Windows DNS forwarders and conditional forwarders are an important part of your DNS infrastructure. In this tutorial, we're going to cover AD DNS forwarders and how you can manage them in your environment.

You will find that on occasion you need to add or manage these forwarder addresses. Some of these changes need to be made across multiple DNS servers in your enterprise. Thankfully, using commands like PowerShell's Set-DnsServerForwarder cmdlet and others allow you to easily manage both of these DNS services with ease.

This blog post has a companion video created by TechSnips contributor, David Lamb. Feel free to have a watch or, if you prefer text, read on!

Replacing DNS Forwarders

DNS forwarders are used by a DNS server to lookup queries for addresses that aren't contained in any zones that the server is authoritative for. This provides your DNS servers with an efficient means for resolving names. Without the forwarders in place, your DNS server would have to query the root hint servers to start resolving unknown addresses.

While these forwarder addresses are configured separately on each DNS server, using PowerShell makes managing them a lot easier by allowing us to use the Set-DnsServerForwarder cmdlet.

Begin by viewing the currently configured forwarders for the local DNS server. We'll do this by using the Get-DnsServerForwarder cmdlet. We're using the Get-* cmdlet first because you first need to find all existing forwarders.

As seen below, there are two forwarders configured with IP addresses of 8.8.8.8 and 8.8.4.4.

Get-DnsServerForwarder

Now add an additional forwarder. This forwarder could possibly a new DNS server that you have configured in our DMZ, or perhaps using a forwarding address provided by our ISP. In this case, you'll use the Set-DnsServerForwarder cmdlet to set the new address and then use Get-DnsServerForwarder to confirm that the address was set correctly.

Set-DnsServerForwarder -IPAddress 192.168.1.1
Get-DnsServerForwarder

Unfortunately, this did not have the desired outcome. As you can see above, using the Set-DnsServerForwarder cmdlet actually replaces the list of forwarders rather than adding to it. To add the address to the list, rather than replacing the entire list, you need to use Add-DnsServerForwarder.

To correct this, replace the list with the original two forwarders, add the new address, then check to see if you are successful.

Set-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4
Add-DnsServerForwarder -IPAddress 192.168.1.1
Get-DnsServerForwarder

You now have all three forwarders added.

Removing DNS Forwarders

Let's say you want to remove a forwarder address, you would use the Remove-DnsServerForwarder cmdlet as shown below. Then, you'd check to see if the address has been removed.

If Set-DnsServerForwarder replaces the DNS forwarder, Remove-DnsServerForwarder removes it completely.

Remove-DnsServerForwarder -IPAddress 192.168.1.1
Get-DnsServerForwarder

Scaling to Multiple DNS Servers

Sometimes, you will need to be able to add or remove a forwarder address on multiple DNS servers. In this instance, Set-DnsServerForwarder will not work. Thankfully PowerShell makes scaling this task to multiple DNS servers relatively easy. If you use Invoke-Command, include a list of all of our DNS servers, then put Add-DnsServerForwarder into the scriptblock parameter value, you can modify all of the DNS servers with a single command. Then using a similar command, view the results of our changes.

Invoke-Command -ComputerName DC01, DC02, DC03 -ScriptBlock {
    Add-DnsServerForwarder -IPAddress 192.168.1.1
}
Invoke-Command -ComputerName DC01, DC02, DC03 -ScriptBlock { Get-DnsServerForwarder }

Conditional forwarders

A special type of forwarder, called a conditional forwarder, cannot be modified with the Set-DnsServerForwarder cmdlet. This type of forwarder can be used when you have been provided with the IP address(es) of the DNS server(s) for a known DNS domain name.

Conditional forwarders are used by the DNS server before using the server forwarders listed earlier in this article.

For example, if you have a conditional forwarder configured for tailspintoys.com, your DNS server will, after checking that it isn't a domain it is authoritative for, check the conditional forwarders and find that an entry exists. At this point, your DNS server queries the DNS server listed for the desired address in the tailspintoys.com domain.

One nice feature of conditional forwarders is that they can be replicated to other DNS servers in the same way that any Active Directory Integrated DNS Zone can be.

Start by checking to see if you have a conditional forwarder configured by using the Get-DnsServerZone cmdlet.

Get-DnsServerZone

Conditional forwarders show up in this list with a ZoneType of forwarder. In this case, we don't have one configured. So, you will use Add-DnsServerConditionalForwarderZone to create the conditional forwarder, set it to replicate to the entire Active Directory forest, and then confirm it has been created.

Add-DnsServerConditionalForwarderZone `
    -Name tailspintoys.com `
    -MasterServers 10.10.14.240,10.10.14.241 `
    -ReplicationScope Forest

Get-DnsServerZone

The output shows that you have our conditional forwarder configured, and it is ready to go.

Summary

PowerShell really does make managing DNS forwarders a snap! You should now be able to use PowerShell to manage and automate AD DNS forwarders many different ways. We covered these forwarder at just about every angle.