One of the requirements to join an Identity Management Server (IdM) to an Active Directory (AD), a DNS delegation needs to be created on AD. With the Red Hat training for RH362, we were taught to use a command-line interface program called dnscmd on AD server. I personally found this command very cumbersome, and I think a better way is to do this DNS delegation using PowerShell cmdlet.

I’ll demonstrate how to do DNS delegation both using dnscmd and PowerShell cmdlet. You can decide yourself which one you find easier to use.

Let’s assume that we have the following information:

  1. IdM server: idm.lab.example.net - 172.25.250.8
  2. The domain for the IdM server is: lab.example.net
  3. The AD’s domain: example.net

In order to delate this domain on the AD server, we need to create 2 DNS records on the AD server.

  1. An A record - idm.lab.example.net
  2. A NS record - lab.example.net
dnscmd 127.0.0.1 /AddRecord example.net idm.lab.example.net. A 172.25.250.8
dnscmd 127.0.0.1 /AddRecord example.net lab.example.net. NS idm.lab.example.net.

How is it cumbersome, you may ask? Well, suppose you don’t use this command often, how do you know all the options? My personal experience was that I even forgot the command name is called dnscmd. Oh, and I don’t know how to do tab-completion. I know there is a help flag for this command (dnscmd /?), but even that help page is very overwhelming for a Linux user like myself who relies so much on man pages of most commands on Linux system.

I find the PowerShell cmdlet more friendly. Here are 2 ways to do DNS delegation using PowerShell. For the first one, we’ll follow the same steps: creating A record followed by an NS record.

PS C:\> Add-DnsServerResourceRecord -ZoneName "example.net" -A -Name "idm.lab" -IPv4Address "172.25.250.8"
PS C:\> Add-DnsServerResourceRecord -ZoneName "example.net" -NS -Name "lab" -NameServer "idm.lab.example.net."

Here is the 2nd PowerShell to create a DNS delegation one go.

PS C:\ Add-DnsServerZoneDelegation -Name "example.net" -ChildZoneName "lab.example.net." -NameServer "idm.lab.example.net." -IPAddress 172.25.250.8 -PassThru -Verbose

I know the cmdlet on PowerShell is kinda verbose, but they come with tab-completions for the commands as well as the commands’ options. You can run Get-Help Add-DnsServerResourceRecord if you want to know how to use it. In fact, you can just run man Add-DnsServerResourceRecord. (man is an alias for Get-Help.)

Well, this is just my personal opinion. Use whatever command you that suits you better. :)

References: