Are domain controllers using correct DNS settings?

DNS is an integral part of Active Directory subsystem. Without DNS, Active Directory functionality will not work. DNS is required when authenticating the client computers, when GPO settings are applied to users and computers and so on. The domain controllers must be configured to use the correct DNS settings in TCP/IP property of the network card. For example, if you have four domain controllers in an Active Directory domain and if all domain controllers are running DNS server role then the settings on DNS TCP/IP property must be configured to use DNS server IP of each other domain controller in order to avoid resolution failures. The domain controllers connect to each other to exchange security tokens and to replicate changes. Before the changes can be replicated the domain controllers find its replication partner by sending a query to the local DNS server. There are many other functions of a domain controller that require DNS. This article provides a PowerShell script that can be used to check how many DNS servers are configured in the TCP/IP property of a domain controller. It doesn’t check to ensure the domain controller is using the correct DNS server IP address, though.

What does this PowerShell script do?

The DNS PowerShell script provided in this article performs the following operations:

  • Collects all domain controllers specified in a text file named C:\Temp\DCServers.TXT.
  • Collects Network Card information from the target domain controller using Win32_NetworkAdapterConfiguration class.
  • The PowerShell script checks to make sure the domain controller is configured with at least two DNS servers. If it finds a domain controller is configured with just one IP Address it reports the domain controller name and DNS Server IP configured in the report file.
  • There is no special PowerShell module required for this script to work as it uses Windows default PowerShell and WMI Class to get data and report back to the report file.

PowerShell script to check DNS settings

Executing this PowerShell script will generate a report in CSV format. The report file can be found at C:\Temp\DCDNSReport.CSV. You need to provide the domain controller names one per line in the C:\Temp\DCServers.TXT before executing the script.

$DCDNSREport = "C:\Temp\DCDNSReport.CSV"
$ThisString="Domain Controller,Connection,Command Status, Network Adapter Description, IP Address,Subnet,Default Gateway,DNS Servers,Final Status"
Add-Content $DCDNSREport $ThisString
$AnyGap = "No"
Foreach ($ItemName in Get-Content "$GDCList")
$nwINFO = Get-WmiObject -ComputerName $ItemName Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -ne $null }
foreach ($NIC in $nwINFO)
$nwServerName = $NIC.DNSHostName
$nwDescrip = $NIC.Description
$nwIPADDR = $NIC.IPAddress
$nwSUBNET = $NIC.IpSubnet
$nwGateWay = $NIC.DefaultIPGateway
$nwMacADD = $NIC.MACAddress
$nwDNS = $NIC.DNSServerSearchOrder
IF ($NwDNS.Count -lt 2)
$FinStatus ="Not enough DNS Servers have been configured on this domain controller."
$AnyGap = "Yes"
$FinalSTR = $ItemName+","+$DCConError+","+$ComConError+","+$nwDescrip+","+$nwIPADDR+","+$nwSUBNET+","+$nwGateWay+","+'"'+$NWDNS+'"'+","+$FinStatus
Add-Content "$TestCSVFile" $FinalSTR
IF ($AnyGap -eq "Yes")
$TestText = "Some Domain Controllers have not been configured with enough DNS Servers in the TCP/IP property of the network card. Please check FinalStatus column of the output and check which Domain Controller required updating with DNS configuration. It is recommended to configure domain controllers with at least 2 DNS Servers."

Once the PowerShell script has finished executing, you can see a report under “C:\Temp\DNSDCReport.CSV,” which contains the columns such as domain controller name, network adapter description, IP address, subnet, default gateway, DNS servers, and the Final Status column indicating the issue with the DNS TCP/IP configuration.

As you can see, the output script reported four domain controllers from that do not have enough DNS servers configured. It is always recommended to configure at least two DNS servers in the TCP/IP property of each domain controller to avoid name resolution failures. Once you have the report you can take actions accordingly.

The PowerShell script was retrieved from the “Domain Controllers DNS Configuration Test” Dynamic Pack, which is part of Active Directory Health Profiler.

DNS settings and Active Directory

As we explained, DNS is a requirement for Active Directory to work efficiently. Each domain controller must be configured to use at least two DNS Servers in the TCP/IP property of the network card to avoid name resolution failures. We provided a PowerShell script that can report on the TCP/IP DNS server configuration on each domain controller.

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.

Published by
Nirmal Sharma

Recent Posts

Using Office 365 service health to get some answers quickly

There’s nothing worse than being flooded with alerts about false-positives in your company’s email. Get answers quick with Office 365…

3 hours ago

OneDrive: A lot more than simply a place to store your files

Think of OneDrive only as the place where you store files? There’s much more, including ransomware protections, monitoring, recovery, and…

6 hours ago

Algorithmic trading: Leveraging your IT expertise to play the stock market

If you’re a crackerjack IT pro or, even better, a programmer, you may have some skills needed to try algorithmic…

3 days ago

PowerShell script obfuscation: Fight back against this growing threat

Malware authors are increasingly using PowerShell script obfuscation to try to hack your systems. But there are several ways you…

3 days ago

Can’t pass the buck: Boards must take charge of enterprise cybersecurity

A company’s board must be responsible for more than the bottom line. As cyberattacks rage, enterprise cybersecurity must be at…

3 days ago

M2M communication: Changing the society one bit at a time

M2M communication is an information exchange between two machines without human intervention. But when used right, humans will benefit tremendously.

4 days ago