PowerShell offers a powerful way to automate DNS configurations and management, making it easier to set up, secure, and maintain DNS servers. In this article, I’ll explore how you can use PowerShell to manage DNS in your Active Directory environment.
For this scenario, we will set up DC1 (IP: 10.10.10.10) and DC2 (IP: 10.10.10.11) as domain controllers and DNS servers, as shown in the following diagram.
We will start by installing the DNS server role on DC2, since DC1 already has DNS installed (from a prior Active Directory setup).
Import-Module -Name ServerManager -WarningAction SilentlyContinue
Install-WindowsFeature -Name DNS -IncludeManagementTools
$SB1 = {
Set-DnsServerRecursion -Enable $true
Set-DnsServerCache -MaxKBSize 20480 # 20 MB cache
$EDNSHT = @{
EnableProbes = $true
EnableReception = $true
}
Set-DnsServerEDns @EDNSHT
Set-DnsServerGlobalNameZone -Enable $true
}
Invoke-Command -ScriptBlock $SB1 -ComputerName DC1
Invoke-Command -ScriptBlock $SB1 -ComputerName DC2
Configuring DC1
$SB2 = {
$NIC = Get-NetIPInterface -InterfaceAlias "Ethernet" -AddressFamily IPv4
$DNSSERVERS = ("127.0.0.1", "10.10.10.11")
$DNSHT = @{
InterfaceIndex = $NIC.InterfaceIndex
ServerAddresses = $DNSSERVERS
}
Set-DnsClientServerAddress @DNSHT
Start-Service -Name DNS
}
Invoke-Command -ScriptBlock $SB2 -ComputerName DC1
Configuring DC2
$SB3 = {
$NIC = Get-NetIPInterface -InterfaceAlias "Ethernet" -AddressFamily IPv4
$DNSSERVERS = ("127.0.0.1", "10.10.10.10")
$DNSHT = @{
InterfaceIndex = $NIC.InterfaceIndex
ServerAddresses = $DNSSERVERS
}
Set-DnsClientServerAddress @DNSHT
Start-Service -Name DNS
}
Invoke-Command -ScriptBlock $SB3 -ComputerName DC2
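The two script blocks above ($SB2 and $SB3) differ only in the partner address. The following is an added example, not code from the original article: it drives the same client configuration from a single table of DCs (loopback first, partner second), then reads the setting back with Get-DnsClientServerAddress and flags any DC whose resulting order does not match. The hostnames, IPs and the "Ethernet" interface alias are the article's; the $DnsServers table and $ConfigureDnsClient block are this example's own.

```powershell
# Added example (not from the original article): configure the DNS client on each DC so it
# points at itself first and at its partner second, then verify what the client ended up with.
# Assumes the hostnames, IPs and interface alias used in the article; adjust for your environment.

$DnsServers = [ordered]@{
    'DC1' = '10.10.10.10'
    'DC2' = '10.10.10.11'
}

$ConfigureDnsClient = {
    param([string[]]$ServerAddresses)

    $NIC = Get-NetIPInterface -InterfaceAlias 'Ethernet' -AddressFamily IPv4
    Set-DnsClientServerAddress -InterfaceIndex $NIC.InterfaceIndex -ServerAddresses $ServerAddresses

    # Make sure the DNS Server service is running and starts automatically after a reboot
    Set-Service -Name DNS -StartupType Automatic
    Start-Service -Name DNS

    # Return the effective server list so the caller can verify it
    (Get-DnsClientServerAddress -InterfaceIndex $NIC.InterfaceIndex -AddressFamily IPv4).ServerAddresses
}

foreach ($DC in $DnsServers.Keys) {
    # Loopback first, then every other DC in the table
    $Partners = $DnsServers.GetEnumerator() | Where-Object Key -ne $DC | ForEach-Object Value
    $Order = @('127.0.0.1') + @($Partners)

    # (,$Order) passes the whole array as one argument to the script block
    $Actual = Invoke-Command -ComputerName $DC -ScriptBlock $ConfigureDnsClient -ArgumentList (,$Order)

    if (Compare-Object -ReferenceObject $Order -DifferenceObject $Actual) {
        Write-Warning "${DC}: expected $($Order -join ', ') but found $($Actual -join ', ')"
    } else {
        Write-Host "${DC}: DNS client order OK ($($Actual -join ', '))"
    }
}
```

Pointing each DC at itself first keeps name resolution working when the partner is down; the read-back at the end catches the common mistake of configuring the wrong interface.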
Integrating DNS with DHCP
To ensure clients (e.g., workstations) use both DNS servers, we set the DNS options on the DHCP server (DHCP01) so that its leases distribute both DNS server IPs.
$DNSOPTIONHT = @{
DnsServer = "10.10.10.11", "10.10.10.10" # Client DNS Servers
DnsDomain = "YH.local"
Force = $true
}
Set-DhcpServerv4OptionValue @DNSOPTIONHT -ComputerName DHCP01
Securing the DNS Zone
$DNSSSB = {
$SBHT = @{
Name = "YH.local"
DynamicUpdate = "Secure"
}
Set-DnsServerPrimaryZone @SBHT
}
Invoke-Command -ComputerName DC1 -ScriptBlock $DNSSSB
Invoke-Command -ComputerName DC2 -ScriptBlock $DNSSSB
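Setting DynamicUpdate to Secure on one zone is the manual version of a check worth running across every zone on every DC. The following is an added example, not code from the original article: it audits each primary zone on DC1 and DC2 for non-secure dynamic updates and for zone transfers open to any server, and with -Remediate applies the secure values with Set-DnsServerPrimaryZone. The server names are the article's; the function name and its switch are this example's own.

```powershell
# Added example (not from the original article): audit every primary zone on each DC for
# settings that weaken it (non-secure dynamic updates, unrestricted zone transfers) and,
# with -Remediate, set them to the secure values.

function Test-DnsZoneSecurity {
    param(
        [string[]]$ComputerName = @('DC1', 'DC2'),
        [switch]$Remediate
    )

    foreach ($Server in $ComputerName) {
        $Zones = Get-DnsServerZone -ComputerName $Server |
            Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

        foreach ($Zone in $Zones) {
            $Findings = @()

            # AD-integrated zones should only accept authenticated (secure) dynamic updates;
            # 'NonsecureAndSecure' lets any host on the network overwrite records.
            if ($Zone.IsDsIntegrated -and $Zone.DynamicUpdate -ne 'Secure') {
                $Findings += "DynamicUpdate=$($Zone.DynamicUpdate)"
            }

            # Zone transfers to any server hand the whole zone to whoever asks for it.
            if ($Zone.SecureSecondaries -eq 'TransferAnyServer') {
                $Findings += "SecureSecondaries=$($Zone.SecureSecondaries)"
            }

            [pscustomobject]@{
                Server   = $Server
                Zone     = $Zone.ZoneName
                Findings = if ($Findings) { $Findings -join '; ' } else { 'OK' }
            }

            if ($Remediate -and $Findings) {
                $Fix = @{ Name = $Zone.ZoneName; ComputerName = $Server }
                if ($Zone.IsDsIntegrated -and $Zone.DynamicUpdate -ne 'Secure') { $Fix.DynamicUpdate = 'Secure' }
                if ($Zone.SecureSecondaries -eq 'TransferAnyServer') { $Fix.SecureSecondaries = 'NoTransfer' }
                Set-DnsServerPrimaryZone @Fix
            }
        }
    }
}

# Report only:
Test-DnsZoneSecurity | Format-Table -AutoSize

# Report and fix (uncomment to apply):
# Test-DnsZoneSecurity -Remediate
```

Run the report form first and review the findings; AD-integrated zones replicate through AD rather than zone transfers, so NoTransfer costs nothing there, but a file-backed zone with real secondaries needs TransferToZoneNameServer or an explicit server list instead.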
Verifying DNS Settings
$DNSRV = Get-DnsServer -ComputerName DC2.yh.local
$DNSRV | Select-Object -ExpandProperty ServerRecursion
$DNSRV | Select-Object -ExpandProperty ServerCache
$DNSRV | Select-Object -ExpandProperty ServerEDns
Create a New Primary Forward DNS Zone
$ZoneParams = @{
Name = 'SkyNet.Local'
ResponsiblePerson = 'hostmaster.skynet.local.'
ReplicationScope = 'Domain'
ComputerName = 'DC1.YH.Local'
}
Add-DnsServerPrimaryZone @ZoneParams -Verbose
Create a Reverse Lookup Zone
$ReverseZoneParams = @{
NetworkID = '10.10.10.0/24'
ResponsiblePerson = 'dnsadmin.yh.local.'
ReplicationScope = 'Forest'
ComputerName = 'DC1.YH.Local'
}
Add-DnsServerPrimaryZone @ReverseZoneParams
Register DNS for Both Domain Controllers
Register-DnsClient
Invoke-Command -ComputerName DC2 -ScriptBlock {Register-DnsClient}
This step produces no console output, but it refreshes the dynamic DNS registration of both DCs so that their host records are present and current on the DNS server.
Verify DNS Zones on DC1
Get-DnsServerZone -ComputerName DC1 | Format-Table -AutoSize
Adding Resource Records to the SkyNet.Local Zone
Now, let’s add some resource records to the SkyNet.Local zone. We’ll add:
- An A record to map Main to an IP address.
- A CNAME record to alias Email to Main.SkyNet.Local.
- An MX record to specify the mail server for the domain.
Add an A Record
$ARecordParams = @{
ZoneName = 'SkyNet.Local'
A = $true
Name = 'Main'
AllowUpdateAny = $true
IPv4Address = '192.168.1.100'
}
Add-DnsServerResourceRecord @ARecordParams
Add a CNAME Record
$CNameParams = @{
ZoneName = 'SkyNet.Local'
Name = 'Email'
HostNameAlias = 'Main.SkyNet.Local'
}
Add-DnsServerResourceRecordCName @CNameParams
Add an MX Record
$MXParams = @{
Preference = 20
Name = '.'
TimeToLive = '2:00:00'
MailExchange = 'Email.SkyNet.Local'
ZoneName = 'SkyNet.Local'
}
Add-DnsServerResourceRecordMX @MXParams
Restart-Service -Name DNS
$ScriptBlock = {Restart-Service -Name DNS}
Invoke-Command -ComputerName DC2 -ScriptBlock $ScriptBlock
This step ensures that AD replication propagates the DNS zone data between the two DCs.
Check Resource Records in the SkyNet.Local Zone
Get-DnsServerResourceRecord -ZoneName 'SkyNet.Local' | Format-Table -AutoSize
This command displays all RRs in the SkyNet.Local zone, including the A, CNAME, and MX records we added.
Testing DNS Resolution from DC1 and DC2
Test the CNAME Record from DC1
Resolve-DnsName -Server DC1.YH.Local -Name 'Email.SkyNet.Local'
Test the MX Record from DC2
Resolve-DnsName -Server DC2.YH.Local -Name 'SkyNet.Local' -Type MX
Test the Reverse Lookup Zone
Finally, let’s test the reverse lookup zone by resolving an IP address back to a hostname.
Resolve-DnsName -Name '10.10.10.10'
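The three manual queries above check one record against one server each. The following is an added example, not code from the original article: it queries both DCs for every record created in this article (A, CNAME, MX and the PTR that Register-DnsClient should have produced), compares each answer with the expected value, and warns when the two DCs disagree, which is the usual symptom of replication lag or a stale cache. The record names and values are the article's; the $Checks table, the Get-DnsAnswer function and the assumed PTR target 'DC1.yh.local' are this example's own.

```powershell
# Added example (not from the original article): query each DC for the records the article
# created and report any answer that differs from what is expected or between the two servers.

$Checks = @(
    @{ Name = 'Main.SkyNet.Local';  Type = 'A';     Expect = '192.168.1.100' }
    @{ Name = 'Email.SkyNet.Local'; Type = 'CNAME'; Expect = 'Main.SkyNet.Local' }
    @{ Name = 'SkyNet.Local';       Type = 'MX';    Expect = 'Email.SkyNet.Local' }
    @{ Name = '10.10.10.10';        Type = 'PTR';   Expect = 'DC1.yh.local' }   # assumed FQDN of DC1
)

function Get-DnsAnswer {
    param([string]$Server, [string]$Name, [string]$Type)
    try {
        # -DnsOnly skips LLMNR/NetBIOS and the local cache so we see the server's real answer
        $Records = Resolve-DnsName -Server $Server -Name $Name -Type $Type -DnsOnly -ErrorAction Stop
    } catch {
        return "ERROR: $($_.Exception.Message)"
    }
    # Keep only the record type asked for (a CNAME query also returns the target's A record)
    $Match = $Records | Where-Object Type -eq $Type | Select-Object -First 1
    switch ($Type) {
        'A'     { $Match.IPAddress }
        'CNAME' { $Match.NameHost }
        'PTR'   { $Match.NameHost }
        'MX'    { $Match.NameExchange }
    }
}

foreach ($Check in $Checks) {
    $Answers = foreach ($DC in 'DC1.YH.Local', 'DC2.YH.Local') {
        [pscustomobject]@{
            Server = $DC
            Query  = "$($Check.Name) $($Check.Type)"
            Answer = Get-DnsAnswer -Server $DC -Name $Check.Name -Type $Check.Type
            Status = 'pending'
        }
    }
    foreach ($A in $Answers) {
        # -eq is case-insensitive, so 'DC1.yh.local' matches 'DC1.YH.Local'
        $A.Status = if ($A.Answer -eq $Check.Expect) { 'OK' } else { "MISMATCH (expected $($Check.Expect))" }
    }
    # A difference between the two DCs points at replication lag or a stale cache
    if (@($Answers.Answer | Select-Object -Unique).Count -gt 1) {
        Write-Warning "$($Check.Name): DC1 and DC2 gave different answers"
    }
    $Answers
}
```

Querying each server explicitly with -Server and -DnsOnly matters: a plain Resolve-DnsName would be satisfied from the local resolver cache and could hide a DC that is still serving old data.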
Configuring DNS Forwarding
When the DNS server receives a query it holds no record of, it can use a recursive process to find a DNS server that will resolve the request.
For internal domains or merged networks, however, conditional forwarding is the better option. This allows the DNS server to forward queries for specific domains to designated servers, skipping recursion entirely. Here is an example of how you can set this up:
1. Obtaining the Name Servers for YH.do
$NameServers = Resolve-DnsName -Name YH.do -Type NS | Where-Object Name -eq 'YH.do'
$NameServers
2. Obtaining the IPv4 Addresses for These Name Servers
$NameServerIPs = foreach ($Server in $NameServers) {
(Resolve-DnsName -Name $Server.NameHost -Type A).IPAddress
}
$NameServerIPs
Adding a Conditional Forwarder on DC1
$CFHT = @{
Name = 'yh.do'
MasterServers = $NameServerIPs
ComputerName = 'DC1.yh.Local'
}
Add-DnsServerConditionalForwarderZone @CFHT
Checking the Zone on DC1
Get-DnsServerZone -Name yh.do -ComputerName 'DC1.yh.Local'
This verifies that the conditional forwarder zone for YH.do has been successfully created on DC1.YH.Local.
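The steps above trust whatever IPs the NS lookup returns. The following is an added example, not code from the original article, that wraps the same procedure in one function: it resolves the zone's name servers, keeps only those that actually answer an SOA query for the zone, then adds the conditional forwarder with those masters (or updates the master list if the forwarder zone already exists) and reads the zone back from DC1. The zone and server names are the article's; the function name is this example's own.

```powershell
# Added example (not from the original article): before adding the conditional forwarder,
# check that each discovered name server for the zone answers an SOA query for it, then add
# (or update) the forwarder with only the responsive masters and confirm the zone on the DC.

function Add-VerifiedConditionalForwarder {
    param(
        [string]$ZoneName,      # e.g. 'yh.do'
        [string]$ComputerName   # DNS server to configure, e.g. 'DC1.yh.Local'
    )

    # Only the NS records themselves; the answer may also carry glue A records
    $NameServers = Resolve-DnsName -Name $ZoneName -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' -and $_.Name -eq $ZoneName }

    $Masters = foreach ($NS in $NameServers) {
        foreach ($IP in (Resolve-DnsName -Name $NS.NameHost -Type A -ErrorAction SilentlyContinue).IPAddress) {
            # Keep only masters that are serving the zone right now
            try {
                $null = Resolve-DnsName -Server $IP -Name $ZoneName -Type SOA -DnsOnly -ErrorAction Stop
                $IP
            } catch {
                Write-Warning "$($NS.NameHost) ($IP) did not answer an SOA query for ${ZoneName}; skipping"
            }
        }
    }

    if (-not $Masters) { throw "No responsive name servers found for $ZoneName" }

    $Existing = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($Existing) {
        # Already present: update the master list instead of failing on a duplicate zone
        Set-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $Masters -ComputerName $ComputerName
    } else {
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $Masters -ComputerName $ComputerName
    }

    Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName |
        Select-Object ZoneName, ZoneType, MasterServers
}

Add-VerifiedConditionalForwarder -ZoneName 'yh.do' -ComputerName 'DC1.yh.Local'
```

Because a conditional forwarder sends every query for that domain to the listed masters, a master that stops answering turns into a resolution outage for the whole domain; re-running the function periodically keeps the master list aligned with the zone's live NS records.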
Production Tips
- Redundancy: In a production environment, ensure you have at least two DNS servers per domain for redundancy. Update the DHCP options so that leases include both DNS server IP addresses.
- Replication Scope: By default, AD-integrated zones replicate to all DCs in the forest. You can adjust the replication scope (e.g., to a specific domain) to optimize performance. See Microsoft’s documentation on AD-integrated zones for more details.
- Reverse Lookup Zones: While not always necessary, reverse lookup zones are useful for tools like nslookup or for security purposes (e.g., verifying the identity of a connecting client).