How can I roll over the Kerberos decryption key of the AZUREADSSOACC computer account

It is important to frequently roll over the Kerberos decryption key of the AZUREADSSOACC computer account (which represents Azure AD) created in your on-premises AD forest.


We highly recommend that you roll over the Kerberos decryption key at least every 30 days.

Follow these steps on the on-premises server where you are running Azure AD Connect:

Step 1. Get list of AD forests where Seamless SSO has been enabled
1.First, download, and install Azure AD PowerShell.
2.Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
3.Import the Seamless SSO PowerShell module using this command:

Import-Module .\AzureADSSO.psd1.

4.Run PowerShell as an Administrator. In PowerShell, call


This command should give you a popup to enter your tenant’s Global Administrator credentials.

5.Call Get-AzureADSSOStatus. This command provides you the list of AD forests (look at the “Domains” list) on which this feature has been enabled.

Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on

1.Call $creds = Get-Credential. When prompted, enter the Domain Administrator credentials for the intended AD forest.

how to install Azure RM module for powershell

You need to download and install the module for azure DNS first

First check the power shell version because Azure RM module need power shell 5.0 at least.


Install-Module -Name AzureRM

By default, the PowerShell gallery isn’t configured as a trusted repository for PowerShellGet. The first time you use the PSGallery you see the following prompt:
Untrusted repository

You are installing the modules from an untrusted repository. If you trust this repository, change its Installation Policy value by running the

Set-PSRepository cmdlet.

Are you sure you want to install the modules from ‘PSGallery’?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”):

# Import the module into the PowerShell session
Import-Module AzureRM
# Connect to Azure with an interactive dialog for sign-in

Update-Module -Name AzureRM

How to import/export DNS zone file to Azure DNS using CLI

Login to Azure using CLI

az login

az account set -s <Subscription Name>

To Import Zone File:-
az network dns zone import -g <ResourceGroupName> -n <ZoneName> -f  <ZoneFileFullPath>

To Test imported zone file:-
az network dns record-set list -g <ResourceGroupName> -z <ZoneName>

Stellar Phoenix Mailbox Exchange Recovery – Product Review

I recommend Stellar Phoenix Mailbox Exchange Recovery Software to repair corrupt EDB files in case there is an issue with Exchange Server or the Exchange Database.

Earlier this month, our office suffered a major power outage. Since the power backup did not respond in due time, the sudden power outage led to the accidental shutdown of Exchange system, and ‘Dirty pages’ in the database resulted in Dirty Shutdown error.

One of the frustrating challenges that Exchange Administrators come across is Exchange Server NOT working up-to-the-mark thus resulting in corrupt Exchange database. Typically, this error is caused due to an accidental power outage.

Troubleshooting the Exchange Database error with Stellar Phoenix Mailbox Exchange Recovery

The problem named “Exchange not accessible” is the most unwanted issue for all Exchange Administrators as business communication comes to an end in real time. Thankfully, we were fortunate enough to tackle this problem as we discovered a specialized Exchange database repair software called Stellar Phoenix Mailbox Exchange Recovery software.

Installing the software was easy. We used the Download Link on the product page of the website and followed the steps available on Installation Guide to install Stellar Phoenix Mailbox Exchange Recovery software on our system.

Here’s how we benefitted from this software:

Easy-to-use Graphical User Interface: Using a software requires proper training, which may stretch for hours, but Mailbox Exchange recovery software from Stellar provided an easy-to-work and easy-to-navigate user interface and made the repair process straightforward.

Convenient Search Functionality: This software enabled us to search for the right Exchange Database file. Sometimes, it is not easy to locate the exact location of the file then this software’s ‘Find’ functionality helps in establishing the right data in no time.

Repairs large and multiple EDB files: This software successfully repairs the EDB files irrespective of the size of the data. Additionally, it also fixes numerous EDBs at the same time.


