  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1869

How to update the TTL for all domains on Windows 2003 DNS server

Hi Experts.

We have a Windows 2003 DNS server with 1000+ domains.

It is currently set to the following:
Refresh Interval: 15sec
Retry Interval: 10sec
Expires After: 1sec
Minimum (default) TTL: 0 Days
TTL for this record: 0:0:0:0

What would be the recommended/standard configuration to use? How would I go about updating all the records as none of the domains have preferred settings and all use the defaults.

Changing them individually is just too time consuming, so I am looking for a batch-style update if possible.

Your help is much appreciated.
Asked by: 1NSANE
 
KrisdeepCommented:
Does this help? Let me know.

http://support.microsoft.com/kb/297510
 
Chris DentPowerShell DeveloperCommented:

Should be possible to script modification of the SOA through WMI, looking now.

Chris
 
Chris DentPowerShell DeveloperCommented:

Okay, it is. Would you be happy using PowerShell to perform this change? It's easier than VBScript; none of the default tools (dnscmd etc.) allow for record modification.

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

There are no hard rules that say what intervals you must use above. The values I've used are below, then explanation here:

SOA TTL - Matching the value of MinimumTTL, a reasonably long value. SOA is unlikely to change that frequently

Refresh Interval - For Secondary Servers, how frequently they check for updates. If Notify is enabled they will check on notify in addition to this.

Retry Delay - Retry for a failed transfer

Expire Limit - How long a Secondary zone is kept until it is discarded by a Secondary server. Long time periods allow for greater fault tolerance.

Minimum TTL - You know this one

And the code bears some explanation.

This bit gets the SOA Record for a single zone (SomeZone.com):

Get-WMIObject -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_SOAType" `
  -ComputerName "SomeDNSServer" -Filter "ContainerName='SomeZone.com'"

It can be run remotely because of the ComputerName parameter, but we will need WMI access. To return all SOA records on the server, remove the Filter parameter.

% is a loop, for each SOA record returned by the search.

Modify has fixed parameters, the serial is incremented below, Primary Server and Responsible Party are copied from the original record ($_). The rest are set to the new values.

Chris
# New values for the SOA

$SOATTL = "86400"           # 1 Day
$RefreshInterval = "21600"  # 6 Hours
$RetryDelay = "900"         # 15 Minutes
$ExpireLimit = "1209600"    # 2 Weeks
$MinimumTTL = "86400"       # 1 Day

# Retrieving the SOA Record for SomeZone.com (remove -Filter to return every zone's SOA)

Get-WMIObject -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_SOAType" `
  -ComputerName "SomeDNSServer" -Filter "ContainerName='SomeZone.com'" | %{
  # Modifying the SOA Record values. Modify's parameters are fixed and positional:
  # Modify(TTL, SerialNumber, PrimaryServer, ResponsibleParty,
  #        RefreshInterval, RetryDelay, ExpireLimit, MinimumTTL)
  # The serial is incremented so Secondary servers notice the change; PrimaryServer
  # and ResponsibleParty are copied unchanged from the existing record ($_).
  $_.Modify($SOATTL, $_.SerialNumber + 1, $_.PrimaryServer, $_.ResponsibleParty, `
    $RefreshInterval, $RetryDelay, $ExpireLimit, $MinimumTTL)
}


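As an added example (not Chris's script from this thread), here is the same WMI update wrapped so it can be run safely against 1000+ zones: it walks only the primary zones (a secondary zone's SOA comes from its master, so modifying it is pointless), reports which zones differ from the target timers, and changes only those when run with -Apply. The server name, the target values, the -Apply switch and the assumption that Modify returns an object whose ReturnValue is 0 on success are mine, not from the thread; it needs Windows PowerShell 2.0 or later for the -join operator.

```powershell
# Added example, not from the original thread. Preview/apply SOA timer changes
# for every primary zone on one server, touching only zones that differ.
param(
  [string]$DnsServer = "SomeDNSServer",   # assumed server name (placeholder)
  [switch]$Apply                          # without -Apply, report only
)

# Target values; the same numbers used in the thread, as assumptions here.
$Target = @{
  TTL             = 86400    # SOA record TTL, 1 day
  RefreshInterval = 21600    # 6 hours
  RetryDelay      = 900      # 15 minutes
  ExpireLimit     = 1209600  # 2 weeks
  MinimumTTL      = 86400    # 1 day
}

$Ns = "root\MicrosoftDNS"

# ZoneType 1 = primary. Secondary zones are skipped on purpose.
$Zones = Get-WmiObject -Namespace $Ns -Class MicrosoftDNS_Zone `
  -ComputerName $DnsServer -Filter "ZoneType='1'"

foreach ($Zone in $Zones) {
  $ZoneName = $Zone.ContainerName
  $Soa = Get-WmiObject -Namespace $Ns -Class MicrosoftDNS_SOAType `
    -ComputerName $DnsServer -Filter "ContainerName='$ZoneName'"
  if (-not $Soa) { Write-Warning "No SOA record found for $ZoneName"; continue }

  # Collect the fields whose current value differs from the target.
  $Diff = @()
  foreach ($Field in $Target.Keys) {
    if ([int64]$Soa.$Field -ne [int64]$Target[$Field]) {
      $Diff += ("{0}: {1} -> {2}" -f $Field, $Soa.$Field, $Target[$Field])
    }
  }
  if ($Diff.Count -eq 0) { continue }   # already correct, leave the serial alone

  Write-Host ("{0}: {1}" -f $ZoneName, ($Diff -join ", "))
  if (-not $Apply) { continue }

  # Modify(TTL, SerialNumber, PrimaryServer, ResponsibleParty,
  #        RefreshInterval, RetryDelay, ExpireLimit, MinimumTTL)
  # The serial must increase or secondaries will never pull the new SOA.
  $Result = $Soa.Modify($Target.TTL, ($Soa.SerialNumber + 1),
    $Soa.PrimaryServer, $Soa.ResponsibleParty,
    $Target.RefreshInterval, $Target.RetryDelay,
    $Target.ExpireLimit, $Target.MinimumTTL)
  # Assumption: a non-zero ReturnValue means the WMI call failed.
  if ($Result.ReturnValue -ne 0) {
    Write-Warning ("Modify failed for {0}: return value {1}" -f $ZoneName, $Result.ReturnValue)
  }
}
```

Run it once without -Apply to get a list of zones and the fields that would change, then with -Apply to commit. Zones already at the target values are left untouched, so their serial numbers are not bumped needlessly.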
1NSANEAuthor Commented:
All domains have updated correctly.

Thanks for the help. It is very much appreciated.
 
Chris DentPowerShell DeveloperCommented:

You're welcome :)

Chris
 
1NSANEAuthor Commented:
Hi Chris

I have configured a new Windows 2003 DNS server. I need to update the SOA name server records for the secondary etc. on the primary DNS server.

How can this be done in a batch update? Can this be done through PowerShell?
 
Chris DentPowerShell DeveloperCommented:

I'm not quite sure what you mean I'm afraid?

Did you want to update  the NS Record for the Secondary Server? Or change the zone transfer settings?

The SOA record only applies to the Primary, the Secondary uses it to determine whether and when to transfer a zone, but you shouldn't need to make changes to the SOA to appease the Secondary.

Still, it almost certainly can be scripted. Very little of the DNS system is inaccessible from script.

Chris
 
1NSANEAuthor Commented:
We have 2 DNS servers (NS1 and NS2). NS2 has been rebuilt and the IP has changed. NS1 has 2 entries under the "Name Servers" tab. I want to change the references to NS2 so that it reflects the new IP of NS2 unless it does its own DNS query which would mean it is not necessary.

I want NS1 to replicate to NS2 automatically as it was never setup this way.
 
Chris DentPowerShell DeveloperCommented:

Okay cool, that makes sense.

So we need to modify the out-of-zone A record for ns2 (if it exists). Do you know if Zone Transfers are currently set to "All servers listed in the name servers tab"? That would avoid having to change anything there.

Let's deal with the A record first.

Typically WMI appears to dislike displaying Out-Of-Zone records, which includes the Glue for NS records. Irritating as hell. That means either editing the text files or calling DNSCMD to remove, then add the glue back in.

Let's try that on one zone first, then we can think about wrapping a script around it to do it for all zones.

It should go like this:

DNSCMD /RecordDelete domainname.com ns2.domain.com. A <OldIP>

If it works, it should change the IP address in the Name Servers tab to the current IP for that resource with a * after it (indicating it's the result of a lookup). Then glue can be added again with:

DNSCMD /RecordAdd domainname.com ns2.domain.com. A <NewIP>

You will need the trailing "." after ns2.domain.com., otherwise it'll add a record relative to the zone itself, not much help.

As long as ns2.domain.com is referenced in the NS record it should be fine committing the glue. It will refuse to fully commit the change unless a corresponding NS Record also exists.

Chris
 
1NSANEAuthor Commented:
Hi Chris.

Sorry for the delayed response.

Our Zone Transfers are set to "Only servers listed on the Name Servers tab".

I get this error when trying the command:

The term 'dnscmd' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At line:1 char:7
+ dnscmd  <<<< /RecordDelete clientdomain.com ns1.domain.com. A 130.94.x.x

I am running the command on the local DNS server. Once I can get the entries for NS2 changed then I need to add all the forward lookup zones to NS2 as secondary records referenced from NS1.
 
Chris DentPowerShell DeveloperCommented:

Ahh, it's part of the Windows Support Tools; those will need to be installed to use it.

Chris
 
1NSANEAuthor Commented:
The /recorddelete command worked. It doesn't delete the entry just the IP and puts a " * " behind it. It has the new IP now.
If we can set it to run that command through all the forward zones that would be perfect.
 
Chris DentPowerShell DeveloperCommented:

Good stuff :)

Let's stuff a bit of script around it then, back to PowerShell (because it's short and sweet).

This will return reverse lookup zones as well (ZoneType just tells it to return Primary zones); if you don't want it to, the Filter can be modified to exclude them.

Get-WMIObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone `
  -Filter "ZoneType='1'" | %{
  # ContainerName is the zone name. Replace <OldIP> and <NewIP> with the real
  # addresses before running; /f stops /RecordDelete prompting for every zone.
  DNSCMD /RecordDelete $($_.ContainerName) ns2.domain.com. A <OldIP> /f
  DNSCMD /RecordAdd $($_.ContainerName) ns2.domain.com. A <NewIP>
}

Chris
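An added example (mine, not the script posted above) that wraps the same dnscmd pair with the checks an unattended run over 1000 zones needs: it restricts itself to primary forward zones (Reverse=FALSE drops the in-addr.arpa zones), skips any zone whose apex NS records do not name ns2 (dnscmd refuses to commit the glue otherwise, as noted above), passes /f so /RecordDelete does not prompt per zone, and checks the exit code of each call. The host name, the two addresses, the -Apply switch and treating a non-zero dnscmd exit code as failure are my assumptions; WMI's MicrosoftDNS_NSType class is used only to read the NS records, since WMI does not reliably show the out-of-zone glue itself.

```powershell
# Added example, not from the original thread. Re-point the glue A record for
# a name server in every primary forward zone, with sanity checks per zone.
param(
  [string]$NsHost = "ns2.domain.com.",  # assumed; FQDN with trailing dot
  [string]$OldIP  = "192.0.2.1",        # placeholder old address
  [string]$NewIP  = "192.0.2.2",        # placeholder new address
  [switch]$Apply                        # without -Apply, report only
)

$Ns = "root\MicrosoftDNS"

# ZoneType 1 = primary; Reverse=FALSE excludes the reverse lookup zones.
$Zones = Get-WmiObject -Namespace $Ns -Class MicrosoftDNS_Zone `
  -Filter "ZoneType='1' AND Reverse=FALSE"

foreach ($Zone in $Zones) {
  $ZoneName = $Zone.ContainerName

  # Only the zone apex NS records matter (OwnerName equal to the zone name);
  # delegation NS records further down the zone are ignored. NSHost is the
  # name server the record points at.
  $NsRecords = Get-WmiObject -Namespace $Ns -Class MicrosoftDNS_NSType `
    -Filter "ContainerName='$ZoneName' AND OwnerName='$ZoneName'"
  $Referenced = @($NsRecords | Where-Object {
    $_.NSHost.TrimEnd('.') -eq $NsHost.TrimEnd('.') })
  if ($Referenced.Count -eq 0) {
    Write-Warning "$ZoneName has no apex NS record for $NsHost, skipping"
    continue
  }

  if (-not $Apply) {
    Write-Host "Would replace glue $OldIP -> $NewIP for $NsHost in $ZoneName"
    continue
  }

  # /f suppresses the confirmation prompt that would otherwise stall the loop.
  & dnscmd /RecordDelete $ZoneName $NsHost A $OldIP /f
  # Assumption: dnscmd exits non-zero on failure, so stop before re-adding.
  if ($LASTEXITCODE -ne 0) {
    Write-Warning "RecordDelete failed in $ZoneName (exit $LASTEXITCODE)"
    continue
  }
  & dnscmd /RecordAdd $ZoneName $NsHost A $NewIP
  if ($LASTEXITCODE -ne 0) {
    Write-Warning "RecordAdd failed in $ZoneName (exit $LASTEXITCODE)"
  }
}
```

Zones that do not list ns2 in their apex NS set are reported rather than touched, which also gives you the list of zones where NS2 is not yet a name server and so would never receive a transfer under "Only servers listed on the Name Servers tab".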
 
1NSANEAuthor Commented:
Thanks again. All is working and updated.
