| Author | Messages | |
Marty1_0
Posts:73
 | | 03/01/2006 12:34 PM |
| | Message body was not found. | | | |
| lists1
Posts:4
| | 03/01/2006 1:23 AM |
| Hello Bart,
AFAIK DNS is not designed being queried with a wildcard -
which would open up a attack surface you definitelly don't want. Closest thing
you can do is performing a LS-Command against a DNS-Server (e.g. with nslookup),
however this requires the DNS-Server to allow zone transfers to the machine
where you perform the ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] OT : Query DNS
using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards, but
untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| Marty1_0
Posts:73
| | 03/01/2006 2:44 AM |
| Best regards,
Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Hello Bart,
AFAIK DNS is not designed being queried with a wildcard - which would open up a attack surface you definitelly don't want. Closest thing you can do is performing a LS-Command against a DNS-Server (
e.g. with nslookup), however this requires the DNS-Server to allow zone transfers to the machine where you perform the ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards, but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| AD000001290
Posts:0
| | 03/01/2006 2:53 AM |
| It appears as though you need an object lifecycle
process :)
This has been discussed before - check out the archives.
Does DNS scavenging help you at all, in the short
term?
neil
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: 01 March 2006 14:43To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] OT : Query DNS
using wildcards?
Hello Ulf,
I agree on the point that it would open up an attack surface, but on the
other hand we want to keep our environment clean when a server is at the end of
lifecycle.
In a lot of cases the server is already powered off some week before we
start cleaning the different environments (to be sure there is nothing
forgotten). In case of a cluster, you have several hosts registered into DNS and
IP's for all the resources. We're looking into a way to retrieve that info
without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B.
Simon-Weidner lists@xxxxxxxxxxxxxxxxxx>
wrote:
Hello
Bart,
AFAIK DNS
is not designed being queried with a wildcard - which would open up a attack
surface you definitelly don't want. Closest thing you can do is performing a
LS-Command against a DNS-Server ( e.g. with nslookup), however this requires
the DNS-Server to allow zone transfers to the machine where you perform the
ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
[ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards,
but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
BartPLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies. | | | |
| efleis1
Posts:0
| | 03/01/2006 4:10 AM |
| Can you be more specific? Can
you show us a specific query you wanted to issue that failed?
Seeing a specific search might let us know
a bit better what you are really after.
~Eric
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on
behalf of Bart Van den WyngaertSent: Wed 3/1/2006 6:42
AMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir]
OT : Query DNS using wildcards?
Hello Ulf,
I agree on the point that it would open up an attack surface, but on the
other hand we want to keep our environment clean when a server is at the end of
lifecycle.
In a lot of cases the server is already powered off some week before we
start cleaning the different environments (to be sure there is nothing
forgotten). In case of a cluster, you have several hosts registered into DNS and
IP's for all the resources. We're looking into a way to retrieve that info
without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B.
Simon-Weidner lists@xxxxxxxxxxxxxxxxxx>
wrote:
Hello
Bart,
AFAIK DNS
is not designed being queried with a wildcard - which would open up a attack
surface you definitelly don't want. Closest thing you can do is performing a
LS-Command against a DNS-Server ( e.g. with nslookup), however this requires
the DNS-Server to allow zone transfers to the machine where you perform the
ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
[ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards,
but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| AD000001391
Posts:0
| | 03/01/2006 8:11 AM |
| Hello,
Against what are you trying to perform a query. it's
possible to perform a query against AD by using a csvde
command.
When using these command you are able to use some
wildcards.
Regards,
Daniel
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: Wednesday, March 01, 2006 15:43To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] OT : Query DNS
using wildcards?
Hello Ulf,
I agree on the point that it would open up an attack surface, but on the
other hand we want to keep our environment clean when a server is at the end of
lifecycle.
In a lot of cases the server is already powered off some week before we
start cleaning the different environments (to be sure there is nothing
forgotten). In case of a cluster, you have several hosts registered into DNS and
IP's for all the resources. We're looking into a way to retrieve that info
without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B.
Simon-Weidner lists@xxxxxxxxxxxxxxxxxx>
wrote:
Hello
Bart,
AFAIK DNS
is not designed being queried with a wildcard - which would open up a attack
surface you definitelly don't want. Closest thing you can do is performing a
LS-Command against a DNS-Server ( e.g. with nslookup), however this requires
the DNS-Server to allow zone transfers to the machine where you perform the
ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
[ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards,
but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| lists1
Posts:4
| | 03/01/2006 10:27 AM |
| Very true point - as long as you don't need it to be a
DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in the
container hosting the DNS-Zones (out of my head since none of my test-dcs is
currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the
domain or the application partition).
