Configuring Secondary DNS Zones with PowerShell

I recently had the task of having to setup multiple secondary DNS servers that had multiple zones, conditional forwarders and forwarders. Creating these components manually and having to do it several times was not something that was a particularly attractive task – PowerShell to the rescue!

This install is based on Server 2016 which should also be the same for Windows Server 2019

The best place to start with PowerShell is to use the Help files to look for the DNS modules

Open PowerShell, this could be VSCode, PowerShell ISE or just PowerShell, I prefer to use VSCode or ISE so I have an editor for typing cmdlets

Ensure you have the DNS Module loaded. If you are accessing PowerShell from the DNS Server directly, have the RSAT tools installed or using pssession you can confirm if the module is loaded and available using the following cmdlet

Get-Module -ListAvailable | where {$_.Name -like “DNS“}

Once you can confirm the module is loaded you can then start to use the built in Help files in PowerShell to look for the cmdlets you require to carry out the tasks for DNS. It is a good idea to run the following cmdlet to update the help files for PowerShell

Update-Help

In summary here are the tasks that are required to be carried out

  1. Install the DNS Server Role and management tools
  2. Configure the secondary zones
  3. Configure zone transfers from primary DNS Servers
  4. Confirm zone transfers are working
  5. Configure DNS Forwarders
  6. Configure Conditional Forwarders
  7. Update DHCP Scope Options
Install DNS Server Role

Open PowerShell (As an Administrator) on the server you want to install DNS on and run the following cmdlet:

Install-WindowsFeature -Name DNS -IncludeManagementTools

You may get prompted for restart, carry out a restart to complete process

Configure the Secondary Zones

Use the help system in PowerShell to identify the cmdlet you wish to use. If you do not know the specific cmdlet you can use a wildcard to query

Get-Help *SecondaryZone*

This returns a list of cmdlets to use. We can see from the list of returned results that Add-DnsServerSecondaryZone is the cmdlet I want to use

Next run the following PowerShell cmdlet to find examples of this cmdlet

Get-Help Add-DnsServerSecondaryZone -Examples

Example 2 from the results will do exactly what I need.

Get-DnsServerZone -ComputerName win-olpn33s5q3m.mytest.contoso.com | where {(“Primary” -eq $_.ZoneType) -and ($False -eq $_.IsAutoCreated) -and (“TrustAnchors” -ne
$_.ZoneName)} | %{ $_ | Add-DnsServerSecondaryZone -MasterServers 172.23.90.136 -ZoneFile “$($_.ZoneName).dns”}

What does this do?
  1. This will query the example server win-olpn33s5q3m.mytest.contoso.com for all zones that are primary and ignore any auto created zones and TrustAnchors which are not required for transfer.
  2. The second step is that PowerShell uses a foreach loop (%) for each zone and adds it to the secondary DNS server and creates a zone file
  3. The final step is to add Master Servers (Primary DNS) where the secondary DNS server can pull the zones from. In the example that is 172.23.90.136. Ideally you should have more than one for redundancy

Now you have this you can create a small script from the example.

<#
Author: <Author Name>
Created: <Add Date>
Purpose: This script creates Secondary DNS zones from existing Primary Zones
#>


# Primary DNS Server to be used to create secondary zones
$DNSServer = “DNS1”
$MasterServers = @(“10.0.0.1″,” 10.0.0.2″,” 10.0.0.3″)

Write-Host -ForegroundColor DarkYellow “Querying ‘$DNSServer’ for Primary Zones and Creating Secondary Zones on ‘$env:ComputerName'”


Get-DnsServerZone -ComputerName $DNSServer | where {(“Primary” -eq $_.ZoneType) -and ($False -eq $_.IsAutoCreated) -and (“TrustAnchors” -ne $_.ZoneName)} | foreach { $_ | Add-DnsServerSecondaryZone -MasterServers $MasterServers -ZoneFile “$($_.ZoneName).dns”}


Write-Host -ForegroundColor DarkYellow “Completed creating secondary zones on ‘$env:ComputerName’ please check the event logs”

Adjust the following values for your own environment

  1. $DNSServer
  2. $MasterServers

Run the script on your secondary DNS server to start the creation of the zones. At this point the zone files will be created but the zones will not populate with records until you set the Primary DNS Servers to push the updates.

