DNS is closely integrated with Microsoft Active Directory, so a health check of Active Directory systems needs to include health check items for the DNS servers. For example, you might want to check whether all DNS servers have scavenging enabled. Similarly, you might want to check how many stale DNS records you have in the Active Directory domain zones. Another DNS server health check item is to make sure you don’t have static DNS entries created for Windows client computers. Apart from the DNS server health check items mentioned above, you can also check that the Active Directory domain zone has secure dynamic updates enabled. In this article, we explain how you can use a simple PowerShell script to get a list of the static DNS entries created in the DNS server and then identify the static entries that are no longer needed.
You can always create static DNS records for systems that cannot refresh or update their DNS records dynamically, such as Linux operating systems, but it makes no sense to create static DNS entries for Windows client computers: Windows client computers can easily refresh and update their own DNS records in the DNS server. You can use the PowerShell script below to get a list of static DNS A and CNAME records from the current DNS domain zone.
Requirements to find static DNS records
Before you can run the script, please make sure to meet the requirements mentioned below:
- Ensure you are running the script from a Windows Server 2012 R2 member server or domain controller.
- You must install DNS Server Tools from Server Manager. Note that the script below uses the Get-DnsServerResourceRecord PowerShell cmdlet, which is installed as part of DNS Server Tools.
- Make sure to create a folder named “C:\Temp” on the computer from which you will run the script.
- Create a text file named DomList.txt in that folder and list the names of the domain zones in it, one per line.
- Make sure the PDC Emulator of the Active Directory domain is reachable. Note that it is always recommended to perform Active Directory-related operations against the PDC Emulator.
Once you have met the above requirements, copy the script below into a .ps1 file and execute it from an elevated PowerShell window.
### Script Starts Here ###
$TestCSVFile = "C:\Temp\DNSStaticEntries.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$GDomList = "C:\Temp\DomList.TXT"
$ThisString = "Domain Zone,Connected to PDC,Number of Static CNAME Entries,Number of Static A DNS Entries,Static Record File,Final Status"
Add-Content "$TestCSVFile" $ThisString
$ADTestName = "DNS Static Records Test"
$TestStartTime = Get-Date
$TestText = ""
$TestStatus = ""
$SumVal = ""
$AnyGap = "No"
$ErrorOrNot = "No"
ForEach ($ThisDomain in Get-Content "$GDomList")
{
    # Resolve the PDC Emulator of this domain through .NET so the DNS queries run against it.
    $PDCServerToConnect = "Unknown"
    $Error.Clear()
    $DomCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $ThisDomain)
    $PDCServerToConnect = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomCtx).PdcRoleOwner.Name
    # Dynamically registered records carry a Timestamp; static records have none, so filter on a null Timestamp.
    $StaticARecords = Get-DnsServerResourceRecord -ZoneName $ThisDomain -ComputerName $PDCServerToConnect -RRType A | Where-Object Timestamp -eq $Null | Select-Object -Property HostName,RecordType -ExpandProperty RecordData
    IF ($Error.Count -eq 0)
    {
        $StaticCNAMERecords = Get-DnsServerResourceRecord -ZoneName $ThisDomain -ComputerName $PDCServerToConnect -RRType CNAME | Where-Object Timestamp -eq $Null | Select-Object -Property HostName,RecordType -ExpandProperty RecordData
        # @() makes .Count reliable when zero or one record is returned.
        $StaticACount = @($StaticARecords).Count
        $StaticCNAMECount = @($StaticCNAMERecords).Count
        $OkOrNot = "Ok"
        IF ($StaticACount -ne 0 -or $StaticCNAMECount -ne 0)
        {
            $AnyGap = "Yes"
            $OkOrNot = "NO"
        }
        # One CSV per zone for A records and one for CNAME records, both under C:\Temp.
        $StaticZoneAFile = "C:\Temp\StaticRecords_A_" + $ThisDomain + ".CSV"
        IF (Test-Path $StaticZoneAFile)
        {
            Remove-Item $StaticZoneAFile
        }
        $StaticZoneCNAMEFile = "C:\Temp\StaticRecords_CNAME_" + $ThisDomain + ".CSV"
        IF (Test-Path $StaticZoneCNAMEFile)
        {
            Remove-Item $StaticZoneCNAMEFile
        }
        IF ($StaticACount -ne 0)
        {
            $StaticARecords | Export-Csv $StaticZoneAFile -NoTypeInformation
        }
        IF ($StaticCNAMECount -ne 0)
        {
            $StaticCNAMERecords | Export-Csv $StaticZoneCNAMEFile -NoTypeInformation
        }
        $FinStatus = ""
        IF ($OkOrNot -eq "NO")
        {
            $FinStatus = "Found Static Records in Domain Zones."
        }
        $FinalStr = $ThisDomain + "," + $PDCServerToConnect + "," + $StaticCNAMECount + "," + $StaticACount + "," + $StaticZoneAFile + ";" + $StaticZoneCNAMEFile + "," + $FinStatus
        Add-Content "$TestCSVFile" $FinalStr
    }
    else
    {
        $ErrorOrNot = "Yes"
    }
}
IF ($ErrorOrNot -eq "Yes")
{
    $TestText = "Please check to make sure the PDC Emulator of every domain listed in DomList.txt is reachable."
    $SumVal = ""
    $TestStatus = "Error executing the test"
}
else
{
    IF ($AnyGap -eq "Yes")
    {
        $TestStatus = "High"
        $SumVal = ""
        $TestText = "Static DNS Records found in Domain Zones. Please ensure no DNS Static Records have been created for client computers other than servers that require a DNS Static record to be created in the Domain Zones. Static Record files are located under C:\Temp."
    }
    IF ($AnyGap -eq "No")
    {
        $TestStatus = "Passed"
        $SumVal = ""
        $TestText = "No DNS Static Records were found in Domain Zones."
    }
}
# Summary line for the console; the per-zone report is written to $TestCSVFile.
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
Write-Output $STR
### Script Ends Here ###
Tip: the script collects static DNS A and CNAME records from every Active Directory domain zone listed in DomList.txt and creates two CSV files for each domain zone, one for A records and one for CNAME records.
Once the script has finished, a report is generated to help you understand the status of static entries in each Active Directory domain, as shown in the screenshot below:
As you can see, the script collected static A and CNAME DNS records from the DNS server for the domain zones specified in the DomList.txt file and reported the number of static A and CNAME records found in each domain zone. Note that the static DNS entries, with host name and IP address, are saved in CSV files under the C:\Temp folder.
This script is part of PowerShell-based Dynamic Packs that ship with the Active Directory Health Profiler, which you can use to perform a complete health check of an Active Directory forest. There are 99 health checks included in the AD Health Profiler.
By using the above PowerShell script you can collect a list of static DNS A and CNAME records from the Active Directory domain zones. The script saves the data (IP address and host name) in a separate CSV file for each domain, so once you have the static DNS entry data, you can either remove the static DNS entries that are no longer needed or send the file to the domain owner so they can take action accordingly.
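Deciding which static A records are no longer needed is easier when each host name is matched against its Active Directory computer object. The following PowerShell is an added example, not part of the article's script: it reads the static A-record CSV the script writes (columns HostName and IPv4Address), joins it with Get-ADComputer output, and flags records that belong to Windows client operating systems or that have no computer object at all. It assumes the RSAT ActiveDirectory module is installed; the parameter names and the verdict labels are chosen for this example.

```powershell
# Added example: review static A records exported by the script above against AD computer objects.
# Assumes the ActiveDirectory RSAT module and a CSV with HostName/IPv4Address columns.
param(
    [Parameter(Mandatory)][string]$StaticRecordCsv,              # A-record CSV written by the script
    [Parameter(Mandatory)][string]$Domain,                       # AD domain / zone name to query
    [string]$ReportCsv = "C:\Temp\StaticARecordReview.CSV"        # where to write the review
)
Import-Module ActiveDirectory

# Index every computer object by name so each DNS host name becomes a hash lookup.
$Computers = @{}
Get-ADComputer -Server $Domain -Filter * -Properties OperatingSystem,LastLogonDate |
    ForEach-Object { $Computers[$_.Name.ToLower()] = $_ }

$Review = foreach ($Rec in Import-Csv $StaticRecordCsv) {
    # The zone apex record ("@") belongs to the zone itself, not to a computer.
    if ($Rec.HostName -eq '@') { continue }
    $Comp = $Computers[$Rec.HostName.ToLower()]
    $Verdict = if (-not $Comp) {
        'NoComputerObject'   # no AD computer with this name: candidate for cleanup, or a non-Windows host
    } elseif ($Comp.OperatingSystem -match 'Windows' -and $Comp.OperatingSystem -notmatch 'Server') {
        'WindowsClient'      # clients register dynamically, so a static entry is not needed
    } else {
        'ServerOrOther'      # servers and appliances may legitimately keep a static record
    }
    [pscustomobject]@{
        HostName        = $Rec.HostName
        IPv4Address     = $Rec.IPv4Address
        OperatingSystem = if ($Comp) { $Comp.OperatingSystem } else { '' }
        LastLogonDate   = if ($Comp) { $Comp.LastLogonDate } else { '' }
        Verdict         = $Verdict
    }
}

$Review | Export-Csv $ReportCsv -NoTypeInformation
# Per-verdict counts for the console; the full list with IP and logon data is in $ReportCsv.
$Review | Group-Object Verdict | Select-Object Name,Count
```

Records flagged NoComputerObject deserve a look at the IP address before removal, since appliances and non-Windows hosts never have an AD computer object.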