%3CLINGO-SUB%20id%3D%22lingo-sub-256731%22%20slang%3D%22en-US%22%3EHow%20to%20Save%20the%20DNS%20Cheese.%20Protect%20AD-Integrated%20DNS%20Zones%20from%20Accidental%20Deletions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-256731%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3E%20First%20published%20on%20TechNet%20on%20Nov%2025%2C%202013%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20As%20a%20quick%20follow%20on%20to%20our%20recent%20post%20about%20DNS%20deletion%20auditing%2C%20here's%20an%20ounce%20of%20prevention%26nbsp%3Bfor%20you%20-%20well%20actually%20about%203%20tons%20worth%20-%26nbsp%3Bcourtesy%20of%20Brent%20Whitlow%2C%20Bryan%20Zink%20and%20your%20blogger-de%20jure%2C%20Hilde.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20Our%20co-workers%2C%20peers%20and%20others%20'out%20there'%20have%20covered%20this%20but%20we%20wanted%20to%20get%20our%20own%20'variation%20on%20a%20theme'%20post%20out%20as%20a%20logical%20follow%20up%20(or%20some%20might%20say%20prequel)%20to%20the%20DNS%20auditing%20post.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EHere%20are%20the%20links%20to%20two%20of%20the%20other%20great%20posts%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%3E%20AskDS%20Post%20%E2%80%93%20%3CA%3E%20http%3A%2F%2Fblogs.technet.com%2Fb%2Faskds%2Farchive%2F2013%2F06%2F04%2Ftwo-lines-that-can-save-your-ad-from-a-crisis.aspx%3C%2FA%3E%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%20Eric%20Jansen's%20Post%20-%20%3CA%3E%20http%3A%2F%2Fcbfive.com%2Fblog%2Fprotecting-dns-zones-from-accidental-deletion%2F%3C%2FA%3E%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3E%20Let's%20roll%20%E2%80%A6%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E****%20EDIT%20****%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20As%20with%20any%20changes%2C%20folks%20should%20%3CSTRONG%3E%20%3CSPAN%3E%20always%20%3C%2FSPAN%3E%20%3C%2FSTRONG%3E%20exercise%20caution%20and%20test%20things%26nbsp%3Bout%20in%20a%20lab%20BEFORE%20implementing%20any%20changes%20to%20production.%26nbsp%3B%20I%20normally%26nbsp%3Bcall%20this%20out%20in%20my%20posts%20but%20I%20didn't%20do%20that%20here.%20%3C%2FSPAN%3E%20%3CSPAN%3E%20My%20sincerest%20apologies.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20Additionally%2C%20as%20with%20most%26nbsp%3Bcode%2C%20the%20PowerShell%20code%20found%20here%20should%20be%20considered%20'sample%20code.'%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20****%20END%20EDIT%20*****%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20For%20DNS%20%3CSTRONG%3E%20zones%20in%20the%20legacy%20%22domain%22%20partition%20%3C%2FSTRONG%3E%20%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20You%20can%20use%20the%20AD%20Users%20and%20Computers%20GUI%20to%20expose%20%3CSTRONG%3E%20%3CEM%3E%20one%20of%20the%20best%20checkboxes%20in%20the%20history%20of%20Active%20Directory%20%3C%2FEM%3E%20%3C%2FSTRONG%3E%20%E2%80%A6%20or%2C%20further%20below%2C%20we%20can%20use%20PowerShell%20(of%20course!)%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20467px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51253iD06711F0C313AF51%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20zones%20in%20the%20Domain-wide%20and%20Forest-wide%20Application%20Partitions%20are%20stored%20elsewhere%20within%20AD%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20289px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51254i30143B6BB25CEC3D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ETo%20protect%20those%2C%20we%20use%20PowerShell%20to%20toggle%20the%20'protectedfromaccidentaldeletion'%20attribute%20on%20zone%20objects%20in%20application%20partitions%20since%20they%20aren't%20exposed%20anywhere%20in%20the%20GUI.%20Yet%20%3C%2FSPAN%3E%20%3CSPAN%3E%20J%20%3C%2FSPAN%3E%20(hey%20Product%20Group%2C%20did%20you%20catch%20that%20subtle%20feature%20request%3F)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20%3CSPAN%3E%20%3CSTRONG%3E%20Domain-wide%20application%20partitions%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20Enumerate%20all%20vulnerable%20zones%20into%20a%20nice%20UI%20box%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22DC%3DDomainDnsZones%2CDC%3Ddomain%2CDC%3Dlab%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24False%7D%20%7C%20Select%20name%2Cprotectedfromaccidentaldeletion%20%7C%20out-gridview%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20514px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51255i3B24253BD431E55C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%3CSPAN%3EProtect%20'em%20%3C%2FSPAN%3E%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22DC%3DDomainDnsZones%2CDC%3Ddomain%2CDC%3Dlab%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24False%7D%20%7C%20Set-ADObject%20%E2%80%93ProtectedFromAccidentalDeletion%20%24true%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%3CSPAN%3ECheck%20'em%20%3C%2FSPAN%3E%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3EGet-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22DC%3DDomainDnsZones%2CDC%3Ddomain%2CDC%3Dlab%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24True%7D%20%7C%20Select%20name%2Cprotectedfromaccidentaldeletion%20%7C%20out-gridview%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20510px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51256iFF3511D5C0726019%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%3E%3CSTRONG%3EForest-wide%20application%20partitions%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20Enumerate%20all%20vulnerable%20zones%20into%20a%20nice%20UI%20box%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22DC%3DForestDnsZones%2CDC%3Ddomain%2CDC%3Dlab%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24False%7D%20%7C%20Select%20name%2Cprotectedfromaccidentaldeletion%20%7C%20out-gridview%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20518px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51257i76CFDEFD766C7B35%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%3CSPAN%3EProtect%20'em%20%3C%2FSPAN%3E%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22DC%3DForestDnsZones%2CDC%3Ddomain%2CDC%3Dlab%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24False%7D%20%7C%20Set-ADObject%20%E2%80%93ProtectedFromAccidentalDeletion%20%24true%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%3CSPAN%3ECheck%20'em%20%3C%2FSPAN%3E%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22DC%3DForestDnsZones%2CDC%3Ddomain%2CDC%3Dlab%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24True%7D%20%7C%20Select%20name%2Cprotectedfromaccidentaldeletion%20%7C%20out-gridview%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20514px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51258i0B4A1E705563B41B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%3E%3CSTRONG%3ELegacy%20domain%20partition%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20Enumerate%20all%20vulnerable%20zones%20into%20a%20nice%20UI%20box%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22CN%3DMicrosoftDNS%2CCN%3DSystem%2CDC%3Ddomain%2CDC%3Dlab%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24False%7D%20%7C%20Select%20name%2Cprotectedfromaccidentaldeletion%20%7C%20out-gridview%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20510px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51259iEA94FBAE674AAC13%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%3CSPAN%3EProtect%20'em%20%3C%2FSPAN%3E%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22CN%3DMicrosoftDNS%2CCN%3DSystem%2CDC%3Ddomain%2CDC%3Dlab%20%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24False%7D%20%7C%20Set-ADObject%20%E2%80%93ProtectedFromAccidentalDeletion%20%24true%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%3CSPAN%3ECheck%20'em%20%3C%2FSPAN%3E%20%3C%2FSTRONG%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%20%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Get-ADObject%20-Filter%20'ObjectClass%20-like%20%22dnszone%22'%20-SearchScope%20Subtree%20-SearchBase%20%22CN%3DMicrosoftDNS%2CCN%3DSystem%2CDC%3Ddomain%2CDC%3Dlab%20%22%20-properties%20ProtectedFromAccidentalDeletion%20%7C%20where%20%7B%24_.ProtectedFromAccidentalDeletion%20-eq%20%24True%7D%20%7C%20Select%20name%2Cprotectedfromaccidentaldeletion%20%7C%20out-gridview%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20517px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F51260iEB9C6EF2F4734819%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ENOTE%3A%20Should%20you%20need%20to%20delete%20one%20of%20the%20zones%20in%20the%20future%2C%20simply%20flip%20the%20'ProtectedFromAccidentalDeletion'%20attribute%20for%20the%20target%20zone%20to%20FALSE%20with%20PowerShell%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20black%3B%22%3E%20Set-ADObject%20%22DC%3DDOMAIN_APP_PARTITION.COM%2CDC%3DDomainDnsZones%2CDC%3Ddomain%2CDC%3Dlab%22%20protectedFromAccidentalDeletion%20%24False%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20there%20you%20have%20a%20few%20resources%20to%20help%20you%20%E2%80%A6%20now%20get%20out%20there%20and%20%3CSPAN%3E%20%3CSTRONG%3E%20protect%20the%20cheese!%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-256731%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20TechNet%20on%20Nov%2025%2C%202013%20As%20a%20quick%20follow%20on%20to%20our%20recent%20post%20about%20DNS%20deletion%20auditing%2C%20here's%20an%20ounce%20of%20prevention%26nbsp%3Bfor%20you%20-%20well%20actually%20about%203%20tons%20worth%20-%26nbsp%3Bcourtesy%20of%20Brent%20Whitlow%2C%20Bryan%20Zink%20and%20your%20blogger-de%20jure%2C%20Hilde.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-256731%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EBrentWhitlow%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EBryanZink%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMichael%20Hildebrand%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

