Central Management of DNS Configuration Compliance and Updates
DNS settings are usually set manually on servers. That is why it can be challenging for IT administrators to make bulk updates when they need to point to new DNS servers or change the DNS server search order, especially in medium-sized and large data centers.
This Wiki article provides methods to centrally manage the updates of DNS configuration on servers and make sure that they are compliant with the company standard.
Using SCCM to centrally manage updates and compliance of DNS configuration:
SCCM is the best candidate to handle the bulk checks and updates of DNS configuration on the servers it manages. This is because of its Compliance Settings feature, which allows you to configure compliance rules that discover the current configuration and remediate a non-compliance if required.
All you need is:
- A PowerShell script to check that the DNS configuration is compliant with your company standard
- A PowerShell script to update the DNS configuration if a server is not compliant with your company standard
- An SCCM Compliance settings item and baseline to allow applying the check of compliance and the remediation if required
PowerShell script to check the DNS configuration
Below is a PowerShell script that checks whether the DNS configuration of a server is compliant with your company standard (the script was developed to check the primary and secondary DNS servers). You just need to replace the $server1 and $server2 variables with the IP addresses of the DNS servers you use. The script returns Compliant if the DNS configuration of your server matches your standard and Not Compliant if it does not.
# CheckDNSConfiguration_v1.0.ps1
# input : n/a
# output : none (logs)
# Version 1.0
# Changelog : n/a
# MALEK Ahmed - 15 / 04 / 2013

#Main
$server1 = "x.x.x.x"   # primary DNS server of the company standard
$server2 = "y.y.y.y"   # secondary DNS server of the company standard

# @() forces an array, so a server with a single IP-enabled adapter is handled by the same loop
$IPList = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" -ComputerName .)
$nicwithdnscount = 0
$conformity = "Not Compliant"

foreach ($nic in $IPList) {
    try {
        $dns = $nic.DNSServerSearchOrder
        # Count every adapter that has at least a primary DNS server
        if ($dns[0] -ne $null) {
            $nicwithdnscount = $nicwithdnscount + 1
        }
        # Only adapters with both a primary and a secondary DNS server are compared with the standard
        if (($dns[0] -ne $null) -AND ($dns[1] -ne $null)) {
            if (($dns[0] -eq $server1) -AND ($dns[1] -eq $server2)) {
                $conformity = "Compliant"
            } else {
                $conformity = "Not Compliant"
            }
        }
    } catch { }
}

# Exactly one adapter is expected to carry DNS settings; anything else is a deviation
if ($nicwithdnscount -ne 1) {
    $conformity = "Not Compliant"
}

Return $conformity
PowerShell script to update the DNS configuration
Below is a PowerShell script that updates the DNS configuration if a server is not compliant with your company standard (the script was developed to update the primary and secondary DNS servers if required). You just need to replace the $server1 and $server2 variables with the IP addresses of the DNS servers you use.
# RemediationDNSConfiguration_v1.0.ps1
# input : n/a
# output : none (logs)
# Version 1.0
# Changelog : n/a
# MALEK Ahmed - 26 / 04 / 2013

#--------Main
$server1 = "x.x.x.x"   # primary DNS server of the company standard
$server2 = "y.y.y.y"   # secondary DNS server of the company standard

# @() forces an array, so a server with a single IP-enabled adapter is handled by the same loop
$IPList = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" -ComputerName .)
$nicwithdnscount = 0
$conformity = "Not Compliant"

# Step 1: re-run the compliance check; an adapter with a third DNS server is never considered compliant here
foreach ($nic in $IPList) {
    try {
        $dns = $nic.DNSServerSearchOrder
        if ($dns[0] -ne $null) {
            $nicwithdnscount = $nicwithdnscount + 1
        }
        if ($dns[2] -eq $null) {
            if (($dns[0] -ne $null) -AND ($dns[1] -ne $null)) {
                if (($dns[0] -eq $server1) -AND ($dns[1] -eq $server2)) {
                    $conformity = "Compliant"
                } else {
                    $conformity = "Not Compliant"
                }
            }
        }
    } catch { }
}
if ($nicwithdnscount -ne 1) {
    $conformity = "Not Compliant"
}

# Step 2: remediate only when exactly one adapter carries DNS settings, and rewrite only that adapter
if (($conformity -eq "Not Compliant") -AND ($nicwithdnscount -eq 1)) {
    foreach ($nic in $IPList) {
        try {
            if ($nic.DNSServerSearchOrder[0] -ne $null) {
                $arrDNSServers = $server1, $server2
                $nic.SetDNSServerSearchOrder($arrDNSServers)
            }
        } catch { }
    }
}
For the creation of SCCM Compliance Settings item and baseline, you can refer to the following Microsoft article:
Compliance Settings in Configuration Manager: http://technet.microsoft.com/en-us/library/gg681958.aspx
Remark: configure the compliance rule so that the server's DNS configuration is considered compliant only if the value returned by the PowerShell script is equal to Compliant.
Once you have prepared your new SCCM Compliance Settings baseline, you need to apply it to the target collections so that the checks and changes take effect (you can create multiple Compliance Settings baselines to apply different DNS configurations to different collections).
Another advantage of SCCM is that it allows generating reports to have a better view of compliance and remediation. That is very useful to have a global view of what is happening on your servers.
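The two scripts above compare only the primary and secondary DNS servers. The script below is an added example, not one of this article's scripts: it generalizes the same check to a standard list of any length and compares the whole search order, so a wrong order, a missing entry or an extra server appended to the list is reported as a deviation (an unexpected DNS server silently redirects all name resolution on that host, which is exactly what a compliance baseline should catch). Run without parameters it acts as the SCCM discovery script and prints Compliant or Not Compliant; run with -Remediate it acts as the remediation script. The file name, the $StandardDnsServers parameter and its default addresses are constructed placeholders.

```powershell
<#
  Added example, not one of the article's scripts.
  Discovery mode  : .\Test-DnsSearchOrder.ps1            (prints "Compliant" / "Not Compliant")
  Remediation mode: .\Test-DnsSearchOrder.ps1 -Remediate (file name is an assumption)
#>
[CmdletBinding()]
param(
    # Ordered company standard; the addresses below are constructed placeholders
    [string[]]$StandardDnsServers = @("10.0.0.10", "10.0.0.11"),
    [switch]$Remediate
)

# @() guarantees an array, so one adapter and several are handled the same way
$adapters = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE")

# Adapters that carry at least one DNS server; @($null).Count is 0, so unset lists are skipped
$dnsAdapters = @($adapters | Where-Object { @($_.DNSServerSearchOrder).Count -gt 0 })

$compliant = $true
$findings  = @()

# Same rule as the article's scripts: exactly one adapter is expected to carry DNS settings
if ($dnsAdapters.Count -ne 1) {
    $compliant = $false
    $findings += "Expected 1 adapter with DNS servers, found $($dnsAdapters.Count)"
}

foreach ($nic in $dnsAdapters) {
    $actual = @($nic.DNSServerSearchOrder)
    # Compare the whole list in order: wrong order, a missing entry or an extra entry
    # (for example a third server someone appended) all count as a deviation
    $orderMatches = ($actual.Count -eq $StandardDnsServers.Count)
    if ($orderMatches) {
        for ($j = 0; $j -lt $actual.Count; $j++) {
            if ($actual[$j] -ne $StandardDnsServers[$j]) { $orderMatches = $false; break }
        }
    }
    if (-not $orderMatches) {
        $compliant = $false
        $findings += "$($nic.Description): expected [$($StandardDnsServers -join ', ')], found [$($actual -join ', ')]"
    }
}

# Findings go to the verbose stream so that stdout only carries the value SCCM evaluates
foreach ($f in $findings) { Write-Verbose $f }

if ($Remediate -and (-not $compliant) -and ($dnsAdapters.Count -eq 1)) {
    # Rewrite the search order of the single DNS-bearing adapter; ReturnValue 0 means success
    $result = $dnsAdapters[0].SetDNSServerSearchOrder($StandardDnsServers)
    if ($result.ReturnValue -ne 0) {
        Write-Verbose "SetDNSServerSearchOrder failed with return code $($result.ReturnValue)"
    }
}

if ($compliant) { "Compliant" } else { "Not Compliant" }
```

Use the script without parameters as the discovery script of the compliance item (rule: returned value equals Compliant) and the same file with -Remediate as its remediation script or as the Group Policy startup script; adding -Verbose when running it by hand shows which adapter deviated and what was found there.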
Using a Group Policy startup script to centrally manage updates and compliance of DNS configuration
Using a Group Policy startup script to centrally manage updates and compliance of DNS settings is also an option.
Compared to SCCM, this method has the following drawbacks:
- The changes can be applied only after rebooting your servers
- There are no reports that can be used by default to check the compliance and updates status
To manage the updates of DNS configuration by using a Group Policy startup script, proceed as follows:
- Create a new GPO then go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) and then double-click Startup
- Select PowerShell Scripts and then add the remediation script (that is the second script provided under “Using SCCM to centrally manage updates and compliance of DNS configuration”)
After that, you need to link the GPO to the target Organizational Units or Site.
See Also
- How to manage your DC/DNS servers with dynamic IPs in Windows Azure
- Active Directory Replication Issues – Basic Troubleshooting Steps (Single AD Domain in a Single AD Forest)