The module now contains these additional CmdLets.

• Refresh-DnsZone – Implements the ForceRefresh method for Secondary Zones
• Reload-ADDnsZone – Implements the UpdateFromDS method for AD Integrated Zones
• Reload-DnsZone
• Reset-DnsZoneType – Implements the ChangeZoneType method
• Resume-DnsZone
• Set-DnsZoneTransfer – Implements the ResetSecondaries method
• Start-DnsScavenging
• Start-DnsService
• Stop-DnsService
• Suspend-DnsZone – Implements the Pause method
• Update-DnsZoneFile

As usual, the module can be downloaded from code.msdn.microsoft.com/dnsshell.

Related posts:

1. DnsShell – alpha release DnsShell is my PowerShell module intended to help administer MS...
2. DnsShell: Get-AD* A new version of DnsShell has been released, this release...
3. DnsShell DnsShell is a Microsoft DNS administration module for PowerShell 2.0....

Related posts brought to you by Yet Another Related Posts Plugin.

The updated release is available on MSDN as version 0.2.0.

code.msdn.microsoft.com/dnsshell

Basic help is available for each of the new CmdLets.

Related posts:

1. DnsShell – alpha release DnsShell is my PowerShell module intended to help administer MS...
2. DnsShell DnsShell is a Microsoft DNS administration module for PowerShell 2.0....

Related posts brought to you by Yet Another Related Posts Plugin.

The module is currently available on MSDN.

The following CmdLets are implemented at this stage:

• Get-Dns
• Clear-DnsCache
• Get-DnsRecord
• Get-DnsServer
• Get-DnsZone
• New-DnsRecord
• New-DnsZone
• Remove-DnsObject
• Set-DnsRecord
• Get-ADDnsRecord

I am in the process of writing detailed CmdLet help, it will be made available as soon as possible.

Related posts:

1. DnsShell: Zone and Server CmdLets After fixing a couple of authentication bugs with Set-DnsRecord and...
2. DnsShell: Get-AD* A new version of DnsShell has been released, this release...

Related posts brought to you by Yet Another Related Posts Plugin.

Michael Smith has a very pretty PowerShell script which uses the structures below, and a few more, to convert the DnsRecord attribute into a human readable format on his blog, Michael’s meanderings….

Update 02/02/2010: In December 2009, Microsoft released a (not entirely accurate) protocol specification including details of dnsRecord and dnsProperty: MS-DNSP.pdf

About the mapped structure

The map created below for DNSRecord is incomplete, the remaining values seem to defy testing. While the map below is probably accurate I reserve the right to be wrong. Despite that, the structures can be used to manually construct or decode DNSRecords via LDAP rather than using the GUI, dnscmd or WMI. Edit: The map is now complete.

About DNSRecord

The dnsRecord attribute appears on dnsNode objects. The dnsRecord attribute is multi-valued. This means that each node can contain more than one record. This is most obvious for the node representing “same as parent folder” which will hold the NS records and SOA records as a minimum.

Structures: DNSRecord

The DNSRecord attribute is comprised of the fields described in the table below.

These values produce the following binary array.

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                 RDATA LENGTH                  |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TYPE                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                  UNKNOWN (1)                  |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                 UPDATEDATSERIAL               |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TTL                      |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                  UNKNOWN (2)                  |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                   TIMESTAMP                   |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
    /                     RDATA                     /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Unknown 1 is a difficult value to interpret. It may contain several separate fields, however as none appear easy to decipher they were left as a single block in the map. Testing shows that “unknown 1″ has the following values:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |           5           |     AdvRecordType     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |           0           |           0           |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Edit: The structure of Unknown 1 is as follows.

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |        VERSION        |     AdvRecordType     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     FLAGS                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Modifying the first byte to any (decimal) value other than 5 will cause the record to vanish from the DNS system. It will remain in the directory, but appears to render it useless. Edit: 5 is the Version number and is a static value.

The second byte, termed AdvRecordType, appears to have a number of possible values. Experimentation shows that Root Hints have the value set to decimal 8, out-of-zone records (normally Glue for NS Records) have 128, delegations within a zone have 130 and everything else has 240. A larger data set than I have available is required to draw conclusions other than those.

