Which DNS records would be scavenged - AD

In connection with a previous post on listing DNS scavenging settings, I thought I'd post those couple of lines of codes which gave me confidence before turning on or modifying scavenging settings - before I turn on any automation which only exists to delete stuff from production environment I always have a second thought when I put my head on the pillow, "did I really set the right values or will the phone ring in 2 hours waking me up and telling me there's a DNS outage?"

To make it a bit more scientific than "close your eyes and click OK", here is a couple of lines of PS which can help you identify all records from a DNS zone which would be deleted based on your thresholds.

• Set parameters, DNS server name, the DNS zone and the age threshold which specifies how many days older records should be deleted. Scavenging has a 7 + 7 days "No-refresh" + "Refresh" interval, so records older than 14 days will potentially be deleted when scavenging process runs:
  #set parameters
  $server = "c3podc1"
  $domain = "tatooine.com"
  $agetreshold = 14
• Threshold in hours from Microsoft's beginning of time definition (1st Jan 1601):
  # calculate how many hours is the age which will be the threshold
  $minimumTimeStamp = [int] (New-TimeSpan -Start $(Get-Date ("01/01/1601 00:00")) -End $((Get-Date).AddDays(-$agetreshold))).TotalHours
  
• Enumerate all records older than the time threshold
  # get all records from the zone whose age is more than our threshold $records = Get-WmiObject -ComputerName $dnsServer -Namespace "root\MicrosoftDNS" -Query "select * from MicrosoftDNS_AType where Containername='$domain' AND TimeStamp<$minimumTimeStamp AND TimeStamp<>0 "
  
• List the records and the time stamps
  # list the name and the calculated last update time stamp
  $records | Select Ownername, @{n="timestamp";e={([datetime]"1.1.1601").AddHours($_.Timestamp)}}

The output should look like this:

The full script:

 #set parameters  
 $dnsServer = "c3podc1"  
 $domain = "tatooine.com"  
 $agetreshold = 14  
   
 # calculate how many hours is the age which will be the threshold  
 $minimumTimeStamp = [int] (New-TimeSpan -Start $(Get-Date ("01/01/1601 00:00")) -End $((Get-Date).AddDays(-$agetreshold))).TotalHours  
   
 # get all records from the zone whose age is more than our threshold   
 $records = Get-WmiObject -ComputerName $dnsServer -Namespace "root\MicrosoftDNS" -Query "select * from MicrosoftDNS_AType where Containername='$domain' AND TimeStamp<$minimumTimeStamp AND TimeStamp<>0 "  
   
 # list the name and the calculated last update time stamp  
 $records | Select Ownername, @{n="timestamp";e={([datetime]"1.1.1601").AddHours($_.Timestamp)}}  
   

t

List DNS scavenging settings on multiple servers remotely - AD

DDNS (Dynamic DNS where clients register their own DNS records) was a very good idea when it was published in RFC2136 and had been missing like a slice of bread, but it inevitably left some questions on the table. For example, if I let 100 000 hosts register their own records, who will tell them to clean-up their stuff if they don't need it anymore? On the other hand, if I don't use DDNS and I have only one DHCP server registering addresses, I can just regulate that one guy and tell it off if it doesn't cleanup its rubbish.

The answer is DNS scavenging which would be the butter on that slice of bread just to make it taste better and proper. But we want to make sure that the butter we put on the bread is not rotten. Otherwise we would need to throw the bread to the bin with the butter... ok, enough of this nonsense.

DNS scavenging essentially deletes stale / old records from the given DNS Zone. What we want to make sure that the scavenging process is properly configured otherwise we could end up losing very valuable DNS records and cause outages - believe me, you don't want an outage caused by something as fundamental as DNS.

