This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 72%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
I found a PowerShell Script that uses the SCCM Configuration Items and Baselines to ensure DNS is set correctly. This script is awesome however it allow allows you to set to DNS servers. I need to set 4. I am not sure what I am doing wrong any help would be appreciated.
URL for the original: https://social.technet.microsoft.com/wiki/contents/articles/20527.central-management-of-dns-configuration-compliance-and-updates.aspx
DIscovery:
$server1 = "x.x.x.x"
$server2 = "y.y.y.y"
$server3 = "c.c.c.c"
$server4 = "a.a.a.a"
$IPList = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName .
$i = 0
$nicwithdnscount = 0
$conformity = "Not Compliant"
if ($IPList.Count -ne $null)
{
while ($i -ne $IPList.Count)
{
try{
if ($IPList[$i].DNSServerSearchOrder[0] -ne $null)
{
$nicwithdnscount = $nicwithdnscount + 4
}
if (($IPList[$i].DNSServerSearchOrder[0] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[1] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[2] -And ($IPList[$i].DNSServerSearchOrder[3]))
{
if (($IPList[$i].DNSServerSearchOrder[0] -eq $server1) -AND ($IPList[$i].DNSServerSearchOrder[1] -eq $server2) -AND ($IPList[$i].DNSSearchOrder[2] -eq $server3) -AND ($IPList[$i].DNSSearchOrder[3] -eq $server4))
{
$conformity = "Compliant"
}
else
{
$conformity = "Not Compliant"
}
}
}
catch
{
}
$i = $i + 1
if ($nicwithdnscount -ne 1)
{
$conformity = "Not Compliant"
}
}
}
else
{
try{
if ($IPList.DNSServerSearchOrder[0] -ne $null)
{
$nicwithdnscount = $nicwithdnscount + 1
}
if (($IPList.DNSServerSearchOrder[0] -ne $null) -AND ($IPList.DNSServerSearchOrder[1] -ne $null) -AND ($IPList.DNSServerSearchOrder[2] -ne $null) -AND ($IPList.DNSServerSearchOrder[3] -ne $null))
{
if (($IPList.DNSServerSearchOrder[0] -eq $server1) -AND ($IPList.DNSServerSearchOrder[1] -eq $server2) -AND ($IPList.DNSServerSearchOrder[2] -eq $server3) -AND ($IPList.DNSServerSearchOrder[3] -eq $server4))
{
$conformity = "Compliant"
}
else
{
$conformity = "Not Compliant"
}
}
}
catch
{
}
}
Return $conformity
Remediation script
$server1 = "x.x.x.x"
$server2 = "y.y.y.y"
$server3 = "c.c.c.c"
$server4 = "a.a.a.a"
$IPList = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName .
$i = 0
$nicwithdnscount = 0
$conformity = "Not Compliant"
if ($IPList.Count -ne $null)
{
while ($i -ne $IPList.Count)
{
try{
if ($IPList[$i].DNSServerSearchOrder[0] -ne $null)
{
$nicwithdnscount = $nicwithdnscount + 1
}
if (($IPList[$i].DNSServerSearchOrder[4] -eq $null))
{
if (($IPList[$i].DNSServerSearchOrder[0] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[1] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[2] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[3] -ne $null))
{
if (($IPList[$i].DNSServerSearchOrder[0] -eq $server1) -AND ($IPList[$i].DNSServerSearchOrder[1] -eq $server2) -AND ($IPList[$i].DNSServerSearchOrder[2] -eq $server3) -AND ($IPList[$i].DNSServerSearchOrder[3] -eq $server4))
{
$conformity = "Compliant"
}
else
{
$conformity = "Not Compliant"
}
}
}
}
catch
{
}
$i = $i + 1
if ($nicwithdnscount -ne 1)
{
$conformity = "Not Compliant"
}
}
}
else
{
try{
if ($IPList.DNSServerSearchOrder[0] -ne $null)
{
$nicwithdnscount = $nicwithdnscount + 1
}
if (($IPList.DNSServerSearchOrder[4] -eq $null))
{
if (($IPList.DNSServerSearchOrder[0] -ne $null) -AND ($IPList.DNSServerSearchOrder[1] -ne $null) -AND ($IPList.DNSServerSearchOrder[2] -ne $null) -AND ($IPList.DNSServerSearchOrder[3] -ne $null))
{
if (($IPList.DNSServerSearchOrder[0] -eq $server1) -AND ($IPList.DNSServerSearchOrder[1] -eq $server2) -AND ($IPList.DNSServerSearchOrder[2] -eq $server3) -AND ($IPList.DNSServerSearchOrder[3] -eq $server4))
{
$conformity = "Compliant"
}
else
{
$conformity = "Not Compliant"
}
}
}
}
catch
{
}
}
$i = 0
if (($conformity -eq "Not Compliant") -AND ($nicwithdnscount -eq 1))
{
if ($IPList.Count -ne $null)
{
while ($i -ne $IPList.Count)
{
try{
if ($IPList[$i].DNSServerSearchOrder[0] -ne $null)
{
$arrDNSServers = $server1, $server2, $server3, $server4
$IPList[$i].SetDNSServerSearchOrder($arrDNSServers)
}
}
catch
{
}
$i = $i + 1
}
}
else
{
try{
if ($IPList.DNSServerSearchOrder[0] -ne $null)
{
$arrDNSServers = $server1, $server2, $server3, $server4
$IPList.SetDNSServerSearchOrder($arrDNSServers)
}
}
catch
{
}
}
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Those scripts sure go through a lot of unnecessary work!
