amendala
asked on
Require a PowerShell script to iterate through all domain controllers in a forest and list those that have DNS scavenging ENABLED.
Folks -
I need someone to craft a PowerShell script that will iterate through all the Domain Controllers in a forest (assume all DCs are in OU=Domain Controllers,DC=domain,DC=lcl) and to determine if DNS scavenging is enabled or not. If it is, output the name of the domain controller. If not, move on. Rinse, wash, repeat until all have been visited.
I believe this script will be handy for those of us looking for DNS servers with scavenging enabled that are using AD-Integrated zones as technically, thanks to replication and AD-Integration, only one server should be scavenging records.
Thanks.
ASKER
Well it returns data but it's not accurate. I get what I'd expect from one domain controller (168 or 7 days) but all the others show 0.
Scavenging is a zone-specific setting on a per-DC basis. So the scripting needs to take into account all the zones.
What you wrote above does query and return data but it shows 0's for servers that have scavenging enabled. At least insofar as the DNS MMC reflects.
Odd... thanks for your help Chris. Any changes we can make to it that'll give us a zone-by-zone breakdown on a Per-DC basis?
I'm not sure what zone that WMI namespace is looking at. Most likely the primary domain zone.
> Well it returns data but it's not accurate. I get what I'd expect from one
> domain controller (168 or 7 days) but all the others show 0.
That's pretty much what I thought it would do. For those, can you verify that DNS server properties / Advanced / Scavenging is disabled / unset? If it's set, can you tell me what it's set to please?
> Scavenging is a zone-specific setting on a per-DC basis. So the scripting needs to
> take into account all the zones.
The scavenging process is not. For AD integrated zones whether scavenging is enabled or not is stored in AD and replicated (the dnsProperty attribute holds this). The scavenging process (actual execution of scavenging) is, on the other hand, per-DC and what we're (hopefully) pulling here.
We can still pull the Aging settings per zone, either from WMI or from AD. If everything is AD integrated you should not see any difference between DCs though.
Chris
ASKER
Thanks for your input Chris. I believe we're actually saying the same thing.
For some background...
All of my zones are AD-Integrated, therefore replicated. I recently discovered that the scavenging process had been turned on for all DCs and all zones. This is *NOT* how I originally configured the DCs. How this occurred, I don't know.
My typical configuration is to configure scavenging only on the DC holding the PDC role, just for my own procedure consistency. Only one DC should be scavenging an AD-Integrated zone as any deleted or tombstoned records will be replicated. I think you'd agree. Somehow, I ended up with all DCs scavenging all zones.
The picture I included shows the checkbox I'm after. What I'd like to know is what DCs have that box checked for what zones. I'm trying to get this information into a daily AD health check report that I run so I can inspect it on a regular basis in case the setting ever reverts.
Obviously I'm concerned how this setting ever got changed. Only one of my DCs should have the scavenging process enabled.
So back to the script... what I'm seeing returned is not consistent with the graphic attached. Every DC I have has every zone with this check box enabled. The script is returning "0" for servers that have the box checked.
I really appreciate your help.
ASKER CERTIFIED SOLUTION
ASKER
Chris -
Thanks for all your help. I've got things working over here.
However, I must admit a major brain-lapse on my part that I apologize for. You tried to point something out to me and I glossed over it thinking we were on the same page. We weren't, my mistake. :)
As it turns out, my DCs are set exactly as I configured them. The scavenging feature is only turned on for one of them, as your script indicated properly. I was looking at the aging parameters as per the screenshot I sent you.
I swear, some days I need a good slap.
Thanks for everything, you were very thorough and helpful.
No problem, glad I could help out :)
Chris
Chris
I'll assume you have something installed to get computers from AD (Import-Module ActiveDirectory), just for simplicity. If you do, you don't need much to get this done.
I'm pretty sure that ScavengingInterval returns 0 if it's not enabled at all. Would you mind playing with this a bit to see if the theory is true? It'll throw big red errors if it finds a Domain Controller without DNS installed, but we can deal with that once we've verified we're getting useful information back.
Cheers,
Chris
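The script Chris attached is not reproduced on this page, so the following is an added example, not his code. It does what his two posts describe: enumerate every domain controller in the forest with the ActiveDirectory module, read the server-level ScavengingInterval from the MicrosoftDNS WMI namespace (0 when the server-level scavenging box is unchecked), and add the per-zone aging breakdown the asker wanted, so the two settings can be told apart. It assumes the RSAT ActiveDirectory module, PowerShell 3.0 or later, and an account with DCOM/WMI rights on each DC; a DC without the DNS role is reported as a row with an Error value instead of a red error.

```powershell
# Added example, not the script from the thread.
# Assumptions: RSAT ActiveDirectory module, PowerShell 3.0+, DCOM/WMI access to each DC.
Import-Module ActiveDirectory

function Get-DnsScavengingReport {
    [CmdletBinding()]
    param(
        # Default: every domain controller in every domain of the forest.
        [string[]]$ComputerName = (
            (Get-ADForest).Domains |
                ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
                Select-Object -ExpandProperty HostName
        )
    )

    foreach ($dc in $ComputerName) {
        try {
            # Server-level switch ("Enable automatic scavenging of stale records"
            # under server Properties / Advanced). ScavengingInterval is 0 hours
            # when the box is unchecked, which is why disabled servers report 0.
            $server = Get-WmiObject -Namespace 'root\MicrosoftDNS' `
                -Class MicrosoftDNS_Server -ComputerName $dc -ErrorAction Stop

            # Zone-level aging (the per-zone "Scavenge stale resource records" box).
            # For AD-integrated zones this is stored in AD and replicates, so it
            # should read the same on every DC; the server-level switch does not.
            $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' `
                -Class MicrosoftDNS_Zone -ComputerName $dc -ErrorAction Stop

            foreach ($zone in $zones) {
                [pscustomobject]@{
                    DC                      = $dc
                    ServerScavengingEnabled = [bool]($server.ScavengingInterval -gt 0)
                    ScavengingIntervalHours = $server.ScavengingInterval
                    Zone                    = $zone.Name
                    ADIntegrated            = [bool]$zone.DsIntegrated
                    ZoneAgingEnabled        = [bool]$zone.Aging
                    NoRefreshHours          = $zone.NoRefreshInterval
                    RefreshHours            = $zone.RefreshInterval
                    Error                   = $null
                }
            }
        }
        catch {
            # DC without the DNS role (no MicrosoftDNS namespace) or unreachable
            # over DCOM: report it as a row instead of stopping the loop.
            [pscustomobject]@{
                DC = $dc; ServerScavengingEnabled = $null; ScavengingIntervalHours = $null
                Zone = $null; ADIntegrated = $null; ZoneAgingEnabled = $null
                NoRefreshHours = $null; RefreshHours = $null
                Error = $_.Exception.Message
            }
        }
    }
}

# The original question: which DCs have the scavenging process enabled.
$report = Get-DnsScavengingReport
$scavengers = $report |
    Where-Object { $_.ServerScavengingEnabled } |
    Select-Object -ExpandProperty DC -Unique
$scavengers

# Health-check rule from the thread: with AD-integrated zones one scavenging
# server is the expected state, so more than one is worth a warning.
if (@($scavengers).Count -gt 1) {
    Write-Warning ("Scavenging is enabled on {0} DCs: {1}" -f @($scavengers).Count, ($scavengers -join ', '))
}

# Zone-by-zone view for the DCs that do scavenge.
$report | Where-Object { $_.ServerScavengingEnabled -and -not $_.Error } |
    Format-Table DC, Zone, ADIntegrated, ZoneAgingEnabled, NoRefreshHours, RefreshHours -AutoSize
```

The point of keeping both columns is the confusion that closes the thread: ZoneAgingEnabled is the replicated zone setting and is expected to be identical on every DC, while ServerScavengingEnabled is the per-server switch that should normally be on for a single DC. Pipe `$report` to Export-Csv to fold it into a daily health-check run.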