There are a couple of rules we need to keep in mind:

• The scavenging intervals have to be thought through - I'd go with the default settings 7+7 days
• There should be only 1 DNS server scavenging the zone regularly even if we have lots of e.g. Domain Controllers hosting the zone.
• The zone should be restricted and only that one server should be allowed to scavenge the zone. You can read more about scavenging e.g. here and here 

Question: if I have 100 domain controllers hosting an AD integrated zone how can I check if there's only one set to scavenge the zone. To get these settings from one server, you can use dnscmd /info. To do it on multiple servers you can do some dnscmd output parsing in powershell, e.g.:

Create an object where you will store the name of the DNS host, the scavenging interval set on that server and the default aging state on that server:
$sObject = "" | select hostname,ScavengingInterval,LastScav,DefaultAgingState

Take the output of dnscmd /info and go through each line:
dnscmd $srv /info | %{

If it's the line where scavenging info is stored, do some regex matching to take out the bits you need:
if($_ -imatch "last scav"){
$value = ([regex]::Match($_, "= .+$")).value -replace "= ",""

Add it to your output object:
$sObject.LastScav = $value

It will show you an output like this:

Note the date and result of the last scavenging run

The full script:

 # get the list of Windows DNS servers from the pipe  
 $hostlist = @($Input)  
   
 $hostlistlength = ($hostlist | measure).count  
   
 # go through each host  
 foreach($srv in $hostlist){  
    $sObject = "" | select hostname,ScavengingInterval,LastScav,DefaultAgingState  
   
    # run dnscmd to get the detailed info of each DNS server  
    dnscmd $srv /info | %{  
       $value = $null  
   
       # pick out the data from dnscmd output with regex matches  
       if($_ -imatch "last scav"){  
          $value = ([regex]::Match($_, "= .+$")).value -replace "= ",""  
          $sObject.LastScav = $value  
          $value = $null  
       }  
       elseif($_ -imatch "ScavengingInterval"){  
          $value = ([regex]::Match($_, "= .+$")).value -replace "= ",""  
          $sObject.ScavengingInterval = $value  
          $value = $null  
       }  
       elseif($_ -imatch "DefaultAgingState"){  
          $value = ([regex]::Match($_, "= .+$")).value -replace "= ",""  
          $sObject.ScavengingInterval = $value  
          $value = $null  
       }  
    }  
    $sObject  
 }  
   

Find PDC in a domain (not just current domain) - AD

Here's a question for a nice outage on a quiet spring evening, you've got issues with a PDC, you want to make sure you check out all the PDCs in all your Active Directory domains, how can you find the PDCs quickly in each domain without running nltest query fsmo against all domains one by one?

Side note: The Active Directory Domain Controller which holds the PDC (Primary Domain Controller) role in a Domain is not uber-critical to be up and running in every minute, but if it's up and not performing well...well that's a different issue. If the PDC is down, that only means the password change sync is slow, so users may get weird behavior when changing password and using that against another domain controller in a short period of time. The other roles like primary time source, GPO and DFS master server in case of replication conflicts...etc. are not massively important.
The biggest issue is when it's sporadically responding or sometimes doesn't, that makes the behavior of applications contacting the PDC unpredictable and hard to troubleshoot.

First step, let's list our PDCs in all domains. If you have several forests and domains it's not that easy as it sounds first. There are several ways and if you have Windows 2012 R2 with AD tools installed, it's fairly easy:

PS C:\> Import-Module ActiveDirectory
PS C:\> (Get-ADForest -identity tatooine.com).domains | %{(Get-ADDomain -server $_).PDCEmulator

But if you want to make sure you have a script which gets the PDC of a specified domain without dependency on the ActiveDirectory PowerShell Module, here are two native ways to do it


With a normal LDAP search:
PS C:\> $domainDN = "dc=tatooine,dc=com"
PS C:\> $searchRoot = new-object System.DirectoryServices.DirectoryEntry(LDAP://$domainDN)
PS C:\> $searcherObj = new-object Systen.DirectoryServices.DirectorySearcher
PS C:\> $searcherObj.Filter = ("(objClass=top)")
PS C:\> $tmpstr = $searcherObj.SearchRoot.Properties.Item("fsmoroleowner").Value
PS C:\> $pdc = $tmpstr.split(",")[1].split("=")[1]


