HOWTO: Set up DNS auditing for records that disappear from the zone
==============================================
1. Enable Directory Service Access auditing in your default Domain Policy:
- Open the domain security policy
- Navigate to Local Policies -> Audit Policy
- Define "Audit directory service access" for Success and Failure
- Refresh domain policy on all domain controllers
2. Enable auditing on the zone:
- Open AdsiEdit
- Navigate to the location of your DNS zone
- Right-click the zone to audit and choose Properties
- Go to the Security tab and click the Advanced button
- Select the Auditing tab and click Add
- For the user or group, type in Everyone
- On the Object tab, select Success and Failure for the following access types:
-- Write All Properties, Read All Properties, Delete and Delete Subtree
- Click OK to close out, then refresh the policy again
3. When a record is deleted from DNS, the following event is logged in the Security event log:
Event ID: 566
Source: Security
Type: Success
Category: Directory Service Access
Description: A message similar to the following is logged:
Object Name: DC=recordname,DC=domain,DC=domain,CN=System,DC=dcname,DC=domain
Properties: Write Property
Default property set
dnsRecord
dNSTombstoned

==============================================

After completing the steps above, if someone later deletes an A record, you will see the following information.
Example
================
事件類型:   稽核成功

事件來源:   Security

事件類別目錄:     目錄服務存取

事件識別碼:        566

日期:         2010/3/29

時間:         下午 04:22:01

使用者:              HJHROOT\administrator

電腦: W2003RDC03

描述:

物件操作:

物件伺服器:        DS

操作類型:   Object Access

物件類型:   dnsNode

物件名稱:   DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com

處理識別碼:        -

主要使用者名稱:  W2003RDC03$

主網域:      HJHROOT

主要登入識別碼:  (0x0,0x3E7)

用戶端使用者名稱:       administrator

用戶端網域:        HJHROOT

用戶端登入識別碼:       (0x0,0x537E2)

存取: 寫入屬性

內容:

寫入屬性

                Default property set

                        dnsRecord

                        dNSTombstoned

        dnsNode

其他資訊:  

其他資訊 2:       

存取遮罩:   0x20

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。
================
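
The deletion event shown above can be picked out of an exported Security log with a short script. This is an added example, not part of the original HOWTO. It assumes the events were exported as text with English field labels; the sample input, the `----` separator and the function names are constructed for illustration.

```python
import re

# Constructed sample (values from this page's example); the "----" separator is this example's own convention.
SAMPLE = """\
Event ID: 566
Object Type: dnsNode
Object Name: DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com
Client User Name: administrator
Client Domain: HJHROOT
Properties:
Write Property
    Default property set
        dnsRecord
        dNSTombstoned
    dnsNode
----
Event ID: 566
Object Type: dnsNode
Object Name: DC=www,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com
Properties:
Write Property
    Default property set
        dnsRecord
"""
FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(.*)$")

def parse_event(text):
    """Split one event description into labelled fields and the indented property list."""
    fields, props, in_props = {}, [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
            in_props = m.group(1) == "Properties"   # lines after this label are property names
        elif in_props and line.strip():
            props.append(line.strip())
    return fields, props

def dns_deletions(log_text):
    """Return (record, zone, who) for each event 566 on a dnsNode that lists dNSTombstoned."""
    hits = []
    for chunk in log_text.split("----"):
        f, props = parse_event(chunk)
        rdns = f.get("Object Name", "").split(",")   # DC=<record>,DC=<zone>,CN=MicrosoftDNS,...
        if (f.get("Event ID") == "566" and f.get("Object Type") == "dnsNode"
                and "dNSTombstoned" in props and "CN=MicrosoftDNS" in rdns[2:]):
            who = f.get("Client Domain", "?") + "\\" + f.get("Client User Name", "?")
            hits.append((rdns[0][3:], rdns[1][3:], who))
    return hits

print(dns_deletions(SAMPLE))
```

The second sample event writes dnsRecord without dNSTombstoned, so it is not reported.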