Extensive Scan Option: We were not sure of the level of corruption in EDB files. Hence the advanced scanning option of ‘Extensive scan’ helped us in scoring better results with a little time investment. After selecting the file for repair, the software provides ‘Select Scan Mode’ option. We clicked upon Extensive scan option followed by OK, to start the extensive scanning process.


Elaborate format to preview and verify entire data: Once the scanning is complete, we could witness the EDB as a whole on the screen. This preview was well categorized into three main sections with Left pane consisting of EDB Filename under Root node; the middle pane displaying a list of recovered emails and other mail components; and when we clicked on an item in the middle pane, then its constituents are shown on the Right of the dashboard.

A far-reaching utility which recovers Deleted mailboxes: This preview also contains all the Deleted Exchange Mailboxes. Some of these mailboxes were deleted accidentally, and it was good to see all these mailboxes in the EDB file again.

Search Criteria enables searching specific email: We needed to test particular emails to validate recovered data. Here Search Criteria came in handy which allows searching as per Date, To, From, Subject, Attachments and more. Scanning displays the entire list of mail components, but by filling some details of specific emails, software eases the search process and in turn verification of mailbox data.


Saves Scanned File as PST or exports directly to Exchange Server: Repaired mailboxes are saved as PST file. We could also export these mailboxes directly to Live Exchange server with the help of Stellar Phoenix Mailbox Exchange Recovery software. Other saving and exporting options are also available including exporting the scanned file directly to Office 365.

Save and Load Scan Info: One of the interesting features which will help us in the future. The scanned file can be saved as DAT file. This DAT file can be loaded in the software even after the time gap to save the mailbox data after some time. Since the scanned data is free from corruption, we saved this scanned file at a secure location. It will serve the purpose of backup to date.

The software also generates a Log Report stating the number of repaired mailboxes and other recovery details.

Here’s the process to fix corrupt Exchange Database File

Stellar Phoenix Mailbox Exchange Recovery software is easy to download and install and equally easy to work with. Its user interface lets the user glide through the functions, and the software ensures that the recovery process is performed with ease. Follow the link to get the steps involved in Exchange database recovery.

Our Verdict

The Mailbox recovery software from Stellar is one of the most feature-rich software to recover corrupt EDB files and restore all contents including emails, attachments, contacts, calendars, tasks, journals and more. Additionally, this software recovers all deleted mailboxes, as deleted accidentally or intentionally.

Ideally demonstrated by usage, this software also issues an all-inclusive Log Report to highlight the number of Exchange Database files repaired during the repair process.

The hassle-free and quick resolution to Exchange server issues like Dirty Shutdown error, as experienced by the Exchange server at our premises, showcases the efficiency of Stellar Phoenix Mailbox Exchange Recovery software. The interactive GUI made us work on the software without prior training. The competitive software lived up to our expectations by repairing the Exchange database and ensuring NO data loss during the repair process. Also, the time taken by the software to restore the EDB file was by the size of Exchange database. It was for this Stellar software that our Exchange is up and running in such a short span.

free website like wordpress

10 Popular Alternatives to WordPress

WordPress is popular, and we love it, but it is not the only publishing platform. There are WordPress alternatives that you can use to build your website. Recently one of our readers asked us to write about WordPress competitors. In this article, we will show you 10 popular alternatives to WordPress.

1- Blogger


Last but not the least, Blogger is still alive. It is a free blog service by Google. It has most of the features you would need for blogging. A commenting system, built-in social capabilities, easy to use, templates, and the option to use your own domain name.

We have written a full comparison between Blogger vs WordPress (Pros and Cons). If you are using Blogger and want to switch to WordPress, then follow this guide.

We hope this article provided you a chance to look at some popular WordPress alternatives. While looking at these alternatives, you may want to take a look at our guide on why you should use WordPress.

2- Google Sites

Google Sites

Google Sites is an easier and simpler way to build small websites. It is extremely easy to use, free to host, and you can even use your own custom domain for your site.

