What is the best way to monitor DNS record changes in Windows 2003
Hello! Does anyone have a suggestion for how to best monitor DNS record changes in Windows 2003? We have several domain controllers which also run our DNS, and I was wondering if anyone had a suggestion on how to best monitor when records were added and by whom. Thank you.
September 19th, 2007 7:04pm

Hi,

As I understand it, you want to monitor DNS record changes with SCE 2007, is that right? Because the SCE OpsMgr component is designed for health monitoring, we cannot use it for DNS record monitoring or auditing.

Anyhow, the steps below from "HOW TO: Set up DNS auditing for records that are removed from the zone" may help you:

1. Enable Directory Service Access auditing in your default Domain Policy:
   a) Edit the Domain Security Policy
   b) Navigate to Local Policies -> Audit Policy
   c) Define 'Audit directory service access' for success and failure
   d) Refresh the policy on all Domain Controllers

2. Enable auditing on the DNS zone:
   a) Open ADSIEdit (Start, Run, adsiedit.msc)
   b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=<domain>,DC=<top level domain> container
   c) Expand MicrosoftDNS, and navigate to the location of the DNS zone
   d) Right-click the zone and choose Properties
   e) On the Security tab, click the Advanced button
   f) Select the Auditing tab, and click Add
   g) Under User or Group, type in Everyone
   h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree

3. When a record is changed in DNS, an Event ID such as 566 will be logged in the Security Event Log on the related DC.

If this does not help, we suggest you contact the Windows Server Active Directory newsgroup for further troubleshooting.

Best regards,
Xiu Zhang - MSFT
Microsoft Online Community Support
September 21st, 2007 1:48pm
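
As an added example (not part of the reply above and not a Microsoft tool): once the auditing steps are in place, a short Python script can answer the original question of which DNS records changed and by whom, by filtering exported Event ID 566 descriptions for dnsNode objects. The sample events are constructed, and the field labels assume the Windows Server 2003 "Object Operation" description layout; the function names are hypothetical.

```python
import re
# Constructed sample (not from the thread): description text of three Event ID
# 566 entries, assuming the Windows 2003 "Object Operation" field layout.
SAMPLE = """\
Object Operation:
  Object Type: dnsNode
  Object Name: DC=web01,DC=example.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=test
  Client User Name: jsmith
  Client Domain: EXAMPLE
  Accesses: Write Property
Object Operation:
  Object Type: user
  Object Name: CN=Bob,CN=Users,DC=example,DC=test
  Client User Name: helpdesk
Object Operation:
  Object Type: dnsNode
  Object Name: DC=oldhost,DC=example.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=test
  Client User Name: svc-dhcp
  Client Domain: EXAMPLE
  Accesses: DELETE
"""
FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?):[ \t]*(.*)$")

def parse_events(text):
    """Split exported 566 descriptions into one dict of fields per event."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # continuation lines such as the property list
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Object Operation":
            cur = {}
            events.append(cur)
        elif cur is not None and key not in cur:
            cur[key] = val  # keep the first value seen for each field
    return events

def dns_changes(events):
    """Return (who, access, record, zone) for events on DNS record objects."""
    out = []
    for e in events:
        if e.get("Object Type") != "dnsNode":
            continue  # other directory objects audited by the same policy
        # First RDN is the record name, second is the zone (naive comma split).
        rdns = [p.split("=", 1)[1] for p in e.get("Object Name", "").split(",") if "=" in p]
        record, zone = (rdns + ["?", "?"])[:2]
        who = f"{e.get('Client Domain', '?')}\\{e.get('Client User Name', '?')}"
        out.append((who, e.get("Accesses", ""), record, zone))
    return out
```

Feed `parse_events` the description text exported from the Security log on each DC; the Client User Name is the account that made the change, while the Primary User Name in these events is typically the DC itself.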

Thank you for the response. I think I used the wrong forum (my apologies). I'm attempting the solution, but have run into difficulties with step (c). MicrosoftDNS does not appear after I connect using ADSI Edit. All that appears are the folders CN=LostAndFound and CN=NTDS Quotas. Since this is better suited for the Windows Server Active Directory forum, I'll pose this question over there.

MikeE
September 21st, 2007 5:40pm

Hello,

You should display the ForestDnsZone by applying the action plan below:

right-click on ADSIEDIT
click on Connect to
in the Name field, type DC=ForestDNSZones, DC=yourdomain, DC=com
click OK.

After that you can accomplish the rest. Hope that will help you. Please update us if you have any questions.

A+
monham
July 24th, 2009 4:43pm

This topic is archived. No further replies will be accepted.
