Configuring Split Brain DNS in an Active Directory Environment


First, we will look at the differences between the Traffic Management Policy scenario and this Split-Brain policy scenario.

  • This policy can be used with Active Directory: A records and zone scopes will replicate to all replica servers in the domain.
  • It uses the default zone scope for the internal network.
  • Instead of using client subnets to separate the networks, this policy uses a DNS server with two network cards to differentiate between the internal and external networks.
  • Only three steps are needed instead of four.

Network Diagram 

Scenario: 

The HR department of your company, Server Academy, would like to post job listings on the internal web site for positions in the company that they would prefer to offer to current employees, while posting regular corporate job listings on the external web site so that those positions are available to people applying from the internet.

How would you implement this request?

In our diagram, an internal client sends a query to the DNS server for the host www.sa.com. Because the request came in on the internal network, the response points the client to the internal host for www.sa.com.

If an external client sends a query to the DNS server for the host www.sa.com, the request comes in on the external network, so the response points the client to the external host for www.sa.com.

  • The DNS server has two network interface cards installed. One is designated for the external network (internet) with IP address 195.138.5.10, and the other interface is for the internal network with IP address 192.168.17.10.
  • The server's interfaces will be used to separate the internal clients from the external clients.
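The scenario above, as an added example that is not part of the lesson's own material: it configures a dual-homed DNS server so that the interface a query arrives on decides which copy of www.sa.com is returned, and then checks the result from both interfaces. The zone name and the two server interface addresses come from the lesson; the web server addresses, the scope name, the policy name and the helper function are assumptions.

```powershell
# Added example, not the lesson's own script: configure split-brain DNS on a
# dual-homed DNS server and verify that each interface answers differently.
# From the lesson: zone sa.com, internal NIC 192.168.17.10, external NIC 195.138.5.10.
# Assumed: the web server addresses, the scope and policy names, the helper function.
$ZoneName    = 'sa.com'
$InternalNic = '192.168.17.10'
$ExternalNic = '195.138.5.10'
$InternalWeb = '192.168.17.25'   # assumed: intranet web server
$ExternalWeb = '201.138.5.25'    # assumed: internet-facing web server
$ScopeName   = 'external'
$PolicyName  = 'SplitBrainDNSPolicy'

# 0. The zone must be AD-integrated so its records and zone scopes replicate to every DC.
$zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain'
} elseif (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' -Force
}

# 1. One extra zone scope for external answers; the default scope keeps the internal data.
if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName
}

# 2. The same name in each scope, pointing at a different host. The internal address
#    lives only in the default scope, so it is never handed to an internet client.
function Add-WwwRecordIfMissing {
    param([string]$Address, [string]$Scope)   # no $Scope means the default scope
    $query = @{ ZoneName = $ZoneName; Name = 'www'; RRType = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Scope) { $query.ZoneScope = $Scope }
    if (-not (Get-DnsServerResourceRecord @query)) {
        $add = @{ ZoneName = $ZoneName; Name = 'www'; IPv4Address = $Address }
        if ($Scope) { $add.ZoneScope = $Scope }
        Add-DnsServerResourceRecordA @add
    }
}
Add-WwwRecordIfMissing -Address $InternalWeb
Add-WwwRecordIfMissing -Address $ExternalWeb -Scope $ScopeName

# 3. Queries that arrive on the external interface are answered from the external scope.
#    No policy is needed for the internal side: the default scope is what remains.
if (-not (Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -Name $PolicyName -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW `
        -ServerInterfaceIP "eq,$ExternalNic" -ZoneScope "$ScopeName,1" -ZoneName $ZoneName
}

# Verify by sending the same question to each interface of the server.
$fromInternal = (Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $InternalNic -DnsOnly).IPAddress
$fromExternal = (Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $ExternalNic -DnsOnly).IPAddress
if ($fromInternal -ne $InternalWeb -or $fromExternal -ne $ExternalWeb) {
    throw "Split-brain check failed: internal NIC answered '$fromInternal', external NIC answered '$fromExternal'"
}
"Internal interface -> $fromInternal; external interface -> $fromExternal"
```

Run the check from a host that can reach both server addresses (the DNS server itself is the simplest choice), because the policy matches on the interface the query arrived on, not on who sent it. Each step first looks for the object before creating it, so the script can be re-run on every domain controller without producing duplicate records or a second policy.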

So, what is an Active Directory Integrated Zone (ADIZ)?

  • It's a zone that stores its zone data in Active Directory.
  • It can be replicated to other Domain Controllers in the domain.
  • DNS policies are not Active Directory Integrated. That means they are not replicated to the other DNS servers in the domain.
  • Policies must be manually copied between Domain Controllers.

How do you create an ADIZ using DNS Manager?

  • Open Server Manager, then click Tools, then DNS Manager.
  • Click the server, expand Forward Lookup Zones, and there is our primary zone sa.com.
  • Right-click sa.com and click Properties.
  • On the General tab, click Change.
  • Check the box that says Store the zone in Active Directory.
  • Click OK, then OK again. You've just created an ADIZ.

You can use this PowerShell command to create your Active Directory Integrated Zone, which will replicate to other domain controllers across the domain:

  • Add-DnsServerPrimaryZone -Name "sa.com" -ReplicationScope "Domain" -PassThru

Copying policies from server to server.

  • In Windows Server 2016, policies are not replicated to other servers.

You can use the following commands to copy these policies from one server to another.

  • $policies = Get-DnsServerQueryResolutionPolicy -ZoneName "yourzone.com" -ComputerName Server01

The dollar sign denotes a variable. So, what this is saying is: get all of the query resolution policies for that zone on Server01 and store them in the $policies variable.

  • $policies | Add-DnsServerQueryResolutionPolicy -ZoneName "yourzone.com" -ComputerName Server02

This command adds the policies stored in the $policies variable to a different DNS server named Server02.
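The two commands above copy the policies of a single zone. Below is an added example, not one of the lesson's commands, that generalises them: it walks every AD-integrated primary zone on the source server, copies each policy that is missing on the target, and then compares the policy order on both servers. The server names follow the lesson; the function name is an assumption.

```powershell
# Added example, not the lesson's own commands: copy zone-level query resolution
# policies from one DNS server to another and confirm both hold the same set.
# Server names follow the lesson (Server01 -> Server02); the function name is assumed.
function Copy-DnsZoneQueryPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target
    )
    # AD-integrated zones already replicate their records and zone scopes;
    # only the policies have to be carried over by hand.
    $zones = Get-DnsServerZone -ComputerName $Source |
             Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and -not $_.IsAutoCreated }

    foreach ($zone in $zones) {
        $name = $zone.ZoneName
        $policies = @(Get-DnsServerQueryResolutionPolicy -ZoneName $name -ComputerName $Source -ErrorAction SilentlyContinue)
        if ($policies.Count -eq 0) { continue }

        $onTarget = @(Get-DnsServerQueryResolutionPolicy -ZoneName $name -ComputerName $Target -ErrorAction SilentlyContinue).Name

        foreach ($policy in $policies) {
            if ($onTarget -contains $policy.Name) {
                Write-Verbose "${name}: '$($policy.Name)' already exists on $Target, skipped"
                continue
            }
            # The policy object carries its criteria, action and scope weights,
            # so piping it in recreates the same rule on the target server.
            $policy | Add-DnsServerQueryResolutionPolicy -ZoneName $name -ComputerName $Target
            Write-Verbose "${name}: copied '$($policy.Name)' to $Target"
        }

        # Policies are evaluated in order and the first match wins, so the order
        # must agree on both servers, not just the set of names.
        $srcOrder = (@(Get-DnsServerQueryResolutionPolicy -ZoneName $name -ComputerName $Source).Name) -join ','
        $dstOrder = (@(Get-DnsServerQueryResolutionPolicy -ZoneName $name -ComputerName $Target).Name) -join ','
        if ($srcOrder -ne $dstOrder) {
            Write-Warning "${name}: policy order differs. ${Source}=[$srcOrder] ${Target}=[$dstOrder]"
        }
    }
}

Copy-DnsZoneQueryPolicy -Source 'Server01' -Target 'Server02' -Verbose
```

If the function warns that the order differs, the target already had policies of its own and the copied ones were appended behind them; re-create them with an explicit -ProcessingOrder so that the same rule wins on every server. Server-level policies (the ones created without -ZoneName) are outside this function and need the same treatment without the -ZoneName parameter.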


dewitsc(@dewitsc)
Member
1 year ago

I do not have access to the PDF for this lesson, "Configuring Split Brain DNS in an Active Directory Environment". How can I get access to it?

mf(@mf)
Member
2 months ago

Here is the PowerShell script for anyone that couldn't get it, like me.

### Step 1: this command will create an external zone scope
Add-DnsServerZoneScope -ZoneName "sa.com" -Name "external"
### (undo of the command above; run only to roll back)
Remove-DnsServerZoneScope -ZoneName "sa.com" -Name "external"

### Step 2: this command will add a record to the external zone scope
Add-DnsServerResourceRecord -ZoneName "sa.com" -A -Name "www" -IPv4Address "201.138.5.25" -ZoneScope "external"
### (undo of the command above; -ZoneScope is needed so the external record is removed, not the internal one)
Remove-DnsServerResourceRecord -ZoneName "sa.com" -RRType "A" -Name "www" -ZoneScope "external"

### This command will add a record to the internal (default) zone scope
Add-DnsServerResourceRecord -ZoneName "sa.com" -A -Name "www" -IPv4Address "192.168.17.25"

### Step 3: this command will create the policy for the external side
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainDNSPolicy" -Action ALLOW -ServerInterfaceIP "eq,195.138.5.10" -ZoneScope "external,1" -ZoneName "sa.com"
### (undo of the command above; run only to roll back)
Remove-DnsServerQueryResolutionPolicy -Name "SplitBrainDNSPolicy" -ZoneName "sa.com"

### No policy is required for mapping the default internal zone scope

### This command will show the policies for sa.com
Get-DnsServerQueryResolutionPolicy -ZoneName "sa.com"

### This command will display the records located in the default zone scope
Get-DnsServerResourceRecord -ZoneName "sa.com" | Format-List

### This command will display the records in the external zone scope
Get-DnsServerResourceRecord -ZoneName "sa.com" -ZoneScope "external" | Format-List