    New Script: Update Active Directory DNS Reverse Lookup Zones from Sites and Services Subnets (Update-ReverseZonesFromSubnets.ps1)

    April 20, 2020

    Active Directory, DNS, PowerShell

    While Active Directory (AD) does not need DNS Reverse Lookup Zones, most Citrix and VMware products do. If you are visiting my website, you probably use Citrix and VMware products. If you have heard or read any of my AD conference or CUGC presentations, you know how important AD Sites and Services Subnets and DNS Reverse Lookup Zones are to Citrix and VMware.

    This script was written specifically for a customer to help them keep their DNS Reverse Lookup Zones in sync with their Subnets. The customer’s CIO said that since the script was useful to them it would be useful to the community, and wanted it made available.

    If you would like to thank this CIO for the generous gift, send an email to Webster at carlwebster dot com, and I will gather up the responses and send them to the CIO.

    I also want to thank all the testers. My always detailed and thorough tester David M., fellow CTP Trond Eirik Haavarstein (aka Mr. XenAppBlog), the testers from the IGEL Slack Community, and the World of EUC Slack Community.

    What does this script do?

    1. Get all the Subnets defined in Sites and Services
    2. Sort the Subnets
    3. Change the Subnet to a format that resembles a DNS Reverse Lookup Zone
    4. See if a matching Reverse Lookup Zone exists
    5. If the reverse zone does exist, there is nothing to do
    6. If the reverse zone doesn’t exist, depending on whether -WhatIf or -Confirm is used, create the Reverse Lookup Zone
    7. Log everything done
    8. Create a text file of all actions
    9. Optionally, email the text file

    The first problem encountered was the difference in how Subnets and Reverse Lookup Zones are stored.

    Let’s look at Subnets for 10.0.0.0/8, 172.16.0.0/16, 192.168.168.0/24, and 192.168.168.168/32, as shown in Figure 1.

    Figure 1

    Subnets are stored as a.b.c.d/nn, while a reverse zone is stored as the network octets in reverse order under in-addr.arpa, for example c.b.a.in-addr.arpa for a /24.

    Building the candidate zone name is a simple matter of splitting the Subnet on both "." and "/" into an array and choosing how many octets to keep from the prefix length:

    # Split "a.b.c.d/nn" on both "." and "/" -> a, b, c, d, nn; the prefix length is the last element
    $SubnetArray = $Subnet.split("./")
    $SubnetMask = [int]$SubnetArray[($SubnetArray.count-1)]
    
    # Keep one octet per 8 bits of prefix, written in reverse order under in-addr.arpa
    If($SubnetMask -le 8)
    {
        $RevZone = "$($SubnetArray[0]).in-addr.arpa"
    }
    ElseIf($SubnetMask -le 16)
    {
        $RevZone = "$($SubnetArray[1]).$($SubnetArray[0]).in-addr.arpa"
    }
    ElseIf($SubnetMask -le 24)
    {
        $RevZone = "$($SubnetArray[2]).$($SubnetArray[1]).$($SubnetArray[0]).in-addr.arpa"
    }
    Else
    {
        # All four octets, e.g. 192.168.168.168/32 -> 168.168.168.192.in-addr.arpa
        $RevZone = "$($SubnetArray[3]).$($SubnetArray[2]).$($SubnetArray[1]).$($SubnetArray[0]).in-addr.arpa"
    }
    

    Creating a reverse lookup zone uses the other format. The DnsServer module’s Add-DnsServerPrimaryZone creates a reverse zone from the Subnet (-NetworkId “192.168.1.0/24”) and derives the zone name itself, but Get-DnsServerZone retrieves that zone by its name, “1.168.192.in-addr.arpa”. So the script has to carry both forms: the zone name to check for existence, and the subnet to create it.
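    The full loop from steps 1 through 6 above, as an added PowerShell example and not the post’s script: it reads the Subnets with the ActiveDirectory module, derives the octet-aligned reverse zone for each, checks for it by name with Get-DnsServerZone and creates the missing ones with Add-DnsServerPrimaryZone, which takes the subnet form. It assumes AD-integrated zones replicated domain-wide and a DNS server reachable by name; the function names Get-ReverseZoneTarget and Sync-ReverseZones, the log path and the -DynamicUpdate Secure setting are this example’s choices. Where a Subnet prefix is not on an octet boundary the example rounds down to the aligned zone that contains the whole subnet (a /25 lands in its /24 zone, where the PTR records for those addresses live), whereas the snippet above rounds up to the next boundary; for /8, /16, /24 and /32 both give the same zone.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example (not the script from the post). Names and defaults below are assumptions.

function Get-ReverseZoneTarget {
    # a.b.c.d/nn -> the octet-aligned in-addr.arpa zone that contains the subnet,
    # plus the NetworkId string that Add-DnsServerPrimaryZone needs to create it.
    param([Parameter(Mandatory)][string]$Subnet)
    $octets, $prefix = $Subnet.Split('/')
    $o = $octets.Split('.')
    # Octets to keep: /8..15 -> 1, /16..23 -> 2, /24..31 -> 3, /32 -> 4 (a prefix shorter
    # than /8 is still mapped to its first /8 zone; one zone cannot cover more than that)
    $n = [int][math]::Max(1, [math]::Floor([int]$prefix / 8))
    $keep = @($o[0..($n - 1)])
    # Network form for Add-DnsServerPrimaryZone: kept octets, zero-padded to four, aligned prefix
    $net = (@($keep) + @('0', '0', '0', '0'))[0..3] -join '.'
    # Zone-name form for Get-DnsServerZone: kept octets reversed under in-addr.arpa
    [array]::Reverse($keep)
    [pscustomobject]@{
        Subnet    = $Subnet
        ZoneName  = ($keep -join '.') + '.in-addr.arpa'
        NetworkId = "$net/$($n * 8)"
    }
}

function Sync-ReverseZones {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hypothetical defaults: the PDC emulator as the DNS server, a log file in %TEMP%
        [string]$DnsServer = (Get-ADDomain).PDCEmulator,
        [string]$LogPath   = "$env:TEMP\Update-ReverseZones.log"
    )
    # Steps 1 and 2: every Subnet defined in Sites and Services, sorted
    $subnets = Get-ADReplicationSubnet -Filter * | Select-Object -ExpandProperty Name | Sort-Object
    $log = foreach ($subnet in $subnets) {
        # Only IPv4 subnets map to in-addr.arpa; IPv6 (ip6.arpa) is out of scope here
        if ($subnet -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { "SKIP    $subnet (not an IPv4 subnet)"; continue }
        # Step 3: subnet -> zone name and network id
        $t = Get-ReverseZoneTarget -Subnet $subnet
        # Steps 4 and 5: look the zone up by name; nothing to do if it exists
        if (Get-DnsServerZone -Name $t.ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue) {
            "EXISTS  $subnet -> $($t.ZoneName)"; continue
        }
        # Step 6: honour -WhatIf / -Confirm, then create it from the subnet form.
        # ReplicationScope Domain = AD-integrated; DynamicUpdate Secure = only domain
        # members can register PTR records, so nothing unauthenticated can write to the zone.
        if ($PSCmdlet.ShouldProcess($DnsServer, "Create reverse zone $($t.ZoneName) from $($t.NetworkId)")) {
            Add-DnsServerPrimaryZone -NetworkId $t.NetworkId -ReplicationScope Domain -DynamicUpdate Secure -ComputerName $DnsServer
            "CREATED $subnet -> $($t.ZoneName)"
        } else {
            "WHATIF  $subnet -> $($t.ZoneName) would be created"
        }
    }
    # Steps 7 and 8: show the actions and write them to the text file
    $log | Tee-Object -FilePath $LogPath
}

# Usage: preview first, then run with confirmation prompts, then unattended
# Sync-ReverseZones -WhatIf
# Sync-ReverseZones -Confirm
# Sync-ReverseZones
```

    Because the created zone is built from the same aligned NetworkId that the name check uses, a second run finds every zone it created on the first run and reports nothing to do, which is the rerun behaviour the post shows in Figures 6 and 7.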

    To show you what the script does, I deleted the Reverse Lookup Zones I created to get the screenshot for Figure 1.

    Figure 2 shows my DNS before the script runs.

    Figure 2

    Figure 3 shows the script in action.

    Figure 3

    Figure 4 shows DNS after the script ran.

    Figure 4

    Note: You cannot create a /32 Reverse Lookup Zone in the DNS console, but I did with PowerShell.

    Figure 5 shows the contents of the text file generated by the script.

    Figure 5

    What happens if the script is rerun now that all the Subnets have DNS Reverse Lookup Zones? Figures 6 and 7 show what happens.

    Figure 6
    Figure 7

    The script supports -WhatIf and -Confirm as shown in Figures 8 through 13.

    Figure 8
    Figure 9
    Figure 10
    Figure 11
    Figure 12
    Figure 13

    The main customer request for this script was to run it as a scheduled task and email the text file without saving the email credentials.

    This requires sending unauthenticated email through an SMTP relay server, so no mailbox password is stored on the scheduled task host. This turned out to be simple to implement. I found the solution on ServerFault.

    The solution was only three lines of PowerShell: build a PSCredential whose user name and password are both the literal string “anonymous” and hand it to the SMTP session in place of real credentials.

    
    # Build a PSCredential whose user name and password are both the literal "anonymous".
    # The relay treats this as an unauthenticated session, so no real credential is stored.
    $anonUsername = "anonymous"
    $anonPassword = ConvertTo-SecureString -String "anonymous" -AsPlainText -Force
    $anonCredentials = New-Object System.Management.Automation.PSCredential($anonUsername,$anonPassword)
    
    

    For on-premises Exchange, all the script requires for unauthenticated email is that the From address use the account name “anonymous”, i.e. anonymous@emaildomain.tld. The relay only accepts this because its receive connector permits anonymous relay from the sending host, so scope that connector to the scheduled task host’s IP address rather than leaving it open to the whole network.
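    How the anonymous credential is wired into the send, as an added example and not the post’s SendEmail function. The function name Send-AnonymousRelayMail, the host names and the log path are assumptions; the relay is assumed to allow anonymous relay from this host. The From check enforces the “anonymous” local part the help text requires, and -UseSsl is passed through to Send-MailMessage, where it means STARTTLS on the given port, not implicit TLS on 465.

```powershell
# Added example, not the post's SendEmail function. Host names are hypothetical.
function Send-AnonymousRelayMail {
    param(
        [Parameter(Mandatory)][string]$SmtpServer,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string[]]$To,
        [Parameter(Mandatory)][string]$Subject,
        [string]$Body = '',
        [string[]]$Attachments,
        [int]$Port = 25,
        [switch]$UseSsl
    )
    # An unauthenticated relay only accepts the literal user name "anonymous", and the
    # From address must use the same local part (-ne is case-insensitive, so Anonymous@ is fine)
    if (($From -split '@')[0] -ne 'anonymous') {
        throw "From must be anonymous@<domain> for unauthenticated relay, got '$From'"
    }
    # Same three lines as the post: a throw-away credential, nothing real on disk
    $anonPassword    = ConvertTo-SecureString -String 'anonymous' -AsPlainText -Force
    $anonCredentials = New-Object System.Management.Automation.PSCredential('anonymous', $anonPassword)

    $params = @{
        SmtpServer = $SmtpServer
        Port       = $Port
        From       = $From
        To         = $To
        Subject    = $Subject
        Body       = $Body
        Credential = $anonCredentials
    }
    if ($Attachments) { $params.Attachments = $Attachments }
    # -UseSsl on Send-MailMessage negotiates STARTTLS on $Port; it does not switch to port 465
    if ($UseSsl)      { $params.UseSsl = $true }
    Send-MailMessage @params
}

# Usage: mail the action log produced by the sync run (hypothetical names)
# Send-AnonymousRelayMail -SmtpServer mailrelay.domain.tld -From anonymous@domain.tld `
#     -To ITGroup@domain.tld -Subject 'Reverse zone sync' -Attachments "$env:TEMP\Update-ReverseZones.log"
```

    PowerShell 7 warns that Send-MailMessage is obsolete because it cannot guarantee a secure connection; it still works for an internal relay on port 25, which is exactly the case the post describes.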

    The script’s help text shows two examples.

    
    .EXAMPLE
    PS C:\PSScript > .\Update-ReverseZonesFromSubnets.ps1
    -SmtpServer mailrelay.domain.tld
    -From Anonymous@domain.tld
    -To ITGroup@domain.tld
    
    ***SENDING UNAUTHENTICATED EMAIL***
    
    The script will use the email server mailrelay.domain.tld, sending from
    anonymous@domain.tld, sending to ITGroup@domain.tld.
    
    To send unauthenticated email using an email relay server requires the From email account
    to use the name Anonymous.
    
    The script will use the default SMTP port 25 and will not use SSL.
    
    ***GMAIL/G SUITE SMTP RELAY***
    https://support.google.com/a/answer/2956491?hl=en
    https://support.google.com/a/answer/176600?hl=en
    
    To send email using a Gmail or g-suite account, you may have to turn ON
    the "Less secure app access" option on your account.
    ***GMAIL/G SUITE SMTP RELAY***
    
    The script will build a credential whose user name and password are both the literal
    string "anonymous" for the anonymous@domain.tld account; no real password is stored.
    
    .EXAMPLE
    PS C:\PSScript > .\Update-ReverseZonesFromSubnets.ps1
    -SmtpServer labaddomain-com.mail.protection.outlook.com
    -UseSSL
    -From SomeEmailAddress@labaddomain.com
    -To ITGroupDL@labaddomain.com
    
    ***OFFICE 365 Example***
    
    https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3
    
    This uses Option 2 from the above link.
    
    ***OFFICE 365 Example***
    
    The script will use the email server labaddomain-com.mail.protection.outlook.com, sending from
    SomeEmailAddress@labaddomain.com, sending to ITGroupDL@labaddomain.com.
    
    The script will use the default SMTP port 25 and will use SSL.
    
    

    I tested this on the customer’s network and it worked the first time.

    I have not tested the GMAIL/G Suite or Office 365 relay examples.

    Adding the on-premises anonymous email capability required a change to a core script function (Function SendEmail), which means I will update every script using this function as soon as I can.

    I want to again thank the customer for allowing me to give this script to the community and to all the testers.

    If you find any issues with the script or any enhancement requests, send me an email.

    I am creating the mirror image of this script to process reverse lookup zones and report (not create) on any missing subnets in Sites and Services.

    You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

    Thanks

    Webster

    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.


    2 Responses to “New Script: Update Active Directory DNS Reverse Lookup Zones from Sites and Services Subnets (Update-ReverseZonesFromSubnets.ps1)”

    1. Matthew Watford Says:

      Carl, can this be modified to look at DHCP instead of Sites and Services? Thanks.


      • Carl Webster Says:

        What does DHCP have to do with DNS Reverse Lookup Zones?

        This script was created based on my recommendations for conducting hundreds of AD audits and remediations. Having DNS reverse lookup Zones is important for most SBC and VDI products. Not everyone uses Microsoft DHCP, but everyone using AD uses AD Sites and Services. Of course, this script is useless if you are using something other than Microsoft DNS.

        Thanks

        Webster