However keep in mind that those LDAP-Queries are getting
expensive when not querying all of them but specific and the wildcard is in
front - e.g. querying at *.domain.com is heavy on the server, server01.* would
be OK.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog:
http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile="">
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Paessens,
DanielSent: Wednesday, March 01, 2006 9:10 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] OT : Query DNS
using wildcards?
Hello,
Against what are you trying to perform a query. it's
possible to perform a query against AD by using a csvde
command.
When using these command you are able to use some
wildcards.
Regards,
Daniel
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: Wednesday, March 01, 2006 15:43To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] OT : Query DNS
using wildcards?
Hello Ulf,
I agree on the point that it would open up an attack surface, but on the
other hand we want to keep our environment clean when a server is at the end
of lifecycle.
In a lot of cases the server is already powered off some week before we
start cleaning the different environments (to be sure there is nothing
forgotten). In case of a cluster, you have several hosts registered into DNS
and IP's for all the resources. We're looking into a way to retrieve that info
without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B.
Simon-Weidner lists@xxxxxxxxxxxxxxxxxx>
wrote:
Hello
Bart,
AFAIK
DNS is not designed being queried with a wildcard - which would open up a
attack surface you definitelly don't want. Closest thing you can do is
performing a LS-Command against a DNS-Server ( e.g. with nslookup), however
this requires the DNS-Server to allow zone transfers to the machine where
you perform the ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den
WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject:
[ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards,
but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| Marty1_0
Posts:73
| | 03/02/2006 9:45 AM |
| We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description.
Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards...
I'll have a look into the dsquery tool you mentioned, as I'm not familiar with that tool.... I'll get back to you.
Many thanks,
Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Very true point - as long as you don't need it to be a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in the container hosting the DNS-Zones (out of my head since none of my test-dcs is currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition).
However keep in mind that those LDAP-Queries are getting expensive when not querying all of them but specific and the wildcard is in front -
e.g. querying at *.domain.com is heavy on the server, server01.* would be OK.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner
Website:
http://www.windowsserverfaq.org Profile:
http://mvp.support.microsoft.com/profile="">
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Paessens, DanielSent: Wednesday, March 01, 2006 9:10 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] OT : Query DNS using wildcards?
Hello,
Against what are you trying to perform a query. it's possible to perform a query against AD by using a csvde command.
When using these command you are able to use some wildcards.
Regards,
Daniel
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 15:43To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] OT : Query DNS using wildcards?
Hello Ulf,
I agree on the point that it would open up an attack surface, but on the other hand we want to keep our environment clean when a server is at the end of lifecycle.
In a lot of cases the server is already powered off some week before we start cleaning the different environments (to be sure there is nothing forgotten). In case of a cluster, you have several hosts registered into DNS and IP's for all the resources. We're looking into a way to retrieve that info without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Hello Bart,
AFAIK DNS is not designed being queried with a wildcard - which would open up a attack surface you definitelly don't want. Closest thing you can do is performing a LS-Command against a DNS-Server (
e.g. with nslookup), however this requires the DNS-Server to allow zone transfers to the machine where you perform the ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards, but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| amulnick
Posts:138
| | 03/05/2006 2:41 AM |
| If not AD-Integrated, you could just copy the zone files :)
Am I missing something you need to do?
Al
On 3/2/06, Bart Van den Wyngaert wrote:
Well I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of it's lifecycle, we shut it down for some weeks (in case of migration scenario) and then remove all it's registrations.
We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description.
Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards...
I'll have a look into the dsquery tool you mentioned, as I'm not familiar with that tool.... I'll get back to you.
Many thanks,
Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Very true point - as long as you don't need it to be a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in the container hosting the DNS-Zones (out of my head since none of my test-dcs is currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition).
However keep in mind that those LDAP-Queries are getting expensive when not querying all of them but specific and the wildcard is in front -
e.g. querying at *.domain.com is heavy on the server, server01.* would be OK.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner
Website:
http://www.windowsserverfaq.org Profile:
http://mvp.support.microsoft.com/profile="">
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Paessens, DanielSent: Wednesday, March 01, 2006 9:10 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] OT : Query DNS using wildcards?