Edit: The values for AdvRecordType, referred to as Rank in the documentation above are represented by this Enumeration.

public enum RankFlag : uint
{
  // The record came from the cache.
  CacheBit = 1,
  // The record is a preconfigured root hint.
  RootHint = 8,
  // This value is not used.
  OutsideGlue = 32,
  // The record was cached from the additional section of a
  // nonauthoritative response.
  CacheNAAdditional = 49,
  // The record was cached from the authority section of a
  // nonauthoritative response.
  CacheNAAuthority = 65,
  // The record was cached from the additional section of an
  // authoritative response.
  CacheAAdditional = 81,
  // The record was cached from the answer section of a
  // nonauthoritative response.
  CacheNAAnswer = 97,
  // The record was cached from the authority section of an
  // authoritative response.
  CacheAAuthority = 113,
  // The record is a glue record in an authoritative zone.
  Glue = 128,
  // The record is a delegation (type NS) record in an
  // authoritative zone.
  NSGlue = 130,
  // The record was cached from the answer section of an
  // authoritative response.
  CacheAAnswer = 193,
  // The record comes from an authoritative zone.
  Zone = 240
 }

The final two bytes appear to be set to 0 in all instances. Edit: Referred to as Flags, the value must be 0.

Edit: Unknown 2 is reserved for future use and should be set to 0 in all cases.

Structures: RDATA

Each of the structures below is a minimal representation of the record data, the structures show single-label names. In each case the “Label Length” and “Data” structures repeat where multiple labels are used, this also applies to “Responsible Person” in the SOA record.

A

The RDATA block for the A record is a static 4 byte (32 bit) field. Each byte represents an octet in the IP address.

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     DATA                      |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

CNAME and NS

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

MX

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    PRIORITY                   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

SOA

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     SERIAL                    |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    REFRESH                    |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     RETRY                     |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    EXPIRE                     |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                  MINIMUM TTL                  |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    +--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /               RESPONSIBLE PERSON              /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

SRV

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    PRIORITY                   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     WEIGHT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      PORT                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

TXT

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LENGTH           |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

However, although it is advertised of as a feature of Windows 2008 DNS it is present in Windows 2003 from DNS version 5.2.3790.4460 and above, released with KB 961063.

To enable, disable, or configure the list requires modifications in the Registry for Windows 2003.

Enabling or Disabling the Global Query Block List

The default is disabled.

Managing the Global Query Block List

Note that wpad and isatap are default values when enabling the block list on Windows 2008, they are included here as an example.

As this is a registry change it should be applied to all other DNS servers for consistent behaviour, it will not replicate automatically.

When a name is blocked

If a name is blocked by the Global Query Block List the DNS request for the name will Time Out and Event ID 6268 (see below) will be logged in the DNS Server Event Log.

Type:     Error
Source:   DNS
Event ID: 6268

The global query block list is a feature that prevents attacks on your
network by blocking DNS queries for specific host names. This feature
has caused the DNS server to fail a query with error code NAME ERROR
for wpad.somedomain.example. even though data for  this DNS name exists
in the DNS database. Other queries in all locally authoritative zones
for other names that begin with labels in the block list will also fail,
but no event will be logged when further queries are blocked until the
DNS server service on this computer is restarted. See product documentation
for information about this feature and instructions on how to configure it.

Below is the current global query block list  (this list may be truncated
in this event if it is too long):
wpad
isatap

Related posts:

1. Bookmarks Cisco DNS DNS Best Practices, Network Protections, and Attack Identification...

Related posts brought to you by Yet Another Related Posts Plugin.

I have released a PowerShell 2.0 module using the WMI provider here.

There are a few limitations of the interface. The properties associated with Aging are read-only and cannot be set. Several of the configuration options are not available including the option to enable GlobalNames with Windows Server 2008.

Common variables

The examples below use two common variables. Both should be updated to reflect the environment used to execute any command.

$ServerName = "dns01"
$ContainerName = "somedomain.example"

Management Class vs Management Object

Two different classes from the .NET Framework are used below. The ManagementObject, created using Get-WMIObject, and the ManagementClass created using [WMIClass].

[WMIClass] creates the same object as the following example.