It cannot be compared with CMS software in our list, but it can be compared with services like Wix, Weebly, and Squarespace.

3- Tumblr


Tumblr is a popular free blogging platform. Tumblr combines blogging with social, and makes blogging quite fun. It has a strong user base despite the fact that it was acquired by Yahoo in 2013.

Tumblr allows users to choose from free or premium themes. Users can also use custom domain names for their Tumblr blogs. Apart from your blog, you can also create pages. It is a completely hosted solution, so you don’t have to worry about installing or maintaining any software.

4- Joomla


This year Joomla will be celebrating its 10th birthday. It is a strong, multi-purpose, and open source CMS. It has a large community of users and developers.

Joomla comes with all the things that WordPress can do, and then some more. It has extensions and templates. It is already used by millions of users, small businesses, corporations, government and non-profits all over the world.

Just like WordPress, Joomla has a community support system, extensive documentation, and it runs on most web hosting platforms.

5- Ghost


Some WordPress users who want to focus on blogging felt that WordPress is going in a totally different direction. This gave birth to Ghost, which is a NodeJS based blogging software.

The difference is that Ghost is entirely focused on blogging and keeping the clutter away. It provides a clean writing and browsing experience for bloggers and readers.

6- Wix


Wix is a completely hosted web site builder. It is free to use for personal or a small business website. It comes with pre-designed templates that users can modify using the drag and drop page builder.

Wix also has eCommerce support with its paid plans, which allows site owners to accept online payments using PayPal or See our article on Wix vs WordPress for a side by side comparison of the two platforms.

If you are already using Wix and want to transfer it to WordPress, then see our article on how to properly switch from Wix to WordPress.

7- Shopify


If you want to build an online store, then Shopify is a great alternative to WordPress. It provides easy to use tools to create your own online shop. You can sell your products and accept payments.

Shopify comes with easy to use tools to get you started with your website. It has ready-made templates, apps, and lots of integration options.

Wondering how it compares to WooCommerce (the best WordPress eCommerce plugin)? See our article on Shopify vs WooCommerce for a detailed comparison of the two platforms.

8- Drupal


Drupal is another very popular open source CMS. Just like WordPress and Joomla, Drupal has a strong user base and developer community. It powers nearly 2.1% of all websites on the internet including The White House, The Economist, State of Georgia, and many more.

Drupal has modules and themes just like WordPress. It shares the same software requirements as WordPress and Joomla, so it can run on pretty much any web host that supports WordPress.

9- Jekyll


Jekyll is a static site generator. It is written in Ruby and requires NodeJS. It is a lot different than WordPress. For starters it is a static site generator which means it takes your text and generates static HTML pages for your site (no database).

You can use free hosting provided by GitHub Pages with Jekyll. This means that if you are familiar with Markdown, SVN, Git, and command line, then you will be up and running in no-time. In other words, this is made for developers!

10- Squarespace


Squarespace is a paid site builder that can be used as a WordPress alternative. It is extremely easy to use and a completely hosted solution.

Just like Wix and Weebly, Squarespace also offers ready-to-use templates that you can customize. There are no plugins or additional modules to install. You can only use the features provided by Squarespace. See our comparison of Squarespace vs WordPress.

Azure Active Directory Single Sign-On Using Azure Ad Connect

Azure Active Directory Seamless Single Sign-On: Quick start

Deploy Seamless Single Sign-On

Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs in users when they are on their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components.

To deploy Seamless SSO, follow these steps.

Step 1: Check the prerequisites

Ensure that the following prerequisites are in place:

  • Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:
    • You use version 1.1.644.0 or later of Azure AD Connect.
    • If your firewall or proxy allows DNS whitelisting, whitelist the connections to the * URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins.


Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to password hash synchronization. If you don’t intend to use password hash synchronization in conjunction with Pass-through Authentication, read the Azure AD Connect release notes to learn more.

