DNS is the foundation of everything on a Windows Server network — Active Directory, name resolution, internet access, and application connectivity all depend on it working correctly. When something stops working on a server, DNS is often the cause. Here is how to check DNS health and diagnose resolution problems.
Check What DNS Server the Server Is Using
# PowerShell — show DNS servers for all adapters
Get-DnsClientServerAddress | Where-Object {$_.AddressFamily -eq 2} | Select-Object InterfaceAlias, ServerAddresses
# Command Prompt
ipconfig /all | findstr /C:"DNS Servers"
For a domain-joined server, the primary DNS should be the IP address of a domain controller — not 8.8.8.8 or your ISP’s DNS. Using external DNS on a domain-joined server breaks Active Directory lookups.
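The following PowerShell function is an added example, not part of the original article, that automates the check just described: it resolves the domain's DC locator record (_ldap._tcp.dc._msdcs.<domain>) to collect the domain controllers' IPv4 addresses and then reports every adapter whose primary DNS server is not one of them. It assumes the host is domain-joined so that $env:USERDNSDOMAIN is set; Test-DnsPointsToDomainController is a name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original article.
# Reports each adapter whose configured IPv4 DNS servers are not domain controllers.
function Test-DnsPointsToDomainController {
    param(
        # Assumption: the host is domain-joined, so USERDNSDOMAIN holds the AD domain name
        [string]$Domain = $env:USERDNSDOMAIN
    )
    if (-not $Domain) { throw 'Domain name unknown (not domain-joined?); pass -Domain explicitly.' }

    # Every DC registers an SRV record under _ldap._tcp.dc._msdcs.<domain>;
    # the NameTarget of each record is a DC hostname.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        # If the locator record itself cannot be resolved, the configured DNS server does not
        # know the domain at all, which is exactly what pointing at external DNS looks like.
        Write-Warning "Cannot resolve _ldap._tcp.dc._msdcs.$Domain via the configured DNS servers: $($_.Exception.Message)"
        return
    }

    # Resolve each DC hostname to its IPv4 address(es)
    $dcAddresses = foreach ($rec in $srv) {
        Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress }
    }
    $dcAddresses = @($dcAddresses | Sort-Object -Unique)

    # Compare every adapter's IPv4 DNS server list against the DC address list
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $primary = $_.ServerAddresses[0]
            [pscustomobject]@{
                InterfaceAlias = $_.InterfaceAlias
                PrimaryDns     = $primary
                PrimaryIsDC    = ($dcAddresses -contains $primary)
                NonDcServers   = (@($_.ServerAddresses | Where-Object { $dcAddresses -notcontains $_ }) -join ', ')
            }
        }
}

Test-DnsPointsToDomainController | Format-Table -AutoSize
```

A row with PrimaryIsDC set to False, or any address listed under NonDcServers, is the misconfiguration described above; the warning path fires when the DNS server the client is pointed at cannot see the domain at all.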
Test DNS Resolution with nslookup
# Resolve a hostname using the server's configured DNS
nslookup google.com
# Resolve using a specific DNS server
nslookup google.com 8.8.8.8
# Reverse lookup (IP to hostname)
nslookup 192.168.1.10
# Query for a specific record type
nslookup -type=MX contoso.com
nslookup -type=SRV _ldap._tcp.contoso.local
If nslookup google.com returns an IP but nslookup internalserver fails, the server can reach external DNS but internal resolution is broken, typically because it points at a DNS server that is wrong for, or unreachable from, the internal zone.
Test DNS with Resolve-DnsName (PowerShell)
# Resolve a hostname
Resolve-DnsName google.com
# Resolve using a specific DNS server
Resolve-DnsName google.com -Server 8.8.8.8
# Resolve internal AD service records
Resolve-DnsName _ldap._tcp.contoso.local -Type SRV
# Test reverse lookup
Resolve-DnsName 192.168.1.10 -Type PTR
Resolve-DnsName is more flexible than nslookup and returns structured objects you can pipe and filter.
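As an added example (not from the original article) that ties the nslookup observation above to Resolve-DnsName's structured output, the function below queries an external name and an internal name against every DNS server the client is configured with and returns one row per server and name. The internal name dc01.contoso.local is a placeholder to replace with a real host in your domain; Test-DnsResolutionMatrix is a name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original article.
# Resolves each name against each configured DNS server; an external name that
# resolves while the internal one fails on the same server is the split described above.
function Test-DnsResolutionMatrix {
    param(
        # Placeholder internal name: replace dc01.contoso.local with a host in your domain
        [string[]]$Names = @('google.com', 'dc01.contoso.local'),
        # Default: every IPv4 DNS server configured on any adapter
        [string[]]$Servers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                               ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)
    )
    foreach ($server in $Servers) {
        foreach ($name in $Names) {
            try {
                # -DnsOnly skips LLMNR/NetBIOS so a failure is a DNS failure, not a fallback
                $answers = Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'A' }
                [pscustomobject]@{
                    Server = $server; Name = $name; Status = 'OK'
                    Result = (@($answers | ForEach-Object { $_.IPAddress }) -join ', ')
                }
            } catch {
                [pscustomobject]@{
                    Server = $server; Name = $name; Status = 'FAIL'
                    Result = $_.Exception.Message
                }
            }
        }
    }
}

Test-DnsResolutionMatrix | Sort-Object Server, Name | Format-Table -AutoSize
```

Because the output is objects rather than text, you can pipe it further, for example Where-Object { $_.Status -eq 'FAIL' } to list only the broken server/name pairs.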
Check the Local DNS Cache
Windows caches DNS responses — a stale cache entry can cause connectivity problems even after DNS records are updated:
# View the DNS client cache
Get-DnsClientCache | Select-Object Entry, RecordType, TimeToLive, Data
# Clear the DNS cache
Clear-DnsClientCache
# Command Prompt equivalent
ipconfig /displaydns
ipconfig /flushdns
Flushing the cache forces the next lookup to query the DNS server fresh — useful after changing DNS records or fixing a DNS problem.
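An added example (not from the original article) that turns the cache listing above into a staleness check: for every cached A record it asks the first configured DNS server directly for the same name and flags entries whose cached address no longer matches, so you can see whether a flush is actually needed. It relies on Resolve-DnsName sending the query to the named server rather than answering from the local cache when -Server is given; Find-StaleDnsCacheEntries is a name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original article.
# Compares each cached A record with a fresh answer from the DNS server.
function Find-StaleDnsCacheEntries {
    param(
        # Default: the first IPv4 DNS server configured on any adapter
        [string]$Server = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                           ForEach-Object { $_.ServerAddresses } | Select-Object -First 1)
    )
    # One cached name may hold several A records; negative entries carry no Data and are skipped
    Get-DnsClientCache -Type A | Where-Object { $_.Data } | Group-Object -Property Entry | ForEach-Object {
        $name   = $_.Name
        $cached = @($_.Group | ForEach-Object { $_.Data } | Sort-Object -Unique)
        try {
            # Assumption: with -Server the query goes to that server, not to the local cache
            $fresh = @(Resolve-DnsName -Name $name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)
            # Both lists are sorted and unique, so a joined-string comparison is exact
            $state = if (($cached -join ',') -eq ($fresh -join ',')) { 'current' } else { 'STALE' }
        } catch {
            # Name no longer exists (NXDOMAIN) or the server is unreachable
            $fresh = @()
            $state = 'NO-ANSWER'
        }
        [pscustomobject]@{
            Name    = $name
            Cached  = ($cached -join ', ')
            Fresh   = ($fresh -join ', ')
            State   = $state
            TtlLeft = ($_.Group | Measure-Object -Property TimeToLive -Minimum).Minimum
        }
    } | Where-Object { $_.State -ne 'current' }
}

# Only entries that differ from the server's current answer are returned
Find-StaleDnsCacheEntries | Format-Table -AutoSize
```

A STALE row means the client will keep using the old address until TtlLeft seconds elapse or Clear-DnsClientCache is run; a NO-ANSWER row means the name was removed from DNS or the server is not answering.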
Check the DNS Server Service (on a DNS Server)
If the server runs the DNS Server role:
# Check if the DNS service is running
Get-Service DNS
# Restart DNS service
Restart-Service DNS
# View DNS server statistics
Get-DnsServerStatistics
# Check DNS server zones
Get-DnsServerZone
In DNS Manager (dnsmgmt.msc), right-click the server and select Test to run a simple connectivity and resolution test.
Verify Active Directory DNS Records
Active Directory depends on specific SRV records existing in DNS. Run dcdiag /test:dns on a domain controller for a comprehensive DNS health check specifically for AD:
dcdiag /test:dns /v
This checks that all required AD DNS records (_ldap, _kerberos, _gc) exist and resolve correctly. Any FAILED tests point to missing or incorrect DNS records that need to be registered or fixed.
To force a domain controller to re-register its DNS records:
ipconfig /registerdns
net stop netlogon && net start netlogon
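The following is an added example (not part of the original article) that checks the locator records dcdiag looks for from any domain-joined machine with PowerShell: it resolves the standard _ldap, _kerberos, _kpasswd and _gc SRV names for the domain and confirms that each target host has an A record. It assumes $env:USERDNSDOMAIN is the domain and, by default, that the domain is also the forest root (pass -Forest otherwise); Test-AdDnsServiceRecords is a name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original article.
# Verifies that the SRV records AD clients use to find DCs exist and that
# every SRV target resolves to an address.
function Test-AdDnsServiceRecords {
    param(
        # Assumption: host is domain-joined, so USERDNSDOMAIN holds the AD domain name
        [string]$Domain = $env:USERDNSDOMAIN,
        # Assumption: single-domain forest; pass the forest root name otherwise
        [string]$Forest = $Domain
    )
    # Generic (non-site-specific) locator records every domain must publish
    $required = @(
        "_ldap._tcp.$Domain"
        "_ldap._tcp.dc._msdcs.$Domain"
        "_ldap._tcp.pdc._msdcs.$Domain"
        "_kerberos._tcp.$Domain"
        "_kerberos._tcp.dc._msdcs.$Domain"
        "_kpasswd._tcp.$Domain"
        "_gc._tcp.$Forest"
        "_ldap._tcp.gc._msdcs.$Forest"
    )
    foreach ($record in $required) {
        try {
            $srv = @(Resolve-DnsName -Name $record -Type SRV -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
        } catch {
            [pscustomobject]@{ Record = $record; Status = 'MISSING'; Targets = $_.Exception.Message }
            continue
        }
        # Each SRV target must itself resolve, otherwise clients find a name but no address
        $targets = foreach ($s in $srv) {
            $a = @(Resolve-DnsName -Name $s.NameTarget -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
            if ($a.Count -gt 0) { "$($s.NameTarget):$($s.Port) -> $($a -join '/')" }
            else                { "$($s.NameTarget):$($s.Port) -> UNRESOLVED" }
        }
        $status = if ($srv.Count -eq 0) { 'MISSING' }
                  elseif ($targets -match 'UNRESOLVED') { 'TARGET-UNRESOLVED' }
                  else { 'OK' }
        [pscustomobject]@{ Record = $record; Status = $status; Targets = ($targets -join '; ') }
    }
}

Test-AdDnsServiceRecords | Format-Table -AutoSize -Wrap
```

A MISSING row is the case ipconfig /registerdns and a Netlogon restart on the DC are meant to fix; a TARGET-UNRESOLVED row means the SRV record exists but the DC's own host (A) record is gone, which dcdiag also reports as a failure.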
Check DNS Forwarders
A DNS server that cannot resolve external names may have broken forwarders:
# Check configured forwarders
Get-DnsServerForwarder
# Test forwarding manually
nslookup google.com [your-DNS-server-IP]
In DNS Manager: right-click the server → Properties → Forwarders tab. The forwarders should point to your ISP’s DNS or a reliable external resolver (e.g. 8.8.8.8, 1.1.1.1).
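An added example (not from the original article) for the forwarder check: it reads the forwarder list with Get-DnsServerForwarder, queries each forwarder directly for an external name, and then asks the local DNS server for the same name, so a dead or slow forwarder shows up next to the symptom the server's clients see. It assumes it runs on the DNS server itself with the DnsServer module available; Test-DnsServerForwarders and its inner helper Invoke-TimedQuery are names chosen here, not built-in cmdlets.

```powershell
# Added example, not from the original article.
# Tests each configured forwarder directly, then the local DNS server end to end.
function Test-DnsServerForwarders {
    param(
        # The same external name the article uses for its manual test
        [string]$TestName = 'google.com'
    )
    # Requires the DnsServer module (present where the DNS Server role is installed)
    $config = Get-DnsServerForwarder
    $forwarders = @($config.IPAddress | ForEach-Object { $_.IPAddressToString })
    if ($forwarders.Count -eq 0) {
        Write-Warning "No forwarders configured; UseRootHint=$($config.UseRootHint) (root hints only)"
    }

    # Helper: time one A query against one server and return a result row
    function Invoke-TimedQuery([string]$Target, [string]$Label) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $answers = Resolve-DnsName -Name $TestName -Type A -Server $Target -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
            $sw.Stop()
            [pscustomobject]@{ Role = $Label; Server = $Target; Status = 'OK'
                               Milliseconds = [int]$sw.ElapsedMilliseconds
                               Answer = (@($answers | ForEach-Object { $_.IPAddress }) -join ', ') }
        } catch {
            $sw.Stop()
            [pscustomobject]@{ Role = $Label; Server = $Target; Status = 'FAIL'
                               Milliseconds = [int]$sw.ElapsedMilliseconds
                               Answer = $_.Exception.Message }
        }
    }

    foreach ($ip in $forwarders) { Invoke-TimedQuery -Target $ip -Label 'forwarder' }
    # If the forwarders answer but this row fails, the problem is on the DNS server itself
    # (service stopped, outbound port 53 blocked, forwarder timeout), not at the upstream resolvers
    Invoke-TimedQuery -Target '127.0.0.1' -Label 'local-server'
}

Test-DnsServerForwarders | Format-Table -AutoSize
```

Compare the Milliseconds column across forwarders as well as Status: a forwarder that answers only after several seconds will make every external lookup from the server feel broken even though nothing reports an outright failure.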
Common DNS Problems on Windows Server
- Server using wrong DNS: set primary DNS to domain controller IP, not router or external DNS
- Stale cache entries: run ipconfig /flushdns after any DNS changes
- Missing SRV records: run dcdiag /test:dns and ipconfig /registerdns on DCs
- DNS Server service stopped: Get-Service DNS — restart if stopped
- Zone not replicating: check AD-integrated zone replication scope matches AD replication topology