Monday, 1 July 2013

Adding secondary zones to all DNS servers in an AD domain with PowerShell 3.0

One of the advantages of AD Integrated DNS is that adding or editing a zone on one server automatically replicates that action onto all the others, but that only works when the domain is an AD Integrated Primary. If you're dealing with secondary zones that doesn't apply, and things work like they do in a non-AD environment.

Adding a secondary zone needs to be done on each DNS server within the AD domain individually, which if you have a lot of DNS servers could be a lot of work. Add to that the more servers you're working with, the more chance of a mistake being made on one of them.

To get around this I wanted to script a way to create a secondary zone on all the DNS servers at once.

The first step is getting a list of the DNS servers on the domain. You could manually create and maintain a list of servers, but I prefer to assume things will change and get the script to allow for this. To generate a list of DNS servers I use the following :

    $dnserversldap = [ADSI]"LDAP://ou=Domain Controllers,dc=mydomain,dc=co,dc=uk"
    $objsearcher = new-object system.directoryservices.directorysearcher
    $objsearcher.searchroot = $dnserversldap
    $objsearcher.filter = "(objectcategory=computer)"
    $proplist = "name","cn","lastlogon"
    foreach ($i in $proplist){$objsearcher.PropertiesToLoad.add($i)}
    $results = $objsearcher.findall()
    $serverlist = $

Note, I'm assuming in this example that all DNS servers are also AD DC's and therefore appear in the Domain Controllers OU, if that's not the case for you then you'd need to adjust it accordingly.

$serverlist now contains a list of DNS servers to work with.

From there I can simply use foreach to work through the list, and call the AddDnsServerSecondaryZone cmdlet to add the required secondary as follows :

    foreach ($dnsserver in $serverlist)
        Add-DnsServerSecondaryZone -Name $domain -ZoneFile $zonefile -MasterServers $ipaddr -ComputerName $dnsserver

Since I want this to be runnable at a PowerShell prompt rather than have to edit the script each time, I add the following at the beginning :

    $zonefile=$domain + ".dns"

which reads in the domain and IP Address arguments passed to the script, and then generates the .dns filename to be used in the command (since secondary zones aren't stored in AD).

You can download the completed script, which includes logging and error trapping, from since it also maintains the formatting.

No comments:

Post a comment