Many Windows admins love to use PowerShell because of how it helps in reducing the time needed to perform operations using GUI and also aids in scheduling the repeated tasks. Starting with Windows Server 2012 R2, Microsoft provides an opportunity to manage the complete operation of Microsoft-based DNS Servers using PowerShell.
To manage DNS Servers using PowerShell, you will be required to install DNS Server Tools from the Server Manager.
All you need to do is click on the Server Manager, click Features, expand Remote Server Administration Tools and then check "DNS Server Tools" to begin the installation of DNS Server Tools. As part of the installation, DNS Server Manager (GUI) and PowerShell cmdlets will be installed. This is also shown in the screenshot below.
Once you have installed DNS Server Tools, you can interact with DNS Servers such as getting DNS Server configuration, DNS zone aging settings, domain zones hosted by the DNS Servers, listing domain zones configuration, collecting stale accounts and many more.
To ensure DNS Server PowerShell cmdlets have been installed, open the PowerShell window and then run any DNS Server PowerShell cmdlet. In this tutorial, we will learn how to use a simple PowerShell script to check domain zone aging configuration.
Checking Domain Zone Aging Settings
You are required to enable DNS Aging on every domain zone managed by the DNS Server. If you do not enable DNS Aging on domain zones, the DNS Server will end up holding a huge number of stale DNS records.
As a result, enabling DNS Aging with the correct Refresh and No-Refresh Interval on all domain zones hosted by the DNS Server is recommended. You can use the PowerShell script below to help you get DNS Aging settings on all domain zones managed by the DNS Server.
Before you run the script, please make sure to install DNS Server Tools as explained earlier in this tutorial and add the domain zone names in the "C:\Temp\DomainList.TXT" file.
### Script Starts Here ###
Import-Module DnsServer
$TestCSVFile = "C:\Temp\DNSZoneAgingSettings.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
# Input file with one domain zone name per line. It must exist before the script runs.
$GDomList = "C:\Temp\DomainList.TXT"
# DNS server to query; recorded in the "Connected to PDC" column. Defaults to the local server.
$PDCServerToConnect = $env:COMPUTERNAME
$ThisString="Domain Zone, Connected to PDC, Is Aging Enabled?, Refresh Interval, No Refresh Interval,Final Status"
Add-Content "$TestCSVFile" $ThisString
$TestText = ""
$SumVal = ""
$AnyGap = "No"
$AnyOneOk = "No"
ForEach ($ThisDomain in Get-Content "$GDomList")
{
    # Reset the error list so that each zone is judged on its own query.
    $Error.Clear()
    $AgingSettings = Get-DNSServerZoneAging -Name $ThisDomain -ComputerName $PDCServerToConnect -ErrorAction SilentlyContinue
    IF ($Error.Count -eq 0)
    {
        $AnyOneOk = "Yes"
        $IsAgingEnabled = $AgingSettings.AgingEnabled
        $OkOrNot = "Yes"
        $FinStatus = "Ok"
        IF ($IsAgingEnabled -ne $True)
        {
            # At least one zone has aging disabled.
            $AnyGap = "Yes"
            $OkOrNot = "NO"
        }
        $RefInt = $AgingSettings.RefreshInterval
        $NoRefInt = $AgingSettings.NoRefreshInterval
        IF ($OkOrNot -eq "NO")
        {
            $FinStatus ="DNS Scavenging is not enabled for Domain Zone."
        }
        $FinalSTR = $ThisDomain+","+$PDCServerToConnect+","+$IsAgingEnabled+","+$RefInt+","+$NoRefInt+","+$FinStatus
        Add-Content "$TestCSVFile" $FinalSTR
    }
    ELSE
    {
        # The query failed; record the error against this zone.
        $ErrExp = $Error[0]
        $FinalSTR = $ThisDomain+",Error Occurred: "+'"'+$ErrExp+'"'
        Add-Content "$TestCSVFile" $FinalSTR
    }
}
IF ($AnyGap -eq "Yes")
{
    $TestStatus = "High"
    $TestText = "Domain Zones do not have DNS Aging enabled. It is important to note that if you do not enable Aging for a Domain Zone, the DNS Server may end up holding a huge number of stale DNS records. It is recommended to enable DNS Aging for each Domain Zone."
}
IF ($AnyGap -eq "No")
{
    $TestStatus = "Passed"
    $TestText = "Domain Zones have Aging enabled."
}
IF ($AnyOneOk -eq "No")
{
    # No zone could be queried at all.
    $TestStatus = "Error"
    $ErrExp = $Error
    $TestText = "Error Executing Dynamic Pack."+'"'+$ErrExp+'"'
}
# Show the overall result on the console.
Write-Output "$TestStatus : $TestText"
### Script Ends Here ###
Once you have executed the script, a CSV report by the name "DNSZoneAgingSettings.CSV" will be generated under the C:\Temp folder. The CSV report will include the domain zone name, Aging status, Refresh Interval and the No-Refresh Interval configured for each DNS domain zone as shown in the screenshot below:
As you can see in the report above, the script collected DNS Aging settings for two domain zones: ServerWatch.com and Example.ServerWatch.com. As the report indicates, DNS Aging is enabled on the ServerWatch.com domain zone and both Refresh and No-Refresh intervals are set, but DNS Aging is not enabled on the domain zone "Example.ServerWatch.com."
Once you know the DNS Aging configuration for every domain zone, you can rectify the DNS Aging settings if required. In any case, you may want to run the above script every month or include it in your Active Directory health check procedure to ensure DNS Aging settings are configured as expected.
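One way to rectify the settings the report flags, as an added example that is not part of the original tutorial: it re-reads the zone list from C:\Temp\DomainList.TXT and enables aging on zones where it is off. The 7-day Refresh and No-Refresh intervals and the -Apply switch are assumptions of this example; without -Apply the script only previews each change through -WhatIf.

```powershell
# Added example: enable DNS Aging on zones where it is currently disabled.
# The 7-day intervals are assumed values; substitute your own policy.
param(
    [string]$ZoneListPath = "C:\Temp\DomainList.TXT",
    [TimeSpan]$RefreshInterval = (New-TimeSpan -Days 7),
    [TimeSpan]$NoRefreshInterval = (New-TimeSpan -Days 7),
    [switch]$Apply   # without -Apply nothing is changed, only previewed
)

Import-Module DnsServer -ErrorAction Stop

ForEach ($Zone in Get-Content $ZoneListPath)
{
    $Zone = $Zone.Trim()
    IF ($Zone -eq "") { Continue }   # ignore blank lines in the list

    Try
    {
        $Aging = Get-DnsServerZoneAging -Name $Zone -ErrorAction Stop
    }
    Catch
    {
        # Zone missing or server unreachable: report it and move on.
        Write-Warning "Skipping ${Zone}: $($_.Exception.Message)"
        Continue
    }

    IF ($Aging.AgingEnabled)
    {
        Write-Output "$Zone already has aging enabled."
        Continue
    }

    # -WhatIf:$true prints the intended change without making it.
    Set-DnsServerZoneAging -Name $Zone -Aging $true `
        -RefreshInterval $RefreshInterval `
        -NoRefreshInterval $NoRefreshInterval `
        -WhatIf:(-not $Apply)
}
```

Enabling aging on a zone only makes its records eligible for removal; stale records are deleted once scavenging is also enabled on a DNS server.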
In today's Server Tutorial we explained why and how to install DNS Server Tools to manage Microsoft-based DNS Servers using PowerShell cmdlets. We also provided a PowerShell script you can use to check the DNS Aging settings for all domain zones managed by the DNS Server.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at firstname.lastname@example.org.