Windows 2008 has an improved user interface for DNS. The main console includes details of a records time stamp and whether or not the record is Static. Life isn’t quite so easy with Windows 2003. However, as each static record has a time stamp set to 0 they can be found with a little work.

When using an Active Directory Integrated zone records are stored within Active Directory as dnsNode objects. The Time Stamp value is encoded along with the rest of the record properties (TTL, etc) in the dnsRecord attribute on the dnsNode. The attribute is a Binary Large Object (BLOB), Microsoft do not currently publish references or maps for these attributes. WMI queries can be used as an alternative.

The DNS management console

To see the current time stamp, and whether a record is dynamic or not first enable View / Advanced in the DNS console. For each record that makes an additional tick box and text box visible.

The record below is dynamic, if the box is not ticked, and the time stamp field is blank the record is static. That means that unticking the box stating the record can be scavenged changes the record to static.

dynamicrecord

DNSCMD

DNSCMD installs along with the Windows Support Tools. It can be used to identify static records, although it can be very difficult pulling the results out of a list like this.

For example:

dnscmd /ZonePrint somedomain.example

WMIC

WMIC, Windows Management Instrumentation Command-Line, will install the first time it is run. As the name suggests, it allows execution of WMI queries on the command line.

WMIC /NAMESPACE:"rootMicrosoftDNS" PATH "MicrosoftDNS_AType" WHERE "ContainerName='somedomain.example'" AND TimeStamp=0" GET "OwnerName,TTL,TimeStamp"

Or

WMIC /NAMESPACE:"rootMicrosoftDNS" PATH "MicrosoftDNS_AType" WHERE "TimeStamp=0" GET "OwnerName,TTL,TimeStamp"

VbScript

This VbScript snippet echoes each static record, it is works best when run with cscript.

strServerName = "dc01.somedomain.example"
strContainerName = "somedomain.example"

Set objWMIService = GetObject("winmgmts:" & strServerName &_
    "rootMicrosoftDNS")
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType " &_
    " WHERE ContainerName='" & strContainerName & "' AND TimeStamp=0")
    
For Each objItem In colItems
    WScript.Echo objItem.OwnerName & VbTab & objItem.IPAddress & VbTab & "Static"
Next

Set colItems = Nothing
Set objWMIService = Nothing

PowerShell

$containerName = "somedomain.example"
$params = @{
    Filter       = 'ContainerName="{0}" AND TimeStamp=0' -f $containerName
    Class        = 'MicrosoftDNS_AType'
    Namespace    = 'root\MicrosoftDNS'
    ComputerName = "dc01.somedomain.example"
}
Get-WmiObject @params |
    Select-Object OwnerName, TTL, @{n="TimeStamp";e={ "Static" }}

The same search can be used for any record type, by changing the WMI class. The options most likely to be useful are:

  • MicrosoftDNS_AType – Address or Host records
  • MicrosoftDNS_CNAMEType – Alias records
  • MicrosoftDNS_MXType – Mail Exchanger records
  • MicrosoftDNS_NSType – Name Server records
  • MicrosoftDNS_SRVType – Service records
  • MicrosoftDNS_PTRType – Pointer records (Reverse Lookup zone)