
Windows Zonescope mixed environment #168

Closed
dawe78 opened this issue Sep 6, 2019 · 4 comments
bug Something isn't working

dawe78 commented Sep 6, 2019

Hi,

in some cases, I need to get a certificate for both an intranet and an external URL, e.g. intra.mydomain.com and mydomain.com. In this example, I want to use the certificate for an RDP connection; I can only set one certificate for RDP usage, so I need to set both domains to the same certificate. No problem so far.

The internal URL intra... has a zoneScope for the external and the internal scope, so I must add the zoneScope param when creating the certificate. But for the external URL there's no need to set zoneScopes, so here I do NOT need to add the zoneScope param. Unfortunately, I can't choose for which domains a zoneScope is needed and where not.

I found an easy solution adding three lines of code in the windows.ps1 file on line 39ff:

Old:

if ('ZoneScope' -notin (Get-Command Get-DnsServerResourceRecord).Parameters.Keys) {
    throw "ZoneScope is not supported in the version of the DnsServer module currently installed."
} else {
    $zoneScope.ZoneScope = $WinZoneScope
}

New:

# fix mixed zone scope environment
$scopes = Get-DnsServerZoneScope -ZoneName $zoneName
if ($scopes.ZoneScope -contains $WinZoneScope) {
    # (OLD part from here)
    if ('ZoneScope' -notin (Get-Command Get-DnsServerResourceRecord).Parameters.Keys) {
        throw "ZoneScope is not supported in the version of the DnsServer module currently installed."
    } else {
        $zoneScope.ZoneScope = $WinZoneScope
    }
}

Maybe you can add this to upcoming releases...

rmbolger (Owner) commented Sep 6, 2019

In order to get certs for an internal name with a DNS challenge, you still have to create the TXT record in the external zone so the Let's Encrypt validation servers can query it. So even though your intra.mydomain.com zone is scoped internally, both it and the external record need to be created in the external zone.

So if I understand correctly, your external zone is the default with no scope...so you should be able to just not specify a scope and have it work, right? I'm not super familiar with how Win DNS zone scopes work, so please correct me if I misunderstand how things work.

dawe78 (Author) commented Sep 6, 2019

I try to explain what I want to do...

Let's say I have an Exchange server with the DNS addresses

exchange.intra.mydomain.com
exchange.mydomain.com

The exchange.intra.mydomain.com domain has two zone scopes, external and internal. exchange.mydomain.com (without intra) has only the main zone. But because of the intra domain I do have to call:

New-PACertificate $myDomainArray -DnsPlugin Windows -PluginArgs @{WinServer=$dc; WinZoneScope='external'}

This throws an error when adding the exchange.mydomain.com domain because it has no zoneScope with the name "external" - and no other one, either. For this case I would like to add a check whether the domain has the given zoneScope; if not, the domain will be added without a zone scope.

I hope it's clear what I wanted to explain...

rmbolger added a commit that referenced this issue Sep 6, 2019
rmbolger (Owner) commented Sep 6, 2019

Thanks, I think I got it. I just pushed a fix to the master branch that should fix the issue. Like you said, it will now check that the scope exists on the zone before trying to use it.

Let me know if that works for you and I'll see if I can get a new release out with the fix included.
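The per-zone check described in this thread, written out as an added example (not Posh-ACME's own code): each challenge name is mapped to the most specific primary zone on the DNS server, and `-ZoneScope` is only passed when that zone actually has the requested scope. It assumes the DnsServer module of Windows Server 2016 or later (which has `Get-DnsServerZoneScope` and the `-ZoneScope` parameter); the server name and TXT value are placeholders.

```powershell
# Added example, not part of the original issue or of Posh-ACME.
# Builds the Add-DnsServerResourceRecord parameters for one record, including
# -ZoneScope only if the hosting zone really has a scope of that name.
function Resolve-DnsTxtTarget {
    param(
        [Parameter(Mandatory)][string]$RecordName,  # e.g. _acme-challenge.exchange.intra.mydomain.com
        [Parameter(Mandatory)][string]$DnsServer,   # the $dc value from the issue
        [string]$ZoneScope                          # the WinZoneScope value; may be empty
    )

    # Longest-suffix match: the most specific forward primary zone hosting the name.
    $zone = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' } |
        Where-Object { $RecordName -eq $_.ZoneName -or $RecordName.EndsWith(".$($_.ZoneName)") } |
        Sort-Object { $_.ZoneName.Length } -Descending |
        Select-Object -First 1
    if (-not $zone) { throw "No primary zone on $DnsServer hosts $RecordName" }

    # Record name relative to the zone ('@' for the apex).
    if ($RecordName -eq $zone.ZoneName) { $relName = '@' }
    else { $relName = $RecordName.Substring(0, $RecordName.Length - $zone.ZoneName.Length - 1) }

    $splat = @{ ComputerName = $DnsServer; ZoneName = $zone.ZoneName; Name = $relName }

    # Mixed environment: only use the scope where it exists, otherwise fall back
    # to the default (unscoped) zone, as exchange.mydomain.com needs in the issue.
    if ($ZoneScope) {
        $scopes = Get-DnsServerZoneScope -ComputerName $DnsServer -ZoneName $zone.ZoneName
        if ($scopes.ZoneScope -contains $ZoneScope) { $splat.ZoneScope = $ZoneScope }
        else { Write-Verbose "Zone $($zone.ZoneName) has no scope '$ZoneScope'; using default scope" }
    }
    return $splat
}

# Both names from the issue with one WinZoneScope value; only the intra zone gets -ZoneScope.
$dc = 'dc01.intra.mydomain.com'   # assumed DNS server name
foreach ($fqdn in 'exchange.intra.mydomain.com', 'exchange.mydomain.com') {
    $target = Resolve-DnsTxtTarget -RecordName "_acme-challenge.$fqdn" -DnsServer $dc -ZoneScope 'external'
    Add-DnsServerResourceRecord @target -Txt -DescriptiveText 'ACME-TOKEN-PLACEHOLDER' `
        -TimeToLive ([TimeSpan]::FromMinutes(1))
}
```

Run with `-Verbose` to see which zones fell back to the default scope; the short TTL keeps the validation record from lingering in caches after the challenge.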

@rmbolger rmbolger self-assigned this Sep 6, 2019
@rmbolger rmbolger added the bug Something isn't working label Sep 6, 2019
rmbolger (Owner) commented

This fix is now live in 3.7.0
