Earlier I wrote about a project to “true-up” server and zone settings on the enterprise Domain Name System (DNS) servers, and first solo use of PowerShell in order to accomplish the goal. The script I wrote that monitors for changes to the settings on the Windows DNS servers is complete. It’s been running in the developer environment for the last two weeks. I am happy to report that, after making some harmless test changes to some of the DNS servers there, it is working as intended – it detected the changes and spammed the development environment support mailbox with the specific server and details of the change detected. It will be deployed to production next month.
The other script I wrote uses the interface to the Windows Management Instrumentation to dump the zone metadata to a CSV file that can then be filtered and analyzed in a spreadsheet program. This allows me to zero in on zones that are not properly configured without having to go through tens of thousands of zones individually by hand.
Some members of my engineering group have asked me if I can marry the two scripts as to expand the notification functionality to detect changes in zone metadata. It’s a pretty tall order given that just the zone metadata is about 15mb in size and the server notification portion is much smaller, about 15 registry entries per server which equals about 6k. The short answer is that it can probably be done. But, guys, when it comes to PowerShell, I have to learn to crawl before I can run a marathon.
The next question I was asked was whether I might be able to use the script to make automated changes, like if someone makes an unauthorized change to the zone metadata the script can change it back. I went back to the marathon analogy because, from what I’ve read, it’s a bit tricky to make updates to either the metadata or the actual data the zone contains through WMI; and on Windows 2008 R2, using WMI is the only option with PowerShell. All of the zone metadata has to be reapplied at once. It would be like recreating the zone. I haven’t tested it yet, but in theory, it would probably blow away the zone data too if I tried doing that. So, not only would all of the zone metadata have to be reset, but the script would have to export all of the zone data first, recreate the zone metadata, then import what it saved, hoping that nothing changed while in process. It can be done with non-directory integrated zones. But it’s sort of an ugly thing to do with integrated zones, which most of our zones are, that I wouldn’t recommend. But, being a somewhat effective novice, I might be pleasantly surprised once I get into the details of trying it. I’ll just cross my fingers.
PS: I had no idea I would end up being asked to write a full-featured Windows DNS monitoring software package!! EEP!