Tuesday, April 14, 2015

Use Powershell to Change Host's FQDN / Suffix

I'm attempting to setup 6 Windows Server 2012 R2 RDP Session Host servers all via the CLI using PowerShell.

When it came time to configure the machine's name, domain, and Primary FQDN, I could rename the computer (Rename-Computer), add it to a domain (Add-Computer), but I got stuck trying to update / change the Primary DNS suffix of this computer, as there was no way I could find - other than using ancient netdom.exe, not my idea of PowerShell.

I hacked around with this for a bit on some Windows Server 2012 R2 servers modifying the registry to make it happen. Updating Domain and NV Domain in the [HKLM\System\CurrentControlSet\Services\Tcpip\Parameters] initially seemed to work with no issue - https://technet.microsoft.com/en-us/library/aa998420%28v=exchg.80%29.aspx.

Later, I discovered that the SPN record information for AD computers also needed to be updated or you get "The security database on the server does not have a computer account for this workstation trust relationship" error.

Below is what I have been using and is seems to work, as long as it is Run as Administrator as a Local Administrator and from a Domain Admin account (if connected to an AD domain.)

Current version at https://github.com/cajeeper/PowerShell/blob/master/Update-HostFQDN.ps1

Latest change: Added updating the dnsHostName attribute - Thanks to Nan Zhang

$computerName = $env:computername

$DNSSuffix = "abc.com"

$oldDNSSuffix = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name "NV Domain")."NV Domain"

#Update primary DNS Suffix for FQDN
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name Domain -Value $DNSSuffix
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name "NV Domain" -Value $DNSSuffix

#Update DNS Suffix Search List - Win8/2012 and above - if needed
#Set-DnsClientGlobalSetting -SuffixSearchList $oldDNSSuffix,$DNSSuffix

#Update AD's SPN records for machine if part of an AD domain
if ((gwmi win32_computersystem).partofdomain -eq $true) {
     $searchAD = new-object System.DirectoryServices.DirectorySearcher
     $searchAD.filter = "(&(objectCategory=computer)(cn=$($computerName)))"
     $searchADItem = $searchAD.FindAll() | select -first 1
     $adObj= [ADSI] $searchADItem.Path
     $oldadObjSPN = $searchADItem.Properties.serviceprincipalname
     $adObj.Put('serviceprincipalname',($oldadObjSPN -replace $oldDNSSuffix, $DNSSuffix))
     $oldadObjDNS = $searchADItem.Properties.dnsHostName
     $adObj.Put('dnsHostName',($oldadObjDNS -replace $oldDNSSuffix, $DNSSuffix))
Formatted for web with http://codeformatter.blogspot.com/ 

Before changing DNS Suffix via CLI / PowerShell

Ran CLI / PowerShell script to update Primary DNS Suffix

After Running CLI / PowerShell script

Upward and onward!


William Braylen said...

English and American English are fundamentally the same in many regards. Be that as it may, there are some little yet essential contrasts in the way that some vocabulary gatherings are shaped. In this article we will investigate the part of postfixes. Suffix with "hero" or "rout"

Nan Zhang said...
This comment has been removed by the author.
Nan Zhang said...
This comment has been removed by the author.
Nan Zhang said...

Thanks for sharing.

I am surprised that there isn't a native call to accomplish this. Having said that it looks like in addition to the servicePrincipalName attribute, the dNSHostName attribute will also need to be updated. The article you reference also made mention of this. It seems a couple lines are needed to be added to your script to accomplish this.

Justin Bennett said...

Thanks for the feedback Nan. I wrote this script to solve my issue of changing the computer's name. dNSHostName should populate the changes the next time the system contacts A.D., but I'll go through and test it again when I get sometime and report back if this is the case.

Alex Neihaus said...

Thanks for this! It's so useful -- especially in AWS. I find I often am reconfiguring Windows Server instances' primary suffix that are not domain-joined to change which default Route 53 DNS server (public or private) short names are resolved from. Using the UI to do this is, at best, tedious. I've always wondered why PowerShell doesn't have cmdlets like "Get-FDQN" and "Update-PrimaryDNSSuffix". For the latter, this script is perfect.

Craig Hume said...

The set SPN is not required, just also change PrimaryDNS Suffix and NV PrimaryDNS suffix under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient in the registry. Easier that way.

Pat Richard said...

In my case, where I'm just adding the DNS suffix to a non-domain joined machine (Skype for Business edge servers), setting the two registry values is all we need.