4 Replies Latest reply on Aug 24, 2010 9:56 PM by Daniel Goetzman

    windows DNS compliancy troubles

    Alessandro Iacopetti

      I'm currently trying to write some compliance rules to check my Windows DNS client configuration as:

      1) check that the server has 2 specific DNS

      2) check that the server has at least 2 DNS (doesn't matter what they are)

      3) check that the server has at least 1 DNS (regardless of value)


      DNS settings are buried in the registry under a semi-random key, so I can't just put that key in the part section

      so I wrote an extended object that executes a


      netsh interface ip show dns


      which shows the DNS IPs buried in some badly formatted text garbage

      I'm parsing it with the generic grammar


      so far rule 1 is the only one working


      Extended Object Entry dns//* Must Not Exist OR ((Name contains "10.xx.xx.xx") OR (Name contains "10.yy.yy.yy") OR (Name does not match ..[0-9].))


      which means that the output lines of the show dns command should be either the first IP or the second IP, or they should not contain any other IP


      but I can't find a way to write the other 2 rules

        • 2. Re: windows DNS compliancy troubles
          Daniel Goetzman

          I find myself in the need of a Windows DNS Client Configuration Compliance Job complete with Remediation...

          My exploration of this topic (a Unix type myself, I admit) has found the same issues:


          1. DNS Server values are in the registry under this device ID hash that is not a static path to the values needed in the registry. Ugh!
          2. "netsh interface ip show config" will display the data, but not in a format fit for a grammar file! (I could maybe scrape the data as it is returned using NSH commands to filter the output for an EO?)
          3. Finally, Compliance is one thing, a BlPackage to remediate is another. netsh again, but how to target the interface that needs to have its values reset, as it will vary depending on the target server. Can the NIC name detected during Compliance be passed to the BlPackage used to remediate?


          Also, the link to the old forums is no longer valid, so if the link in the previous posting had a solution, I would like to obtain that wisdom!


          Help! This was SO easy to do on the Unix/Linux systems with a Compliance Job!


          • 3. Re: windows DNS compliancy troubles

            You could use windows shell scripting. A combination of WMI/WSH. I did this for a customer a long time ago.

            • 4. Re: windows DNS compliancy troubles
              Daniel Goetzman

              Just wanted to follow up on this thread...


              First, using wmic is the way to go for automating Windows servers with BladeLogic, in my opinion. I found in other postings here on this forum why I was not able to get wmic to return data and not hang when used as the command for Extended Objects. Working example:


                  cmd /c "echo QUIT | wmic nicconfig where IPEnabled=TRUE get description, ipaddress, dnsdomain /format:csv"


              The key points being:


              1) The "echo QUIT |" before the wmic command, which allows wmic to exit and return data instead of hanging. AND...

              2) Using "/format:csv" to output the data in a format that we can parse in BladeLogic using the csv grammar file!


              Works great! And by using the "where" clause, "wmic nicconfig" figures out which interfaces are enabled for IP and only returns data for those interfaces. I don't have to deal with the Device IDs in the registry!


              Remediation is simple: use "wmic nicconfig" in the BlPackage and again, only the interfaces that match the "where" criteria will be modified:


                  wmic nicconfig where (IPEnabled=TRUE and DHCPEnabled=FALSE) call dnsserversearchorder={"#.#.#.#","#.#.#.#"}


              and in this example only the interfaces that are IP enabled and not using DHCP will have the DNS servers set in the search list!


              The only limitation that I found using wmic is that not all Windows servers have wmic installed and working. Mostly Windows 2000 servers that do not have .net installed. Windows 2003 and beyond seem to have .net and wmic installed by default.


              This basic technique can be used to query and set any of the other values available under "wmic nicconfig".
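The three checks from the original question, evaluated against the "/format:csv" output of "wmic nicconfig" that the last reply recommends, as an added example that is not part of the thread or of BladeLogic itself. The csv text, the host name SRV01, the adapter names and the two approved resolver addresses are all constructed placeholders; the wmic array rendering ({"a";"b"}) is assumed from wmic's csv formatter.

```python
import csv
import io
import re

# Constructed sample of what
#   wmic nicconfig where IPEnabled=TRUE get description, dnsserversearchorder /format:csv
# returns: wmic prefixes a Node column and renders array values as {"a";"b"} (assumed).
SAMPLE_WMIC_CSV = """
Node,Description,DNSServerSearchOrder
SRV01,Intel(R) PRO/1000 MT,{"10.1.1.10";"10.1.1.11"}
SRV01,Microsoft Loopback Adapter,{"10.1.1.10"}
SRV01,Broadcom NetXtreme,
"""

# Placeholder for the two approved resolvers ("10.xx.xx.xx" / "10.yy.yy.yy" in the question).
REQUIRED_DNS = {"10.1.1.10", "10.1.1.11"}


def parse_wmic_csv(text):
    """Map each IP-enabled adapter description to its list of DNS servers."""
    result = {}
    # The braces/semicolons are not csv syntax, so the field arrives as one raw string.
    for row in csv.DictReader(io.StringIO(text.strip())):
        raw = row.get("DNSServerSearchOrder") or ""
        result[row["Description"]] = re.findall(r'"([^"]*)"', raw)
    return result


def rule_two_specific(servers, required=REQUIRED_DNS):
    """Rule 1: both approved resolvers are configured and nothing else is."""
    return set(servers) == set(required)


def rule_at_least(servers, n):
    """Rules 2 and 3: at least n resolvers, regardless of their values."""
    return len(servers) >= n


def evaluate(text):
    """Return {adapter: {rule_name: passed}} for every adapter in the wmic output."""
    report = {}
    for desc, servers in parse_wmic_csv(text).items():
        report[desc] = {
            "two_specific": rule_two_specific(servers),
            "at_least_two": rule_at_least(servers, 2),
            "at_least_one": rule_at_least(servers, 1),
        }
    return report


if __name__ == "__main__":
    for adapter, results in evaluate(SAMPLE_WMIC_CSV).items():
        print(adapter, results)
```

An adapter with no DNSServerSearchOrder value at all (an empty csv field) fails all three rules rather than raising, which is the case the generic-grammar approach in the question had trouble expressing.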