
    • Misconfigured scavenging settings prematurely delete records before they can be re-registered by the computer that owns the record.
    • Someone manually deletes the record from the DNS zone.

    and how to get more information about who did what (by enabling auditing):

    "... A DNS zone can be either stored on the DNS server in form of a file such as contoso.com.dns or it can be integrated in Active Directory for replication.

    In the case of Standard Primary or Secondary zone, there is no way to determine who or what deleted the records from the zone. But if the zone is Active Directory-integrated, we can set up Directory Service Access Auditing to learn more about the cause of deletion of the records. ..."

    I hope it could help.

    Bye,
    Luca


    Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. | Whenever you see a helpful reply, click on Vote As Help and click on Mark As Answer if a post answers your question.


    Thursday, November 07, 2013 8:17 PM
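The Directory Service auditing the quoted article recommends, worked through in PowerShell as an added example that is not part of the thread or of the linked article. It assumes the zone mydomain.com is stored in the DomainDnsZones partition of DC=mydomain,DC=com, that the record is ServerA and the writable DCs are DC1 and DC2 (names from the question); the DN, the seven-day look-back window and the helper function names are assumptions, and the event IDs are those of Windows Server 2008 R2 and later. Two points the article does not spell out: deleting a record in an AD-integrated zone normally rewrites the dnsNode as a tombstone rather than deleting the object, so WriteProperty has to be audited and event 5136 (object modified) read alongside 5141 (object deleted); and only writable DCs process the change, an RODC holding a read-only copy, so the Security log to search is on DC1 or DC2, whichever served the caller. The "from where" part comes from correlating the change event's Subject Logon ID with the logon event (4624) that carries the caller's source address.

```powershell
# Added example, not from the thread or the linked article.
# Assumed names: zone mydomain.com stored in the DomainDnsZones partition of
# DC=mydomain,DC=com, record ServerA, writable DCs DC1 and DC2 (from the question).
# Event IDs are those of Windows Server 2008 R2 and later.
Import-Module ActiveDirectory

$zoneDn = 'DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com'

# --- 1. Audit policy on the DC (repeat on every writable DC) ----------------
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable

# --- 2. SACL on the zone container, inherited by every dnsNode beneath it ---
# Deleting a record in an AD-integrated zone normally rewrites the dnsNode as
# a tombstone (dnsRecord and dNSTombstoned change) rather than deleting the
# object, so WriteProperty must be audited as well as Delete.
$acl      = Get-Acl -Path "AD:\$zoneDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights] 'Delete, DeleteChild, DeleteTree, WriteProperty'
$flags    = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $rights, $flags, $inherit)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# --- 3. After the next change: who, and from which address -----------------
function ConvertTo-EventDataTable {
    # Flattens the EventData/Data elements of a Security event into a hashtable
    # keyed by each Data element's Name attribute.
    param([Parameter(Mandatory)]$Event)
    $table = @{}
    foreach ($item in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $table[$item.Name] = $item.'#text'
    }
    return $table
}

function Get-DnsRecordChangeAudit {
    param(
        [Parameter(Mandatory)][string]$RecordName,
        [Parameter(Mandatory)][string]$ZoneDn,
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-7)    # assumed look-back window
    )
    $targetDn = "DC=$RecordName,$ZoneDn"
    $common   = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }

    # 5136 = directory object modified, 5141 = directory object deleted
    $changes = Get-WinEvent @common -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5141; StartTime = $StartTime } |
        ForEach-Object {
            $d = ConvertTo-EventDataTable $_
            if ($d['ObjectDN'] -eq $targetDn) {
                $d['TimeCreated'] = $_.TimeCreated
                $d['EventId']     = $_.Id
                $d
            }
        }
    if (-not $changes) { return }

    # 4624 = logon. Its TargetLogonId equals the Subject Logon ID of the change
    # event on the same DC and carries the caller's source address.
    $logons = @{}
    Get-WinEvent @common -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } |
        ForEach-Object {
            $l = ConvertTo-EventDataTable $_
            if ($l['TargetLogonId']) { $logons[$l['TargetLogonId']] = $l }
        }

    foreach ($c in $changes) {
        $l = if ($c['SubjectLogonId']) { $logons[$c['SubjectLogonId']] } else { $null }
        if (-not $l) { $l = @{} }
        [pscustomobject]@{
            Time        = $c['TimeCreated']
            EventId     = $c['EventId']
            Account     = "$($c['SubjectDomainName'])\$($c['SubjectUserName'])"
            Attribute   = $c['AttributeLDAPDisplayName']   # empty for 5141
            Operation   = $c['OperationType']              # %%14674 value added, %%14675 value deleted
            SourceIP    = $l['IpAddress']
            Workstation = $l['WorkstationName']
            DC          = $ComputerName
        }
    }
}

'DC1', 'DC2' |
    ForEach-Object { Get-DnsRecordChangeAudit -RecordName 'ServerA' -ZoneDn $zoneDn -ComputerName $_ } |
    Format-Table -AutoSize
```

Reading the output: an Account that is a DC's own computer account (e.g. MYDOMAIN\DC1$) means the DNS Server service itself made the write, for example during scavenging or dynamic-update processing, rather than someone using the console; the Security log on the DC that processed the change is the only one that holds the matching 4624, so the 5136/5141 and 4624 lookups must be run against the same DC. The SACL and the audit policy only capture what happens after they are set, which is why nothing can be recovered this way for a deletion that happened before auditing was enabled.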
  • Hi Luca,

    I actually had found the article you gave me and other similar articles like http://blogs.technet.com/b/yuridiogenes/archive/2008/03/06/auditing-a-dns-zone.aspx and http://msmvps.com/blogs/acefekay/archive/2010/12/09/dns-records-disappearing-and-dns-auditing.aspx and implemented the auditing after this incident, but they don't work!!

    About the possible explanations to DNS record disappearance, all except two are impossible/unlikely because they didn't happen:

    • Systems not able to update their record in DNS.
    • Someone manually deletes the record from the DNS zone.

    But the server's DNS record had been there for years.  I can't see or find any trace as to why it was suddenly unable to update its record. Besides, why would it suddenly update the record?

    That's why it leaves me with the last possibility: someone manually deleted the record, and that's exactly the topic of my initial post.

    As there was no auditing BEFORE the incident, there's no way to determine who deleted it, right?

    Friday, November 08, 2013 3:37 PM
  • Hello Horinius,
    if you don't have auditing enabled, it's difficult to get more information. I suggest turning on auditing and re-creating the record; then you can monitor events.

    Question: Did you check whether your record is tombstoned*? From the article you posted, DNS Records Disappearing and DNS Auditing, you can learn from tombstoned objects the exact date/time the record was marked for deletion, so you can narrow the investigation.

    * - This attribute exists to make searching for tombstoned records easier and faster. Tombstoned objects are objects that have been deleted but not yet removed from the directory.

    Bye,
    Luca



    Friday, November 08, 2013 4:38 PM
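Checking for the tombstoned node Luca asks about, as an added PowerShell example that is not part of the thread or of the linked articles. It assumes the zone mydomain.com in the DomainDnsZones partition of DC=mydomain,DC=com and the record name ServerA (from the question); the DNs and the function names are assumptions. In an AD-integrated zone the DNS server marks a deleted node with dNSTombstoned=TRUE and replaces its dnsRecord values with a single tombstone record (type 0) whose data is a FILETIME, the time the node was entombed (record layout per MS-DNSP section 2.3.2.2); the parser below reads that time, and a constructed tombstone value round-trips through it so the parsing can be checked offline. Once the DNS server has purged the node, AD still holds it as a deleted object for the AD tombstone lifetime, which the second query covers.

```powershell
# Added example, not from the thread or the linked articles.
# Assumed names: zone mydomain.com in DomainDnsZones of DC=mydomain,DC=com;
# record ServerA. Needs the ActiveDirectory module and read access to the zone.
Import-Module ActiveDirectory

function ConvertFrom-DnsTombstoneRecord {
    # Parses one dnsRecord attribute value (MS-DNSP 2.3.2.2 layout:
    # DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4) TtlSeconds(4)
    # Reserved(4) TimeStamp(4) Data). For Type 0 (DNS_TYPE_ZERO, the tombstone)
    # Data is a FILETIME, EntombedTime. Returns that time in UTC, else $null.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 32) { return $null }          # 24-byte header + 8-byte FILETIME
    $dataLength = [BitConverter]::ToUInt16($Bytes, 0)
    $type       = [BitConverter]::ToUInt16($Bytes, 2)
    if ($type -ne 0 -or $dataLength -lt 8) { return $null }
    return [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 24))
}

function Get-DnsTombstonedNode {
    # Nodes the DNS server has entombed but not yet removed from the directory.
    param([Parameter(Mandatory)][string]$ZoneDn, [string]$Name = '*')
    $filter = "(&(objectClass=dnsNode)(dNSTombstoned=TRUE)(name=$Name))"
    Get-ADObject -SearchBase $ZoneDn -LDAPFilter $filter -Properties dnsRecord, whenChanged |
        ForEach-Object {
            $entombed = $null
            foreach ($value in $_.dnsRecord) {
                $t = ConvertFrom-DnsTombstoneRecord -Bytes ([byte[]]$value)
                if ($t) { $entombed = $t; break }
            }
            [pscustomobject]@{
                Name            = $_.Name
                EntombedTimeUtc = $entombed          # when the DNS server wrote the tombstone
                WhenChanged     = $_.whenChanged     # last directory write, for cross-checking
                DN              = $_.DistinguishedName
            }
        }
}

function Get-DnsDeletedNode {
    # Nodes already purged from the zone: AD keeps them as deleted objects
    # (isDeleted=TRUE) for the AD tombstone lifetime; dnsRecord is not preserved,
    # but whenChanged approximates the deletion time. The name becomes
    # "<name>\0ADEL:<guid>", hence the trailing wildcard.
    param([Parameter(Mandatory)][string]$PartitionDn, [string]$Name = '')
    $filter = "(&(isDeleted=TRUE)(objectClass=dnsNode)(name=$Name*))"
    Get-ADObject -SearchBase $PartitionDn -LDAPFilter $filter -IncludeDeletedObjects `
                 -Properties whenChanged, lastKnownParent |
        Select-Object Name, whenChanged, lastKnownParent
}

# Offline self-check with a constructed tombstone value (not real zone data):
$when   = New-Object DateTime -ArgumentList 2013, 11, 7, 1, 23, 45, ([DateTimeKind]::Utc)
$header = [byte[]](8,0, 0,0, 5, 0, 0,0, 1,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0)   # DataLength=8, Type=0, Version=5
$sample = [byte[]]($header + [BitConverter]::GetBytes($when.ToFileTimeUtc()))
if ((ConvertFrom-DnsTombstoneRecord -Bytes $sample) -ne $when) {
    throw 'tombstone parser self-check failed'
}

# Real queries against the zone (replace the DNs with your own):
$zoneDn      = 'DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com'
$partitionDn = 'DC=DomainDnsZones,DC=mydomain,DC=com'
Get-DnsTombstonedNode -ZoneDn $zoneDn -Name 'ServerA' | Format-List
Get-DnsDeletedNode -PartitionDn $partitionDn -Name 'ServerA' | Format-List

# Replication metadata shows which DC originated the change and when, which
# narrows the search to that DC's Security log:
repadmin /showobjmeta DC1 "DC=ServerA,$zoneDn"
```

Run the tombstone query promptly: the DNS server deletes entombed nodes after its tombstone interval (seven days by default, the DsTombstoneInterval setting), after which only the deleted-object query and the replication metadata remain. Neither tells you who made the change; they give the time and the originating DC, which is what the auditing has to be in place to complete.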
  • Hi,

    As others mentioned, I think you may turn on Audit.

    And I would like to confirm: what is the current situation?

    Please feel free to let us know if you have any updates.

    Regards.



    Monday, November 18, 2013 2:22 AM
    Moderator