DNS Records Disappearing and DNS Auditing

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Active Directory, Exchange and Windows Infrastructure Engineer

DNS records that seem to be disappearing, or zone data that seems to be altered, may be caused by duplicate zones. Duplicate zones are little understood, basically because of a misunderstanding of how AD integrated zones work. The whole concept of AD integrated zones is based on AD replication: the zone is stored in the actual AD database and is replicated to other DCs based on the replication scope of the zone (whether you choose the DomainNC partition, All DCs in the Domain, or All DCs in the Forest). Therefore, due to AD replication, the zone is automatically available on the other DCs in its replication scope.

So one major cause of duplicate zones is not waiting for the zone to AUTOMATICALLY populate after you install DNS on a newly promoted domain controller. When an administrator promoted the new server, the administrator may have thought that after installing DNS, they would have to manually create the current AD zone. If the zone is AD integrated, you simply allow the new DC to replicate (go to lunch, or wait at least 20 minutes). Otherwise you WILL introduce a duplicate zone, because you are manually creating a zone that AD replication has already put on the other domain controllers.

In summary, if an administrator manually created a current AD Integrated zone, possibly thinking it would speed up replication, a duplicate zone has just been introduced. To understand what this is, how it may have occurred, and how to fix it, please read my blogs on this subject:

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
Oops, our AD Integrated DNS zones are missing in Windows 2003!

Scavenging Can Also Cause Records To Disappear

Scavenging settings could also be causing this. Records can disappear if Scavenging is set to less than the recommended default of 7 days (especially if less than 24 hours), or if the checkbox “Delete this record when it becomes stale” was left checked when a record you want to keep was created. To see this setting, the DNS console’s View must be in Advanced mode.

Another thing to be wary of is whether another administrator deleted it. How many administrators have access to the zone? You can also enable Directory Services auditing for AD objects to find out who is deleting anything. You can set it either in the DC’s Directory Security Policy, or in a GPO. Once enabled, go into the DNS console, zone properties, Security tab, Advanced, and enable auditing for the Everyone group.

You can also find the deleted record in the AD database. If you want to find the deleted record in the AD database, it is still there. This is because anything in the AD database that gets deleted gets tombstoned, or, another way to put it, marked for deletion. It can be marked for deletion in one of two ways: dNSTombstoned and isDeleted.

dNSTombstoned: if a record is deleted in the DNS console (dnsmgmt.msc), the object still exists in AD, but dns.exe will no longer load it.
isDeleted: the AD “tombstone” marking the object as deleted from the AD itself.

“Once we determine if the DNS record is dNSTombstoned or AD tombstoned we then use “repadmin /showmeta,” which will show us the time/date that each attribute for this object was created, edited, or marked for deletion. This shows the originating source DC of this change. From there we may be able to determine who/what was on that source DC at the time.”

Active Directory Domain Services (AD DS) Auditing Step-by-Step Guide

Read the following article in its entirety, in conjunction with the steps I’ve provided below it, for complete information on how to determine who deleted the object and how to enable auditing for DNS objects.

How to find who manually created host records in Secure DNS Zones
… In Microsoft® Windows® 2000 Server and Windows Server 2003 …

One way to find out if someone is manually deleting records, as I mentioned, whether intentionally or unintentionally, is to enable DNS auditing. This feature is only available on AD integrated zones, not on Standard Primary zones.
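As an added example that is not part of the original post, the following PowerShell checks for the two conditions described above: the same zone stored in more than one AD partition (a duplicate zone), and dNSTombstoned records that AD still holds but the DNS server no longer loads. It assumes the ActiveDirectory RSAT module, an account that can read the domain and DNS application partitions, and a placeholder zone name.

```powershell
# Added example, not code from Ace Fekay's post. Requires the ActiveDirectory RSAT module
# and read access to the domain and DNS application partitions. $zoneName is a placeholder.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName

# The three containers an AD-integrated zone can be stored in, one per replication scope
# (DomainNC partition, all DCs in the domain, all DCs in the forest).
$partitions = [ordered]@{
    'DomainNC'       = "CN=MicrosoftDNS,CN=System,$domainDN"
    'DomainDnsZones' = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    'ForestDnsZones' = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
}

$zones = foreach ($scope in $partitions.Keys) {
    # A container may be absent (e.g. no ForestDnsZones replica); skip it rather than fail.
    try {
        Get-ADObject -SearchBase $partitions[$scope] -LDAPFilter '(objectClass=dnsZone)' `
                     -Properties whenCreated -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{ Zone = $_.Name; Scope = $scope
                                   Created = $_.whenCreated; DN = $_.DistinguishedName }
            }
    } catch { }
}

# The same zone name in two partitions is the duplicate-zone condition; the newest copy is
# usually the one an administrator created by hand instead of waiting for replication.
$zones | Group-Object Zone | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Duplicate zone '$($_.Name)' stored in: $($_.Group.Scope -join ', ')"
    $_.Group | Sort-Object Created | Format-Table Scope, Created, DN -AutoSize | Out-Host
}

# Records deleted in the DNS console are dNSTombstoned: still in AD, no longer served.
$zoneName = 'corp.example.com'   # placeholder: the zone whose missing records you are chasing
$zoneDN   = ($zones | Where-Object Zone -eq $zoneName | Select-Object -First 1).DN
if ($zoneDN) {
    Get-ADObject -SearchBase $zoneDN -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
                 -Properties whenChanged |
        ForEach-Object {
            # repadmin /showobjmeta (the post's older "repadmin /showmeta") shows the originating
            # DC and timestamp of the attribute change, which points at who deleted the record.
            "{0}  tombstoned {1}" -f $_.Name, $_.whenChanged
            "  repadmin /showobjmeta . `"{0}`"" -f $_.DistinguishedName
        }
}
```

Records that were also removed from AD (isDeleted) do not appear in this query; those need Get-ADObject -IncludeDeletedObjects against the Deleted Objects container instead.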