I got an unusual request from a customer today. She is in an environment where everyone is currently a domain admin (not a good thing). Although they are taking my advice and moving to a least privileged scenario, things are sometimes slow in federations. In any event, she suspects that other administrators are deleting DNS records from the Active Directory zone. My first question is "Why would someone do this?" but politics rule, so I know better than to even ask it.

If you look at the security descriptor of the DNS server object, the DNS zones, and even the records themselves, you'll notice that the SACL on each of them already carries auditing entries by default. It should follow, therefore, that as long as Object Access auditing is turned on for the DNS server, creations, deletions and other changes would be recorded in the Security event log.

It turns out that enabling Object Access auditing does not cause DNS zone records to show up in the Security log. Object Access covers things like files and registry keys; the records of an Active Directory-integrated zone are directory objects (dnsZone and dnsNode objects under CN=MicrosoftDNS,CN=System), so they are audited by the directory service instead. You must enable "Audit directory service access" (success, at a minimum) on the machines where DNS is running, which for AD-integrated zones means the domain controllers, so the setting normally belongs in the Default Domain Controllers Policy. Once it is working, you will see the following event in the Security log for creating a new DNS record:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date:  8/23/2006
Time:  4:03:05 PM
User:  [guilty party]
Computer: [dns server]
Description:
Object Operation:
  Object Server: DS
  Operation Type: Object Access
  Object Type: dnsZone
  Object Name: DC=[zone].com,CN=MicrosoftDNS,CN=System,DC=[zone],DC=com
  Handle ID: -
  Primary User Name: [machine]$
  Primary Domain: [domain name]
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: administrator
  Client Domain: [domain]
  Client Logon ID: (0x0,0x706012D)
  Accesses: Create Child
   
  Properties:
 Create Child
 dnsNode

  Additional Info: DC=Testing2,DC=[zone].com,cn=MicrosoftDNS,cn=System,DC=[zone],DC=com
  Additional Info2: DC=Testing2,DC=[zone].com,CN=MicrosoftDNS,CN=System,DC=[zone],DC=com
  Access Mask: 0x1

And for deleting a record. Note that the deletion does not appear as a Delete Child access on the zone: the DNS server tombstones the dnsNode object (it writes dNSTombstoned and clears dnsRecord) rather than removing it right away, so what you see is a Write Property on the node itself:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date:  8/23/2006
Time:  7:28:30 PM
User:  [perp]
Computer: [dns server]
Description:
Object Operation:
  Object Server: DS
  Operation Type: Object Access
  Object Type: dnsNode
  Object Name: DC=Test,DC=zone.com,CN=MicrosoftDNS,CN=System,DC=zone,DC=com
  Handle ID: -
  Primary User Name: [computer name]$
  Primary Domain: [Domain]
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: administrator
  Client Domain: [domain]
  Client Logon ID: (0x0,0x729EE07)
  Accesses: Write Property
   
  Properties:
 Write Property
  Default property set
   dnsRecord
   dNSTombstoned
   dnsNode

  Additional Info: 
  Additional Info2: 
  Access Mask: 0x20

As a reminder, turning on directory service access auditing will create a storm of events in your Security log. In most production environments, you can expect thousands of "noise" events for every malicious DNS deletion, so this probably needs to be used sparingly, and you should raise the Security log size (or forward the log) before enabling it so the interesting events are not overwritten. When you do go looking, filter on Event ID 566 with an Object Type of dnsZone or dnsNode, and read the person out of the Client User Name and Client Domain fields rather than the User or Primary User Name fields: the DNS service does the write as LocalSystem (logon ID 0x3E7) while impersonating the caller, so the Primary fields only ever show the domain controller's machine account.
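Here is a small triage script that applies the filtering described above to a saved text dump of the Security log. It is an added example written for this post, not code from the original; the SAMPLE_EVENTS text is constructed from the two events shown on the page, trimmed to the fields the script reads, and the domain EXAMPLE / example.com is an assumption. It goes one step beyond the page: a Write Property on a dnsNode that touches dnsRecord without dNSTombstoned is reported as a modification, and an event with no Client user (the assumed shape of a direct LDAP edit) falls back to the Primary fields for the actor.

```python
# Added example for this post (not code from the original): triage a saved
# Security-log text dump for event 566 entries that touch AD-integrated DNS.
# SAMPLE_EVENTS is constructed from the two events shown on the page, trimmed
# to the fields used here; the domain EXAMPLE / example.com is assumed.
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_EVENTS = r"""
Event Type: Success Audit
Event ID: 566
Time:  4:03:05 PM
  Object Type: dnsZone
  Object Name: DC=example.com,CN=MicrosoftDNS,CN=System,DC=example,DC=com
  Primary User Name: DC1$
  Primary Domain: EXAMPLE
  Client User Name: administrator
  Client Domain: EXAMPLE
  Accesses: Create Child
  Properties:
 Create Child
 dnsNode
  Additional Info: DC=Testing2,DC=example.com,cn=MicrosoftDNS,cn=System,DC=example,DC=com
Event Type: Success Audit
Event ID: 566
Time:  7:28:30 PM
  Object Type: dnsNode
  Object Name: DC=Test,DC=example.com,CN=MicrosoftDNS,CN=System,DC=example,DC=com
  Primary User Name: DC1$
  Primary Domain: EXAMPLE
  Client User Name: administrator
  Client Domain: EXAMPLE
  Accesses: Write Property
  Properties:
 Write Property
  Default property set
   dnsRecord
   dNSTombstoned
   dnsNode
"""

DNS_TYPES = {"dnsZone", "dnsNode"}


@dataclass
class DnsChange:
    action: str  # "create", "delete" (node tombstoned) or "modify"
    zone: str
    node: str
    actor: str   # DOMAIN\user who actually made the change
    time: str


def split_events(text: str) -> list[str]:
    """Each event in a saved Security log dump starts with 'Event Type:'."""
    return [e for e in re.split(r"(?m)^(?=Event Type:)", text) if e.strip()]


def parse_event(raw: str) -> dict:
    """'Key: value' lines become entries; the bare names listed under
    'Properties:' (access type, then attributes) go into fields['Properties']."""
    fields, props, in_props = {}, [], False
    for s in (line.strip() for line in raw.splitlines() if line.strip()):
        if s == "Properties:":
            in_props = True
        elif in_props and ":" not in s:
            props.append(s)
        else:
            in_props = False
            key, _, value = s.partition(":")
            fields[key.strip()] = value.strip()
    fields["Properties"] = props
    return fields


def classify(ev: dict) -> Optional[DnsChange]:
    """The DNS change an event records, or None for ordinary DS-access noise."""
    if ev.get("Event ID") != "566" or ev.get("Object Type") not in DNS_TYPES:
        return None
    props, accesses = ev["Properties"], ev.get("Accesses")
    # The DNS service runs as LocalSystem (logon 0x3E7) and impersonates the
    # caller, so the real actor is in the Client fields. Assumption for this
    # example: an event with no Client user (direct LDAP edit) names it in Primary.
    user, domain = ev.get("Client User Name", "-"), ev.get("Client Domain", "-")
    if user in ("", "-"):
        user, domain = ev.get("Primary User Name", ""), ev.get("Primary Domain", "")
    if ev["Object Type"] == "dnsZone" and accesses == "Create Child" and "dnsNode" in props:
        action, dn = "create", ev.get("Additional Info", "")  # DN of the new node
    elif ev["Object Type"] == "dnsNode" and accesses == "Write Property":
        # Deleting a record tombstones the dnsNode (dNSTombstoned is written)
        # rather than removing the object; a plain dnsRecord write is an edit.
        action, dn = ("delete" if "dNSTombstoned" in props else "modify"), ev.get("Object Name", "")
    else:
        return None
    rdns = [r.partition("=")[2] for r in dn.split(",") if "=" in r]  # node, zone, ...
    if len(rdns) < 2:
        return None
    return DnsChange(action, rdns[1], rdns[0], f"{domain}\\{user}", ev.get("Time", ""))


def find_dns_changes(text: str) -> list[DnsChange]:
    return [c for c in map(classify, map(parse_event, split_events(text))) if c]
```

Point `find_dns_changes` at the text of a log exported from Event Viewer and you get one `DnsChange` per zone or node touched, with everything else from the directory service audit dropped. It keys on the Properties block because that is where the intent lives: Create Child of a dnsNode on the zone is a new record, Write Property on a node with dNSTombstoned is a deletion, and Write Property on dnsRecord alone is an edit.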