Thursday, June 14, 2012

Find Deleted DNS records with the DNSTombstoned attribute and ADFIND

ADFind is an invaluable resource for searching fields and pretty much anything in the heart of AD.
I wanted to enable some changed scavenging rules and be able to watch what was deleted during that new scavenge.
It took some searching to figure out exactly what I wanted (because the help window in a command prompt drives me bonkers).

adfind -nodn -csv -f (dnstombstoned=TRUE) > test.csv

And a breakdown of all of these commands are:

-nodn will strip the distinguished name, so instead of dc=blah,dc=blah,dc=domain,dc=com etc etc, you just get the name

-csv for csv output

-f filters to the specific attribute and its state (=true means it is tombstoned obviously)

> test.csv this is the standard fare for exporting/piping text to a text file instead of to the command window

I hope this helps someone else who may want to just be able to watch their tombstoned records.


If you want to look at these records in depth.
adsiedit allows you to view and edit all domain fields (so be careful), however you can see this attribute on any field if you need to and even edit it.
All records are located in:
dc=domaindnszones,dc=domain,dc=com


Posted by admin in
Permalink
Page 1 of 1 pages