How to Save the DNS Cheese. Protect AD-Integrated DNS Zones from Accidental Deletions

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

As a quick follow on to our recent post about DNS deletion auditing, here's an ounce of prevention for you – well actually about 3 tons worth – courtesy of Brent Whitlow, Bryan Zink and your blogger-de jure, Hilde.

Our co-workers, peers and others 'out there' have covered this but we wanted to get our own 'variation on a theme' post out as a logical follow up (or some might say prequel) to the DNS auditing post.

Here are the links to two of the other great posts:

Let's roll …

**** EDIT ****

As with any changes, folks should always exercise caution and test things out in a lab BEFORE implementing any changes to production.  I normally call this out in my posts but I didn't do that here.  My sincerest apologies. 

Additionally, as with most code, the PowerShell code found here should be considered 'sample code.'

**** END EDIT ***** 

For DNS zones in the legacy "domain" partition:

You can use the AD Users and Computers GUI to expose one of the best checkboxes in the history of Active Directory… or, further below, we can use PowerShell (of course!)

 

 

The zones in the Domain-wide and Forest-wide Application Partitions are stored elsewhere within AD:

To protect those, we use PowerShell to toggle the 'protectedfromaccidentaldeletion' attribute on zone objects in application partitions since they aren't exposed anywhere in the GUI. Yet J (hey Product Group, did you catch that subtle feature request?)

 

Domain-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

 

Forest-wide application partitions

Enumerate all vulnerable zones into a nice UI box:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

 

Legacy domain partition

Enumerate all vulnerable zones into a nice UI box:

 Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview

 

Protect 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

 

Check 'em

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab " -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $True} | Select name,protectedfromaccidentaldeletion | out-gridview

 

 

NOTE: Should you need to delete one of the zones in the future, simply flip the 'ProtectedFromAccidentalDeletion' attribute for the target zone to FALSE with PowerShell:

Set-ADObject "DC=DOMAIN_APP_PARTITION.COM,DC=DomainDnsZones,DC=domain,DC=lab" protectedFromAccidentalDeletion $False

So there you have a few resources to help you … now get out there and protect the cheese!