$Scope = New-Object Management.ManagementScope("\\$ServerName\root\MicrosoftDNS")
$Path = New-Object Management.ManagementPath("MicrosoftDNS_Zone")
$Options = New-Object Management.ObjectGetOptions($Null, `
  [System.TimeSpan]::MaxValue, $True)

$ZoneClass = New-Object Management.ManagementClass($Scope, $Path, $Options)

In general terms, to change something that already exists use the properties and methods of a ManagementObject via Get-WMIObject. To add something new use the methods associated with a ManagementClass.

Creating an instance of a Management Object

$Zones = Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"

Exploring the Management Object

Showing the object type:

PS C:\Stuff\Scripts\PowerShell> $Zones.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Object[]                                 System.Array

Showing the properties and methods:

PS C:\Stuff\Scripts\PowerShell> $Zones | Get-Member

   TypeName: System.Management.ManagementObject#rootMicrosoftDNSMicrosoftDNS_Zone

Name                      MemberType   Definition
----                      ----------   ----------
AgeAllRecords             Method       Management.ManagementBaseObject AgeAllRec...
ChangeZoneType            Method       Management.ManagementBaseObject ChangeZon...
ForceRefresh              Method       Management.ManagementBaseObject ForceRefr...
GetDistinguishedName      Method       Management.ManagementBaseObject GetDistin...
PauseZone                 Method       Management.ManagementBaseObject PauseZone()
ReloadZone                Method       Management.ManagementBaseObject ReloadZone()
ResetSecondaries          Method       Management.ManagementBaseObject ResetSeco...
ResumeZone                Method       Management.ManagementBaseObject ResumeZone()
UpdateFromDS              Method       Management.ManagementBaseObject UpdateFro...
WriteBackZone              Method       Management.ManagementBaseObject WriteBack...
Aging                     Property     Boolean Aging {get;set;}
AllowUpdate               Property     UInt32 AllowUpdate {get;set;}
AutoCreated               Property     Boolean AutoCreated {get;set;}
AvailForScavengeTime       Property     UInt32 AvailForScavengeTime {get;set;}
Caption                   Property     String Caption {get;set;}
ContainerName             Property     String ContainerName {get;set;}
DataFile                  Property     String DataFile {get;set;}
Description               Property     String Description {get;set;}
DisableWINSRecordReplicat Property     Boolean DisableWINSRecordReplication {ge...
DnsServerName             Property     String DnsServerName {get;set;}
DsIntegrated              Property     Boolean DsIntegrated {get;set;}
ForwarderSlave            Property     Boolean ForwarderSlave {get;set;}
ForwarderTimeout          Property     UInt32 ForwarderTimeout {get;set;}
InstallDate               Property     String InstallDate {get;set;}
LastSuccessfulSoaCheck    Property     UInt32 LastSuccessfulSoaCheck {get;set;}
LastSuccessfulXfr         Property     UInt32 LastSuccessfulXfr {get;set;}
LocalMasterServers        Property     String[] LocalMasterServers {get;set;}
MasterServers             Property     String[] MasterServers {get;set;}
Name                      Property     String Name {get;set;}
NoRefreshInterval         Property     UInt32 NoRefreshInterval {get;set;}
Notify                    Property     UInt32 Notify {get;set;}
NotifyServers             Property     String[] NotifyServers {get;set;}
Paused                    Property     Boolean Paused {get;set;}
RefreshInterval           Property     UInt32 RefreshInterval {get;set;}
Reverse                   Property     Boolean Reverse {get;set;}
ScavengeServers           Property     String[] ScavengeServers {get;set;}
SecondaryServers          Property     String[] SecondaryServers {get;set;}
SecureSecondaries         Property     UInt32 SecureSecondaries {get;set;}
Shutdown                  Property     Boolean Shutdown {get;set;}
Status                    Property     String Status {get;set;}
UseNBStat                 Property     Boolean UseNBStat {get;set;}
UseWins                   Property     Boolean UseWins {get;set;}
ZoneType                  Property     UInt32 ZoneType {get;set;}
...

