Server 2016 DNS Policies - Failing on second and third DNS server

Brian Kesler 1 Reputation point
2022-04-08T19:06:26.393+00:00

Hello Everyone -
I am testing out using Server 2016's DNS policy for Split-Brain DNS in Active Directory and I am running into a problem with functionality. What I am attempting to do is set up a specific client subnet that will return an IP for a host that is different from the default Resource Record for that zone. I have three DNS servers. On Server1, I ran this configuration:

  • Created DNS Zone: Add-DnsServerPrimaryZone -Name "dnscheck.local" -ReplicationScope "Forest" -PassThru
  • Created the client subnet: Add-DnsServerClientSubnet -Name "POC_1-CS" -IPv4Subnet "10.219.193.0/26"
  • Created the Zone Scope for the newly created zone: Add-DnsServerZoneScope -ZoneName "dnscheck.local" -Name "POC_1-ZS"
  • Added a Resource Record to the new Zone Scope: Add-DnsServerResourceRecordA -Name "test" -ZoneName "dnscheck.local" -ZoneScope "POC_1-ZS" -IPv4Address "172.0.0.2"
  • Created a default Resource Record: Add-DnsServerResourceRecordA -Name "test" -ZoneName "dnscheck.local" -IPv4Address "172.0.0.1"
  • Created Query Policy: Add-DnsServerQueryResolutionPolicy -Name "Client Subnet POC test 1" -ClientSubnet "EQ,POC_1-CS" -FQDN "test.dnscheck.local" -ZoneName "dnscheck.local" -ZoneScope "POC_1-ZS,1" -Action ALLOW

I copied the DNS client subnet config to Server2 and Server3.
I copied the DNS Query Policies to Server2 and Server3.

During a test from a client in that subnet, it works when the client queries Server1, but Server2 and Server3 do not return the correct Resource Record (they return the "default" record). I have verified that the client subnet and DNS Query policies are on Server2 and Server3. I also verified that the Zone Scope has replicated to Server2 and Server3.

What am I missing?

If I create a similar Query Policy for the DNS Zone "mydomain.com", the DNS query policies work from all three servers. Thinking this is down to how I created the new zone, I compared the new zone with "mydomain.com" and they match: AD Integrated, Forest; replication to all DNS servers in the forest.

I feel it has to do with the test zone that I created, but I am missing what it could be.

Thanks for any responses.


2 answers

  1. Gary Reynolds 9,391 Reputation points
    2022-04-11T11:17:02.15+00:00

    Hi @Brian Kesler

    With DNS Policies, the configuration is stored in both the AD partition and the registry of the DNS server. The registry configuration is not replicated between the DCs, and you need to run the DNS Policy commands on all the DNS servers to ensure that all the servers are consistent. You can simplify this by using the -computer option with the DNS Policy commands:

    Add-DnsServerClientSubnet -Name "POC_1-CS" -IPv4Subnet "10.219.193.0/26" -computer DCxx  
    Add-DnsServerQueryResolutionPolicy -Name "Client Subnet POC test 1" -ClientSubnet "EQ,POC_1-CS" -FQDN "test.dnscheck.local" -ZoneName "dnscheck.local" -ZoneScope "POC_1-ZS,1" -Action ALLOW -computer DCxx  
    

    In your Add-DnsServerQueryResolutionPolicy command you have a typo in the FQDN parameter; it should be -fqdn "EQ,test.dnscheck.local"

    Gary.

    1 person found this answer helpful.
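As an added example (not part of Gary's answer or Brian's question), the following script applies the per-server pieces of this policy (client subnet and query resolution policy) to every DNS server in the question, using the corrected "EQ," operator on -Fqdn, and then reports per server whether the subnet and policy are present and what the server answers. It assumes the DnsServer RSAT module is installed, the account has DNS admin rights on all three servers, and the server names Server1/Server2/Server3 from the question.

```powershell
# Added example: push the registry-stored DNS policy pieces to every DNS server
# and check each server for drift. Zone scopes and their records are AD-replicated,
# so they are created once; client subnets and query policies are per server.
$zone       = "dnscheck.local"
$subnetName = "POC_1-CS"
$subnet     = "10.219.193.0/26"
$scopeName  = "POC_1-ZS"
$policyName = "Client Subnet POC test 1"
# Assumption: these are the DNS servers from the question; adjust to your environment.
$dnsServers = "Server1", "Server2", "Server3"

foreach ($server in $dnsServers) {
    # Client subnet: create it only if this server does not already have it.
    if (-not (Get-DnsServerClientSubnet -Name $subnetName -ComputerName $server -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $subnetName -IPv4Subnet $subnet -ComputerName $server
    }
    # Query policy: note the "EQ," operator on -Fqdn, which the question's command was missing.
    if (-not (Get-DnsServerQueryResolutionPolicy -Name $policyName -ZoneName $zone -ComputerName $server -ErrorAction SilentlyContinue)) {
        Add-DnsServerQueryResolutionPolicy -Name $policyName -ClientSubnet "EQ,$subnetName" `
            -Fqdn "EQ,test.$zone" -ZoneName $zone -ZoneScope "$scopeName,1" -Action ALLOW `
            -ComputerName $server
    }
}

# Drift check: one row per server. A MISSING value means that server would still
# hand out the default record (172.0.0.1) to clients in the POC subnet.
foreach ($server in $dnsServers) {
    $cs  = Get-DnsServerClientSubnet -Name $subnetName -ComputerName $server -ErrorAction SilentlyContinue
    $pol = Get-DnsServerQueryResolutionPolicy -Name $policyName -ZoneName $zone -ComputerName $server -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server = $server
        Subnet = if ($cs)  { $cs.IPv4Subnet -join "," } else { "MISSING" }
        Policy = if ($pol) { $pol.Action } else { "MISSING" }
        # The answer depends on the subnet of the machine running this script:
        # from a host inside 10.219.193.0/26 it should be 172.0.0.2, elsewhere 172.0.0.1.
        Answer = (Resolve-DnsName -Name "test.$zone" -Server $server -Type A -ErrorAction SilentlyContinue).IPAddress -join ","
    }
}
# If a server shows the policy present but still answers with the default record,
# the follow-up answer on this page reports that restarting the DNS Server service
# on that server cleared it: Restart-Service -Name DNS (run on the affected server).
```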

  2. Brian Kesler 1 Reputation point
    2022-04-27T21:21:59.357+00:00

    Restarting the DNS Server Service "fixed" this issue.