Via .net Directory context:
PS C:\> $domainFQDN = "tatooine.com"
PS C:\> $context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$domainFQDN)
PS C:\> $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
PS C:\> $domain.pdcRoleOwner


Advanced stuff, list all PDCs of all domains in 1 forest:
PS C:\> $ForestRootDomainFQDN = "tatooine.com"
PS C:\> $context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest",$ForestRootDomainFQDN)
PS C:\> $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($context)
PS C:\> $forest.Domains | %{$_.pdcRoleOwner.name}

You've got the names of the PDCs, so you can go and fix them ;)

t

Verify forward and reverse DNS records - OS

DNS is a fairly simple and usually reliable service - when it works. People don't really think about it unless there are weird issues with an application and they spent 2 days troubleshooting it and just because they want to make sure they looked at everything, they check DNS and it turns out that those weird issues are in fact caused by e.g. missing reverse records.

These issues manifest in applications behaving strangely often providing uselessly generic errors messages or even worse, some misleading ones. After a very tedious issue over a weekend which required repeated checkouts across a globally distributed AD integrated DNS zone, I thought I wouldn't do this manually all the time with excel magic but via a script.

Steps needed to be made:

• Take a list of server names (ideally FQDNs)
• Perform a forward lookup to get the IP address(es) of each server
• Take those IPs and perform a reverse lookup on them
• Mark each host and IP with error if either the forward or reverse lookups fail or the reverse lookup provides a different hostname than the server name provided

Forward lookup (filtering on IPv4 only):
[array]$IPAddresses = [System.Net.Dns]::GetHostAddresses($obj.ComputerName) | ?{$_.AddressFamily -eq "InterNetwork"} | %{$_.IPAddressToString}

Reverse lookup:
$tmpreverse = [System.Net.Dns]::GetHostByAddress($_).HostName

Output:

The full script (simplified version):

 $hostlist = @($input)  
   
 # running through the list of hosts  
 $hostlist | %{  
      $obj = "" | Select ComputerName,Ping,IPNumber,ForwardLookup,ReverseLookup,Result  
      $obj.ComputerName = $_  
   
      # ping each host  
      if(Test-Connection $_ -quiet){  
           $obj.Ping = "OK"  
     $obj.Result = "OK"  
      }  
      else{  
           $obj.Ping = "Error"  
     $obj.Result = "Error"  
      }  
        
      # lookup IP addresses of the given host  
      [array]$IPAddresses = [System.Net.Dns]::GetHostAddresses($obj.ComputerName) | ?{$_.AddressFamily -eq "InterNetwork"} | %{$_.IPAddressToString}  
   
      # caputer count of IPs  
      $obj.IPNumber = ($IPAddresses | measure).count  
        
      # if there were IPs returned from DNS, go through each IP  
   if($IPAddresses){  
     $obj.ForwardLookup = "OK"  
   
        $IPAddresses | %{  
             $tmpreverse = $null  
                  
                # perform reverse lookup on the given IP  
             $tmpreverse = [System.Net.Dns]::GetHostByAddress($_).HostName  
             if($tmpreverse){  
                  
                     # if the returned host name is the same as the name being processed from the input, the result is OK  
                  if($tmpreverse -ieq $obj.ComputerName){  
                       $obj.ReverseLookup += "$_ : OK `n"  
                  }  
                  else{  
                       $obj.ReverseLookup += "$_ different hostname: $tmpreverse `n"  
                       $obj.Result = "Error"  
                  }  
             }  
             else{  
                  $obj.ReverseLookup = "No host found"  
                  $obj.Result = "Error"  
             }  
     }  
      }  
      else{  
           $obj.ForwardLookup = "No IP found"  
           $obj.Result = "Error"  
      }  
        
      # return the output object  
      $obj  
 }  

t

Move page file remotely - OS

With many servers in the environment, there are inevitably a bunch of them which are old, they have small disk capacity but they are needed "just for another couple of months" until the new system is up... and a couple of years later you are still the chosen one to keep them alive.