  • Use a supported Azure AD Connect topology: Ensure that you are using one of Azure AD Connect’s supported topologies described here.


Seamless SSO supports multiple AD forests, whether there are AD trusts between them or not.

  • Set up domain administrator credentials: You need to have domain administrator credentials for each Active Directory forest that:
    • You synchronize to Azure AD through Azure AD Connect.
    • Contains users you want to enable for Seamless SSO.
  • Enable modern authentication: You need to enable modern authentication on your tenant for this feature to work.
  • Use the latest versions of Office 365 clients: To get a silent sign-on experience with Office 365 clients (Outlook, Word, Excel, and others), your users need to use versions 16.0.8730.xxxx or above.

Step 2: Enable the feature

Enable Seamless SSO through Azure AD Connect.

If you’re doing a fresh installation of Azure AD Connect, choose the custom installation path. At the User sign-in page, select the Enable single sign on option.


The option will be available for selection only if the Sign On method is Password Hash Synchronization or Pass-through Authentication.


If you already have an installation of Azure AD Connect, select the Change user sign-in page in Azure AD Connect, and then select Next. If you are using Azure AD Connect versions 1.1.880.0 or above, the Enable single sign on option will be selected by default. If you are using older versions of Azure AD Connect, select the Enable single sign on option.


Continue through the wizard until you get to the Enable single sign on page. Provide domain administrator credentials for each Active Directory forest that:

  • You synchronize to Azure AD through Azure AD Connect.
  • Contains users you want to enable for Seamless SSO.

After completion of the wizard, Seamless SSO is enabled on your tenant.


The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They’re used only to enable the feature.

Follow these instructions to verify that you have enabled Seamless SSO correctly:

  1. Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
  2. Select Azure Active Directory in the left pane.
  3. Select Azure AD Connect.
  4. Verify that the Seamless single sign-on feature appears as Enabled.



Seamless SSO creates a computer account named AZUREADSSOACC (which represents Azure AD) in your on-premises Active Directory (AD) in each AD forest. This computer account is needed for the feature to work. Move the AZUREADSSOACC computer account to an Organization Unit (OU) where other computer accounts are stored to ensure that it is managed in the same way and is not deleted.

Step 3: Roll out the feature

You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users’ Intranet zone settings by using Group Policy in Active Directory:


In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy.


The following instructions work only for Internet Explorer and Google Chrome on Windows (if it shares a set of trusted site URLs with Internet Explorer). Read the next section for instructions on how to set up Mozilla Firefox and Google Chrome on macOS.

Why do you need to modify users’ Intranet zone settings?

By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a specific URL. For example, “http://contoso/” maps to the Intranet zone, whereas “” maps to the Internet zone (because the URL contains a period). Browsers will not send Kerberos tickets to a cloud endpoint, like the Azure AD URL, unless you explicitly add the URL to the browser’s Intranet zone.

There are two ways to modify users’ Intranet zone settings:


Admin consideration

User experience

Group policy

Admin locks down editing of Intranet zone settings

Users cannot modify their own settings

Group policy preference

Admin allows editing on Intranet zone settings

Users can modify their own settings

“Group policy” option – Detailed steps

  1. Open the Group Policy Management Editor tool.
  2. Edit the group policy that’s applied to some or all your users. This example uses Default Domain Policy.
  3. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.


  1. Enable the policy, and then enter the following values in the dialog box:
    • Value name: The Azure AD URL where the Kerberos tickets are forwarded.
    • Value (Data): 1 indicates the Intranet zone.The result looks like this:Value: https://autologon.microsoftazuread-sso.comData: 1


If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks), set the preceding values to 4. This action adds the Azure AD URL to the Restricted zone, and fails Seamless SSO all the time.

  1. Select OK, and then select OK again.


  1. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.


