This is something that coming back over and over again. For most windows admins is/was an issue till the Windows 2k16. I always preferred to handle split-dns in a linux environment than building a separate server just to provide the external, NAT, Geo-location IPs.
Though as the Active Directory loves DNS, it is hard to separate it. At last we do have a solution with the new policies and split-scope zones. Below I will provide a simple scenario where you are having two networks and the subnets are NATed. In my experience the best way to handle it is by scripting and building the server from the scratch. Outsource you can add the AD integrated zones, but there are things you maybe don’t want to inherit.
So at first is good to create a number of CSV files to hold the SRV, A, CNAME , Zones and the outsource don’t forget to add , where is needed, a column with the NATed IP.
While creating the Primary zones and their Scopes, remember that in the GUI you will not be able to see the Scoped Zone and you have to check the file created in %SystemRoot%\System32\DNS\”Zone name”\
Do not forget that we have to create the policies too, in our case we will assume that there is a specific interface that will reply to internal queries and we enable the policy for each of our zones.
$scope = “internal”
Import-CSV .\DNSzones.csv | ForEach-Object {
#Def variable
$zone = $_.domain#Create Primary DNS Zones
Add-DnsServerPrimaryZone -zonename $zone -zonefile “$($zone).dns”
#Create Zone Scopes
Add-DnsServerZoneScope -ZoneName $zone -zonefile “$($zone).dns” -Name $scope
#Create the DNS policy for the zone
Add-DnsServerQueryResolutionPolicy -Name “SplitBrainZonePolicy” -Action ALLOW -ServerInterface “eq,192.168.1.10” -ZoneScope “internal,1” -ZoneName $zone
}
The next step before populating all those zones is to create the reverse ones, in this case it would be great to have a list of all your current Subnet and the NATed equivalents.
Import-CSV .\subnetNAT.csv | ForEach-Object {
#Def variable
$nid = $_.nat
$addr = $_.nat -split “\.”
$zfile = “$($addr[1]).$($addr[0]).in-addr.arpa”#Create reverse Zone Scopes
Add-DnsServerPrimaryZone -NetworkID $nid -ZoneFile $zfile
}
And it is time to populate our new DNS server.
Import-Csv .\Records.CSV | ForEach-Object {
$addr = $_.Address
$nataddr = $_.NATAddress
$zonename = $_.zonename
$hostname = $_.hostname
$fqdn=$hostname+”.”+$zonename
#Primary A & PTR Dns entriesAdd-DnsServerResourceRecordA -ZoneName $zone -Name $fqdn -IPv4Address $NATaddr -CreatePtr
Add-DnsServerResourceRecordA -ZoneName $zone -Name $fqdn -IPv4Address $addr -ZoneScope $scope
}
And last we come to the CNAME and SRV records, for the CNAME we will do it a bit differently
Import-Csv .\CN.csv | ForEach-Object {
#Def variable
$fqdn = $_.FQDN
$srv = $fqdn.split(“.”)[0]
$domain= $fqdn -replace “$srv.”,””
$alias = $_.alias
# add CNAME Dns entriesAdd-DnsServerResourceRecord -ZoneName $domain -CNAME -Name $alias -HostNameAlias $fqdn
Add-DnsServerResourceRecord -ZoneName $domain” -CNAME -Name $alias -HostNameAlias $fqdn -ZoneScope $scope
}
#Add SRV records
$zone = “domain”
$records=Import-Csv c:\scripts\SRVtoipmport.csv
$name=$record.resource+”.”+$record.path
Add-DnsServerResourceRecord -srv -zonename $zone –name $name –domainname $record.name –weight 100 –priority 0 –port $record.port
Add-DnsServerResourceRecord -srv -zonename $zone -ZoneScope “internal” –name $name –domainname $record.name –weight 100 –priority 0 –port $record.port
}
I hope it was helpful and you can find more on the docs.microsoft. Thanks for reading.
Fintz Stack 