There are many challenges with these old boxes, so let me pick one: there's not enough disk space on drive C: and there's not much more to delete anymore. Last resort: move the pagefile to another drive (if there's one in the box). Let's script it to be able to make this change on many servers remotely.

Need to check a couple of things:

• the original page file's details
• target drive exists
• it has sufficient space to accommodate the page file (based on MaximumSize)
• target drive is local and is not hosted on SAN

Create the output object and get data of the current page file:
$obj = "" | Select ComputerName,OldPageFile,OldInitSize,OldMaxSize,Result
$obj.ComputerName = $srv
$pagefiledata = gwmi -ComputerName $srv -Class Win32_PageFileSetting

Get details of the volume where we want to move the page file (check whether it exists, whether there's enough space on it - here the limit is the size of the current page file twice)
$targetvolume = gwmi -ComputerName $srv -Class Win32_LogicalDisk -Filter "name='$movetodrive'"

Create new page file:
$result = Set-WmiInstance -ComputerName $srv -Class Win32_PageFileSetting -Arguments @{name="$targetfilename";InitialSize=$obj.OldInitSize;MaximumSize=$obj.OldMaxSize;}

Sometimes - especially on Windows Server 2003 - the Set-WmiInstance can't create the page file if the InitialSize and MaximumSize are set in the same command, for that the workaround is to create the page file as system managed (without additional parameters) and set the size afterwards.
$result = Set-WmiInstance -ComputerName $srv -Class Win32_PageFileSetting -Arguments @{name="$targetfilename"}

if($result.name -eq $targetfilename){
  $newPGFile = gwmi -ComputerName $srv -Query "Select * from Win32_PageFileSetting where name '$($targetfilename.replace("\","\\"))'"
  $newPGFile.InitialSize = $obj.OldInitSize
  $newPGFile.MaximumSize = $obj.OldMaxtSize
  $FinalResult = $newPGFile.Put()
}

If we do this, the script should check all the parameters we set and the existence of the new page file as part of error handling:
$checkoutPGFile = gwmi -ComputerName $srv -Query "Select * from Win32_PageFileSetting where name '$($targetfilename.replace("\","\\"))'"
if(!($checkoutPGFile -and ($checkoutPGFile.Maximumsize -eq $obj.OldMaxSize) -and ($checkoutPGFile.Maximumsize -eq $obj.OldMaxSize))){...

If all is good with the new page file, we can get rid of the old one, of course this will require a reboot but I decided to leave it to the scheduled reboots of the servers.
$oldPageFileObject = gwmi -ComputerName $srv -Query "Select * from Win32_PageFileSetting where name = '$searchString'"
$oldPageFileObject.Delete()

The full script which can take a list of hosts from the pipe, does all the checks looks like this (obviously I stripped out all the logging and fancy stuff so the essence of it is easier to see):

   
 $hostlist = @($input)  
   
 $objColl = @()  
 $movetodrive = "D:"  
 $targetfilename = $movetodrive + "\pagefile.sys"  
   
 foreach($srv in $hostlist){  
    $obj = "" | Select ComputerName,OldPageFile,OldInitSize,OldMaxSize,Result  
    $obj.ComputerName = $srv  
   
    $pagefiledata = gwmi -ComputerName $srv -Class Win32_PageFileSetting  
      
    if($pagefiledata){  
       $obj.OldPageFile = $pagefiledata.name  
       $obj.OldInitSize = $pagefiledata.Initialsize  
       $obj.OldMaxSize = $pagefiledata.Maximumsize  
         