  1. Enable the policy setting, and then select OK.


“Group policy preference” option – Detailed steps

  1. Open the Group Policy Management Editor tool.
  2. Edit the group policy that’s applied to some or all your users. This example uses Default Domain Policy.
  3. Browse to User Configuration > Preferences > Windows Settings > Registry > New > Registry item.


  1. Enter the following values in appropriate fields and click OK.
    • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\autologon
    • Value name: https.
    • Value type: REG_DWORD.
    • Value data: 00000001.



  1. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.


  1. Enable the policy setting, and then select OK.


Browser considerations

Mozilla Firefox (all platforms)

Mozilla Firefox doesn’t automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps:

  1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
  2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox’s trusted sites for Kerberos authentication.
  3. Right-click and select Modify.
  4. Enter in the field.
  5. Select OK and then reopen the browser.

Safari (macOS)

Ensure that the machine running the macOS is joined to AD. Instructions for AD-joining your macOS device is outside the scope of this article.

Google Chrome (all platforms)

If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD’s URL ( to them as well.

Google Chrome (macOS only)

For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URL for integrated authentication.

The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.

Known browser limitations

Seamless SSO doesn’t work in private browsing mode on Firefox and Edge browsers. It also doesn’t work on Internet Explorer if the browser is running in Enhanced Protected mode.

Step 4: Test the feature

To test the feature for a specific user, ensure that all the following conditions are in place:

  • The user signs in on a corporate device.
  • The device is joined to your Active Directory domain. The device doesn’t need to be Azure AD Joined.
  • The device has a direct connection to your domain controller (DC), either on the corporate wired or wireless network or via a remote access connection, such as a VPN connection.
  • You have rolled out the feature to this user through Group Policy.

To test the scenario where the user enters only the username, but not the password:

  • Sign in to in a new private browser session.

To test the scenario where the user doesn’t have to enter the username or the password, use one of these steps:

  • Sign in to in a new private browser session. Replace contoso with your tenant’s name.
  • Sign in to in a new private browser session. Replace with a verified domain (not a federated domain) on your tenant.

Step 5: Roll over keys

In Step 2, Azure AD Connect creates computer accounts (representing Azure AD) in all the Active Directory forests on which you have enabled Seamless SSO. To learn more, see Azure Active Directory Seamless Single Sign-On: Technical deep dive.


The Kerberos decryption key on a computer account, if leaked, can be used to generate Kerberos tickets for any user in its AD forest. Malicious actors can then impersonate Azure AD sign-ins for compromised users. We highly recommend that you periodically roll over these Kerberos decryption keys – at least once every 30 days.

For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked questions. We are working on a capability to introduce automated roll over of keys.


You don’t need to do this step immediately after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.

How to connect to Exchange Online using Powershell

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Cred -Authentication Basic -AllowRedirection

Set-ExecutionPolicy -ExecutionPolicy unrestricted

Import-PSSession $Session

Import and export a Azure DNS zone file using CLI

Import a DNS zone file into Azure DNS

Importing a zone file creates a new zone in Azure DNS if one does not already exist. If the zone already exists, the record sets in the zone file must be merged with the existing record sets.

Merge behavior

  • By default, existing and new record sets are merged. Identical records within a merged record set are de-duplicated.
  • When record sets are merged, the time to live (TTL) of preexisting record sets is used.
  • Start of Authority (SOA) parameters (except host) are always taken from the imported zone file. Similarly, for the name server record set at the zone apex, the TTL is always taken from the imported zone file.
  • An imported CNAME record does not replace an existing CNAME record with the same name.
  • When a conflict arises between a CNAME record and another record of the same name but different type (regardless of which is existing or new), the existing record is retained.

Additional information about importing

The following notes provide additional technical details about the zone import process.

