Windows Server 2012 Automation with PowerShell Cookbook

Configuring zones in DNS

Windows domains rely heavily on DNS for name resolution and for finding appropriate resources. DNS is composed primarily of zones, each of which contains records. These zones and records provide name-to-address and address-to-name resolution for clients.

Here we will install and configure the DNS service and configure zones for servicing clients.

Getting ready

This recipe assumes a server and networking configuration similar to what is created in the first recipe. For DNS services to operate, the server does not need to be a member of an Active Directory domain, and in some scenarios, such as internet-facing systems, Active Directory membership is discouraged. Note, however, that the AD-integrated zones created in step 3 can only be hosted on a domain controller; on a standalone server, create file-backed zones with the -ZoneFile parameter instead.

We will be configuring our DNS servers with the zones created in the steps below: two reverse lookup zones, a standard primary zone, a conditional forwarder, and a secondary zone.

How to do it...

Carry out the following steps to configure zones in DNS:

  1. Identify features to install:
    Get-WindowsFeature | Where-Object Name -like *dns*
  2. Install DNS feature and tools (if not already installed):
    Install-WindowsFeature DNS -IncludeManagementTools -IncludeAllSubFeature
  3. Create a reverse lookup zone:
    Add-DnsServerPrimaryZone -Name 10.10.10.in-addr.arpa -ReplicationScope Forest
    Add-DnsServerPrimaryZone -Name 20.168.192.in-addr.arpa -ReplicationScope Forest
  4. Create a primary zone and add static records:
    Add-DnsServerPrimaryZone -Name contoso.com -ZoneFile contoso.com.dns
    Add-DnsServerResourceRecordA -ZoneName contoso.com -Name www -IPv4Address 192.168.20.54 -CreatePtr
  5. Create a conditional forwarder:
    Add-DnsServerConditionalForwarderZone -Name fabrikam.com -MasterServers 192.168.99.1
  6. Create a secondary zone:
    Add-DnsServerSecondaryZone -Name corp.adatum.com -ZoneFile corp.adatum.com.dns -MasterServers 192.168.1.1

How it works...

The first two steps may already have been completed if your DNS server coexists with the domain controller. When viewing the output of Get-WindowsFeature in the first step, an Install State of Installed for the DNS features means the role is already present. Running Install-WindowsFeature again on an installed feature is harmless; it simply reports that no change was needed.

The third step creates two AD-integrated reverse lookup zones named 10.10.10.in-addr.arpa and 20.168.192.in-addr.arpa. The -ReplicationScope parameter is what makes them AD-integrated, so this step requires the DNS server to be a domain controller. These zones are used for IP-to-name resolution for servers in the 10.10.10.0/24 (internal) and 192.168.20.0/24 (DMZ or untrusted) subnets; note that the zone name is the network portion of the address with its octets reversed and in-addr.arpa appended. Reverse lookup zones are not created automatically when installing DNS or Active Directory, and it is the administrator's responsibility to create them.

Tip

It is considered a best practice to have a reverse lookup zone for all networks in your organization. This eases many operational tasks and some network tools fail to work properly if the reverse lookup zones don't exist.

The fourth step creates a standard (file-backed) primary zone named contoso.com. Because -ZoneFile is given instead of -ReplicationScope, the zone data is stored in the file contoso.com.dns under %SystemRoot%\System32\dns rather than in Active Directory. This zone is different from the corp.contoso.com zone that was automatically created during creation of the domain. This new zone will be used to host records used in an untrusted or DMZ environment. In this example we created a static record www.contoso.com, configured it with a target IP address, and, with -CreatePtr, created the matching reverse lookup (PTR) record in the 20.168.192.in-addr.arpa zone from step 3.
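The following is an added example and not code from the book: it derives the reverse lookup zone name from a subnet, creates the zone only if it is missing, adds a host record with its PTR, and then checks that both directions actually resolve. The subnet 192.168.20.0/24, the zone contoso.com and the host www/192.168.20.54 are the book's own values; running on a non-domain-controller with a file-backed zone, and the default of querying localhost, are assumptions. It requires the DnsServer module installed with the DNS role and the DnsClient module that ships with Windows Server 2012.

```powershell
# Added example (not from the book). Assumes the DnsServer and DnsClient modules,
# and that the script runs on the DNS server itself (-DnsServer defaults to localhost).

function Get-ReverseZoneName {
    # Turn 192.168.20.0/24 into 20.168.192.in-addr.arpa. Only octet-aligned prefixes
    # (/8, /16, /24) map directly to a single in-addr.arpa zone, so reject others.
    param([Parameter(Mandatory)][string]$Cidr)
    $address, $prefix = $Cidr -split '/'
    if ([int]$prefix -notin 8, 16, 24) { throw "Prefix must be /8, /16 or /24: $Cidr" }
    [string[]]$kept = ($address -split '\.')[0..([int]$prefix / 8 - 1)]
    [array]::Reverse($kept)
    return ($kept -join '.') + '.in-addr.arpa'
}

function Ensure-ReverseZone {
    param(
        [Parameter(Mandatory)][string]$Cidr,
        [switch]$AdIntegrated   # AD-integrated zones can only be created on a domain controller
    )
    $zoneName = Get-ReverseZoneName -Cidr $Cidr
    if (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue) {
        Write-Verbose "Reverse zone $zoneName already exists"
        return $zoneName
    }
    # -NetworkId lets the cmdlet derive the in-addr.arpa name itself; the name computed
    # above is used for the existence check and returned to the caller.
    if ($AdIntegrated) {
        Add-DnsServerPrimaryZone -NetworkId $Cidr -ReplicationScope Forest
    } else {
        Add-DnsServerPrimaryZone -NetworkId $Cidr -ZoneFile "$zoneName.dns"
    }
    return $zoneName
}

function Add-HostWithPtr {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ipaddress]$IPv4Address,
        [string]$DnsServer = 'localhost'
    )
    # -CreatePtr does not create the PTR when no reverse zone covers the address, so the
    # PTR query below is the real check that the reverse zone exists and was populated.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $Name -IPv4Address $IPv4Address -CreatePtr
    $fqdn    = "$Name.$ZoneName"
    $ip      = $IPv4Address.IPAddressToString
    $forward = (Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -ErrorAction Stop).IPAddress
    $reverse = (Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -ErrorAction Stop).NameHost
    if ($forward -notcontains $ip) { throw "Forward lookup of $fqdn returned '$forward'" }
    if ($reverse -ne $fqdn)        { throw "Reverse lookup of $ip returned '$reverse'" }
    [pscustomobject]@{ Name = $fqdn; Address = $ip; Ptr = $reverse }
}

# Usage with the book's DMZ subnet and www record
$reverseZone = Ensure-ReverseZone -Cidr '192.168.20.0/24'   # 20.168.192.in-addr.arpa
Add-HostWithPtr -ZoneName 'contoso.com' -Name 'www' -IPv4Address 192.168.20.54
```

Add -AdIntegrated to Ensure-ReverseZone when running on a domain controller to get the same result as step 3; without it the zone is file-backed, matching the standalone or DMZ case described in the Getting ready section.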

Note

The steps shown here are an example of creating a primary zone. Additional steps may be needed to fully secure a DNS server that is accessible by the outside world, such as disabling recursion on an authoritative-only server and restricting zone transfers to known secondaries.

Additionally, standard primary zones are not AD-integrated and do not automatically replicate to other DNS servers. To replicate a standard primary zone, a secondary zone must be created on the target DNS server, and the primary must allow zone transfers to it. Newly created zones do not allow transfers by default; use Set-DnsServerPrimaryZone with -SecureSecondaries and -SecondaryServers to permit transfers to the named secondary only. Allowing transfers to any server hands anyone on the network a complete list of your hosts with a single AXFR query.
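The following added example (not from the book) shows the other direction from step 6: publishing this server's standard primary zone to a secondary on another server while only allowing transfers to that one host, then confirming the copy is in sync by comparing SOA serial numbers. contoso.com is the book's file-backed primary; the secondary host name dmzdns02 and the addresses 192.168.20.5 (this primary) and 192.168.20.10 (the secondary) are hypothetical.

```powershell
# Added example (not from the book). Assumes the DnsServer module on both servers and
# rights to manage DNS on the remote secondary (hypothetical host dmzdns02).

function Publish-ZoneToSecondary {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$SecondaryComputer,
        [Parameter(Mandatory)][ipaddress]$SecondaryAddress,
        [Parameter(Mandatory)][ipaddress]$PrimaryAddress
    )
    # New zones default to NoTransfer. Allow transfers only to the listed secondary and
    # notify it on change; TransferAnyServer would let any host pull the zone with AXFR.
    Set-DnsServerPrimaryZone -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryAddress `
        -Notify NotifyServers -NotifyServers $SecondaryAddress

    # Create the read-only copy on the secondary, pointed back at this primary
    if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $SecondaryComputer -ErrorAction SilentlyContinue)) {
        Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
            -MasterServers $PrimaryAddress -ComputerName $SecondaryComputer
    }

    # Pull a full copy now instead of waiting for the SOA refresh interval
    Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer -ComputerName $SecondaryComputer

    # A secondary that is in sync serves the same SOA serial as the primary
    $primarySoa   = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa
    $secondarySoa = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa -ComputerName $SecondaryComputer
    [pscustomobject]@{
        Zone            = $ZoneName
        PrimarySerial   = $primarySoa.RecordData.SerialNumber
        SecondarySerial = $secondarySoa.RecordData.SerialNumber
        InSync          = ($primarySoa.RecordData.SerialNumber -eq $secondarySoa.RecordData.SerialNumber)
    }
}

# Usage (hypothetical hosts and addresses)
Publish-ZoneToSecondary -ZoneName 'contoso.com' -SecondaryComputer 'dmzdns02' `
    -SecondaryAddress 192.168.20.10 -PrimaryAddress 192.168.20.5
```

Because the secondary is file-backed and not AD-integrated (see the tip under step 6), the function must be run once per secondary server; the transfer restriction on the primary is cumulative, so add each secondary's address to -SecondaryServers.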

The fifth step creates a conditional forwarder for fabrikam.com. A conditional forwarder holds no records of its own: any query for a name in fabrikam.com is forwarded to the listed master servers (here 192.168.99.1) instead of being resolved through the server's default forwarders or root hints.

The sixth step creates a secondary zone named corp.adatum.com. Unlike primary zones, secondary zones are read-only, and they only hold a copy of the zone data as pulled from the master server. To add or update records in this zone, the changes must be made at the master server, and then replicated to the secondary.

Tip

Unlike primary zones and conditional forwarders, secondary zones cannot be AD-integrated and do not automatically replicate to other DNS servers in the domain. This means that the secondary zones must be configured on each DNS server that will host the zone.


There's more...

The following lists the additional features of zones in DNS:

  • Listing all zones: A full list of DNS zones on a server can be returned by executing the Get-DnsServerZone cmdlet with no parameters.
  • Updating DNS records: When updating static records there are two options: delete and recreate, or update in place. The following is a simple function that gets the current A record from DNS, updates its address, and commits it back to DNS. Note that Set-DnsServerResourceRecord changes only the record you pass it; a PTR record created earlier with -CreatePtr is not updated and must be changed separately in the reverse zone:
    Function Update-DNSServerResourceRecord {
        param(
            [Parameter(Mandatory)][string]$zoneName,
            [Parameter(Mandatory)][string]$recordName,
            [Parameter(Mandatory)][ipaddress]$newIPv4Address
        )
        # Get the current A record from DNS. -RRType A avoids also returning other
        # record types (for example a TXT record) that share the same name; the
        # Clone() below expects a single record.
        $oldRecord = Get-DnsServerResourceRecord -ZoneName $zoneName -Name $recordName -RRType A
        Write-Host "Original Value: " $oldRecord.RecordData.IPv4Address

        # Clone the record and change only the address. Set-DnsServerResourceRecord
        # needs both the old and the new object so it can match the existing record.
        $newRecord = $oldRecord.Clone()
        $newRecord.RecordData.IPv4Address = $newIPv4Address

        # Commit the changed record
        Set-DnsServerResourceRecord -ZoneName $zoneName -OldInputObject $oldRecord -NewInputObject $newRecord
        Write-Host "New Value: " (Get-DnsServerResourceRecord -ZoneName $zoneName -Name $recordName -RRType A).RecordData.IPv4Address
    }
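The following is an added example, not from the book, that builds on the Get-DnsServerZone listing above: it reports every zone on a server together with the two settings a practitioner should check on each primary zone, the zone transfer policy and the dynamic update policy, and flags the values that expose the zone to enumeration or to unauthenticated record changes. Querying localhost by default is an assumption; pass -ComputerName for a remote server.

```powershell
# Added example (not from the book). Assumes the DnsServer module; reads only.

function Get-DnsZoneReport {
    param([string]$ComputerName = 'localhost')
    foreach ($zone in Get-DnsServerZone -ComputerName $ComputerName) {
        $findings  = @()
        $dynamic   = $null
        $transfers = $null
        if ($zone.ZoneType -eq 'Primary') {
            # Primary-only settings live on the DnsServerPrimaryZone object
            $p = Get-DnsServerPrimaryZone -Name $zone.ZoneName -ComputerName $ComputerName -ErrorAction SilentlyContinue
            if ($p) {
                $dynamic   = $p.DynamicUpdate
                $transfers = $p.SecureSecondaries
                # NonsecureAndSecure lets any host add or overwrite records without
                # authenticating; Secure (AD-integrated zones only) requires Kerberos.
                if ($dynamic -eq 'NonsecureAndSecure') { $findings += 'unauthenticated dynamic updates' }
                # TransferAnyServer lets anyone on the network pull the whole zone with AXFR.
                if ($transfers -eq 'TransferAnyServer') { $findings += 'zone transfer to any host' }
            }
        }
        [pscustomobject]@{
            Zone          = $zone.ZoneName
            Type          = $zone.ZoneType
            AdIntegrated  = $zone.IsDsIntegrated
            Reverse       = $zone.IsReverseLookupZone
            DynamicUpdate = $dynamic
            Transfers     = $transfers
            Findings      = ($findings -join '; ')
        }
    }
}

# Usage: full inventory, then only the zones that need attention
Get-DnsZoneReport | Format-Table -AutoSize
Get-DnsZoneReport | Where-Object { $_.Findings } | Format-Table Zone, DynamicUpdate, Transfers, Findings -AutoSize
```

A DMZ-facing zone such as contoso.com from step 4 should report NoTransfer (or TransferToSecureServers with a short -SecondaryServers list) and a DynamicUpdate of None; the AD-integrated zones from step 3 normally show Secure.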