Problem adding Windows DNS resource records into a Zone Scope on Server 2016

  • Question

  • I apologize in advance for the long post.  I wanted to make sure I added all the information needed to help me troubleshoot this issue.

    We are building a POC at AWS.  We have a direct VPN tunnel from our on premise network to our VPC.

    We are looking to create an instance of our SSO and LDAP in AWS.  Reason being so that authentication for any hosted web application will no longer rely on our on premise network.  We also need our on premise clients to communicate with the on premise SSO and LDAP instances while the on premise network is available.

    Our supporting Servers and Workspaces in AWS need to speak directly to the SSO and LDAP instance in the cloud (not the on premise instances of SSO and LDAP). 

    That being said, we built a standalone Windows Server 2016 running DNS in AWS (DNS01-AWS).  This DNS server has all of our forward and reverse zones loaded as Secondary zones (the Primary zones are located on our on premise DDI device). The plan is to use Windows DNS Policies (on our DNS server at AWS) to resolve queries based on geo-location.  So let's say our AWS subnet is and our on prem subnet is  The DNS zone is mycompany.com. 

    On premise DNS should resolve like this:
    sso.mycompany.com -
    ldap.mycompany.com -

    At AWS DNS should resolve like this:
    sso.mycompany.com -
    ldap.mycompany.com -

    ***Every other existing DNS record within our forward or reverse zones should resolve normally.

    FYI...Externally DNS is hosted and has been adjusted so that sso.mycompany.com resolves to

    To get this working I issued the following powershell commands on the DNS server at AWS (DNS01-AWS):

    Add-DnsServerClientSubnet -Name "AWSSubnets" -IPv4Subnet "" - (Command was successful)
    Add-DnsServerClientSubnet -Name "OnPremSubnets" -IPv4Subnet "" - (Command was successful)
    Add-DnsServerZoneScope -ZoneName "mycompany.com" -Name "MyCompanyAWS" - (Command was successful)

    Add-DnsServerZoneScope -ZoneName "mycompany.com" -Name "MyCompanyOnPrem" - (Command was successful)
    Add-DnsServerResourceRecord -ZoneName "mycompany.com" -A -Name "ldap" -IPv4Address "" -ZoneScope "MyCompanyAWS" - (Command failed with the [INDENTED] message below)

    Add-DnsServerResourceRecord : Failed to create resource record ldap in scope MyCompanyAWS of zone mycompany.com on
    server DNS01-AWS.
    At line:1 char:1
    + Add-DnsServerResourceRecord -A -ZoneName mycompany.com -Name ldap -I ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (ldap:root/Microsoft/...rResourceRecord) [Add-DnsServerResourceRecord], CimException
        + FullyQualifiedErrorId : WIN32 9611,Add-DnsServerResourceRecord

    I tried adding the "-ComputerName" parameter to the command, but that didn't help.  I tried removing all the double quotes (I saw someone issue this command without double quotes), but that didn't help.  The "-Verbose" option doesn't give me any more information.

    Any help is appreciated.

    Thursday, May 7, 2020 6:18 PM
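The following is an added editorial example, not code from the original post, showing the complete DNS policy sequence the question is working toward (client subnet, zone scope, scoped records, query resolution policy, verification) with a pre-check for the condition the posted error points at. Win32 error 9611 is DNS_ERROR_INVALID_ZONE_TYPE; the zone in the question is a Secondary zone on DNS01-AWS, and a secondary zone is a read-only copy on that server, so records cannot be added to it (in any scope) there. The example therefore assumes mycompany.com is a Primary zone on the server it runs on. The subnets (10.20.0.0/16 for AWS, 10.10.0.0/16 for on-prem), the four host addresses, the policy name "AwsSsoLdap" and the 5-minute TTL are placeholders chosen for illustration; the client subnet and zone scope names are taken from the question.

```powershell
# Added example (not from the original post). All IP addresses below are
# placeholders; replace them with the real AWS and on-prem values.
$ZoneName     = "mycompany.com"
$AwsScope     = "MyCompanyAWS"
$AwsSubnet    = "10.20.0.0/16"                                  # assumption
$AwsRecords   = @{ "sso" = "10.20.1.10"; "ldap" = "10.20.1.11" } # assumption
$PolicyName   = "AwsSsoLdap"                                    # assumption

# 1. Pre-check the zone type. Zone scopes can only hold records on a zone this
#    server is authoritative for; on a Secondary (read-only) copy the scoped
#    Add-DnsServerResourceRecord fails with Win32 9611 (DNS_ERROR_INVALID_ZONE_TYPE).
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.ZoneType -ne "Primary") {
    throw "Zone $ZoneName is of type '$($zone.ZoneType)' on this server; it must be a Primary zone to add scoped records."
}

# 2. Client subnet that identifies queries coming from the AWS side.
if (-not (Get-DnsServerClientSubnet -Name "AWSSubnets" -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name "AWSSubnets" -IPv4Subnet $AwsSubnet
}

# 3. Zone scope that will carry the AWS-specific answers. The default scope keeps
#    the normal (on-prem) records and is untouched.
if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name $AwsScope -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name $AwsScope
}

# 4. Records inside the scope. A short TTL keeps cut-over between sites quick.
foreach ($entry in $AwsRecords.GetEnumerator()) {
    Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $AwsScope -A `
        -Name $entry.Key -IPv4Address $entry.Value `
        -TimeToLive ([TimeSpan]::FromMinutes(5))
}

# 5. Policy: queries from AWSSubnets for exactly these two names are answered from
#    the AWS scope. The Fqdn criterion is what keeps every other name in the zone
#    resolving from the default scope as before.
Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW -ZoneName $ZoneName `
    -ClientSubnet "EQ,AWSSubnets" `
    -Fqdn "EQ,sso.$ZoneName,ldap.$ZoneName" `
    -ZoneScope "$AwsScope,1"

# 6. Verify the scoped records and the policy on the server.
Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $AwsScope -RRType A
Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName |
    Format-List Name, Enabled, Criteria, Content

# 7. Verify from both sides: run this once from an AWS host and once from an
#    on-prem host; the answers should differ only for sso and ldap.
Resolve-DnsName -Name "sso.$ZoneName" -Type A -Server "DNS01-AWS"
Resolve-DnsName -Name "ldap.$ZoneName" -Type A -Server "DNS01-AWS"
```

Two caveats worth keeping in mind with this design. The ClientSubnet criterion matches on the source address of the query as the DNS server sees it, so queries that reach DNS01-AWS through a forwarder, a resolver, or NAT are classified by the forwarder's address, not the original client's. And zone scopes and query resolution policies are per-server configuration that is not carried by zone transfer, so they have to be created (and audited) on each server that is meant to give site-specific answers.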