How to Set Up Windows Server 2016 Internal DNS Service
The Internal DNS Service in Windows Server 2016 SDN provides name resolution capabilities for tenant virtual machines within their isolated virtual networks. In an SDN environment, tenant VMs cannot use the physical DNS servers directly without policy allowing that traffic, and they may have conflicting namespace requirements with other tenants. The Internal DNS Service, managed through the Network Controller, provides per-tenant DNS zones that resolve names within the tenant’s virtual network using DNS records distributed by the SDN control plane.
This tutorial covers how to deploy and configure the Internal DNS Service for tenant networks, set up DNS zones, register VM records, and verify name resolution within an SDN virtual network.
Overview of SDN Internal DNS
The SDN Internal DNS Service operates as a lightweight DNS server running inside the tenant’s virtual network. The Network Controller manages the DNS records for VMs attached to the virtual network, automatically registering and deregistering records as VMs are added or removed. This eliminates the need for tenants to manage their own DNS servers and ensures that DNS records are always in sync with the actual network state. The service supports both forward and reverse lookup zones for tenant networks.
Prerequisites
You need a functional Windows Server 2016 SDN deployment with the Network Controller running and tenant virtual networks already configured. The DNS service capability is part of the Network Controller service layer and does not require a separate server installation. Confirm that your Network Controller exposes the iDNS configuration resource by reading it through the REST API:
$uri = "https://nc.contoso.com"
Invoke-RestMethod `
    -Uri "$uri/networking/v1/iDnsServer/configuration" `
    -Method Get `
    -UseDefaultCredentials
Step 1 — Configure the iDNS Service on the Network Controller
Enable and configure the Internal DNS (iDNS) service by setting the iDNS server configuration. Specify the DNS server (and the credential the Network Controller uses to reach it) that the iDNS proxy will forward external queries to, the zone suffix under which tenant zones are created, and the IP address that tenant VMs will use as their DNS server:
$headers = @{ "Content-Type" = "application/json" }
$idnsConfig = @{
    properties = @{
        connections = @(@{
            managementAddress = "10.10.55.5"
            credential        = @{ resourceRef = "/credentials/DnsServerCred" }
            credentialType    = "UsernamePassword"
        })
        zone      = "internal.contoso.com"
        ipAddress = "10.100.0.2"
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod `
    -Uri "$uri/networking/v1/iDnsServer/configuration" `
    -Method Put `
    -Body $idnsConfig `
    -Headers $headers `
    -UseDefaultCredentials
Step 2 — Enable iDNS on a Virtual Network
Enable the iDNS service for a specific tenant virtual network by updating the virtual network’s DNS options to reference the iDNS service:
$vnetUpdate = @{
    properties = @{
        addressSpace = @{ addressPrefixes = @("10.100.0.0/16") }
        encapType    = "VXLAN"
        dhcpOptions  = @{
            dnsServers = @("10.100.0.2")
        }
        logicalNetwork = @{ resourceRef = "/logicalNetworks/HNVProvider" }
        iDnsSettings   = @{
            zone                 = "tenanta.internal.contoso.com"
            networkControllerUri = "https://nc.contoso.com"
        }
    }
} | ConvertTo-Json -Depth 6
Invoke-RestMethod `
    -Uri "$uri/networking/v1/virtualNetworks/TenantAVNet" `
    -Method Put `
    -Body $vnetUpdate `
    -Headers $headers `
    -UseDefaultCredentials
Step 3 — Verify DNS Record Registration for VMs
When a VM’s network interface is attached to the virtual network with iDNS enabled, the Network Controller automatically registers an A record for the VM. Verify that records have been created by querying the DNS service. On a VM within the virtual network:
Resolve-DnsName -Name "webvm1.tenanta.internal.contoso.com" -Server 10.100.0.2
The query should return the VM’s IP address in the customer address (CA) space of the virtual network.
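Checking one record by hand does not tell you whether the zone as a whole matches the network state the tutorial says iDNS keeps in sync. The following script is an added example, not code from the original tutorial or from Microsoft: it pulls every CA address attached to the tenant virtual network from the Network Controller and forward-confirms the reverse record for each one. It assumes the Network Controller REST collection `/networking/v1/networkInterfaces` with its `ipConfigurations[].properties.privateIPAddress` and `subnet.resourceRef` fields, that iDNS serves PTR records for the CA space (the overview states reverse lookup zones are supported), and the tutorial's names and addresses (`nc.contoso.com`, `TenantAVNet`, `tenanta.internal.contoso.com`, `10.100.0.2`).

```powershell
# Added example (not from the original tutorial): cross-check iDNS records against the
# Network Controller's view of the virtual network. Assumptions: the NC REST collection
# /networking/v1/networkInterfaces (value[].properties.ipConfigurations[].properties.
# privateIPAddress and .subnet.resourceRef), PTR records for CA addresses, and the
# tutorial's server names and addresses.
param(
    [string]$NcUri      = "https://nc.contoso.com",
    [string]$VnetId     = "TenantAVNet",
    [string]$TenantZone = "tenanta.internal.contoso.com",
    [string]$IdnsServer = "10.100.0.2"
)

function Get-VnetCaAddresses {
    param([string]$NcUri, [string]$VnetId)
    # Every NIC whose IP configuration sits in a subnet of the target virtual network
    # contributes its CA address(es) to the expected record set.
    $nics = Invoke-RestMethod -Uri "$NcUri/networking/v1/networkInterfaces" `
                              -Method Get -UseDefaultCredentials
    foreach ($nic in $nics.value) {
        foreach ($ipc in $nic.properties.ipConfigurations) {
            if ($ipc.properties.subnet.resourceRef -like "/virtualNetworks/$VnetId/subnets/*") {
                [pscustomobject]@{
                    Nic       = $nic.resourceId
                    IPAddress = $ipc.properties.privateIPAddress
                }
            }
        }
    }
}

function Test-IdnsRecord {
    param([string]$IPAddress, [string]$TenantZone, [string]$IdnsServer)
    # Reverse lookup first, then forward-confirm: the name the PTR points at must live in
    # the tenant zone and resolve back to the same CA address. Anything else is a stale or
    # inconsistent record that deserves a look.
    $result = [ordered]@{ IPAddress = $IPAddress; Name = $null; Status = "NoPtr" }
    try {
        $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -Server $IdnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq "PTR" } | Select-Object -First 1
    } catch { return [pscustomobject]$result }
    if (-not $ptr) { return [pscustomobject]$result }

    $name = $ptr.NameHost.TrimEnd('.')
    $result.Name = $name
    if ($name -notlike "*.$TenantZone") {
        $result.Status = "OutsideTenantZone"
        return [pscustomobject]$result
    }
    try {
        $fwd = Resolve-DnsName -Name $name -Type A -Server $IdnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq "A" }
    } catch {
        $result.Status = "NoForward"
        return [pscustomobject]$result
    }
    $result.Status = if (@($fwd.IPAddress) -contains $IPAddress) { "Consistent" } else { "ForwardMismatch" }
    [pscustomobject]$result
}

$report = Get-VnetCaAddresses -NcUri $NcUri -VnetId $VnetId |
    ForEach-Object { Test-IdnsRecord -IPAddress $_.IPAddress -TenantZone $TenantZone -IdnsServer $IdnsServer }
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { $_.Status -ne "Consistent" })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) CA address(es) without a consistent iDNS record" }
```

Run it from a host that can reach both the Network Controller REST endpoint and the iDNS address. A `ForwardMismatch` or `OutsideTenantZone` status is the interesting case: it means the name data a tenant VM is being served no longer agrees with what the control plane believes is attached to the network.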
Step 4 — Configure a Windows DNS Server for External Delegation
To allow VMs inside the tenant virtual network to resolve both internal names and external internet names, delegate the tenant child zone on the external DNS server to the iDNS service IP, so that queries for the tenant zone are referred to the iDNS name server:
Add-DnsServerZoneDelegation `
    -Name "internal.contoso.com" `
    -ChildZoneName "tenanta" `
    -NameServer "idns.contoso.com" `
    -IPAddress "10.100.0.2" `
    -ComputerName "dns01.contoso.com"
Step 5 — Add Custom DNS Records Manually
For services that are not automatically registered (such as load balancer VIPs), add DNS records manually through the Network Controller API:
$dnsRecordBody = @{
    properties = @{
        dnsRecordType   = "A"
        resourceRecords = @(@{
            ipv4Address = "192.0.2.10"
            timeToLive  = 300
        })
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod `
    -Uri "$uri/networking/v1/iDnsServer/zones/tenanta.internal.contoso.com/records/webvip" `
    -Method Put `
    -Body $dnsRecordBody `
    -Headers $headers `
    -UseDefaultCredentials
Step 6 — Test Internal Name Resolution from a Tenant VM
From a VM inside the tenant virtual network, test that both internal and external names resolve correctly:
Resolve-DnsName -Name "webvip.tenanta.internal.contoso.com"
Resolve-DnsName -Name "www.microsoft.com"
The internal name should resolve to the manually registered VIP address. The external name should resolve via the forwarded DNS query to the external DNS server specified in the iDNS configuration.
Step 7 — Monitor DNS Query Logs
Enable DNS debug logging to monitor query traffic and diagnose resolution issues. On the DNS server hosting the iDNS zone:
Set-DnsServerDiagnostics -All $true
Get-DnsServerQueryResolutionPolicy
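Turning on diagnostics only helps if someone reads the result. The script below is an added example, not code from the original tutorial: it parses the per-packet lines that the DNS Server debug log produces once `Set-DnsServerDiagnostics -All $true` is set (by default `%windir%\System32\dns\dns.log`) and summarises them per client, so a tenant VM that generates an unusual number of NXDOMAIN answers for names in the tenant zone stands out. The sample lines are constructed, not captured from a real server; the field layout (timestamp, thread id, packet pointer, protocol, direction, remote address, XID, `R` for responses, flags with the response code, query type, label-encoded name) is the one the Windows DNS debug log uses. The threshold of three NXDOMAIN answers is an arbitrary value for the demo.

```powershell
# Added example (not from the original tutorial): summarise DNS debug log packets per client.
# Sample lines below are constructed; the log layout is that of the Windows DNS Server
# debug log written when Set-DnsServerDiagnostics -All $true is enabled.
function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    # One PACKET line per query or response. Header, blank and hex-dump continuation lines
    # do not match the pattern and are skipped.
    $pattern = '^(?<Time>\S+ \S+ \S+) (?<Tid>[0-9A-Fa-f]+) PACKET\s+(?<Pkt>[0-9A-Fa-f]+) ' +
               '(?<Proto>UDP|TCP) (?<Dir>Rcv|Snd) (?<Ip>\S+)\s+(?<Xid>[0-9A-Fa-f]{4}) (?<Resp>R?)\s*Q ' +
               '\[(?<Flags>[^\]]+)\] (?<QType>\S+)\s+(?<Name>\S+)$'
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        $flags = @(($Matches.Flags -split '\s+') | Where-Object { $_ })
        [pscustomobject]@{
            Time       = $Matches.Time
            Client     = $Matches.Ip
            IsResponse = ($Matches.Resp -eq 'R')
            RCode      = $flags[-1]                 # NOERROR, NXDOMAIN, SERVFAIL, ...
            QType      = $Matches.QType
            # "(6)webvm1(7)tenanta(3)com(0)" -> "webvm1.tenanta.com"
            Name       = ([regex]::Replace($Matches.Name, '\(\d+\)', '.')).Trim('.')
        }
    }
}

function Get-DnsClientSummary {
    param([object[]]$Packets, [string]$TenantZone, [int]$NxDomainThreshold = 3)
    # Queries are the "Rcv" packets; the response code only appears on the matching "Snd"
    # packet, so NXDOMAIN is counted from responses sent back to the same client.
    $Packets | Group-Object Client | ForEach-Object {
        $queries = @($_.Group | Where-Object { -not $_.IsResponse })
        $nx      = @($_.Group | Where-Object { $_.IsResponse -and $_.RCode -eq 'NXDOMAIN' })
        $outside = @($queries | Where-Object { $_.Name -notlike "*.$TenantZone" })
        [pscustomobject]@{
            Client      = $_.Name
            Queries     = $queries.Count
            NxDomain    = $nx.Count
            OutsideZone = $outside.Count            # names forwarded to the external DNS server
            Flag        = if ($nx.Count -ge $NxDomainThreshold) { 'REVIEW' } else { '' }
        }
    }
}

# Constructed sample (not captured from a real server): one ordinary client (10.100.0.15)
# and one client (10.100.0.77) asking for names that do not exist in the tenant zone.
$sample = @(
 '3/5/2024 10:15:22 AM 0A1C PACKET  000000AB12345678 UDP Rcv 10.100.0.15     0002   Q [0001   D   NOERROR] A      (6)webvm1(7)tenanta(8)internal(7)contoso(3)com(0)'
 '3/5/2024 10:15:22 AM 0A1C PACKET  000000AB12345678 UDP Snd 10.100.0.15     0002 R Q [8081   DR  NOERROR] A      (6)webvm1(7)tenanta(8)internal(7)contoso(3)com(0)'
 '3/5/2024 10:15:23 AM 0A1C PACKET  000000AB12345690 UDP Rcv 10.100.0.15     0003   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)'
 '3/5/2024 10:15:23 AM 0A1C PACKET  000000AB12345690 UDP Snd 10.100.0.15     0003 R Q [8081   DR  NOERROR] A      (3)www(9)microsoft(3)com(0)'
 '3/5/2024 10:15:30 AM 0A1C PACKET  000000AB123456A0 UDP Rcv 10.100.0.77     00a1   Q [0001   D   NOERROR] A      (4)sql1(7)tenanta(8)internal(7)contoso(3)com(0)'
 '3/5/2024 10:15:30 AM 0A1C PACKET  000000AB123456A0 UDP Snd 10.100.0.77     00a1 R Q [8385 A DR  NXDOMAIN] A      (4)sql1(7)tenanta(8)internal(7)contoso(3)com(0)'
 '3/5/2024 10:15:31 AM 0A1C PACKET  000000AB123456B0 UDP Rcv 10.100.0.77     00a2   Q [0001   D   NOERROR] A      (7)backup1(7)tenanta(8)internal(7)contoso(3)com(0)'
 '3/5/2024 10:15:31 AM 0A1C PACKET  000000AB123456B0 UDP Snd 10.100.0.77     00a2 R Q [8385 A DR  NXDOMAIN] A      (7)backup1(7)tenanta(8)internal(7)contoso(3)com(0)'
 '3/5/2024 10:15:32 AM 0A1C PACKET  000000AB123456C0 UDP Rcv 10.100.0.77     00a3   Q [0001   D   NOERROR] A      (5)admin(7)tenanta(8)internal(7)contoso(3)com(0)'
 '3/5/2024 10:15:32 AM 0A1C PACKET  000000AB123456C0 UDP Snd 10.100.0.77     00a3 R Q [8385 A DR  NXDOMAIN] A      (5)admin(7)tenanta(8)internal(7)contoso(3)com(0)'
)

$packets = ConvertFrom-DnsDebugLog -Lines $sample
Get-DnsClientSummary -Packets $packets -TenantZone 'tenanta.internal.contoso.com' | Format-Table -AutoSize
# Against a live log: ConvertFrom-DnsDebugLog -Lines (Get-Content "$env:windir\System32\dns\dns.log")
```

With the constructed sample, `10.100.0.15` shows two queries (one of them outside the tenant zone, which is expected with forwarding) and no NXDOMAIN, while `10.100.0.77` shows three queries with three NXDOMAIN answers and is flagged for review. Keep in mind that `-All $true` logs every packet and is meant for diagnosis rather than continuous operation; scope it to the period you are investigating and disable it afterwards.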
Conclusion
The Internal DNS Service in Windows Server 2016 SDN provides automated, per-tenant name resolution that eliminates the operational burden of managing DNS servers for each tenant. By integrating with the Network Controller and the virtual network lifecycle, iDNS ensures that DNS records accurately reflect the current state of the virtual network at all times. Tenants benefit from seamless name resolution within their isolated environment while retaining access to external DNS through intelligent query forwarding.