Get all of the conditional forwarders setup in an Active Directory domain

Just a quick post here as I found myself needing to find out what conditional forwarders each domain controller in an Active Directory domain had configured. We have nearly a hundred domain controllers and so going manually one-by-one was simply not an option.

I whipped up this PowerShell script and figured that someone else out there might need something similar. It is parallelized (the number of $instances can be changed to do more/less parallel work) and then just dumps it to a CSV-ish file.

$instances = 10

Get-AdDomainController -Filter * | ForEach-Object -ThrottleLimit $instances -Parallel {
    $dc = $_
    Write-Host $dc.Name
    $zones = Get-DnsServerZone -ComputerName $dc.Name | Where-Object {$_.ZoneType -eq "Forwarder" }
    $string = $dc.Name + ","
     ForEach ($zone in $zones) {
         $string = $string + $zone.ZoneName + ","
    Write-Host $string
    $string | Out-File -FilePath ".\zones.txt" -Append 

There’s a lot of room for improvement here obviously, but it should at least get you going.

Renew an Azure DevOps Service Connection’s expired secret

We ran into an issue this morning where we needed to renew our Azure DevOps Service Connection’s expired secret but there is no officially supported way to do this. The error was AADSTS7000215 - invalid clientid or secret. Thankfully, it’s not that difficult to solve.

Fake a change

  1. Open your project in ADO ([GROUP]/[PROJECT])
  2. At the bottom-left, choose Project settings
  3. In the Pipelines section, choose Service connections
  4. Select the service connection you’re having issues with
  5. If you click the Edit Service Principal link, you should see a red warning at the top of the page stating that one or more secrets for this service principal have expired; you can verify this by clicking the Certificates and secrets link on the blade and seeing that the single secret expired in the past
  6. Close this tab
  7. Click the Edit button
  8. You’ll notice there is no visible way to actually refresh the secret, however if you first click Verify (which should fail), make a simple change to the Description (add an extra space, for example; anything to make it different than it was)
  9. Now click Save
  10. Now if you re-open the Edit Service Principal link, you should no longer see the warning about expired secrets, and if you go to the Certificates and secrets link on the blade, there should be exactly one secret and should be valid for 2 years from today’s date

Now, if you ever need to renew an Azure DevOps Service Connection’s expired secret, hopefully you can avoid wasting precious time by trying to figure out how to do it manually and just trick the system into doing it for you.

Purge a soft-deleted Azure API Management instance

Azure recently implemented a change to the API Management service whereby deleting the instance only puts it into a soft-deleted state rather than completely nuking it from orbit. This may be desirable for data recovery purposes but it means that if you run a terraform destroy on an environment with an APIM instance on it and then you try and rebuild that environment, it will fail due to the fact that the name you’re trying to use is being held onto by the previously removed instance. So since neither Azure CLI nor Az PowerShell natively support purging, I’m going to show you how to manually purge a soft-deleted Azure API Management instance.

NOTE: The below script uses the basic Az PowerShell tools but with a little elbow grease could be adapted to bash/zsh (provided you have a way of retrieving your Azure access token using OAuth).

$token = Get-AzAccessToken

$request = @{
    Method = 'DELETE'
    Uri    = "{subscriptionGuid}/providers/Microsoft.ApiManagement/locations/{region}/deletedservices/{apimName}?api-version=2020-06-01-preview"
    Headers = @{
        Authorization = "Bearer $($token.Token)"

Invoke-RestMethod @request

The only values you’ll need to supply are the subscriptionGuid, region, and apimName in the Uri.

Now the next time you’re stuck wondering why you can’t tear down and rebuild your environments with your IaC tool of choice, you’ll know how to purge a soft-deleted Azure API Management instance.

Source: Microsoft docs

Posts navigation