How to Save the DNS Cheese. Protect AD-Integrated DNS Zones from Accidental Deletions
Published Sep 20 2018 12:43 AM

First published on TechNet on Nov 25, 2013

As a quick follow-on to our recent post about DNS deletion auditing, here's an ounce of prevention for you - well, actually about 3 tons' worth - courtesy of Brent Whitlow, Bryan Zink and your blogger du jour, Hilde.

Our co-workers, peers and others 'out there' have covered this but we wanted to get our own 'variation on a theme' post out as a logical follow up (or some might say prequel) to the DNS auditing post.

 

Here are the links to two of the other great posts:

Let's roll …

 

**** EDIT ****

As with any changes, folks should always exercise caution and test things out in a lab BEFORE implementing any changes to production.  I normally call this out in my posts but I didn't do that here. My sincerest apologies.

Additionally, as with most code, the PowerShell code found here should be considered 'sample code.'

**** END EDIT *****

 

For DNS zones in the legacy "domain" partition:

You can use the AD Users and Computers GUI to expose one of the best checkboxes in the history of Active Directory … or, further below, we can use PowerShell (of course!)

 

 

The zones in the Domain-wide and Forest-wide Application Partitions are stored elsewhere within AD:

 

To protect those, we use PowerShell to toggle the 'ProtectedFromAccidentalDeletion' attribute on zone objects in application partitions, since they aren't exposed anywhere in the GUI. Yet :) (hey Product Group, did you catch that subtle feature request?)

 

 

Domain-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Forest-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Legacy domain partition

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview
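The three enumerate/protect/check passes above can be rolled into one script that discovers the partition DNs from the domain and forest instead of hard-coding them, reports every zone's starting state, and only flips the attribute when you ask it to. This is an added example, not the original post's code; it assumes the ActiveDirectory module is available, that you save it as a .ps1 and run it with -WhatIf first (the SupportsShouldProcess switch gives you that for free), and that the account has write access to the zone objects.

```powershell
# Audit (and optionally protect) every AD-integrated DNS zone in the legacy domain
# partition, DomainDnsZones and ForestDnsZones. Added example, not from the post.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

Import-Module ActiveDirectory

# Build the search bases from the live domain/forest rather than a hard-coded DC=domain,DC=lab.
$domainDn = (Get-ADDomain).DistinguishedName
$forestRootDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

$searchBases = [ordered]@{
    'Legacy domain partition' = "CN=MicrosoftDNS,CN=System,$domainDn"
    'DomainDnsZones'          = "DC=DomainDnsZones,$domainDn"
    'ForestDnsZones'          = "DC=ForestDnsZones,$forestRootDn"
}

$report = foreach ($entry in $searchBases.GetEnumerator()) {
    # A partition may not exist in every environment; note it and keep going.
    try {
        $zones = Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchScope Subtree `
            -SearchBase $entry.Value -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not search $($entry.Value): $($_.Exception.Message)"
        continue
    }
    foreach ($zone in $zones) {
        $wasProtected = [bool]$zone.ProtectedFromAccidentalDeletion
        # Only touch zones that are currently unprotected; -WhatIf/-Confirm gate the write.
        if (-not $wasProtected -and
            $PSCmdlet.ShouldProcess($zone.DistinguishedName, 'Set ProtectedFromAccidentalDeletion = $true')) {
            Set-ADObject -Identity $zone -ProtectedFromAccidentalDeletion $true
        }
        [pscustomobject]@{
            Partition    = $entry.Key
            Zone         = $zone.Name
            WasProtected = $wasProtected   # what it looked like before this run
            DN           = $zone.DistinguishedName
        }
    }
}

# Zones that started out unprotected are the ones to cross-check against your deletion audit events.
$report | Sort-Object Partition, Zone | Format-Table -AutoSize
```

Run it once with -WhatIf to get the report without changing anything, then again without the switch to apply the protection.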

 

NOTE: Should you need to delete one of the zones in the future, simply flip the 'ProtectedFromAccidentalDeletion' attribute for the target zone to FALSE with PowerShell:

Set-ADObject "DC=DOMAIN_APP_PARTITION.COM,DC=DomainDnsZones,DC=domain,DC=lab" -protectedFromAccidentalDeletion $False

 

So there you have a few resources to help you … now get out there and protect the cheese!

 
