A customer of mine in the past had this issue so I thought it important that I raise the awareness of this article. Ask PFE Platforms wrote an article about “how to audit changes to AD-integrated DNS Zones”.
Now for those of you that know what this implies, you know it’s a potentially catastrophic issue that can result in massive corporate downtime with NO ONE being able to log in throughout the company unless they somehow have address resolution cached previously. Basically, if someone screws up or deletes AD-related DNS records, if there’s no precautions or auditing in place, you may have no idea who did it and there’s no accountability.
If this is something that sounds like it could happen to you, you need to read this article before it does:
- Ask Premier Field Engineering (PFE) Platforms:
Who Moved the DNS Cheese? Auditing for AD-Integrated DNS Zone and Record Deletions
http://blogs.technet.com/b/askpfeplat/archive/2013/10/12/who-moved-the-dns-cheese-auditing-for-ad-integrated-dns-zone-and-record-deletions.aspx
Kurt Shintaku's Blog 