How To Find Source Of Active Directory Integrated DNS Record Deletion

Query King | Thu, 31 Aug 2017 at 14:24 hours | Replies : 4 | Points : 100

Category : DNS


I am using Active Directory integrated DNS on Windows 2008 R2 Server. Recently we found that some DNS records were missing from DNS. Please suggest how to find the source of the DNS record deletion, or how to enable tracking for the future.




Please check the Windows Security Log on the domain controller for event 4662. It contains information about changes to Active Directory objects.

You need to look for the "DNSNode" object type.

Hi Santosh,


Thanks for the response, but I am unable to find event log 4662. Please suggest how to enable the logging.

Hi Query King,

Please find the steps below to enable auditing.

  1. Enable Directory Service Auditing.
    1. Log in to any Domain Controller.
    2. Click Start, go to Administrative Tools and click on Group Policy Management.
    3. Expand your Domain and select Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
    4. Expand Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy.
    5. Right-click Audit directory service access, and then click Properties.
    6. Select the Define these policy settings check box.
    7. Under Audit these attempts, select the Success check box, and then click OK.

  2. Enable DNS Auditing on DNS Zone.
    1. Go to Run and type ADSIEdit.msc
    2. In the opened window, right-click on ADSI Edit and select Connect to…
    3. Select Default naming context → expand the DomainDNS object with the name of your Domain → System, then right-click on MicrosoftDNS and click on Properties.
    4. Now in the Security tab, click on Advanced → Auditing (tab) → click on Add.
    5. Enter "Everyone" and click on OK.
    6. In the permission window, select/check "Success" in front of the Write all properties, Delete and Delete subtree options.
    7. In the Applies to option, select "This object and all descendant objects".
    8. Click "OK".

  3. Verify that Audit Logs are being generated in the Windows Security Log.
    1. Start Event Viewer and open Security Logs.
    2. Search for Event Log 4662.
    3. If you are able to see Event Log 4662 where Object Type is dnsNode, then it is configured.
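Once the 4662 events from step 3 appear, the account behind each change can be pulled out with PowerShell; this is an added example, not part of the original answer. The function name `ConvertFrom-Event4662` and the sample event are constructed for illustration, and the access-mask values are the standard directory-service rights matching the three options audited in step 2.

```powershell
# Added example: summarise who touched a dnsNode object, from event 4662 XML.
# Standard AD access-mask bits for the rights audited in step 2.
$AccessBits = @{ 0x10000 = 'Delete'; 0x40 = 'Delete subtree'; 0x20 = 'Write property' }

function ConvertFrom-Event4662 {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)   # accepts the 0x prefix
        [pscustomobject]@{
            Time    = $evt.System.TimeCreated.SystemTime
            Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId = $data['SubjectLogonId']   # correlate with the logon event (4624)
            Object  = $data['ObjectName']
            Access  = ($AccessBits.Keys | Sort-Object -Descending |
                       Where-Object { $mask -band $_ } |
                       ForEach-Object { $AccessBits[$_] }) -join ', '
        }
    }
}

# Constructed, simplified sample event; every value below is made up.
# Live events may carry %{GUID} tokens in ObjectType/ObjectName that Event Viewer resolves.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2017-09-01T09:15:02Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ObjectType">dnsNode</Data>
    <Data Name="ObjectName">DC=web01,DC=example.com,CN=MicrosoftDNS,CN=System,DC=example,DC=com</Data>
    <Data Name="AccessMask">0x10000</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Event4662

# On a domain controller (elevated prompt), feed it the real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } |
#     Where-Object { $_.Message -match 'dnsNode' } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4662
```

A record removed through the DNS console or by dynamic update is normally tombstoned rather than deleted outright, so expect "Write property" on the dnsNode as well as "Delete".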

Hi Santosh,


Sorry for the delayed response. Thanks, now I am able to see Event 4662 in the Security logs and am able to find the deletion source.