DNS Health Check


DnsHealthCheck.vbs

Description: Identifies potential problem entries in Microsoft DNS
Version: 1.0
Last Mod: December 2010
Client: NA
Language: VBScript
Finish Level: Smooth

Description

Reads DNS server information and compares forward lookup (Host/A) record entries with reverse lookup (PTR) entries. The entries in each zone are analyzed for missing, duplicate or "crossed" references.

Default behavior uses the DNS server configured for the computer running the script and analyzes all forward lookup zones. Several command line arguments customize behavior.
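The forward/reverse comparison described above can be sketched as follows. This is an added example in Python, not the DnsHealthCheck.vbs source; the record lists are constructed sample data, and the function name, finding names and the reading of "crossed" (a PTR exists for the address but names a different host) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from a real zone).
A_RECORDS = [            # (hostname, IPv4 address)
    ("ws01.corp.example", "10.0.0.11"),
    ("ws02.corp.example", "10.0.0.12"),
    ("ws03.corp.example", "10.0.0.12"),      # second host on the same address
    ("ws04.corp.example", "10.0.0.14"),
    ("ws05.corp.example", "10.0.0.15"),      # no PTR at all
]
PTR_RECORDS = [          # (IPv4 address, hostname the PTR points to)
    ("10.0.0.11", "ws01.corp.example"),
    ("10.0.0.12", "ws02.corp.example"),
    ("10.0.0.14", "old-ws09.corp.example"),  # PTR names a different host
    ("10.0.0.99", "gone.corp.example"),      # PTR with no matching A record
]

def check_zone(a_records, ptr_records):
    """Return {finding type: sorted findings} for one forward/reverse pair."""
    norm = lambda name: name.rstrip(".").lower()   # DNS names are case-insensitive
    hosts_by_ip = defaultdict(set)
    for host, ip in a_records:
        hosts_by_ip[ip].add(norm(host))
    ptrs_by_ip = defaultdict(set)
    for ip, host in ptr_records:
        ptrs_by_ip[ip].add(norm(host))

    findings = defaultdict(list)
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:                         # several A records share one address
            findings["duplicate_a"].append((ip, tuple(sorted(hosts))))
        ptrs = ptrs_by_ip.get(ip, set())
        for host in sorted(hosts):
            if not ptrs:                           # forward entry without reverse entry
                findings["missing_ptr"].append((host, ip))
            elif host not in ptrs:                 # reverse entry names another host
                findings["crossed"].append((host, ip, tuple(sorted(ptrs))))
    for ip, ptrs in ptrs_by_ip.items():
        if len(ptrs) > 1:                          # several PTRs for one address
            findings["duplicate_ptr"].append((ip, tuple(sorted(ptrs))))
        if ip not in hosts_by_ip:                  # reverse entry without forward entry
            findings["missing_a"].append((ip, tuple(sorted(ptrs))))
    return {kind: sorted(items) for kind, items in findings.items()}

if __name__ == "__main__":
    for kind, items in check_zone(A_RECORDS, PTR_RECORDS).items():
        print(kind, items)
```

Crossed and orphaned PTR entries matter beyond housekeeping: anything that resolves an address back to a name, such as log enrichment or incident triage, will attribute activity to the wrong host until the records are cleaned up.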

Configuration

The following items are configurable via command line arguments:

  • DNS server used
  • Forward lookup zone(s) analyzed
  • Age limit for declaring stale records
  • Log file name and location

The following on-screen help is displayed when the script is run with the ? switch.

      Usage:

      DnsHealthCheck [/Server:ServerName]
                     [/Zone:ZoneList]
                     [/Stale:n]
                     [/LogPath:Folder]
                     [/LogFile:Filename]
                     [?]

      All arguments optional

      /Server: - Specify DNS Server used.
                 Default, DNS Server configured for local host.

      /ZoneList: - Specify comma-separated list of forward zones to analyze.
                   Default, all zones on selected DNS Server.

      /Stale: - Specify age limit, in days, to evaluate record aging.
                Default, 14

      /LogPath: - Specify folder for log.
                  Default, Current directory

      /LogFile: - Specify file base name.
                  Default, DnsInfo

      Note: Arguments include colon (:) and are followed immediately
      by value without intervening space.
      If value includes spaces, enclose in quotes.

Forward/Reverse lookup zone data elements should be the same on all Microsoft DNS servers in the environment. As a best practice, aging/scavenging activities are active on only one, or very few, servers. Server and Zone properties listed show these parameters.

Stale records are records that were created dynamically, by DHCP, and have not been updated within the period, in days, specified by this parameter. The default, thirty (30) days, is very conservative. The best value to use depends on the lease length configured for the DHCP scopes. By default, clients renew/update their records at 50% of the lease period. If that attempt fails, another attempt is made at 87.5% of the lease period. An aggressive setting for the stale record threshold would be the shortest DHCP lease period in use.

The log file contains the same information echoed to the console and is located in the current folder, by default. The file name uses a base name, DnsInfo by default, and includes a date/time component.

Execution

The script can be run from any workstation/server. The default behavior is to use the first DNS server configured for the first network adapter with DNS server configuration information. This is overridden with the /Server: command line argument.

Access to the server is Read Only, via remote WMI. Therefore, the target server must have WMI enabled and the user running the script must have permission to access the server via WMI. Access and permissions are tested by the script and reported if there is a problem.

The executable version, DnsHealthCheck.exe, is the same as the VBS script, but forces the script to run in console, CScript, mode. If running the VBS script, please invoke it with the CScript.exe engine, either by changing the default script engine or on the command line as:

      CScript DnsHealthCheck.vbs

Documentation

Most errors reported stem from not configuring aging/scavenging, the installed default. TechNet has a lot of articles on configuring scavenging. Here is a good blog entry discussing the issue. (active as of 12/2010)

TechNet blog entry about configuring scavenging