  • The $TTL directive is optional, and it is supported. When no $TTL directive is given, records without an explicit TTL are imported set to a default TTL of 3600 seconds. When two records in the same record set specify different TTLs, the lower value is used.
  • The $ORIGIN directive is optional, and it is supported. When no $ORIGIN is set, the default value used is the zone name as specified on the command line (plus the terminating “.”).
  • The $INCLUDE and $GENERATE directives are not supported.
  • These record types are supported: A, AAAA, CNAME, MX, NS, SOA, SRV, and TXT.
  • The SOA record is created automatically by Azure DNS when a zone is created. When you import a zone file, all SOA parameters are taken from the zone file except the host parameter. This parameter uses the value provided by Azure DNS. This is because this parameter must refer to the primary name server provided by Azure DNS.
  • The name server record set at the zone apex is also created automatically by Azure DNS when the zone is created. Only the TTL of this record set is imported. These records contain the name server names provided by Azure DNS. The record data is not overwritten by the values contained in the imported zone file.
  • During Public Preview, Azure DNS supports only single-string TXT records. Multistring TXT records are be concatenated and truncated to 255 characters.

CLI format and values

The format of the Azure CLI command to import a DNS zone is:

az network dns zone import -g <resource group> -n <zone name> -f <zone file name>



  • <resource group> is the name of the resource group for the zone in Azure DNS.
  • <zone name> is the name of the zone.
  • <zone file name> is the path/name of the zone file to be imported.

If a zone with this name does not exist in the resource group, it is created for you. If the zone already exists, the imported record sets are merged with existing record sets.

Step 1. Import a zone file

To import a zone file for the zone

  1. If you don’t have one already, you need to create a Resource Manager resource group.

az group create –group myresourcegroup -l westeurope

2. To import the zone from the file into a new DNS zone in the resource group myresourcegroup, you will run the command az network dns zone import.
This command loads the zone file and parses it. The command executes a series of commands on the Azure DNS service to create the zone and all the record sets in the zone. The command reports progress in the console window, along with any errors or warnings. Because record sets are created in series, it may take a few minutes to import a large zone file.

az network dns zone import -g myresourcegroup -n -f

Step 2. Verify the zone

To verify the DNS zone after you import the file, you can use any one of the following methods:

  • You can list the records by using the following Azure CLI command:

az network dns record-set list -g myresourcegroup -z


  • You can list the records by using the PowerShell cmdlet Get-AzureRmDnsRecordSet.
  • You can use nslookup to verify name resolution for the records. Because the zone isn’t delegated yet, you need to specify the correct Azure DNS name servers explicitly. The following sample shows how to retrieve the name server names assigned to the zone. This also shows how to query the “www” record by using nslookup.

az network dns record-set ns list -g myresourcegroup -z –output json





Step 3. Update DNS delegation

After you have verified that the zone has been imported correctly, you need to update the DNS delegation to point to the Azure DNS name servers. For more information, see the article Update the DNS delegation.

Export a DNS zone file from Azure DNS

The format of the Azure CLI command to import a DNS zone is:

az network dns zone export -g <resource group> -n <zone name> -f <zone file name>


  • <resource group> is the name of the resource group for the zone in Azure DNS.
  • <zone name> is the name of the zone.
  • <zone file name> is the path/name of the zone file to be exported.

As with the zone import, you first need to sign in, choose your subscription, and configure the Azure CLI to use Resource Manager mode.

To export a zone file

To export the existing Azure DNS zone in resource group myresourcegroup to the file (in the current folder), run azure network dns zone export. This command calls the Azure DNS service to enumerate record sets in the zone and export the results to a BIND-compatible zone file.

az network dns zone export -g myresourcegroup -n -f

How to manage DNS Zones using PowerShell

Set up Azure PowerShell for Azure DNS

Before you begin

Verify that you have the following items before beginning your configuration.

  • An Azure subscription. If you don’t already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.
  • You need to install the latest version of the Azure Resource Manager PowerShell cmdlets. For more information, see How to install and configure Azure PowerShell.

