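# Split-brain DNS for my.local using zone scopes + query-resolution policies.
# Clients in 10.149.0.0/16 and 10.33.0.0/16 get site-local answers for
# proxy.my.local / wsus.my.local; every other client is answered from the
# default scope of the zone.
#
# Part 1 runs on ONE AD/DNS controller only: zone scopes and the records in
# them are zone data (replicated through AD for an AD-integrated zone).
# Part 2 (client subnets + policies) is per-server configuration and must be
# repeated on EVERY DNS server these clients can query.

# Fail on the first cmdlet error: a scope or subnet that was not created must
# not be silently referenced by the policies further down.
$ErrorActionPreference = 'Stop'
$ZoneName = "my.local"

# ---- Part 1: only on ONE AD/DNS controller ---------------------------------
# One zone scope per site, then the site-specific A records inside each scope.
Add-DnsServerZoneScope -ZoneName $ZoneName -Name "Scope149"
Add-DnsServerZoneScope -ZoneName $ZoneName -Name "Scope33"

Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "proxy" -IPv4Address 10.149.0.200 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "proxy" -IPv4Address 10.33.0.200  -ZoneScope "Scope33"
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "wsus"  -IPv4Address 10.149.0.209 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "wsus"  -IPv4Address 10.33.0.201  -ZoneScope "Scope33"

# ---- Part 2: on EVERY DNS server -------------------------------------------
# Client subnets the policies match on. SubnetTotal (10/8) overlaps both /16s,
# so the policy processing order below decides which policy wins.
Add-DnsServerClientSubnet -Name "Subnet149"   -IPv4Subnet 10.149.0.0/16
Add-DnsServerClientSubnet -Name "Subnet33"    -IPv4Subnet 10.33.0.0/16
Add-DnsServerClientSubnet -Name "SubnetTotal" -IPv4Subnet 10.0.0.0/8

# Policies are evaluated in ProcessingOrder; the first match is applied.
# Pin the order explicitly so the site-specific policies are always tried
# before the 10/8 catch-all, independent of creation order (e.g. when a policy
# is deleted and re-created later). A client outside 10/8, or a 10.149/10.33
# client asking for any other name, matches only the catch-all (or nothing)
# and is answered from the default scope.
Add-DnsServerQueryResolutionPolicy -Name "Policy149" -Action ALLOW -ClientSubnet "eq,Subnet149" -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope149" -ZoneName $ZoneName -ProcessingOrder 1
Add-DnsServerQueryResolutionPolicy -Name "Policy33"  -Action ALLOW -ClientSubnet "eq,Subnet33"  -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope33"  -ZoneName $ZoneName -ProcessingOrder 2
# The default zone scope carries the same name as the zone itself.
Add-DnsServerQueryResolutionPolicy -Name "PolicyTotal" -Action ALLOW -ClientSubnet "eq,SubnetTotal" -ZoneScope $ZoneName -ZoneName $ZoneName -ProcessingOrder 3

# Policies are created enabled unless -Disable is given; these calls are kept
# so a re-run also re-enables a policy that was switched off by hand.
Enable-DnsServerPolicy -Level Zone -ZoneName $ZoneName -Name "Policy149"
Enable-DnsServerPolicy -Level Zone -ZoneName $ZoneName -Name "Policy33"
Enable-DnsServerPolicy -Level Zone -ZoneName $ZoneName -Name "PolicyTotal"

# Global Query Block List (GQBL). The original listing ran
#   dnscmd /config /globalqueryblocklist isatap
# under the heading "allow split-brain DNS". That command only REPLACES the
# GQBL (default: wpad + isatap); it is unrelated to zone scopes/policies,
# which are already active after Enable-DnsServerPolicy above. Dropping wpad
# means a wpad.my.local record in the zone is answered to every WPAD-enabled
# client, and with secure dynamic updates (the usual AD-integrated setting)
# such a record can typically be registered by any authenticated domain
# member - i.e. proxy hijacking, the very thing the block list exists to stop.
# Nothing in this script publishes a wpad record, so keep wpad blocked. If
# WPAD is deliberately served, use the isatap-only form and make sure the
# wpad record's ACL/owner is restricted to administrators.
dnscmd /config /globalqueryblocklist wpad isatap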
# dig +trace SERVER-BUSINESS.RU
...
SERVER-BUSINESS.ru. 345600 IN NS oxygen.ns.hetzner.com.
SERVER-BUSINESS.ru. 345600 IN NS hydrogen.ns.hetzner.com.
SERVER-BUSINESS.ru. 345600 IN NS helium.ns.hetzner.de.
;; Received 644 bytes from 194.190.124.17#53(d.dns.ripn.net) in 72 ms
...
SERVER-BUSINESS.RU. 3600 IN A 135.181.20.85
SERVER-BUSINESS.RU. 3600 IN NS robotns3.second-ns.com.
SERVER-BUSINESS.RU. 3600 IN NS robotns2.second-ns.de.
SERVER-BUSINESS.RU. 3600 IN NS oxygen.ns.hetzner.com.
SERVER-BUSINESS.RU. 3600 IN NS ns2.SERVER-BUSINESS.RU.
SERVER-BUSINESS.RU. 3600 IN NS helium.ns.hetzner.de.
SERVER-BUSINESS.RU. 3600 IN NS hydrogen.ns.hetzner.com.
SERVER-BUSINESS.RU. 3600 IN NS ns1.first-ns.de.
SERVER-BUSINESS.RU. 3600 IN NS ns1.SERVER-BUSINESS.RU.
;; Received 316 bytes from 193.47.99.5#53(helium.ns.hetzner.de) in 77 ms
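# Split-brain DNS for my.local using zone scopes + query-resolution policies.
# Clients in 10.149.0.0/16 and 10.33.0.0/16 get site-local answers for
# proxy.my.local / wsus.my.local; every other client is answered from the
# default scope of the zone.
#
# Part 1 runs on ONE AD/DNS controller only: zone scopes and the records in
# them are zone data (replicated through AD for an AD-integrated zone).
# Part 2 (client subnets + policies) is per-server configuration and must be
# repeated on EVERY DNS server these clients can query.

# Fail on the first cmdlet error: a scope or subnet that was not created must
# not be silently referenced by the policies further down.
$ErrorActionPreference = 'Stop'
$ZoneName = "my.local"

# ---- Part 1: only on ONE AD/DNS controller ---------------------------------
# One zone scope per site, then the site-specific A records inside each scope.
Add-DnsServerZoneScope -ZoneName $ZoneName -Name "Scope149"
Add-DnsServerZoneScope -ZoneName $ZoneName -Name "Scope33"

Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "proxy" -IPv4Address 10.149.0.200 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "proxy" -IPv4Address 10.33.0.200  -ZoneScope "Scope33"
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "wsus"  -IPv4Address 10.149.0.209 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "wsus"  -IPv4Address 10.33.0.201  -ZoneScope "Scope33"

# ---- Part 2: on EVERY DNS server -------------------------------------------
# Client subnets the policies match on. SubnetTotal (10/8) overlaps both /16s,
# so the policy processing order below decides which policy wins.
Add-DnsServerClientSubnet -Name "Subnet149"   -IPv4Subnet 10.149.0.0/16
Add-DnsServerClientSubnet -Name "Subnet33"    -IPv4Subnet 10.33.0.0/16
Add-DnsServerClientSubnet -Name "SubnetTotal" -IPv4Subnet 10.0.0.0/8

# Policies are evaluated in ProcessingOrder; the first match is applied.
# Pin the order explicitly so the site-specific policies are always tried
# before the 10/8 catch-all, independent of creation order (e.g. when a policy
# is deleted and re-created later). A client outside 10/8, or a 10.149/10.33
# client asking for any other name, matches only the catch-all (or nothing)
# and is answered from the default scope.
Add-DnsServerQueryResolutionPolicy -Name "Policy149" -Action ALLOW -ClientSubnet "eq,Subnet149" -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope149" -ZoneName $ZoneName -ProcessingOrder 1
Add-DnsServerQueryResolutionPolicy -Name "Policy33"  -Action ALLOW -ClientSubnet "eq,Subnet33"  -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope33"  -ZoneName $ZoneName -ProcessingOrder 2
# The default zone scope carries the same name as the zone itself.
Add-DnsServerQueryResolutionPolicy -Name "PolicyTotal" -Action ALLOW -ClientSubnet "eq,SubnetTotal" -ZoneScope $ZoneName -ZoneName $ZoneName -ProcessingOrder 3

# Policies are created enabled unless -Disable is given; these calls are kept
# so a re-run also re-enables a policy that was switched off by hand.
Enable-DnsServerPolicy -Level Zone -ZoneName $ZoneName -Name "Policy149"
Enable-DnsServerPolicy -Level Zone -ZoneName $ZoneName -Name "Policy33"
Enable-DnsServerPolicy -Level Zone -ZoneName $ZoneName -Name "PolicyTotal"

# Global Query Block List (GQBL). The original listing ran
#   dnscmd /config /globalqueryblocklist isatap
# under the heading "allow split-brain DNS". That command only REPLACES the
# GQBL (default: wpad + isatap); it is unrelated to zone scopes/policies,
# which are already active after Enable-DnsServerPolicy above. Dropping wpad
# means a wpad.my.local record in the zone is answered to every WPAD-enabled
# client, and with secure dynamic updates (the usual AD-integrated setting)
# such a record can typically be registered by any authenticated domain
# member - i.e. proxy hijacking, the very thing the block list exists to stop.
# Nothing in this script publishes a wpad record, so keep wpad blocked. If
# WPAD is deliberately served, use the isatap-only form and make sure the
# wpad record's ACL/owner is restricted to administrators.
dnscmd /config /globalqueryblocklist wpad isatap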
# dig +trace +noadditional otdyh.ocdod74.ru
...
OCDOD74.ru. 345600 IN NS ocdod74.ru.
OCDOD74.ru. 345600 IN NS dns1.yandex.net.
OCDOD74.ru. 345600 IN NS otdyh.ocdod74.ru.
OCDOD74.ru. 345600 IN NS dns2.netbreeze.net.
couldn't get address for 'otdyh.ocdod74.ru': not found
На серверах имён нет записи для otdyh.ocdod74.ru. При этом в делегировании зоны OCDOD74.ru это же имя (otdyh.ocdod74.ru) указано как один из NS, но адреса для него не находится (см. «couldn't get address» выше), то есть резолвер не может до такого сервера добраться — делегирование частично «сломано». Проверяем оставшиеся серверы по отдельности:
# dig @ocdod74.ru otdyh.ocdod74.ru
connection timed out; no servers could be reached
DNS-сервер ocdod74.ru на запросы не отвечает (соединение по таймауту; ответа с этого NS ждать не стоит).
# dig @dns2.netbreeze.net otdyh.ocdod74.ru
otdyh.ocdod74.ru. IN A
# dig @dns1.yandex.net otdyh.ocdod74.ru
otdyh.ocdod74.ru. IN A
На серверах dns1.yandex.net и dns2.netbreeze.net нужной записи нет: оба возвращают только секцию вопроса (otdyh.ocdod74.ru. IN A) без ответа. Итого имя не резолвится ни через один из заявленных NS зоны.

Для сравнения — зона с корректным делегированием, где для каждого NS в ADDITIONAL SECTION приходят адреса (glue):
# dig NS mail.ru
;; ANSWER SECTION:
mail.ru. 370 IN NS ns1.mail.ru.
mail.ru. 370 IN NS ns2.mail.ru.
mail.ru. 370 IN NS ns3.mail.ru.
;; ADDITIONAL SECTION:
ns1.mail.ru. 596 IN A 217.69.139.112
ns2.mail.ru. 596 IN A 94.100.180.138
ns3.mail.ru. 54 IN A 185.30.176.202