DNS Policies in Windows Server 2016 Tech Preview 2

Hello – Gary Green and Mike Kline here to bring you Ask PFE Plat’s very first post regarding Windows Server 2016 (well, Technical Preview #2, to be specific)!

Over the years, Microsoft Windows Server DNS has provided excellent functionality and a frequently-expanding feature-set for our customers.  Our friends in the DNS Product Group are hard at work on some GREAT new features for the next version of Windows Server.

One such feature is DNS Policies.

DNS Policies allow you to control how a DNS Server handles queries/responses based on various parameters such as client IP subnet, the IP address of the network interface which received the DNS request, or even the time of day.

One use-case for a DNS Policy is the ability to provide clients geographically-appropriate resources for a given name, based on the client’s IP address.

Another common configuration for many customers is some sort of “split-brain” DNS, where the same DNS domain name (e.g. CONTOSO.COM) is used both on the Internet and on the internal corporate network, but a name may resolve to different IP addresses internally and externally. With DNS Policies, this configuration can be set up more easily.

One of the advantages of an elastic infrastructure is the ability to scale resources up or down as needed. One way DNS Policies can help with this is via the “time of day” parameter – it can shift load to certain IP addresses during certain times, such as off-hours.

Some clarifying details/notes:

  • As mentioned, this information applies to Technical Preview #2 – and is subject to change
  • Currently, DNS Policies can only be configured via PowerShell
  • DNS Policies will work only on Windows Server vNext/2016 DNS servers
    • Also, all DNS servers hosting a policy-controlled zone must be WS 2016 to take advantage of this functionality.
    • Clients can be any version
  • At present, DNS Policies are configured and stored locally on each DNS server, but they can be easily deployed across DNS servers using PowerShell
  • Zone scopes (note: not referring to DHCP scopes here) are currently supported only on file-backed zones. We’re working on AD-integrated zone support
  • You cannot add scopes on Conditional forwarders
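
The split-brain case and the "stored locally on each DNS server" note above, shown as an added example (not code from the original post): it creates the same policy on every server hosting the zone and then checks for servers that lack it. Cmdlet and parameter names are those of the DnsServer module in released Windows Server 2016 and may differ in Technical Preview 2; the server names, IP addresses, scope name and policy name are constructed.

```powershell
# Added example, not from the original post. Hosts, IPs and names are constructed.
$zone   = 'contoso.com'
$scope  = 'internal'            # zone scope holding the internal view
$policy = 'SplitBrainInternal'  # hypothetical policy name
# DNS server -> IP of its internal-facing interface (constructed values)
$servers = @{
    'dns01.contoso.com' = '10.0.0.56'
    'dns02.contoso.com' = '10.0.0.57'
}

foreach ($s in $servers.Keys) {
    # 1. Zone scope (the zone must be file-backed, per the notes above)
    $haveScope = Get-DnsServerZoneScope -ComputerName $s -ZoneName $zone |
        Where-Object ZoneScope -eq $scope
    if (-not $haveScope) {
        Add-DnsServerZoneScope -ComputerName $s -ZoneName $zone -Name $scope
    }

    # 2. Internal address for www, stored only in the internal scope
    $haveRecord = Get-DnsServerResourceRecord -ComputerName $s -ZoneName $zone `
        -ZoneScope $scope -Name 'www' -RRType A -ErrorAction SilentlyContinue
    if (-not $haveRecord) {
        Add-DnsServerResourceRecord -ComputerName $s -ZoneName $zone `
            -ZoneScope $scope -A -Name 'www' -IPv4Address '10.0.0.39'
    }

    # 3. Queries arriving on the internal interface are answered from the
    #    internal scope; all others fall through to the default (external) scope.
    $havePolicy = Get-DnsServerQueryResolutionPolicy -ComputerName $s -ZoneName $zone |
        Where-Object Name -eq $policy
    if (-not $havePolicy) {
        Add-DnsServerQueryResolutionPolicy -ComputerName $s -ZoneName $zone `
            -Name $policy -Action ALLOW `
            -ServerInterfaceIP "eq,$($servers[$s])" -ZoneScope "$scope,1"
    }
}

# Drift check: policies are local to each server, so report any server
# that has no enabled copy of the policy.
$missing = foreach ($s in $servers.Keys) {
    $p = Get-DnsServerQueryResolutionPolicy -ComputerName $s -ZoneName $zone |
        Where-Object { $_.Name -eq $policy -and $_.IsEnabled }
    if (-not $p) { $s }
}
if ($missing) { Write-Warning "Policy '$policy' missing or disabled on: $($missing -join ', ')" }

# Spot check: query each server on its internal interface; expect 10.0.0.39
foreach ($s in $servers.Keys) {
    Resolve-DnsName -Name "www.$zone" -Type A -Server $servers[$s] -DnsOnly
}
```

Running the drift check on a schedule catches a server that was rebuilt or added without the policy and is therefore answering internal clients from the default scope.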

 

The DNS Product Group published several great blog posts for DNS Policy implementation:

 

Also, take a look at Microsoft PowerShell MVP Jan Egil Ring‘s post about DNS Policies:

 

We’ll certainly be blogging more about Windows Server 2016 (and Windows 10, of course) but while we’ve got your ear about DNS, we’re planning a DNS Q & A with one of the PMs for the DNS Product Group at Microsoft.

Use the comments below to post your burning DNS questions (about these new Policies or anything else Windows DNS related) and look for a future post where we’ll discuss some of those questions.

Gary Green and Mike Kline signing off for now…