Who deleted it ?

[Lee Messenger]

Hi,

Some reverse lookup-zones were deleted of our AD DNS servers, can anyone
tell me how or if I can find out who deleted them ?

TIA

LM

 

[David Brandt [MSFT]]

Unless auditing had been enabled prior to the deletion, there isn't any way
that I know of after the fact.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

 

[Lee Messenger]

Auditing has been enabled for everything apart from Privilege use and
process tracking.

I;ve looked thru the security logs but cant find anything of note, any
ideas where I should be looking

Thanks

LM

 

[David Brandt [MSFT]]

More of an art than sience i'm afraid, but you can set the filter view for
the security log to ds and security sources to see if that gives you
something. Also query for the machine name that hosted dns.
It appears that auditing was enabled via policy, but was it also enabled on
the "server name icon" under dns in your snapin (properties of
server/security/advanced/auditing) for whatever group/s may have had
permissions to access/configure dns (administrators, dns operators, etc)

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

 

[Jason Robarts [MSFT]]

If it is of any help
http://support.microsoft.com/default.aspx?scid=kb;en-us;258310 can help you
find the deleted objects, then looking at the replication metadata you might
find the DC the originating write for the delete occurred on. The deleted
object may also give a clue as to when the delete occurred.

Jason
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm