How to Configure Windows AD DNS Forwarding for External Domain Resolution in Split-Horizon Environments


When running Active Directory with internal DNS while also needing to reach external resources, you'll often face resolution failures for public domains. Here's how I solved this exact issue in our production environment.

# Current problematic DNS architecture example:
Internal DNS Zone: ourcompany.local
Public DNS Zone: ourcompany.com
Missing record: www.ourcompany.com (exists only in public DNS)

For Windows Server 2016/2019/2022 DNS servers:

1. Open DNS Manager (dnsmgmt.msc)
2. Right-click the DNS server name → Properties
3. Select the "Forwarders" tab
4. Click "Edit..." to add forwarders
5. Enter public DNS servers (e.g., 8.8.8.8, 1.1.1.1)
6. Set forward timeout (default 5 seconds is usually fine)
7. Check "Use root hints if no forwarders are available"

For more granular control when you only need specific domains forwarded:

# PowerShell alternative for conditional forwarding
# (backticks continue the command across lines; without them each line is parsed on its own)
Add-DnsServerConditionalForwarderZone `
  -Name "ourcompany.com" `
  -MasterServers 8.8.8.8,1.1.1.1 `
  -ForwarderTimeout 5 `
  -ReplicationScope "Forest"

Verify with these commands:

nslookup www.ourcompany.com
# Should return public IP

nslookup internal-server.ourcompany.local
# Should return internal IP

For complex environments with multiple forwarding requirements:

# A query resolution policy cannot name a forwarder directly; the forwarder lives in a
# recursion scope, and the policy selects that scope for matching queries.
Add-DnsServerRecursionScope `
  -Name "ExternalScope" `
  -EnableRecursion $true `
  -Forwarder 8.8.8.8

Add-DnsServerQueryResolutionPolicy `
  -Name "ExternalForwardPolicy" `
  -Action ALLOW `
  -ApplyOnRecursion `
  -RecursionScope "ExternalScope" `
  -Fqdn "EQ,www.ourcompany.com"

  • Firewall blocking UDP/53 to forwarders
  • Forwarder timeout too short for high-latency networks
  • Split-brain DNS conflicts when internal/external records overlap

Remember to test changes in a non-production environment first and monitor DNS event logs for resolution errors.
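A validation script that covers the verification steps and the three failure causes listed above (forwarder reachability, timeout and root-hint fallback, split-brain overlap) in one run; it is added here and is not code from either answer. It assumes the DnsServer and NetTCPIP PowerShell modules are available (RSAT DNS tools), and the server and host names in the example call are placeholders for your own.

```powershell
function Test-SplitHorizonResolution {
    param(
        [Parameter(Mandatory)][string]   $DnsServer,     # AD DNS server to validate (IP or FQDN)
        [Parameter(Mandatory)][string[]] $Forwarders,    # e.g. 8.8.8.8, 1.1.1.1
        [Parameter(Mandatory)][string[]] $InternalNames, # names that live in ourcompany.local
        [Parameter(Mandatory)][string[]] $ExternalNames  # public names such as www.ourcompany.com
    )
    $r = New-Object System.Collections.Generic.List[object]
    function Add-Result($check, $target, $pass, $detail) {
        $r.Add([pscustomobject]@{ Check = $check; Target = $target; Pass = [bool]$pass; Detail = $detail })
    }

    # 1. Forwarder reachability. Test-NetConnection probes TCP only, but TCP/53 must be open anyway
    #    for truncated answers, and a filtered TCP/53 almost always means UDP/53 is filtered too.
    foreach ($f in $Forwarders) {
        $tcp = Test-NetConnection -ComputerName $f -Port 53 -WarningAction SilentlyContinue
        Add-Result 'Forwarder TCP/53' $f $tcp.TcpTestSucceeded $null
    }

    # 2. Server configuration: forwarders, timeout, and whether root hints are the fallback.
    $cfg = Get-DnsServerForwarder -ComputerName $DnsServer
    Add-Result 'Forwarders configured' $DnsServer (@($cfg.IPAddress).Count -gt 0) ($cfg.IPAddress -join ', ')
    Add-Result 'Root-hint fallback' $DnsServer $cfg.UseRootHint "timeout=$($cfg.Timeout)s"

    # 3. Split-brain check: when this server is authoritative for a public name's zone it never
    #    forwards that name, so the record must also exist in the internal copy of the zone.
    $zones = (Get-DnsServerZone -ComputerName $DnsServer).ZoneName
    foreach ($n in $ExternalNames) {
        $auth = @($zones | Where-Object { $n -eq $_ -or $n.EndsWith(".$_") })
        Add-Result 'Will be forwarded' $n ($auth.Count -eq 0) ($auth -join ', ')
    }

    # 4. Resolve through the AD DNS server itself, bypassing the client cache and hosts file.
    foreach ($n in ($InternalNames + $ExternalNames)) {
        try {
            $ans = Resolve-DnsName -Name $n -Type A -Server $DnsServer -DnsOnly -NoHostsFile -ErrorAction Stop
            $ips = @($ans | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IP4Address })
            Add-Result 'Resolves' $n ($ips.Count -gt 0) ($ips -join ', ')
        } catch {
            Add-Result 'Resolves' $n $false $_.Exception.Message   # NXDOMAIN, SERVFAIL or timeout
        }
    }
    return $r
}

# Example call (server and names are placeholders for your own environment).
Test-SplitHorizonResolution -DnsServer 'dc01.ourcompany.local' -Forwarders '8.8.8.8','1.1.1.1' `
    -InternalNames 'internal-server.ourcompany.local' -ExternalNames 'www.ourcompany.com' |
    Format-Table Check, Target, Pass, Detail -AutoSize
```

A row with Pass = False on "Will be forwarded" means the server is authoritative for the public zone, so no forwarder setting will ever help for that name.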


When setting up Active Directory with internal DNS, a common scenario emerges where internal clients need to resolve both internal and external domains. The "split-horizon" approach (separate DNS zones for internal and external resources) creates resolution gaps for public resources when queried from within the network.

Here's how to configure conditional forwarding in Windows Server DNS:

# PowerShell script to configure DNS forwarding
# (backticks continue the command across lines)
Add-DnsServerConditionalForwarderZone `
    -Name "ourcompany.com" `
    -MasterServers 8.8.8.8,8.8.4.4 `
    -PassThru

# Or for all external domains:
Set-DnsServerForwarder `
    -IPAddress 8.8.8.8,8.8.4.4 `
    -PassThru

If you prefer not to use forwarders, you can enable root hints:

# Disable forwarding and enable root hints
# Remove every configured forwarder, then let the server fall back to its built-in root hints
$current = (Get-DnsServerForwarder).IPAddress
if ($current) { Remove-DnsServerForwarder -IPAddress $current -Force }
Set-DnsServerForwarder -UseRootHint $true

Verify with these diagnostic commands:

nslookup www.ourcompany.com
Resolve-DnsName www.ourcompany.com -Server your_dns_server

For more control, implement DNS policies:

# Create a DNS query resolution policy
# The policy selects a recursion scope; the scope holds the forwarder used for matching names
Add-DnsServerRecursionScope `
    -Name "ExternalScope" `
    -EnableRecursion $true `
    -Forwarder 8.8.8.8,8.8.4.4

Add-DnsServerQueryResolutionPolicy `
    -Name "ExternalResolutionPolicy" `
    -Action ALLOW `
    -ApplyOnRecursion `
    -RecursionScope "ExternalScope" `
    -Fqdn "EQ,*.ourcompany.com" `
    -PassThru

  • Check DNS server logs: Get-WinEvent -LogName "DNS Server"
  • Verify forwarder connectivity: Test-NetConnection 8.8.8.8 -Port 53
  • Clear DNS cache: Clear-DnsServerCache -Force