HOWTO: Set up DNS auditing for records that disappear from the zone
==============================================
1. Enable Directory Service Access auditing in your default Domain Policy:
- Open domain security policy
- Navigate to Local Policies -> Audit Policy
- Define "Audit directory service access" for success and failure
- Refresh domain policy on all domain controllers
2. Enable auditing on the zone
- Open AdsiEdit
- Navigate to the location of your DNS zone
- Right click the zone to audit and choose properties.
- Go to the Security tab and click the Advanced button
- Select the Auditing tab and click Add
- For the user or group, type in Everyone
- On the Object tab, select Success and Failure for the following access types:
-- Write All Properties, Read All Properties, Delete and Delete Subtree
- OK out of the policy and refresh the policy again.
3. When a record is deleted from DNS, the following event is logged in the Security Event log:
Event ID: 566
Source: Security
Type: Success
Category: Directory Service Access
Description: Will post a message similar to the following:
Object Name: DC=recordname,DC=domain,DC=domain,CN=System,DC=dcname,DC=domain
Properties: Write Property
Default property set
dnsRecord
dNSTombstoned
==============================================
After completing the steps above, if someone later deletes an A record, you will see the following information.
Example
================
事件類型: 稽核成功
事件來源: Security
事件類別目錄: 目錄服務存取
事件識別碼: 566
日期: 2010/3/29
時間: 下午 04:22:01
使用者: HJHROOT\administrator
電腦: W2003RDC03
描述:
物件操作:
物件伺服器: DS
操作類型: Object Access
物件類型: dnsNode
物件名稱: DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com
處理識別碼: -
主要使用者名稱: W2003RDC03$
主網域: HJHROOT
主要登入識別碼: (0x0,0x3E7)
用戶端使用者名稱: administrator
用戶端網域: HJHROOT
用戶端登入識別碼: (0x0,0x537E2)
存取: 寫入屬性
內容:
寫入屬性
Default property set
dnsRecord
dNSTombstoned
dnsNode
其他資訊:
其他資訊 2:
存取遮罩: 0x20
請在 https://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。
================
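
The check from step 3, as an added Python example that is not part of the original post: it reads the text of an exported event 566 and reports which record in which zone was tombstoned and by which account. The English field labels are an assumption; the zh-TW labels and the sample values come from the event shown above, and `field`, `dns_record_deletion` and `SAMPLE` are names chosen for this example.

```python
import re

# zh-TW labels come from the sample event on this page; the English labels are
# an assumption about how the same event renders on an English-language DC.
LABELS = {
    "object_name": ("Object Name", "物件名稱"),
    "client_user": ("Client User Name", "用戶端使用者名稱"),
    "client_domain": ("Client Domain", "用戶端網域"),
}

def field(text, key):
    """Value that follows any known label for `key` at the start of a line."""
    for label in LABELS[key]:
        m = re.search(rf"^[ \t]*{re.escape(label)}[ \t]*[::][ \t]*(.+?)[ \t]*$",
                      text, re.M)
        if m:
            return m.group(1)
    return None

def dns_record_deletion(event_text):
    """Return who tombstoned which DNS record, or None if the event is unrelated."""
    dn = field(event_text, "object_name")
    # The property name is not localized, so it works as a locale-independent marker.
    if dn is None or not re.search(r"\bdNSTombstoned\b", event_text):
        return None
    # A record object is DC=<record>,DC=<zone>,CN=MicrosoftDNS,... (commas may be escaped).
    m = re.match(r"DC=((?:\\.|[^,\\])+),DC=((?:\\.|[^,\\])+),CN=MicrosoftDNS,", dn, re.I)
    if m is None:
        return None
    user = field(event_text, "client_user") or "?"
    return {
        "record": m.group(1),
        "zone": m.group(2),
        "account": f"{field(event_text, 'client_domain') or '?'}\\{user}",
        # Computer accounts end in "$": the change came from a machine, not an admin logon.
        "machine_account": user.endswith("$"),
    }

# Abridged copy of the sample event shown on this page.
SAMPLE = """物件名稱: DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com
用戶端使用者名稱: administrator
用戶端網域: HJHROOT
內容:
dnsRecord
dNSTombstoned
"""

if __name__ == "__main__":
    print(dns_record_deletion(SAMPLE))
```

The `machine_account` flag separates writes made under a computer account from writes made under a user logon such as the administrator in the sample.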