by lunarg on June 29th 2023, at 13:13

To troubleshoot DNS dynamic update problems (e.g., certain Active Directory-joined Windows servers not properly registering their hostnames in DNS), the DNS Server's audit log is an easy place to start, because DNS updates are logged there. To filter the log for a specific IP address or hostname, you'll need a custom XML filter: because of the way the events are logged, the standard filters can't match on the contents of the log entries.

The audit log can be found in the Event Viewer at Applications and Services Logs → Microsoft → Windows → DNS-Server → Audit. Once the log is open, click Action → Filter Current Log, switch to the XML tab and tick the Edit query manually checkbox.

To search for a specific host name (here: server01):

<QueryList>
    <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
        <Select Path="Microsoft-Windows-DNSServer/Audit">
            *[EventData[Data[@Name='NAME'] and (Data='server01')]]
        </Select>
    </Query>
</QueryList>

To search for a specific IPv4 address (here: 192.168.1.2), convert the address to its hexadecimal value, with the octets in order and without any punctuation:

<QueryList>
    <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
        <Select Path="Microsoft-Windows-DNSServer/Audit">
            *[EventData[Data[@Name='RDATA'] and (Data='C0A80102')]]
        </Select>
    </Query>
</QueryList>
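
The same RDATA search can be run from PowerShell, which also takes care of the hexadecimal conversion. This is an added example, not part of the original post: the function names are hypothetical, and it assumes the script runs on the DNS server itself in a session that is allowed to read the audit log.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes it runs on the DNS server, in a session allowed to read the audit log.

function ConvertTo-DnsAuditRdata {
    param([Parameter(Mandatory)][string]$IPv4Address)

    $octets = $IPv4Address.Split('.')
    if ($octets.Count -ne 4) { throw "Expected four octets: $IPv4Address" }

    $hex = foreach ($octet in $octets) {
        # Reject anything that is not a plain decimal octet in the range 0-255
        if ($octet -notmatch '^\d{1,3}$' -or [int]$octet -gt 255) {
            throw "Invalid octet '$octet' in $IPv4Address"
        }
        ([int]$octet).ToString('X2')   # two upper-case hex digits per octet
    }
    -join $hex                          # octets in order, no punctuation
}

function Find-DnsAuditEventByAddress {
    param([Parameter(Mandatory)][string]$IPv4Address, [int]$MaxEvents = 50)

    $rdata = ConvertTo-DnsAuditRdata $IPv4Address
    # Same query as the RDATA filter above, with the converted value filled in
    $filter = @"
<QueryList>
    <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
        <Select Path="Microsoft-Windows-DNSServer/Audit">
            *[EventData[Data[@Name='RDATA'] and (Data='$rdata')]]
        </Select>
    </Query>
</QueryList>
"@
    try {
        Get-WinEvent -FilterXml ([xml]$filter) -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message
    }
    catch {
        # Get-WinEvent reports an error instead of an empty result when nothing matches
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Warning "No audit events with RDATA $rdata ($IPv4Address)"
        }
        else { throw }
    }
}

Find-DnsAuditEventByAddress -IPv4Address '192.168.1.2'
```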
 
 