Monthly Archives: May 2018

Protect DNS zones against accidental deletions

Good Day.

Today I am sharing with you the procedure to protect you DNS zones from accidental deletions. Its always a best practice to protect DNS zones from being deleted accidentally, this is a high risk issue for AD admins.

Note: After these steps, you will not be able to delete or change the scope of replication for the DNS Zone unless you first unprotect the zone from accidental deletion.

There are couple of ways to prevent DNS zones accidental deletions.

  • DNS Zones stored in the Domain Partition:

Open Active directory users and computers with advanced view.

Go to Active Directory Users and Computers \ Domain Name \ System \ Microsoft DNS \ DNS Zone name, Right click and select properties, Select the Object Tab.

1

Note: The above flag will only be visible in Active Directory Users and Computers if you have stored the DNS Zone in the Domain Partition. You can check where your DNS Zone is stored in DNS Management UI. As an example, the below screenshot shows the replication scope set as “All domain controllers in this domain (for Windows 2000 compatibility)”

2

However powershell is an amazing tool to administer DNS especially when having complex environments with hundreds of DNS zones:

 

  • Enumerate all DNS Zones not protected from deletion in the Domain partition: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “CN=MicrosoftDNS,CN=System,DC=domain,DC=lab” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview
  • Set the protect from accidental deletion flag: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “CN=MicrosoftDNS,CN=System,DC=domain,DC=lab ” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

Now we can use the above for both domain and forest wide partitions.

  • DNS Zones stored in Domain wide application partitions:
    • Enumerate all DNS Zones not protected from deletion in the domain application partition: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “DC=DomainDnsZones,DC=domain,DC=lab” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview
    • Set the protect from accidental deletion flag: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “DC=DomainDnsZones,DC=domain,DC=lab” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

  • DNS Zones stored in Forest wide application partitions:
    • Enumerate all DNS Zones not protected from deletion in the Forest Wide application partition: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “DC=ForestDnsZones,DC=domain,DC=lab” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview
    • Set the protect from accidental deletion flag: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “DC=ForestDnsZones,DC=domain,DC=lab” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

  • Check the protect from accidental deletion flag:
    • Forest wide application partition: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “DC=ForestDnsZones,DC=domain,DC=lab” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview
    • Domain wide application partition: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “DC=DomainDnsZones,DC=domain,DC=lab” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview
    • Domain Partition: Get-ADObject -Filter ‘ObjectClass -like “dnszone”‘ -SearchScope Subtree -SearchBase “CN=MicrosoftDNS,CN=System,DC=domain,DC=lab ” -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

All the above is needed when following Microsoft active directory risk assessment procedures.

Best Regards.

Hisham Mezher