Hi Query King,

Find the given steps to enable auditing.

1. Enable Directory Service Auditing.

1. Login into Any Domain Controller.
2. Click Start go to Administrative Tools and click on Group Policy Management.
3. Expand your Domain and select Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. Expand Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy.
5. Right-click Audit directory service access, and then click Properties.
6. Select the Define these policy settings check box.
7. Under Audit these attempts, select the Success, check box, and then click OK.

 2. Enable DNS Auditing on DNS Zone.

1. Go to Run and Type ADSIEdit.msc
2. In opened windows. Right Click on ADSI Edit and select Connect to…
3. Select Default naming context → Expand DomainDNS object with the name of your Domain → System then Right сlick on MicrosoftDNS and click on Properties.
4. Now in Security Tab, click on Advanced → Auditing (Tab) → click on Add.
5. Enter "Everyone" and click on OK.
6. In permission windows, Select/check on "Success", in front of Write all properties, Delete, Delete subtree options.
7. select "This object and all descendant objects", In Applies to option,
8. Click "OK".

 3. Verify if Audit Logs are Generating in Windows Security Log.

1. Start Event Viewer and open Security Logs.
2. Search for Event Log 4662.
3. If you are able to see Event Log 4662, where Object Type is dnsNode then its configured now.

Hi Santosh,

Sorry for delayed response, Thanks, now I am able to see Event 4662 in Security logs and able to find deletion source.