Powershell Add DNS Domain Suffix Search Order

    Question

  • I am racking my brain here.

    Using Powershell script to add DNS domain suffixes to machines remotely.

    Multiple Machines, Multiple Domains.

    I am a Domain Admin on our main Domain but not on the others.

    How do I supply credentials to run this script for the different domains? 

    I know you can create PS Credential objects.
    The issue is that in order to change the Suffixes you have to use the type accelerator [wmiclass] rather than get-wmiobject and the TA only takes a string as an argument. 

    $objWMI = get-wmiobject -class win32_networkadapterconfiguration -computername $strComputerName -Credential ...
    #Unfortunately, neither this object nor the members it contains have the setDNSDomainSuffixSearchOrder method

    $clsWMI = [wmiclass]"\\$strComputerName\root\cimv2:win32_networkadapterconfiguration"
    #Unfortunately, this does not allow us to supply credentials. I can use this if it is in my domain.


    Is there a way to do this aside from editing the registry directly, etc.? 

    The goal here is to be able to change this from any machine on any of the domains.

    My thoughts are that maybe there is a way to get to the same class object as the TA is but with being able to supply credentials, perhaps via a .NET? 


    Any Help is much appreciated 
    • Edited by Mercbot7 Thursday, July 30, 2009 1:09 PM
    Thursday, July 30, 2009 1:07 PM

Answers

  • Yes this is what I was looking for!

    This worked for me.

    $strComputerName = "foo"
    $psCredentials = Get-Credential
    $aryDNSSuffixes = "Hello.com", "World.org"

    invoke-wmimethod -Class win32_networkadapterconfiguration -Name setDNSSuffixSearchOrder -Credential $psCredentials -ComputerName $strComputerName -ArgumentList @($aryDNSSuffixes), $null

    The weirdest thing about it is the ArgumentList, it takes an array object and you have to have the second item $null

    I didn't read into msdn too deep

    http://technet.microsoft.com/en-us/library/dd315300.aspx
    • Marked as answer by Mercbot7 Thursday, July 30, 2009 5:35 PM
    • Edited by Mercbot7 Thursday, August 06, 2009 1:40 PM
    Thursday, July 30, 2009 5:35 PM

All replies

  • Have you tried just setting the property?

    Thursday, July 30, 2009 1:24 PM
    Moderator
  • btw... if and when you are able to use Powershell v2 they have solved this issue with invoke-wmimethod (to call static methods on WMI classes.)
    Brandon Shell [MVP]
    • Proposed as answer by lunarpowered Sunday, February 12, 2012 2:25 PM
    Thursday, July 30, 2009 1:32 PM
    Moderator
  • To your original question

    Here is the regkey


    HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList
    Brandon Shell [MVP]
    Thursday, July 30, 2009 1:36 PM
    Moderator
  • Here is how you would do it in v2

    $DNSSuffix = @("child.domain.com"),@("domain.com")
    Invoke-WmiMethod -path Win32_NetworkAdapterConfiguration -Name SetDNSSuffixSearchOrder -ArgumentList $DNSSuffix
    Brandon Shell [MVP]
    Thursday, July 30, 2009 1:44 PM
    Moderator
  • Yes, unfortunately, you cannot change the property. It is read only.

    Thanks!
    Thursday, July 30, 2009 1:45 PM
  • I was not aware. I will have to try that! I will let you know if that worked!

    Thanks!
    Thursday, July 30, 2009 1:45 PM
  • Yeah, we want to AVOID using the reg key if possible. I think we can; it is just a matter of figuring it out.

    Thanks!
    Thursday, July 30, 2009 1:46 PM
  • It seems to me  your options are the regkey or Powershell v2
    Brandon Shell [MVP]
    Thursday, July 30, 2009 1:48 PM
    Moderator
  • There is no way to do this via .NET?
    Thursday, July 30, 2009 1:51 PM
  • Sorry, I am now looking at invoke-wmimethod and it looks like that is what I need. I will post the results.

    Thanks!
    Thursday, July 30, 2009 1:53 PM
  • This is not entirely the case any longer, as well as the original author has overlooked the case with multiple NICs on the same computer.

    That Invoke-WmiMethod call, if "approved/fulfilled", will alter the DNSSuffixSearchOrder for every NIC found by PowerShell on said machine.

    I'm struggling to make sure it only affects the NIC I'm interested in it affecting...

    foreach($pc in $ComputerName){
    $NICs = @()
    $NICs += Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $pc -Filter "IPEnabled = 'TRUE' AND DHCPEnabled = 'FALSE'"

    foreach($NIC in $NICs){
    (....)
    $NIC | Invoke-WmiMethod -Class Win32_NetworkAdapterConfiguration -Name SetDNSSuffixSearchOrder -ArgumentList $newDNSSuffix,$null

    (...)}}

    The line in the innermost foreach-loop is something I can't get to work, getting any error from Access Denied to "No such Method", whilst trying to make it work manually, before I put it into my script function.

    Can anyone help figuring out the correct way to make sure that:

    1. It only affects ONE given NIC on a given remote computer
    2. It actually goes through. I'm getting all kinds of errors; I don't
      mind sharing them with you, but thought to spare you the spam until someone
      asks for it.

    Appreciated, thanks

    Tuesday, August 21, 2012 7:09 AM
  • This topic has been closed for years.  Can you please start a new topic with your question?  You can include a link back to this topic if needed.


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, August 21, 2012 10:51 AM
    Tuesday, August 21, 2012 10:50 AM
  • Never made a post/topic here before, no clue how. Just saw that I could reply when looking at the google hit google gave me.

    But I fixed it anyhow, here's a link to how.

    http://powershell.com/cs/forums/p/10792/18524.aspx#18524

    I think on one side it could be prudent keeping it here if others get guided here by google like me,
    but I'm willing to make a new post if you're willing to tell/show me how, or at least what forum this thread is in. 

    Sorry for being so newbish...

    -x10


    • Edited by x10an14 Wednesday, August 22, 2012 10:50 AM
    Wednesday, August 22, 2012 10:50 AM
  • Not a fix and it does not do anything different than what the WMI class does.  There is only one search order per machine.  It is impossible to have a search order per adapter.  Go back and look at your post and think a long time about what you are doing.  I think you will eventually see that nothing is different except that setting the registry does not affect the adapter immediately.

    If you need to pursue this then you can start a new thread; the forum is clearly listed at the top of the page as it is with all web sites.  There is even a nice little button for starting a new topic.

    You might also ask your question in the hardware and networking forums where they can explain how IP networking is designed and why we have only one search order.  If you set it at the registry or with the class it is still the same thing so I don't think any of us can understand what the issue is.  This thread describes the accepted method of setting this value for the TCPIP networking components.  It has no effect on VPNs or iSCSI devices as they are set up and just respond to the system.  No search order is of any importance to these devices.  The router layer determines how to find things.  DNSSearchOrder is just a way to add domains to an address that has no domain portion.

    If you do "ping test" and you have no test defined on the local machine then the suffixes will be added one at a time until a host can be found.

    In Windows we mostly never set this to anything but the default.  It is a bit legacy.  Setting it without understanding what it is doing can make your network unusable.

    I suspect you are really wanting to change the DNS servers and search order which are per interface.

    # get the per adapter configuration
    $adapt=gwmi Win32_NetworkAdapterConfiguration -filter 'index=1'
    # display the current search order
    $adapt.DNSServerSearchOrder
    # set a new list
    $adapt.SetDNSServerSearchOrder(@('10.1.10.2','10.1.10.3'))


    ¯\_(ツ)_/¯

    Wednesday, August 22, 2012 2:41 PM
  • "Not a fix and it does not do anything different than what the WMI class does.  There is only one search order per machine.  It is impossible to have a search order per adapter."

    That's what I've been starting to suspect, but I didn't want to go out on a limb and just suppose it was so until I found some whitepaper-ish documentation that this was true.

    Anyway, thanks for confirming it =). And no, I know what the DNS suffixes are, do, and how they work. I just thought it would make sense to have them adapter specific in case you had VPN adapters (like many machines do). The script that's being referred to in the post of my previous link changes DNS Search Order, DNS Suffix Search order, DNS Domain, and Dynamic DNS registration settings =).

    Thursday, August 23, 2012 6:34 AM
  • No need for a white paper.  Having a suffix search order that is adapter specific makes absolutely no sense.

    If you need a white paper I would start by looking at the IETF specifications for IP networking. Some things are defined for host and some for a connection.  It is the 'host' address domain component that is being resolved.  The domain portion has been used to find a default domain.  It is highly recommended that you do not use this in a Windows domain as the AD DNS name of the host is critical.

    This setting has nothing to do with adapters.  It is all about name resolution for the 'host' request.  You cannot choose an adapter until you resolve the name.  It is the router that chooses the route.  The route is specific to one and only one adapter.  In the end the IP address of the 'discovered' FQDN is looked up and a 'route' is chosen.  The route is bound to an adapter.

    Run "route print" at a prompt and inspect how a route is defined.

    Destination    Netmask          Gateway          Interface        Metric
    192.168.1.0    255.255.255.0    192.168.1.100    192.168.1.100    700

    The route to the domain 192.168.1.0/24 is at 192.168.1.100 on interface 192.168.1.100.  Until we take the name plus the suffix generated via the rule (search order or host default) and ask DNS for an IP we cannot know the interface that will service the request.

    Now does it make sense?

    If you are having issues with VPNs it is because the VPN is not configured correctly which is quite common.

    DNS search order, on the other hand, is specific to an interface and is settable via WMI at the interface level.

    WMI does what it is supposed to do when configuring a network.  There is almost never a need to use the registry. If you do not accept the WMI settings then it is more likely that you misunderstand how networking is intended to work.  Changes made incorrectly can make a host unusable.

    Here is an interesting but expired document from IETF on the issues with multi-homed hosts and how the solution is best managed by the application. In Windows this is the normal solution.  We choose a primary transport and port and all choices are routed over that path that cannot be resolved or are not bound to another path.  This is done through the 'Advanced' network settings.

    http://tools.ietf.org/tools/rfcdiff/rfcdiff.pyht?url1=http://tools.ietf.org/id/draft-savolainen-mif-dns-server-selection-02.txt&url2=http://tools.ietf.org/id/draft-savolainen-mif-dns-server-selection-03.txt


    ¯\_(ツ)_/¯

    Thursday, August 23, 2012 11:47 AM
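
Added example (not part of any post in this thread): the accepted Invoke-WmiMethod call wrapped so that each domain gets its own prompted credential, the WMI return code is checked, and the host-wide suffix list is read back afterwards. It assumes Windows PowerShell 3.0 or later; the function name, domain names, host names and suffixes are constructed placeholders.

```powershell
# Added example, not from the thread. Domains, hosts and suffixes are constructed.
function Set-RemoteDnsSuffixSearchOrder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [Parameter(Mandatory = $true)] [string[]] $Suffix,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential
    )
    foreach ($pc in $ComputerName) {
        # PacketPrivacy asks DCOM to encrypt the WMI traffic to the remote host.
        $wmi = @{ ComputerName = $pc; Credential = $Credential
                  Authentication = 'PacketPrivacy'; ErrorAction = 'Stop' }
        $result = [pscustomobject]@{ Computer = $pc; Applied = $false; Current = $null; Error = $null }
        try {
            if ($PSCmdlet.ShouldProcess($pc, "Set suffix search order: $($Suffix -join ', ')")) {
                # Static class method: the list applies to the whole host, not to one NIC.
                $r = Invoke-WmiMethod @wmi -Class Win32_NetworkAdapterConfiguration `
                         -Name SetDNSSuffixSearchOrder -ArgumentList @($Suffix), $null
                # 0 = success, 1 = success but reboot required; anything else is a failure.
                if ((0, 1) -notcontains $r.ReturnValue) { throw "ReturnValue $($r.ReturnValue)" }
            }
            # Read the list back from one IP-enabled adapter; every adapter reports the same list.
            $nic = Get-WmiObject @wmi -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                       Select-Object -First 1
            $result.Current = $nic.DNSDomainSuffixSearchOrder
            $result.Applied = (@($result.Current) -join ',') -eq ($Suffix -join ',')
        } catch {
            $result.Error = $_.Exception.Message   # e.g. access denied with the wrong domain's account
        }
        $result
    }
}

# One credential prompt per domain; nothing is stored in the script or on disk.
$targets = @{
    'corp.example.com' = 'pc01.corp.example.com', 'pc02.corp.example.com'
    'lab.example.org'  = 'srv01.lab.example.org'
}
$suffixes = 'corp.example.com', 'lab.example.org'
foreach ($domain in $targets.Keys) {
    $cred = Get-Credential -Message "Account with admin rights in $domain"
    Set-RemoteDnsSuffixSearchOrder -ComputerName $targets[$domain] -Suffix $suffixes -Credential $cred -WhatIf
}
```

With -WhatIf the function only reads and reports the current list; remove it to apply the change.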