TechShizz | All posts by rich

DNS Policy by Client Source Address

If we have various subnets we can create a DNS policy so that our DNS server responds differently to clients on different subnets. Here's how:

#Add a new Demo DNS Zone
Add-DNSServerPrimaryZone -Name demo.com -Replication Domain

#Add two Client Subnets
Add-DNSServerClientSubnet -Name SubnetA -IPv4Subnet "192.168.1.0/26"
Add-DNSServerClientSubnet -Name SubnetB -IPv4Subnet "192.168.1.64/26"

#Add Zone Scopes for Subnets
Add-DNSServerZoneScope -ZoneName demo.com -Name "0_Scope"
Add-DNSServerZoneScope -ZoneName demo.com -Name "64_Scope"

#Add some A records
Add-DNSServerResourceRecord -ZoneName demo.com -A -Name App1 -IPv4Address "192.168.0.100" -ZoneScope "0_Scope"
Add-DNSServerResourceRecord -ZoneName demo.com -A -Name App1 -IPv4Address "192.168.0.101" -ZoneScope "64_Scope"

#Create the DNS Client Based Policy
Add-DNSServerQueryResolutionPolicy -Name "0_Policy" -Action ALLOW -ClientSubnet "eq,SubnetA" -ZoneScope "0_Scope,1" -ZoneName demo.com
Add-DNSServerQueryResolutionPolicy -Name "64_Policy" -Action ALLOW -ClientSubnet "eq,SubnetB" -ZoneScope "64_Scope,1" -ZoneName demo.com

 

DNS Policy Load Balancing | Server 2016

By default if we have multiple A records with the same name, the DNS server will round robin i.e alternate through each record returning the value of each DNS record. This is great but if we want more control over balancing the responses to different records we can use DNS Load Balancing Policy to distribute responses in the desired way.

#Add a DNS Zone
Add-DNSServerPrimaryZone -Name "loadbalance.com" -ReplicationScope Domain

#Add a Zone Scope called "Scope-Heavy"
Add-DNSServerZoneScope -ZoneName "loadbalance.com" -Name "Scope-Heavy"

#Add a  Zone Scope called "Scope-Light"
Add-DNSServerZoneScope -ZoneName "loadbalance.com" -Name "Scope-Light"

#Add some A records to each zone, with different IP addresses to which the load will be balanced accordingly
Add-DNSServerResourceRecord -ZoneName "loadbalance.com" -A -Name "www" -IPv4Address "192.168.1.11"
Add-DNSServerResourceRecord -ZoneName "loadbalance.com" -A -Name "www" -IPv4Address "192.168.1.12" -ZoneScope "Scope-Light"
Add-DNSServerResourceRecord -ZoneName "loadbalance.com" -A -Name "www" -IPv4Address "192.168.1.13" -ZoneScope "Scope-Heavy"

#Set a Policy, so that server 192.168.1.13 gets around 9 out of every 11 requests.
Add-DNSServerQueryResolutionPolicy -Name "LB-Policy" -Action ALLOW -Fqdn "EQ,*" -ZoneScope "loadbalance.com,1;Scope-Light,1;Scope-Heavy,9" -ZoneName "loadbalance.com"

#Check it applied
Get-DNSServerQueryResolutionPolicy -ZoneName "loadbalance.com"

Configure DNS Response Rate Limiting

We configure DNS reponse rate limiting from powershell.

##GetDNS Reponse Rate Limiting Settings
Get-DNSServerResponseRateLimiting

##Enable DNS Reponse Rate Limiting Logging only
Set-DNSServerResponseRateLimiting -ResponsePerSec 2 -ErrorsPerSec 2 -IPv4PrefixLength 26 -Leakrate 3 -Mode LogOnly -Force

##Enable DNS Reponse Rate Limiting
Set-DNSServerResponseRateLimiting -ResponsePerSec 2 -ErrorsPerSec 2 -IPv4PrefixLength 26 -Leakrate 3 -Mode Enable -Force

#Disable DNS Reponse Rate Limiting
Set-DNSServerResponseRateLimiting -Mode Enable -Force

Configuring DNSSEC in Active Directory DNS

Aim: To enable DNSSEC on an Active Directory Intergrated zone

1.Go to DNS Manager > Right click on Zone > DNSSEC > Sign the Zone 

2. Select the default settings option > click next.

3.Go back to DNS Manager > Right click zone > DNSSEC > Properties

4. Trust Anchor Tab > Click the checkbox "Enable the destination of trust anchors for this zone" > Click Apply/OK.

5. Click yes on this prompt

6. And OK on this prompt 

7. Go to Group Policy Manager > Create / Amend a Policy and configure the following:

Computer Configuration > Policies > Windows Settings > Name Resolution Policy.

Enter you domain and check "Enable DNCSEC in this rule" and "Require DNS clients to check that name and address data has been validated by the DNS server". Remember to APPLY the policy

 

8. To test, GPUpdate /force and reboot.

Run netsh namespace show policy

This will verify that DNSSEC is enabled.

Error: "Cannot find the Windows PowerShell data file 'ImportExportIscsiTargetConfiguration.psd1'"

Problem

While installing an iSCSI target server manager displays the error: "Cannot find the Windows PowerShell data file 'ImportExportIscsiTargetConfiguration.psd1'"

Solution

On the computer where server manager is running, go to:

'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\IscsiTarget\en-US\'

COPY the en-US folder and then rename it to "en-GB".

Run the wizard again and this time there should be no error.