This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 34%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
I'm using Powershell to develop some custom DNS management tools for Server 2016 / 2019 for multiple domains.
Implementing split brain DNS as outlined on Microsoft recommendations (https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment) requires an additional zone scope to contain public IP addresses for the zone, while the default zone scope contains private / internal addresses.
All works well when configuring the primary, non-AD server. Names resolve as expected, and the primary DNS server is well behaved.
The problem arises when configuring the secondary server for the zone. Creating any records in the additional zone scope of the secondary server fails:
Add-DnsServerResourceRecord -Name . -NameServer secondary.contosso.com -NS -ZoneName contosso.com --ComputerNamesecondary.contosso.com -ZoneScope external
and Powershell complains vehemently with a Win32 9703 error, which simple means that a node can't be created in DNS.
The conclusions of my efforts and research say that a zone scope on a secondary server is pretty much useless - you can create one, you just can't populate it with any records in an automated fashion. Perhaps it can be created by copying and hacking zone files, but it seems this defeats the purpose of DNS management and would quickly become impractical in a large scale DNS implementation.
If the secondary server is changed to be primary then all DNS commands work as expected, which tells me that it's not a problem with command syntax or execution (the same commands function properly on all primary DNS servers). Of course making both servers primary defeats the purpose of zone replication, so that's not an answer either - you're back to the same problem of maintaining multiple servers for the same zone.
In summary, it seems that unless you're using zones that are Active Directory integrated, you're pretty much hosed in trying to implement a multi-server split-brain DNS policy. There are many implications of this fact in online forums, but no concise and definitive statement of the fact.
Thoughts?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Secondary DNS zones are managed by replication from the primary zone, not by direct modification.
How have you configured that primary zone for replication? Is it done on a schedule or do you use notification? In the primary DNS server for the zone have you added the secondary DNS servers?
This really isn't a PowerShell thing. It's the way DNS works.
So this is not an issue with replication of zones among servers - that works as expected. This topic is more directed to the issue of managing Zone Scopes, which do not replicate as zones do. I think this is a fundamental shortcoming of how Microsoft implemented Zone Scopes. Once you define a zone scope on a secondary server that is not AD integrated you're in a round room trying to sit in the corner. There's no way to manage that zone scope's content on a secondary server. At least not a logical and simple way.
Hi there,
The DNS zone information is actually stored as a partition in the active directory database. When Active Directory replicates, the zone data transfers. For standard DNS deployments, the data is stored in a file. You have to configure zone transfers manually in the DNS console.
You can try forcing the DNS to replicate and see if it is helpful.
--If the reply is helpful, please Upvote and Accept it as an answer--
Thanks for taking the time to reply, but your response is off topic. The issue is with management of DNS ZONE SCOPES, not DNS zones. Replication of DNS zones works as expected.