In addition, to use Private Zones (Public Preview), you need to ensure you have the below PowerShell modules and versions.

  • AzureRM.Dns – version 4.1.0 or above
  • AzureRM.Network – version 5.4.0 or above

Find-Module -Name AzureRM.Dns

Find-Module -Name AzureRM.Network

The output of the above commands need to show that the version of AzureRM.Dns is 4.1.0 or higher version, and for AzureRM.Network is 5.4.0 or higher version.

In case your system has earlier versions, you can either install the latest version of Azure PowerShell, or download and install the above modules from the PowerShell Gallery, using the links above next to the Module versions. You can then install them using the below commands. Both the modules are required and are fully backwards compatible.

Install-Module -Name AzureRM.Dns -Force

Install-Module -Name AzureRM.Network -Force

Sign in to your Azure account

Open your PowerShell console and connect to your account. For more information, see Using PowerShell with Resource Manager.



Select the subscription

Check the subscriptions for the account.


Choose which of your Azure subscriptions to use.

Select-AzureRmSubscription -SubscriptionName “your_subscription_name”

Create a resource group

Azure Resource Manager requires that all resource groups specify a location. This location is used as the default location for resources in that resource group. However, because all DNS resources are global, not regional, the choice of resource group location has no impact on Azure DNS.

You can skip this step if you are using an existing resource group.

New-AzureRmResourceGroup -Name MyAzureResourceGroup -location “East US”

Register resource provider

The Azure DNS service is managed by the Microsoft.Network resource provider. Your Azure subscription must be registered to use this resource provider before you can use Azure DNS. This is a one-time operation for each subscription.

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

Create a DNS zone

A DNS zone is created by using the New-AzureRmDnsZone cmdlet.

The following example creates a DNS zone called in the resource group called MyResourceGroup:

New-AzureRmDnsZone -Name -ResourceGroupName MyAzureResourceGroup

The following example shows how to create a DNS zone with two Azure Resource Manager tagsproject = demo and env = test:

New-AzureRmDnsZone -Name -ResourceGroupName MyAzureResourceGroup -Tag @{ project=”demo”; env=”test” }

Azure DNS now also supports private DNS zones (currently in public preview). To learn more about private DNS zones, see Using Azure DNS for private domains. For an example of how to create a private DNS zone, see Get started with Azure DNS private zones using PowerShell.

Get a DNS zone

To retrieve a DNS zone, use the Get-AzureRmDnsZone cmdlet. This operation returns a DNS zone object corresponding to an existing zone in Azure DNS. The object contains data about the zone (such as the number of record sets), but does not contain the record sets themselves (see Get-AzureRmDnsRecordSet).

Get-AzureRmDnsZone -Name –ResourceGroupName MyAzureResourceGroup

Name :
ResourceGroupName : myresourcegroup
Etag : 00000003-0000-0000-8ec2-f4879750d201
Tags : {project, env}
NameServers : {,,,}
NumberOfRecordSets : 2
MaxNumberOfRecordSets : 5000


List DNS zones

By omitting the zone name from Get-AzureRmDnsZone, you can enumerate all zones in a resource group. This operation returns an array of zone objects.

$zoneList = Get-AzureRmDnsZone -ResourceGroupName MyAzureResourceGroup

By omitting both the zone name and the resource group name from Get-AzureRmDnsZone, you can enumerate all zones in the Azure subscription.

$zoneList = Get-AzureRmDnsZone

Update a DNS zone

Changes to a DNS zone resource can be made by using Set-AzureRmDnsZone. This cmdlet does not update any of the DNS record sets within the zone (see How to Manage DNS records). It’s only used to update properties of the zone resource itself. The writable zone properties are currently limited to the Azure Resource Manager ‘tags’ for the zone resource.

Use one of the following two ways to update a DNS zone:

Specify the zone using the zone name and resource group

This approach replaces the existing zone tags with the values specified.

