March 14, 2013

Managing DNS servers using PowerShell

Much of my new book is focused on using PowerShell to manage Windows Server 2012, so this article and the previous one include some short excerpts from my book to both whet your appetite (to entice you into buying my book) and to show you some of the things you can do as an admin using PowerShell. Note that the target audience of the book is Windows intermediate-level admins who have several years of work experience but who might still be beginners when it comes to using PowerShell, so I'm hoping that readers will find my book useful to learn how they can start using PowerShell to simplify and automate the administration of Windows servers in their environment.

This second excerpt is from Chapter 6 Network Administration and shows how you can manage Windows Server 2012 DNS servers using PowerShell. I've also included one of the chapter's exercises, which shows how you can configure a caching-only DNS server using PowerShell. Note that these book excerpts haven't finished going through the editorial review process yet, so they may change a bit in the published version.

Examples of network administration tasks

The best way to learn how to use Windows PowerShell to administer network settings and services on Windows Server 2012 is to experiment with performing different tasks in a test environment. The following sections provide some examples of what you can do in this area, and the practice and suggested practice exercises included in this chapter present you with further challenges for learning these skills.

Creating DNS resource records

You can manage Windows Server 2012 DNS servers using Windows PowerShell. Common DNS server management tasks include adding resource records to zones, configuring forwarders, configuring root hints, and so on.

For example, let's view a list of zones on a DNS server that is also a domain controller for the corp.contoso.com domain:

PS C:\> Get-DnsServerZone

ZoneName                 ZoneType  IsAutoCreated  IsDsIntegrated  IsReverseLookupZone  IsSigned
--------                 --------  -------------  --------------  -------------------  --------
_msdcs.corp.contoso.com  Primary   False          True            False                True
0.in-addr.arpa           Primary   True           False           True                 False
127.in-addr.arpa         Primary   True           False           True                 False
255.in-addr.arpa         Primary   True           False           True                 False
corp.contoso.com         Primary   False          True            False                False
TrustAnchors             Primary   False          True            False                False

To view a list of resource records of type A (address) in the corp.contoso.com zone, we can pipe the output of the Get-DnsServerResourceRecord cmdlet into the Where-Object cmdlet like this:

PS C:\> Get-DnsServerResourceRecord -ZoneName corp.contoso.com | Where-Object {$_.RecordType -eq "A"}

HostName        RecordType  Timestamp             TimeToLive  RecordData
--------        ----------  ---------             ----------  ----------
@               A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.36
@               A           7/8/2012 1:00:00 PM   00:10:00    172.16.11.232
DomainDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.36
DomainDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.232
ForestDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.36
ForestDnsZones  A           7/8/2012 12:00:00 PM  00:10:00    172.16.11.232
sea-srv-1       A           0                     01:00:00    172.16.11.232
SEA-SRV-5       A           0                     01:00:00    172.16.11.36

To add a new A resource record for a test server, you can use the Add-DnsServerResourceRecordA cmdlet like this:

PS C:\> Add-DnsServerResourceRecordA -IPv4Address 172.16.11.239 -Name SEA-TEST -ZoneName corp.contoso.com

You can also add other types of resource records, such as PTR, CNAME or MX records, using the corresponding Add-DnsServerResourceRecord cmdlets. And you can use the Remove-DnsServerResourceRecord cmdlet to remove resource records from a zone.
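The two tasks above, listing A records and adding one, put into reusable functions as an added example (this is not code from the book). It assumes the DnsServer module and the corp.contoso.com lab zone from the text; the function names and the $ExpectedPrefix subnet are illustrative choices. The report also flags two things the one-liner does not show: static records, which scavenging never removes, and addresses outside the subnet the zone is expected to contain.

```powershell
# Added example (not from the book): audit the A records in a zone and add one only if absent.
function Get-ZoneARecordReport {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName   = 'localhost',
        [string]$ExpectedPrefix = '172.16.11.'   # assumed lab subnet
    )
    # -RRType filters on the server, so no Where-Object on RecordType is needed
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName -RRType A |
        ForEach-Object {
            $ip = $_.RecordData.IPv4Address.IPAddressToString
            [pscustomobject]@{
                HostName   = $_.HostName
                IPv4       = $ip
                TTL        = $_.TimeToLive
                # A null/zero timestamp means a static record: scavenging will never remove it
                Static     = -not $_.Timestamp
                # Addresses outside the expected subnet deserve a second look
                Unexpected = -not $ip.StartsWith($ExpectedPrefix)
            }
        }
}

function Add-ARecordIfAbsent {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$IPv4Address,
        [string]$ComputerName = 'localhost'
    )
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType A `
        -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning ("{0}.{1} already resolves to {2}; not adding" -f $Name, $ZoneName,
            ($existing.RecordData.IPv4Address.IPAddressToString -join ', '))
        return $existing
    }
    # -PassThru returns the created record so the caller can log or verify it
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $Name -IPv4Address $IPv4Address `
        -ComputerName $ComputerName -PassThru
}

# Usage against the zone and test server from the text
Get-ZoneARecordReport -ZoneName corp.contoso.com | Where-Object { $_.Unexpected } | Format-Table -AutoSize
Add-ARecordIfAbsent -ZoneName corp.contoso.com -Name SEA-TEST -IPv4Address 172.16.11.239
```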

There are over one hundred different cmdlets in the DnsServer module for Windows PowerShell in Windows Server 2012. Table 1 shows the cmdlets you can use to perform some common DNS administration tasks. You'll get some hands-on experience with using some of these cmdlets in the practice exercises for this chapter.

TASK                                                  CMDLET
----                                                  ------
Configure forwarders                                  Add-DnsServerForwarder
Create a stub zone                                    Add-DnsServerStubZone
Display the contents of the DNS server cache          Show-DnsServerCache
Clear the DNS server cache                            Clear-DnsServerCache
Display full configuration details of the DNS server  Get-DnsServer
Display statistics for the DNS server                 Get-DnsServerStatistics
Import root hints                                     Import-DnsServerRootHint
Configure the DNS server cache settings               Set-DnsServerCache
Configure DNS server scavenging                       Set-DnsServerScavenging
Initiate scavenging                                   Start-DnsServerScavenging

Table 1: Some common DNS server administration tasks and the Windows PowerShell cmdlets you can use to perform them.

Exercise 2: Configuring a caching-only DNS server using Windows PowerShell

In this exercise you will configure a caching-only DNS server using Windows PowerShell. You will then configure a forwarder on your caching-only DNS server to improve its name resolution performance. 

  1. Log on to SERVER1, open Server Manager, select the All Servers page and make sure that both servers are displayed in the Servers tile. If SERVER2 is not displayed, add it to the server pool.
  2. Open a Windows PowerShell prompt and run the following command to install the DNS Server role on SERVER2:

    Install-WindowsFeature -Name DNS -ComputerName SERVER2 -IncludeManagementTools -Restart

    Note that although you specified the -Restart parameter, the servers did not restart after role installation because a restart was determined as being unnecessary.
  3. SERVER2 is now configured as a caching-only DNS server, which is not authoritative for any domains and can only perform queries, cache the answers, and return the results. Caching-only DNS servers can be useful at locations such as branch office sites, and they use root hints to identify the authoritative DNS servers for the root zone of your organization's DNS namespace.
  4. SERVER2 is currently using root hints for recursively performing name resolution. To view the root hints configured on SERVER2, run the following command:

    Get-DnsServerRootHint -ComputerName SERVER2
  5. Display the contents of the DNS server cache on SERVER2 by running the following command:

    Show-DnsServerCache -ComputerName SERVER2
  6. Use the nslookup command-line utility to attempt to use SERVER2 for resolving the IP address for the fully-qualified domain name (FQDN) www.bing.com as follows:

    nslookup www.bing.com SERVER2
  7. Note that one or more DNS server time outs may occur when you perform this name query. This is because name resolution is being performed recursively, beginning with the root name servers on the Internet, which can take several seconds to complete. If no response is received to your query, repeat running the above command until a non-authoritative response is received.
  8. Use the command Show-DnsServerCache -ComputerName SERVER2 and note that the DNS server cache now contains numerous entries relating to the name query you performed using nslookup.
  9. Clear the DNS server cache on SERVER2 by running the following command:

    Clear-DnsServerCache -ComputerName SERVER2
  10. Display the contents of the DNS server cache on SERVER2 again by running this command:

    Show-DnsServerCache -ComputerName SERVER2
  11. Note that the cache entries relating to the name query you performed using nslookup have now been deleted. The only entries that remain in the cache are those for the root hints configured on the server.
  12. To speed up name resolution on your caching-only name server, you will configure SERVER1 as a forwarder on SERVER2. Once you have done this, any name query sent to SERVER2 will be forwarded to SERVER1 which will then use its external forwarders at your Internet Service Provider (ISP) for resolving the query.
  13. Configure SERVER1 as a forwarder on SERVER2 by running the following command:

    Add-DnsServerForwarder -IPAddress 10.10.0.1 -ComputerName SERVER2
  14. Verify the result by displaying the forwarders configured on SERVER2 as follows:

    Get-DnsServerForwarder -ComputerName SERVER2
  15. Use nslookup to perform another name query against SERVER2 for the FQDN www.bing.com. The response should be received almost immediately with no DNS server time outs occurring. This is because the query was forwarded to SERVER1 which then forwarded it to your ISP's DNS servers for resolution. This approach is generally much faster than using the Internet root name servers to recursively resolve the requested FQDN.
  16. Display the contents of the DNS server cache on SERVER2 again. Note the cache entries relating to your name query, and note also that there are considerably fewer cache entries than when root hints alone were used for performing recursive name resolution.
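The whole exercise as one script, added here as an example rather than taken from the book. It assumes the lab names from the steps above (SERVER2 as the caching-only server, 10.10.0.1 as the forwarder address, www.bing.com as the test name), the DnsServer and DnsClient modules, and that it is run from SERVER1 with administrative rights on SERVER2. It adds the checks a practitioner wants after each step: that the role installed, that the server really holds no authoritative zones, that root hints exist, that the forwarder is added only once, and a side-by-side timing and cache-size comparison of the two resolution modes.

```powershell
# Added example (not from the book): Exercise 2 as an idempotent script with verification.
param(
    [string]$CachingServer = 'SERVER2',      # assumed lab name from the exercise
    [string]$ForwarderIP   = '10.10.0.1',    # SERVER1, per step 13
    [string]$TestName      = 'www.bing.com'
)

function Measure-Lookup {
    # Clears the cache, resolves $TestName through $CachingServer, reports time and cache size
    param([string]$Label)
    Clear-DnsServerCache -ComputerName $CachingServer -Force
    $elapsed = Measure-Command {
        # Timeouts are expected on the first root-hints pass (step 7), so errors are suppressed
        Resolve-DnsName -Name $TestName -Server $CachingServer -Type A -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Mode         = $Label
        Milliseconds = [int]$elapsed.TotalMilliseconds
        CacheEntries = (Show-DnsServerCache -ComputerName $CachingServer | Measure-Object).Count
    }
}

# Step 2: install the role; -Restart only reboots when the installer reports one is needed
$install = Install-WindowsFeature -Name DNS -ComputerName $CachingServer -IncludeManagementTools -Restart
if (-not $install.Success) { throw "DNS Server role installation failed on $CachingServer" }

# Step 3 check: a caching-only server should hold no zones beyond the auto-created ones
$authZones = Get-DnsServerZone -ComputerName $CachingServer | Where-Object { -not $_.IsAutoCreated }
if ($authZones) {
    Write-Warning ("{0} is authoritative for: {1}" -f $CachingServer, ($authZones.ZoneName -join ', '))
}

# Step 4: without root hints, recursion from the root cannot work at all
$rootHints = @(Get-DnsServerRootHint -ComputerName $CachingServer)
if ($rootHints.Count -eq 0) { throw "No root hints configured on $CachingServer" }

# Steps 6 to 11: resolve using root hints only
$viaRoot = Measure-Lookup -Label 'RootHints'

# Step 13: add the forwarder only if it is not already present
$current = @(Get-DnsServerForwarder -ComputerName $CachingServer |
    Select-Object -ExpandProperty IPAddress | ForEach-Object { $_.IPAddressToString })
if ($current -notcontains $ForwarderIP) {
    Add-DnsServerForwarder -IPAddress $ForwarderIP -ComputerName $CachingServer
}

# Steps 15 and 16: resolve again through the forwarder and compare both runs
$viaFwd = Measure-Lookup -Label 'Forwarder'
$viaRoot, $viaFwd | Format-Table -AutoSize
```

The Forwarder row should show a shorter time and far fewer cache entries than the RootHints row, which is the observation steps 15 and 16 ask you to make.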
