Have you ever opened the properties of a zone, looked at the Name Servers tab, and found a pile of "unknown" servers? I see it all the time, and sometimes there are 30 or more DC/DNS servers listed that were removed from the customer's environment years ago. For whatever reason, admins rarely clean up the old name servers; probably because when you have to remove them from each and every zone, and you have hundreds or thousands of zones, you lose interest in clicking that Remove button so many times.


Fortunately, PowerShell is here to save the day yet again. I'm no scripter (so use at your own risk!), but I've been dabbling with PowerShell a lot lately, and it's been making my life easier each day that I use it. For this case, I made a short script using the ActiveDirectory and DNSServer modules in PowerShell v3. That means you'll need to run it from a Windows 8 or Windows Server 2012 machine with the Active Directory and DNS Server RSAT tools installed. The code is below, with notes on everything going on. Hopefully this helps someone out in some capacity. Just copy it into a .ps1 file, name it accordingly, and give it a test drive.

Import-Module ActiveDirectory, DNSServer

# Prompt for the FQDN of the DC/DNS server that has been removed from the environment.
$UnknownDNSServer = Read-Host "Enter the old Name Server's FQDN"

# Find the PDC Emulator. The DNS cmdlets expect a host name string, not the AD object.
$PDCE = (Get-ADDomainController -Discover -Service PrimaryDC).HostName

# Enumerate the zones hosted on the PDCE. Only primary, non-auto-created zones carry
# NS records we own; secondary, stub and conditional forwarder zones are skipped.
$DNSZones = Get-DnsServerZone -ComputerName $PDCE |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

# For each zone, remove the NS record at the zone apex ("@") that points at $UnknownDNSServer.
# -ErrorAction Stop turns the cmdlet's non-terminating errors (e.g. record not found) into
# exceptions, so the Catch block actually sees them and reports which zone failed.
foreach ($Zone in $DNSZones) {
    Try {
        Remove-DnsServerResourceRecord -ZoneName $Zone.ZoneName -Name "@" -RRType NS `
            -RecordData $UnknownDNSServer -ComputerName $PDCE -Force -ErrorAction Stop
    }
    Catch {
        Write-Warning "Could not remove NS $UnknownDNSServer from zone $($Zone.ZoneName): $($_.Exception.Message)"
    }
}

===========================================================================

Keep in mind that the GUI doesn't have to say "unknown" for an entry to be an old Name Server. "Unknown" only means that the server's associated A record has been deleted, or that the name simply can't be resolved. A DC/DNS server that was demoted to a member server may still have a valid A record, so it won't show as "unknown", even though it is no longer a DNS server. So verify all of the name servers in at least a few randomly chosen zones to see whether this scenario applies to you, and if so, clean those up too. Conversely, a valid Name Server can show as "unknown" because its A record is missing, and you would not want to remove that one. Pay attention to what you're removing and you'll be fine.
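Because "unknown" in the GUI is only a resolution failure, it is worth running a read-only audit before deleting anything. The script below is an added example and not code from the original post. It walks every primary zone on the PDCE, takes each apex NS record, and records three separate signals for it: whether the name still resolves (the GUI's "unknown" test), whether the host is still a domain controller anywhere in the forest, and whether the listed server actually answers an SOA query for that zone. It assumes the same Windows 8 / Server 2012 RSAT modules as the script above plus the DnsClient module for Resolve-DnsName; the helper name Test-DnsAnswer and the sample server name olddc.contoso.com in the trailing comment are mine.

```powershell
# Added audit script; not code from the original post. Assumes Windows 8 / Server 2012
# with RSAT (ActiveDirectory, DNSServer, DnsClient modules) and read access to the PDCE's zones.
Import-Module ActiveDirectory, DNSServer, DnsClient

$PDCE = (Get-ADDomainController -Discover -Service PrimaryDC).HostName

# Every DC in the forest, lower-cased, so forest-wide zones such as _msdcs are judged correctly.
$DCHosts = @((Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
             ForEach-Object { $_.HostName.ToLower() })

function Test-DnsAnswer {
    # Helper (assumed name): $true when the query gets an answer, $false when the lookup fails.
    # -ErrorAction Stop makes Resolve-DnsName's failure a terminating error the catch block sees.
    param([string]$Name, [string]$Type, [string]$Server)
    try { $null = Resolve-DnsName -Name $Name -Type $Type -Server $Server -ErrorAction Stop; $true }
    catch { $false }
}

$Zones = Get-DnsServerZone -ComputerName $PDCE |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$Report = foreach ($Zone in $Zones) {
    # Apex NS records only; RecordData.NameServer is the FQDN with a trailing dot.
    $NSRecords = @(Get-DnsServerResourceRecord -ComputerName $PDCE -ZoneName $Zone.ZoneName `
                     -Name '@' -RRType NS -ErrorAction SilentlyContinue)

    foreach ($Rec in $NSRecords) {
        $NSHost   = $Rec.RecordData.NameServer.TrimEnd('.').ToLower()
        $Resolves = Test-DnsAnswer -Name $NSHost -Type A -Server $PDCE   # $false is what the GUI shows as "unknown"
        $IsDC     = $DCHosts -contains $NSHost
        # Ask the listed server directly for the zone's SOA. A demoted box that kept its A record
        # resolves fine but fails here, which is the case the GUI never flags.
        $Answers  = if ($Resolves) { Test-DnsAnswer -Name $Zone.ZoneName -Type SOA -Server $NSHost } else { $false }

        $Verdict = if ($Resolves -and $Answers)      { 'keep' }
                   elseif (-not $Resolves -and $IsDC) { 'keep: live DC, missing A record' }
                   else                               { 'candidate for removal' }

        [PSCustomObject]@{
            Zone           = $Zone.ZoneName
            NameServer     = $NSHost
            Resolves       = $Resolves
            IsDC           = $IsDC
            AnswersForZone = $Answers
            Verdict        = $Verdict
        }
    }
}

$Report | Sort-Object Verdict, Zone | Format-Table -AutoSize

# Zones still carrying one specific stale server (assumed name), e.g. to feed the removal loop:
# $Report | Where-Object { $_.NameServer -eq 'olddc.contoso.com' -and $_.Verdict -ne 'keep' } |
#     Select-Object -ExpandProperty Zone
```

Treat "candidate for removal" as something to confirm, not an automatic delete: the SOA probe goes over UDP/TCP 53 from the machine you run this on, so a host firewall or a segmented network can make a perfectly good name server look dead. The "live DC, missing A record" row is the case the post warns about, where the right fix is to restore the A record rather than drop the NS entry.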

If your environment doesn't allow Windows 8 or Windows Server 2012 machines yet, and you can't use the new DNS cmdlets, you can use an older method to clean things up; it's just not as pretty:

For /f "delims=" %a in (ZonesWithUnknownServer.txt) do dnscmd.exe <DnsServer> /recorddelete %a @ NS <FQDN of old server> /f

That part isn't too bad (note that %a becomes %%a if you put the loop in a .cmd file instead of typing it at the prompt); it's just a little more manual labor since you'll need to populate the ZonesWithUnknownServer.txt file yourself. You could do that using DNSCMD /enumzones and then parse the output for the zones you want, or there are PowerShell v2 queries you could use to generate the list; see my previous blog here for hints on how to do that with PowerShell.
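One way to build ZonesWithUnknownServer.txt without parsing dnscmd output is the DNS WMI provider, which works from PowerShell v2 on Windows 7 / Server 2008 R2. The script below is an added example, not code from the original post or the earlier blog it refers to. It pulls every NS record from the MicrosoftDNS_NSType class on the DNS server, keeps only apex records (OwnerName equal to the zone's ContainerName) whose NSHost matches the decommissioned server, writes the zone names to the file, and then runs the same dnscmd /recorddelete loop as above from PowerShell. The server name pdce01.contoso.com, the old NS name olddc.contoso.com and the variable names are assumptions; replace the first two with your own values.

```powershell
# Added example, not from the original post. PowerShell v2-compatible: uses the root\MicrosoftDNS
# WMI provider (needs DCOM/WMI access to the DNS server) instead of the v3 DNSServer module.
$DnsServer = 'pdce01.contoso.com'   # assumed: the DC/DNS server to query and edit
$OldNS     = 'olddc.contoso.com'    # assumed: FQDN of the decommissioned name server
$ListFile  = 'ZonesWithUnknownServer.txt'

# One object per NS record on the server. ContainerName is the zone, OwnerName the record owner,
# NSHost the target name server (stored with a trailing dot).
$NSRecords = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_NSType

$Zones = $NSRecords |
    Where-Object { $_.OwnerName -eq $_.ContainerName -and          # apex ("@") records only, not delegations
                   $_.NSHost.TrimEnd('.') -ieq $OldNS } |
    ForEach-Object { $_.ContainerName } |
    Sort-Object -Unique

# Plain ASCII so cmd.exe's FOR /F (or this script) reads it cleanly.
$Zones | Set-Content -Path $ListFile -Encoding ASCII
Write-Host ("{0} zone(s) still list {1}; written to {2}" -f @($Zones).Count, $OldNS, $ListFile)

# Review the file first. Then remove the stale NS record from each listed zone; this is the same
# dnscmd syntax as the FOR loop above, just driven from PowerShell.
foreach ($Zone in Get-Content $ListFile) {
    dnscmd.exe $DnsServer /recorddelete $Zone '@' NS $OldNS /f
}
```

Filtering on OwnerName equal to ContainerName matters: an NS record whose owner is a child name is a delegation to a sub-zone, and deleting those would break name resolution below the delegation point rather than tidy up the zone's own name server list.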

Also, as always, test this in a lab first. The worst case is that you remove the wrong name server(s) from all of your zones, but not to worry: if they're valid, they should re-populate as name servers for those zones in approximately 20 minutes or less, or on a restart of the DNS Server service if you don't want to wait. The one caveat is that this self-repair only covers servers that still run DNS and host the zone, and it is switched off on any server where DisableNSRecordsAutoCreation has been set via dnscmd /Config; on those you would have to add the NS record back by hand.