Hello,
Against what are you trying to perform a query. it's possible to perform a query against AD by using a csvde command.
When using these command you are able to use some wildcards.
Regards,
Daniel
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 15:43To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] OT : Query DNS using wildcards?
Hello Ulf,
I agree on the point that it would open up an attack surface, but on the other hand we want to keep our environment clean when a server is at the end of lifecycle.
In a lot of cases the server is already powered off some week before we start cleaning the different environments (to be sure there is nothing forgotten). In case of a cluster, you have several hosts registered into DNS and IP's for all the resources. We're looking into a way to retrieve that info without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Hello Bart,
AFAIK DNS is not designed being queried with a wildcard - which would open up a attack surface you definitelly don't want. Closest thing you can do is performing a LS-Command against a DNS-Server (
e.g. with nslookup), however this requires the DNS-Server to allow zone transfers to the machine where you perform the ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards, but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| Marty1_0
Posts:73
| | 03/06/2006 11:08 AM |
| As this process is totally manually and there are some with quiet a lot of records pointing to cluster resources, we're looking for a way to query the DNS server to retrieve all records related to that server/cluster and then delete them.
Additionally a lot of servers/clusters are being powered off some week already before we format them and unregister everything in our environment. This is mostly the case for migrations so that the owners are sure they haven't forgotten a little thing ;-) Currently we have to boot the server again to have a script running locally to retrieve IP's and names registered in the DNS. If we should have a workaround, we don't need to this anymore and we just break the array, run a script that looks everything up and removes the registrations.
I'm having already a small idea of a way to perform the check, although not ideal. Extracting the zones to a .txt file which a script can loop through searching for certain strings. Ideal solution would be to look for * records and delete them as they are being found. But as already indicated by other people, this is not available... At least not to our knowledge.
Another possible to solution is to review the DNS infrastructure, like for example aging. But, and it's not my choice, I have nothing to see with that part... Although I'm trying to find out if there is nobody interested in adapting the DNS infra to make my life easier, but that rather working on the political road ;-)
I could understand that it doesn't make a lot of sense, but that's the way of working at this moment. And I have to deal with it and try handle it the best possible way. So in short: looking for a way to retrieve all records like "*string*" in DNS so I can remove them all and keep the DNS tidy...
Best regards,
Bart
On 3/5/06, Al Mulnick wrote:
It sounds like what you really want is to move those records to another server. I don't recall if this is AD integrated or not, and if so, what the scope of those records is set to. However, setting up a second server and using zone transfer to that server (for backup purposes) is one way to get all of the records in the zones into text files. You could also use WMI scripts/programs to cull that information or you could realize that if it is AD integrated that data exists elsewhere and that copying it off is not what you want to do. One other method, which is very much a zone transfer is to use the nslookup ls -d zonename command which puts that information to std i/o. Using dnscmd would be able to gather that information as would a backup (either AD based (see above if that's what you need) or server file based.
If not AD-Integrated, you could just copy the zone files :)
Am I missing something you need to do?
Al
On 3/2/06, Bart Van den Wyngaert wrote:
Well I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the end of it's lifecycle, we shut it down for some weeks (in case of migration scenario) and then remove all it's registrations.
We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (server itself, cluster resources, ...). So it would be like a DNS query... But if there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description.
Also there is a part that is always related to the server, but there are extensions (ex. cluster resources), that's why I started talking about wildcards...
I'll have a look into the dsquery tool you mentioned, as I'm not familiar with that tool.... I'll get back to you.
Many thanks,
Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Very true point - as long as you don't need it to be a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in the container hosting the DNS-Zones (out of my head since none of my test-dcs is currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition).
However keep in mind that those LDAP-Queries are getting expensive when not querying all of them but specific and the wildcard is in front -
e.g. querying at *.domain.com is heavy on the server, server01.* would be OK.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner
Website:
http://www.windowsserverfaq.org Profile:
http://mvp.support.microsoft.com/profile="">
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Paessens, DanielSent: Wednesday, March 01, 2006 9:10 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] OT : Query DNS using wildcards?
Hello,
Against what are you trying to perform a query. it's possible to perform a query against AD by using a csvde command.
When using these command you are able to use some wildcards.
Regards,
Daniel
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 15:43To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] OT : Query DNS using wildcards?
Hello Ulf,
I agree on the point that it would open up an attack surface, but on the other hand we want to keep our environment clean when a server is at the end of lifecycle.