Showing a subset of the properties within the object:

PS C:\Stuff\Scripts\PowerShell> $Zones | Select-Object Name,DsIntegrated,ZoneType,Reverse

Name                            DsIntegrated            ZoneType             Reverse
----                            ------------            --------             -------
1.2.3.in-addr.arpa                     False                   1                True
1.2.4.in-addr.arpa                     False                   1                True
1.2.5.in-addr.arpa                     False                   1                True

Creating an instance of a Management Class

$ZoneClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone"

Exploring the Management Class

Showing the object type:

PS C:\Stuff\Scripts\PowerShell> $ZoneClass.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     ManagementClass                          System.Management.ManagementObject

Showing the properties and methods:

PS C:\Stuff\Scripts\PowerShell> $ZoneClass | Get-Member

   TypeName: System.Management.ManagementClass#ROOTMicrosoftDNSMicrosoftDNS_Zone

Name                   MemberType    Definition
----                   ----------    ----------
Name                   AliasProperty Name = __Class
CreateZone             Method        System.Management.ManagementBaseObject CreateZone(Sys...
...

Listing the parameters required for a method

The output above truncates the strings detailing the parameters used for each method. The following shows how the full list can be displayed.

([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_AType") | `
  Get-Member -Name CreateInstanceFromPropertyData | Format-List

Note that while this shows the parameter type it does not show whether or not the parameter is required or optional. For full details refer to the DNS WMI Provider Reference.

Creating Zones

The following values represent the Zone Types available with Microsoft DNS.

0 Primary zone
1 Secondary zone
2 Stub zone
 * Windows Server 2003:  This zone type is introduced in Windows Server 2003.
3 Zone forwarder
 * Windows Server 2003:  This zone type is introduced in Windows Server 2003.

Create a Forward or Reverse Lookup Zone

This example shows all of the possible parameters, this can be reduced to a single line by dropping the comments and use of variables. Note that any optional variable can be set to $Null or “”.

# Forward Lookup zone name (example)
$Name = "somedomain.example"
# Reverse Lookup zone name (example for 1.2.3.x Subnet)
$Name = "3.2.1.in-addr.arpa"
# See above
$Type = 0
# AD Integration (only valid on Active Directory Domain Controllers)
$IsDSIntegrated = $False
# FileName (Optional and only valid for zones with AD integrated set to $False)
# File must exist if specified and have size greater than 0b.
$Filename = $Null
# Master IP (Optional and only valid for Secondary, Stub and Forwarder zones)
$MasterIP = $Null
# AdminEmail (Optional and only valid for Primary zones, writes into SOA record)
$AdminEmail = $Null

$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  $Name, $Type, $IsDSIntegrated, $FileName, $MasterIP, $AdminEmail)

Examples

# New Standard Primary Forward Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "standardprimary.example", 0, $False)
# New Standard Primary Forward Lookup Zone using existing zone file
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "standardprimary-existing.example", 0, $False, "standardprimary-existing.example.dns")
# New Active Directory Integrated Forward Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "adprimary.example", 0, $True)
# New Standard Primary Reverse Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "1.168.192.in-addr.arpa", 0)
# New Active Directory Integrated Reverse Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "2.168.192.in-addr.arpa", 0, $True)
# New Secondary Forward Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "standardsecondary.example", 1, $False, "", `
  @("192.168.0.1", "192.168.0.2"))
# New Stub Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "stub.example", 2, $False, "", @("192.168.0.1", "192.168.0.2"))
# New Conditional Forwarder
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "conditionalforwarder.example", 3, $False, "", @("192.168.0.1", "192.168.0.2"))
# New AD Integrated Conditional Forwarder
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "adconditionalforwarder.example", 3, $True, "", @("192.168.0.1", "192.168.0.2"))

Creating resource records with CreateInstanceFromPropertyData

CreateInstanceFromPropertyData is available on each individual record class. For example, the method can be invoked from MicrosoftDNS_AType, or MicrosoftDNS_MXType, and so on. Note that the syntax for the method varies slightly depending on the record type.

