How to update the list of Name Servers on a DNS Zone with a Script

I was working with a customer this week doing some Active Directory cleanup tasks.  We were decommissioning the last of their Windows Server 2003 domain controllers so we could upgrade the domain and forest functional level to Windows Server 2008 R2 to take advantage of some new features.

After removing the last Windows Server 2003 domain controller we opened up the DNS console to cleanup all the references to the decommissioned server including SRV records and DNS zone name server entries.  Removing the name server entries from the forward lookup zones was easy to do manually since there were only a couple.  When we got to the reverse lookup zones we realized we needed some automation since there were over 20 reverse lookup zones to remove the obsolete name server entries from.

The following commands can be used to Add or Delete Name Server (NS) records from a zone:

Add Record

DNSCMD <DNS server> /RECORDADD <zone name> @ NS <name server FQDN>

Delete Record

DNSCMD <DNS server> /RECORDDELETE <zone name> @ NS <name server FQDN> /F

Notice the “/F” at the end of the delete command.  This suppresses the “Y/N?” prompt

To automate the task we created a script that uses a DOS FOR loop to iterate through the zones in a text file and remove the obsolete name server records.  I added the DNSCMD commands above to my standard FOR loop script template that includes logging.

The first thing we did was create a ZONES.TXT file containing all the reverse lookup zones we needed to modify.  We placed the ZONES.TXT file in the same directory as the script. 

The contents are shown below:

The contents of the UPDATE_NAME_SERVERS.CMD script is shown below:

:::::::::::::::::::::::::: BEGIN SCRIPT ::::::::::::::::::::::::::::::::

  :: DATE: 4:56 PM 12/16/2013
  :: PURPOSE: 
  :: The ZONES.TXT contains a list of zones (one server per line)
  :: to be modified


FOR /F “tokens=1” %%i in (zones.txt) DO (
   ECHO Running command on… %%i
   REM Delete Name Server (NS) records from a zone
   dnscmd /recorddelete %%i @ NS /f  >> %LOGFILENAME%

  REM USe this section to ADD Name Server (NS) Records
   REM Uncomment the DNSCMD line below to add NS records
   REM ============================================
   REM  dnscmd /recordadd %%i @ NS >> %LOGFILENAME%


  :::::::::::::::::::::::::: END SCRIPT :::::::::::::::::::::::::::::::::::

Remember when using sample scripts always test them in a lab environment first before using them in production.  If you found this useful or have feedback feel free to leave me a comment below.

Comments (9)

  1. Rupspan says:

    Fantasic! Cleanup script.  Most admins dont know that they have stale NS records and failed demotions.

  2. Thanks! says:

    Thanks, this script saved me a lot of time.

  3. Glennn says:

    This does not work

    DNS_ERROR_ZONE_DOES_NOT_EXIST     9601  (00002581)


  4. MuadDib says:

    @Glennn, Did any zones get updated? If no check your command syntax. Do you have a zones.txt file in the same folder as script?  Make sure script lines did not get wrapped when you copy/pasted.

  5. Glennn says:

    Schoolboy error DC. The zones were not in reverse order. I uploaded a new and improved generic script to work on any DNS server no hard coding required.

  6. Diwakar says:

    here, we know how many name server we need to clean but incase, we don't know the list whom we need to delete then what will do ?

    in my environment, AD never cleaned last 10 yeras

  7. SnappG says:

    Why not turn on scavenging and let the process do the dirty work?

    1. Jon says:

      Scavenging, while fantastic, won’t remove NS records from AD integrated zones after you demote a domain controller that was providing DNS. That’s the purpose of the script. That being said while the syntax seems to work, e.g.

      >dnscmd dc5 /recorddelete NS /f

      Deleted NS record(s) at
      Command completed successfully.

      it doesn’t actually remove the NS record for me;

      >dnscmd irv-corp-dc5 /enumrecords @
      Returned records:
      @ 3600 A
      3600 NS
      3600 NS
      3600 NS <====
      3600 SOA 18 900 600 604800 3600

      Command completed successfully.

      Which is lame, since I have 50+ AD integrated forward lookup zones (long story) and have a powershell script already enumerating the zones, and ready to run this command through a loop of them…

      1. Jon says:


        Syntax needed to be as shown;

        >dnscmd dc5 /recorddelete @ NS