First published on TechNet on Nov 25, 2013

As a quick follow on to our recent post about DNS deletion auditing, here's an ounce of prevention for you - well actually about 3 tons worth - courtesy of Brent Whitlow, Bryan Zink and your blogger-de jure, Hilde.

Our co-workers, peers and others 'out there' have covered this but we wanted to get our own 'variation on a theme' post out as a logical follow up (or some might say prequel) to the DNS auditing post.

 

Here are the links to two of the other great posts:

Let's roll …

 

**** EDIT ****

As with any changes, folks should always exercise caution and test things out in a lab BEFORE implementing any changes to production.  I normally call this out in my posts but I didn't do that here. My sincerest apologies.

Additionally, as with most code, the PowerShell code found here should be considered 'sample code.'

**** END EDIT *****

 

For DNS zones in the legacy "domain" partition :

You can use the AD Users and Computers GUI to expose one of the best checkboxes in the history of Active Directory … or, further below, we can use PowerShell (of course!)

 

 

The zones in the Domain-wide and Forest-wide Application Partitions are stored elsewhere within AD:

 

To protect those, we use PowerShell to toggle the 'protectedfromaccidentaldeletion' attribute on zone objects in application partitions since they aren't exposed anywhere in the GUI. Yet J (hey Product Group, did you catch that subtle feature request?)

 

 

Domain-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Forest-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Legacy domain partition

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

NOTE: Should you need to delete one of the zones in the future, simply flip the 'ProtectedFromAccidentalDeletion' attribute for the target zone to FALSE with PowerShell:

Set-ADObject "DC=DOMAIN_APP_PARTITION.COM,DC=DomainDnsZones,DC=domain,DC=lab" protectedFromAccidentalDeletion $False

 

So there you have a few resources to help you … now get out there and protect the cheese!