Create an A record

# Record Name (Owner Name). Should include full suffix to prevent the method
# throwing an error.
$OwnerName = "www.$ContainerName"
# Class, as in IN, CS, CH or HS. Normally only care about IN (Internet: 1) which
# is the default. (Optional)
$RecordClass = $Null
# Time To Live in seconds (Optional)
$TTL = $Null
# IP Address is required
$IPAddress = "1.2.3.4"

$NewATypeClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_AType"
$NewARecord = $NewATypeClass.CreateInstanceFromPropertyData( `
  $ServerName, $ContainerName, $OwnerName, $RecordClass, $TTL, $IPAddress)

Create an MX record

# Record Name (Owner Name). Normally the SMTP domain, in this case it matches
# ContainerName.
$OwnerName = $ContainerName
$RecordClass = $Null
$TTL = $Null
# Preference, numeric value used to determine the preferred server(s)
$Preference = 10
# The server used to handle the mail
$MailExchange = "mail.somedomain.example"

$NewMXTypeClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_MXType"
$NewMXRecord = $NewMXTypeClass.CreateInstanceFromPropertyData( `
  $ServerName, $ContainerName, $OwnerName, $RecordClass, $TTL, $Preference, $MailExchange)

Creating resource records with CreateInstanceFromTextRepresentation

CreateInstanceFromTextRepresentation is available from the MicrosoftDNS_ResourceRecord class. It takes fewer parameters than the previous method but ultimately requires exactly the same information.

Create an NS record

# The text version of the record. Must include Class (IN) or this will fail.
# @ represents the origin, or zone / domain name.
$TextRepresentation = "@ IN NS ns1.somedomain.net"

$NewRRClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_ResourceRecord"
$NewRR = $NewRRClass.CreateInstanceFromTextRepresentation( `
  $ServerName, $ContainerName, $TextRepresentation)

Create a TXT record

# Using @ with the TXT record here will cause an error when executing the method.
# Instead, this uses the $ContainerName variable.
# Unlike the zone file itself the method does not require a terminating
# period following each name.
$TextRepresentation = "$ContainerName IN TXT `"hello world`""

$NewRRClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_ResourceRecord"
$NewRR = $NewRRClass.CreateInstanceFromTextRepresentation( `
  $ServerName, $ContainerName, $TextRepresentation)

Update server data file

DNS zones are held in memory, any change to the zone is performed in memory rather than as a direct alteration of the zone file. The following method can be used to force the updated zone to write back to the file.

(Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" `
  -Filter "ContainerName='$ContainerName'").WriteBackZone()

Reload a zone

Changes made to the zone file can be loaded into memory immediately using the ReloadZone method.

(Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" `
  -Filter "ContainerName='$ContainerName'").ReloadZone()

Enabling and starting scavenging on a server

Enabling scavenging requires setting the ScavengingInterval property to a non-zero value. The value representing the interval uses Hours.

# Connecting to the Server Management Object
$Server = Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Server"
# Setting a new Scavenging Interval
$Server.ScavengingInterval = 24
$Server.Put()
# Start Scavenging
$Server.StartScavenging()

Clear the cache

Any cached entries on a server can be cleared using the ClearCache method of the MicrosoftDNS_Cache class.

(Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Cache").ClearCache()

Displaying the DNS server statistics

Each DNS server holds a variety of statistics that can help to evaluate server performance.

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Statistic" | `
    Select-Object Name, StringValue, Value

Related posts:

1. PowerShell, IIS and log settings A function to retrieve IIS log settings from a local...

Related posts brought to you by Yet Another Related Posts Plugin.

• A Type
• CNAME Type
• MX Type
• NS Type
• PTR Type
• SRV Type
• TXT Type

The examples below show modification of Host or A records, but it is possible to extend the example to use any of the types above.

Using VbScript to modify records

This example demonstrates the use of WMI in VbScript to modify a record. The first value for Modify is the TTL, by using objItem.TTL we just reinsert the existing value, only changing the IP address.

' Connect to the WMI Service
Set objWMIService = GetObject("winmgmts:\\dc01\root\MicrosoftDNS")
' Run a query to get the record we want to change
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType" & _
  " WHERE ContainerName='thezone.net' AND OwnerName='test.thezone.net'",,48)

' Loop through the results
For Each objItem in colItems
  ' Modify the record
  objItem.Modify objItem.TTL, "1.2.3.4"
Next

If the TTL must be changed it is important to exclude the IP Address parameter, failure to do so will result in the record being deleted. Any attempt to use Modify without making any changes will result in a “SWbemObjectEx: Generic failure” exception.

Using PowerShell to modify records

The same failure reasons and restrictions apply with PowerShell (including the obscure deletion). Otherwise changing the record can be performed like this.