Configure zone transfers from primary DNS Servers

In the previous script we identified our Master Servers (Primary DNS Servers) where we want to pull our zones from. In the next step we need to configure these Master Servers to be allowed (push) to transfer to the secondary DNS server

Logon to each of your master servers or use New-PSsession to connect to each server and run the script below

<#
Author: <Author Name>
Created: <Date>
Purpose: This script sets up zone transfers from a Primary DNS Server to a Secondary DNS Server
#>


# Primary DNS Server to be used to allow DNS Transfers to Secondary DNS Servers
$PrimaryDNS = “$env:ComputerName”

# Secondary Servers DNS2
$SecondaryDNS = @(“10.0.0.4”)

Write-Host -ForegroundColor Yellow “Configuring Zone Transfers on ‘$SecondaryDNS’ from ‘$PrimaryDNS'”


Get-DnsServerZone -ComputerName $PrimaryDNS | where {(“Primary” -eq $_.ZoneType) -and ($False -eq $_.IsAutoCreated) -and (“TrustAnchors” -ne $_.ZoneName)} | foreach { $_ | Set-DnsServerPrimaryZone -SecondaryServers $SecondaryDNS –SecureSecondaries TransferToSecureServers }

Write-Host -ForegroundColor Yellow “Zone Transfers set to push to secondaries from ‘$PrimaryDNS'”

Real World Tip

If you plan to use PowerShell to push out zone transfers to multiple secondary DNS servers from the same Master Servers then be aware of the following point.

In our script above we are allowing zone transfers from 10.0.0.1, 10.0.0.2 & 10.0.0.3 to DNS2 (10.0.0.4). If you decide to push zone transfers to another DNS server, example DNS3 (10.0.0.5) then if you run the script you need to include the IP Addresses of each secondary server

Why?

When you run the PowerShell script above it will not append IP addresses but instead overwrite the values. So in this case if we set zone transfers to DNS2 and then want to transfer to DNS3 we need to add both values to the script so they do not get overwritten $SecondaryDNS = @(“10.0.0.4″,”10.0.0.5”)

If anyone knows a better way please feedback

Confirm zone transfers are working

To confirm zone transfers are working you can open the DNS console visually check or you can use PowerShell to collect the event logs. This collects logs with EventID 3150 that confirms the zones are being populated

<#
Author: <Author Name>
Created: <Date>
Purpose: This script is used to obtain event ID 3150 and the message to confirm secondary zones are being written to after the zone file has been created
#>


$logPath = ‘C:\temp\’


Write-Host -ForegroundColor Yellow “Exporting DNS Logs from $env:computername to confirm that secondary zones are being written.

Please check the log (dnsserverlog) at ‘$logpath'”
Get-WinEvent -LogName ‘dns server’ | where {$_.Message -like “*The DNS server wrote version*”} | Select-Object ID,Message | Export-Csv C:\temp\dnsserverlog.csv -NoTypeInformation


Write-Host -ForegroundColor Yellow “Export completed. Please check ‘$logpath’ for further details. Please check the log (dnsserverlog) at $logpath”

Configure DNS Forwarders

DNS Forwarders can be used for performing external name resolution queries. Run the script to add the forwarders. The Replace the IP’s with your specific addresses

# DNS Forwarders
$Forwarders = @(“1.1.1.1″,”2.2.2.2”)

# DNS Forwarders

Add-DnsServerForwarder -IPAddress $Forwarders -PassThru

Configure Conditional Forwarders

In the examples below 2 conditional forwarders are created called Domain1 and Domain2 with the IP’s to be configured. Replace the Domain name and IP with the actual details required.

<#
Author: <Author>
Created: <Date>
Purpose: This script has been created to add the conditional forwarders to each secondary DNS server
#>

# Create DNS Conditional Forwarder “Domain1.com”
# Conditional Forwarder IPs
$CF1 = @(“3.3.3.3″,”4.4.4.4”)


Add-DnsServerConditionalForwarderZone -Name “Domain1.com” -MasterServers $CF1 -PassThru

# Create DNS Conditional Forwarder “Domain2.com”
# MasterServers
$CF2 = @(“5.5.5.5″,”6.6.6.6”)


Add-DnsServerConditionalForwarderZone -Name “Domain2” -MasterServers $CF2 -PassThru

Update DHCP Scope Options

With the new DNS Servers in place you may wish to update your DHCP scope options so that clients and devices point to the new servers

You can use PowerShell to get a list of scopes that you wish to update

Get-DhcpServerv4Scope | Where {$_.ScopeID -like “192.168.0.*”}

This will output the scopes that are part of the 192.168.0.x range

To update all DHCP scopes that start 192.168.0.x with the DNS servers 10.0.0.4 & 10.0.0.5 run the following script

$Scopes = Get-DhcpServerv4Scope | where { $_.ScopeId -like “192.168.0.*” }
foreach($scope in $scopes.scopeid){
Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId 6 -value “10.0.0.4”,”10.0.0.5″
}

That completes the process for configuring secondary DNS zones

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s