BlueTuxedo
A tiny tool built to find and fix common misconfigurations in Active Directory-Integrated DNS (and a little DHCP as a treat).
How can BlueTuxedo help you?
Watch the presentation from BSidesCharm.
Quick Start:

```powershell
# Install from PSGallery
Install-Module -Name BlueTuxedo -Scope CurrentUser
Invoke-BlueTuxedo

# Clone from GitHub and Import
git clone https://github.com/jakehildreth/BlueTuxedo.git
cd BlueTuxedo
Import-Module .\BlueTuxedo.psd1 -Force
Invoke-BlueTuxedo

# Use the testing branch - probably broken, but 🤷‍♀️
git clone https://github.com/jakehildreth/BlueTuxedo.git
cd BlueTuxedo
git checkout testing
Import-Module .\BlueTuxedo.psd1 -Force
Invoke-BlueTuxedo
```

Running Invoke-BlueTuxedo with no parameters will Get stuff, Test it, then offer code for how to Repair identified issues (where possible).
Get Stuff
- ADI Zones
- Conditional Forwarder
- Dangling SPNs [^1]
- DHCP Dynamic Update service account configuration
- DnsAdmins Membership
- DnsUpdateProxy Membership
- Forwarder Configuration
- Global Query Block List (GQBL)
- Non-ADI Zone Auditing
- Query Resolution Policies
- Security Descriptors
- Socket Pool Configuration
- Tombstoned DNS Records
- Wildcard Record
- WPAD Record
- Zone Scopes
- Zone Scope Containers
Test Stuff
| Item | Test Condition |
|---------|---------------|
| ADI Zones | Is Legacy Zone? |
| ADI Zones | Are Secure Updates enabled? |
| DHCP Dynamic Update service account | Exists on each DHCP server? |
| Dangling SPNs | Exist? |
| DnsAdmins Membership | Is non-zero? |
| DnsUpdateProxy Membership | Is non-zero? |
| Forwarder Configuration | Exist? |
| Global Query Block List (GQBL) | Contains wpad/isatap |
| Non-ADI Zones | Exist? |
| Query Resolution Policies | Exist? |
| Security Descriptor (ACEs) | Standard/Expected? |
| Security Descriptor (Ownership) | Standard/Expected? |
| Socket Pool Configuration | Is maximum? |
| Tombstoned DNS Records | Exist? |
| Wildcard Record | Exists & correct type? |
| WPAD Record | Exists & correct type? |
| Zone Scopes | Exist? |
| Zone Scope Containers | Exists & empty? |
Repair Stuff
| Item | Fix |
|------|-----|
| ADI Zones | Convert Legacy (Windows 2000 Compatible) Zones to Modern |
| Dangling SPNs | Delete SPN from Account |
| Socket Pool Configuration | Set Socket Pool Configuration to Maximum |
| Tombstoned DNS Records | Delete Tombstoned DNS Record |
| Wildcard Record | Create Proper Wildcard Record |
| WPAD Record | Create Proper WPAD Record |
[^1]: A "Dangling SPN" is a Service Principal Name (SPN) in which the host portion of the SPN does not resolve to an IP address.
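As an added illustration of the "Dangling SPN" check described above (this is example code written for this page, not BlueTuxedo's own implementation), the function below enumerates every servicePrincipalName in the domain, takes the host portion of each SPN, and reports the ones that do not resolve. It assumes the ActiveDirectory and DnsClient modules are present and that it runs on a domain-joined host whose DNS suffix search list covers short host names.

```powershell
# Added example, not part of the BlueTuxedo module.
# Assumes: ActiveDirectory + DnsClient modules, domain-joined host, read access to servicePrincipalName.
function Find-DanglingSpn {
    [CmdletBinding()]
    param(
        # Search base for the SPN query; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Cache of hostname -> $true/$false so each distinct host is looked up only once.
    $resolved = @{}

    $accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -SearchBase $SearchBase `
                             -Properties servicePrincipalName

    foreach ($account in $accounts) {
        foreach ($spn in $account.servicePrincipalName) {
            # SPN shape is service/host[:port][/instance]; the host is the second '/'-delimited element.
            $parts = $spn -split '/'
            if ($parts.Count -lt 2) { continue }
            $target = ($parts[1] -split ':')[0]

            if (-not $resolved.ContainsKey($target)) {
                try {
                    # Ask for A/AAAA only; -ErrorAction Stop turns NXDOMAIN into a catchable error.
                    $null = Resolve-DnsName -Name $target -Type A_AAAA -ErrorAction Stop
                    $resolved[$target] = $true
                } catch {
                    $resolved[$target] = $false
                }
            }

            # Report, but do not modify, the SPNs whose host no longer resolves.
            if (-not $resolved[$target]) {
                [PSCustomObject]@{
                    Account = $account.DistinguishedName
                    SPN     = $spn
                    Host    = $target
                }
            }
        }
    }
}

# Usage: Find-DanglingSpn | Format-Table -AutoSize
```

A host that answers only from a stale cache on the resolver you query will not be flagged, so run this against the domain's own DNS servers for the result to match what BlueTuxedo's Test step sees.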