Hi Al,
 
Thanks for your answer. It's not zone transfers I'm looking for, but your answer nevertheless pointed me towards another road with a lot of thoughts!
 
We are used to registering DNS records manually by script. All other records are added manually. When a server is at the end of its life, we clean all its registrations. In case of a cluster, this includes all records for its cluster resources.
 
As this process is totally manual and there are some servers with quite a lot of records pointing to cluster resources, we're looking for a way to query the DNS server to retrieve all records related to that server/cluster and then delete them.
 
Additionally, a lot of servers/clusters are powered off some weeks before we format them and unregister everything in our environment. This is mostly the case for migrations, so that the owners are sure they haven't forgotten a little thing ;-) Currently we have to boot the server again to have a script running locally to retrieve the IPs and names registered in the DNS. If we had a workaround, we wouldn't need to do this anymore: we would just break the array, run a script that looks everything up and remove the registrations.
 
I already have a small idea of a way to perform the check, although not ideal: extracting the zones to a .txt file which a script can loop through, searching for certain strings. The ideal solution would be to look for <server>* records and delete them as they are found. But as already indicated by other people, this is not available... At least not to our knowledge.
 
Another possible solution is to review the DNS infrastructure, for example aging. But, and it's not my choice, I have nothing to do with that part... Although I'm trying to find out if there is anybody interested in adapting the DNS infra to make my life easier, that is rather working the political road ;-)
 
I can understand that it doesn't make a lot of sense, but that's the way of working at this moment. I have to deal with it and try to handle it the best possible way. So in short: I'm looking for a way to retrieve all records like "*string*" in DNS so I can remove them all and keep the DNS tidy...
 
Best regards,
Bart
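Bart's fallback idea (dump the zones to a text file and search it for the server's name) and Al's `nslookup ls -d` suggestion quoted further down can be combined into a script. The following is an added example and not code from the thread: it parses a constructed, hypothetical `ls -d` listing for a zone called example.com, collects every record whose owner name starts with the retired cluster's name, follows CNAMEs (including chains) that point at those names so no alias is left dangling, and prints `dnscmd /RecordDelete` lines for a DNS server assumed to be called dns1. Names that merely share a prefix with the server (the constructed `clus010` next to `clus01`) are set aside for manual review instead of being deleted, which is the main risk of a plain `<server>*` match.

```python
"""Find every DNS record tied to a decommissioned server or cluster in a zone
dump, then emit the dnscmd /RecordDelete lines that remove them.

Input format: the 'name  type  rdata' listing that `nslookup` prints for
`ls -d <zone>` (one record per line, owner names relative to the zone, the
apex written as the zone name with a trailing dot).
"""

RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}

# Constructed sample dump for a hypothetical zone example.com (not real data).
# clus01 is the cluster being retired: one name per node, one per resource,
# and three CNAMEs (one chained) that point at its resources. clus010 is an
# unrelated server that happens to share the prefix.
SAMPLE_DUMP = """\
[dns1.example.com]
 example.com.                   SOA    dns1.example.com hostmaster.example.com. (2006030501 900 600 86400 3600)
 example.com.                   NS     dns1.example.com
 dns1                           A      10.1.0.10
 clus01                         A      10.1.2.30
 clus01-sql                     A      10.1.2.31
 clus01-fs                      A      10.1.2.32
 clus01n1                       A      10.1.2.33
 clus01n2                       A      10.1.2.34
 clus010                        A      10.1.2.40
 payroll                        CNAME  clus01-sql.example.com
 fileshare                      CNAME  clus01-fs.example.com
 intranet                       CNAME  payroll.example.com
 web01                          A      10.1.3.5
"""


def relative_name(name, zone):
    """Lower-case a name and strip the zone suffix; the apex becomes '@'."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    if name == zone:
        return "@"
    suffix = "." + zone
    return name[:-len(suffix)] if name.endswith(suffix) else name


def parse_ls_dump(text, zone):
    """Parse 'nslookup ls -d' style output into (owner, type, rdata) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # blank line or server banner
            continue
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[1].upper() not in RECORD_TYPES:
            continue                            # not a record line
        owner = relative_name(parts[0], zone)
        records.append((owner, parts[1].upper(), parts[2].strip()))
    return records


def classify_owner(owner, server):
    """'delete' for the server itself and names derived from it, 'review' when
    the prefix is followed by a digit (clus01 vs clus010 are different boxes),
    None when the name is unrelated."""
    server = server.lower()
    if owner == server:
        return "delete"
    if not owner.startswith(server):
        return None
    return "review" if owner[len(server)].isdigit() else "delete"


def find_server_records(records, zone, server):
    """Return {'delete': [...], 'review': [...]} for records tied to server.

    Owner-name prefix matches are collected first; then CNAMEs whose target is
    one of the names marked for deletion are added, repeatedly, so alias chains
    (intranet -> payroll -> clus01-sql) do not stay behind dangling."""
    result = {"delete": [], "review": []}
    for rec in records:
        cls = classify_owner(rec[0], server)
        if cls:
            result[cls].append(rec)
    doomed = {rec[0] for rec in result["delete"]}
    changed = True
    while changed:
        changed = False
        for rec in records:
            owner, rtype, rdata = rec
            if rtype == "CNAME" and rec not in result["delete"] \
                    and relative_name(rdata, zone) in doomed:
                result["delete"].append(rec)
                doomed.add(owner)
                changed = True
    return result


def dnscmd_delete_commands(dns_server, zone, records):
    """One 'dnscmd /RecordDelete' line per record; /f skips the y/n prompt."""
    return ["dnscmd %s /RecordDelete %s %s %s %s /f" % (dns_server, zone, o, t, d)
            for o, t, d in records]


if __name__ == "__main__":
    recs = parse_ls_dump(SAMPLE_DUMP, "example.com")
    found = find_server_records(recs, "example.com", "clus01")
    print("# review by hand before deleting:")
    for rec in found["review"]:
        print("#   %s %s %s" % rec)
    for cmd in dnscmd_delete_commands("dns1", "example.com", found["delete"]):
        print(cmd)
```

Two practical caveats. `nslookup ls -d` only works when the DNS server allows zone transfers to the machine running it (Ulf's point); `dnscmd /ZoneExport` run as an administrator on the server itself does not need that, but it writes a zone file in the standard master-file format rather than the `ls -d` layout, so `parse_ls_dump` would need a different line parser. And deleting through the DNS server (`dnscmd /RecordDelete`) rather than removing dnsNode objects with an LDAP client keeps the server's in-memory zone and its tombstone handling consistent.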
 
On 3/5/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
It sounds like what you really want is to move those records to another server.  I don't recall if this is AD integrated or not, and if so, what the scope of those records is set to.  However, setting up a second server and using zone transfer to that server (for backup purposes) is one way to get all of the records in the zones into text files. You could also use WMI scripts/programs to cull that information, or you could realize that if it is AD integrated that data exists elsewhere and that copying it off is not what you want to do.  One other method, which is very much a zone transfer, is to use the nslookup ls -d zonename command, which puts that information to standard I/O. Using dnscmd, you would be able to gather that information, as would a backup (either AD based (see above if that's what you need) or server file based).
 
If not AD-Integrated, you could just copy the zone files  :)
 

Am I missing something you need to do?
 
 
Al
 
On 3/2/06, Bart Van den Wyngaert <[EMAIL PROTECTED] > wrote:
Well, I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of its lifecycle, we shut it down for some weeks (in case of a migration scenario) and then remove all its registrations.
We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description.
Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards...
 
I'll have a look into the dsquery tool you mentioned, as I'm not familiar with that tool.... I'll get back to you.
 
Many thanks,
Bart

 
On 3/1/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED] > wrote:
Very true point - as long as you don't need it to be a DNS query you can use dsquery or admod to query for the dnsNode objects in the container hosting the DNS zones (out of my head since none of my test DCs is currently running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition).
 
However, keep in mind that those LDAP queries get expensive when you are not querying all of them but a specific subset and the wildcard is in front - e.g. querying for *.domain.com is heavy on the server, server01.* would be OK.
 

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile
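To make Ulf's dsquery suggestion concrete, here is an added example (not code from the thread) that builds the LDAP search for a server's dnsNode objects. It assumes a Windows 2003 forest whose domain DN is DC=example,DC=com and a zone called example.com; the three base DN layouts are the standard locations for AD-integrated zones depending on their replication scope (the domain partition under CN=System, the DomainDnsZones partition, and the ForestDnsZones partition). The server name is escaped per RFC 4515 before the single trailing wildcard is appended, so a name copied from a ticket or a CSV cannot smuggle in its own `*` or `)(` and turn a prefix lookup into "every node in the zone". A small helper classifies the pattern the way Ulf describes: a leading wildcard cannot use an index and walks the whole zone, a trailing one can.

```python
"""Build the LDAP search that lists a retired server's dnsNode objects in an
AD-integrated zone, and render it as a dsquery command line.

Assumed placeholders: forest DN DC=example,DC=com, zone example.com.
"""

# Where a zone's dnsNode objects live, by replication scope (standard layouts).
ZONE_BASE_DN = {
    "domain":         "DC={zone},CN=MicrosoftDNS,CN=System,{forest}",
    "DomainDnsZones": "DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{forest}",
    "ForestDnsZones": "DC={zone},CN=MicrosoftDNS,DC=ForestDnsZones,{forest}",
}

# Attributes worth pulling back: the relative name, the packed record data,
# and whether the node is already a DNS tombstone.
DNSNODE_ATTRS = ["dc", "dnsRecord", "dNSTombstoned"]


def ldap_escape(value):
    """Escape a value for use inside an LDAP filter assertion (RFC 4515) so the
    caller's text cannot add wildcards or close the assertion early."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def dnsnode_filter(server):
    """Prefix filter 'server*': matches the host and the names derived from it.
    The one intended wildcard is appended after escaping, so it is the only
    wildcard that survives in the filter."""
    return "(&(objectClass=dnsNode)(dc=%s*))" % ldap_escape(server)


def wildcard_cost(pattern):
    """Classify a dc= pattern: 'exact', 'prefix' (index-friendly trailing
    wildcard) or 'full-scan' (leading wildcard, every node must be examined)."""
    if "*" not in pattern:
        return "exact"
    if pattern.startswith("*"):
        return "full-scan"
    return "prefix"


def build_search(zone, forest_dn, scope, server):
    """Return (base DN, search scope, filter, attributes) for one zone.
    dnsNode objects sit directly under the zone container, so 'onelevel'
    is enough and avoids a subtree walk."""
    base = ZONE_BASE_DN[scope].format(zone=zone, forest=forest_dn)
    return base, "onelevel", dnsnode_filter(server), list(DNSNODE_ATTRS)


def to_dsquery(search):
    """Render the search as a 'dsquery *' command line."""
    base, scope, flt, attrs = search
    return 'dsquery * "%s" -scope %s -filter "%s" -attr %s' % (
        base, scope, flt, " ".join(attrs))


if __name__ == "__main__":
    for scope in ZONE_BASE_DN:
        print(to_dsquery(build_search("example.com", "DC=example,DC=com",
                                      scope, "clus01")))
```

The returned dnsNode list is the inventory; removing the records is still best done through the DNS server (`dnscmd /RecordDelete`) rather than by deleting the dnsNode objects with an LDAP client, and, as in any `server*` match, names that merely share the prefix (a `clus010` next to `clus01`) need a manual look before deletion.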
  

 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Paessens, Daniel
Sent: Wednesday, March 01, 2006 9:10 PM
Subject: RE: [ActiveDir] OT : Query DNS using wildcards?

 
Hello,
 
Against what are you trying to perform a query? It's possible to perform a query against AD by using the csvde command.
When using this command you are able to use some wildcards.
 
Regards,
 
Daniel


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Bart Van den Wyngaert
Sent: Wednesday, March 01, 2006 15:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT : Query DNS using wildcards?

 
Hello Ulf,
 
I agree on the point that it would open up an attack surface, but on the other hand we want to keep our environment clean when a server is at the end of lifecycle.
 
In a lot of cases the server is already powered off some weeks before we start cleaning the different environments (to be sure there is nothing forgotten). In case of a cluster, you have several hosts registered in DNS and IPs for all the resources. We're looking into a way to retrieve that info without the need to power on the server again...
 
Best regards,
Bart

 
On 3/1/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED] > wrote:
Hello Bart,
 
AFAIK DNS is not designed to be queried with a wildcard - which would open up an attack surface you definitely don't want. The closest thing you can do is perform an LS command against a DNS server (e.g. with nslookup); however this requires the DNS server to allow zone transfers to the machine where you perform the ls command.
 
Ulf
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Bart Van den Wyngaert
Sent: Wednesday, March 01, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT : Query DNS using wildcards?

 
Hi all,
 
We're looking at this moment for a way to query DNS using wildcards, but until now, no luck!
 
Does anybody know a way to do this?
 
Thanks,
Bart