In a lot of cases the server is already powered off some week before we start cleaning the different environments (to be sure there is nothing forgotten). In case of a cluster, you have several hosts registered into DNS and IP's for all the resources. We're looking into a way to retrieve that info without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Hello Bart,
AFAIK DNS is not designed being queried with a wildcard - which would open up a attack surface you definitelly don't want. Closest thing you can do is performing a LS-Command against a DNS-Server (
e.g. with nslookup), however this requires the DNS-Server to allow zone transfers to the machine where you perform the ls-command.
Ulf
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bart Van den WyngaertSent: Wednesday, March 01, 2006 1:34 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] OT : Query DNS using wildcards?
Hi all,
We're looking at this moment for a way to query DNS using wildcards, but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart | | | |
| deji
Posts:140
| | 03/06/2006 11:45 AM |
| >>>Extracting the zones to a .txt file which a script can loop through
searching for certain strings. Ideal solution would be to look for *
records and delete them as they are being found. But as already indicated by
other people, this is not available......
Why not? If it's a standard zone, you could just read the zone file, using
filesystemobject, do a Readline, and if you see in the line,
delete the line.
Or did I misread you?
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bart Van den Wyngaert
Sent: Mon 3/6/2006 3:07 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] OT : Query DNS using wildcards?
Hi Al,
Thanks for your answer. It's not zone transfers I'm looking for, but your
answer nevertheless pointed me towards another road with a lot of thoughts!
We are used to register DNS records manually by script. All other records are
added manually. When a server is at the end of it's life, we clean all it's
registrations. In case of a cluster, including all records for it's cluster
resources.
As this process is totally manually and there are some with quiet a lot of
records pointing to cluster resources, we're looking for a way to query the
DNS server to retrieve all records related to that server/cluster and then
delete them.
Additionally a lot of servers/clusters are being powered off some week
already before we format them and unregister everything in our environment.
This is mostly the case for migrations so that the owners are sure they
haven't forgotten a little thing ;-) Currently we have to boot the server
again to have a script running locally to retrieve IP's and names registered
in the DNS. If we should have a workaround, we don't need to this anymore and
we just break the array, run a script that looks everything up and removes
the registrations.
I'm having already a small idea of a way to perform the check, although not
ideal. Extracting the zones to a .txt file which a script can loop through
searching for certain strings. Ideal solution would be to look for *
records and delete them as they are being found. But as already indicated by
other people, this is not available... At least not to our knowledge.
Another possible to solution is to review the DNS infrastructure, like for
example aging. But, and it's not my choice, I have nothing to see with that
part... Although I'm trying to find out if there is nobody interested in
adapting the DNS infra to make my life easier, but that rather working on the
political road ;-)
I could understand that it doesn't make a lot of sense, but that's the way of
working at this moment. And I have to deal with it and try handle it the best
possible way. So in short: looking for a way to retrieve all records like
"*string*" in DNS so I can remove them all and keep the DNS tidy...
Best regards,
Bart
On 3/5/06, Al Mulnick wrote:
It sounds like what you really want is to move those records to
another server. I don't recall if this is AD integrated or not, and if so,
what the scope of those records is set to. However, setting up a second
server and using zone transfer to that server (for backup purposes) is one
way to get all of the records in the zones into text files. You could also
use WMI scripts/programs to cull that information or you could realize that
if it is AD integrated that data exists elsewhere and that copying it off is
not what you want to do. One other method, which is very much a zone
transfer is to use the nslookup ls -d zonename command which puts that
information to std i/o. Using dnscmd would be able to gather that information
as would a backup (either AD based (see above if that's what you need) or
server file based.
If not AD-Integrated, you could just copy the zone files :)
Am I missing something you need to do?
Al
On 3/2/06, Bart Van den Wyngaert wrote:
Well I kind of need a DNS query. We used to register our DNS
records manually and also remove them. But in case the server is at the end
of it's lifecycle, we shut it down for some weeks (in case of migration
scenario) and then remove all it's registrations.
We're looking into a way that we don't need to power on the
server again, but still are able to remove all DNS registrations (server
itself, cluster resources, ...). So it would be like a DNS query... But if
there is something in AD that we can use as reference... Something like an
LDAP query for AD, but then on DNS seems like the best description.
Also there is a part that is always related to the server,
but there are extensions (ex. cluster resources), that's why I started
talking about wildcards...
