Validate Signed Zones

Microsoft.Windows.DNSServer.2016.Task.Validate.DNSSEC (Task)

Validates the DNSSEC settings for the given servers, if the setup is configured for DNSSEC validation. Specify the server names by overriding Parameter1.

Element properties:

Target: Microsoft.Windows.DNSServer.2016.Healthcheck.TaskTarget
Accessibility: Internal
Category: Custom
Enabled: True
Remotable: False
Timeout: 300

Member Modules:

ID Module Type TypeId RunAs 
PA ProbeAction Microsoft.Windows.DNSServer.2016.ParametrizedPowershellProbe.PA Microsoft.Windows.DNSServer.2016.ActionAccount

Source Code:

<Task ID="Microsoft.Windows.DNSServer.2016.Task.Validate.DNSSEC" Accessibility="Internal" Target="Microsoft.Windows.DNSServer.2016.Healthcheck.TaskTarget" Enabled="true" Timeout="300" Remotable="true">
<Category>Custom</Category>
<ProbeAction ID="PA" TypeID="Microsoft.Windows.DNSServer.2016.ParametrizedPowershellProbe.PA" RunAs="Microsoft.Windows.DNSServer.2016.ActionAccount">
<ScriptName>Microsoft.Windows.Server.DNS.Validate.DNSSEC.PA.ps1</ScriptName>
<ScriptBody><Script>

# Inputs passed in by the probe action. $PrincipalName is used further down
# as the DNS server to query; $Parameter1 is split on ";" into the names to
# check. $Parameter2 and $Parameter3 are not read by the script shown here.
param ([String] $PrincipalName, [String] $Parameter1, [String] $Parameter2, [String] $Parameter3)
$SCRIPT_NAME = "DNSSECSettingsValidationProbe"
# Turn non-terminating cmdlet errors into terminating ones so that the
# try/catch blocks below can handle them.
$ErrorActionPreference = "Stop"

# Event type constants
# NOTE(review): none of the constants in this group or the two groups that
# follow are referenced by the script body shown here; presumably shared
# template boilerplate - confirm before removing.
$EVENT_TYPE_LOG = 0
$EVENT_TYPE_ERROR = 1
$EVENT_TYPE_WARNING = 2
$EVENT_TYPE_INFORMATION = 4

# Typed property bag constants
$PROPERTY_TYPE_ALERT = 0
$PROPERTY_TYPE_EVENT = 1
$PROPERTY_TYPE_PERFORMANCE = 2
$PROPERTY_TYPE_STATE = 3

# State type constants
$STATE_SUCCESS = "Success"
$STATE_WARNING = "Warning"
$STATE_ERROR = "Error"

# Operations Manager scripting API COM object. It is created here but not
# used by the script body shown on this page.
$momAPI = new-object -comObject MOM.ScriptAPI

# Event id and message for the "DNS Server service not running" case.
# NOTE(review): neither value is referenced by the script body shown here.
$DNS_NOT_RUNNING_EVENT_ID = 7654
$DNS_NOT_RUNNING_SCRIPT_MESSAGE = "DNS Server Service is not running. Exiting."

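# Reports whether the named Windows service is currently running.
# Parameters: $ServiceName - service name handed to Get-Service.
# Returns:    $true when the service status is "running"; $false when it is
#             in any other state or when the lookup itself fails.
# NOTE(review): nothing in the script shown here calls this function.
function FuncCheckService
{
    param($ServiceName)

    try
    {
        # -ErrorAction Stop sends a failed lookup (for example an unknown
        # service name) to the catch block without relying on the
        # script-level $ErrorActionPreference.
        $arrService = Get-Service -Name $ServiceName -ErrorAction Stop
        if ($arrService.Status -ne "running")
        {
            return $false
        }
        return $true
    }
    catch
    {
        # Any lookup failure is reported as "not running".
        return $false
    }
}

# Parameter1 carries the semicolon-separated list the task works on. Stop
# early when it is missing, empty or whitespace only, so that a blank
# override does not turn into a DNS query for an empty name.
if ([string]::IsNullOrWhiteSpace($Parameter1))
{
    Write-Host "Parameter1 for task can not be empty! Please specify required value."
    Return
}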

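# Split Parameter1 on ";" into individual entries, trim surrounding
# whitespace and drop empty ones. @() keeps the result an array even when
# there is a single entry, so no special case for one item is needed.
$TargetObjects = @($Parameter1 -split ";" | ForEach-Object { $_.Trim() } | Where-Object { $_ })

foreach ($Obj in $TargetObjects)
{
    # Query the fully qualified name. Strip any trailing dot first so an
    # entry that is already written with one does not end in "..".
    $zoneName = $Obj.TrimEnd(".") + "."

    try
    {
        # Ask the target server for the name with the DNSSEC OK bit set and
        # keep only the RRSIG records from the response.
        $zoneRecords = @(Resolve-DnsName -Server $PrincipalName -Name $zoneName -DnssecOk -ErrorAction Stop |
            Where-Object { $_.QueryType -eq "RRSIG" } -ErrorAction Stop)

        # NOTE: this check only shows whether the server returned at least
        # one RRSIG record. The signatures are not verified here and no chain
        # of trust is checked, so read the result as "zone appears signed",
        # not as proof that DNSSEC validation would succeed.
        if ($zoneRecords.Count -eq 0)
        {
            Write-Host "The DNS query for signed zone $Obj did not get a DNSSEC response from server $PrincipalName"
        }
        else
        {
            Write-Host "The signed zone $Obj on server $PrincipalName contains a RRSIG record"
        }
    }
    catch
    {
        # Keep the original message and append the underlying error text so
        # an unreachable server can be told apart from a failed lookup.
        Write-Host "An Error Has Occurred in Resolve-DnsName cmdlet. Server: $PrincipalName, Zone: $Obj. Error: $($_.Exception.Message)"
    }
}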
</Script></ScriptBody>
<PrincipalName>$Target/Host/Host/Property[Type='Windows!Microsoft.Windows.Computer']/PrincipalName$</PrincipalName>
<Parameter1/>
<Parameter2/>
<Parameter3/>
<TimeoutSeconds>300</TimeoutSeconds>
</ProbeAction>
</Task>