Ensure correct Active Directory DNS forwarders settings with PowerShell

DNS forwarders are used to forward DNS queries that cannot be resolved by the local DNS server. They are consulted only when the local DNS database has no record matching the client's query. For example, if you send a DNS query that contains TechGenix.com as the domain suffix, the DNS server first checks whether it hosts a zone named TechGenix.com. If it hosts the zone and finds the record in the TechGenix.com database, it prepares a response for the DNS client. If the DNS server does not host the TechGenix.com zone, the query is forwarded to the DNS servers configured on the DNS Forwarders tab.

You may not want DNS servers to send a negative response to DNS clients. Instead, you would like DNS servers to exhaust every available path before answering, so that the result is a positive response wherever possible. This is where the DNS forwarder feature comes in handy. Apart from making sure DNS servers are configured with the necessary forwarders, it is also important to note that internal DNS servers should never be configured with ISP DNS servers as forwarders. Instead, internal DNS servers should forward only to other internal DNS servers.

In this article, we provide a PowerShell script that collects the DNS forwarders configured on all the domain controllers (assuming the DNS Server role is running on each domain controller) and lets you identify the DNS servers that have been configured to use ISP DNS servers.

Requirements

Before you can run the script, please make sure to meet the requirements mentioned below:

  • Ensure that you run the script from a Windows Server 2012 R2 member server or domain controller.
  • You must install the DNS Server Tools from Server Manager. Note that the script below uses the Get-DnsServer PowerShell cmdlet, which is installed as part of the DNS Server Tools.
  • Make sure to create a folder named C:\Temp on the computer from which you will run the script, and in it a text file named DCList.TXT that contains one domain controller name per line.

Once you have met the above requirements, copy the script below into a .PS1 file and execute it from an elevated PowerShell window.

Tip: You can also schedule this script by using the Task Scheduler and have it run every month to ensure DNS forwarders settings are correct.


$TestCSVFile = "C:\Temp\DNSForwardersReport.CSV"
$GDCList = "C:\Temp\DCList.TXT"
# $ADTestName and $TestStartTime are normally set by the Dynamic Pack framework that runs
# this script; defaults are provided here so that it also runs stand-alone.
if (-not $ADTestName) { $ADTestName = "DNS Forwarders Check" }
if (-not $TestStartTime) { $TestStartTime = Get-Date }
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString = "DNS Server,Connection,Command Status,Number of DNS Forwarders,Configured DNS Forwarders,Forwarder Query Timeout,Final Status"
Add-Content "$TestCSVFile" $ThisString
$TotNo = 0
$TestText = ""
$TestStatus = ""
$SumVal = ""
$AnyGap = "No"
$AnyOneOk = "No"
$TotDCsInError = 0
ForEach ($ItemName in Get-Content "$GDCList")
{
    $DCConError = "Ok"
    $ProceedOrNot = "Yes"
    $Error.Clear()
    # Connectivity check: if WMI on the DC is unreachable, record the error and skip it.
    $AllServices = Get-WmiObject Win32_Service -ComputerName $ItemName -ErrorAction SilentlyContinue
    IF ($Error.Count -ne 0)
    {
        $ProceedOrNot = "No"
        $TotDCsInError++
        $DCConError = $Error[0].Exception.Message
        $FinalSTR = $ItemName + ",Not OK: Error: $DCConError"
        Add-Content "$TestCSVFile" $FinalSTR
    }
    IF ($ProceedOrNot -eq "Yes")
    {
        $ComConError = "Ok"
        $Error.Clear()
        $RCNow = Get-DnsServer -ComputerName $ItemName -ErrorAction SilentlyContinue
        IF ($Error.Count -eq 0)
        {
            $AnyOneOk = "Yes"
            $FordTimeout = $RCNow.ServerForwarder.Timeout
            # Forwarder addresses; an empty/null list counts as zero forwarders.
            $ForwarderIPs = @($RCNow.ServerForwarder.IPAddress | Where-Object { $_ })
            $TotForwarders = $ForwarderIPs.Count
            $FinStatus = "Ok"
            IF ($TotForwarders -eq 0)
            {
                $TotNo++
                $AnyGap = "Yes"
                $FinStatus = "This DNS Server does not have any DNS Forwarders configured."
            }
            # Space-separated list of forwarder addresses for the report column.
            $FinalVal = ($ForwarderIPs | ForEach-Object { $_.IPAddressToString }) -join " "
            $FinalSTR = $ItemName + ",$DCConError," + $ComConError + "," + $TotForwarders + "," + $FinalVal + "," + $FordTimeout + "," + $FinStatus
            Add-Content "$TestCSVFile" $FinalSTR
        }
        else
        {
            $ComConError = $Error[0].Exception.Message
            $FinalSTR = $ItemName + ",$DCConError," + $ComConError
            Add-Content "$TestCSVFile" $FinalSTR
        }
    }
}
$OthText = ""
IF ($TotDCsInError -ne 0)
{
    $OthText = "Some Domain Controllers have not been checked due to connectivity or command issues."
}
IF ($AnyGap -eq "Yes")
{
    $TestText = "Some DNS Servers are not configured with DNS Forwarders. It is important to configure DNS Forwarders on production DNS Servers to be able to resolve DNS queries throughout Active Directory. $OthText"
    $SumVal = $TotNo
    $TestStatus = "Critical"
}
IF ($AnyGap -eq "No")
{
    $TestText = "DNS Servers have one or more DNS Forwarders configured. $OthText"
    $SumVal = ""
    $TestStatus = "Passed"
    IF ($AnyOneOk -eq "No")
    {
        $TestText = "Error Executing Dynamic Pack."
        $SumVal = ""
        $TestStatus = "Completed with Errors."
    }
}
# Summary line consumed by the Dynamic Pack framework; echoed so stand-alone runs show it too.
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
Write-Output $STR


Once you have executed the PowerShell script, a report named DNSForwardersReport.CSV is generated in the C:\Temp folder on the computer where you ran the script. The report includes the domain controller name, the number of DNS forwarders configured on it, the list of configured forwarders, the forwarder query timeout value, and a final status indicating whether the DNS server requires any changes. This is also shown in the screenshot below:

DNS Forwarders Report

As you can see in the report, the script checked all domain controllers specified in the DCList.TXT file and reported the DNS forwarders configured on each DNS server. DC4.TechGenix.com does not have any DNS forwarder configured, so the script reported "This DNS Server does not have any DNS forwarders configured" in the Final Status column. DC3.TechGenix.com is configured with the Google ISP DNS server, which is not recommended.

This script is part of PowerShell-based Dynamic Packs that ship with the Active Directory Health Profiler, which you can use to perform a complete health check of an Active Directory forest. There are 99 health checks included in the AD Health Profiler.

Modify DNS forwarders if necessary

By using the PowerShell script provided in this article you can see which DNS forwarders are configured on each DNS server. The report also lets you spot any DNS server whose forwarders point at an ISP DNS server. Once you know the DNS forwarder configuration, you can modify the settings if required.
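As an added example (not part of the article's Dynamic Pack script), the following classifies each forwarder as approved, internal (RFC 1918) or public, and can reset a drifted server to the approved list with Set-DnsServerForwarder; $ApprovedForwarders and the DC2/DC3 sample data are constructed assumptions, and only IPv4 forwarders are classified.

```powershell
# Added example, not the article's script. $ApprovedForwarders and the sample data are constructed.
$ApprovedForwarders = @('10.0.0.10', '10.0.0.11')

function Test-InternalIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16 (IPv6 ULA is out of scope here)
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ForwarderFindings {
    param([string]$DnsServer, [string[]]$Forwarders, [string[]]$Approved)
    foreach ($f in $Forwarders) {
        $status = if ($Approved -contains $f) { 'Approved' }
                  elseif (Test-InternalIPv4 $f) { 'Internal but not on approved list' }
                  else { 'Public (ISP/external) forwarder - not recommended' }
        [pscustomobject]@{ DnsServer = $DnsServer; Forwarder = $f; Status = $status }
    }
}

# Live check of one DNS server (requires the DnsServer module). -Fix replaces the whole
# forwarder list with the approved set: Set-DnsServerForwarder -IPAddress replaces,
# whereas Add-DnsServerForwarder would append.
function Repair-DnsForwarders {
    param([Parameter(Mandatory)][string]$DnsServer, [string[]]$Approved = $ApprovedForwarders, [switch]$Fix)
    $current = @((Get-DnsServerForwarder -ComputerName $DnsServer).IPAddress | ForEach-Object { $_.IPAddressToString })
    $drift = Get-ForwarderFindings -DnsServer $DnsServer -Forwarders $current -Approved $Approved |
             Where-Object Status -ne 'Approved'
    if ($drift -and $Fix) { Set-DnsServerForwarder -ComputerName $DnsServer -IPAddress $Approved }
    return $drift
}

# Offline demonstration mirroring the article's report: DC3 forwards to a public resolver.
$sample = [ordered]@{
    'DC2.TechGenix.com' = @('10.0.0.10', '10.0.0.11')
    'DC3.TechGenix.com' = @('10.0.0.10', '8.8.8.8')
}
$findings = foreach ($dc in $sample.Keys) {
    Get-ForwarderFindings -DnsServer $dc -Forwarders $sample[$dc] -Approved $ApprovedForwarders
}
$findings | Format-Table -AutoSize
```

Run Repair-DnsForwarders -DnsServer DC3.TechGenix.com without -Fix first to review the drift it reports before letting it rewrite the forwarder list.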