I'll have a look into the dsquery tool you mentioned, as I'm
not familiar with that tool.... I'll get back to you.
Many thanks,
Bart
On 3/1/06, Ulf B. Simon-Weidner
wrote:
Very true point - as long as you don't need it to be
a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects in
the container hosting the DNS-Zones (out of my head since none of my test-dcs
is currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the
domain or the application partition).
However keep in mind that those LDAP-Queries are
getting expensive when not querying all of them but specific and the wildcard
is in front - e.g. querying at *.domain.com is heavy on the server,
server01.* would be OK.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of Paessens, Daniel
Sent: Wednesday, March 01, 2006 9:10 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] OT : Query DNS using
wildcards?
Hello,
Against what are you trying to perform a query. it's
possible to perform a query against AD by using a csvde command.
When using these command you are able to use some
wildcards.
Regards,
Daniel
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of Bart Van den
Wyngaert
Sent: Wednesday, March 01, 2006 15:43
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] OT : Query DNS using
wildcards?
Hello Ulf,
I agree on the point that it would open up an attack
surface, but on the other hand we want to keep our environment clean when a
server is at the end of lifecycle.
In a lot of cases the server is already powered off
some week before we start cleaning the different environments (to be sure
there is nothing forgotten). In case of a cluster, you have several hosts
registered into DNS and IP's for all the resources. We're looking into a way
to retrieve that info without the need to power on the server again...
Best regards,
Bart
On 3/1/06, Ulf B. Simon-Weidner
wrote:
Hello Bart,
AFAIK DNS is not designed being queried with
a wildcard - which would open up a attack surface you definitelly don't want.
Closest thing you can do is performing a LS-Command against a DNS-Server (
e.g. with nslookup), however this requires the DNS-Server to allow zone
transfers to the machine where you perform the ls-command.
Ulf
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of Bart Van den
Wyngaert
Sent: Wednesday, March 01, 2006 1:34 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] OT : Query DNS using
wildcards?
Hi all,
We're looking at this moment for a way to
query DNS using wildcards, but untill now, no luck!
Does anybody knows a way to do this?
Thanks,
Bart
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| Marty1_0
Posts:73
| | 03/07/2006 10:06 AM |
| | Message body was not found. | | | |
| amulnick
Posts:138
| | 03/08/2006 3:40 AM |
| Hi Dèjì,
This is such moment when a person says to himself (or herself ofcourse) "Why didn't I think about that?!".
Yes that is a solution! Hope they only are willing to accept it...
Many thanks!
Bart
On 3/7/06, deji@xxxxxxxxxxxxxx wrote:
>>>Extracting the zones to a .txt file which a script can loop throughsearching for certain strings. Ideal solution would be to look for *
records and delete them as they are being found. But as already indicated byother people, this is not available......Why not? If it's a standard zone, you could just read the zone file, usingfilesystemobject, do a Readline, and if you see in the line,
delete the line.Or did I misread you?Sincerely,Dèjì Akómöláfé, MCSE+M MCSA+M MCTMicrosoft MVP - Directory Services
www.readymaids.com - we know IT www.akomolafe.comDo you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon________________________________From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
on behalf of Bart Van den WyngaertSent: Mon 3/6/2006 3:07 PMTo: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] OT : Query DNS using wildcards? Hi Al,Thanks for your answer. It's not zone transfers I'm looking for, but youranswer nevertheless pointed me towards another road with a lot of thoughts!
We are used to register DNS records manually by script. All other records are added manually. When a server is at the end of it's life, we clean all it'sregistrations. In case of a cluster, including all records for it's cluster
resources.As this process is totally manually and there are some with quiet a lot of records pointing to cluster resources, we're looking for a way to query theDNS server to retrieve all records related to that server/cluster and then
delete them.Additionally a lot of servers/clusters are being powered off some week already before we format them and unregister everything in our environment.This is mostly the case for migrations so that the owners are sure they
haven't forgotten a little thing ;-) Currently we have to boot the server again to have a script running locally to retrieve IP's and names registeredin the DNS. If we should have a workaround, we don't need to this anymore and
we just break the array, run a script that looks everything up and removes the registrations.I'm having already a small idea of a way to perform the check, although notideal. Extracting the zones to a .txt file which a script can loop through
searching for certain strings. Ideal solution would be to look for * records and delete them as they are being found. But as already indicated byother people, this is not available... At least not to our knowledge.
