Setting DNS for Windows Servers Using PowerShell

Setting DNS for Windows servers is straightforward using PowerShell. Utilizing Get-WMIObject Win32_NetworkAdapterConfiguration against a list of servers from a text file in a loop is the best way to handle a bulk dns change to your servers. I was prompted to share my PowerShell script after reading a post from Mike Tabor on his blog at MikeTabor.com titled How to update VMware Windows VM’s DNS using PowerCLI .

Mike Tabor goes through his process of taking an old script he found and updated it to more modern PowerCLI script. His script is very useful in that you can change the IP address in addition to setting dns for Windows servers in your VMware environment. He credits Jase McCarty who created the original script and helped Mike update it. I encourage you to go check it out.

Person's hand typing on a MacBook Pro with code on the screen
Scripting time

Set-ServersDNS

Here is my purely PowerShell script that I have been using for the past few years to make dns changes. It does not update IP addresses but does allow for changes to dns settings. Using a foreach loop with all the necessary dns settings through Get-WMIObject makes for a simplified script. But just because it is simplified doesn’t mean you can’t do mass amounts of damage to your environment. I always test against a few individual test servers just to make sure before I send this against all my Windows servers.

It does work on both physical and virtual Windows computers. Unfortunately we still have a few Windows physical servers so I will still utilize this script when setting dns for Windows servers. However, when I need to make a mass IP and dns change to virtual machine servers I will utilize Mike Tabor’s script. I expect that soon my environment will not have any physical Windows servers. All virtual is the goal!

Caution: Like all code you download from the internet, please understand and modify the code accordingly to prevent unforeseen production problems.  Also known as career-altering events. 

More From My Site

Schannel Set-Crypto PowerCLI Script

Backup VDS PowerCLI Script

vami_config_net To Change VCSA Hostname

Deleting Orphaned Virtual Desktops In VMware View

PowerShell SSL Certificate Script

Beyond SQL on VMware Best Practices

Going beyond SQL in VMware Best Practices has involved settings and configurations that are never mentioned in the SQL Server On VMware Best Practices Guide. Working in a healthcare environment means working with a large EMR (Electronic Medical Record) provider like EPIC. In tuning one of their many large sql databases they had some recommendations. Some of these are throwbacks to my old days of tweaking performance out of a desktop with settings like TCP parameter KeepAliveTime. How many of you go beyond the recommendations in the SQL Best Practice Guide?

floating book in quaint library
Knowledge shared becomes wisdom attained (Photo by Jaredd Craig on Unsplash)

I’ve listed here some of the settings that have been suggested for our larger more accessed and just plain busy sql servers:

ESXi Settings

Adjust the Round Robin IOPS limit from the default 1000 to 1 on each database LUN. Refer to VMware KBA 2069356 for more information on setting this parameter. (We already utilize Round Robin but each lun was set to the default)

Why would you want to make this change?
“The default of 1000 input/output operations per second (IOPS) sends 1000 I/O down each path before switching. If the load is such that a portion of the 1000 IOPS can saturate the bandwidth of the path, the remaining I/O must wait even if the storage array could service the requests. The IOPS or bytes limit can be adjusted downward allowing the path to be switched at a more frequent rate. The adjustment allows the bandwidth of additional paths to be used while the other path is currently saturated. “

How to make this change:

In ESXi 5.x/6.x:
for i in esxcfg-scsidevs -c |awk '{print $1}' | grep naa.xxxx; do esxcli storage nmp psp roundrobin deviceconfig set –type=iops –iops=1 –device=$i; done

Where, .xxxx matches the first few characters of your naa IDs.
 
To verify if the changes are applied, run this command:

esxcli storage nmp device list
 
You see output similar to:
 
Path Selection Policy: VMW_PSP_RR
Path Selection Policy Device Config: {policy=iops,iops=1,bytes=10485760,useANO=0;lastPathIndex=1: NumIOsPending=0,numBytesPending=0}
Path Selection Policy Device Custom Config:
Working Paths: vmhba33:C1:T4:L0, vmhba33:C0:T4:L0

Registry Settings

Configure Windows TCP Parameters in the Registry

The default setting for the Windows TCP parameter KeepAliveTime is two hours. This setting controls how often TCP sends a keep-alive packet to verify that an idle connection is still intact. Reducing it from two hours to five minutes helps windows detect and clean up stale network connections faster.


How to make this change:

Use regedit to create the DWORD KeepAliveTime (if it does not currently exist) at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ . Then modify the value to 300000 (time in milliseconds).

The default setting for the Windows TCP parameter TCPTimedWaitDelay is four minutes. This setting determines the time that must elapse before TCP/IP can release a closed connection and reuse its resources. By reducing the value of this entry, TCP/IP can release closed connections faster and provide more resources for new connections.

How to make this change:

Using regedit to create the REG_DWORD TCPTimedWaitDelay (if it does not currently exist) at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ . Then modify the value to 30 .

What kind of ESXi settings, Windows registry settings, config file changes, etc. do you implement in your environment that goes beyond the SQL Server On VMware Best Practices Guide ? As always, I look forward to your comments and sharing of knowledge.

Schannel Set-Crypto PowerCLI Script

Are you in need of configuring crypto or schannel (IIS) settings on more than a few Windows virtual machines?  The Set-Crypto PowerCLI script might be of interest to use in your VMware environment. Recently I had to configure all the Windows servers in our VMware environment to use the correct crypto/schannel settings.  The gold standard for Windows/IIS administrators for configuring crypto is a program called IISCrypto . 

Schannel Security
Schannel Security

I have been using IISCrypto for a few years now and it is hands down the easiest way to configure your Windows vms using the schannel settings you choose. It also has built-in ‘best practices’ settings for general security as well as pci and fips requirements.  This is a great tool for setting one server at a time but I needed to do this en masse.  I thought wouldn’t it be great if they had a command-line tool.  Well it turns out that they do have a command-line tool. It allowed me to create a script to configure all my servers for crypto/schannel settings.

Set-Crypto Schannel

The schannel PowerCLI script  Set-Crypto utilizes IISCrypto command-line, batch files, and template profiles created ahead of time based on ‘best practices’ for 2012R2 Windows Server and 2016 Windows Server respectively. You can also go to my Pastebin Set-Crypto folder to get the needed batch files and template profile files. You will need to get IISCrypto from Nartac software.  It is free to use but their site does not explain their licensing model so I do not know the implications of using their software.  Please contact Nartac software for more information regarding licensing.  Please read the assumptions at the beginning of the script. Always be sure to read and understand any code you download from the internet before running in a production environment.


Feel free to comment and give suggestions on how to improve this script or any others I have shared.  If you like this script you may want to check out one of my previous scripts Powershell SSL Certificate Script .