Solved

Clean stale records in AD and DNS

Posted on 2016-10-05
6
37 Views
1 Endorsement
Last Modified: 2016-10-24
Hello Team,

Can someone please provide me with a nice script or free utility to identify all stale records in a DNS and Active Directory environment?

I need that information exported to a CSV file, and fully compatible with Windows 2012 R2 servers and PowerShell.
Question by:Jerry Seinfield
6 Comments
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41830395
There isn't really a way to determine if a record is stale other than looking for a host behind the record. Are you talking about dynamic records or static?

We should start with what your issue is and what are you trying to solve for...
0
 
LVL 12

Assisted Solution

by:Vaseem Mohammed
Vaseem Mohammed earned 125 total points (awarded by participants)
ID: 41830447
I would point you to the Aging and Scavenging feature.
Refer to: Use Aging and Scavenging
0
 
LVL 6

Assisted Solution

by:sAMAccountName
sAMAccountName earned 125 total points (awarded by participants)
ID: 41830475
Aging and scavenging won't do anything for static records, which is why I asked. I think before anyone provides a solution, we all need to understand the requirement.
0
 

Author Comment

by:Jerry Seinfield
ID: 41830980
How can I identify and then delete static and dynamic stale records? Is that even possible?
0
 
LVL 81

Accepted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41831159
2 PowerShell scripts, one for AD and one for DNS
#
# Get the current date
#
$CurrentDate = Get-Date
#
# Number of days to check back
#
$NumberDays = 90
#
# Organizational unit to search
#
$SearchBase = 'OU=Users,OU=Business,DC=Contoso,DC=Local'
#
Import-Module ActiveDirectory
# The -and guard skips accounts that have never logged on (LastLogonDate is null),
# which would otherwise throw a null-method error inside the filter.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties LastLogonDate | Where-Object { $_.LastLogonDate -and ($_.LastLogonDate.AddDays($NumberDays) -lt $CurrentDate) } | Format-Table
#
# Add in a | Disable-ADAccount to AUTOMATICALLY disable those accounts.
# The line should read like this if you want to do that:
#
# Get-ADUser -Filter * -SearchBase $SearchBase -Properties LastLogonDate | Where-Object { $_.LastLogonDate -and ($_.LastLogonDate.AddDays($NumberDays) -lt $CurrentDate) } | Disable-ADAccount


#Requires -Module ActiveDirectory,DnsServer 
  
<# 
.SYNOPSIS 
    This script will report on all dynamic DNS records in a particular DNS zone that 
    are at risk of being scavenged by the DNS scavenging process. 
.NOTES 
    Created on:     8/22/2014 
    Created by:     Adam Bertram 
    Filename:       Get-RecordsToBeScavenged.ps1 
    Credits:         
    Requirements:   An AD-integrated DNS zone 
.EXAMPLE 
    PS> Get-RecordsToBeScavenged.ps1 -DnsZone myzone -WarningDays 5 
  
    This example will find all DNS records in the zone 'myzone' that are set to be scavenged 
    within 5 days. 
.PARAMETER DnsServer 
    The DNS server that will be queried 
.PARAMETER DnsZone 
    The DNS zone that will be used to find records 
.PARAMETER WarningDays 
    The number of days ahead of scavenge time you'd like to report on.  By default, this script 
    only displays DNS records set to be scavenged within 1 day. 
#> 
[CmdletBinding()] 
[OutputType('System.Management.Automation.PSCustomObject')] 
param ( 
    [Parameter(Mandatory)] 
    [string]$DnsZone, 
    [Parameter()] 
    [string]$DnsServer = (Get-ADDomain).ReplicaDirectoryServers[0], 
    [Parameter()] 
    [int]$WarningDays = 1 
) 
begin { 
    function Get-DnsHostname ($IPAddress) { 
        ## Use nslookup because it's much faster than any other cmdlet 
        $Result = nslookup $IPAddress 2> $null 
        $Result| where { $_ -match 'name' } | foreach { 
            $_.Replace('Name:    ', '') 
        } 
    } 
    Function Test-Ping ($ComputerName) { 
        try { 
            $oPing = new-object system.net.networkinformation.ping; 
            if (($oPing.Send($ComputerName, 200).Status -eq 'TimedOut')) { 
                $false; 
            } else { 
                $true   
            } 
        } catch [System.Exception] { 
            $false 
        } 
    } 
} 
process { 
    try { 
        ## Check if scavenging and aging is even enabled on the server and zone 
        $ServerScavenging = Get-DnsServerScavenging -Computername $DnsServer 
        $ZoneAging = Get-DnsServerZoneAging -Name $DnsZone -ComputerName $DnsServer 
        if (!$ServerScavenging.ScavengingState) { 
            Write-Warning "Scavenging not enabled on server '$DnsServer'" 
            $NextScavengeTime = 'N/A' 
        } else { 
            $NextScavengeTime = $ServerScavenging.LastScavengeTime + $ServerScavenging.ScavengingInterval 
        } 
        if (!$ZoneAging.AgingEnabled) { 
            Write-Warning "Aging not enabled on zone '$DnsZone'" 
        } 
          
        ## A record won't be scavengable until the refresh + no-refresh period has elapsed.  Set a threshold 
        ## of this time plus a buffer to give the user a heads up ahead of time. 
        $StaleThreshold = ($ZoneAging.NoRefreshInterval.Days + $ZoneAging.RefreshInterval.Days) + $WarningDays 
          
        ## Find all dynamic DNS host records in the zone that haven't updated their timestamp in a long time 
        ## ensuring to only include the hosts ending with the zone name.  If not, by default, Get-DnsServerResourceRecord 
        ## will include a record with and without the zone name appended 
        $StaleRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DnsZone -RRType A | where { $_.TimeStamp -and ($_.Timestamp -le (Get-Date).AddDays("-$StaleThreshold")) -and ($_.Hostname -like "*.$DnsZone") } 
        foreach ($StaleRecord in $StaleRecords) { 
            ## Get the IP address of the host to perform a reverse DNS lookup later 
            $RecordIp = $StaleRecord.RecordData.IPV4Address.IPAddressToString 
            ## Perform a reverse DNS lookup to find the actual hostname for that IP address. 
            ## Sometimes when a record has been out of commission for a long time duplicate 
            ## records can be created and the actual hostname for the IP address doesn't match 
            ## the old DNS record hostname anymore. 
            $ActualHostname = Get-DnsHostname $RecordIp 
            if ($ActualHostname) { 
                ## There's a PTR record for the host record.  Ping the hostname to see if it's 
                ## still online.  This is to only pay attention to the computers that may still 
                ## be online but have a problem updating their record. 
                $HostOnline = Test-Ping -Computername $ActualHostname 
            } else { 
                $HostOnline = 'N/A'  
            } 
            [pscustomobject]@{ 
                'Server' = $DnsServer 
                'Zone' = $DnsZone 
                'RecordHostname' = $StaleRecord.Hostname 
                'RecordTimestamp' = $StaleRecord.Timestamp 
                'IsScavengable' = (@{ $true = $false; $false = $true }[$NextScavengeTime -eq 'N/A']) 
                'ToBeScavengedOn' = $NextScavengeTime 
                'ValidHostname' = $ActualHostname 
                'RecordMatchesValidHostname' = $ActualHostname -eq $StaleRecord.Hostname 
                'HostOnline' = (@{ $true = $HostOnline; $false = 'N/A' }[$ActualHostname -eq $StaleRecord.Hostname]) 
            } 
        } 
    } catch { 
        Write-Error $_.Exception.Message 
    } 
}

0
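An added example, not from the thread or from either of the scripts above, that ties the two halves of the answer to the original CSV requirement: it classifies each A record in a zone as static or dynamic (the distinction sAMAccountName raised, since only dynamic records are ever scavenged), checks whether the dynamic ones have aged past NoRefresh + Refresh, cross-checks each host against AD computer objects, and writes the result to CSV. The zone name, DNS server choice and output path are placeholders to adjust for your environment.

```powershell
#Requires -Module ActiveDirectory,DnsServer
# Added example (not the thread's code): report static vs dynamic A records, scavenging
# eligibility, AD computer-object status and reachability, then export to CSV for review.
function Get-StaleDnsRecordReport {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string]$ZoneName,
        [string]$DnsServer = (Get-ADDomain).PDCEmulator,   # placeholder default
        [int]$StaleDays = 90,                              # AD LastLogonDate age treated as stale
        [string]$CsvPath = '.\stale-dns-records.csv'       # placeholder output path
    )
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
    # A dynamic record cannot be scavenged until NoRefresh + Refresh has elapsed since its timestamp
    $scavengeAfter = $aging.NoRefreshInterval + $aging.RefreshInterval
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # One AD query instead of one per record; index computer objects by DNS host name
    $adComputers = @{}
    Get-ADComputer -Filter * -Properties LastLogonDate, DNSHostName |
        ForEach-Object { if ($_.DNSHostName) { $adComputers[$_.DNSHostName.ToLower()] = $_ } }

    $report = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |        # skip the zone apex record
        ForEach-Object {
            $fqdn      = "$($_.HostName).$ZoneName".ToLower()
            $ad        = $adComputers[$fqdn]
            $isDynamic = $null -ne $_.Timestamp        # static records carry no timestamp
            $eligible  = $isDynamic -and (($_.Timestamp + $scavengeAfter) -lt (Get-Date))
            $adStale   = [bool]$ad -and ((-not $ad.LastLogonDate) -or ($ad.LastLogonDate -lt $cutoff))
            $responds  = Test-Connection -ComputerName $fqdn -Count 1 -Quiet -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Record           = $fqdn
                IPAddress        = $_.RecordData.IPv4Address.IPAddressToString
                Type             = if ($isDynamic) { 'Dynamic' } else { 'Static' }
                Timestamp        = $_.Timestamp
                ScavengeEligible = $eligible           # always $false for static records
                InAD             = [bool]$ad
                ADLastLogon      = if ($ad) { $ad.LastLogonDate } else { $null }
                ADStale          = $adStale
                Responds         = [bool]$responds
                # No host answering and no live AD object behind it: needs a human decision
                ReviewCandidate  = (-not $responds) -and ((-not $ad) -or $adStale)
            }
        }
    $report | Export-Csv -Path $CsvPath -NoTypeInformation
    $report
}
```

The report is intentionally read-only; after reviewing the CSV, static entries can be removed individually with Remove-DnsServerResourceRecord (run with -WhatIf first), while eligible dynamic ones are left for scavenging to clean up.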
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41856714
asked and answered
0