$ServerName = "dns01"
$ContainerName = "somedomain.example"
$RecordName = "test.somedomain.example"

$Record = Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter "ContainerName='$ContainerName' AND OwnerName='$RecordName'"
# Using the existing TTL value (in seconds)
$ModifiedRecord = $Record.Modify($Record.TTL, "2.3.4.5")

In both VbScript and PowerShell the method call returns an object representing the updated record if further processing is required.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

1. Using a private AD domain. e.g. internal.highorbit.co.uk
2. Hosting a public web server within the AD domain. e.g. www.highorbit.co.uk
3. Internal clients cannot access the server using the public IP (a routing restriction)

At this point DNS can be used in two ways to address the issue.

Either claim authority for the entire domain, e.g. highorbit.co.uk. The disadvantage of this is that every other record under the domain must be duplicated in the private version (Split Brain DNS) or it will fail to resolve. For example, attempting to access portal.highorbit.co.uk would fail unless it was also added.

Or, a zone can be created using the full name of the service, i.e. naming the zone www.highorbit.co.uk. Adding a Host (A) record to the zone with a blank name will allow the zone name to resolve to an IP address, in exactly the same way as names other domains are resolved.

The full step of steps for this is as follows:

1. Open the DNS Console (from Administrative Tools)
2. Expand Forward Lookup Zones
3. Create a new zone
4. Type is either (Standard) Primary or Primary and Active Directory Integrated
5. Replication Scope can remain default (if applicable)
6. Zone Name should be the name of the host, e.g. www.highorbit.co.uk
7. Select “Do not allow dynamic updates”
8. Finish

Then add a record so the name resolves back to an IP:

1. Select the new zone (e.g. www.highorbit.co.uk)
2. Right click and select “New Host (A)…”
3. Leave the Name Blank
4. Enter the IP Address

Note that an Alias, or CNAME, cannot be used. CNAME records cannot share resource names. In this case the resource name is www.highorbit.co.uk and is currently shared with NS records and the SOA record because it is being treated as a domain.

Finally, the change can be tested by running these commands:

nslookup www.highorbit.co.uk
ipconfig /flushdns
ping www.highorbit.co.uk

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

A stale record is a record where both the No-Refresh Interval and Refresh Interval have passed without the time stamp updating. Ordinarily stale records would be removed by a Scavenging process. These scripts may be useful if trying to asses the impact of enabling Scavenging or reducing Aging intervals.

Listing stale records with VbScript

This script uses a WMI query to return all A records for a domain, then it sorts through each record, echoing when the time stamp is older than our pre-defined maximum age. The script will work best when run with cscript.

' No-Refresh + Refresh (in Days)
Const MAXIMUM_AGE = 4

' Connect to the MicrosoftDNS Namespace
Set objWMIService = _
  GetObject("winmgmts:\\dc01.internal.highorbit.co.uk\root\MicrosoftDNS")

' Query A records with MicrosoftDNS_AType class where the record is not static
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType " &_
  " WHERE ContainerName='internal.highorbit.co.uk' AND TimeStamp<>0")

For Each objItem In colItems
  ' Convert the timestamp into a date and time
  dtmTimeStamp = DateAdd("h", objItem.TimeStamp, "01/01/1601 00:00:00")
  ' Compare the date and time with MAXIMUM_AGE
  If dtmTimeStamp <= (Date() - MAXIMUM_AGE) Then
    ' Echo the record details if it is older than the MAXIMUM_AGE
    WScript.Echo objItem.OwnerName & VbTab & objItem.IPAddress &_
      VbTab & dtmTimeStamp
  End If
Next

Listing stale records with PowerShell

This snippet uses Get-WMIObject and a improved query to return only stale records rather than sorting after returning all dynamic records.

A timespan value is generated to represent the minimum value of TimeStamp for valid records.

