The network team recently asked for a scripted solution to clear the DNS cache on a number of servers. The scripting part was actually easy:
[Array] $ServerList = "Server1", "Server2", "Server3", "Server4", "Server5"
[Int] $ServerArrayPointer = 0
For ($ServerArrayPointer = 0; $ServerArrayPointer -lt $ServerList.length; $ServerArrayPointer++)
Write-Host "Clearing cache on: [$($ServerList $ServerArrayPointer])]"
(Get-WMIObject -Computer $($ServerList[$ServerArrayPointer]) -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Cache").ClearCache()
Write-Host "`nPress any key to continue"
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
The much trickier part is the permissions, the network team are not administrators on the DNS servers since these servers are also domain controllers and that would require them to be domain admins. They are in a group called "networkadmins_gg_tm".
There are two permissions required to make this work. Firstly they will need permissions over the properties and methods within the appropriate WMI namespace i.e. root\MicrosoftDNS. This is easily achieved by navigating to:
ManageComputer|Configuration|WMIControl|Properties|Security|root and highlight the namespace and hit the security button.
The group will need all permissions except "edit permissions" and, of course, special permissions. This will need to be done on every server. The next step is to grant them DCOM remote execution rights, this can be done via group policy. The GPO settings are as follows:
ComputerConfiguration|Policies|Windows Settings|Security Settings|LocalPolicies\SecurityOptions|Other
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language
This setting is in SDDL Syntax but you can hit the edit button and add a security group in the normal GUI way. The group will need all four local and remote launch permissions.
That's it! Just do a GPUPDATE on all the servers to get the new policy, allow time for replication to other sites and run the script.
Post a Comment