       $targetvolume = gwmi -ComputerName $srv -Class Win32_LogicalDisk -Filter "name='$movetodrive'"  
         
       if(!$targetvolume){  
          $obj.Result = "$movetodrive does not exist"  
          $objColl += $obj  
          Continue  
       }  
         
       if(($targetvolume.Freespace / 1MB) -lt ($obj.OldMaxSize * 2)){  
          $obj.Result = "Not enough space on $movetodrive"  
          $objColl += $obj  
          Continue  
       }  
         
       $result = Set-WmiInstance -ComputerName $srv -Class Win32_PageFileSetting -Arguments @{name="$targetfilename";InitialSize=$obj.OldInitSize;MaximumSize=$obj.OldMaxSize;}  
         
       # this is needed in case the WMI instance can't be created with all parameters in one go  
       if(!($result.name -eq $targetfilename)){  
          $result = Set-WmiInstance -ComputerName $srv -Class Win32_PageFileSetting -Arguments @{name="$targetfilename"}  
         
          if($result.name -eq $targetfilename){  
             $newPGFile = gwmi -ComputerName $srv -Query "Select * from Win32_PageFileSetting where name '$($targetfilename.replace("\","\\"))'"  
             $newPGFile.InitialSize = $obj.OldInitSize  
             $newPGFile.MaximumSize = $obj.OldMaxtSize  
             $FinalResult = $newPGFile.Put()  
          }  
            
          $checkoutPGFile = gwmi -ComputerName $srv -Query "Select * from Win32_PageFileSetting where name '$($targetfilename.replace("\","\\"))'"  
          if(!($checkoutPGFile -and ($checkoutPGFile.Maximumsize -eq $obj.OldMaxSize) -and ($checkoutPGFile.Maximumsize -eq $obj.OldMaxSize))){  
             $obj.Result = "Could not create new page file"  
             $objColl += $obj  
             Continue     
          }  
       }  
         
       if($result.name -eq $targetfilename){  
          $searchString = $obj.OldPageFile.replace("\","\\")  
          $oldPageFileObject = gwmi -ComputerName $srv -Query "Select * from Win32_PageFileSetting where name = '$searchString'"  
          $oldPageFileObject.Delete()  
       }  
         
       if((gwmi -ComputerName $srv -Class Win32_PageFileSetting).name -eq $targetfilename){  
          $obj.Result = "SUCCESS - please reboot the host"  
       }  
       else{  
          $obj.Result = "Could not move page file"  
       }  
    }  
      
    $objColl += $obj  
 }  
   
 $objColl  
   

t

Determine if a drive is SAN drive - OS

If you have servers connected to SAN you would think that you don't really have to worry about the physical representation of your volumes, in other words, you don't need to know how many physical drives (spindles) are behind your e.g. D: drive.
Life is not simple. There are times when you need to know if a volume is on a local hard disk or is on a SAN LUN. An example would be when you need to move the pagefile out of drive C:, you might not want to put that on the SAN disk (there can be several reasons, one is that the volume may be in a dynamic or clustered disk group and can fail over to another node or just simply because SAN disk space is expensive therefore using it for paging is not the best use of you dollars.)

Now we have a case: we have a drive letter and we want to decide if the volume is on a SAN disk or not. Of course we want to do this remotely and on 100+ servers.
The philosophical problem with this is that engineers spent so much effort in the last decades on creating storage systems and disk manager sub-systems to hide the complex details of a storage - including multipath fiber channels, SAN switches, disk arrays...etc.) from the OS and to make sure that the OS can see a volume and does not need to worry about how it's presented and what's behind it. So any API that could be used to track down SAN drives remotely are vendor specific (it's different for EMulex, Qlogic or whatever HBA driver). I need something universal.

