Documenting an AD based DNS infrastructure using powershell

Hi

Following with the work done to document an AD infrastructure using powershell that i explained in this post

https://blogs.technet.microsoft.com/fernandorubio/2018/01/26/how-to-document-your-infrastructure-in-an-xml-file-by-using-parallelexecution-powershell-module/

Today we will talk about how to document an AD DNS based infrastructure. If you have your DNS server running on Domain Controllers, most probably you are using AD integrated zones.  They support multimaster updates, automatically appearing in new domain controllers, supports ACLs... definetely the way to go. So if you just exported all the LDAP partitions the info is just there but the dnsrecord info is stored on a dns-node object under the dns-record attribute on a binary format.

https://msdn.microsoft.com/en-us/library/ms675527(v=vs.85).aspx

This is one of these cases in which it makes sense to use the service specific powershell cmdlets to retrieve and store the dns information for future reference. With the help of Adrian Crespo we created the following script to be invoked once per domain. Sorry for the lack of comments

https://github.com/fernandorubioroman/DocumentAD/blob/master/scripts/documentDNS.ps1

$results=@{}
$recordresults=@{}
$policies=@{}
$OSVersion=((Get-CimInstance win32_operatingsystem).Version).split(".",2)[0]
#if on 2016 we need to collect more info as scopes could be used
if ($osversion -gt 6){
$zones=$null
$zones=Get-DnsServerZone
$server=Get-DnsServer -ErrorAction SilentlyContinue
$results.add("dnszones",$zones)
$results.add("dnsserver",$server)
foreach ($zone in $zones){
$records=$null
$scopes=$null
$scopes=get-dnsserverzonescope -zonename $zone.ZoneName
foreach($scope in $scopes){
$records=Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -zonescope $scope.Zonescope
$recordresults.add(($zone.ZoneName+"_"+$scope.ZoneScope),$records)
}
$records=Get-DnsServerResourceRecord -ZoneName $zone.ZoneName
$recordresults.add($zone.ZoneName,$records)
$zonepolicies=$null
$zonepolicies=Get-DnsServerQueryResolutionPolicy -ZoneName $zone.ZoneName
$policies.add($zone.ZoneName,$zonepolicies)
}
$results.add("dnsrecords",$recordresults)
$results.Add("dnspolicies",$policies)
$conditional = Get-DnsServerForwarder
$results.Add("conditional", $conditional)
$globalpolicies=$null
$globalpolicies=Get-DnsServerQueryResolutionPolicy
$results.Add("dnsglobalpolicies",$globalpolicies)
}
#this is for 2008r2, 2012...
else{
$zones=$null
$zones=Get-DnsServerZone
$server=Get-DnsServer -ErrorAction SilentlyContinue
$results.add("dnszones",$zones)
$results.add("dnsserver",$server)
foreach ($zone in $zones){
$records=$null
$records=Get-DnsServerResourceRecord -ZoneName $zone.ZoneName
$recordresults.add($zone.ZoneName,$records)
}
$results.add("dnsrecords",$recordresults)
$conditional = Get-DnsServerForwarder
$results.Add("conditional", $conditional)

}
return $results

 

Basically we collect a bunch of info, the zones, and records on each one, forwarders...also for 2016 we collect scopes and records on each one as welll as the defined policies. If you haven´t dig into 2016 scopes take a look at this link

/en-us/windows-server/networking/dns/deploy/dns-policies-overview

That is! call it from your parallelexecution engine or locally at a server and you will have a backup of how your dns looks for future reference...

Cheers

Fernando

Comments