Set-AzureRmDnsZone -Name -ResourceGroupName MyAzureResourceGroup -Tag @{ project=”demo”; env=”test” }

Specify the zone using a $zone object

This approach retrieves the existing zone object, modifies the tags, and then commits the changes. In this way, existing tags can be preserved.

# Get the zone object
$zone = Get-AzureRmDnsZone -Name -ResourceGroupName MyAzureResourceGroup

# Remove an existing tag

# Add a new tag

# Commit changes
Set-AzureRmDnsZone -Zone $zone

When using Set-AzureRmDnsZone with a $zone object, Etag checks are used to ensure concurrent changes are not overwritten. You can use the optional -Overwrite switch to suppress these checks.

Delete a DNS Zone

DNS zones can be deleted using the Remove-AzureRmDnsZone cmdlet.

Use one of the following two ways to delete a DNS zone:

Specify the zone using the zone name and resource group name

Remove-AzureRmDnsZone -Name -ResourceGroupName MyAzureResourceGroup

Specify the zone using a $zone object

You can specify the zone to be deleted using a $zone object returned by Get-AzureRmDnsZone.

$zone = Get-AzureRmDnsZone -Name -ResourceGroupName MyAzureResourceGroup
Remove-AzureRmDnsZone -Zone $zone

The zone object can also be piped instead of being passed as a parameter:

Get-AzureRmDnsZone -Name -ResourceGroupName MyAzureResourceGroup | Remove-AzureRmDnsZone

As with Set-AzureRmDnsZone, specifying the zone using a $zone object enables Etag checks to ensure concurrent changes are not deleted. Use the -Overwrite switch to suppress these checks.

Confirmation prompts

The New-AzureRmDnsZoneSet-AzureRmDnsZone, and Remove-AzureRmDnsZone cmdlets all support confirmation prompts.

Both New-AzureRmDnsZone and Set-AzureRmDnsZone prompt for confirmation if the $ConfirmPreference PowerShell preference variable has a value of Medium or lower. Due to the potentially high impact of deleting a DNS zone, the Remove-AzureRmDnsZonecmdlet prompts for confirmation if the $ConfirmPreference PowerShell variable has any value other than None.

Since the default value for $ConfirmPreference is High, only Remove-AzureRmDnsZone prompts for confirmation by default.

You can override the current $ConfirmPreference setting using the -Confirm parameter. If you specify -Confirm or -Confirm:$True, the cmdlet prompts you for confirmation before it runs. If you specify -Confirm:$False , the cmdlet does not prompt you for confirmation.

For more information about -Confirm and $ConfirmPreference, see About Preference Variables.

How to manage DNS Zones in the Azure portal

Create a DNS zone

  1. Sign in to the Azure portal
  2. On the Hub menu, click and click Create a resource > Networking > and then click DNS zone to open the Create DNS zone blade.DNS zone
  3. On the Create DNS zone blade enter the following values, then click Create:
Setting Value Details
Name The name of the DNS zone
Subscription [Your subscription] Select a subscription to create the DNS zone in.
Resource group Create new: RChirkutDNS Create a resource group. The resource group name must be unique within the subscription you selected. To learn more about resource groups, read the Resource Manager overview article.
Location West US


The resource group refers to the location of the resource group, and has no impact on the DNS zone. The DNS zone location is always “global”, and is not shown.

List DNS zones

In the Azure portal, navigate to More services > Networking > DNS zones. Each DNS zone is it’s own resource, information such as number of record-sets and name servers are viewable from this view. The column NAME SERVERS is not in the default view, to add it click Columns, select Name servers and click Done.

listing DNS zones

Delete a DNS zone

Navigate to a DNS zone in the portal. On the DNS zone blade, click Delete zone. You are prompted to confirm you are wanting to delete the DNS zone. Deleting a DNS zone also deletes all the records that are contained in the zone.