Are domain controllers using correct DNS settings?

DNS is an integral part of the Active Directory subsystem. Without DNS, Active Directory functionality will not work. DNS is required when authenticating client computers, when GPO settings are applied to users and computers, and so on. The domain controllers must be configured to use the correct DNS settings in the TCP/IP properties of the network card. For example, if you have four domain controllers in an Active Directory domain and all of them run the DNS server role, then the DNS settings in the TCP/IP properties of each domain controller must point to the DNS server IP addresses of the other domain controllers in order to avoid resolution failures. The domain controllers connect to each other to exchange security tokens and to replicate changes. Before changes can be replicated, a domain controller locates its replication partners by sending a query to its configured DNS server. Many other domain controller functions also require DNS. This article provides a PowerShell script that can be used to check how many DNS servers are configured in the TCP/IP properties of a domain controller. It doesn't check that the domain controller is using the correct DNS server IP addresses, though.

What does this PowerShell script do?

The DNS PowerShell script provided in this article performs the following operations:

  • Collects all domain controllers specified in a text file named C:\Temp\DCServers.TXT.
  • Collects Network Card information from the target domain controller using Win32_NetworkAdapterConfiguration class.
  • The PowerShell script checks to make sure the domain controller is configured with at least two DNS servers. If it finds a domain controller that is configured with just one DNS server IP address, it reports the domain controller name and the configured DNS server IP in the report file.
  • There is no special PowerShell module required for this script to work as it uses Windows default PowerShell and WMI Class to get data and report back to the report file.

PowerShell script to check DNS settings

Executing this PowerShell script will generate a report in CSV format. The report file can be found at C:\Temp\DCDNSReport.CSV. You need to provide the domain controller names, one per line, in C:\Temp\DCServers.TXT before executing the script.

$GDCList = "C:\Temp\DCServers.TXT"
$DCDNSReport = "C:\Temp\DCDNSReport.CSV"
$ThisString = "Domain Controller,Connection,Command Status,Network Adapter Description,IP Address,Subnet,Default Gateway,DNS Servers,Final Status"
Add-Content $DCDNSReport $ThisString
$AnyGap = "No"
Foreach ($ItemName in Get-Content "$GDCList")
{
    $DCConError = "Ok"
    $ComConError = "Ok"
    $nwINFO = $null
    # Query only adapters that have an IP address bound. WMI errors are caught so that
    # one unreachable domain controller does not stop the whole run.
    Try
    {
        $nwINFO = Get-WmiObject -ComputerName $ItemName -Class Win32_NetworkAdapterConfiguration -ErrorAction Stop | Where-Object { $_.IPAddress -ne $null }
    }
    Catch
    {
        $DCConError = "Cannot connect"
        $ComConError = $_.Exception.Message -replace ",", " "
        Add-Content $DCDNSReport ($ItemName + "," + $DCConError + "," + $ComConError + ",,,,,,Not checked")
        Continue
    }
    foreach ($NIC in $nwINFO)
    {
        # Adapter descriptions can contain commas, so they are quoted in the CSV.
        $nwDescrip = '"' + $NIC.Description + '"'
        # IPAddress, IPSubnet and DefaultIPGateway are arrays; join them so each stays in one CSV cell.
        $nwIPADDR = $NIC.IPAddress -join ";"
        $nwSUBNET = $NIC.IPSubnet -join ";"
        $nwGateWay = $NIC.DefaultIPGateway -join ";"
        $nwDNS = @($NIC.DNSServerSearchOrder)
        $FinalStatus = "Ok"
        IF ($nwDNS.Count -lt 2)
        {
            $FinalStatus = "Not enough DNS Servers have been configured on this domain controller."
            $AnyGap = "Yes"
        }
        $FinalSTR = $ItemName + "," + $DCConError + "," + $ComConError + "," + $nwDescrip + "," + $nwIPADDR + "," + $nwSUBNET + "," + $nwGateWay + "," + '"' + ($nwDNS -join ";") + '"' + "," + $FinalStatus
        Add-Content $DCDNSReport $FinalSTR
    }
}
IF ($AnyGap -eq "Yes")
{
    $TestText = "Some Domain Controllers have not been configured with enough DNS Servers in the TCP/IP property of the network card. Please check the Final Status column of the output and check which Domain Controller requires updating with DNS configuration. It is recommended to configure domain controllers with at least 2 DNS Servers."
    Write-Output $TestText
}

Once the PowerShell script has finished executing, you can see a report under "C:\Temp\DCDNSReport.CSV," which contains columns such as domain controller name, network adapter description, IP address, subnet, default gateway, DNS servers, and the Final Status column indicating the issue with the DNS TCP/IP configuration.

As you can see, the script's output reported four domain controllers from TechGenix.com that do not have enough DNS servers configured. It is always recommended to configure at least two DNS servers in the TCP/IP properties of each domain controller to avoid name resolution failures. Once you have the report, you can take action accordingly.

The PowerShell script was retrieved from the “Domain Controllers DNS Configuration Test” Dynamic Pack, which is part of Active Directory Health Profiler.

DNS settings and Active Directory

As we explained, DNS is a requirement for Active Directory to work efficiently. Each domain controller must be configured to use at least two DNS servers in the TCP/IP properties of the network card to avoid name resolution failures. We provided a PowerShell script that can report on the TCP/IP DNS server configuration of each domain controller.
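The script above counts DNS servers but, as noted, does not verify that a domain controller points at the right ones. The following is an added example (not from the article or from the Active Directory Health Profiler pack) that closes that gap for the case the article describes, where every domain controller listed in C:\Temp\DCServers.TXT also runs the DNS server role: it resolves the listed domain controllers to their IPv4 addresses and flags any adapter whose DNS server list is short, contains an address that is not a domain controller, or never names another domain controller. The output path C:\Temp\DCDNSCheck.CSV is an assumption.

```powershell
# Added example: check that each DC's DNS servers are other DCs from the list.
# Assumption: every DC in C:\Temp\DCServers.TXT runs the DNS server role.
$GDCList = "C:\Temp\DCServers.TXT"
$DCNames = Get-Content $GDCList | Where-Object { $_.Trim() -ne "" }

# Resolve each DC name to its IPv4 addresses; these are the acceptable DNS server IPs.
$DCAddressMap = @{}
foreach ($DC in $DCNames)
{
    $Addresses = [System.Net.Dns]::GetHostAddresses($DC) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    $DCAddressMap[$DC] = @($Addresses)
}
$AllDCAddresses = @($DCAddressMap.Values | ForEach-Object { $_ })

$Results = foreach ($DC in $DCNames)
{
    # Unreachable DCs simply produce no rows here; see the article's script for error reporting.
    $NICs = Get-WmiObject -ComputerName $DC -Class Win32_NetworkAdapterConfiguration -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -ne $null }
    foreach ($NIC in $NICs)
    {
        $DNSList = @($NIC.DNSServerSearchOrder)
        $Issues = @()
        if ($DNSList.Count -lt 2) { $Issues += "fewer than two DNS servers" }
        # Loopback and the DC's own addresses count as "self"; anything else must be another DC.
        $Self = @("127.0.0.1") + $DCAddressMap[$DC]
        $Unknown = @($DNSList | Where-Object { ($AllDCAddresses -notcontains $_) -and ($Self -notcontains $_) })
        if ($Unknown.Count -gt 0) { $Issues += "points to non-DC DNS server(s): " + ($Unknown -join ";") }
        $OtherDC = @($DNSList | Where-Object { ($AllDCAddresses -contains $_) -and ($Self -notcontains $_) })
        if ($OtherDC.Count -eq 0) { $Issues += "no other domain controller in the DNS server list" }
        $Status = "Ok"
        if ($Issues.Count -gt 0) { $Status = $Issues -join "; " }
        [PSCustomObject]@{
            DomainController = $DC
            Adapter          = $NIC.Description
            DNSServers       = ($DNSList -join ";")
            FinalStatus      = $Status
        }
    }
}
$Results | Export-Csv -Path "C:\Temp\DCDNSCheck.CSV" -NoTypeInformation
$Results | Where-Object { $_.FinalStatus -ne "Ok" } | Format-Table -AutoSize
```

Export-Csv handles the quoting of adapter descriptions and address lists, so the CSV opens cleanly in Excel without the manual quoting the article's script needs.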

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.

