@jcefoli
Last active November 26, 2022 04:59
Windows Cluster / DNS: Assign Full Rights to Cluster, Listener and Computer Objects (Bug workaround)
# Requires the ActiveDirectory module (Get-ADComputer, AD: drive) and the DnsServer module
Import-Module ActiveDirectory, DnsServer

# Get a listing of all clusters (CLUS)
# -like without a wildcard only matches the exact name 'CLUS'; adjust the pattern to your naming convention
$clusters = Get-ADComputer -Filter "Name -like '*CLUS*'"

# Set DNS server (the domain's PDC emulator)
$DNSServer = (Get-ADDomain).PDCEmulator

# Set DNS Zone
$DNSZone = "dev.contoso.com"

# Iterate through the list of clusters, get DNS and add the appropriate full control objects (listener, cluster)
foreach ($cluster in $clusters) {
    # Get listener name from Cluster
    # NOTE: as written this looks up the cluster's own computer object again;
    # substitute the listener's computer name here if it differs from the cluster name
    $listener = Get-ADComputer -Identity $cluster.Name

    # Get DNS Records for Cluster and Listener (first record only, so DistinguishedName is a single value)
    $dnsCluster  = Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $DNSZone -Name $cluster.Name | Select-Object -First 1
    $dnsListener = Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $DNSZone -Name $listener.Name | Select-Object -First 1

    # Skip this cluster if either record is missing rather than failing on an empty path
    if (-not $dnsCluster -or -not $dnsListener) {
        Write-Warning "No DNS record found for $($cluster.Name) or $($listener.Name); skipping"
        continue
    }

    Write-Host "Updating DNS on" $dnsCluster.HostName
    Write-Host "Updating DNS on" $dnsListener.HostName

    # Get ACL for the Cluster and Listener Records
    $dnsClusterACL  = Get-Acl -Path "AD:\$($dnsCluster.DistinguishedName)"
    $dnsListenerACL = Get-Acl -Path "AD:\$($dnsListener.DistinguishedName)"

    # Set up the New Permissions (GenericAll = full control over the DNS record object)
    $clusterSID  = New-Object System.Security.Principal.SecurityIdentifier $cluster.SID.Value
    $listenerSID = New-Object System.Security.Principal.SecurityIdentifier $listener.SID.Value
    $clusterACE  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $clusterSID, "GenericAll", "Allow"
    $listenerACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $listenerSID, "GenericAll", "Allow"

    # Add the Rules to the ACL Objects
    $dnsClusterACL.AddAccessRule($clusterACE)
    $dnsClusterACL.AddAccessRule($listenerACE)
    $dnsListenerACL.AddAccessRule($clusterACE)
    $dnsListenerACL.AddAccessRule($listenerACE)

    # Set the ACL to the updated ACL List
    $dnsClusterACL  | Set-Acl -Path "AD:\$($dnsCluster.DistinguishedName)"
    $dnsListenerACL | Set-Acl -Path "AD:\$($dnsListener.DistinguishedName)"
}
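
An added audit check, not part of the original gist: after running the workaround, list every explicit GenericAll allow entry on the cluster DNS records and mark whether the trustee is the cluster's own computer account, so unexpected full-control grants can be reviewed. The '*CLUS*' name pattern and the report column names are assumptions made for this example; the zone name is the one used in the script above.

```powershell
# Added example: audit explicit GenericAll ACEs on cluster DNS records.
Import-Module ActiveDirectory, DnsServer

$DNSServer  = (Get-ADDomain).PDCEmulator
$DNSZone    = "dev.contoso.com"                              # zone used in the script above
$clusters   = Get-ADComputer -Filter "Name -like '*CLUS*'"   # assumed naming pattern
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$sidType    = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($cluster in $clusters) {
    $record = Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $DNSZone `
                  -Name $cluster.Name -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $record) { continue }

    $acl = Get-Acl -Path "AD:\$($record.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Only explicit Allow ACEs that carry the full GenericAll mask are of interest
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($genericAll)) { continue }

        # Resolve the trustee to a SID so it can be compared with the computer account
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $sid = $null }   # orphaned or unresolvable trustee

        [pscustomobject]@{
            Record    = $record.HostName
            Trustee   = $ace.IdentityReference.Value
            Sid       = $sid
            IsCluster = ($sid -eq $cluster.SID.Value)
        }
    }
}

# Trustees other than the cluster's own account are listed first for review
$report | Sort-Object IsCluster, Record | Format-Table -AutoSize
```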