Question
Monday, April 23, 2018 2:04 PM
Hi
Does anyone know if there is a simple way to generate a list of all DNS records with their ACLs (permissions)?
I want to check if all records have SecureDNS enabled. My DNS server is on Server 2016 OS.
Kind regards
Florian
All replies (4)
Monday, April 23, 2018 2:54 PM
Hi,
If the zone is AD integrated you can do it by binding to the application partition (DomainDNSZones or ForestDNSZones) and accessing the object property ObjectSecurity.
Below is a sample script of what I used (using ADSI):
# $DomainFQDN must hold the domain's DNS name, and $entry the DNS record object
# (for example from Get-DnsServerResourceRecord) whose ACL you want to read.
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $DomainFQDN)
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
$rootDSE = ([ADSI]"LDAP://$($Domain.Name)/RootDSE")
# Locate the DomainDnsZones application partition among the naming contexts
foreach($NC in $rootDSE.namingContexts)
{
    if($NC -like "*DomainDNSZones*")
    {
        $DomainDNSZones = ([ADSI]"LDAP://$NC")
    }
}
# Find the dnsNode object for this record and read its security descriptor
$strLDAPFilter = "(&(objectClass=dnsNode)(distinguishedName=$($entry.DistinguishedName)))"
$directorySearcher = New-Object DirectoryServices.DirectorySearcher($DomainDNSZones, $strLDAPFilter)
$dnsNode = $directorySearcher.FindAll()
# Bind to the node and list its ACEs (two statements, on separate lines)
$dnsNodeSecurity = [ADSI]$dnsNode.Path
$dnsNodeSecurity.ObjectSecurity.Access
If you just want to check whether the zone is configured to allow only secure dynamic updates, Get-DNSServerZone can help you.
Best Regards,
Thursday, January 23, 2020 10:38 AM
Any ideas why your syntax does not work for me?
At line:14 char:39
+ $dnsNodeSecurity = [ADSI]$dnsNode.Path$dnsNodeSecurity.ObjectSecurity
+                                       ~~~~~~~~~~~~~~~~
Unexpected token '$dnsNodeSecurity' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
Wednesday, February 5, 2020 6:13 PM
Line 14 should be two separate lines:
$dnsNodeSecurity = [ADSI]$dnsNode.Path
$dnsNodeSecurity.ObjectSecurity.Access
Also, $entry needs to be defined as a DNS object.
Example:
$entry = Get-DNSServerResourceRecord -Name <recordName> -Server <dnsServer> -RRType <A,CNAME,etc> -Zone <DnsZone>
To pull ALL of them, like the original question asked, you'd get the zones and then the names and pass them to Dokoh's sample script.
Here's one obscenely dirty way:
# $DomainFQDN must be set to the domain's DNS name before running this.
# Enumerate every non-auto-created zone, then every record in each zone.
(Get-DnsServerZone | ?{$_.IsAutoCreated -eq $false}).ZoneName | %{Get-DnsServerResourceRecord -ZoneName $_} | %{
    $entry = $_
    #what follows is Dokoh's work
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $DomainFQDN)
    $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
    $rootDSE = ([ADSI]"LDAP://$($Domain.Name)/RootDSE")
    foreach($NC in $rootDSE.namingContexts)
    {
        if($NC -like "*DomainDNSZones*")
        {
            $DomainDNSZones = ([ADSI]"LDAP://$NC")
        }
    }
    # Look up the dnsNode for this record and emit its ACEs
    $strLDAPFilter = "(&(objectClass=dnsNode)(distinguishedName=$($entry.DistinguishedName)))"
    $directorySearcher = New-Object DirectoryServices.DirectorySearcher($DomainDNSZones, $strLDAPFilter)
    $dnsNode = $directorySearcher.FindAll()
    $dnsNodeSecurity = [ADSI]$dnsNode.Path
    $dnsNodeSecurity.ObjectSecurity.Access
    # End of Dokoh's work
}
Still takes a lot of things for granted, i.e., this as-is would need to be run on the DNS server itself, and it omits zones that aren't auto-generated, because we USUALLY don't care as much about those.
Friday, February 7, 2020 12:27 PM
That code still didn't work!?
I eventually found this, and this worked for me...
$DomainName = 'atmsol.co.za'
$AdIntegrationType = 'Domain'
$DomainDn = (Get-AdDomain).DistinguishedName
Get-ChildItem "AD:DC=$DomainName,CN=MicrosoftDNS,DC=$AdIntegrationType`DnsZones,$DomainDn" | foreach {
    Get-Acl -Path "ActiveDirectory:://RootDSE/$($_.DistinguishedName)"
} | Export-Csv C:\Users\HeathD\Documents\DNS_ATMSOL_Ownership.csv
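As an added example (not code from any reply in this thread), the following script does what the original question asks end to end: it walks every dnsNode under the DomainDnsZones partition through the ActiveDirectory module's AD: drive, pairs each zone with its DynamicUpdate setting from Get-DnsServerZone, and flags Allow ACEs that grant write-class rights to broad principals such as Authenticated Users, which is the condition a secure-update zone should not show on individual records. It assumes the RSAT ActiveDirectory and DnsServer modules are installed and that Get-DnsServerZone is run on, or can reach, the DNS server.

```powershell
# Added example: report per-record ACLs for AD-integrated zones in DomainDnsZones
# and flag write-class rights held by broad principals.
Import-Module ActiveDirectory
Import-Module DnsServer

$domainDn = (Get-ADDomain).DistinguishedName
$dnsRoot  = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

# Principals that should not be able to modify records in a secure-update zone.
$broadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
# Any of these rights lets the holder change the record or its security descriptor.
$writeRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl     -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner    -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

$report = foreach ($zone in Get-ADObject -SearchBase $dnsRoot -SearchScope OneLevel -Filter 'objectClass -eq "dnsZone"') {
    # DynamicUpdate comes from the DnsServer module; 'Secure' is the expected value.
    # Built-in entries such as RootDNSServers have no server-side zone, hence SilentlyContinue.
    $zoneInfo = Get-DnsServerZone -Name $zone.Name -ErrorAction SilentlyContinue
    foreach ($node in Get-ADObject -SearchBase $zone.DistinguishedName -SearchScope OneLevel -Filter 'objectClass -eq "dnsNode"') {
        $acl = Get-Acl -Path "AD:\$($node.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
            $identity = $ace.IdentityReference.Value
            [pscustomobject]@{
                Zone          = $zone.Name
                DynamicUpdate = $zoneInfo.DynamicUpdate
                Record        = $node.Name
                Owner         = $acl.Owner
                Identity      = $identity
                Rights        = $ace.ActiveDirectoryRights
                BroadWrite    = ($broadPrincipals -contains $identity)
            }
        }
    }
}

# Records writable by broad principals are the ones worth reviewing first.
$report | Where-Object BroadWrite | Format-Table Zone, Record, Identity, Rights -AutoSize
# Full inventory (every write-class ACE on every record) for offline review.
$report | Export-Csv -Path .\dns-record-acls.csv -NoTypeInformation
```

Rights inherited from the zone object appear on every record, so a broad principal flagged on all records of a zone usually points at the zone's own ACL rather than at individual records.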