DNS dynamicupdate with powershell


First post, hopefully I will do it right :slight_smile:

I have a test environment on my workstation, running VMware Workstation. I have a DC (Window Server 2012 R2), a client machine (Windows 8.1), and a few servers (Window Server 2012 R2). I want to be able to build some VM’s running Window Server, and configure them via DSC. Before doing anything without DSC though, I was planning on connecting remotely and configuring by doing something like this:

$computername = $(read-host "Enter computer name")
$ipaddress = $(read-host "Enter IP address")
$prefix= $(read-host "Enter IP prefix (ie, 24)")
$dns =  $(read-host "Enter DNS server address")
Invoke-command -computername $computername -credential $(get-credential) -scriptblock {
	Get-netIPinterface -addressfamily IPv4 -DHCP enabled -connectionstate Connected | 
	Net-netipaddress -Ipaddress $ipaddress -prefixlength $prefix -addressfamily IPv4 ; 
	Set-dnsclientserveraddress -serveraddress $dns ;
	} -indisconnectedsession

My problem isn’t the code, I main problem is that I can’t run an “invoke-command” to the newly built VM because I can only see them via IP. They are getting a DHCP request, but they are not authorised for DNS (because they are not in the domain). I know the DHCP lease is there because I can run:

{get-dhcpserverv4lease -scopeID | select hostname, IPaddress, Leaseexpirytime -last 1 | ft -AutoSize}

and see the lease. But the DNS update is “pending”.

So, using powershell, how do I disable Secure Only updates on the DNS server? And/or, is there a better way of doing this? I can see the settings, but can’t figure out how to modify it.

Get-DnsServer  | select * -Expand serverzone | select dynamicupdate     

Read up on “Secrets of PowerShell Remoting.” You can remote in using the IP address, if you add the IP address to your local TrustedHosts list, and specify a credential when connecting. That’ll get you in to configure it initially, and then you can take it out of TrustedHosts once it’s in your domain.

DNS isn’t really the issue. Without being in the same domain as the target, you’d have to mangle with TrustedHosts anyway. Active Directory is the thing.

With that said, I’m not sure I would disabled Secure Only updates on DNS. Secure Only is a Good Thing, and strictly to get into the VM to configure it, you don’t need DNS anyway. Just use the IP address. Push a config to them that gets them in the domain, or that configures them to pull a config from a pull server - neither of those operations depends on AD.

Super. That sounds like a much better and more scalable approach, I will give it a go. Thanks Don!

Hi Greg,

You can configure your DHCP server if Windows to register the DNS entries for the clients. The zones needs to be configured for secure updates for this to work.


We have configured DNS registration via the DHCP server for our backup network at work.


Thanks Daniel. That could be a good way for me to tackle it in production.