How to Save the DNS Cheese. Protect AD-Integrated DNS Zones from Accidental Deletions

Published Sep 20 2018 12:43 AM 4,197 Views

First published on TechNet on Nov 25, 2013

As a quick follow on to our recent post about DNS deletion auditing, here's an ounce of prevention for you - well actually about 3 tons worth - courtesy of Brent Whitlow, Bryan Zink and your blogger-de jure, Hilde.

Our co-workers, peers and others 'out there' have covered this but we wanted to get our own 'variation on a theme' post out as a logical follow up (or some might say prequel) to the DNS auditing post.

 

Here are the links to two of the other great posts:

Let's roll …

 

**** EDIT ****

As with any changes, folks should always exercise caution and test things out in a lab BEFORE implementing any changes to production.  I normally call this out in my posts but I didn't do that here. My sincerest apologies.

Additionally, as with most code, the PowerShell code found here should be considered 'sample code.'

**** END EDIT *****

 

For DNS zones in the legacy "domain" partition :

You can use the AD Users and Computers GUI to expose one of the best checkboxes in the history of Active Directory … or, further below, we can use PowerShell (of course!)

 

 

The zones in the Domain-wide and Forest-wide Application Partitions are stored elsewhere within AD:

 

To protect those, we use PowerShell to toggle the 'protectedfromaccidentaldeletion' attribute on zone objects in application partitions since they aren't exposed anywhere in the GUI. Yet J (hey Product Group, did you catch that subtle feature request?)

 

 

Domain-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Forest-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Legacy domain partition

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

NOTE: Should you need to delete one of the zones in the future, simply flip the 'ProtectedFromAccidentalDeletion' attribute for the target zone to FALSE with PowerShell:

Set-ADObject "DC=DOMAIN_APP_PARTITION.COM,DC=DomainDnsZones,DC=domain,DC=lab" protectedFromAccidentalDeletion $False

 

So there you have a few resources to help you … now get out there and protect the cheese!

 

Version history
Last update:
‎Feb 19 2020 08:17 PM
Updated by: