Question
Saturday, May 28, 2016 12:04 PM
DNS: how can we find who created a DNS record, and when?
I know that at the AD level some auditing needs to be turned on; say it is turned on, so how can we find this info?
Thanks
All replies (14)
Saturday, May 28, 2016 12:51 PM ✅Answered
Here is an easy way to get just the owner:
Get-WmiObject -ns root\microsoftdns MicrosoftDNS_AType | select RecordData,ownername,TextRepresentation
\(ツ)_/
Monday, May 30, 2016 12:17 AM ✅Answered | 1 vote
OK, my response will be the same: I am looking for something I can run remotely. I do not have access to the WS2008R2 box (where AD-integrated DNS is running) but have only a limited DNS admin role.
I felt, looking at the script, that it would act as a function, but I was wrong perhaps.
I wonder why MS does not want to compete with BT Diamond or other IPAM tools.
Then you are out of luck. You must be given remote query access on WMI root/MicrosoftDNS namespace. Without this there is no way you can access the DNS server.
If you have been given access with the remote management tools for DNS then you may be able to use the PowerShell DNS classes.
If you are a DNS admin then you can RDS to the DNS server and run WMI to export the info from an RDS session.
Microsoft actually does better and is easier to use than other tools. You just need to be given permission to access DNS remotely via WMI.
One line of code is all it takes to get your info.
\(ツ)_/
Monday, May 30, 2016 6:52 AM ✅Answered
You can run this on the DNS server if you are a DNS Admin.
Get-WmiObject -ns root\microsoftdns MicrosoftDNS_AType
If you are given permissions on remote WMI then you can run this remotely:
Get-WmiObject -ns root\microsoftdns MicrosoftDNS_AType -Computer DNS-Server
\(ツ)_/
Saturday, May 28, 2016 12:11 PM
I believe this could be done with:
As for finding out who added the records, we may check whether the owner of the records gives us some clues. To check the owner of a record: right-click the record > Properties > Security > Advanced > Owner.
If yes, then how can this be exported to CSV with PowerCLI?
Saturday, May 28, 2016 12:45 PM
Here is a script: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-DNS-8c2fe077
\(ツ)_/
Saturday, May 28, 2016 11:42 PM
Get-WmiObject : Invalid namespace "root\microsoftdns"
At line:1 char:1
+ Get-WmiObject -ns root\microsoftdns MicrosoftDNS_AType | select RecordData,owner ...
+ CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Any idea on this?
Saturday, May 28, 2016 11:46 PM
No sample output, no variables in this script.
Also the summary is not clear about what the script does:
I've been neck deep in a problem with Microsoft's dynamic DNS on a DNS server for a while now. In this process, it was discovered that servers were not updating the timestamp on their DNS A record because they did not have permission. In order to find all the problem records I needed a way to find which records did not have "Modify" rights to their respective server. The result is this script.
So I am not comfortable running it in a prod env.
Saturday, May 28, 2016 11:52 PM
Get-WmiObject : Invalid namespace "root\microsoftdns"
At line:1 char:1
+ Get-WmiObject -ns root\microsoftdns MicrosoftDNS_AType | select RecordData,owner ...
+ CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Any idea on this?
The DNS namespace only exists on a WS2008R2 server or later with DNS installed.
\(ツ)_/
Saturday, May 28, 2016 11:55 PM
No sample output, no variables in this script.
Also the summary is not clear about what the script does:
I've been neck deep in a problem with Microsoft's dynamic DNS on a DNS server for a while now. In this process, it was discovered that servers were not updating the timestamp on their DNS A record because they did not have permission. In order to find all the problem records I needed a way to find which records did not have "Modify" rights to their respective server. The result is this script.
So I am not comfortable running it in a prod env.
Microsoft does not have DDNS. MS DNS is only available with WMI or cmdlets on a domain-integrated DNS server. Outside of AD there is no ownership of a record and no security.
Be sure you are on a DNS integrated DNS server when you run the commands and that DNS PowerShell support is installed. Also be sure that you are accessing a DNS server of the required type when using WMI.
\(ツ)_/
Sunday, May 29, 2016 11:51 PM
Thanks. I am looking for something I can run remotely; I do not have access to the WS2008R2 box (where AD-integrated DNS is running) but have only a limited DNS admin role.
Sunday, May 29, 2016 11:54 PM
OK, my response will be the same: I am looking for something I can run remotely. I do not have access to the WS2008R2 box (where AD-integrated DNS is running) but have only a limited DNS admin role.
I felt, looking at the script, that it would act as a function, but I was wrong perhaps.
I wonder why MS does not want to compete with BT Diamond or other IPAM tools.
Monday, May 30, 2016 6:08 AM
Thanks
Actually it's AD which runs the DNS.
So the Windows team has given us partial access, i.e. DNS add/remove only.
We have not been given AD Windows server access. That's the way it is.
Your 2 statements are contradicting unless I am confused.
1. "If you are a DNS admin then you can RDS to the DNS server and run WMI to export the info from an RDS session."
2. "You just need to be given permission to access DNS remotely via WMI."
Thanks
Monday, May 30, 2016 7:34 AM
Hi EsxiCali,
I've butchered one of my existing scripts, which is based around setting AD object ownership, so it's not particularly robust; however, it gets you away from needing any special rights (as everyone has read access to the DNS zone partitions).
It is written on the assumption that your DNS zones are set up as partitions, which may not be the case if you're running quite an old domain, as partitions didn't kick in until Server 2003 and require manual intervention to make them partitions. If this is the case the script can still be used; the SearchBase would simply need to be changed.
If you copy and paste the code into a blank text file and then save it as something like Get-DnsRecordAcl.ps1, that should at least give you a starting point. You can add/remove your own attributes as you see fit.
Param (
    [parameter(Position=0,Mandatory=$true,ValueFromPipeline=$true)][string]$Identity
)
# Needs only the ActiveDirectory module and read access to the DomainDnsZones partition.
Import-Module ActiveDirectory
$Identity += "*";
$dnsResults = @();
$oRootDSE = Get-ADRootDSE;
# DNS records are dnsNode objects under CN=MicrosoftDNS in the DomainDnsZones partition;
# filtering on ObjectClass keeps the zone containers themselves out of the results.
$oADObject = Get-ADObject -Server ($oRootDSE.dnsHostName) -Filter { (ObjectClass -eq "dnsNode") -and (Name -like $Identity) } -SearchBase ("CN=MicrosoftDNS,DC=DomainDnsZones," + $oRootDSE.defaultNamingContext) -Properties whenCreated,whenChanged;
foreach ($dnsRecord in $oADObject) {
    # The AD provider exposes the object's security descriptor; Owner is normally the principal
    # that created the record, unless the owner has since been changed.
    $oAceObj = Get-Acl -Path ("ActiveDirectory:://RootDSE/" + $dnsRecord.distinguishedName);
    $dnsResults += New-Object -TypeName System.Object |
        Add-Member -MemberType NoteProperty -Name "Identity" -Value (($oAceObj.Path.ToString()) -replace ".*dse/", "") -PassThru |
        Add-Member -MemberType NoteProperty -Name "Owner" -Value ($oAceObj.Owner) -PassThru |
        Add-Member -MemberType NoteProperty -Name "Created" -Value ($dnsRecord.whenCreated) -PassThru |
        Add-Member -MemberType NoteProperty -Name "Modified" -Value ($dnsRecord.whenChanged) -PassThru;
}
$dnsResults;
Cheers,
Lain
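As an added example (not written by any poster in this thread), the auditing side of the original question: Lain's script reports the current owner and creation time of the dnsNode object, while event 5137 ("A directory service object was created") in the domain controllers' Security log records which principal actually created it and when, even if ownership was later changed. It assumes the "Audit Directory Service Changes" subcategory is enabled on the DCs and that the zone container (CN=MicrosoftDNS,DC=DomainDnsZones,...) carries a SACL auditing child-object creation; the function and parameter names are my own.

```powershell
function Get-DnsRecordCreationEvent {
    [CmdletBinding()]
    param (
        # Events are logged only on the DC that processed the create, so query every writable DC.
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        # Optional record-name filter, matched against the leading DC= part of the object DN.
        [string]$RecordName = '*',
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )
    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'Security'; Id = 5137; StartTime = $StartTime }
        # SilentlyContinue: a DC with no matching events would otherwise abort the whole run.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Read the named EventData fields from the event XML instead of parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # 5137 fires for every created AD object; only dnsNode objects are DNS records.
            if ($data['ObjectClass'] -ne 'dnsNode') { return }
            # ObjectDN looks like DC=web01,DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com
            $rdns = $data['ObjectDN'] -split ','
            $name = $rdns[0] -replace '^DC=', ''
            if ($name -notlike $RecordName) { return }
            [pscustomobject]@{
                Created   = $_.TimeCreated
                Record    = $name
                Zone      = ($rdns[1] -replace '^DC=', '')
                CreatedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectDN  = $data['ObjectDN']
                LoggedOn  = $dc
            }
        }
    }
}

# Usage (hypothetical DC names): records created in the last 30 days, exported to CSV as asked earlier in the thread.
# Get-DnsRecordCreationEvent -DomainController dc01, dc02 -StartTime (Get-Date).AddDays(-30) |
#     Export-Csv -Path .\dns-record-creations.csv -NoTypeInformation
```

Reading the Security log remotely requires membership in Event Log Readers (or equivalent) on the DCs, which is a separate grant from the DNS admin role discussed above.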
Saturday, June 4, 2016 11:17 PM
Got it now.
Thanks!
I cannot validate it, as I do not have access it seems, but it makes sense now.
Get-WmiObject : Access denied
At line:1 char:1
+ Get-WmiObject -ns root\microsoftdns MicrosoftDNS_AType -Computer XXXX | se ...
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand