Question

BrianKesler-7970 asked (edited):

Server 2016 DNS Policies - Failing on second and third DNS server

Hello everyone,
I am testing out Server 2016's DNS policy for split-brain DNS in Active Directory and I am running into a problem with functionality. What I am attempting to do is set up a specific client subnet that will return an IP for a host that is different from the default Resource Record for that zone. I have three DNS servers. On Server1, I ran this configuration:


  • Created DNS Zone: Add-DnsServerPrimaryZone -Name "dnscheck.local" -ReplicationScope "Forest" -PassThru

  • Created the client subnet: Add-DnsServerClientSubnet -Name "POC_1-CS" -IPv4Subnet "10.219.193.0/26"

  • Created the Zone Scope for the newly created zone: Add-DnsServerZoneScope -ZoneName "dnscheck.local" -Name "POC_1-ZS"

  • Add a Resource Record to the new Zone Scope: Add-DnsServerResourceRecordA -Name "test" -ZoneName "dnscheck.local" -ZoneScope "POC_1-ZS" -IPv4Address "172.0.0.2"

  • Created a default Resource Record: Add-DnsServerResourceRecordA -Name "test" -ZoneName "dnscheck.local" -IPv4Address "172.0.0.1"

  • Created Query Policy: Add-DnsServerQueryResolutionPolicy -Name "Client Subnet POC test 1" -ClientSubnet "EQ,POC_1-CS" -FQDN "test.dnscheck.local" -ZoneName "dnscheck.local" -ZoneScope "POC_1-ZS,1" -Action ALLOW

I copied the DNS client subnet config to Server2 and Server3.
I copied the DNS query policies to Server2 and Server3.

During a test from a client in that subnet, it works when the client queries Server1, but does not return the correct Resource Record from Server2 and Server3 (it returns the "default" record.) I have verified that the client subnet and DNS Query policies are on Server2 and Server3. I also verified that the Zone Scope has replicated to Server2 and Server3.

What am I missing?

If I create a similar query policy for the DNS zone "mydomain.com", the DNS query policies work from all three servers. Thinking this is how I created the new zone, I compared the new zone with "mydomain.com" and they match: AD-integrated, forest scope; replication to all DNS servers in the forest.

I feel it has to do with the test zone that I created, but I am missing what it could be.

Thanks for any responses.

windows-dhcp-dns

GaryReynolds answered (1 vote):

Hi @BrianKesler-7970

With DNS Policies, the configuration is stored in both the AD partition and the registry of the DNS server. The registry configuration is not replicated between the DCs and you need to run the DNS Policies commands on all the DNS servers to ensure that all the servers are consistent. You can simplify this by using the -computer option with the DNS Policy commands:

 Add-DnsServerClientSubnet -Name "POC_1-CS" -IPv4Subnet "10.219.193.0/26" -computer DCxx
 Add-DnsServerQueryResolutionPolicy -Name "Client Subnet POC test 1" -ClientSubnet "EQ,POC_1-CS" -FQDN "test.dnscheck.local" -ZoneName "dnscheck.local" -ZoneScope "POC_1-ZS,1" -Action ALLOW -computer DCxx

In your Add-DnsServerQueryResolutionPolicy command you have a typo in the FQDN parameter, it should be -fqdn "EQ,test.dnscheck.local"

Gary.


Just checking if there is any progress or update on this one?

Thanks, Gary. Sorry for the slow response - I was on Spring Break last week.

I have confirmed that the Client Subnet and Query Policies are on all DCs, but I still can only get the query to work on one DNS server. I only have this problem on a new zone that I created. On an existing DNS zone, I can configure DNS policies to work across all DNS servers. I must be missing something when I created that new DNS zone, but I cannot figure out what that is.


I would compare the following registry path on all servers to make sure that they are consistent.

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server

When testing your configuration again on my servers, I had a similar problem; however, once I restarted the DNS service on the server not responding correctly, it started working. Maybe doing the remote implementation doesn't register the command correctly with the server, or it has to wait until the configuration information is refreshed to pick up the changes, which I think is about an hour.

Gary.


BrianKesler-7970 answered (edited):

Restarting the DNS Server Service "fixed" this issue.

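As an added example (not code from this thread, from Microsoft, or from either poster), the script below takes the six steps from the question and the fixes from Gary's answer and comments: the "EQ," operator prefix on -Fqdn, pushing the client subnet and query policy to every DNS server with -ComputerName because those two objects live in each server's registry rather than in AD, and restarting the DNS service afterwards. It also checks what every server actually answers, which is the test that exposed the problem in the first place. Server1/Server2/Server3, the zone, subnet and addresses are the question's placeholders; the guards with Get-* cmdlets are an assumption added so the script can be re-run without "already exists" errors.

```powershell
# Added example: script the split-brain DNS policy setup from the thread and
# push the per-server pieces to every DNS server, then verify each one.
# Requires the DnsServer RSAT module and admin rights on every server listed.
# All names and addresses below are the thread's placeholders (assumed).

$DnsServers = 'Server1', 'Server2', 'Server3'   # assumed server names
$ZoneName   = 'dnscheck.local'
$SubnetName = 'POC_1-CS'
$Subnet     = '10.219.193.0/26'
$ScopeName  = 'POC_1-ZS'
$PolicyName = 'Client Subnet POC test 1'
$HostName   = 'test'
$DefaultIP  = '172.0.0.1'   # answer for everyone else
$ScopedIP   = '172.0.0.2'   # answer for clients inside $Subnet

# 1. AD-integrated objects: run ONCE. The zone, its zone scope and the A records
#    are stored in the AD partition and replicate to the other DCs on their own.
$primary = $DnsServers[0]
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $primary -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest -ComputerName $primary
}
if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName -ComputerName $primary -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName -ComputerName $primary
}
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A -ComputerName $primary -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -Name $HostName -ZoneName $ZoneName -IPv4Address $DefaultIP -ComputerName $primary
}
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName -Name $HostName -RRType A -ComputerName $primary -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -Name $HostName -ZoneName $ZoneName -ZoneScope $ScopeName -IPv4Address $ScopedIP -ComputerName $primary
}

# 2. Per-server objects: the client subnet and the query policy are kept in each
#    server's registry and are NOT replicated, so apply them on every server.
foreach ($srv in $DnsServers) {
    if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ComputerName $srv -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $Subnet -ComputerName $srv
    }
    if (-not (Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ZoneName $ZoneName -ComputerName $srv -ErrorAction SilentlyContinue)) {
        # Both criteria carry an operator prefix ("EQ,"); the question's -FQDN value lacked it.
        Add-DnsServerQueryResolutionPolicy -Name $PolicyName `
            -ClientSubnet "EQ,$SubnetName" `
            -Fqdn "EQ,$HostName.$ZoneName" `
            -ZoneName $ZoneName -ZoneScope "$ScopeName,1" `
            -Action Allow -ComputerName $srv
    }
    # Gary found the policy only took effect after a DNS service restart on the
    # affected server. This briefly interrupts resolution on that server.
    Invoke-Command -ComputerName $srv -ScriptBlock { Restart-Service -Name DNS }
}

# 3. Drift check: list the policy as each server sees it. A server missing the
#    policy (or holding it disabled) silently falls back to the default record.
foreach ($srv in $DnsServers) {
    Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $srv |
        Select-Object @{ n = 'Server'; e = { $srv } }, Name, ProcessingOrder, IsEnabled, Action
}

# 4. Functional check: ask every server directly and compare with the answer this
#    host should get. -DnsOnly bypasses the local cache and hosts file.
function Test-SplitBrainAnswer {
    param([string[]]$Servers, [string]$Fqdn, [string]$Expected)
    foreach ($srv in $Servers) {
        $answer = (Resolve-DnsName -Name $Fqdn -Server $srv -Type A -DnsOnly -ErrorAction Stop).IPAddress -join ','
        [pscustomobject]@{ Server = $srv; Answer = $answer; OK = ($answer -eq $Expected) }
    }
}

# Run from a host INSIDE 10.219.193.0/26 and expect $ScopedIP on every server;
# from a host outside that subnet expect $DefaultIP on every server.
Test-SplitBrainAnswer -Servers $DnsServers -Fqdn "$HostName.$ZoneName" -Expected $ScopedIP | Format-Table -AutoSize
```

The point of step 4 is that a split-brain policy is only as good as its least-configured server: the question's symptom (Server1 correct, Server2 and Server3 handing out the default record) is exactly what an `OK = False` row shows, and running the check from both inside and outside the subnet confirms the policy is matching on the source address rather than simply overriding the record everywhere.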