Configuring Split Brain DNS in an Active Directory Environment

First, we will look at the differences between the Traffic Management policy scenario and this Split-Brain policy scenario.

  • This policy can be used with Active Directory: A records and zone scopes replicate to all replica servers in the domain.
  • It uses the default zone scope for the internal network.
  • Instead of using client subnets to separate the networks, this policy uses a DNS server with two network cards to differentiate between the internal and external networks.
  • There are only three steps needed instead of four.

Network Diagram 

Scenario: 

The HR department at your company, Server Academy, would like to post job listings on the internal web site for positions that they would prefer to offer to current employees, while posting regular corporate job listings on the external web site so that those positions are available to people who apply from the internet.

How would you implement this request?

In our diagram, an internal client sends a query to the DNS server for the host www.sa.com.  

Because the request came in on the internal network, the response points the client to the internal host for www.sa.com.

If an external client sends a query to the DNS server for the host www.sa.com, the request comes in on the external network, so the response points the client to the external host for www.sa.com.

  • The DNS server has two network interface cards installed. One is designated for the external network (internet) and has the IP address 195.138.5.10; the other is for the internal network and has the IP address 192.168.17.10.

  • The server’s interfaces will be used to separate the internal from the external clients. 

So, what is an Active Directory Integrated Zone?  

  • It’s a zone that stores its zone data in Active Directory.
  • It can be replicated to other domain controllers in the domain.
  • DNS policies are not Active Directory integrated. That means they are not replicated to the other DNS servers in the domain.
  • Policies must be manually copied between domain controllers.

How do you create an ADIZ using DNS Manager? 

  • Open Server Manager, then Tools, then DNS Manager.
  • Click the server, then click Forward Lookup Zones; there’s our primary zone, sa.com.
  • Right-click sa.com and click Properties.
  • Click the General tab, then click Change.
  • Check the box that says Store the Zone in Active Directory.
  • Click OK, then OK again. You’ve just created an ADIZ.

You can use this PowerShell command to create an Active Directory Integrated Zone that will replicate to the other domain controllers across the domain.

  • Add-DnsServerPrimaryZone -Name "sa.com" -ReplicationScope "Domain" -PassThru

Copying Policies from server to server. 

  • In Windows Server 2016, policies are not replicated to other servers.

You can use the following commands to copy these policies from one server to another. We won’t demonstrate these commands, but if you need them, they are in the lesson PDF document. 

  • $policies = Get-DnsServerQueryResolutionPolicy -ZoneName "yourzone.com" -ComputerName Server01

The dollar sign marks a variable. This command gets all the policies for the zone from Server01 and stores them in the $policies variable.

  • $policies | Add-DnsServerQueryResolutionPolicy -ZoneName "Yourzone.com"                  
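
Because policies are not replicated, a domain controller that never received the copy answers every query from the default zone scope, which in this design holds the internal records. The script below is an added example, not part of the lesson or its PDF: it compares a zone's policies on a reference server against other servers and reports drift. `Server02` and the two function names are assumptions made for illustration.

```powershell
# Added example: detect DNS policy drift between servers for one zone.
# Run from a host with the DnsServer module and rights on every server listed.
Import-Module DnsServer

function Get-PolicyFingerprint {
    param([Parameter(Mandatory)] $Policy)
    # Flatten the fields that decide which clients are sent to which zone scope.
    $criteria = ($Policy.Criteria | Sort-Object CriteriaType |
        ForEach-Object { "$($_.CriteriaType):$($_.Criteria)" }) -join ';'
    $content = ($Policy.Content | Sort-Object ScopeName |
        ForEach-Object { "$($_.ScopeName),$($_.Weight)" }) -join ';'
    '{0}|{1}|{2}|{3}|{4}' -f $Policy.Action, $Policy.IsEnabled,
        $Policy.ProcessingOrder, $criteria, $content
}

function Compare-DnsPolicyAcrossServers {
    param(
        [Parameter(Mandatory)][string]   $ZoneName,
        [Parameter(Mandatory)][string]   $ReferenceServer,
        [Parameter(Mandatory)][string[]] $OtherServers
    )
    # Policies on the server where they were originally created.
    $reference = @{}
    Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $ReferenceServer |
        ForEach-Object { $reference[$_.Name] = Get-PolicyFingerprint $_ }

    foreach ($server in $OtherServers) {
        $found = @{}
        Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $server |
            ForEach-Object { $found[$_.Name] = Get-PolicyFingerprint $_ }

        # Walk the union of names so missing and extra policies both show up.
        foreach ($name in (@($reference.Keys) + @($found.Keys) | Sort-Object -Unique)) {
            $status = if (-not $found.ContainsKey($name)) { 'MissingOnTarget' }
                elseif (-not $reference.ContainsKey($name)) { 'ExtraOnTarget' }
                elseif ($found[$name] -ne $reference[$name]) { 'Different' }
                else { 'Match' }
            [pscustomobject]@{ Server = $server; Policy = $name; Status = $status }
        }
    }
}

# Server01 is the lesson's source server; Server02 is a placeholder target.
Compare-DnsPolicyAcrossServers -ZoneName 'sa.com' -ReferenceServer 'Server01' `
    -OtherServers 'Server02' | Where-Object Status -ne 'Match'
```

An empty result means every listed server holds the same policies as the reference; any `MissingOnTarget` row identifies a server that would hand internal answers to clients on the external interface.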