Another possible to solution is to review the DNS infrastructure, like for example aging. But, and it's not my choice, I have nothing to see with thatpart... Although I'm trying to find out if there is nobody interested in
adapting the DNS infra to make my life easier, but that rather working on the political road ;-)I could understand that it doesn't make a lot of sense, but that's the way ofworking at this moment. And I have to deal with it and try handle it the best
possible way. So in short: looking for a way to retrieve all records like "*string*" in DNS so I can remove them all and keep the DNS tidy...Best regards,BartOn 3/5/06, Al Mulnick wrote: It sounds like what you really want is to move those records to
another server. I don't recall if this is AD integrated or not, and if so,what the scope of those records is set to. However, setting up a second server and using zone transfer to that server (for backup purposes) is one
way to get all of the records in the zones into text files. You could alsouse WMI scripts/programs to cull that information or you could realize that if it is AD integrated that data exists elsewhere and that copying it off is
not what you want to do. One other method, which is very much a zonetransfer is to use the nslookup ls -d zonename command which puts that information to std i/o. Using dnscmd would be able to gather that information
as would a backup (either AD based (see above if that's what you need) orserver file based. If not AD-Integrated, you could just copy the zone files :) Am I missing something you need to do?
Al On 3/2/06, Bart Van den Wyngaert wrote:
Well I kind of need a DNS query. We used to register our DNS records manually and also remove them. But in case the server is at the endof it's lifecycle, we shut it down for some weeks (in case of migration
scenario) and then remove all it's registrations. We're looking into a way that we don't need to power on the server again, but still are able to remove all DNS registrations (serveritself, cluster resources, ...). So it would be like a DNS query... But if
there is something in AD that we can use as reference... Something like an LDAP query for AD, but then on DNS seems like the best description. Also there is a part that is always related to the server,
but there are extensions (ex. cluster resources), that's why I started talking about wildcards... I'll have a look into the dsquery tool you mentioned, as I'mnot familiar with that tool.... I'll get back to you.
Many thanks, Bart On 3/1/06, Ulf B. Simon-Weidner wrote: Very true point - as long as you don't need it to be a DNS-Query you can use dsquery or admod to query for the dnsNode-Objects inthe container hosting the DNS-Zones (out of my head since none of my test-dcs
is currenty running: cn=MicrosoftDNS,cn=system,dc=xxx where xxx is either the domain or the application partition). However keep in mind that those LDAP-Queries aregetting expensive when not querying all of them but specific and the wildcard
is in front - e.g . querying at *.domain.com is heavy on the server,server01.* would be OK. Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner
Website:
http://www.windowsserverfaq.org Profile:
http://mvp.support.microsoft.com/profile=""
________________________________ From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx[mailto: ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of Paessens, Daniel Sent: Wednesday, March 01, 2006 9:10 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] OT : Query DNS using
wildcards? Hello, Against what are you trying to perform a query. it'spossible to perform a query against AD by using a csvde command. When using these command you are able to use some
wildcards. Regards, Daniel________________________________ From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of Bart Van den Wyngaert Sent: Wednesday, March 01, 2006 15:43
To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: Re: [ActiveDir] OT : Query DNS using
wildcards? Hello Ulf, I agree on the point that it would open up an attacksurface, but on the other hand we want to keep our environment clean when a
server is at the end of lifecycle. In a lot of cases the server is already powered offsome week before we start cleaning the different environments (to be surethere is nothing forgotten). In case of a cluster, you have several hosts
registered into DNS and IP's for all the resources. We're looking into a wayto retrieve that info without the need to power on the server again... Best regards, Bart
On 3/1/06, Ulf B. Simon-Weidner wrote:
Hello Bart, AFAIK DNS is not designed being queried with a wildcard - which would open up a attack surface you definitelly don't want.Closest thing you can do is performing a LS-Command against a DNS-Server (
e.g. with nslookup), however this requires the DNS-Server to allow zone transfers to the machine where you perform the ls-command. Ulf________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx[mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of Bart Van den
Wyngaert Sent: Wednesday, March 01, 2006 1:34 PM To:
ActiveDir@xxxxxxxxxxxxxxxxxx Subject: [ActiveDir] OT : Query DNS usingwildcards? Hi all, We're looking at this moment for a way to
query DNS using wildcards, but untill now, no luck! Does anybody knows a way to do this? Thanks, Bart
List info : http://www.activedir.org/List.aspxList FAQ :
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
|
|