Configuring Split Brain DNS in an Active Directory Environment
First, we will take a look at the differences between the Traffic Management Policy scenario and this, Split-Brain policy scenario.
- This policy can be used with Active Directory – A-Records and Zone-Scopes will replicate to all replica servers in the Domain.
- It uses the Default Zone Scope for the internal network.
- Instead of using client subnets to separate the networks, this policy uses a DNS server with two network cards to differentiate between the internal and external networks.
- There are only three steps needed instead of four
The HR department from your company Server Academy would like to post job listings on the internal web site for positions in the company that they would prefer to offer current employees.
While posting regular corporate-related job listings on the external web site so that those positions would be available for those that apply from the internet.
How would you implement this request?
In our diagram, an internal client sends a query to the DNS server for the host www.sa.com.
And if the external client sends a query to the DNS server for the
- The DNS server has two network interface cards installed. One is designated for the External network (internet) IP Address 126.96.36.199
and the other interface is for the internal network, and it has an IP address of 192.168.17.10
- The server’s interfaces will be used to separate the internal from the external clients.
So, what is an Active Directory Integrated Zone?
- It’s a zone that is stores zone data in active directory • Can be replicated to other Domain Controllers in the domain
- DNS policies are not Active Directory Integrated.
That means that they are not replicated to the other DNS server that are in the Domain. • Policies must be manually copied between Domain Controllers
How do you create an ADIZ using DNS Manager?
- Open Server manager, tools, DNS manager
- Click the server, click the forward lookup zone, there’s our primary zone sa.com
- Right-click on sa.com and click properties
- Then click the General tab then click Change
- Check the box that says Store the Zone in Active Directory.
- Click, ok, then ok again. And you’ve just created an ADIZ.
You can use this PowerShell command to create your Active Directory Integrated Zone that will replicate to other domain controllers across the domain.
- Add-DnsServerPrimaryZone -Name “sa.com” -ReplicationScope “Domain” -Passthru
Copying Policies from server to server.
- In Windows, server 2016 Policies are not replicated to other servers.
You can use the following commands to copy these policies from one server to another. We won’t demonstrate these commands, but if you need them, they are in the lesson PDF document.
- $policies = Get-DnsServerQueryResolutionPolicy -ZoneName "yourzone.com"
The dollar sign is a variable. So, what this is saying is to get all the server level policies on the Server01. Then store the properties in the $Policies variable
- $policies | Add-DnsServerQueryResolutionPolicy -ZoneName "Yourzone.com"
Sign up to access the rest of this lesson
You must either log in or sign up to access this lesson.