Active Directory Cookbook for Windows Server 2003 - P42 (pdf)

    > dnscmd dc1 /recordadd rallencorp.com wins01 A 19.25.52.2.25

To delete a resource record, use the following command:

    > dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>

The following command deletes an A record in the rallencorp.com zone:

    > dnscmd dc1 /recorddelete rallencorp.com wins01 A 19.25.52.2.25

13.7.2.3 Using VBScript

    ' This code shows how to add an A record and PTR record using
    ' the DNS WMI Provider
    ' SCRIPT CONFIGURATION
    strForwardRRAdd  = "test-xp.rallencorp.com. IN A 192.32.64.13"
    strReverseRRAdd  = "13.64.32.192.in-addr.arpa IN PTR test-xp.rallencorp.com"
    strForwardDomain = "rallencorp.com"
    strReverseDomain = "192.in-addr.arpa."
    ' END CONFIGURATION

    set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
    set objRR = objDNS.Get("MicrosoftDNS_ResourceRecord")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

    ' Create the A record
    strNull = objRR.CreateInstanceFromTextRepresentation( _
                  objDNSServer.Name, _
                  strForwardDomain, _
                  strForwardRRAdd, _
                  objOutParam)
    set objRR2 = objDNS.Get(objOutParam)
    WScript.Echo "Created Record: " & objRR2.TextRepresentation

    ' Create the PTR record
    strNull = objRR.CreateInstanceFromTextRepresentation( _
                  objDNSServer.Name, _
                  strReverseDomain, _
                  strReverseRRAdd, _
                  objOutParam)
    set objRR2 = objDNS.Get(objOutParam)
    WScript.Echo "Created Record: " & objRR2.TextRepresentation

    ' This code shows how to delete an A and PTR record for the record
    ' I created in the previous example.
    strHostName = "test-xp.rallencorp.com."
    set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
    set objRRs = objDNS.ExecQuery(" select * " & _
                                  " from MicrosoftDNS_ResourceRecord " & _
                                  " where OwnerName = """ & strHostName & """" & _
                                  " Or RecordData = """ & strHostName & """")
    if objRRs.Count < 1 then
        WScript.Echo "No matches found for " & strHostName
    else
        for each objRR in objRRs
            objRR.Delete_
            WScript.Echo "Deleted " & objRR.TextRepresentation
        next
    end if

13.7.3 Discussion

13.7.3.1 Using a graphical user interface

The DNS Management snap-in is good for creating a small number of records, but if you need to add or delete more than a couple of dozen, then I'd recommend writing a batch file around dnscmd or, preferably, using the DNS WMI Provider.

13.7.3.2 Using a command-line interface

Adding A, CNAME, and PTR resource records is pretty straightforward as far as the data you must enter, but other record types, such as SRV, require quite a bit more data. The help pages for /recordadd and /recorddelete display the required information for each record type.

13.7.3.3 Using VBScript

In the first example, I created A and PTR records using the CreateInstanceFromTextRepresentation method, which is a MicrosoftDNS_ResourceRecord method that allows you to create resource records by passing in the textual version of the record. This is the textual representation of the A record used in the example:

    test-xp.rallencorp.com IN A 192.32.64.13

The first parameter to this method is the DNS server name, the second is the name of the domain to add the record to, the third is the resource record, and the last is an out parameter that returns a reference to the new resource record. In the second example, I find all resource records that match a certain hostname and delete them.
This is done by first using a WQL query to find all resource records where the OwnerName equals the target host name (this will match any A records) and where RecordData equals the target host name (this will match any PTR records). The Delete_ method is called on each matching record, removing them on the DNS server.

13.7.4 See Also

MSDN: MicrosoftDNS_ResourceRecord

Recipe 13.8 Querying Resource Records

13.8.1 Problem

You want to query resource records.

13.8.2 Solution

13.8.2.1 Using a graphical user interface

The DNS Management snap-in does not provide an interface for searching resource records.

13.8.2.2 Using a command-line interface

In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:

    > nslookup -type=<RecordType> <RecordName>

13.8.2.3 Using VBScript

    ' This code prints the resource records that match
    ' the specified name
    ' SCRIPT CONFIGURATION
    strQuery = "<RecordName>"
    ' END CONFIGURATION

    set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
    set objRRs = objDNS.ExecQuery(" select * " & _
                                  " from MicrosoftDNS_ResourceRecord" & _
                                  " where OwnerName = """ & strQuery & """" & _
                                  " Or DomainName = """ & strQuery & """" & _
                                  " Or RecordData = """ & strQuery & """")
    if objRRs.Count < 1 then
        ' strQuery is the only name this script defines, so report it here
        WScript.Echo "No matches found for " & strQuery
    else
        for each objRR in objRRs
            WScript.Echo objRR.TextRepresentation
        next
    end if

13.8.3 Discussion

13.8.3.1 Using a command-line interface

You can leave off the -type switch and the command will find any A, PTR, and CNAME records that match <RecordName>. You can also run nslookup from interactive mode, which can be entered by typing nslookup at a command prompt with no additional parameters.
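The two VBScript solutions above (creating A and PTR records from their textual representation in Recipe 13.7, and matching records by OwnerName, DomainName or RecordData in Recipe 13.8) can be worked through offline. The following Python is an added example, not code from the cookbook or from the DNS WMI Provider: it builds the same "owner IN TYPE data" text the CreateInstanceFromTextRepresentation method accepts, rejects malformed addresses before they reach the server, and replays the matching logic of the cookbook's WQL query over a constructed record list. The ResourceRecord class and the helper names are this example's own; the trailing-dot and case normalisation in the matcher is an assumption made here, not documented WQL behaviour.

```python
"""Build DNS resource records in WMI textual form and replay the cookbook's
OwnerName/RecordData matching over a constructed in-memory zone.

Added example; not from the Active Directory Cookbook. The record list is
constructed sample data, and every helper below is this example's own.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class ResourceRecord(NamedTuple):
    owner_name: str    # corresponds to MicrosoftDNS_ResourceRecord.OwnerName
    domain_name: str   # corresponds to DomainName (the zone holding the record)
    record_type: str   # A, PTR, CNAME, ...
    record_data: str   # corresponds to RecordData

    @property
    def text_representation(self) -> str:
        # Same shape as the TextRepresentation property: "owner IN TYPE data"
        return f"{self.owner_name} IN {self.record_type} {self.record_data}"


def make_a_record(host_fqdn: str, ip: str) -> ResourceRecord:
    """Forward record. Raises ValueError for addresses such as 19.25.52.2.25."""
    addr = ipaddress.IPv4Address(ip)        # AddressValueError (a ValueError) if malformed
    fqdn = host_fqdn.rstrip(".")
    zone = fqdn.split(".", 1)[1]            # assumption: the host is one label below its zone
    return ResourceRecord(fqdn + ".", zone, "A", str(addr))


def make_ptr_record(host_fqdn: str, ip: str, reverse_zone_octets: int = 1) -> ResourceRecord:
    """Reverse record. reverse_zone_octets=1 files 192.32.64.13 under the
    192.in-addr.arpa zone as the cookbook script does; 3 would use the
    /24 zone 64.32.192.in-addr.arpa instead."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    owner = ".".join(reversed(octets)) + ".in-addr.arpa"
    zone = ".".join(reversed(octets[:reverse_zone_octets])) + ".in-addr.arpa."
    return ResourceRecord(owner, zone, "PTR", host_fqdn.rstrip(".") + ".")


def _same_name(a: str, b: str) -> bool:
    # Assumption of this example: compare names case-insensitively, ignoring a trailing dot.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def find_records(records: List[ResourceRecord], name: str, *,
                 match_domain: bool = False,
                 record_type: Optional[str] = None) -> List[ResourceRecord]:
    """Replay the cookbook's WQL: OwnerName = name Or RecordData = name
    (Or DomainName = name when match_domain is set), optionally narrowed
    by RecordType as the Recipe 13.8 discussion recommends."""
    hits = []
    for rr in records:
        if record_type and rr.record_type != record_type.upper():
            continue
        if (_same_name(rr.owner_name, name) or _same_name(rr.record_data, name)
                or (match_domain and _same_name(rr.domain_name, name))):
            hits.append(rr)
    return hits


# Constructed sample zone contents (not taken from any real server).
SAMPLE_RECORDS = [
    make_a_record("test-xp.rallencorp.com", "192.32.64.13"),
    make_ptr_record("test-xp.rallencorp.com", "192.32.64.13"),
    ResourceRecord("www.rallencorp.com.", "rallencorp.com", "CNAME", "test-xp.rallencorp.com."),
    make_a_record("dc1.rallencorp.com", "192.32.64.1"),
]


def records_to_delete(records: List[ResourceRecord], host: str) -> List[str]:
    """What the Recipe 13.7 deletion script would remove for host: its A
    record, its PTR record, and also any CNAME whose RecordData points at
    the host, because the RecordData clause does not check the type."""
    return [rr.text_representation for rr in find_records(records, host)]


if __name__ == "__main__":
    for line in records_to_delete(SAMPLE_RECORDS, "test-xp.rallencorp.com."):
        print("Would delete:", line)
    try:
        make_a_record("wins01.rallencorp.com", "19.25.52.2.25")
    except ValueError as exc:
        print("Rejected before reaching the server:", exc)
```

Running it shows three records selected for deletion rather than the two the cookbook's discussion mentions: the CNAME is caught by the RecordData clause. Adding a RecordType criterion, as the Recipe 13.8 discussion suggests for efficiency, also keeps a delete query from reaching further than intended.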
13.8.3.2 Using VBScript

In the VBScript solution a WQL query was used to find all matching resource records. This is a good example of how powerful the DNS WMI Provider can be. The query attempts to find any object of the MicrosoftDNS_ResourceRecord class that has an OwnerName, DomainName, or RecordData field equal to the <RecordName>. This is not the most efficient query if the server supports multiple large zones, so you may want to restrict it to search for specific types of records by adding criteria to match RecordType = <Type>.

13.8.4 See Also

MSDN: MicrosoftDNS_ResourceRecord

Recipe 13.9 Modifying the DNS Server Configuration

13.9.1 Problem

You want to modify the DNS Server settings.

13.9.2 Solution

13.9.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Click on the server, right-click on it, and select Properties.
4. There will be several tabs you can choose from to edit the server settings.
5. Click OK to commit the changes after you've completed your modifications.

13.9.2.2 Using a command-line interface

With the following command, replace <Setting> with the name of the setting to modify and <Value> with the value to set:

    > dnscmd <DNSServerName> /config /<Setting> <Value>

13.9.2.3 Using VBScript

    set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
    objDNSServer.<Setting> = <Value>   ' e.g. objDNSServer.AllowUpdate = TRUE
    objDNSServer.Put_

13.9.3 Discussion

The Microsoft DNS server supports a variety of settings to configure everything from scavenging and forwarders to logging. With the DNS Management snap-in, the settings are spread over several tabs of the server's Properties dialog.
You can get a list of these settings by simply running dnscmd /config from a command line. For the CLI and VBScript solutions, the setting names are nearly identical. In the VBScript solution, be sure to call the Put_ method after you are done configuring settings in order for the changes to take effect.

13.9.4 See Also

MSDN: MicrosoftDNS_Server

Recipe 13.10 Scavenging Old Resource Records

13.10.1 Problem

You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually added, also referred to as static, records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

13.10.2 Solution

The following solutions will show how to enable automatic scavenging on all AD-integrated zones.

13.10.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Click on the server, right-click on it, and select Set Aging/Scavenging for all zones.
4. Check the box beside Scavenge stale resource records.
5. Configure the No-Refresh and Refresh intervals as necessary and click OK.
6. Check the box beside Apply these settings to the existing Active Directory-integrated zones and click OK.
7. Right-click on the server again and select Properties.
8. Select the Advanced tab.
9. Check the box beside Enable automatic scavenging of stale resource records.
10. Configure the scavenging period as necessary.
11. Click OK.
13.10.2.2 Using a command-line interface

The interval values are in hours; the special zone name ..AllZones applies the aging setting to every zone on the server:

    > dnscmd <DNSServerName> /config /ScavengingInterval <ScavengingHours>
    > dnscmd <DNSServerName> /config /DefaultAgingState 1
    > dnscmd <DNSServerName> /config /DefaultNoRefreshInterval <NoRefreshHours>
    > dnscmd <DNSServerName> /config /DefaultRefreshInterval <RefreshHours>
    > dnscmd <DNSServerName> /config ..AllZones /aging 1

13.10.2.3 Using VBScript

    ' This code enables scavenging for all AD-integrated zones
    ' SCRIPT CONFIGURATION
    strServer = "<DNSServerName>"
    intScavengingInterval = <ScavengingHours>   ' all three intervals are in hours
    intNoRefreshInterval  = <NoRefreshHours>
    intRefreshInterval    = <RefreshHours>
    ' END CONFIGURATION

    set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
    objDNSServer.ScavengingInterval = intScavengingInterval
    objDNSServer.DefaultNoRefreshInterval = intNoRefreshInterval
    objDNSServer.DefaultRefreshInterval = intRefreshInterval
    objDNSServer.DefaultAgingState = TRUE
    objDNSServer.Put_
    WScript.Echo "Configured server scavenging settings"

    set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                    "Where DnsServerName = '" & _
                                    objDNSServer.Name & "'" & _
                                    " And DsIntegrated = TRUE")
    WScript.Echo "Configuring AD-integrated zones: "
    for each objZone in objZones
        WScript.Echo "  " & objZone.Name & " (aging was " & objZone.Aging & ")"
        objZone.Aging = 1
        objZone.Put_
    next

13.10.3 Discussion

There are four settings you need to be aware of before enabling scavenging. You must use caution when enabling scavenging because an incorrect configuration could lead to resource records getting deleted by mistake.

The first setting you have to configure is the scavenging interval. This is the interval at which the DNS server will kick off the scavenging process. It is disabled by default so that scavenging does not take place unless you enable this setting. The default value is 168 hours, which is equivalent to 7 days.
The second setting is the default aging state for new zones. If you want all new zones to be configured for scavenging, set this to 1.

The next two settings control how records get scavenged. The no-refresh interval determines how long before a dynamically updated record can be updated again. This setting is necessary to reduce how often a DNS server has to update its timestamp of the resource record. The default value is 168 hours (7 days). That means that after a resource record has been dynamically updated, the server will not accept another dynamic update for the same record for another 7 days. If the IP address or some other data for the record changes, the server will accept that.

The refresh interval setting is the amount of time after the no-refresh interval that a client has to update its record before it is considered old or stale. The default value for this setting is also 168 hours (7 days). If you use the default values, the combination of the no-refresh interval and refresh interval would mean that a dynamically updated record would not be considered stale for up to 14 days after its last update. In actuality, it could be up to 21 days before the record is deleted if the record became stale right after the last scavenge process completed: 7 days (no refresh) + 7 days (refresh) + up to 7 days (scavenge process).

Recipe 13.11 Clearing the DNS Cache

13.11.1 Problem

You want to clear the DNS cache. The DNS cache contains resource records that are cached for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the resolver on any Windows client (servers and workstations), and the other to the cache used by the Microsoft DNS server.

13.11.2 Solution

To flush the client resolver cache, use the following command:

    > ipconfig /flushdns

To flush the DNS server cache, use any of the following solutions.

13.11.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. Right-click on DNS in the left pane and select Connect to DNS Server.
3. Enter the server you want to connect to and click Enter.
4. Right-click on the server and select Clear Cache.

13.11.2.2 Using a command-line interface

The following command will clear the cache on <DNSServerName>. You can leave out <DNSServerName> to run against the local server:

    > dnscmd <DNSServerName> /clearcache

13.11.2.3 Using VBScript

    ' This code clears the DNS server cache on the specified server.
    ' SCRIPT CONFIGURATION
    strServer = "<DNSServerName>"   ' e.g. dc1.rallencorp.com
    ' END CONFIGURATION

    set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
    ' The server cache is exposed as the pseudo-zone named ..Cache
    set objDNSCache = objDNS.Get("MicrosoftDNS_Cache.ContainerName=""..Cache""" & _
                                 ",DnsServerName=""" & objDNSServer.Name & _
                                 """,Name=""..Cache""")
    objDNSCache.ClearCache
    WScript.Echo "Cleared server cache"

13.11.3 Discussion

The client resolver cache is populated whenever a DNS lookup is performed on a workstation or server; for example, with the nslookup command.

The second type of cache is only for Microsoft DNS servers. It is a cache of all DNS requests the server has made to resolve queries from clients. You can view this cache by browsing the Cached Lookups folder for a server in the DNS Management snap-in. This folder is not shown by default, so you'll need to select Advanced from the View menu.

With both the client and server cache, the records are removed from the cache after the record's TTL or Time To Live value expires. The TTL is used to age records so that clients and servers have to re-request them at a later point and receive any changes that may have occurred.
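The timing argument in the Recipe 13.10 discussion (no-refresh interval, refresh interval, and the scavenging interval on top of both) is easy to get wrong when the values are not the defaults, and a wrong value deletes live records. The following Python is an added example, not code from the cookbook or from the DNS server: it models the four settings the discussion names, decides whether a dynamic update would be accepted during the no-refresh window, computes when a record becomes stale and the earliest and latest moments it can be removed, and runs two sanity checks before scavenging is switched on. The ScavengingPolicy class, the function names, the timestamps, and the client re-registration period passed to the check are all this example's own assumptions; settings are modelled in hours, which is the unit the server-side interval settings use.

```python
"""Model the scavenging timeline described in Recipe 13.10's discussion.

Added example; not from the Active Directory Cookbook. Timestamps below are
constructed, and the policy class and helpers are this example's own.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

HOURS_PER_WEEK = 168  # the default for all three intervals (7 days)


class ScavengingPolicy(NamedTuple):
    no_refresh_hours: int = HOURS_PER_WEEK        # DefaultNoRefreshInterval
    refresh_hours: int = HOURS_PER_WEEK           # DefaultRefreshInterval
    scavenging_interval_hours: int = HOURS_PER_WEEK  # ScavengingInterval; 0 = disabled


def update_allowed(policy: ScavengingPolicy, last_update: datetime,
                   now: datetime, data_changed: bool) -> bool:
    """Inside the no-refresh interval a timestamp-only refresh is refused;
    a change to the record's data (e.g. a new IP address) is always accepted."""
    if data_changed:
        return True
    return now >= last_update + timedelta(hours=policy.no_refresh_hours)


def stale_at(policy: ScavengingPolicy, last_update: Optional[datetime]) -> Optional[datetime]:
    """A record is stale once both intervals have elapsed since its last
    update. Static records carry no timestamp (None) and never go stale."""
    if last_update is None:
        return None
    return last_update + timedelta(hours=policy.no_refresh_hours + policy.refresh_hours)


def deletion_bounds(policy: ScavengingPolicy,
                    last_update: datetime) -> Optional[Tuple[datetime, datetime]]:
    """(earliest, latest) removal time. Earliest: a scavenging pass starts the
    moment the record goes stale. Latest: the record went stale just after a
    pass finished, so it survives one more full scavenging interval; with the
    defaults that is the discussion's 7 + 7 + up to 7 = 21 days."""
    if policy.scavenging_interval_hours == 0:
        return None
    stale = stale_at(policy, last_update)
    return stale, stale + timedelta(hours=policy.scavenging_interval_hours)


def first_removing_pass(policy: ScavengingPolicy, last_update: datetime,
                        last_scavenge: datetime) -> Optional[datetime]:
    """The first scheduled scavenging pass at or after the record goes stale,
    given when the last pass ran. None when scavenging is disabled."""
    if policy.scavenging_interval_hours == 0:
        return None
    stale = stale_at(policy, last_update)
    interval = timedelta(hours=policy.scavenging_interval_hours)
    next_pass = last_scavenge
    while next_pass < stale:
        next_pass += interval
    return next_pass


def config_warnings(policy: ScavengingPolicy, client_reregistration_hours: int = 24) -> List[str]:
    """Checks to run before enabling scavenging. client_reregistration_hours
    is an assumed figure for how often your clients re-register their records;
    pass the real value for the environment. Live records are scavenged by
    mistake when the refresh interval is shorter than that period."""
    warnings = []
    if policy.scavenging_interval_hours == 0:
        warnings.append("ScavengingInterval is 0: aging is recorded but nothing is ever removed")
    if policy.refresh_hours < client_reregistration_hours:
        warnings.append("refresh interval (%dh) is shorter than the client re-registration "
                        "period (%dh): records of live hosts will be scavenged"
                        % (policy.refresh_hours, client_reregistration_hours))
    return warnings


if __name__ == "__main__":
    policy = ScavengingPolicy()                       # all defaults
    registered = datetime(2014, 7, 5, 8, 20)          # constructed timestamp
    print("stale at:", stale_at(policy, registered))
    print("removal window:", deletion_bounds(policy, registered))
    print("refresh accepted after 3 days?",
          update_allowed(policy, registered, registered + timedelta(days=3), False))
    for w in config_warnings(ScavengingPolicy(refresh_hours=12)):
        print("WARNING:", w)
```

The worst case in first_removing_pass is reached when the last pass ran just before the record went stale: with the defaults the record then stays in the zone for almost 21 days after its last update, which is the figure the discussion arrives at.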
Recipe 13.12 Verifying That a Domain Controller Can Register Its Resource Records

13.12.1 Problem

You want to verify DNS is configured correctly so that a domain controller can register its resource records, which are needed for clients to be able to locate various AD services.

13.12.2 Solution

13.12.2.1 Using a command-line interface

This test is available only with the Windows Server 2003 version of dcdiag. With the following dcdiag command, replace dc1 with the DNS name of the domain the domain controller is in. This command has to be run directly on the domain controller you want to test.

    > dcdiag /test:RegisterInDNS /DnsDomain:dc1
    Starting test: RegisterInDNS
       DNS configuration is sufficient to allow this domain controller to
       dynamically register the domain controller Locator records in DNS.
       The DNS configuration is sufficient to allow this computer to
       dynamically register the A record corresponding to its DNS name.
       dc1 passed test RegisterInDNS

13.12.3 Discussion

With the default setup, domain controllers attempt to dynamically register the resource records necessary for them to be located by Active Directory clients and other domain controllers. The domain controllers must have their resource records populated in DNS in order to function. It can be very tedious and error-prone to register all of the records manually, which is why allowing the domain controllers to use dynamic DNS (DDNS) to automatically register and update their records can be much easier from a support standpoint.

The Windows Server 2003 version of the dcdiag command provides a new RegisterInDNS switch that allows you to test whether or not the DC can register its records. In the solution above, I showed the output if the domain controller passes the test. Here is the output if an error occurs:

    Starting test: RegisterInDNS
       This domain controller cannot register domain controller Locator DNS records.
       This is because either the DNS server with IP address 6.10.45.14 does not
       support dynamic updates or the zone rallencorp.com is configured to prevent
       dynamic updates.
       In order for this domain controller to be located by other domain members
       and domain controllers, the domain controller Locator DNS records must be
       added to DNS. You have the following options:
       1. Configure the rallencorp.com zone and the DNS server with IP address
          6.10.45.14 to allow dynamic updates. If the DNS server does not support
          dynamic updates, you might need to upgrade it.
       2. Migrate the rallencorp.com zone to a DNS server that supports dynamic
          updates (for example, a Windows 2000 DNS server).
       3. Delegate the zones _msdcs.rallencorp.com, _sites.rallencorp.com,
          _tcp.rallencorp.com, and _udp.rallencorp.com to a DNS server that
          supports dynamic updates (for example, a Windows 2000 DNS server); or
       4. Manually add to the DNS records specified in the
          systemroot\system32\config\netlogon.dns file.
       DcDiag cannot reach a conclusive result because it cannot interpret the
       following message that was returned: 9501.
       dc1 failed test RegisterInDNS

As you can see, it offers several options for resolving the problem. The information provided will also vary depending on the error encountered.

13.12.4 See Also

Recipe 13.13 for registering a domain controller's resource records

Recipe 13.13 Registering a Domain Controller's Resource Records

13.13.1 Problem

You want to manually force registration of a domain controller's resource records. This may be necessary if you've made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.

13.13.2 Solution

13.13.2.1 Using a command-line interface

    > nltest /dsregdns /server:<DomainControllerName>

13.13.3 Discussion

The Windows Server 2003 version of nltest provides a /dsregdns switch that allows you to force registration of the domain controller-specific resource records.
You can also force re-registration of its resource records by restarting the NetLogon service on the domain controller. The NetLogon service automatically attempts to re-register a domain controller's resource records every hour, so if you can wait that long, you do not need to use the nltest command.

13.13.4 See Also

Recipe 13.12 for verifying if a domain controller is registering its resource records
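The RegisterInDNS output shown in Recipe 13.12 is something an operator usually wants to check across many domain controllers rather than read by eye, and the failure text already names the DNS server and zone that refused the update. The following Python is an added example, not code from the cookbook or from dcdiag: it classifies a captured transcript as pass or fail and pulls out the DNS server address, zone, and trailing message code when they are present. The two sample transcripts are the pass and fail outputs printed in Recipe 13.12, embedded here as constructed strings; the regular expressions are written against that text only and are this example's own, as are all function and class names.

```python
"""Classify dcdiag /test:RegisterInDNS transcripts and extract what an
operator needs to act on.

Added example; not from the Active Directory Cookbook or from dcdiag. The
two transcripts below reproduce the recipe's sample output as constructed
strings; the patterns target that text and may need widening for other
dcdiag messages.
"""
import re
from typing import NamedTuple, Optional


class RegisterInDnsResult(NamedTuple):
    dc_name: Optional[str]
    passed: bool
    dns_server_ip: Optional[str]   # server reported as refusing dynamic updates
    zone: Optional[str]            # zone reported as preventing dynamic updates
    message_code: Optional[str]    # trailing "...returned: 9501." style code


# The verdict line ends "<dc> passed|failed test RegisterInDNS".
VERDICT_RE = re.compile(r"(?P<dc>\S+) (?P<verdict>passed|failed) test RegisterInDNS\s*$", re.M)
SERVER_RE = re.compile(r"DNS server with IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ZONE_RE = re.compile(r"the zone (?P<zone>[A-Za-z0-9._-]+) is configured to prevent dynamic updates")
CODE_RE = re.compile(r"following message that was returned: (?P<code>\d+)\.")


def parse_register_in_dns(output: str) -> RegisterInDnsResult:
    """Parse one dcdiag transcript. Raises ValueError if no verdict line is present,
    so a truncated capture is never silently reported as a pass."""
    verdict = VERDICT_RE.search(output)
    if verdict is None:
        raise ValueError("no RegisterInDNS verdict line found in transcript")
    server = SERVER_RE.search(output)
    zone = ZONE_RE.search(output)
    code = CODE_RE.search(output)
    return RegisterInDnsResult(
        dc_name=verdict.group("dc"),
        passed=verdict.group("verdict") == "passed",
        dns_server_ip=server.group("ip") if server else None,
        zone=zone.group("zone") if zone else None,
        message_code=code.group("code") if code else None,
    )


def summarize(result: RegisterInDnsResult) -> str:
    """One line per DC, suitable for a monitoring report."""
    if result.passed:
        return f"{result.dc_name}: OK, can register Locator and A records"
    where = []
    if result.zone:
        where.append(f"zone {result.zone}")
    if result.dns_server_ip:
        where.append(f"DNS server {result.dns_server_ip}")
    detail = " / ".join(where) if where else "see transcript"
    code = f" (message code {result.message_code})" if result.message_code else ""
    return f"{result.dc_name}: FAILED, dynamic updates refused by {detail}{code}"


# Constructed transcripts reproducing the recipe's pass and fail output.
PASS_OUTPUT = """\
Starting test: RegisterInDNS
   DNS configuration is sufficient to allow this domain controller to
   dynamically register the domain controller Locator records in DNS.
   The DNS configuration is sufficient to allow this computer to
   dynamically register the A record corresponding to its DNS name.
   dc1 passed test RegisterInDNS
"""

FAIL_OUTPUT = """\
Starting test: RegisterInDNS
   This domain controller cannot register domain controller Locator DNS records.
   This is because either the DNS server with IP address 6.10.45.14 does not
   support dynamic updates or the zone rallencorp.com is configured to prevent dynamic updates.
   In order for this domain controller to be located by other domain members
   and domain controllers, the domain controller Locator DNS records must be
   added to DNS. You have the following options:
   1. Configure the rallencorp.com zone and the DNS server with IP address
      6.10.45.14 to allow dynamic updates.
   DcDiag cannot reach a conclusive result because it cannot interpret the
   following message that was returned: 9501.
   dc1 failed test RegisterInDNS
"""

if __name__ == "__main__":
    for transcript in (PASS_OUTPUT, FAIL_OUTPUT):
        print(summarize(parse_register_in_dns(transcript)))
```

Because the verdict line is mandatory, a transcript cut off before dcdiag finishes raises rather than being counted as healthy; that matters when the check runs unattended across a fleet.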

Posted: 05/07/2014, 08:20
