Well, I have tested over and over with different servers and zone types, and I cannot get a User ID other than "LocalSystem" to be reported as the "who". I have tested creating and deleting zones, records, and service settings. All of these are reported as being changed by the system account.

I tried to find more information about Event IDs 526 and 529, but I couldn't find anything pertinent to DNS. Could you send me a link to the info you have?

I am starting to believe that Msft's DNS auditing has some flaws. Has anyone ever seen a Security log entry that has the correct User ID for a DNS object change?
----- Original Message -----
Sent: Tuesday, March 01, 2005 11:06 AM
Subject: RE: [ActiveDir] Integrated Primary DNS Auditing
I think dynamically registered records are tagged with the system, and manually modified ones are tagged using the admin's ID. (I am using my rusty memory for this reference, so you will want to test my theory.) Also, you might have to turn up the AD logging to get the info you are looking for. All AD Integrated DNS modifications are stored in the security logs; I think you are going to have to look for 526 or 529 Event IDs, but you will need to search the body of the records to find out which record got modified. I would mention there is a third-party audit tool that can track and report on the configuration and architecture changes in DNS, but the last I checked they weren't able to log record changes (TMI).
Todd
From: Tommy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 01, 2005 12:40 PM
To: [email protected]
Subject: [ActiveDir] Integrated Primary DNS Auditing
Trying to audit changes to a DNS zone stored in AD, I have enabled all the native auditing in Group Policy and set SACLs on the Registry and AD objects that are associated with DNS, but the changes are ALL reported by the "System" account. I am looking for a way to audit WHO made changes to DNS,