Configuring DNS on Windows Server goes beyond simply checking that name resolution works. As the DNS Server role administrator, you manage zones, create and maintain records, set up forwarders, and ensure that Active Directory’s service records are healthy. This guide covers how to configure and manage DNS on Windows Server from the ground up.
Install the DNS Server Role
Install-WindowsFeature -Name DNS -IncludeManagementTools
Or via Server Manager → Add Roles and Features → DNS Server. The DNS Manager console opens via Server Manager → Tools → DNS, or by running dnsmgmt.msc.
Understanding DNS Zone Types
Before creating zones, understand the options:
- Primary zone: the authoritative read/write copy of a zone. Changes are made here and replicated to secondary servers.
- Secondary zone: a read-only copy of a primary zone, replicated from the primary. Used for load distribution and redundancy.
- Stub zone: contains only the NS records of another zone — used to help resolve names in a partner domain without hosting a full copy.
- Active Directory-integrated zone: the zone data is stored in AD rather than a file. Replicated automatically with AD replication, supports secure dynamic updates, and provides multi-master redundancy. This is the recommended type for internal zones in AD environments.
Create a New Forward Lookup Zone
- In DNS Manager, right-click Forward Lookup Zones → New Zone
- Choose Primary zone (tick “Store the zone in Active Directory” if on a DC)
- Choose the AD replication scope — To all DNS servers running on domain controllers in this domain is the standard choice
- Enter the zone name (e.g. contoso.local)
- Allow only secure dynamic updates (recommended for AD-integrated zones)
- Click Finish
# Via PowerShell
Add-DnsServerPrimaryZone -Name "contoso.local" -ReplicationScope Domain -DynamicUpdate Secure
Create a Reverse Lookup Zone
Reverse lookup zones resolve IP addresses back to hostnames (PTR records). Needed for some applications and for complete DNS health checks:
- Right-click Reverse Lookup Zones → New Zone
- Choose Primary, AD-integrated
- Enter the network ID (e.g. 192.168.1 for a 192.168.1.0/24 network)
- Allow secure dynamic updates
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope Domain -DynamicUpdate Secure
Add DNS Records Manually
Most records in an AD environment are created automatically via dynamic DNS. For servers, printers, and services with static IPs, add records manually:
# Add an A record (hostname to IP)
Add-DnsServerResourceRecordA -ZoneName "contoso.local" -Name "webserver" -IPv4Address "192.168.1.20"
# Add a CNAME record (alias)
Add-DnsServerResourceRecordCName -ZoneName "contoso.local" -Name "www" -HostNameAlias "webserver.contoso.local."
# Add an MX record (mail)
Add-DnsServerResourceRecordMX -ZoneName "contoso.local" -Name "@" -MailExchange "mail.contoso.local" -Preference 10
# Add a PTR record (reverse lookup)
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "20" -PtrDomainName "webserver.contoso.local."
# Add a TXT record (SPF, DMARC, domain verification)
Add-DnsServerResourceRecord -ZoneName "contoso.local" -Name "@" -Txt -DescriptiveText "v=spf1 ip4:203.0.113.10 -all"
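Manual A records do not get a matching PTR unless you ask for one, and re-running a record script should not silently overwrite an address that someone changed on purpose. The script below is an added example, not part of the original guide: it registers A and PTR pairs for a constructed list of static hosts, skipping records that already exist and warning on conflicts. The hostnames and addresses are sample data; the zone names are the ones used above.

```powershell
# Added example: register static hosts as A + PTR pairs, idempotently.
$ZoneName    = "contoso.local"
$ReverseZone = "1.168.192.in-addr.arpa"

# Constructed sample data: hostname => static IPv4 address
$StaticHosts = @{
    "webserver"  = "192.168.1.20"
    "fileserver" = "192.168.1.30"
    "printer01"  = "192.168.1.50"
}

# -CreatePtr only succeeds if the matching reverse zone is hosted on this server
$HaveReverse = [bool](Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)
if (-not $HaveReverse) {
    Write-Warning "Reverse zone $ReverseZone not found; PTR records will not be created."
}

foreach ($entry in $StaticHosts.GetEnumerator()) {
    $name = $entry.Key
    $ip   = $entry.Value

    # Get-DnsServerResourceRecord throws when the name does not exist; treat that as "absent"
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        $current = @($existing.RecordData.IPv4Address.IPAddressToString)
        if ($current -contains $ip) {
            Write-Host "$name already points to $ip - skipping"
        } else {
            # A different address is a conflict worth a human look, not an automatic overwrite
            Write-Warning "$name exists with a different address ($($current -join ', ')); not overwriting"
        }
        continue
    }

    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $ip -CreatePtr:$HaveReverse
    $ptrNote = if ($HaveReverse) { " (with PTR)" } else { "" }
    Write-Host ("Added {0} -> {1}{2}" -f $name, $ip, $ptrNote)
}
```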
Modify and Delete Records
# List all records in a zone
Get-DnsServerResourceRecord -ZoneName "contoso.local" | Select-Object HostName, RecordType, RecordData
# Find a specific record
Get-DnsServerResourceRecord -ZoneName "contoso.local" -Name "webserver" -RRType A
# Remove a record
Remove-DnsServerResourceRecord -ZoneName "contoso.local" -Name "oldserver" -RRType A -Force
Configure DNS Forwarders
Forwarders tell your DNS server where to send queries for names it cannot resolve locally — typically external DNS servers for internet names:
- In DNS Manager, right-click the server name → Properties → Forwarders tab
- Click Edit and add forwarder IP addresses (e.g. 8.8.8.8, 1.1.1.1, or your ISP’s DNS)
# Set forwarders via PowerShell
Set-DnsServerForwarder -IPAddress "8.8.8.8","1.1.1.1"
# Add a conditional forwarder (forward specific domain to a specific DNS server)
Add-DnsServerConditionalForwarderZone -Name "partner.com" -MasterServers "10.10.10.10" -ReplicationScope Domain
Conditional forwarders are essential for trusts and partner domains — they ensure that queries for partner.com go directly to the partner’s DNS rather than going to external resolvers.
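A forwarder list is only useful if the servers on it answer, and a partner domain is only protected from leaking to external resolvers if its conditional forwarder zone actually exists on this server. The audit below is an added example, not from the original guide: it tests each configured forwarder and lists the conditional forwarder zones. The test name is an assumption; use any public name your forwarders are expected to resolve.

```powershell
# Added example: audit forwarder configuration on the local DNS server.
$TestName = "www.example.com"   # assumption: a public name used only to probe each forwarder

$fwd = Get-DnsServerForwarder
"Forwarders: {0}; fall back to root hints: {1}; timeout: {2}s" -f `
    ($fwd.IPAddress -join ', '), $fwd.UseRootHint, $fwd.Timeout

foreach ($server in $fwd.IPAddress) {
    try {
        # Query the forwarder directly (not via the local cache) and time the answer
        $t = Measure-Command {
            $null = Resolve-DnsName -Name $TestName -Server $server -DnsOnly -ErrorAction Stop
        }
        "  {0,-16} OK     ({1} ms)" -f $server, [int]$t.TotalMilliseconds
    } catch {
        Write-Warning ("  {0,-16} FAILED: {1}" -f $server, $_.Exception.Message)
    }
}

# Conditional forwarder zones: queries for these domains bypass the general forwarders
Get-DnsServerZone |
    Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName,
        @{ n = 'MasterServers'; e = { $_.MasterServers -join ', ' } },
        IsDsIntegrated |
    Format-Table -AutoSize
```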
Configure DNS Scavenging
Stale DNS records accumulate over time — computers that were decommissioned or renamed leave orphaned A records. DNS scavenging automatically removes records that have not been refreshed within a set period:
- In DNS Manager, right-click the server → Set Aging/Scavenging for All Zones
- Tick Scavenge stale resource records
- Set No-refresh interval (7 days) and Refresh interval (7 days) — standard settings
# Enable scavenging at the server level (runs every 7 days), then enable aging on the zone
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
Set-DnsServerZoneAging -ZoneName "contoso.local" -Aging $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
With scavenging enabled, records registered by dynamic DNS refresh themselves every 24 hours. Records that go 14 days without refreshing become eligible for cleanup.
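Before the first scavenging pass runs, it is worth seeing what it would delete. The script below is an added example, not part of the original guide: it reads the zone's own aging settings, lists the dynamic records already past the No-refresh plus Refresh window, and separately lists static records, which carry no timestamp and are never scavenged. Nothing is deleted.

```powershell
# Added example: preview stale records in a zone using its configured aging intervals.
$ZoneName = "contoso.local"

# Scavenging only runs when the server-level state is on AND the zone has aging enabled
$server = Get-DnsServerScavenging
$aging  = Get-DnsServerZoneAging -ZoneName $ZoneName
if (-not $server.ScavengingState) {
    Write-Warning "Server-level scavenging is off; no zone will be scavenged."
}
if (-not $aging.AgingEnabled) {
    Write-Warning "Aging is off on $ZoneName; dynamic records are not timestamped until it is enabled."
}

# A dynamic record is eligible once it is older than No-refresh + Refresh
$eligibleAge = $aging.NoRefreshInterval + $aging.RefreshInterval
$cutoff      = (Get-Date) - $eligibleAge

$records = Get-DnsServerResourceRecord -ZoneName $ZoneName |
    Where-Object { $_.RecordType -in 'A', 'AAAA', 'CNAME', 'SRV' }

# Static records have no Timestamp: scavenging never touches them, so review them by hand
$static = @($records | Where-Object { -not $_.Timestamp })
# Dynamic records past the cutoff are what the next scavenging pass would remove
$stale  = @($records | Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff })

"Zone {0}: {1} records, {2} static (never scavenged), {3} stale dynamic (older than {4})" -f `
    $ZoneName, @($records).Count, $static.Count, $stale.Count, $eligibleAge

$stale |
    Sort-Object Timestamp |
    Select-Object HostName, RecordType, Timestamp |
    Format-Table -AutoSize
```

Records listed as stale that still belong to live hosts point at a client that has stopped refreshing its registration; fix that before scavenging removes the record.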
DNS Debug Logging
For diagnosing DNS problems, enable debug logging temporarily:
- Right-click the DNS server → Properties → Debug Logging tab
- Tick Log packets for debugging
- Set the log file path and maximum size
DNS debug logging is verbose — enable it only during troubleshooting and disable it afterwards to avoid filling the disk.