I was poking around the WMI classes and noticed that bits of information are in several classes, so started connecting the dots - nothing scientific, just trial and error as usual. If you look long enough you can connect the drive letter to a PNPDeviceID which can tell you if the physical drive is local or SAN, here is an example:

• Win32_LogicalDiskToPartition: D: -> Disk #0, Partition#0
• Win32_DiskDriveToPartition: Disk #0, Partition#0 -> PHYSICALDRIVE2
• Win32_DiskDrive: PHYSICALDRIVE2 -> MPIO\DISK&....
  If the PNPDeviceID starts with MPIO (which stands for MultiPath I/O) then it's a drive hosted on SAN Array which the host can see on multiple fiber channels.

Just need a bit of regex matching to walk through this in Powershell:

1. Get the disk number where the volume is hosted (and the partition number as well):
   $DriveletterToDiskNumberQuery = gwmi -ComputerName $srv -Class Win32_LogicalDiskToPartition | ?{$_.Dependent -imatch "Win32_LogicalDisk\.DeviceID=`"$driveletter\:`""} | select -First 1 | %{$_.Antecedent}
2. Need to parse the exact Disk # from the long text which is in the WMI instance:
   $DriveletterToDiskNumber = ([regex]::Match($DriveletterToDiskNumberQuery, "Disk #\d+, Partition #\d+")).Value
3. Take the disk number and lookup the DeviceID:
   $DiskNumberToDevideIDQuery = gwmi -ComputerName $srv -Class Win32_DiskDriveToDiskPartition | ?{$_.Dependent -imatch $DriveletterToDiskNumber} | select -First 1 | %{$_.Antecedent}
4. Parse the DeviceID from the long text:
   $DiskNumberToDevideID = ([regex]::Match($DiskNumberToDevideIDQuery, "PHYSICALDRIVE\d+")).Value
5. Get the PNPDeviceID of the given device to see if it's MPIO or not:
   gwmi -ComputerName $srv -Class Win32_DiskDrive | ?{$_.DeviceID -imatch $DiskNumberToDevideID} | Select -First 1 | %{$_.PNPDeviceID}

A simple script which takes the list of hosts from the pipe and outputs and object with the hostname, the PNPDeviceID and the Drive Type would look like this (without handling errors e.g. when there's no drive D or the host is not accessible...etc.):

 $hostlist = @($input)  
 $driveletter = "D"  
   
 foreach($srv in $hostlist){  
    $obj = "" | Select ComputerName,DriveType,PNPDeviceID  
    $obj.ComputerName = $srv  
   
    # Get the list Disk # for the given volume  
    $DriveletterToDiskNumberQuery = gwmi -ComputerName $srv -Class Win32_LogicalDiskToPartition | ?{$_.Dependent -imatch "Win32_LogicalDisk\.DeviceID=`"$driveletter\:`""} | select -First 1 | %{$_.Antecedent}  
   
    # parse the Disk and partition # from the text  
    $DriveletterToDiskNumber = ([regex]::Match($DriveletterToDiskNumberQuery, "Disk #\d+, Partition #\d+")).Value  
   
    # Get the DeviceID of the given Disk #  
    $DiskNumberToDevideIDQuery = gwmi -ComputerName $srv -Class Win32_DiskDriveToDiskPartition | ?{$_.Dependent -imatch $DriveletterToDiskNumber} | select -First 1 | %{$_.Antecedent}  
      
    # parse the DeviceID from the text  
    $DiskNumberToDevideID = ([regex]::Match($DiskNumberToDevideIDQuery, "PHYSICALDRIVE\d+")).Value  
   
    # get the PNPDeviceID of the given Device  
    $obj.PNPDeviceID = gwmi -ComputerName $srv -Class Win32_DiskDrive | ?{$_.DeviceID -imatch $DiskNumberToDevideID} | Select -First 1 | %{$_.PNPDeviceID}  
   
    if($obj.PNPDeviceID -imatch "^mpio"){  
       $obj.DriveType = "SAN"  
    }  
    else{  
       $obj.DriveType = "Local"  
    }  
   
    $obj  
 }  

t