Are domain controllers using correct DNS settings?

DNS is an integral part of Active Directory. Without working DNS, Active Directory does not function: domain members use DNS to locate a domain controller when they authenticate, when Group Policy settings are applied to users and computers, and so on. Domain controllers must therefore be configured with correct DNS settings in the TCP/IP properties of their network adapters. For example, if an Active Directory domain has four domain controllers and all of them run the DNS Server role, each domain controller should list another domain controller as its DNS server (with its own address as a secondary entry) rather than only itself, so that the failure of a single server does not cause name resolution failures. Domain controllers connect to each other to authenticate and to replicate changes, and before replication can take place a domain controller locates its replication partner by querying its configured DNS server for the partner's records. Many other domain controller functions depend on DNS as well. This article provides a PowerShell script that checks how many DNS servers are configured in the TCP/IP properties of each domain controller. It does not verify that the configured addresses are the correct DNS servers, though.

What does this PowerShell script do?

The DNS PowerShell script provided in this article performs the following operations:

  • Reads the list of domain controllers from a text file named C:\Temp\DCServers.TXT, one name per line.
  • Collects network adapter information from each target domain controller using the Win32_NetworkAdapterConfiguration WMI class.
  • Checks that each domain controller is configured with at least two DNS servers. If a domain controller has only one DNS server configured (or none), the script records the domain controller name, the adapter and the configured DNS server IP addresses in the report file and flags the row in the Final Status column.
  • No additional PowerShell module is required, because the script uses only built-in PowerShell cmdlets and WMI. Note that remote WMI queries require local administrator rights on each domain controller and RPC/DCOM connectivity to it; a domain controller that cannot be reached is reported as such rather than silently skipped.

PowerShell script to check DNS settings

Executing this PowerShell script generates a report in CSV format at C:\Temp\DCDNSReport.CSV. Before running it, list the domain controller names, one per line, in C:\Temp\DCServers.TXT.

$GDCList = "C:\Temp\DCServers.TXT"          # one domain controller name per line
$DCDNSReport = "C:\Temp\DCDNSReport.CSV"    # output report
$ThisString = "Domain Controller,Connection,Command Status,Network Adapter Description,IP Address,Subnet,Default Gateway,DNS Servers,Final Status"
Set-Content $DCDNSReport $ThisString       # (re)create the report with a header row
$AnyGap = "No"
foreach ($ItemName in Get-Content $GDCList) {
    $DCConError = "Connected"
    try {
        # Remote WMI requires local administrator rights on the DC and RPC/DCOM reachability
        $nwINFO = Get-WmiObject -ComputerName $ItemName -Class Win32_NetworkAdapterConfiguration -ErrorAction Stop |
                  Where-Object { $_.IPAddress -ne $null }
        $ComConError = "Success"
    } catch {
        # Record the failure instead of skipping the DC silently
        Add-Content $DCDNSReport "$ItemName,Failed,WMI query failed,,,,,,$($_.Exception.Message -replace ',',';')"
        continue
    }
    foreach ($NIC in $nwINFO) {
        $nwDescrip = $NIC.Description
        $nwIPADDR  = $NIC.IPAddress -join ";"      # multi-valued properties are joined so each adapter is one CSV row
        $nwSUBNET  = $NIC.IPSubnet -join ";"
        $nwGateWay = $NIC.DefaultIPGateway -join ";"
        $nwDNS     = @($NIC.DNSServerSearchOrder)
        if ($nwDNS.Count -lt 2) {
            $FinStatus = "Not enough DNS Servers have been configured on this domain controller."
            $AnyGap = "Yes"
        } else {
            $FinStatus = "OK"
        }
        $FinalSTR = $ItemName + "," + $DCConError + "," + $ComConError + "," + $nwDescrip + "," + $nwIPADDR + "," + $nwSUBNET + "," + $nwGateWay + "," + '"' + ($nwDNS -join ";") + '"' + "," + $FinStatus
        Add-Content $DCDNSReport $FinalSTR
    }
}
if ($AnyGap -eq "Yes") {
    $TestText = "Some Domain Controllers have not been configured with enough DNS Servers in the TCP/IP property of the network card. Please check the Final Status column of the output to see which Domain Controllers require updating. It is recommended to configure domain controllers with at least 2 DNS Servers."
    Write-Warning $TestText
}

Once the PowerShell script has finished executing, the report at "C:\Temp\DCDNSReport.CSV" contains one row per network adapter with the domain controller name, the connection and command status, the network adapter description, IP address, subnet, default gateway and DNS servers, and a Final Status column indicating whether the DNS TCP/IP configuration has a problem.

In the sample run, the report listed four domain controllers that do not have enough DNS servers configured. It is always recommended to configure at least two DNS servers in the TCP/IP properties of each domain controller to avoid name resolution failures. Once you have the report, you can take action accordingly.
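The script above only counts DNS servers; it cannot tell you whether the addresses it finds are the right ones. The following is an added example, not part of the original article or the Dynamic Pack it comes from, that takes the next step: for every DNS server listed on a domain controller it checks that the server answers the domain's _ldap._tcp.dc._msdcs SRV query (the record a domain controller needs to find its replication partners), that the address belongs to a domain controller, and that the domain controller does not list its own address first. It assumes it is run from a domain-joined workstation with local administrator rights on the domain controllers, that WinRM is enabled on them (Get-CimInstance uses WS-Management rather than DCOM), PowerShell 3.0 or later with the DnsClient module, and it reuses the article's input file; the output path and the New-Finding helper are assumptions of this example.

```powershell
# Added example, not from the original article or its Dynamic Pack. It validates the
# DNS servers each DC points at rather than just counting them. Assumptions: run from a
# domain-joined admin workstation with local administrator rights and WinRM access to the
# DCs, PowerShell 3.0+ with the DnsClient module (Resolve-DnsName), and the article's input file.
$DcListFile = 'C:\Temp\DCServers.TXT'          # input file from the article
$OutFile    = 'C:\Temp\DCDNSValidation.CSV'    # assumed output path
$Domain     = (Get-CimInstance Win32_ComputerSystem).Domain
$SrvName    = "_ldap._tcp.dc._msdcs.$Domain"   # record every DC must be able to resolve

# Learn the DC addresses from the SRV records themselves (no ActiveDirectory module needed).
$DcAddresses = Resolve-DnsName -Name $SrvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' } |
    ForEach-Object { Resolve-DnsName -Name $_.NameTarget -Type A -ErrorAction SilentlyContinue } |
    Where-Object { $_.QueryType -eq 'A' } |
    Select-Object -ExpandProperty IPAddress -Unique

# Helper (assumed, not from the article) so every row has the same columns for Export-Csv.
function New-Finding($Dc, $Adapter, $Position, $Server, $Status) {
    [pscustomobject]@{ DomainController = $Dc; Adapter = $Adapter; Position = $Position
                       DnsServer = $Server; Status = $Status }
}

$Results = foreach ($Dc in Get-Content $DcListFile) {
    $Nics = Get-CimInstance -ComputerName $Dc -ClassName Win32_NetworkAdapterConfiguration `
                -Filter 'IPEnabled = TRUE' -ErrorAction SilentlyContinue
    if (-not $Nics) {
        New-Finding $Dc '' 0 '' 'CIM query failed (WinRM unreachable or no admin rights)'
        continue
    }
    foreach ($Nic in $Nics) {
        $Own     = @($Nic.IPAddress)
        $Servers = @($Nic.DNSServerSearchOrder)
        if ($Servers.Count -lt 2) {
            New-Finding $Dc $Nic.Description 0 '' 'fewer than two DNS servers configured'
        }
        $Position = 0
        foreach ($Server in $Servers) {
            $Position++
            $Issues = @()
            $IsLoopback = $Server -in '127.0.0.1', '::1'
            $IsSelf     = $IsLoopback -or ($Server -in $Own)

            # Microsoft's guidance: another DC first, the DC's own address second, never only itself.
            if ($Position -eq 1 -and $IsSelf) { $Issues += 'own address listed first' }

            # A loopback entry cannot be queried from this workstation; test the DC's own IPv4 address instead.
            $Target = $Server
            if ($IsLoopback) { $Target = @($Own | Where-Object { $_ -notlike '*:*' })[0] }

            # A resolver outside the domain (ISP, router) cannot locate DCs and sees internal queries.
            if ($Target -notin $DcAddresses) { $Issues += 'not a domain controller address' }

            # Does this server actually know where the domain controllers are?
            $Answer = Resolve-DnsName -Name $SrvName -Type SRV -Server $Target -DnsOnly -ErrorAction SilentlyContinue
            if (-not ($Answer | Where-Object { $_.QueryType -eq 'SRV' })) {
                $Issues += 'does not resolve _msdcs SRV records'
            }
            $Status = if ($Issues) { $Issues -join '; ' } else { 'OK' }
            New-Finding $Dc $Nic.Description $Position $Server $Status
        }
    }
}
$Results | Export-Csv -Path $OutFile -NoTypeInformation
$Results | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

The "not a domain controller address" finding is a heuristic: if your DNS Server role runs on member servers as well as on domain controllers, treat it as a prompt to verify the address rather than as a definite error. The SRV resolution check is the decisive one, because a domain controller whose DNS server cannot answer the _msdcs query will not be able to locate its replication partners no matter how many servers are listed. Once a bad entry is confirmed, Set-DnsClientServerAddress (run on the domain controller or through a CIM session) is the supported way to correct the server list.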

The PowerShell script was retrieved from the “Domain Controllers DNS Configuration Test” Dynamic Pack, which is part of Active Directory Health Profiler.

DNS settings and Active Directory

As explained above, DNS is a requirement for Active Directory to work at all, let alone efficiently. Each domain controller must be configured with at least two DNS servers in the TCP/IP properties of its network adapter to avoid name resolution failures, normally another domain controller first and its own address second. The PowerShell script provided here reports on the DNS server configuration of each domain controller so that any domain controller with too few DNS servers can be identified and corrected.

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.
