
Monday, February 9, 2015

DNS Scavenging using Powershell

Solving a potential DNS Scavenging Mess!
I used to work for a company that had a very large AD-integrated DNS zone with more than 100,000 A records in it. We, the Engineering team, decided to enable DNS Scavenging in the zone to delete the stale records, in other words records that, for one reason or another, would not update themselves and whose timestamp was already older than what we wanted. We had a very mixed environment: around 65% of the computers were Macs, and there were over 100 Linux servers. Although those machines were bound to the domain and were always connected to the network, many would still fail to update their records in DNS. This behavior caused an issue where the automatic Windows DNS Scavenging deleted legitimate records of our Linux servers, and it caused a great problem. (Thank God for backups!)

I decided to come up with a workaround. Instead of using the default DNS Scavenging provided in DNS Manager, I wrote a PowerShell script that gets the stale records from the zone and matches them with the computer object in AD, then uses the OperatingSystem field of that computer object to decide whether to delete the A record or not. At the end, the script can email you the report, so you can have a Windows scheduled task run it for you every Saturday or so!

Below is the code:

<#
Written by Mr. Hiraldo - Tips4teks.blogspot.com.
This script is provided AS IS and I am not responsible for any damages caused. Removing DNS records could be a problem on your network. Contact your administrator and REALLY think this through before using it.
#>
Import-Module ActiveDirectory

#Change value DeletingEnabled to $true if you want to delete the Stale DNS Records
$DeletingEnabled = $true

#Deletes one A record through the DNS server's WMI provider and returns "Yes" or "No".
#$ServerName is read from the script scope; it is assigned below, before this function is called.
Function DeleteDNSRecord($Record)
{
    $Owner = $Record.OwnerName
    $IPAddress = $Record.IPAddress

    Write-Host "Deleting $Owner $IPAddress"
    Get-WmiObject -Computer $ServerName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" -Filter "IPAddress = '$IPAddress' AND OwnerName = '$Owner'" | Remove-WmiObject
    if($?)
    {
        return "Yes"
    }
    else
    {
        return "No"
    }
}

#The variable Pathdir is used for logging later. Configure to whatever folder you'd like.
$Pathdir = "C:\Scripts\DNSScavenging"
$reportObject = @()
$NotInAD = @()
$TotalAgingInterval = 14 #It will delete records older than what specified here.
$Date = Get-Date -Format 'yyyy.MM.dd'
$ServerName = "DC1.tips4teks.net" #Choose your DNS server here.
$ContainerName = "tips4teks.net"
$DomainZone = "DomainDNSZones." + $ContainerName

#The WMI provider stores TimeStamp as hours since 01/01/1601; a value of 0 means a static record.
#Convert the aging cutoff date into the same unit so it can be used in the WQL filter.
$MinTimeStamp = [Int](New-TimeSpan `
  -Start $(Get-Date("01/01/1601 00:00")) `
  -End $((Get-Date).AddDays(-$TotalAgingInterval))).TotalHours
Write-Host "Gathering DNS A Records... Please wait" -ForegroundColor Yellow
#TimeStamp<>0 keeps static records out of the candidate list.
Get-WmiObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter `
  "ContainerName='$ContainerName' AND TimeStamp<$MinTimeStamp AND TimeStamp<>0" `
 | Select-Object OwnerName, `
  @{n="TimeStamp";e={(Get-Date("01/01/1601")).AddHours($_.TimeStamp)}}, IPAddress, TTL | Export-Csv -Path "$Pathdir\AllStaleDNSRecords.csv"
Write-Host "Gathering DNS A Records completed!" -ForegroundColor Green
Write-Host "Searching DNS A Records in AD... Please wait" -ForegroundColor Yellow
$DNSRecords = Import-Csv -Path "$Pathdir\AllStaleDNSRecords.csv"
foreach ($Record in $DNSRecords)
{
    #Never touch the zone apex or the DomainDNSZones host, which every DC registers.
    if (($Record.OwnerName -ne $ContainerName) -and ($Record.OwnerName -ne $DomainZone))
    {
        $hostname = $Record.OwnerName
        $IPAddress = $Record.IPAddress
        $ADObject = Get-ADComputer -Filter {(DNSHostName -like $hostname)} -Properties OperatingSystem, DistinguishedName
        if($ADObject -ne $null)
        {
            #Only client operating systems are deleted; server and Linux objects are left alone.
            if(($ADObject.OperatingSystem -ne $null) -and (($ADObject.OperatingSystem -like "*Windows XP*") -or ($ADObject.OperatingSystem -like "*Windows 7*") -or ($ADObject.OperatingSystem -like "*Windows 8*") -or ($ADObject.OperatingSystem -like "Mac OS X")))
            {
                $output = "" | Select-Object DNSOwnerName, ADName, OperatingSystem, IPAddress, TTL, TimeStamp, Deleted, DistinguishedName
                $output.DNSOwnerName = $hostname
                $output.ADName = $ADObject.Name
                $output.OperatingSystem = $ADObject.OperatingSystem
                $output.IPAddress = $IPAddress
                $output.TTL = $Record.TTL
                $output.TimeStamp = $Record.TimeStamp
                $output.DistinguishedName = $ADObject.DistinguishedName
                if ($DeletingEnabled -eq $true)
                {
                    $output.Deleted = DeleteDNSRecord $Record
                }
                else
                {
                    $output.Deleted = "Deleting Not Enabled"
                }
                $reportObject += $output
            }
        }
        else
        {
            #No matching computer object: the record is treated as orphaned.
            Write-Host "Record doesn't exist in AD and will be deleted." $hostname
            $Erroutput = "" | Select-Object DNSOwnerName, IPAddress, TTL, TimeStamp, Deleted
            $Erroutput.DNSOwnerName = $Record.OwnerName
            $Erroutput.IPAddress = $Record.IPAddress
            $Erroutput.TTL = $Record.TTL
            $Erroutput.TimeStamp = $Record.TimeStamp
            if ($DeletingEnabled -eq $true)
            {
                $Erroutput.Deleted = DeleteDNSRecord $Record
            }
            else
            {
                $Erroutput.Deleted = "Deleting Not Enabled"
            }
            $NotInAD += $Erroutput
        }
    }
}
Write-Host "Scavenging Maintenance Complete! Exporting to CSV.." -ForegroundColor Green
$reportObject | Export-Csv -Path "$Pathdir\DNSRecords-to-delete-with-ADinfo-$Date.csv"
$NotInAD | Export-Csv -Path "$Pathdir\DNSRecords-NotInAD-Deleted-$Date.csv"

$to = "MrHiraldo@tips4teks.net"
$Subject = "DNS Scavenging Report for $Date"
$Body = "Hello Team,`nThe following reports attached show the DNS records scavenged from zone $ContainerName"
$Relay = "relay.tips4teks.net"
$From = "DNSScavenging@tips4teks.net"
$Attach = "$Pathdir\DNSRecords-to-delete-with-ADinfo-$Date.csv", "$Pathdir\DNSRecords-NotInAD-Deleted-$Date.csv"
#Send the Email and attachment
Send-MailMessage -To $to -Subject $Subject -Body $Body -SmtpServer $Relay -Attachments $Attach -From $From
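
The decision logic of the script above, rewritten here as an added example (not the post's own code) so it can be dry-run against exported records before anything is deleted. The zone name, OS patterns and sample records are constructed; only the hours-since-01/01/1601 TimeStamp format and the 14-day aging interval follow the script.

```powershell
# Added example, not from the original post: the scavenging decision as a pure
# function with no side effects, so a CSV export can be classified and reviewed
# before any record is removed. Sample records below are constructed.

# MicrosoftDNS_AType.TimeStamp counts hours since 1601-01-01 00:00 UTC; 0 means static.
$Epoch1601 = New-Object DateTime -ArgumentList 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
function ConvertTo-DnsTimeStamp([datetime]$When) {
    [long][math]::Floor(($When.ToUniversalTime() - $Epoch1601).TotalHours)
}

# Client operating systems whose stale records may be removed; anything else
# (Windows Server, Linux, unknown) is held for a person to review.
$ClientOsPatterns = @('*Windows XP*', '*Windows 7*', '*Windows 8*', 'Mac OS X')

function Get-ScavengeAction {
    param(
        [string]$OwnerName,
        [long]$TimeStamp,                 # as stored by the DNS WMI provider
        [string]$OperatingSystem = '',    # Get-ADComputer OperatingSystem, if any
        [bool]$InAD = $false,
        [string]$Zone = 'tips4teks.net',
        [int]$AgingDays = 14,
        [datetime]$Now = (Get-Date)
    )
    # Names that every DC registers and that must never be scavenged.
    $protected = @($Zone, "DomainDnsZones.$Zone", "ForestDnsZones.$Zone")
    if ($protected -contains $OwnerName) { return 'Keep: protected name' }
    if ($TimeStamp -eq 0)                { return 'Keep: static record' }
    $cutoff = ConvertTo-DnsTimeStamp ($Now.AddDays(-$AgingDays))
    if ($TimeStamp -ge $cutoff)          { return 'Keep: not stale yet' }
    if (-not $InAD)                      { return 'Delete: no AD computer object' }
    foreach ($pattern in $ClientOsPatterns) {
        if ($OperatingSystem -like $pattern) { return "Delete: client OS ($OperatingSystem)" }
    }
    return "Review: server or unknown OS ($OperatingSystem)"
}

# Constructed sample records, evaluated as of a fixed date so the output is stable.
$asOf = New-Object DateTime -ArgumentList 2015, 2, 9, 0, 0, 0, ([DateTimeKind]::Utc)
$samples = @(
    @{ OwnerName = 'DomainDnsZones.tips4teks.net'; TimeStamp = (ConvertTo-DnsTimeStamp ($asOf.AddDays(-30))); InAD = $false }
    @{ OwnerName = 'printer01.tips4teks.net';      TimeStamp = 0;                                             InAD = $false }
    @{ OwnerName = 'pc-101.tips4teks.net';         TimeStamp = (ConvertTo-DnsTimeStamp ($asOf.AddDays(-3)));  InAD = $true; OperatingSystem = 'Windows 7 Enterprise' }
    @{ OwnerName = 'pc-102.tips4teks.net';         TimeStamp = (ConvertTo-DnsTimeStamp ($asOf.AddDays(-20))); InAD = $true; OperatingSystem = 'Windows 7 Enterprise' }
    @{ OwnerName = 'lin-web01.tips4teks.net';      TimeStamp = (ConvertTo-DnsTimeStamp ($asOf.AddDays(-40))); InAD = $true; OperatingSystem = 'Ubuntu' }
    @{ OwnerName = 'nas01.tips4teks.net';          TimeStamp = (ConvertTo-DnsTimeStamp ($asOf.AddDays(-60))); InAD = $false }
)
foreach ($s in $samples) { [pscustomobject]@{ Owner = $s.OwnerName; Action = (Get-ScavengeAction @s -Now $asOf) } }
```

Only the two "Delete" rows (the stale Windows 7 client and the orphaned nas01 record) would be handed to a deletion routine; the Linux server lands in "Review" instead of being removed silently.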

Tuesday, June 25, 2013

Recently, I needed to change the description on multiple Active Directory accounts that I had exported from an OU to CSV. There were over 500 of them, so doing it one by one would have been a time-consuming task. That's when I decided to write a simple but working script to accomplish this task.

I'm using PowerShell, but you can use other languages such as VBS. I prefer PowerShell because it's more robust yet simpler to use and understand, and it's the future of Windows scripting.


Here's the script:

##############################################################
# Change-Description-To-Users.ps1                            #
# Created by tips4teks.blogspot.com                          #
# This script changes the description of AD accounts         #
# to whatever is specified                                   #
##############################################################

Import-Module ActiveDirectory
#Declare the path to the CSV file where you have the accounts by Distinguished Name.
#The column header (first row) must be DistinguishedName, without quotes.
$CSV='C:\users-to-edit.csv'

#Declare the new description that will be applied to all the accounts in the CSV file.
$Description='Account Disabled by tips4teks.blogspot.com'

#Read the CSV file and change the description of each user object to the value specified above.
Import-Csv -Path $CSV | ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -Description $Description }

Thursday, January 10, 2013

Deleting Domino Policies from Local Lotus Notes Client


Some enterprises lock down Lotus Notes settings via Domino Policies, and occasionally, while troubleshooting, you may find that certain settings are grayed out. If you don't have Domino Administrator rights to edit the policies, this can become a problem and you may be forced to remove the policies from the local machine.

How to remove Domino Policies from a Lotus Notes client.
It is important to know that the policies on a local Lotus Notes client installation are saved in the names.nsf database, so if you happened to recreate names.nsf you most likely removed the policies with it.

If you want to remove the policies manually:

  • Open the main address book on the machine that you want to remove the policy from. Normally this is names.nsf.
  • While holding CTRL + Shift, click on the menu View - Go To... Note: holding CTRL + Shift shows you hidden views.
  • Scroll down, choose the view $Policies and click OK.
  • Select the policies you want to remove (in my case, I deleted them all) and click on "Delete Person" or simply press the Delete key on your keyboard. You may get a prompt after that, which you can answer Yes.

After that, your locked-down settings will be open until the Notes client gets the policy updates from the Domino server.

Years ago, one of my users got the error "Notes error: Special database object cannot be located" when trying to archive locally from her Lotus Notes. I tried refreshing the design template and the views and emptying the trash, with no success.

According to my old personal troubleshooting archive, I had read an article in the IBM forum, (the link is broken now) that said:
"In this case, the issue occurred when the Advance archiving setting "Log all archiving activity into the log database" was selected and the archive log template, ARCHLG50.NTF, was either corrupted or missing. The issue was resolved by unchecking the option, "Log all archiving activity into the log database" and by adding or replacing the ARCHLG50.NTF file on the workstation."

After reading this, it made a lot of sense to me. However, the Lotus Notes archive log template was present on my user's machine, and I needed to keep a log on the machine, so disabling the archiving activity log wouldn't be a solution. Thankfully, I found the solution shortly after! The archive log NSF file was corrupted and I just needed to recreate it.

How to recreate the archive log DB.

  • Open the advanced archive settings. (Open the mail file - go to the "Actions" menu - Archive - Settings - Advanced.)
  • Change the name of the archive database to something else and save the settings. Ex. archive\l_NewDBName
  • Archive your mail database again. (Click on the Actions menu - Archive - Archive Now)

Some companies lock down those settings via Domino Policies and the options are grayed out. However, if you're not a Domino admin who can edit the policies, you may need to remove the policies from the local client in order to resolve this issue. Take a look at my article on how to remove Domino Policies from a local Lotus Notes client.


Tuesday, December 25, 2012

iTunes Store doesn't load on Windows XP or Windows 7

Some time ago, one of the users I support had an issue with the iTunes Store. It wouldn't load at all; she would get a white screen and a spinning wheel while trying to load the store. After having uninstalled and reinstalled iTunes with no luck, the IT muse enlightened me and I thought of resetting Winsock on Windows, and bingo! The issue was resolved.

How to do a Winsock reset
  • Open a command prompt in elevated mode. (On Windows 7 and above, click on the Start menu, type CMD, right-click on it and click Run as administrator. On XP, click Start - Run, type CMD and hit OK.)
  • At the command prompt, type netsh winsock reset and hit Enter.

After that, restart the machine and try iTunes once again.

Saturday, December 22, 2012

iTunes does not open on Windows 7

Recently, I was helping a user whose computer wouldn't launch iTunes. This user had 64-bit Windows 7, and I had already uninstalled iTunes and reinstalled the newest version from the Apple site, yet the issue persisted. I had noticed that iTunesHelper.exe was running and that the process itunes.exe would quickly launch and close itself, which told me there was an incompatibility with some other app, or a service that was not running.

Believe it or not, the solution was uninstalling QuickTime! It looks like that computer had an old version of QuickTime that was no longer compatible with iTunes. After I uninstalled QuickTime, iTunes worked perfectly!

Thursday, December 20, 2012


This error normally occurs when launching Citrix applications from Google Chrome for Mac after reinstalling the new Citrix Receiver.

The fix is very simple!
  1. Navigate to the OS volume (Macintosh HD, for example) and then to /Library/Internet Plug-Ins/
  2. Delete the plugin "CitrixICAClientPlugin.plugin".
  3. Relaunch the app from Chrome and you should be fine!


Content belongs to Tips4teks.blogspot.com. All Rights Reserved. Powered by Blogger.