Summary: Using Windows PowerShell to remove Stale / Dead Domain Controller records.
Q: Hey, Doctor Scripto!
How can I quickly clean up all my dead Domain Controller’s DNS records?
A:
That’s a great question. The good Doctor also knows the very person to answer it best. My good friend Patrick Mercier, An Active Directory PFE who loves working with PowerShell.
Take it away Patrick!
Whether it’s as part of Active Directory Disaster Recovery, or because you had an old Domain Controller you needed to get rid of, cleaning up all the DNS records of a now dead DC left behind can be tedious: that is, unless you use PowerShell
So, as an Active Directory PFE, one of the common things we help customers out with is removing Domain Controllers from the environment. Sometimes that’s as simple as the old DC that has to go away or as scary as having recovered AD from backup and having to remove all other DCs as we rebuild. Regardless of the scenario, cleaning DNS is a critical part of this and I’ve frequently found it to be the part that scares customers the most.
I was cleaning up records manually one day and as I typically do, I thought to myself, there has to be a better way… and there is.
Before I continue though, this is not an Active Directory Disaster Recovery article. It’s not a DNS clean up article. If you’re looking for detailed explanations of all the DNS records this will delete, you’ll want to go find an article about Active Directory DNS! What I will do, is demonstrate an easy way to delete all DNS records related to a Domain Controller with a single PowerShell command.
First, let’s create an array of all the records in the zone _msdcs.contoso.com:
$dnsrecords = Get-DnsServerResourceRecord -ZoneName “_msdcs.contoso.com”
This outputs everything in our zone.
What we get though isn’t the full picture. The data we need to filter on is part of the “RecordData” data column which in and of itself is an array of data. And to isolate the DC we want to clean up, we’ll need to filter the resulting data. For that, we’ll filter on some of the attributes available in the RecordData record set, specifically, IPv4Address, NameServer and DomainName.
$deadDC = $dnsrecords | Where-Object {$_.RecordData.IPv4Address -eq “192.168.50.15” -or $_.RecordData.NameServer -eq “DC02.contoso.com.” -or $_.RecordData.DomainName -eq “DC02.contoso.com.”}
Sweet, now I have all the DNS records for my dead Domain Controller in one array!
From here, it’s super easy to delete them all, simply by calling the Remove-DnsServerResourceRecord cmdlet against the array and the zone! Because any good domain administrator has a bit of paranoia built in, let’s run that as a “What if” to confirm:
$deadDC | Remove-DnsServerResourceRecord -ZoneName “_msdcs.contoso.com” -whatif
And now, that I’ve got some peace of mind that nothing I need is being deleted, I simply remove the what if and the records are gone! No manual clean up.
So, if I were to bring all those components into one command, the result is:
Get-DnsServerResourceRecord -ZoneName “_msdcs.contoso.com” | `
Where-Object {$_.RecordData.IPv4Address -eq “192.168.50.15” `
-or $_.RecordData.NameServer -eq “DC02.contoso.com.” -or `
$_.RecordData.DomainName -eq “DC02.contoso.com.”} | Remove-DnsServerResourceRecord -ZoneName “_msdcs.contoso.com” -force
Simple really.
Thanks Patrick for an excellent tip to making all of this happen!
So that is all there is to using PowerShell to cleanup dead Domain Controller records.
I invite you to follow the Scripting Guys on Twitter and Facebook. If you have any questions, send email to them at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow.
Until then always remember that with Great PowerShell comes Great Responsibility.
Your Good friend, Dr. Scripto
Windows PowerShell, Patrick Mercier, Scripter