#
# DISCOVERY
#
$MandatoryDNSServers = "x.x.x.x","y.y.y.y","1.1.1.1","2.2.2.2"
# Get all all IPEnabled NICs on local machine
[array]$IPLists = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName .
ForEach ($IPList in $IPLists){
$res = [PSCustomObject]@{
Description = $IPList.Description
Index = $IPList.Index
Conformity = "Not Compliant"
}
if ( $IPList.DNSServerSearchOrder.Count -gt 0){ # if the DNSDerverSearchOrder is populated
if ($MandatoryDNSServers.Count -gt $IPList.DNSServerSearchOrder.Count -OR # and the number of mandatory servers is greater than the number of DNS servers on this NIC
$null -eq $IPList.DNSServerSearchOrder[0]){ # or the first DNS server is empty
return $res # return "Not Compliant"
}
}
else{
$AllGood = $true
$dnsservers = $IPList.DNSServerSearchOrder # get the list of DNS servers from the NIC
for ($i=0; $i -le $MandatoryDNSServers.GetUpperBound(0); $i++){
if ($MandatoryDNSServers[$i] -ne $dnsservers[$i]){ # compare 2 lists by postion (with $MandatoryDNSServers controlling the loop)
$AllGood = $false
break # stop loop if a no-match is found
}
}
if ($AllGood){
$res.Conformity = "Compliant"
}
return $res
}
}
The remediation can take the output of the discovery script and set the search order like this:
#
# REMEDIATION
#
# Takes the Interface Index as a parameter
param(
[int]$Index
)
$MandatoryDNSServers = "x.x.x.x","y.y.y.y","1.1.1.1","2.2.2.2"
Set-DnsClientServerAddress -ServerAddresses $MandatoryDNSServers -InterfaceIndex $Index
I'm not familiar with SCCM, so if you have to run the discovery followed by remediation to correct non-compliant NICs then in the remediation part don't return the PSCustomObject. Just use it set the DNS servers if the "Conformity" property is ""Not Compliant" and take the Interface Index from the "Index" property.
@Rich Matheisen let me try them and let you know.
Hi, @Benjamin Hagen
Thank you for posting in Microsoft Q&A forum.
You may try to run discovery script and remediation script Separately to see if the script can run correctly.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Yes, i understand that. The issue is since editing the script to what i believe is adding 4 DNS servers both the discovery and remindation script fail. Which means someplace in there my syntex is wrong. If someone who is smarter then can help point where i made my mistake i would appreciate it. Hell i dont even know if the script i am "copying off" can do what i want!
Hi, @Benjamin Hagen
I modified the discovery script, it doesn't have a syntax wrong now:
$server1 = "x.x.x.x"
$server2 = "y.y.y.y"
$server3 = "1.1.1.1"
$server4 = "2.2.2.2"
$IPList = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName .
$i = 0
$nicwithdnscount = 0
$conformity = "Not Compliant"
if ($IPList.Count -ne $null)
{
while ($i -ne $IPList.Count)
{
try{
if ($IPList[$i].DNSServerSearchOrder[0] -ne $null)
{
$nicwithdnscount = $nicwithdnscount + 1
}
if (($IPList[$i].DNSServerSearchOrder[0] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[1] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[2] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[3] -ne $null))
{
if (($IPList[$i].DNSServerSearchOrder[0] -eq $server1) -AND ($IPList[$i].DNSServerSearchOrder[1] -eq $server2) -AND ($IPList[$i].DNSServerSearchOrder[2] -eq $server3) -AND ($IPList[$i].DNSServerSearchOrder[3] -eq $server4))
{
$conformity = "Compliant"
}
else
{
$conformity = "Not Compliant"
}
}
}
catch
{
}
$i = $i + 1
if ($nicwithdnscount -ne 1)
{
$conformity = "Not Compliant"
}
}
}
else
{
try{
if ($IPList.DNSServerSearchOrder[0] -ne $null)
{
$nicwithdnscount = $nicwithdnscount + 1
}
if (($IPList.DNSServerSearchOrder[0] -ne $null) -AND ($IPList.DNSServerSearchOrder[1] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[2] -ne $null) -AND ($IPList[$i].DNSServerSearchOrder[3] -ne $null))
{
if (($IPList.DNSServerSearchOrder[0] -eq $server1) -AND ($IPList.DNSServerSearchOrder[1] -eq $server2) -AND ($IPList[$i].DNSServerSearchOrder[2] -eq $server3) -AND ($IPList[$i].DNSServerSearchOrder[3] -eq $server4))
{
$conformity = "Compliant"
}
else
{
$conformity = "Not Compliant"
}
}
}
catch
{
}
}
Return $conformity
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thank you @AllenLiu-MSFT . Sorry for the late reply I was out of the office on Friday. I am trying it now and will let you know if that works!
@AllenLiu-MSFT my test box is still showing noncompliant.