As a quick follow-on to our recent post about DNS deletion auditing, here's an ounce of prevention for you - well, actually about 3 tons' worth - courtesy of Brent Whitlow, Bryan Zink and your blogger du jour, Hilde.
Our co-workers, peers and others 'out there' have covered this, but we wanted to get our own 'variation on a theme' post out as a logical follow-up (or, some might say, prequel) to the DNS auditing post.
Here are the links to two of the other great posts:
As with any changes, folks should always exercise caution and test things out in a lab BEFORE implementing any changes to production. I normally call this out in my posts but I didn't do that here. My sincerest apologies.
Additionally, as with most code, the PowerShell code found here should be considered 'sample code.'
**** END EDIT *****
For DNS zones in the legacy "domain" partition:
You can use the AD Users and Computers GUI to expose one of the best checkboxes in the history of Active Directory … or, further below, we can use PowerShell (of course!).
The zones in the Domain-wide and Forest-wide Application Partitions are stored elsewhere within AD:
To protect those, we use PowerShell to toggle the ProtectedFromAccidentalDeletion flag on the zone objects in the application partitions, since those objects aren't exposed anywhere in the GUI. Yet :) (hey Product Group, did you catch that subtle feature request?)
Domain-wide application partitions
Enumerate all vulnerable zones into a nice UI box:
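The enumeration step above, written out as an added example (this is not the original post's script). It assumes the RSAT ActiveDirectory module and a domain controller that hosts the DomainDnsZones and ForestDnsZones partitions, and it goes a little beyond the domain-wide case by checking all three places a zone object can live: the legacy CN=MicrosoftDNS,CN=System container, the domain-wide partition and the forest-wide partition. It lists every dnsZone object whose protection flag is not set in an Out-GridView grid, and only protects the rows the admin selects. Note that ProtectedFromAccidentalDeletion is not a real attribute: the AD cmdlets implement it as explicit Deny ACEs for Everyone on Delete and Delete Subtree, which is why it shows up in ADSI Edit as an ACL change rather than an attribute value.

```powershell
# Added example, not the original post's script.
# Find DNS zone objects that are NOT protected from accidental deletion,
# show them in a grid, and protect the ones the admin picks.
# Assumes: RSAT ActiveDirectory module; a DC hosting the application partitions.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$domainDN     = $rootDse.defaultNamingContext      # e.g. DC=contoso,DC=com
$forestRootDN = $rootDse.rootDomainNamingContext   # forest root domain DN

# The three containers where dnsZone objects can be stored
$zoneRoots = @(
    "CN=MicrosoftDNS,CN=System,$domainDN"                # legacy "domain" partition
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"        # domain-wide application partition
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestRootDN"    # forest-wide application partition
)

function Get-UnprotectedDnsZone {
    param([string[]]$SearchRoots)

    foreach ($root in $SearchRoots) {
        # dnsZone objects sit directly under CN=MicrosoftDNS, so OneLevel is enough.
        # A root that does not exist on this DC is skipped instead of stopping the run.
        $zones = Get-ADObject -SearchBase $root -SearchScope OneLevel `
            -Filter 'objectClass -eq "dnsZone"' `
            -Properties ProtectedFromAccidentalDeletion `
            -ErrorAction SilentlyContinue

        foreach ($zone in $zones) {
            # Flag missing or $false means the zone can be deleted by anyone with Delete rights
            if (-not $zone.ProtectedFromAccidentalDeletion) {
                [pscustomobject]@{
                    Zone      = $zone.Name
                    Partition = $root
                    DN        = $zone.DistinguishedName
                }
            }
        }
    }
}

# Enumerate into a grid; -PassThru hands back whatever the admin highlights
$selected = Get-UnprotectedDnsZone -SearchRoots $zoneRoots |
    Out-GridView -Title 'DNS zones NOT protected from accidental deletion' -PassThru

# Protect the selected zones. -WhatIf keeps this a dry run; remove it once tested in the lab.
foreach ($row in $selected) {
    Set-ADObject -Identity $row.DN -ProtectedFromAccidentalDeletion $true -WhatIf
}
```

Run it first with -WhatIf in place and confirm the grid shows only zones you actually expect to be unprotected; the _msdcs and TrustAnchors zones will typically show up alongside your own. Once a zone is protected, a later attempt to delete it fails with an access-denied error until someone deliberately clears the flag, which is exactly the friction the post is after.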