# No-Refresh + Refresh (in Days)
$TotalAgingInterval = 4

$ServerName = "dc01.internal.highorbit.co.uk"
$ContainerName = "internal.highorbit.co.uk"

$MinTimeStamp = [Int](New-TimeSpan `
  -Start $(Get-Date("01/01/1601 00:00")) `
  -End $((Get-Date).AddDays(-$TotalAgingInterval))).TotalHours

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter `
  "ContainerName='$ContainerName' AND TimeStamp<$MinTimeStamp AND TimeStamp<>0" `
 | Select-Object OwnerName, `
  @{n="TimeStamp";e={(Get-Date("01/01/1601")).AddHours($_.TimeStamp)}}

Reading Aging intervals with PowerShell

The Aging intervals and the date the zone can be scavenged set on a zone can be read using WMI using the MicrosoftDNS_Zone class. As with the TimeStamp the .AddHours method must be used to return a date.

$ServerName = "dc01.internal.highorbit.co.uk"
$ContainerName = "internal.highorbit.co.uk"

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" `
  -Filter "ContainerName='$ContainerName'" `
 | Select-Object NoRefreshInterval, RefreshInterval, `
  @{n="AvailForScavengeTime";e={
    (Get-Date("01/01/1601")).AddHours($_.AvailForScavengeTime)}}

Localisation

As mentioned at the beginning of this post, all times are reported in UTC by default. By calling a the ToLocalTime method the date returned can be converted to local time, using the time zone configured on the system executing the query.

$ServerName = "dc01.internal.highorbit.co.uk"
$ContainerName = "internal.highorbit.co.uk"

$MinTimeStamp = [Int](New-TimeSpan `
  -Start $(Get-Date("01/01/1601 00:00")) `
  -End $((Get-Date).AddDays(-$TotalAgingInterval))).TotalHours

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter `
  "ContainerName='$ContainerName' AND TimeStamp<$MinTimeStamp AND TimeStamp<>0" `
 | Select-Object OwnerName, `
  @{n="TimeStamp";e={
    ((Get-Date("01/01/1601")).AddHours($_.TimeStamp)).ToLocalTime()}}

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

The DNS management console

To see the current time stamp, and whether a record is dynamic or not first enable View / Advanced in the DNS console. For each record that makes an additional tick box and text box visible.

The record below is dynamic, if the box is not ticked, and the time stamp field is blank the record is static. That means that unticking the box stating the record can be scavenged changes the record to static.

DNSCMD

DNSCMD installs along with the Windows Support Tools. It can be used to identify static records, although it can be very difficult pulling the results out of a list like this.

For example:

dnscmd /ZonePrint somedomain.example

WMIC

WMIC, Windows Management Instrumentation Command-Line, will install the first time it is run. As the name suggests, it allows execution of WMI queries on the command line.

WMIC /NAMESPACE:"\\root\MicrosoftDNS" PATH "MicrosoftDNS_AType" WHERE "ContainerName='somedomain.example’ AND TimeStamp=0" GET "OwnerName,TTL,TimeStamp"

Or

WMIC /NAMESPACE:"\\root\MicrosoftDNS" PATH "MicrosoftDNS_AType" WHERE "TimeStamp=0" GET "OwnerName,TTL,TimeStamp"

VbScript

This VbScript snippet echoes each static record, it is works best when run with cscript.

strServerName = "dc01.somedomain.example"
strContainerName = "somedomain.example"

Set objWMIService = GetObject("winmgmts:\\" & strServerName & _
  "\root\MicrosoftDNS")
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType " &_
  " WHERE ContainerName='" & strContainerName & "' AND TimeStamp=0")

For Each objItem In colItems
  WScript.Echo objItem.OwnerName & VbTab & objItem.IPAddress & VbTab & "Static"
Next

Set colItems = Nothing
Set objWMIService = Nothing

PowerShell

$ServerName = "dc01.somedomain.example"
$ContainerName = "somedomain.example"

Get-WMIObject -Computer $ServerName `
    -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
    -Filter "ContainerName='$ContainerName' AND TimeStamp=0" `
  | Select-Object OwnerName,TTL, @{n="TimeStamp";e={"Static"}}

The same search can be used for any record type, by changing the WMI class. The options most likely to be useful are:

• MicrosoftDNS_AType – Address or Host records
• MicrosoftDNS_CNAMEType – Alias records
• MicrosoftDNS_MXType – Mail Exchanger records
• MicrosoftDNS_NSType – Name Server records
• MicrosoftDNS_SRVType – Service records
• MicrosoftDNS_PTRType – Pointer records (Reverse Lookup zone)

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.