Windows Server DNS provides name resolution for Active Directory environments and general network infrastructure, supporting forward and reverse lookups, zone transfers, conditional forwarding, and DNSSEC.
IPv4 addresses below are RFC 5737 documentation ranges, the IPv6 prefix is RFC 4193 unique-local space, and 8.8.8.8/8.8.4.4 are Google Public DNS - swap in your own.
Table of Contents#
- Overview
- Installation
- Zone Management
- DNS Records
- Conditional Forwarders
- Stub Zones
- Zone Transfers and Replication
- DNS Scavenging
- DNSSEC
- DNS Policies
- Logging and Diagnostics
- Troubleshooting
- See Also
- Sources
1. Overview#
In Windows Server, DNS is a server role that you can install using Server Manager or PowerShell. When you promote the first domain controller of a new Active Directory forest, the DNS Server role is installed and configured automatically on that DC (which also becomes a global catalog server); AD DS depends on DNS to locate domain controllers through SRV records.
Windows DNS Server supports:
- Forward lookup zones - resolve hostnames to IP addresses
- Reverse lookup zones - resolve IP addresses to hostnames
- Active Directory-integrated zones - store zone data in AD with secure dynamic updates
- Conditional forwarders - route queries for specific domains to designated DNS servers
- Stub zones - maintain awareness of authoritative servers for a zone without hosting the full zone
- DNSSEC - cryptographic signing to validate DNS responses
- DNS policies - control how the server handles queries based on criteria like client subnet, time of day, or transport protocol
2. Installation#
Install via PowerShell#
Install-WindowsFeature -Name DNS -IncludeManagementTools
Install via Server Manager (GUI)#
- Open Server Manager and select Add Roles and Features
- Select DNS Server from the server roles list
- Include the management tools when prompted
- Complete the wizard and restart if required
Verify Installation#
# Check that the DNS Server module is available
Get-Module DnsServer -ListAvailable
# Check DNS Server service status
Get-Service DNS
# List all available DNS Server cmdlets
Get-Command -Module DnsServer
3. Zone Management#
Create a Forward Lookup Zone#
# Primary zone (file-backed)
Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns"
# Primary zone (Active Directory-integrated)
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Forest"
Available replication scopes for AD-integrated zones:
| Scope | Description |
|---|---|
| Forest | Replicate to all DNS servers in the AD forest (ForestDnsZones partition) |
| Domain | Replicate to all DNS servers in the AD domain (DomainDnsZones partition) |
| Legacy | Replicate to all domain controllers in the AD domain (stored in the domain partition, for Windows 2000 compatibility) |
| Custom | Replicate to a custom application partition, named with -DirectoryPartitionName |
Create a Reverse Lookup Zone#
# Reverse zone for 192.0.2.0/24
Add-DnsServerPrimaryZone -NetworkID "192.0.2.0/24" -ReplicationScope "Domain"
# Reverse zone for an IPv6 subnet
Add-DnsServerPrimaryZone -NetworkID "fd00::/64" -ReplicationScope "Domain"
Create a Secondary Zone#
Add-DnsServerSecondaryZone -Name "partner.com" -ZoneFile "partner.com.dns" `
-MasterServers 203.0.113.10, 203.0.113.11
List and Remove Zones#
# List all zones
Get-DnsServerZone
# Get details for a specific zone
Get-DnsServerZone -Name "example.com"
# Remove a zone
Remove-DnsServerZone -Name "example.com" -Force
Set Zone Properties#
# Change zone type to AD-integrated
ConvertTo-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Domain" -Force
# Set dynamic update mode
Set-DnsServerPrimaryZone -Name "example.com" -DynamicUpdate "Secure"
Dynamic update options: None; Secure (AD-integrated zones only: updates are authenticated and each record carries an ACL, so normally only the account that created a record can change it); NonsecureAndSecure (any host that can reach the server may create or overwrite records, which lets an attacker take over a name - avoid it on zones reachable from untrusted networks).
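As an added example (not from the original page), the following audit pulls the per-zone settings covered here and in the zone-transfer section into one report: it flags file-backed zones, zones with NonsecureAndSecure dynamic updates and zones whose SecureSecondaries setting allows transfers to any host. It relies only on properties that Get-DnsServerZone returns; the function name and the risk rules are this example's own.

```powershell
# Added example: report risky per-zone settings on a Windows DNS server.
# Uses only properties returned by Get-DnsServerZone (ZoneType, IsAutoCreated,
# IsDsIntegrated, DynamicUpdate, SecureSecondaries, IsSigned, IsReverseLookupZone).
function Get-DnsZoneRiskReport {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME
    )

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_
            $findings = New-Object System.Collections.Generic.List[string]

            # Unauthenticated dynamic updates: any host that can reach port 53 can
            # create or overwrite records, i.e. hijack a name.
            if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
                $findings.Add('dynamic updates accept unauthenticated clients')
            }

            # File-backed zones cannot use Secure updates and have no per-record ACLs.
            if (-not $zone.IsDsIntegrated) {
                $findings.Add('file-backed zone (no AD ACLs, Secure updates unavailable)')
            }

            # AXFR exposure: TransferAnyServer hands the whole zone to anyone who asks;
            # TransferToZoneNameServer trusts whatever is currently in the NS records.
            switch ($zone.SecureSecondaries) {
                'TransferAnyServer'        { $findings.Add('zone transfer open to any host') }
                'TransferToZoneNameServer' { $findings.Add('zone transfer allowed to every NS-listed host; check for stale NS records') }
            }

            if (-not $zone.IsSigned -and -not $zone.IsReverseLookupZone) {
                $findings.Add('not DNSSEC-signed (informational)')
            }

            [pscustomobject]@{
                Zone              = $zone.ZoneName
                AdIntegrated      = $zone.IsDsIntegrated
                DynamicUpdate     = $zone.DynamicUpdate
                SecureSecondaries = $zone.SecureSecondaries
                Findings          = ($findings -join '; ')
            }
        }
}

# Usage: review the flagged zones, then remediate with the cmdlets from this page, e.g.
#   Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure
#   Set-DnsServerPrimaryZone -Name <zone> -SecureSecondaries TransferToSecureServers -SecondaryServers <ip>,<ip>
Get-DnsZoneRiskReport | Where-Object Findings | Format-Table -AutoSize -Wrap
```

Run it against each DNS server (or DC) rather than once: zone transfer and notify settings are stored per zone and replicate with AD-integrated zones, but file-backed zones and their settings are local to the server that hosts them.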
4. DNS Records#
View Records#
# Show all records in a zone
Get-DnsServerResourceRecord -ZoneName "example.com"
# Show a specific record
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "webserver"
# Filter by record type
Get-DnsServerResourceRecord -ZoneName "example.com" -RRType A
Create Records#
# A record
Add-DnsServerResourceRecordA -Name "webserver" -ZoneName "example.com" `
-IPv4Address "192.0.2.50" -TimeToLive 01:00:00
# AAAA record
Add-DnsServerResourceRecordAAAA -Name "webserver" -ZoneName "example.com" `
-IPv6Address "fd00::50"
# CNAME record
Add-DnsServerResourceRecordCName -Name "www" -ZoneName "example.com" `
-HostNameAlias "webserver.example.com"
# MX record
Add-DnsServerResourceRecordMX -Name "." -ZoneName "example.com" `
-MailExchange "mail.example.com" -Preference 10
# TXT record
Add-DnsServerResourceRecord -ZoneName "example.com" -Name "." `
-Txt -DescriptiveText "v=spf1 mx -all"
# SRV record
Add-DnsServerResourceRecord -ZoneName "example.com" -Name "_sip._tcp" `
-Srv -DomainName "sipserver.example.com" -Priority 0 -Weight 0 -Port 5060
# PTR record (reverse lookup)
Add-DnsServerResourceRecordPtr -Name "50" -ZoneName "2.0.192.in-addr.arpa" `
-PtrDomainName "webserver.example.com"
Modify Records#
# Modify an A record's IP address
$old = Get-DnsServerResourceRecord -ZoneName "example.com" -Name "webserver" -RRType A
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse("192.0.2.51")
Set-DnsServerResourceRecord -ZoneName "example.com" -OldInputObject $old -NewInputObject $new
Delete Records#
# Delete a specific record by piping
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "oldserver" -RRType A |
Remove-DnsServerResourceRecord -ZoneName "example.com" -Force
# Delete all records for a name
Get-DnsServerResourceRecord -ZoneName "example.com" -Name "oldserver" |
Remove-DnsServerResourceRecord -ZoneName "example.com" -Force
5. Conditional Forwarders#
Conditional forwarders route DNS queries for specific domains to designated DNS servers. This is useful for resolving names in partner networks or specific internal domains.
# Add a conditional forwarder
Add-DnsServerConditionalForwarderZone -Name "partner.com" `
-MasterServers 203.0.113.1, 203.0.113.2 `
-ReplicationScope "Forest"
# List conditional forwarders
Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Forwarder" }
# Remove a conditional forwarder
Remove-DnsServerZone -Name "partner.com" -Force
Standard Forwarders#
# Set standard forwarders (used for every query the server is not authoritative for and cannot answer from cache).
# Forwarding to a public resolver sends your internal query names off-site; use an internal or contracted resolver where that matters.
Set-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4
# View current forwarders
Get-DnsServerForwarder
# Remove all forwarders (unresolved queries then go to the root hints, unless recursion is disabled)
Remove-DnsServerForwarder -IPAddress (Get-DnsServerForwarder).IPAddress -Force
6. Stub Zones#
Stub zones contain only the SOA, NS, and glue A records for a zone. They keep the DNS server aware of which name servers are authoritative for a zone without hosting the full zone data.
# Create a stub zone
Add-DnsServerStubZone -Name "subsidiary.com" `
-MasterServers 198.51.100.1 `
-ReplicationScope "Domain"
# View stub zone details
Get-DnsServerZone -Name "subsidiary.com"
7. Zone Transfers and Replication#
Configure Zone Transfers#
# Allow zone transfers to specific servers only
Set-DnsServerPrimaryZone -Name "example.com" `
-SecureSecondaries "TransferToSecureServers" `
-SecondaryServers 198.51.100.10, 198.51.100.11
# Allow transfers to any server (not recommended for production)
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "TransferAnyServer"
# Disable zone transfers
Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries "NoTransfer"
# Use the uncompressed zone transfer format for compatibility with older BIND secondaries.
# This is a server-wide setting, not a per-zone one (it corresponds to dnscmd /Config /BindSecondaries 1).
$settings = Get-DnsServerSetting -All
$settings.BindSecondaries = $true
Set-DnsServerSetting -InputObject $settings
Configure Notify#
# Notify specific servers when the zone changes
Set-DnsServerPrimaryZone -Name "example.com" `
-Notify "NotifyServers" `
-NotifyServers 198.51.100.10, 198.51.100.11
AD Replication Scope#
# Change replication scope of an AD-integrated zone
Set-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Forest"
8. DNS Scavenging#
Scavenging automatically removes stale (outdated) DNS records. This matters in environments with dynamic DNS registration (e.g., DHCP clients): a stale A record that still points at an address now held by a different host lets that host answer for the old name. Scavenging also deletes aged records without asking, so understand which records are dynamic (timestamped) and which are static before enabling it.
Enable Scavenging on the Server#
# Enable scavenging with default intervals
Set-DnsServerScavenging -ScavengingState $true `
-RefreshInterval 7.00:00:00 `
-NoRefreshInterval 7.00:00:00 `
-ScavengingInterval 7.00:00:00
# View current scavenging settings
Get-DnsServerScavenging
Enable Aging on a Zone#
Scavenging only works on zones that have aging enabled:
# Enable aging on a zone
Set-DnsServerZoneAging -Name "example.com" -Aging $true `
-RefreshInterval 7.00:00:00 `
-NoRefreshInterval 7.00:00:00
# View aging settings
Get-DnsServerZoneAging -Name "example.com"
Manually Trigger Scavenging#
Start-DnsServerScavenging -Force
| Parameter | Description |
|---|---|
| NoRefreshInterval | Time after a record is refreshed during which it cannot be refreshed again (default: 7 days) |
| RefreshInterval | Time after the no-refresh interval during which the record must be refreshed or it becomes stale (default: 7 days) |
| ScavengingInterval | How often the server runs the scavenging process (default: 7 days) |
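Because scavenging deletes aged records without confirmation, it helps to see what it would remove before turning it on. The function below is an added example (not from the original page): it reads the zone's aging window with Get-DnsServerZoneAging, computes the cutoff as now minus (NoRefreshInterval + RefreshInterval), and lists the dynamic records whose Timestamp is older than that. Static records carry no timestamp and are never scavenged, so they are counted separately. The function name and the output shape are this example's own.

```powershell
# Added example: preview which records DNS scavenging would delete from a zone.
function Get-DnsStaleRecordPreview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $aging  = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    # A record becomes eligible once its timestamp is older than NoRefresh + Refresh.
    $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName
    # Static records (added without -AgeRecord, or in the console with aging off) have no timestamp.
    $static  = @($records | Where-Object { -not $_.Timestamp })
    $dynamic = @($records | Where-Object { $_.Timestamp })
    # SOA and NS are never scavenged; any other timestamped record past the cutoff is.
    $stale   = @($dynamic | Where-Object { $_.Timestamp -lt $cutoff -and $_.RecordType -notin 'SOA', 'NS' })

    $detail = foreach ($r in $stale) {
        $data = switch ($r.RecordType) {
            'A'     { $r.RecordData.IPv4Address }
            'AAAA'  { $r.RecordData.IPv6Address }
            'CNAME' { $r.RecordData.HostNameAlias }
            'PTR'   { $r.RecordData.PtrDomainName }
            'SRV'   { '{0}:{1}' -f $r.RecordData.DomainName, $r.RecordData.Port }
            default { $r.RecordData.ToString() }
        }
        [pscustomobject]@{
            Name      = $r.HostName
            Type      = $r.RecordType
            Timestamp = $r.Timestamp
            Data      = $data
        }
    }

    [pscustomobject]@{
        Zone            = $ZoneName
        AgingEnabled    = $aging.AgingEnabled
        ScavengeServers = $aging.ScavengeServers   # empty = any server with scavenging enabled may run it
        Cutoff          = $cutoff
        StaticRecords   = $static.Count
        DynamicRecords  = $dynamic.Count
        StaleRecords    = $stale.Count
        Stale           = $detail
    }
}

# Usage: inspect the list, re-create anything that must survive as a static record
# (Add-DnsServerResourceRecord* without -AgeRecord), then enable scavenging.
$preview = Get-DnsStaleRecordPreview -ZoneName "example.com"
$preview | Select-Object Zone, AgingEnabled, Cutoff, StaticRecords, DynamicRecords, StaleRecords
$preview.Stale | Sort-Object Timestamp | Format-Table -AutoSize
```

If ScavengeServers is set, only the listed servers scavenge the zone; if it is empty, every DNS server that has scavenging enabled will, so decide which server owns the job before enabling it in more than one place.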
9. DNSSEC#
DNS Security Extensions sign zone data so that validating resolvers can verify its origin and integrity; they do not encrypt queries. A signature only helps if validators trust the signing key, either through a DS record published in the parent zone or a trust anchor configured on the resolver.
Sign a Zone#
# Sign a zone using default settings (keys are generated on this server, which becomes the zone's Key Master)
Invoke-DnsServerZoneSign -ZoneName "example.com" -SignWithDefault -Force
# View DNSSEC settings for a signed zone
Get-DnsServerDnsSecZoneSetting -ZoneName "example.com"
Configure Trust Anchors#
# Add a trust anchor
Add-DnsServerTrustAnchor -Name "example.com" `
-CryptoAlgorithm RsaSha256 `
-KeyProtocol DnsSec `
-Base64Data "<public-key-data>"
# View trust anchors
Get-DnsServerTrustAnchor -Name "example.com"
# Import the zone's DNSKEY records as trust anchors, fetching them from a server that hosts the signed zone
Import-DnsServerTrustAnchor -ZoneName "example.com" -KeySetServer "dc01.example.com"
Unsign a Zone#
Invoke-DnsServerZoneUnsign -ZoneName "example.com" -Force
10. DNS Policies#
DNS policies (Windows Server 2016+) let you control query resolution based on various criteria.
Client Subnet-Based Resolution#
# Define client subnets
Add-DnsServerClientSubnet -Name "HQ" -IPv4Subnet "192.0.2.0/24"
Add-DnsServerClientSubnet -Name "Branch" -IPv4Subnet "198.51.100.0/24"
# Create zone scopes
Add-DnsServerZoneScope -ZoneName "example.com" -Name "HQScope"
Add-DnsServerZoneScope -ZoneName "example.com" -Name "BranchScope"
# Add records to each scope
Add-DnsServerResourceRecord -ZoneName "example.com" -A -Name "app" `
-IPv4Address "192.0.2.100" -ZoneScope "HQScope"
Add-DnsServerResourceRecord -ZoneName "example.com" -A -Name "app" `
-IPv4Address "198.51.100.100" -ZoneScope "BranchScope"
# Create resolution policies
Add-DnsServerQueryResolutionPolicy -Name "HQPolicy" -Action ALLOW `
-ClientSubnet "EQ,HQ" -ZoneScope "HQScope,1" -ZoneName "example.com"
Add-DnsServerQueryResolutionPolicy -Name "BranchPolicy" -Action ALLOW `
-ClientSubnet "EQ,Branch" -ZoneScope "BranchScope,1" -ZoneName "example.com"
Block Queries#
# Block resolution of names under malware.example.com inside this zone (a zone-level policy only applies to queries for that zone)
Add-DnsServerQueryResolutionPolicy -Name "BlockMalware" -Action DENY `
-FQDN "EQ,*.malware.example.com" -ZoneName "example.com"
# Omit -ZoneName to create a server-level policy, which also covers recursive queries for domains this server is not authoritative for.
# DENY answers REFUSED; IGNORE drops the query without a response.
View and Remove Policies#
# List all policies
Get-DnsServerQueryResolutionPolicy -ZoneName "example.com"
# Remove a policy
Remove-DnsServerQueryResolutionPolicy -Name "HQPolicy" -ZoneName "example.com" -Force
11. Logging and Diagnostics#
DNS Debug, Analytical and Audit Logging#
Set-DnsServerDiagnostics controls debug logging: packet-level traces written to a file, useful for a short troubleshooting session but expensive on a busy server. Low-overhead per-query analytical logging is a separate facility, the Microsoft-Windows-DNSServer/Analytical event channel (off by default; enable it in Event Viewer under Applications and Services Logs > Microsoft > Windows > DNS-Server; available on Windows Server 2016+ and on 2012 R2 with the DNS logging update KB2956577). Changes to zones, records and server settings are recorded in the Microsoft-Windows-DNSServer/Audit channel, which is on by default.
# Enable every debug category at once (heavy; prefer the specific switches below)
Set-DnsServerDiagnostics -All $true
# Enable specific debug categories
Set-DnsServerDiagnostics -Queries $true -Answers $true `
-Notifications $true -Update $true
# View current diagnostics configuration
Get-DnsServerDiagnostics
DNS Debug Logging to File#
# Write the selected debug categories to a log file. At least one packet direction,
# one transport and one content category must be enabled, or nothing is written.
Set-DnsServerDiagnostics -EnableLoggingToFile $true -EnableLogFileRollover $true `
-LogFilePath "C:\DnsLogs\dns.log" -MaxMBFileSize 500 `
-ReceivePackets $true -SendPackets $true -UdpPackets $true -TcpPackets $true `
-Queries $true -Answers $true
# Stop writing the file when the investigation is over
Set-DnsServerDiagnostics -EnableLoggingToFile $false
Query Resolution Testing#
# Test resolution through the DNS server
Resolve-DnsName -Name "webserver.example.com" -Server localhost
# Check for specific record types
Resolve-DnsName -Name "example.com" -Type MX -Server localhost
# Test reverse lookup
Resolve-DnsName -Name "192.0.2.50" -Type PTR -Server localhost
# Verbose DNS query with full details
Resolve-DnsName -Name "example.com" -Type A -DnsOnly -Server localhost | Format-List *
DNS Statistics#
# View DNS server statistics
Get-DnsServerStatistics
# View per-zone statistics (Windows Server 2012 R2+)
Get-DnsServerStatistics -ZoneName "example.com" | Select-Object -ExpandProperty ZoneQueryStatistics
Event Log#
# View recent DNS Server events
Get-WinEvent -LogName "DNS Server" -MaxEvents 50
# Filter for errors (Level 2 = Error; filtering in the hashtable is faster than Where-Object on large logs)
Get-WinEvent -FilterHashtable @{ LogName = "DNS Server"; Level = 2 } -MaxEvents 50
Troubleshooting#
| Issue | Cause | Solution |
|---|---|---|
| DNS server not responding | DNS service stopped | Run Start-Service DNS and check event log for errors |
| Zone transfer fails | Transfer not allowed or firewall blocking TCP 53 | Verify SecureSecondaries setting and ensure TCP 53 is open between servers |
| Dynamic updates rejected | Zone not configured for dynamic updates, or the client cannot authenticate to a Secure zone | Set DynamicUpdate to Secure on AD-integrated zones and make sure the updating host authenticates with a domain account; use NonsecureAndSecure only on isolated zones, since it lets any client overwrite records |
| Stale records accumulating | Scavenging not enabled | Enable scavenging on the server and aging on each zone |
| Conditional forwarder timeout | Target DNS server unreachable | Test connectivity to master servers; check firewall rules for UDP/TCP 53 |
| DNSSEC validation failures | Trust anchors missing or expired | Import or update trust anchors; verify key rollover schedule |
| Slow query resolution | Forwarders unresponsive | Check forwarder health; confirm UseRootHint is $true in Get-DnsServerForwarder so the server falls back to root hints when all forwarders fail |
| Records not replicating | AD replication issue or wrong scope | Verify AD replication health with repadmin /replsummary; check zone replication scope |
| Reverse lookup fails | Missing PTR records or reverse zone | Create reverse lookup zone and add PTR records |
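To check from the outside whether a zone's SecureSecondaries setting actually holds (and to diagnose the "Zone transfer fails" row above from the requesting side), the script below is an added example, not part of the original page. It opens TCP 53, sends a hand-built AXFR query in RFC 1035 wire format with the two-byte TCP length prefix, and reports the RCODE of the first response message: REFUSED means the server rejected the transfer for this client, NOERROR with answer records means the zone was handed over. The function names and result fields are this example's own, and 203.0.113.10 is a placeholder server address.

```powershell
# Added example: probe whether a DNS server allows AXFR of a zone to this client.
function Read-DnsTcpExact {
    param([System.IO.Stream] $Stream, [int] $Count)
    $buf = New-Object byte[] $Count
    $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw "connection closed after $got of $Count bytes" }
        $got += $n
    }
    return ,$buf   # leading comma keeps PowerShell from unrolling the array
}

function Test-DnsZoneTransfer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $ZoneName,
        [int] $Port = 53,
        [int] $TimeoutMs = 5000
    )

    # QNAME: length-prefixed labels terminated by a zero byte
    $qname = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $ZoneName.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $qname.Add([byte]$bytes.Length)
        $qname.AddRange($bytes)
    }
    $qname.Add([byte]0)

    $id = Get-Random -Minimum 1 -Maximum 65535
    [byte[]]$header = @(
        ($id -shr 8), ($id -band 0xFF),      # ID
        0x00, 0x00,                          # flags: standard query, RD=0 (AXFR is never recursive)
        0x00, 0x01,                          # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    )
    [byte[]]$question = $qname.ToArray() + @(0x00, 0xFC, 0x00, 0x01)   # QTYPE 252 = AXFR, QCLASS 1 = IN
    [byte[]]$message  = $header + $question
    [byte[]]$frame    = @(($message.Length -shr 8), ($message.Length -band 0xFF)) + $message   # TCP length prefix

    $rcodeNames = @{ 0 = 'NOERROR'; 1 = 'FORMERR'; 2 = 'SERVFAIL'; 3 = 'NXDOMAIN'; 4 = 'NOTIMP'; 5 = 'REFUSED'; 9 = 'NOTAUTH' }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.Write($frame, 0, $frame.Length)

        # Only the first message is needed for the verdict; a real transfer may span several.
        $lenBytes = Read-DnsTcpExact -Stream $stream -Count 2
        $len      = ([int]$lenBytes[0] -shl 8) -bor $lenBytes[1]
        $resp     = Read-DnsTcpExact -Stream $stream -Count $len

        $respId  = ([int]$resp[0] -shl 8) -bor $resp[1]
        $rcode   = $resp[3] -band 0x0F
        $ancount = ([int]$resp[6] -shl 8) -bor $resp[7]
        if ($respId -ne $id) { throw "transaction ID mismatch (sent $id, got $respId)" }

        $verdict = 'OTHER: see Rcode'
        if ($rcode -eq 0 -and $ancount -gt 0) { $verdict = 'OPEN: server returned zone data to this client' }
        elseif ($rcode -eq 5) { $verdict = 'RESTRICTED: server answered REFUSED' }
    }
    finally {
        $client.Dispose()
    }

    [pscustomobject]@{
        Server        = $Server
        Zone          = $ZoneName
        Rcode         = if ($rcodeNames.ContainsKey([int]$rcode)) { $rcodeNames[[int]$rcode] } else { $rcode }
        AnswerRecords = $ancount
        Verdict       = $verdict
    }
}

# Usage (placeholder address): run from a host that is NOT in the zone's SecondaryServers list; expect RESTRICTED.
Test-DnsZoneTransfer -Server 203.0.113.10 -ZoneName "example.com"
```

Run it once from an approved secondary (expect OPEN, which confirms the transfer path and that TCP 53 is reachable) and once from an arbitrary client (expect RESTRICTED); a connection timeout from the secondary points at the firewall rather than at SecureSecondaries.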