How to Set the DNS Server Search Order on Windows with PowerShell

To follow along, you can find a copy of the code used in the SnipSnips GitHub repo.

Setting your DNS server search order with PowerShell is actually really easy. We’ll start with the Get-DnsClientServerAddress cmdlet to get a look at our existing settings.

So there you can see, we have our existing settings on the Ethernet interface with index seven: the primary server is 192.168.2.52 and the secondary server is 192.168.2.51.

So we’ll do a quick nslookup to file01.corp.ad, to verify that our primary is in fact responding.

So there we go, you can see above that the responding DNS server is our primary at .52, and it successfully returned .55, which is our file server.

Now, let’s change the order of our DNS servers. To do that, we’ll use the Set-DnsClientServerAddress cmdlet. We’ll point it at interface index seven as listed above, and I’ll change the order so that 192.168.2.51 is our primary and .52 is now our secondary. The order of the addresses you pass to the cmdlet is the search order: the client sends its queries to the first address and only moves on to the next one when that server does not answer.

We’ll do a quick verification. I’ll check interface index seven.

There, now you can see above, .51 is now our primary as it’s listed first, and .52 is our secondary.

Do another quick nslookup, and you can see that that now returns from .51, which is our primary DNS server.
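The whole procedure above (inspect, reorder, verify) as one script. This is an added example, not the code from the page or from the SnipSnips repo; it assumes interface index 7, the servers 192.168.2.51 and 192.168.2.52 and the test name file01.corp.ad from the text, and uses Resolve-DnsName -Server in place of nslookup so that each server is queried directly rather than whichever one the client picks.

```powershell
# Added example; interface index, server addresses and test name are taken from the text.
$ifIndex = 7
$servers = '192.168.2.51', '192.168.2.52'   # first entry is the primary (search order)
$testName = 'file01.corp.ad'

# 1. Current settings before touching anything
Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceIndex, ServerAddresses

# 2. Set the new order. Requires an elevated session. This replaces any DHCP-supplied list with a static one.
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $servers

# 3. Verify the order that is actually in effect equals what we asked for
$actual = (Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).ServerAddresses
if (($actual -join ',') -ne ($servers -join ',')) {
    throw "DNS order on interface $ifIndex is [$($actual -join ', ')], expected [$($servers -join ', ')]"
}

# 4. Check that each listed server really answers for the test name, not just that it is listed.
#    -Server pins the query to one server; -DnsOnly skips the hosts file, LLMNR and NetBIOS.
foreach ($srv in $servers) {
    try {
        $answer = Resolve-DnsName -Name $testName -Type A -Server $srv -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
        '{0} answered for {1}: {2}' -f $srv, $testName, $ips
    } catch {
        Write-Warning "$srv did not answer for ${testName}: $($_.Exception.Message)"
    }
}

# To hand the interface back to DHCP instead of the static list:
# Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ResetServerAddresses
```

Step 4 is the part worth keeping: a server that is first in the list but never answers silently adds a timeout to every lookup on the box, and a server that answers with the wrong address is the thing you actually want to notice when reviewing who is resolving your names.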

Adam Bertram is a 20-year veteran of IT and experienced online business professional. He’s an entrepreneur, IT influencer, Microsoft MVP, blogger, trainer and content marketing writer for multiple technology companies. Adam is also the founder of the popular IT career development platform TechSnips.

How to Manage DNS Records with PowerShell

Most of the time, DNS records are managed dynamically by your DNS server. However, at times you may find that you need to manually create, edit, or remove various types of DNS records. It is at times like this that PowerShell is quite useful for managing these records.

Viewing DNS Records

You can view all of the resource records for a given DNS zone by simply using the Get-DnsServerResourceRecord cmdlet and specifying the zone name parameter:

As you can see, this generates quite a lengthy list of records. This nicely highlights one of the advantages of this particular cmdlet over the graphical DNS console. This view gives you all of the records for this zone, regardless of which folder they are in. In the graphical console, it would take quite some time to piece this information together.

Now, let’s thin out this list a bit. Using the same cmdlet, but adding the RRType parameter to search for A records (IPv4 hosts) and filtering for records where the Time To Live (TTL) is greater than 15 minutes gives us a bit more of a manageable list:

Taking this one step further, we can also search for records in a different DNS zone, on a different DNS server. In this example, we will search for A records in the “canada.corp.ad” zone on DNS server DC03:
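The three views above in one script, plus a baseline export and diff that the paragraphs do not show. This is an added example and not the page’s own code; the zone names and the server DC03 are the ones in the text, the 15-minute TTL threshold is the one stated above, and the baseline file path is an assumption.

```powershell
# Added example; zone names, DC03 and the 15-minute threshold come from the text, the CSV path is assumed.
Import-Module DnsServer

# RecordData is a different class per record type; render it as one string so records can be listed and compared.
function Get-RecordValue {
    param([Parameter(Mandatory)] $Record)
    $d = $Record.RecordData
    switch ($Record.RecordType) {
        'A'     { $d.IPv4Address.IPAddressToString }
        'AAAA'  { $d.IPv6Address.IPAddressToString }
        'CNAME' { $d.HostNameAlias }
        'PTR'   { $d.PtrDomainName }
        'NS'    { $d.NameServer }
        'MX'    { '{0} {1}' -f $d.Preference, $d.MailExchange }
        'SRV'   { '{0} {1} {2} {3}' -f $d.Priority, $d.Weight, $d.Port, $d.DomainName }
        'TXT'   { $d.DescriptiveText }
        'SOA'   { '{0} serial={1}' -f $d.PrimaryServer, $d.SerialNumber }
        default { ($d | Out-String).Trim() }
    }
}

# 1. Every record in the zone, whatever folder the graphical console would file it under
$all = Get-DnsServerResourceRecord -ZoneName 'corp.ad'
$all | Select-Object HostName, RecordType, TimeToLive, @{ n = 'Value'; e = { Get-RecordValue $_ } } |
    Format-Table -AutoSize

# 2. Only A records whose TTL exceeds 15 minutes (TimeToLive is a TimeSpan, so compare against one)
Get-DnsServerResourceRecord -ZoneName 'corp.ad' -RRType A |
    Where-Object { $_.TimeToLive -gt [TimeSpan]::FromMinutes(15) } |
    Select-Object HostName, TimeToLive, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# 3. A different zone on a different server: the DnsServer cmdlets all accept -ComputerName
Get-DnsServerResourceRecord -ZoneName 'canada.corp.ad' -RRType A -ComputerName 'DC03' |
    Select-Object HostName, TimeToLive, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# 4. Baseline and diff. First run writes the snapshot; later runs report what changed.
#    '=>' marks a record present now but not in the baseline (added or repointed),
#    '<=' marks one that was in the baseline and is gone (removed or repointed).
$snapshot = $all | Select-Object HostName, RecordType, @{ n = 'Value'; e = { Get-RecordValue $_ } }
$baseline = '.\corp.ad-baseline.csv'
if (Test-Path $baseline) {
    Compare-Object -ReferenceObject (Import-Csv $baseline) -DifferenceObject $snapshot -Property HostName, RecordType, Value |
        ForEach-Object { '{0} {1} {2} {3}' -f $_.SideIndicator, $_.HostName, $_.RecordType, $_.Value }
} else {
    $snapshot | Export-Csv -Path $baseline -NoTypeInformation
}
```

The diff in step 4 is the cheapest DNS change audit you can run: an A or CNAME record that was quietly repointed shows up as one `<=` line and one `=>` line for the same name.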

Adding and Removing Host Records (A and AAAA)

To add a host record, we will need to use the Add-DnsServerResourceRecordA cmdlet. In this example, we need to add a host record for a new printer that we are adding to the network. It will be added to the corp.ad zone with the name “reddeerprint01”, and its IP address is 192.168.2.56.

If it turns out that we need to remove a record, for example, if the printer has been decommissioned, we can use the following code to remove the host record that we just created:

It is also just as easy to add an IPv6 host record. Of course, these records differ slightly, as they are AAAA records, so we now use the Add-DnsServerResourceRecordAAAA cmdlet. It’s a subtle change, but an important one. Let’s add a record to the “corp.ad” zone for the new IT Intranet server at “fc00:0128” and then quickly verify that it has been created:
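The add, verify and remove steps above as one script. This is an added example, not the page’s code. The zone, printer name and IPv4 address are from the text; the record name “intranet” and the address fc00::128 are assumptions, because the text’s “fc00:0128” is an abbreviation rather than a complete IPv6 address.

```powershell
# Added example; zone, printer name and 192.168.2.56 are from the text, the AAAA name and address are assumed.
Import-Module DnsServer
$zone = 'corp.ad'

# A record for the printer. Without -AllowUpdateAny the record is static, so a dynamic-update
# client cannot later overwrite it; an explicit TTL keeps it out of caches for no longer than needed.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'reddeerprint01' -IPv4Address '192.168.2.56' `
    -TimeToLive (New-TimeSpan -Hours 1)
Get-DnsServerResourceRecord -ZoneName $zone -Name 'reddeerprint01' -RRType A

# AAAA record for the intranet server
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'intranet' -IPv6Address 'fc00::128'
Get-DnsServerResourceRecord -ZoneName $zone -Name 'intranet' -RRType AAAA

# Remove the printer record. -RecordData targets one specific address, so a name that has several
# A records loses only the one given here. -Force suppresses the confirmation prompt.
Remove-DnsServerResourceRecord -ZoneName $zone -Name 'reddeerprint01' -RRType A -RecordData '192.168.2.56' -Force

# Confirm it is really gone (Get- writes an error for a missing record, which we silence here)
if (Get-DnsServerResourceRecord -ZoneName $zone -Name 'reddeerprint01' -RRType A -ErrorAction SilentlyContinue) {
    throw "reddeerprint01 still exists in $zone"
}
```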

Adding Reverse Lookup Records (PTR)

A reverse lookup record allows the client to query a DNS server to request the hostname for a supplied IP address. Creating a PTR record is a relatively easy process, but there is one important bit of information you will need to know before you start adding PTR records. Reverse lookup zones are not created by default. You will need to set up your reverse lookup zone prior to adding records.

Fortunately, it is relatively easy to do. You just need to use the Add-DnsServerPrimaryZone cmdlet and provide it with the Network ID. In this example, I have also chosen to set the replication scope to the entire AD forest, and I have specifically targeted “DC03” as the preferred DNS server:

Now that our reverse lookup zone is in place, we can add our PTR record for a new printer called “CYQF-Printer-01.canada.corp.ad” that has an IP address of 192.168.2.56. As this record is for the “canada.corp.ad” zone, we will be targeting the DNS server “DC03”.

When using the Add-DnsServerResourceRecordPtr cmdlet, it is important to note a couple of things. First, the zone name is the network ID written in reverse octet order with “.in-addr.arpa” appended. So for our “192.168.2.0/24” network ID, the zone name is “2.168.192.in-addr.arpa”. Second, the “Name” parameter is only the host portion of the IP address. For our printer at 192.168.2.56, the “Name” is simply “56”.

Once you have those pieces of information, the code required to create the PTR record is relatively simple, if a bit long:
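The reverse zone and PTR steps above as one script, with a small helper that derives the in-addr.arpa zone name and the PTR name from an address and prefix length so the two values described in the previous paragraph do not have to be worked out by hand. This is an added example and not the page’s code; it takes the printer name, the address 192.168.2.56, the /24 network and the server DC03 from the text. The helper goes beyond the /24 case in the text and also handles /8 and /16, which are the other prefixes that map onto a single in-addr.arpa zone; classless prefixes such as /25 need a delegation and are deliberately rejected.

```powershell
# Added example; printer name, address, /24 network and DC03 are from the text.
Import-Module DnsServer

# Derive the in-addr.arpa zone, the PTR record name and the network ID for an IPv4 address.
# Only octet-aligned prefixes (/8, /16, /24) correspond to one reverse zone; others are refused.
function Get-ReverseZoneParts {
    param(
        [Parameter(Mandatory)][ipaddress] $IPAddress,
        [ValidateSet(8, 16, 24)][int] $PrefixLength = 24
    )
    $octets    = $IPAddress.GetAddressBytes()
    $netOctets = $PrefixLength / 8
    $network   = @($octets[0..($netOctets - 1)])
    $hostPart  = @($octets[$netOctets..3])
    [array]::Reverse($network)     # zone labels run from least to most significant octet
    [array]::Reverse($hostPart)    # so does the host part when it spans more than one octet
    [pscustomobject]@{
        ZoneName  = ($network -join '.') + '.in-addr.arpa'
        Name      = $hostPart -join '.'
        NetworkId = (@($octets[0..($netOctets - 1)]) + (@(0) * (4 - $netOctets)) -join '.') + "/$PrefixLength"
    }
}

$dnsServer   = 'DC03'
$printerIp   = '192.168.2.56'
$printerFqdn = 'CYQF-Printer-01.canada.corp.ad'

$parts = Get-ReverseZoneParts -IPAddress $printerIp -PrefixLength 24
# $parts.ZoneName = 2.168.192.in-addr.arpa, $parts.Name = 56, $parts.NetworkId = 192.168.2.0/24

# Create the reverse zone only if it does not exist yet: AD-integrated, replicated forest-wide, created on DC03
if (-not (Get-DnsServerZone -Name $parts.ZoneName -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $parts.NetworkId -ReplicationScope Forest -ComputerName $dnsServer
}

# Add the PTR: Name is the host portion only, PtrDomainName is the full hostname
Add-DnsServerResourceRecordPtr -ZoneName $parts.ZoneName -Name $parts.Name -PtrDomainName $printerFqdn `
    -ComputerName $dnsServer

# Verify the round trip: the address should now resolve back to the printer's name via that server
$ptr = Resolve-DnsName -Name $printerIp -Type PTR -Server $dnsServer -ErrorAction Stop
if ($ptr.NameHost -ne $printerFqdn) {
    throw "PTR for $printerIp is '$($ptr.NameHost)', expected '$printerFqdn'"
}
```

Reverse records are what log pipelines, mail servers and some access policies consult when they turn an address into a name, so the round-trip check at the end is worth keeping in any script that creates them.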

Adding Alias Records (CNAME)

To finish off, we will create a host alias record, or CNAME record, using the Add-DnsServerResourceRecordCName cmdlet. These records allow you to specify an alias for an existing host record in the zone. This becomes especially useful, for example, if you want to provide your finance users with an address for their web-enabled finance app. You could create an alias called “finance” and point it to the web server “webapp25.corp.ad”. Then, when you need to migrate the app to a new web server with a new hostname, you simply change the CNAME record to point “finance” to the new host. This way, the users don’t have to update their bookmarks. They can continue to access their application using the address “finance.corp.ad”.
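The alias scenario above, carried through to the migration step the paragraph describes. This is an added example rather than the page’s code; the zone, the alias “finance” and the target “webapp25.corp.ad” are from the text, while the new host “webapp26.corp.ad” is an assumption. Repointing is done in place with Set-DnsServerResourceRecord instead of deleting and re-adding, so there is no window in which the alias does not exist, and the script finishes by checking that the alias target actually resolves.

```powershell
# Added example; zone, alias and webapp25 are from the text, webapp26 is an assumed new host.
Import-Module DnsServer
$zone = 'corp.ad'

# Create the alias. The target is a hostname, never an IP address.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'finance' -HostNameAlias 'webapp25.corp.ad'

# Migration: change the target of the existing record in place
$old = Get-DnsServerResourceRecord -ZoneName $zone -Name 'finance' -RRType CName
$new = $old.Clone()
$new.RecordData.HostNameAlias = 'webapp26.corp.ad.'
Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $old -NewInputObject $new

# Verify the alias, then verify the thing it points at. A CNAME whose target no longer has an
# A record is a dangling alias; if the target name can be registered by someone else, it is a takeover path.
$alias  = Get-DnsServerResourceRecord -ZoneName $zone -Name 'finance' -RRType CName
$target = $alias.RecordData.HostNameAlias.TrimEnd('.')
"finance.$zone -> $target"
if (-not (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)) {
    Write-Warning "finance.$zone points at $target, but $target does not resolve (dangling alias)"
}
```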

Additional Resources

Companion video: “How To Manage DNS Records With PowerShell”

David Lamb is a Systems Administrator managing Windows servers and clients since 1995, spending a large portion of his career in the aviation industry. His first certification was the MCSE on Windows NT 4.0, earned in 2001. David lives in Alberta, Canada, and is currently spending his free time learning PowerShell, blogging, and pursuing the MCSE certification on Windows Server.

Using Set-DnsServerForwarder and Others to Manage DNS Forwarders

Using Set-DnsServerForwarder

Windows DNS forwarders and conditional forwarders are an important part of your DNS infrastructure. On occasion you will need to add or manage these forwarder addresses, and some of these changes need to be made across multiple DNS servers in your enterprise. Thankfully, PowerShell cmdlets such as Set-DnsServerForwarder and its companions let you manage both kinds of forwarder with ease.

Using Set-DnsServerForwarder to Replace Forwarders

DNS forwarders are the servers your DNS server sends queries to for names that are not in any zone it is authoritative for and not already in its cache. This gives your DNS servers an efficient means of resolving names. Without forwarders in place, your DNS server would have to start from the root hint servers and walk the hierarchy itself for every unknown name. Because every external query goes to the forwarders and their answers are accepted as-is, the forwarder list is a security-relevant setting and worth auditing. Forwarder addresses are configured separately on each DNS server, but PowerShell makes managing them a lot easier with Set-DnsServerForwarder and the related cmdlets.

So, let’s begin by viewing the currently configured forwarders for the local DNS server by using the Get-DnsServerForwarder cmdlet. We’ll use the Set-DnsServerForwarder in a minute to add one.

As seen below, there are two forwarders configured, listed beside “IPAddress”.

Using Get-DnsServerForwarder

Next, we want to add an additional forwarder, possibly a new DNS server that we have configured in our DMZ, or perhaps using a forwarding address provided by our ISP. In this case, we’ll use the Set-DnsServerForwarder cmdlet to set the new address and then use Get-DnsServerForwarder to confirm that the address was set correctly.

The results of using Set-DnsServerForwarder

Unfortunately, this did not have the desired outcome. As you can see, Set-DnsServerForwarder replaces the entire list of forwarders rather than adding to it. To add an address to the existing list, you need Add-DnsServerForwarder instead. To correct this, we’ll put the list back to the original two forwarders, add the new address with Add-DnsServerForwarder, and then check that all three are present.

Get-DnsServerForwarder

There, that looks much better. We now have all three forwarders added.

Now, if you want to remove a forwarder address, simply use the Remove-DnsServerForwarder cmdlet as shown, then check that the address has been removed. Note the difference: Set-DnsServerForwarder overwrites the whole list, whereas Remove-DnsServerForwarder deletes only the address(es) you pass to it.

The results of Remove-DnsServerForwarder

Sometimes you will need to add or remove a forwarder address on multiple DNS servers, and doing that one server at a time does not scale. Thankfully, PowerShell makes this easy. If we use Invoke-Command with a list of all of our DNS servers and put Add-DnsServerForwarder into the ScriptBlock, we can modify all of the DNS servers with a single command, and then use a similar command with Get-DnsServerForwarder to view the results of our changes.

Running Get-DnsServerForwarder on multiple servers
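The forwarder operations above (view, replace, add, remove, and fleet-wide change) as one script, including the replace-versus-add trap the text ran into. This is an added example, not the page’s code; the server names DC01 to DC03 and the forwarder address 192.168.100.10 are assumptions. The final audit loop is not in the text: it uses the -ComputerName parameter the DnsServer cmdlets provide, so it works even where WinRM is not enabled.

```powershell
# Added example; server names and the new forwarder address are assumed.
Import-Module DnsServer
$dnsServers   = 'DC01', 'DC02', 'DC03'
$newForwarder = '192.168.100.10'        # e.g. a resolver in the DMZ or one supplied by the ISP

# 1. What the local server has configured right now. @() keeps this an array even with one entry.
$original = @((Get-DnsServerForwarder).IPAddress.IPAddressToString)
"Current forwarders: $($original -join ', ')"

# 2. Set- defines the whole list. Calling it with only the new address would leave that one forwarder,
#    so it is used here the way the text recovers: original list plus the new entry.
Set-DnsServerForwarder -IPAddress ($original + $newForwarder)

# 3. Add- appends a single entry. A membership check makes the script safe to run repeatedly.
if ($newForwarder -notin (Get-DnsServerForwarder).IPAddress.IPAddressToString) {
    Add-DnsServerForwarder -IPAddress $newForwarder
}

# 4. Remove- deletes only the address given; -Force skips the confirmation prompt.
Remove-DnsServerForwarder -IPAddress $newForwarder -Force

# 5. Fleet-wide through Invoke-Command (needs WinRM on the targets), returning the result per server
$report = Invoke-Command -ComputerName $dnsServers -ArgumentList $newForwarder -ScriptBlock {
    param($Forwarder)
    $have = (Get-DnsServerForwarder).IPAddress.IPAddressToString
    if ($Forwarder -notin $have) { Add-DnsServerForwarder -IPAddress $Forwarder }
    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        Forwarders = (Get-DnsServerForwarder).IPAddress.IPAddressToString -join ', '
    }
}
$report | Format-Table Server, Forwarders -AutoSize

# 6. Audit: warn about any server whose forwarder list differs from the agreed list.
#    An unexpected forwarder means someone else is answering that server's external queries.
$expected = (@($original + $newForwarder) | Sort-Object) -join ','
foreach ($s in $dnsServers) {
    $actual = (@((Get-DnsServerForwarder -ComputerName $s).IPAddress.IPAddressToString) | Sort-Object) -join ','
    if ($actual -ne $expected) {
        Write-Warning "$s forwarders [$actual] differ from expected [$expected]"
    }
}
```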

That brings us to the end of the section on DNS Forwarders.

Conditional Forwarders

A conditional forwarder is a special type of forwarder that applies to a single DNS domain name. You use it when you have been given the IP address(es) of the DNS server(s) for a known domain. Conditional forwarders are not managed with the Set-DnsServerForwarder cmdlet; they are zone objects with their own cmdlets. The DNS server consults its conditional forwarders before the server-wide forwarders described earlier in this article. For example, if you have a conditional forwarder configured for tailspintoys.com, your DNS server will, after checking that this isn’t a domain it is authoritative for, check the conditional forwarders and find that an entry exists. At that point it sends the query for the desired name in the tailspintoys.com domain to the DNS server listed in that entry.

One nice feature of conditional forwarders is that they can be replicated to other DNS servers in the same way that any Active Directory Integrated DNS Zone can be.

Let’s start by checking whether we already have a conditional forwarder configured, using the Get-DnsServerZone cmdlet.

Get-DnsServerZone PowerShell

Conditional forwarders show up in this list as ZoneType: Forwarder. In this case, we don’t seem to have one configured. So, we will use Add-DnsServerConditionalForwarderZone to create the conditional forwarder, set it to replicate to the entire Active Directory forest, and then confirm it has been created.

The results of Add-DnsServerConditionalForwarderZone

The output shows that we have our conditional forwarder configured, and it is ready to go. PowerShell really does make managing DNS forwarders a snap.
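The conditional-forwarder steps above as one script. This is an added example, not the page’s code; the domain tailspintoys.com is the one used in the text, while the master server addresses and the later replacement address are assumptions.

```powershell
# Added example; tailspintoys.com is from the text, the master server addresses are assumed.
Import-Module DnsServer
$domain  = 'tailspintoys.com'
$masters = '10.50.0.10', '10.50.0.11'   # the DNS servers we were given for that domain

# 1. Conditional forwarders appear among the zones with ZoneType "Forwarder"
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, @{ n = 'MasterServers'; e = { $_.MasterServers.IPAddressToString -join ', ' } }, IsDsIntegrated

# 2. Create it if it is missing: AD-integrated and replicated to every DNS server in the forest
if (-not (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $domain -MasterServers $masters -ReplicationScope Forest
}

# 3. Confirm what we have, and which servers queries for this domain will now be sent to.
#    Those servers see every query for the domain and their answers are trusted, so the list should match what you were given.
$cf = Get-DnsServerZone -Name $domain
'{0}: type={1}, masters={2}, AD-integrated={3}' -f $cf.ZoneName, $cf.ZoneType,
    ($cf.MasterServers.IPAddressToString -join ', '), $cf.IsDsIntegrated

# 4. Resolve a name in the domain through the local server to exercise the forwarding path
Resolve-DnsName -Name "www.$domain" -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue

# To change the master servers later without recreating the zone:
# Set-DnsServerConditionalForwarderZone -Name $domain -MasterServers '10.50.0.12'
```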

Additional Resources

Companion video: “How To Manage DNS Forwarders With PowerShell”
