This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without
notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use
this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft. All rights reserved.
Terms of Use (http://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)
Table Of Contents
Chapter 1
DNS Server Overview
Administering DNS Operations
Introduction to Administering DNS Operations
Managing DNS
DNS Operations Guide
Chapter 1
Feature: DNAME resource record support
The DNAME resource record provides nonterminal domain name redirection. That is, unlike the CNAME record, which creates an alias for a single node
only, a single DNAME resource record causes the renaming of a root and all descendants in a domain namespace subtree. This makes it possible for
organizations to rename a portion of their domain namespace, for example, to merge two namespaces as a result of a business acquisition.
Feature: Support for IPv6 addresses
Internet Protocol version 6 (IPv6) specifies addresses that are 128 bits in length, compared to IP version 4 (IPv4) addresses, which are 32 bits long. This
greater length allows for a much greater number of globally unique addresses, which are required to accommodate the explosive growth of the Internet
around the world. IPv6 also provides for better routing and network autoconfiguration. The DNS server in Windows Server 2008 now supports IPv6
addresses as fully as it supports IPv4 addresses.
Feature: Read-only domain controller support
Windows Server 2008 introduces a new type of domain controller, the read-only domain controller (RODC). An RODC provides, in effect, a shadow copy of
a domain controller. You can install it in locations where physical security cannot be guaranteed, such as branch offices.
To support RODCs, the DNS server in Windows Server 2008 supports a new type of zone, the primary read-only zone (also sometimes referred to as a
branch office zone). The primary read-only zone is created automatically when a computer running the DNS server role is promoted to be an RODC. The
zone contains a read-only copy of the DNS data that is stored in the read-only AD DS database on the RODC.
The writeable version of the data is stored on a centrally located domain controller, such as a hub site domain controller. The DNS zone data on the RODC
is updated when the DNS data is replicated from the centrally located domain controllers to the RODC according to the configured replication schedule.
The administrator of the RODC can view the contents of the read-only primary zone, but only a domain administrator with permissions on the centrally
located domain controller can change the zone data.
Feature: Single-label name resolution
The DNS Server service now supports a special zone called the GlobalNames zone to hold single-label host names. This zone can be replicated across an
entire forest, so that single-label host names (for example, webserver1) can be resolved throughout the forest without the use of the Windows Internet
Naming System (WINS) protocol. Although the GlobalNames zone is not intended to provide peer-to-peer single-label name resolution, you can use it to
simplify the location of servers and intranet Web sites, for example.
A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based Systems.
Typical DNS server hardware recommendations include the following:
Using faster CPUs, more RAM, and larger hard drives improves the scalability and performance of your DNS servers. DNS servers use approximately 100 bytes of RAM for
each resource record. Using this figure together with the number of resource records, which you can obtain by looking at each zone in the DNS snap-in, you can
calculate how much memory you need.
This DNS administration guide provides detailed procedures for managing DNS servers, clients, and resource records. It also provides procedures for monitoring,
optimizing, and securing your DNS infrastructure. For most procedures, this guide provides both a user interface (UI) method and a command-line method of performing
the procedure. In addition, this guide provides sample scripts for the most frequently used, repetitive tasks.
2014 Microsoft. All rights reserved.
This guide assumes a basic understanding of what DNS is, how it works, and why your organization uses it for name resolution. You should also have a thorough
understanding of how DNS is deployed and managed in your organization. This includes an understanding of the mechanism that your organization uses to configure and
manage DNS settings.
This guide can be used by organizations that have deployed Windows Server 2003 Service Pack 1 (SP1). It includes information that is relevant to different roles within an IT
organization, including IT operations management and administrators. This guide contains high-level information that is required to plan a DNS operations environment,
along with management-level knowledge of the DNS and IT processes that are required to operate it.
In addition, this guide contains more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures
provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and snap-ins and know how to start
administrative programs and access the command line. If operators are not familiar with DNS, it might be necessary for IT planners or managers to review the relevant
operations in this guide and provide the operators with parameters or data that must be entered when the operations are performed.
Objectives are high-level goals for managing, monitoring, optimizing, and securing DNS. Each objective consists of one or more high-level tasks that describe how
the objective is accomplished. In this guide, Managing Domain Name System Servers is an example of an objective.
Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective. In this guide, Modifying an Existing DNS Server is
an example of a task.
Procedures provide step-by-step instructions for completing tasks. In this guide, Change the name-checking method of a DNS server is an example of a procedure.
If you are an IT manager who will be delegating tasks to operators in your organization, you will want to:
Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures
for each task.
Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.
When necessary, create tear sheets for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate
document and then either print these documents or store them online, depending on the preference of your organization.
Managing DNS
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide describes processes and procedures for improving the management of Windows Server 2003 Domain Name System (DNS) in your network infrastructure.
Ensuring that DNS is functioning properly helps increase system availability for your users.
The following tasks for managing DNS are described in this objective:
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the Windows Components Wizard, click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure a DNS server using the command line
At a command prompt,type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
/Config {ZoneName|..AllZones}
Specifies the name of the zone to be configured. To apply the configuration for all zones that are hosted by the specified DNS server,
type ..AllZones.
Property
Specifies the server property or zone property to be configured. There are different properties available for servers and zones. For a
list of the available properties, at a command prompt type: dnscmd /Config /help.
{1|0}
Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone properties must be reset as part of a more
complex operation.
Note
To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command Prompt.
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).
ZoneName
Specifies the fully qualified domain name (FQDN) of the secondary zone that you are adding. The zone name must be the same as the name of
the primary zone from which the secondary zone is created.
MasterIPaddress
Specifies one or more IP addresses for the secondary zone master servers, from which it copies zone data.
FileName
Specifies the name of the file to use for creating the secondary zone.
In the following example, zone transfers are first allowed from the primary DNS server primarydns.contoso.com at 10.0.0.2 to the secondary server
secondarydns.contoso.com at 11.0.0.2. Next, the secondary DNS server is added to the zone secondtest.contoso.com.
Dnscmd primarydns.contoso.com /zoneresetsecondaries secondtest.contoso.com /securelist 11.0.0.2
Dnscmd secondarydns.contoso.com /zoneadd secondtest.contoso.com /secondary 10.0.0.2
For more information about using dnscmd, see Dnscmd Syntax.
Install Dnscmd.
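The transfer restriction shown in the example above, generalised to several zones and secondaries and checked after each call, as an added PowerShell example that is not part of this guide. The server names, addresses and zone name are assumed placeholders; the /NotifyList option and the /ZoneInfo query are dnscmd options not shown on this page.

```powershell
# Added example, not from the guide: lock zone transfers on a primary down to a known list of
# secondaries, create the matching secondary zones, and show the resulting zone settings.
# All names and addresses below are assumed placeholders.
$Primary     = 'primarydns.contoso.com'
$PrimaryIP   = '10.0.0.2'
$Secondaries = @{ 'secondarydns.contoso.com' = '11.0.0.2' }   # host name -> IP address
$Zones       = @('secondtest.contoso.com')

function Invoke-Dnscmd([string[]]$CmdArgs) {
    # Run dnscmd and fail loudly: a silently failed /ZoneResetSecondaries would leave
    # the zone transferable to any host that asks.
    $out = & dnscmd.exe @CmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $CmdArgs failed (exit $LASTEXITCODE): $out" }
    $out
}

$secondaryIPs = @($Secondaries.Values)

foreach ($zone in $Zones) {
    # /SecureList restricts transfers to the listed addresses; /NotifyList sends change
    # notifications to the same hosts so they pull updates promptly.
    Invoke-Dnscmd (@($Primary, '/ZoneResetSecondaries', $zone, '/SecureList') + $secondaryIPs +
                   @('/NotifyList') + $secondaryIPs)

    # Create the secondary zone on every secondary, pulling zone data from the primary.
    foreach ($secondaryHost in $Secondaries.Keys) {
        Invoke-Dnscmd @($secondaryHost, '/ZoneAdd', $zone, '/Secondary', $PrimaryIP)
    }

    # Review the effective transfer settings. /ZoneInfo field names vary by version, so this
    # only filters the output for lines that mention secondaries or notification.
    Write-Host "Transfer settings for $zone on ${Primary}:"
    Invoke-Dnscmd @($Primary, '/ZoneInfo', $zone) | Where-Object { $_ -match 'secondar|notify' }
}
```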
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the DNS management console, click Start, point to Administrative Tools, and then click DNS.
Note
If you want to resume the service after you pause or stop it, on the Action menu, point to All Tasks, and then click Resume to immediately resume the service.
To manually update DNS server data files using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Update Server Data Files.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To manually update DNS server data files using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneUpdateFromDs ZoneName
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.)
ZoneName
Specifies the name of the zone to update.
To clear the DNS server names cache using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server.
3. On the Action menu, click Clear Cache.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To clear the DNS server names cache using the command line
At a command prompt, type the following, and then press ENTER:
dnscmd ServerName /clearcache
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.)
Strict RFC (ANSI): This method strictly enforces Request for Comments (RFC)-compliant naming rules for all Domain Name System (DNS) names that the server
processes. Names that are not RFC compliant are treated as erroneous data by the DNS server.
Non RFC (ANSI): This method allows names that are not RFC compliant, such as names that use American Standard Code for Information Interchange (ASCII)
characters but are not compliant with RFC host naming requirements, to be used with the DNS server.
Multibyte (UTF8): This method allows names that use the Unicode 8-bit translation encoding scheme, which is a proposed RFC draft, to be used with the DNS server.
By default, the DNS server uses the Multibyte (UTF8) method to check names.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change the name-checking method of a DNS server
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Name checking list, click Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.
All names enables all three name-checking methods.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Property                         Setting
Disable recursion                Off
BIND secondaries                 On
[property name missing]          Off
[property name missing]          On
[property name missing]          On
[property name missing]          On
Name checking                    Multibyte (UTF8)
[property name missing]          Off
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restore DNS server default preferences
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Keep forwarder configuration uncomplicated. For every DNS server that is configured with a forwarder, queries can be sent to a number of different places. Each
forwarder and each conditional forwarder must be administered for the benefit of DNS client queries, and this process can be time consuming. Use forwarders
strategically where they are needed the most, for example, for resolving offsite queries or for sharing information between namespaces.
Avoid chaining your forwarders. If you have configured a DNS server named server1 to forward queries for wingtiptoys.corp.com to DNS server server2, do not
configure server2 to forward queries for wingtiptoys.corp.com to DNS server server3. This is an inefficient resolution process, and it can result in errors if server3 is
accidentally configured to forward queries for wingtiptoys.corp.com to server1.
Do not concentrate too great a load on forwarders. The recursive queries that forwarders send to the Internet can require a significant amount of time to answer
because of the nature of the Internet. When large numbers of internal DNS servers use these forwarders for Internet queries, the server can experience a substantial
concentration of network traffic. If network load is an issue, use more than one forwarder and distribute the load between them.
Do not create inefficient resolution by using forwarders. The DNS server attempts to forward domain names according to the order in which the domain names
are configured in the DNS console. For example, a DNS server in Seattle may be incorrectly configured to forward a query to a server in London, instead of another
server in Seattle, because the server in London is higher up in the forwarders list. This decreases the efficiency of name resolution on the network. Evaluate your
network's forwarding configurations periodically to see if there are similar, inefficient configurations.
To configure forwarders for a DNS server using the Windows graphical user interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click a domain name.
Note
To create a new domain name, click New, and then, under DNS domain, type the domain name.
5. Under Selected domain's forwarder IP address list, type the Internet Protocol (IP) address of a forwarder, and then click Add.
Note
When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.
6. By default, the DNS server waits five seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds
before forward queries time out, you can change the number of seconds that the DNS server waits. If the overall recursion timeout (by default, 15 seconds) is
exceeded before all forwarders are exhausted, the DNS server fails the query. If the overall recursion timeout has not been exceeded and the server exhausts all
forwarders, it attempts standard recursion.
7. If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the Do not use recursion for this domain
check box.
Note
You can disable recursion for the DNS server so that it does not perform recursion on any query. If you disable recursion on the DNS server, you will not be able
to use forwarders on the same server.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure forwarders for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName /Forwarder MasterIPaddress [/TimeOut Time][/Slave]
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local
computer, you can also type a period (.).
ZoneName
MasterIPaddress
Specifies a space-separated list of one or more IP addresses of the DNS servers where queries for ZoneName are forwarded. You can specify
Time
Specifies the value for the /TimeOut parameter. The value is in seconds. The default timeout is five seconds.
1. Use the Delete a resource record procedure to remove the address (A) resource record for the server.
2. Use the Modify an existing resource record procedure to update the name server (NS) records, in zones where the server is configured as authoritative, so that
they no longer include the server by name (as it appeared in the A record that was deleted in step 1).
3. If the server is the primary server for a standard zone, use the Modify the SOA record for a zone procedure to revise the owner field of the start of authority (SOA)
resource record for the zone to point to the new primary DNS server for the zone. (If the zone is a directory-integrated zone, this procedure is not necessary.)
4. Use the Verify a zone delegation procedure to check the parent zone to ensure that any records (NS or A resource records) that are used for delegation to the
zone are revised and that they no longer point to the removed server.
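The four steps above carried out with dnscmd for one standard primary zone, as an added PowerShell example that is not part of this guide. Host names, addresses and the SOA timer values are assumed placeholders (the timers use the standard settings this guide lists for the SOA record), and the /EnumRecords query and the non-interactive nslookup options are assumed forms of tools the page mentions but does not show in this way.

```powershell
# Added example, not from the guide: decommission a DNS server from one standard primary zone.
# Host names, addresses and timer values are assumed placeholders.
$Server       = '.'                                  # run against the local DNS server
$Zone         = 'sales.wingtiptoys.com'
$OldHost      = 'ns2'                                # server being removed, relative to $Zone
$OldIP        = '10.0.0.5'
$NewPrimary   = 'ns1.sales.wingtiptoys.com.'         # new SOA primary server (FQDN with trailing dot)
$Admin        = 'hostmaster.sales.wingtiptoys.com.'  # responsible mailbox in SOA form
$ParentServer = 'ns1.wingtiptoys.com'                # a server authoritative for the parent zone
$Refresh, $Retry, $Expire, $MinTTL = 3600, 600, 86400, 3600

function Invoke-Dnscmd([string[]]$CmdArgs) {
    # Run dnscmd and stop on the first failure so later steps never run against a half-changed zone.
    $out = & dnscmd.exe @CmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $CmdArgs failed (exit $LASTEXITCODE): $out" }
    $out
}

# Step 1: delete the A record of the server being removed (/f skips the confirmation prompt).
Invoke-Dnscmd @($Server, '/RecordDelete', $Zone, $OldHost, 'A', $OldIP, '/f')

# Step 2: drop the NS record at the zone apex that still names the old server.
Invoke-Dnscmd @($Server, '/RecordDelete', $Zone, '@', 'NS', "${OldHost}.${Zone}.", '/f')

# Step 3 (standard primary zones only): point the SOA primary-server field at the new primary.
# dnscmd needs all seven SOA values, so read the current serial from the zone and increase it;
# a serial that does not move forward means secondaries never pick up the change.
$soaLine = Invoke-Dnscmd @($Server, '/EnumRecords', $Zone, '@', '/Type', 'SOA') |
           Where-Object { $_ -match '\sSOA\s' } | Select-Object -First 1
if (-not ($soaLine -match '\sSOA\s+\S+\s+\S+\s+(\d+)')) {
    throw "Could not read the current SOA serial for $Zone from: $soaLine"
}
$newSerial = [uint32]($Matches[1]) + 1
Invoke-Dnscmd @($Server, '/RecordAdd', $Zone, '@', 'SOA', $NewPrimary, $Admin, $newSerial,
                $Refresh, $Retry, $Expire, $MinTTL)

# Step 4: check the delegation in the parent zone. This is the non-interactive form of the
# "set norecursion" / "set q=NS" nslookup steps: ask the parent's server, without recursion,
# for the NS records of the child zone and make sure the removed server is no longer listed.
$delegation = & nslookup.exe -norecurse -type=NS $Zone $ParentServer 2>&1 | Out-String
if ($delegation -match [regex]::Escape("${OldHost}.${Zone}")) {
    Write-Warning "Parent zone still delegates $Zone to ${OldHost}.${Zone}; update the delegation."
} else {
    Write-Host "Delegation for $Zone no longer references ${OldHost}.${Zone}."
}
```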
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordDelete
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies
the zone's root node.
RRType RRData
Required. Specifies the type of resource record to delete, followed by the data contained in the resource record. The RRData format depends on the
RRType:
A: IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV
SOA
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
/f
Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion
of the resource record.
Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
RRType RRData
Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. The RRData format depends on the
RRType:
A: IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV
SOA
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in SOA resource record.
SOA
Required. Specifies the type of resource record that you are modifying.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
PrimSvr
Required. Specifies the FQDN name of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com..
Admin
Required. Specifies the name of the DNS administrator for the zone, for example, postmaster.nameserver.place.sales.wingtiptoys.com..
Serial#
Refresh
Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).
Retry
Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).
Expire
Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).
MinTTL
Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).
Note
To modify any specific SOA record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
Value
Description
RootServerIpAddress
set norecursion
set q=NS
Server aging and scavenging properties for determining the use of these features on a server-wide basis. These settings are used to determine the effect of
zone-level properties for any directory-integrated zones that are loaded at the server. For more information, see Set aging and scavenging properties for a DNS
server.
Zone aging and scavenging properties for determining the use of these features on a per zone basis. When zone-specific properties are set for a selected
zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their
defaults from comparable settings that are maintained in server aging and scavenging properties. For more information, see Set aging and scavenging properties
for a zone.
Caution: Enabling aging and scavenging for use with standard primary zones modifies the format of zone files. This change does not affect zone replication to
secondary servers, but the modified zone files cannot be loaded by other versions of DNS servers.
Service and refresh period:
Net Logon: 24 hours
Clustering: 24 hours
DHCP client: 24 hours. The DHCP Client service sends dynamic updates for the DNS records. This includes both computers that obtain a leased Internet Protocol
(IP) address by using Dynamic Host Configuration Protocol (DHCP) and computers that are configured statically for TCP/IP.
DHCP server: Four days (half of the lease interval, which is eight days by default). Refresh attempts are made only by DHCP servers that are configured to
perform DNS dynamic updates on behalf of their clients, for example, Windows 2000 Server DHCP servers and Windows Server 2003 DHCP servers. The period is
based on the frequency with which DHCP clients renew their IP address leases with the server. Typically, this occurs when 50 percent of the scope lease time
has elapsed. If the DHCP default scope lease duration of eight days is used, the maximum refresh period for records that are updated by DHCP servers on
behalf of clients is four days.
By default, the refresh interval is seven days. In most instances, this value is sufficient and does not need to be changed, unless any resource records in the zone are
refreshed less often than once every seven days.
Automatic scavenging. Automatic scavenging specifies that aging and scavenging of stale records is to be performed automatically by the server for any eligible
zones at a recurring interval that is specified as the scavenging period. When you use automatic scavenging, the default scavenging period is one day, and the
minimum allowed value that you can use for the scavenging period is one hour. For more information, see Configure automatic scavenging of stale resource
records.
Manual scavenging. Manual scavenging specifies that aging and scavenging of stale records is to be performed as a nonrecurring operation for any eligible zones
at the server. For more information, see Start scavenging of stale resource records.
To set aging and scavenging properties for a DNS server using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Set Aging/Scavenging for All Zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.)
Value
For /ScavengingInterval, type a value in hours. The default is 168 hours (one week). For /DefaultAgingState, type 1 to enable aging for new
zones when they are created. Type 0 to disable aging for new zones. For /DefaultNoRefreshInterval, type a value in hours. The default is
168 hours (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 hours (one week).
To set aging and scavenging properties for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}
Value
Description
ServerName
Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.)
ZoneName|..AllZones
Specifies the name of the zone to which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.
Value
For /Aging, type 1 to enable aging. Type 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours
(one week). For /NoRefreshInterval, type a value in seconds. The standard setting is 3600 seconds (one hour).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start scavenging of stale resource records using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /StartScavenging
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.)
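The server-level, zone-level and manual scavenging commands from the three command-line procedures above, combined into one run, as an added PowerShell example that is not part of this guide. The server and zone names are assumed placeholders; the zone-level intervals are passed in hours, the same unit as the server-level defaults, and the "DS integrated" check assumes that /ZoneInfo reports that field under that name.

```powershell
# Added example, not from the guide: turn on aging with the guide's default intervals server-wide,
# enable it for each listed zone, warn where a zone is not directory-integrated (enabling aging
# rewrites a standard primary zone's file, see the caution above), and run one manual pass.
# Server and zone names are assumed placeholders.
$Server = '.'
$Zones  = @('sales.wingtiptoys.com', 'corp.wingtiptoys.com')
$Hours  = 168       # one week: the default for ScavengingInterval, NoRefresh and Refresh

function Invoke-Dnscmd([string[]]$CmdArgs) {
    # Run dnscmd and stop on the first failure so a zone is never left half-configured.
    $out = & dnscmd.exe @CmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $CmdArgs failed (exit $LASTEXITCODE): $out" }
    $out
}

# Server-level defaults: inherited by new zones and by directory-integrated zones without
# zone-level settings. ScavengingInterval is how often an automatic pass runs.
Invoke-Dnscmd @($Server, '/Config', '/DefaultAgingState', '1')
Invoke-Dnscmd @($Server, '/Config', '/DefaultNoRefreshInterval', $Hours)
Invoke-Dnscmd @($Server, '/Config', '/DefaultRefreshInterval', $Hours)
Invoke-Dnscmd @($Server, '/Config', '/ScavengingInterval', $Hours)

foreach ($zone in $Zones) {
    # Assumption: /ZoneInfo prints a "DS integrated = 1" line for directory-integrated zones.
    $info = Invoke-Dnscmd @($Server, '/ZoneInfo', $zone) | Out-String
    if ($info -notmatch 'DS integrated\s*=\s*1') {
        Write-Warning "$zone does not report as directory-integrated; enabling aging rewrites its zone file in a format older DNS servers cannot load."
    }
    # Zone-level settings (hours). A record is stale once NoRefresh + Refresh has elapsed since
    # its timestamp, so keep Refresh at least as long as the slowest updater (DHCP server: four days).
    Invoke-Dnscmd @($Server, '/Config', $zone, '/Aging', '1')
    Invoke-Dnscmd @($Server, '/Config', $zone, '/NoRefreshInterval', $Hours)
    Invoke-Dnscmd @($Server, '/Config', $zone, '/RefreshInterval', $Hours)
}

# One manual pass now; automatic passes follow every ScavengingInterval hours.
Invoke-Dnscmd @($Server, '/StartScavenging')
```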
To reset aging and scavenging properties for a specific resource record using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.
4. Depending on how the resource record was originally added to the zone, do one of the following:
If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent the record's aging or
potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always
reset this check box so that the dynamically updated record can be deleted.
If you added the record manually, select the Delete this record when it becomes stale check box to permit the record's aging or potential removal during
the scavenging process.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set the scavenging interval for the server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /ScavengingInterval Value
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.)
Value
The new value for the scavenging interval, specified in hours. The default is 168 hours (one week). Type 0 to turn off automatic scavenging on
the server.
Note
The scavenging interval is a server-wide setting, not a zone or record setting: it controls how often the server runs a scavenging pass over
every zone for which aging is enabled. The per-record Delete this record when it becomes stale check box has no direct Dnscmd equivalent. To
reset the time stamps of the records at a node so that they begin a new no-refresh interval, use dnscmd ServerName /AgeAllRecords ZoneName
[NodeName] [/Tree] [/f].
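The aging and scavenging settings above interact in a way that is easy to get wrong: a record is removed only after the zone's no-refresh and refresh intervals have both elapsed, and then only when the server's next scavenging pass happens to run. The following PowerShell function is an added example, not code from this guide. It takes the values you would pass to /NoRefreshInterval, /RefreshInterval and /ScavengingInterval and works out when a record becomes eligible, at which pass it would actually disappear, and whether a client that re-registers on its normal schedule keeps its record alive. The dates and intervals in the usage lines are constructed.

```powershell
# Added example; not part of the original guide. Forecasts the scavenging timeline of a
# dynamically registered record from the aging settings described above. All inputs are
# constructed values; nothing here contacts a DNS server.

function Get-ScavengingForecast {
    [CmdletBinding()]
    param(
        # Time stamp the server wrote when the record was last refreshed.
        [Parameter(Mandatory)][datetime]$RecordTimestamp,
        # Zone settings: dnscmd ServerName /Config ZoneName /NoRefreshInterval and /RefreshInterval (hours).
        [ValidateRange(0, 8760)][int]$NoRefreshIntervalHours = 168,
        [ValidateRange(0, 8760)][int]$RefreshIntervalHours   = 168,
        # Server setting: dnscmd ServerName /Config /ScavengingInterval (hours).
        [ValidateRange(1, 8760)][int]$ScavengingIntervalHours = 168,
        # When the server will next run a scavenging pass.
        [Parameter(Mandatory)][datetime]$NextScavengeRun,
        # How often the client re-registers its own records (the Windows default is 24 hours).
        [ValidateRange(1, 8760)][int]$ClientRefreshHours = 24
    )

    # During the no-refresh interval the server ignores refreshes that do not change the record,
    # so the time stamp stays put. During the refresh interval a refresh rewrites the time stamp.
    $refreshWindowOpens = $RecordTimestamp.AddHours($NoRefreshIntervalHours)
    $eligibleAt         = $refreshWindowOpens.AddHours($RefreshIntervalHours)

    # Scavenging passes occur every ScavengingIntervalHours starting at NextScavengeRun; the
    # record is removed by the first pass that runs at or after it becomes eligible.
    $hoursUntilEligible = ($eligibleAt - $NextScavengeRun).TotalHours
    $passes             = [math]::Max(0, [math]::Ceiling($hoursUntilEligible / $ScavengingIntervalHours))
    $removedAt          = $NextScavengeRun.AddHours($passes * $ScavengingIntervalHours)

    # A live client that re-registers before the refresh window closes keeps its record. If the
    # client's refresh period is longer than NoRefresh + Refresh, records of active hosts are scavenged.
    $liveRecordsSafe = $ClientRefreshHours -le ($NoRefreshIntervalHours + $RefreshIntervalHours)

    [pscustomobject]@{
        RecordTimestamp     = $RecordTimestamp
        RefreshWindowOpens  = $refreshWindowOpens
        EligibleForRemoval  = $eligibleAt
        EarliestRemoval     = $removedAt
        WorstCaseStaleHours = [int]($removedAt - $eligibleAt).TotalHours
        LiveRecordsSafe     = $liveRecordsSafe
    }
}

# Constructed scenario: default 7-day intervals, scavenging every 7 days, next pass on 4 March.
Get-ScavengingForecast -RecordTimestamp (Get-Date '2013-03-01 08:00') `
                       -NextScavengeRun (Get-Date '2013-03-04 02:00') | Format-List

# Constructed misconfiguration: 1-hour aging intervals on the zone. A client that re-registers
# every 24 hours has its record scavenged while it is still online, so LiveRecordsSafe is false.
Get-ScavengingForecast -RecordTimestamp (Get-Date) -NextScavengeRun (Get-Date).AddHours(1) `
                       -NoRefreshIntervalHours 1 -RefreshIntervalHours 1 | Format-List
```

Run the first scenario before enabling scavenging on a production zone and compare EarliestRemoval with the longest outage or DHCP lease you expect a legitimate host to survive; if a host can legitimately be offline longer than NoRefresh + Refresh, lengthen the zone intervals rather than the server's scavenging interval, which only delays removal without protecting live records.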
Setting a DNS computer name or host name for each computer. For example, in the fully qualified domain name (FQDN) wkstn1.sales.wingtiptoys.com., the DNS
computer name is wkstn1.
Setting a primary DNS suffix for the computer, which is placed after the computer name or host name to form the FQDN. Using the previous example, the primary
DNS suffix is sales.wingtiptoys.com.
Setting a list of DNS servers for clients to use when resolving DNS names, such as a preferred DNS server, and any alternate DNS servers to use if the preferred
server is not available.
Setting the DNS suffix search list or search method to be used by the client when it performs DNS query searches for short, unqualified domain names.
These tasks are discussed in more detail in each of the following sections.
If you are supporting both network basic input/output system (NetBIOS) and DNS namespaces on your network, you can use a different computer name in each
namespace. However, it is recommended that, wherever possible, you try to use computer names that are 15 characters or less and that you follow the RFC 1123 naming
requirements described in the previous paragraph.
By default, the leftmost label in the FQDN for clients equals the NetBIOS computer name, unless this label is 16 or more characters, which exceeds the 15-character maximum
for NetBIOS names. When the computer name exceeds the maximum length for NetBIOS, the NetBIOS computer name is truncated to the first 15 characters of the full label that is specified.
Before you configure computers with varying DNS and NetBIOS names, consider the following issues and their implications for your deployment:
If Windows Internet Name Service (WINS) lookup is enabled for zones that are hosted by your DNS servers, you must use the same name for both NetBIOS and DNS
computer naming. Otherwise, the results of clients attempting to query and resolve the names of these computers will be inconsistent.
If you have an investment in using NetBIOS names to support legacy Microsoft networking technology, it is recommended that you revise NetBIOS computer names that
are used on your network to prepare for migration to a standard DNS-only environment. This prepares your network well for long-term growth and interoperability with
future naming requirements. For example, if you use the same computer name for both NetBIOS and DNS resolution, consider converting any special characters such as
the underscore (_) in your current NetBIOS names that do not comply with DNS naming standards. While these characters are permitted in NetBIOS names, they are more
often incompatible with traditional DNS host naming requirements and most existing DNS resolver client software.
Note
Although the use of the underscore (_) in DNS host names or in host address (A) resource records has traditionally been prohibited by DNS standards, the use of
underscores in service-related names such as those used for service locator SRV resource records has been proposed to avoid naming collisions in the Internet
DNS namespace.
In addition to DNS standard naming conventions, Windows Server 2003 DNS supports the use of extended American Standard Code for Information Interchange (ASCII)
and Unicode characters. However, because most resolver software that is written for other platforms (such as UNIX) is based on Internet DNS standards, this enhanced
character support can be used only in private networks with computers running Windows 2000 or Windows Server 2003 DNS.
The initial setup of DNS and TCP/IP displays a warning to suggest a standard DNS name if a nonstandard DNS name is entered.
By default, computers and servers use DNS to resolve any name that is greater than 15 characters in length. If the name is less than or equal to 15 characters, both
NetBIOS and DNS name resolution can be attempted and used to resolve the name.
The Net Logon service is an example of a service that shows the need for both NetBIOS and DNS names. In Windows Server 2003 DNS, the Net Logon service on a domain
controller registers its SRV resource records on a DNS server. For Windows NT Server 4.0 and earlier operating systems, domain controllers register a DomainName entry
in WINS to perform the same registration and to advertise their availability for providing authentication service to the network.
When a client computer is started on the network, it uses the DNS resolver to query a DNS server for SRV records for its configured domain name. This query is used to
locate domain controllers and provide logon authentication for accessing network resources. A client or a domain controller on the network optionally uses the NetBIOS
resolver service to query WINS servers, attempting to locate DomainName [1C] entries to complete the logon process.
Your DNS domain names should follow the same standards and recommended practices that apply to DNS computer naming described in the previous section. In general,
acceptable naming conventions for domain names include the use of letters A through Z, numerals 0 through 9, and the hyphen (-). The period (.) in a domain name is
always used to separate the discrete parts of a domain name, commonly known as labels. Each label corresponds to an additional level that is defined in the DNS
namespace tree.
For most computers, the primary DNS suffix that is configured for the computer can be the same as its Active Directory domain name, although the two values can also be
different.
Important
By default, the primary DNS suffix portion of a computer's FQDN must be the same as the name of the Active Directory domain where the computer is located. To allow
different primary DNS suffixes, a domain administrator may establish a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the
domain object container. This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory
Access Protocol (LDAP).
A primary DNS domain name, which applies as the default, fully qualified, DNS name for the computer and all its configured network connections.
A connection-specific, DNS domain name, which can be configured as an alternate DNS domain name that applies only for a single network adapter that is installed
and configured on the computer.
Although most computers do not need to support or use more than one name in DNS, support for configuring multiple, connection-specific DNS names is sometimes
useful. For example, by using multiple names, a user can specify which network connection to use when connecting to a multihomed computer.
To complete these tasks, perform the following procedure:
Configure DNS settings in Network Connections
Note
To open Network Connections, click Start, point to Control Panel, and then click Network Connections.
10.0.0.1 host-a host-a.example.microsoft.com host-b.example2.microsoft.com
Likewise, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines. For example, you can add
lines for the following multihomed or multiaddressable DNS host computer:
10.0.0.1 host-a.example.microsoft.com
10.0.0.2 host-a.example.microsoft.com
10.0.0.3 host-a.example.microsoft.com
When multiple names or IP addresses are used in the Hosts file, the DNS Client service must be running for all entries to be returned or used in answering queries. If the
DNS Client service is not running, only the first entry in the file is used to resolve the query.
To preload the DNS client resolver cache
1. At a command prompt, type the following command, and then press ENTER:
notepad %systemroot%\system32\drivers\etc\hosts
2. After the default entry in the file (the mapping of localhost to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate
lines to be preloaded into the resolver cache of the client. For example, you might add:
10.0.0.1 host-a host-a.example.microsoft.com
3. On the File menu, click Save, and then Exit.
4. As an option, you can verify that your changes have been loaded into the resolver cache by viewing its contents with ipconfig /displaydns.
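The Hosts file rules described above (one address followed by one or more names per line, several lines for a host with several addresses, anything after # is a comment) are simple enough to check mechanically. The following PowerShell function is an added example, not code from this guide: it parses Hosts file lines by those rules and reports, for each name, the addresses it maps to. Because the resolver consults the Hosts file before it queries DNS, the same function is a quick way to audit a machine for unexpected entries, which is a routine step when investigating a compromised host. The sample file content is constructed.

```powershell
# Added example; not part of the original guide. Parses Hosts file content using the rules
# described above and summarizes which names map to which addresses.

function ConvertFrom-HostsFile {
    [CmdletBinding()]
    param(
        # Lines of a Hosts file, for example Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
        [Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string[]]$Line
    )
    begin { $mappings = New-Object System.Collections.Generic.List[object] }
    process {
        foreach ($raw in $Line) {
            $text = ($raw -split '#', 2)[0].Trim()           # everything after # is a comment
            if (-not $text) { continue }
            $fields = $text -split '\s+'
            if ($fields.Count -lt 2) { continue }            # an address with no names maps nothing
            $address = $null
            if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$address)) {
                Write-Warning "Skipping line with invalid address: $raw"
                continue
            }
            # One address may be followed by several names on the same line.
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                $mappings.Add([pscustomobject]@{
                    Name    = $name.ToLowerInvariant()
                    Address = $address.IPAddressToString
                })
            }
        }
    }
    end {
        # The same name may appear on several lines (a multihomed host); group them per name.
        $mappings | Group-Object Name | ForEach-Object {
            $addrs = @($_.Group.Address | Select-Object -Unique)
            $allLoopback = $true
            foreach ($a in $addrs) {
                if (-not [System.Net.IPAddress]::IsLoopback([System.Net.IPAddress]::Parse($a))) { $allLoopback = $false }
            }
            [pscustomobject]@{
                Name         = $_.Name
                Addresses    = $addrs
                AddressCount = $addrs.Count
                # Names pinned to a non-loopback address deserve a second look during incident
                # response, since Hosts entries override DNS for every process on the machine.
                IsLoopback   = $allLoopback
            }
        }
    }
}

# Constructed sample content; the real file is $env:SystemRoot\System32\drivers\etc\hosts
$sampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.0.0.1        host-a host-a.example.microsoft.com host-b.example2.microsoft.com
10.0.0.2        host-a.example.microsoft.com   # second address of a multihomed host
10.0.0.3        host-a.example.microsoft.com
'@ -split "`r?`n"

$sampleHosts | ConvertFrom-HostsFile | Format-Table -AutoSize
```

For the constructed sample, host-a.example.microsoft.com is reported with three addresses, which is exactly the case the preceding paragraph describes: only a running DNS Client service returns all three, otherwise only the first line is used. To audit a live machine, replace the sample with Get-Content on the real file path and review every row whose IsLoopback value is false.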
You can use this task after you determine that you need to add or remove a DNS zone from your environment. For more information about planning DNS zones, see
Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirement:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Caution
Deleting an Active Directory-integrated zone effectively deletes the zone and eliminates its use at all other DNS servers that use the same directory store of zone data.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a DNS zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.)
/ZoneDelete
Required. Specifies the command to delete the zone that is specified by ZoneName.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone that you are deleting.
/DsDel
Deletes the zone from Active Directory Domain Services. Required to remove an Active Directory-integrated zone from the directory; without it,
the zone data stored in Active Directory is left in place.
/f
Performs the command without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the zone.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a new zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary MasterIPaddress...|/Stub MasterIPaddress...|/DsStub MasterIPaddress...} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address
of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneAdd
Required. Specifies the command to add the zone named by ZoneName to the server.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone. For a reverse lookup zone, this is the in-addr.arpa name, for example, 20.1.168.192.in-addr.arpa.
/Primary|/DsPrimary|/Secondary|/Stub|/DsStub
Required. Specifies the type of zone. To specify an Active Directory-integrated primary zone, type /DsPrimary. /Secondary, /Stub and /DsStub create a
secondary or stub zone and must be followed by the IP addresses of the master servers from which the zone data is copied.
/file
Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.
FileName
Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.
/load
Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter
does not apply to /DsPrimary.
/a
AdminEmail
Specifies the e-mail name of the zone administrator that is placed in the zone's start of authority (SOA) resource record.
/DP
Adds the zone to an application directory partition. You may also use one of the following:
/DP /domain for a domain directory partition (replicates to all DNS servers in the domain).
/DP /forest for a forest directory partition (replicates to all DNS servers in the forest).
/DP /legacy for a legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains
using legacy Windows 2000 Server domain controllers.
FQDN
The FQDN of the application directory partition in which to store the zone, for example, DomainDnsZones.corp.sales.wingtiptoys.com, when none
of the /domain, /forest or /legacy scopes is used.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start or pause a zone using the command line
1. Open a command prompt. To start a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResume ZoneName
2. To pause a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZonePause ZoneName
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneResume
Resumes a paused zone so that the server answers queries for it again. /ZonePause stops the server from answering queries for the zone while
leaving the zone loaded.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone to resume or pause.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start a zone transfer at a secondary server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneRefresh ZoneName
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.)
/ZoneRefresh
Forces the secondary zone to contact its master servers immediately, instead of waiting for the refresh interval in the SOA record to expire, and to
transfer the zone if a master holds a newer serial number.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the secondary zone to refresh.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change the zone type using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol
(IP) address of the DNS server. To specify the DNS server on the local computer, you can also
type a period (.)
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone whose type you are changing.
Property
Required. Specifies the new zone type: /Primary, /DsPrimary, /Secondary, /Stub or /DsStub.
MasterIPaddress...
Required for /Secondary, /Stub and /DsStub. Specifies one or more IP addresses for the master
servers of the secondary or stub zone, from which it copies zone data.
/file
Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the
/DsPrimary zone type.
FileName
Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the
/DsPrimary zone type.
/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN
/OverWrite_Mem overwrites existing DNS data using the data in Active Directory.
/OverWrite_Ds overwrites Active Directory data with data in DNS.
/DirectoryPartition stores the new zone in the application directory partition that is specified by
FQDN, such as DomainDnsZones.corp.sales.wingtiptoys.com.
Caution
If the zone file name is changed, be sure to update the zone file name on other DNS servers that maintain this zone. Otherwise, subsequent zone transfers and
updates might fail. This can occur in the following situations:
The zone type is primary on this server.
The zone type is secondary on this server, and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of
this zone.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change zone replication scope using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol
(IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneChangeDirectoryPartition
Required. Moves the zone to the application directory partition specified by NewPartitionName, which changes the set of DNS servers to which
the zone replicates.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NewPartitionName
Required. The FQDN of the DNS application directory partition where the zone will be stored.
To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd
Required. Specifies the command to add a resource record to the zone. Because a zone has exactly one SOA record, adding an SOA record replaces
the zone's existing SOA record.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in SOA resource record.
SOA
Required. Specifies the type of resource record that you are modifying.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
PrimSvr
Required. Specifies the FQDN name of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com..
Admin
Required. Specifies the mailbox of the DNS administrator for the zone in SOA notation, in which the first period stands for the @ sign, for example,
postmaster.nameserver.place.sales.wingtiptoys.com. (that is, postmaster@nameserver.place.sales.wingtiptoys.com).
Serial#
Required. Specifies the serial number of the zone. Increase it whenever you change the SOA record; secondary servers compare this number with
the serial of their own copy to decide whether to request a zone transfer.
Refresh
Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).
Retry
Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).
Expire
Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).
MinTTL
Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).
Note
To modify any specific SOA record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify DNS zone transfer settings using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr|/NonSecure|/SecureNs|/SecureList SecondaryIPAddress...}
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone whose zone transfer settings you are changing.
/NoXfr
Disables zone transfers for the zone.
/NonSecure
Permits zone transfers to any server that requests them. A zone transfer hands the complete contents of the zone, every host name and address
in it, to whoever can reach the server, so use this setting only where the zone data is already public.
/SecureNs
Permits zone transfers only to DNS servers that are listed in the zone using NS resource records.
/SecureList
Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.
SecondaryIPAddress
Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.
To specify DNS servers as authoritative for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Note
To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When you enter a name, click
Resolve to resolve the name to its IP address before adding it to the list.
To specify DNS servers as authoritative for a zone using the command line
1. At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|DomainName}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.)
/RecordAdd
Required. Specifies the command to add a resource record to the zone.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the NS record is added. You can also type the node
name relative to the ZoneName or @, which specifies the zone's root node.
/Aging
If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record
remains in the DNS database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the start-of-authority (SOA) resource
record).
NS
Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
HostName|DomainName
Required. Specifies the host name or FQDN of the new authoritative server.
To change the master server for a secondary zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable secondary zone, and then click Properties.
3. On the General tab, in IP address, specify the Internet Protocol (IP) address for a new master server, and then click Add to update the list.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To change the master server for a secondary zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)
/ZoneResetMasters
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone that you are updating.
/Local
Sets a local master list that applies only to this DNS server. Use it for Active Directory-integrated zones, whose master list is otherwise stored in
the directory and shared by every server that hosts the zone.
MasterIPaddress...
Required. Specifies the IP addresses of the master servers to be used by the DNS server when updating the specified secondary zone. Omitting
the list requests that the server reset the list to empty; for a secondary zone the request is denied, because a secondary zone must always have
at least one master server.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
Refresh interval. Used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.
Retry interval. Used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time that the refresh
interval occurs.
Expire interval. Used by other DNS servers that are configured to load and host the zone to determine when zone data expires if it is not renewed.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To adjust the refresh, retry, or expire interval for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-Integrated.
4. Click the Start of Authority (SOA) tab.
5. In Refresh interval, Retry interval, or Expires after, click a time period in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To adjust the refresh, retry, or expire interval for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the
local computer, you can also type a period (.)
/RecordAdd
Required. Specifies the command to add a resource record to the zone. Because a zone has exactly one SOA record, adding an SOA record replaces
the zone's existing SOA record.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.
SOA
Required. Specifies the type of resource record that you are modifying.
PrimSvr
Required. Specifies the FQDN name of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com..
Admin
Required. Specifies the mailbox of the DNS administrator for the zone in SOA notation, in which the first period stands for the @ sign, for example,
postmaster.nameserver.place.sales.wingtiptoys.com.
Serial#
Required. Specifies the serial number of the zone. Increase it whenever you change the SOA record so that secondary servers detect the change
and request a zone transfer.
Refresh
Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).
Retry
Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).
Expire
Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).
MinTTL
Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).
Note
To modify any specific SOA resource record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
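Both SOA procedures above (modifying the SOA record, and adjusting the refresh, retry or expire interval) share the same pitfall that the note spells out: dnscmd /RecordAdd ... SOA rewrites the whole record, so changing one interval means retyping the other six values, and forgetting to raise the serial means secondary servers never notice the change. The following PowerShell function is an added example, not code from this guide. It reads the current SOA with Resolve-DnsName (available on Windows 8 and Windows Server 2012 and later, an assumption that goes beyond the Windows Server 2003 scope of this guide), substitutes only the values you pass, increments the serial, and then runs the dnscmd command from the table above. It supports -WhatIf so that the exact command is shown before anything is changed; the server and zone names in the usage line are placeholders.

```powershell
# Added example; not part of the original guide. Changes one or more SOA intervals without
# retyping the rest of the record, preserving PrimSvr and Admin and incrementing the serial.
# Assumes Resolve-DnsName (Windows 8 / Windows Server 2012 or later) and dnscmd on the path.

function Set-ZoneSoaInterval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$ZoneName,
        # All four are in seconds, like the dnscmd parameters of the same name.
        [ValidateRange(1, 2147483647)][int]$Refresh,
        [ValidateRange(1, 2147483647)][int]$Retry,
        [ValidateRange(1, 2147483647)][int]$Expire,
        [ValidateRange(0, 2147483647)][int]$MinTTL
    )

    # Read the current SOA straight from the server, bypassing the local cache and Hosts file.
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $ServerName -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    if (-not $soa) { throw "Server $ServerName returned no SOA record for zone $ZoneName." }

    # Keep every value the caller did not override; dnscmd requires all seven.
    $newRefresh = if ($PSBoundParameters.ContainsKey('Refresh')) { $Refresh } else { $soa.TimeToZoneRefresh }
    $newRetry   = if ($PSBoundParameters.ContainsKey('Retry'))   { $Retry }   else { $soa.TimeToZoneFailureRetry }
    $newExpire  = if ($PSBoundParameters.ContainsKey('Expire'))  { $Expire }  else { $soa.TimeToExpiration }
    $newMinTtl  = if ($PSBoundParameters.ContainsKey('MinTTL'))  { $MinTTL }  else { $soa.DefaultTTL }

    # Sanity checks that follow from the interval semantics described above: retry should be
    # shorter than refresh, and expire must exceed refresh or secondaries expire between checks.
    if ($newRetry -ge $newRefresh)  { throw "Retry ($newRetry s) must be shorter than Refresh ($newRefresh s)." }
    if ($newExpire -le $newRefresh) { throw "Expire ($newExpire s) must be longer than Refresh ($newRefresh s)." }

    # Secondaries transfer only when the serial increases; wrap at 2^32 - 1 as RFC 1982 requires.
    $serial = if ([uint32]$soa.SerialNumber -eq [uint32]::MaxValue) { 1 } else { [uint32]$soa.SerialNumber + 1 }

    $dnscmdArgs = @($ServerName, '/RecordAdd', $ZoneName, '@', 'SOA',
                    $soa.PrimaryServer, $soa.NameAdministrator, $serial,
                    $newRefresh, $newRetry, $newExpire, $newMinTtl)

    if ($PSCmdlet.ShouldProcess("zone $ZoneName on $ServerName", "dnscmd $($dnscmdArgs -join ' ')")) {
        $output = & dnscmd @dnscmdArgs 2>&1
        if ($LASTEXITCODE -ne 0) { throw "dnscmd failed (exit code $LASTEXITCODE): $($output -join ' ')" }
        $output
    }
}

# Usage (placeholder names): shorten the refresh interval to 15 minutes, previewing the command first.
Set-ZoneSoaInterval -ServerName dns1.sales.wingtiptoys.com -ZoneName sales.wingtiptoys.com -Refresh 900 -WhatIf
```

Run it once with -WhatIf, check that the PrimSvr and Admin values echoed in the command match what you expect for the zone, and then run it again without -WhatIf. Afterwards, dnscmd ServerName /ZoneRefresh ZoneName on a secondary confirms that the incremented serial is picked up.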
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of
the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
ZoneName|..AllZones
Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS
server to allow dynamic updates, type ..AllZones.
1|0
Configures dynamic update. To allow dynamic updates, type a value of 1. To not allow dynamic updates, type a value of 0.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable secure dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)
ZoneName|..AllZones
Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS
server to allow dynamic updates, type ..AllZones.
2
Required. Configures the zone to accept only secure dynamic updates, which come from authenticated clients and are subject to the access
control list on each record. Secure dynamic update is available only for Active Directory-integrated zones. A value of 1 allows any client to update
any record (nonsecure and secure), and a value of 0 turns dynamic update off.
Delegating a Zone
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS
servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
You want to delegate management of part of your DNS namespace to another location or department in your organization.
You want to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improving DNS name resolution performance, or creating
a more fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.
If, for any of these reasons, your network can benefit from delegating zones, it may make sense to restructure your namespace by adding additional zones. When choosing
how to structure zones, use a plan that reflects the structure of your organization.
When you delegate zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the
authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers
that are being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file that contains all resource record information on a single DNS server. This server acts as the primary
master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.
When you structure your zones, there are several good reasons to use additional DNS servers for zone replication:
Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network
(WAN) link can be useful in managing and reducing network traffic.
Additional secondary servers can be used to reduce loads on a primary server for a zone.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
Install Nslookup.
See Also
Other Resources
Deploying Domain Name System (DNS)
2014 Microsoft. All rights reserved.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To create a new zone delegation using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the start-of-authority (SOA) record is added. You can also type
the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging
If this parameter is used, this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in
the DNS database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record).
NS
Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
HostName|FQDN
Required. Specifies the host name or FQDN of the new authoritative server.
Value
Description
RootServerIpAddress
set norecursion
set q=NS
Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the Domain Name System (DNS) server that hosts both the
parent zone and the stub zone maintains a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion by using the stub zone's list of name servers, without needing to query the
Internet or the internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without
using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not a valid alternative to secondary zones with
regard to redundancy and load sharing.
When a DNS server loads a stub zone, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for
the zone. The list of master servers may contain a single server or multiple servers, and the list can be changed anytime.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To reload or transfer stub zones using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address
of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneReload
/ZoneUpdateFromDs
/ZoneRefresh
Refreshes the stub zone. The DNS server determines if the serial number in the stub zone's SOA resource record has expired. If the
serial number has expired, the DNS server performs a zone transfer from the stub zone's master server.
ZoneName
Required. Specifies the name of the stub zone that you want to reload or refresh.
Note
There is no dnscmd command to perform a zone transfer regardless of the SOA resource record's expiration date. To perform this operation, use the Windows
interface procedure.
To configure a stub zone to use local master servers using the Windows interface
1. Open DNS.
2. In the console tree, right-click the stub zone, and then click Properties.
3. On the General tab, under IP address, modify the list to display the Internet Protocol (IP) addresses of the local master servers that you want the DNS server to use
when loading and updating the stub zone.
Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone
on this server.
4. Select the Use the list above as a local list of masters check box, and then click OK.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To configure a stub zone to use local master servers using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on
the local computer, you can also type a period (.).
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Local
MasterIPaddress...
List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers
hosting other secondary copies for the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure
that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of
the stub zone on this server.
How the caching Time to Live (TTL) and lookup time-out values are configured for use with the WINS and WINS-R records
The format of the WINS and WINS-R resource records as they are used in zone files that are created by the DNS Server service
The Cache timeout value, which indicates to a DNS server how long it should cache any of the information that is returned in a WINS lookup. By default, this value is
set to 15 minutes.
The Lookup timeout value, which specifies how long to wait before timing out and expiring a WINS lookup that is performed by the DNS Server service. By default,
this value is set to two seconds.
You can configure these parameters by using the Advanced button in the zone properties dialog box when you configure the zone. This button appears on either the
WINS or WINS-R tab, depending on whether the zone that you are configuring is being used for forward lookup or reverse lookup.
If you are using either the WINS or WINS-R resource record, be aware that the minimum TTL that is set in the start-of-authority (SOA) record for the zone is not the default
TTL that is used with these records. Instead, when either an IP address or a host name is resolved with WINS lookup, the information is cached on the DNS server for the
amount of time that is configured for the WINS cache time-out value. If this address is then ever forwarded to another DNS server, the WINS cache time-out value TTL is
what is sent. If your WINS data rarely changes, you can increase the default TTL of 15 minutes.
Notes
If you have a zone that is configured for WINS lookup, all DNS servers that are authoritative for that zone need to be capable of WINS lookup or you will have
intermittent behavior.
Because you can specify that the WINS and WINS-R resource records not be replicated to other DNS servers, you can selectively enable and configure WINS lookup
at each of your secondary servers for zones where this feature is used. This is not a standard practice for other types of resource records, which are only to be
configured at the primary server for the zone.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Value
Description
set debug
Enables the nslookup command to operate in debug mode, providing extended information in the command output.
This mode is required to view query response information about whether the source for a query answer is:
Authoritative (from a DNS zone or a WINS server database)
Nonauthoritative (cached data from previous queries made by the DNS server or loaded from root hints)
set querytype
Changes the type of information query. More information about types can be found in Request for Comments (RFC) 1035.
Host address (A). Maps a Domain Name System (DNS) domain name to an Internet Protocol (IP) address that is used by a computer.
Alias canonical (CNAME). Maps an alias DNS domain name to another primary name or canonical name.
Mail Exchanger (MX). Maps a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR). Maps a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
Service (SRV). Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
Other resource records, as needed.
You can create an A resource record for a static TCP/IP client computer manually by using the DNS snap-in.
Windows clients and servers use the DHCP Client service to dynamically register and update their own A resource records in DNS when an IP configuration change
occurs.
Dynamic Host Configuration Protocol (DHCP)-enabled client computers running earlier versions of Microsoft operating systems can have their A resource records
registered and updated by proxy if they obtain their IP lease from a qualified DHCP server. (Only the Windows 2000 and Windows Server 2003 DHCP Server service
currently supports this feature.)
The host A resource record is not required for all computers, but it is required by computers that share resources on a network. Any computer that shares resources and
needs to be identified by its DNS domain name must use A resource records to provide DNS name resolution to the IP address for the computer.
Most A resource records that are required in a zone can include other workstations or servers that share resources, other DNS servers, mail servers, and Web servers.
These resource records make up the majority of resource records in a zone database.
When a host that is specified in an A resource record in the same zone needs to be renamed
When a generic name for a well-known server, such as www, must resolve to a group of individual computers (each with individual A resource records) that provide
the same service, for example, a group of redundant Web servers
When you rename a computer with an existing A resource record in the zone, you can use a CNAME resource record temporarily to allow a grace period for users and
programs to switch from specifying the old computer name to using the new one. To do this, you need the following:
For the new DNS domain name of the computer, a new A resource record is added to the zone.
For the old DNS domain name, a CNAME resource record is added that points to the new A resource record.
The original A resource record for the old DNS domain name (and its associated PTR resource record, if applicable) is removed from the zone.
When you use a CNAME resource record for aliasing or renaming a computer, set a temporary limit on how long the record is used in the zone before it is removed from
DNS. If you forget to delete the CNAME resource record and later its associated A resource record is deleted, the CNAME resource record can waste server resources by
trying to resolve queries for a name that is no longer used on the network.
The most common or popular use of a CNAME resource record is to provide a permanent, DNS-aliased domain name for generic name resolution of a service-based
name, such as www.sales.wingtiptoys.com, to more than one computer or one IP address that is used in a Web server. For example, the following shows the basic syntax of
how a CNAME resource record is used:
alias_name IN CNAME primary_canonical_name
In this example, a computer named host-a.sales.wingtiptoys.com must function as both a Web server named www.sales.wingtiptoys.com and an FTP server named
ftp.sales.wingtiptoys.com. To achieve the intended use for naming this computer, you can add and use the following CNAME entries in the sales.wingtiptoys.com zone:
host-a  IN  A      10.0.0.20
ftp     IN  CNAME  host-a
www     IN  CNAME  host-a
If you later decide to move the FTP server to another computer, separate from the Web server on host-a, simply change the CNAME resource record in the zone for
ftp.sales.wingtiptoys.com and add an additional A resource record to the zone for the new computer hosting the FTP server.
Based on the earlier example, if the new computer is named host-b.sales.wingtiptoys.com, the new and revised A and CNAME resource records are as follows:
host-a  IN  A      10.0.0.20
host-b  IN  A      10.0.0.21
ftp     IN  CNAME  host-b
www     IN  CNAME  host-a
MX Resource Records
The MX resource record is used by e-mail applications to locate a mail server based on a DNS domain name that is used in the destination address for the e-mail
recipient of a message. For example, a DNS query for the name sales.wingtiptoys.com can be used to find an MX resource record, which enables an e-mail application to
forward or exchange mail to a user with the e-mail address user@wingtiptoys.com.
The MX resource record shows the DNS domain name for the computer or computers that process e-mail for a domain. If multiple MX resource records exist, the DNS
Client service attempts to contact e-mail servers in the order of preference from lowest value (highest priority) to highest value (lowest priority). The following shows the
basic syntax for use of an MX resource record:
mail_domain_name IN MX preference mailserver_host
By using the MX resource records shown below in the sales.wingtiptoys.com zone, e-mail that is addressed to user@sales.wingtiptoys.com is delivered to
user@mailserver0.sales.wingtiptoys.com first, if possible. If this server is unavailable, the resolver client can then use user@mailserver1.sales.wingtiptoys.com instead.
@  IN  MX  1  mailserver0
@  IN  MX  2  mailserver1
Note that the use of the "at" symbol (@) in the records indicates that the mailer DNS domain name is the same as the name of origin (sales.wingtiptoys.com) for the zone.
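As an added example (not code from the guide), the following Python parses zone-file records in the form shown above, follows CNAME aliases to their A records, flags a stale alias whose target record has already been deleted (the cleanup problem the CNAME section warns about), and orders the MX hosts for the zone origin by preference. The sample zone below is constructed: the old-web and retired-host names and the mail server addresses 10.0.0.30 and 10.0.0.31 are assumptions that do not appear in the guide.

```python
"""Added example, not part of the Microsoft DNS Operations Guide: a small
parser for 'owner IN TYPE rdata' zone-file lines, used to resolve CNAME
aliases, detect dangling aliases, and order MX records by preference."""
from collections import defaultdict

# Constructed sample zone for sales.wingtiptoys.com after the FTP service
# moved to host-b. The alias "old-web" points at "retired-host", whose A
# record was already deleted: the stale-CNAME case the guide describes.
# (old-web, retired-host and the mail server addresses are assumptions.)
SAMPLE_ZONE = """\
host-a      IN A     10.0.0.20
host-b      IN A     10.0.0.21
ftp         IN CNAME host-b
www         IN CNAME host-a
old-web     IN CNAME retired-host
@           IN MX 2  mailserver1
@           IN MX 1  mailserver0
mailserver0 IN A     10.0.0.30
mailserver1 IN A     10.0.0.31
"""


def parse_zone(text):
    """Parse zone lines into {owner: [(rtype, [rdata fields])]}.

    Only the 'owner IN TYPE rdata...' form used in the guide is accepted;
    ';' comments and blank lines are ignored.
    """
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, rtype, rdata = fields[0], fields[2].upper(), fields[3:]
        records[owner].append((rtype, rdata))
    return records


def resolve(records, name, max_depth=8):
    """Follow CNAMEs from name until an A record is found.

    Returns (chain, addresses). addresses is [] when the chain dangles,
    i.e. ends at a name with neither A nor CNAME data in this zone.
    A chain longer than max_depth (a loop) raises ValueError.
    """
    chain = [name]
    for _ in range(max_depth):
        rrs = records.get(name, [])
        addrs = [rd[0] for rt, rd in rrs if rt == "A"]
        if addrs:
            return chain, addrs
        cnames = [rd[0] for rt, rd in rrs if rt == "CNAME"]
        if not cnames:
            return chain, []
        name = cnames[0]
        chain.append(name)
    raise ValueError(f"CNAME chain too long or looping from {chain[0]!r}")


def dangling_cnames(records):
    """Aliases whose target no longer resolves to an A record in this zone."""
    return sorted(
        owner for owner, rrs in records.items()
        if any(rt == "CNAME" for rt, _ in rrs) and not resolve(records, owner)[1]
    )


def mail_exchangers(records, owner="@"):
    """MX hosts for owner, lowest preference value (highest priority) first."""
    mx = [(int(rd[0]), rd[1]) for rt, rd in records.get(owner, []) if rt == "MX"]
    return [host for _, host in sorted(mx)]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for alias in ("www", "ftp", "old-web"):
        chain, addrs = resolve(zone, alias)
        print(" -> ".join(chain), addrs or "DANGLING")
    print("stale aliases:", dangling_cnames(zone))
    print("mail delivery order:", mail_exchangers(zone))
```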
You can create a PTR resource record for a static TCP/IP client computer manually by using DNS, either as a separate procedure or as part of the procedure for
creating an A resource record.
Computers use the DHCP Client service to dynamically register and update their PTR resource record in DNS when an IP configuration change occurs.
All other DHCP-enabled client computers can have their PTR resource records registered and updated by the DHCP server if they obtain their IP lease from a
qualified server. The Windows 2000 and Windows Server 2003 DHCP Server service provides this capability.
The PTR resource record is used only in reverse lookup zones to support reverse lookup.
1. The computer that operates your DNS server is running on another platform, such as UNIX, and it cannot accept or recognize dynamic updates.
2. A DNS server at this computer that does not use the DNS Server service that is provided with Windows Server 2003 is authoritative for the primary zone that
corresponds to the DNS domain name for your Active Directory domain.
3. The DNS server supports the SRV resource record, as defined in the Internet draft "A DNS RR specifying the location of services (DNS SRV)," but the DNS server
does not support dynamic updates.
For example, the DNS Server service that is provided with Windows NT Server 4.0, when it is updated to Service Pack 4 or later, fits this description.
In the future, the SRV resource record might also be used to register and look up other well-known TCP/IP services on your network if applications implement and support
DNS name queries that specify this record type.
Install Dnscmd.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an A resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the
local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.
A
Required. Specifies the resource record type of the record that you are adding.
IPAddress
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an MX resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] MX Preference MXServerName
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
Ttl
Specifies the Time to Live (TTL) setting for the resource record.
MX
Required. Specifies the MX resource record type for the record that you are adding.
Preference
Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail
exchange servers. Lower numbers are given greater preference.
MXServerName
Required. Specifies the FQDN for a mail exchanger. The value entered here must resolve to a corresponding host A resource record in this
zone.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a CNAME resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME HostName|DomainName
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the name of the zone where this CNAME resource record will be added.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @,
which specifies the zone's root node.
/Aging
Specifies that this resource record is aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource
record.
CNAME
Required. Specifies the resource record type of the record that you are adding.
HostName|DomainName
Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully
qualify the name.
To add a PTR resource record to a reverse zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable reverse lookup zone.
3. On the Action menu, click New Pointer (PTR).
4. In the Host IP number text box, type the host Internet Protocol (IP) address octet number.
5. In Host name, type the fully qualified domain name (FQDN) for the DNS host computer for which this pointer record is to be used to provide reverse lookup
(address-to-name resolution).
As an option, you can click Browse to search the Domain Name System (DNS) namespace for hosts in this domain that have host address (A) records already
defined.
6. Click OK to add the new record to the zone.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a PTR resource record to a reverse zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR HostName|DomainName
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the FQDN of the zone where this new PTR resource record will be added.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @,
which specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the
DNS database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record.
PTR
Required. Specifies the resource record type for the record that you are adding.
HostName|DomainName
Required. Specifies the FQDN of a resource record that is located in the DNS namespace. The host that you specify is used as the data
for answering reverse lookups based on the address information that is specified by this PTR resource record.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record.
RRType RRData
Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. The RRData
fields for each RRType are as follows:
A                                   IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR  HostName|DomainName
MX, RT, AFSDB                       Preference ServerName
SRV                                 Priority Weight Port HostName
SOA
AAAA                                Ipv6Address
TXT, X25, HINFO, ISDN               String [String]
MINFO, RP                           MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
RRType RRData
Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. The RRData
fields for each RRType are as follows:
A                                   IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR  HostName|DomainName
MX, RT, AFSDB                       Preference ServerName
SRV
SOA
AAAA                                Ipv6Address
TXT, X25, HINFO, ISDN               String [String]
MINFO, RP                           MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordDelete
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies
the zone's root node.
RRType RRData
Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. The RRData
fields for each RRType are as follows:
A                                   IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR  HostName|DomainName
MX, RT, AFSDB                       Preference ServerName
SRV
SOA
AAAA                                Ipv6Address
TXT, X25, HINFO, ISDN               String [String]
MINFO, RP                           MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
/f
Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion
of the resource record.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
To disable NS resource record registration using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
/DisableNSRecordsAutoCreation
Determines the local DNS server configuration for registering NS resource records for authoritative zones.
0x1
Specifies that the DNS server that is specified in ServerName should not add NS resource records for authoritative zones.
To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.
Value    Description
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
/AllowNSRecordsAutoCreation
    Required. Specifies that domain controllers that are entered for Value add their names to NS resource records for the zone that is specified in ZoneName. NS resource records that were previously registered for this zone are not affected. Therefore, you must remove them manually if you do not want them.
IpAddresses...
    Required. Specifies the IP addresses of the domain controllers that add their names in NS resource records for the zone that is specified in ZoneName. Type a space-separated list of the IP addresses of the DNS servers, for example, 10.0.0.0 172.16.0.0 192.168.0.0.
If any domain controllers in the specified zone are not listed for IpAddresses..., their names are deleted from the NS resource records for the zone that is specified in
ZoneName.
To specify that all domain controllers are allowed to add their names to NS resource records for the zone or to clear the list of allowed DNS server IP addresses, type the
command and omit IpAddresses...:
dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation
Regardless of the settings that are specified in this command, query responses that are sent to DNS clients from authoritative DNS servers and selected domain controllers
will indicate that the responses are from authoritative DNS servers.
2014 Microsoft. All rights reserved.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restrict the DNS resource records that are updated by Net Logon
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Add the following multistring value (REG_MULTI_SZ) value:
DnsAvoidRegisterRecords
4. In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service.
The following table contains the list of data.
Data               Type    Value
LdapIpAddress      A       DnsDomainName
Ldap               SRV     _ldap._tcp.DnsDomainName
LdapAtSite         SRV     _ldap._tcp.SiteName._sites.DnsDomainName
Pdc                SRV     _ldap._tcp.pdc._msdcs.DnsDomainName
Gc                 SRV     _ldap._tcp.gc._msdcs.DnsForestName
GcAtSite           SRV     _ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
DcByGuid           SRV     _ldap._tcp.DomainGuid.domains._msdcs.DnsForestName
GcIpAddress        A       _gc._msdcs.DnsForestName
DsaCname           CNAME   DsaGuid._msdcs.DnsForestName
Kdc                SRV     _kerberos._tcp.dc._msdcs.DnsDomainName
KdcAtSite          SRV     _kerberos._tcp.dc._msdcs.SiteName._sites.DnsDomainName
Dc                 SRV     _ldap._tcp.dc._msdcs.DnsDomainName
DcAtSite           SRV     _ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
Rfc1510Kdc         SRV     _kerberos._tcp.DnsDomainName
Rfc1510KdcAtSite   SRV     _kerberos._tcp.SiteName._sites.DnsDomainName
GenericGc          SRV     _gc._tcp.DnsForestName
GenericGcAtSite    SRV     _gc._tcp.SiteName._sites.DnsForestName
Rfc1510UdpKdc      SRV     _kerberos._udp.DnsDomainName
Rfc1510Kpwd        SRV     _kpasswd._tcp.DnsDomainName
Rfc1510UdpKpwd     SRV     _kpasswd._udp.DnsDomainName
Notes
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
Restart of the Net Logon service is not required to make the changes to this value effective. If the DnsAvoidRegisterRecords registry key is created or modified
while the Net Logon service is stopped or within the first 15 minutes after it is started, appropriate DNS updates may take place with a short delay. However, the
delay is no later than 15 minutes after the Net Logon service starts.
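To see exactly which records a given DnsAvoidRegisterRecords value stops a domain controller from registering, the following added Python helper (not part of the Microsoft guide) expands the mnemonics from the table above into the DNS owner names Net Logon would otherwise register. The domain, forest, site and GUID values, and the parse function accepting either newline-separated entries or a literal \0 separator, are constructed assumptions for the example.

```python
"""Expand Net Logon DnsAvoidRegisterRecords mnemonics into DNS owner names.
Added example, not from the Microsoft DNS Operations Guide. The templates mirror
the table in the procedure above; the sample environment is constructed."""

# Mnemonic -> (record type, owner-name template), as listed in the guide's table.
NETLOGON_RECORDS = {
    "LdapIpAddress":    ("A",     "{DnsDomainName}"),
    "Ldap":             ("SRV",   "_ldap._tcp.{DnsDomainName}"),
    "LdapAtSite":       ("SRV",   "_ldap._tcp.{SiteName}._sites.{DnsDomainName}"),
    "Pdc":              ("SRV",   "_ldap._tcp.pdc._msdcs.{DnsDomainName}"),
    "Gc":               ("SRV",   "_ldap._tcp.gc._msdcs.{DnsForestName}"),
    "GcAtSite":         ("SRV",   "_ldap._tcp.{SiteName}._sites.gc._msdcs.{DnsForestName}"),
    "DcByGuid":         ("SRV",   "_ldap._tcp.{DomainGuid}.domains._msdcs.{DnsForestName}"),
    "GcIpAddress":      ("A",     "_gc._msdcs.{DnsForestName}"),
    "DsaCname":         ("CNAME", "{DsaGuid}._msdcs.{DnsForestName}"),
    "Kdc":              ("SRV",   "_kerberos._tcp.dc._msdcs.{DnsDomainName}"),
    "KdcAtSite":        ("SRV",   "_kerberos._tcp.dc._msdcs.{SiteName}._sites.{DnsDomainName}"),
    "Dc":               ("SRV",   "_ldap._tcp.dc._msdcs.{DnsDomainName}"),
    "DcAtSite":         ("SRV",   "_ldap._tcp.{SiteName}._sites.dc._msdcs.{DnsDomainName}"),
    "Rfc1510Kdc":       ("SRV",   "_kerberos._tcp.{DnsDomainName}"),
    "Rfc1510KdcAtSite": ("SRV",   "_kerberos._tcp.{SiteName}._sites.{DnsDomainName}"),
    "GenericGc":        ("SRV",   "_gc._tcp.{DnsForestName}"),
    "GenericGcAtSite":  ("SRV",   "_gc._tcp.{SiteName}._sites.{DnsForestName}"),
    "Rfc1510UdpKdc":    ("SRV",   "_kerberos._udp.{DnsDomainName}"),
    "Rfc1510Kpwd":      ("SRV",   "_kpasswd._tcp.{DnsDomainName}"),
    "Rfc1510UdpKpwd":   ("SRV",   "_kpasswd._udp.{DnsDomainName}"),
}

# Constructed placeholder environment; not a real deployment.
SAMPLE_ENV = {
    "DnsDomainName": "corp.example.com",
    "DnsForestName": "example.com",
    "SiteName": "Seattle",
    "DomainGuid": "11111111-2222-3333-4444-555555555555",
    "DsaGuid": "66666666-7777-8888-9999-aaaaaaaaaaaa",
}


def parse_avoid_list(text):
    """Parse the multistring value. Entries may be separated by newlines (as typed
    into Registry Editor) or by a literal \\0 marker. Matching is exact; a typo in a
    mnemonic would silently register the record, so unknown names are rejected."""
    entries = [e.strip() for e in text.replace("\\0", "\n").splitlines()]
    entries = [e for e in entries if e]
    unknown = [e for e in entries if e not in NETLOGON_RECORDS]
    if unknown:
        raise ValueError("unknown DnsAvoidRegisterRecords mnemonic(s): %s" % unknown)
    return entries


def expand(mnemonics, env):
    """Return [(mnemonic, record type, owner name)] for the given mnemonics."""
    out = []
    for m in mnemonics:
        rtype, template = NETLOGON_RECORDS[m]
        out.append((m, rtype, template.format(**env)))
    return out


def registration_plan(avoid_text, env):
    """Split Net Logon's record set into (still registered, suppressed) lists,
    both in the table's order, for the given DnsAvoidRegisterRecords contents."""
    avoid = set(parse_avoid_list(avoid_text))
    order = list(NETLOGON_RECORDS)
    suppressed = expand([m for m in order if m in avoid], env)
    registered = expand([m for m in order if m not in avoid], env)
    return registered, suppressed


if __name__ == "__main__":
    # A common use: keep a branch-office DC from advertising itself as a global catalog.
    _, suppressed = registration_plan(
        "Gc\nGcAtSite\nGenericGc\nGenericGcAtSite\nGcIpAddress", SAMPLE_ENV)
    for mnemonic, rtype, name in suppressed:
        print("%-16s %-6s %s" % (mnemonic, rtype, name))
```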
This DNS Administering guide provides detailed procedures for managing DNS servers, clients, and resource records. It also provides procedures for monitoring,
optimizing, and securing your DNS infrastructure. For most procedures, this guide provides both a user interface (UI) and a command-line method of performing each
procedure. In addition, this guide provides sample scripts for the most frequently used, repetitive tasks.
This guide assumes a basic understanding of what DNS is, how it works, and why your organization uses it for name resolution. You should also have a thorough
understanding of how DNS is deployed and managed in your organization. This includes an understanding of the mechanism that your organization uses to configure and
manage DNS settings.
This guide can be used by organizations that have deployed Windows Server 2003 Service Pack 1 (SP1). It includes information that is relevant to different roles within an IT
organization, including IT operations management and administrators. This guide contains high-level information that is required to plan a DNS operations environment,
along with management-level knowledge of the DNS and IT processes that are required to operate it.
In addition, this guide contains more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures
provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and snap-ins and know how to start
administrative programs and access the command line. If operators are not familiar with DNS, it might be necessary for IT planners or managers to review the relevant
operations in this guide and provide the operators with parameters or data that must be entered when the operations are performed.
Objectives are high-level goals for managing, monitoring, optimizing, and securing DNS. Each objective consists of one or more high-level tasks that describe how
the objective is accomplished. In this guide, Managing Domain Name System Servers is an example of an objective.
Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective. In this guide, Modifying an Existing DNS Server is
an example of a task.
Procedures provide step-by-step instructions for completing tasks. In this guide, Change the name-checking method of a DNS server is an example of a procedure.
If you are an IT manager who will be delegating tasks to operators in your organization, you will want to:
Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures
for each task.
Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.
When necessary, create tear sheets for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate
document and then either print these documents or store them online, depending on the preference of your organization.
Managing DNS
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide describes processes and procedures for improving the management of Windows Server 2003 Domain Name System (DNS) in your network infrastructure.
Ensuring that DNS is functioning properly helps increase system availability for your users.
The following tasks for managing DNS are described in this objective:
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the Windows Components Wizard, click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}
Value    Description
dnscmd
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config
{ZoneName|..AllZones}
    Specifies the name of the zone to be configured. To apply the configuration for all zones that are hosted by the specified DNS server, type ..AllZones.
Property
    Specifies the server property or zone property to be configured. There are different properties available for servers and zones. For a list of the available properties, at a command prompt type: dnscmd /Config /help.
{1|0}
    Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone properties must be reset as part of a more complex operation.
Note
To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command Prompt.
Value    Description
ServerName
    Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
    Specifies the fully qualified domain name (FQDN) of the secondary zone that you are adding. The zone name must be the same as the name of the primary zone from which the secondary zone is created.
MasterIPaddress
    Specifies one or more IP addresses for the secondary zone master servers, from which it copies zone data.
FileName
    Specifies the name of the file to use for creating the secondary zone.
In the following example, zone transfers are first allowed from the primary DNS server primarydns.contoso.com at 10.0.0.2 to the secondary server
secondarydns.contoso.com at 11.0.0.2. Next, the secondary DNS server is added to the zone secondtest.contoso.com.
Dnscmd primarydns.contoso.com /zoneresetsecondaries secondtest.contoso.com /securelist 11.0.0.2
Dnscmd secondarydns.contoso.com /zoneadd secondtest.contoso.com /secondary 10.0.0.2
For more information about using dnscmd, see Dnscmd Syntax.
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the DNS management console, click Start, point to Administrative Tools, and then click DNS.
Note
If you want to resume the service after you pause or stop it, on the Action menu, point to All Tasks, and then click Resume to immediately resume the service.
To manually update DNS server data files using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Update Server Data Files.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To manually update DNS server data files using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneUpdateFromDs ZoneName
Value    Description
ServerName
    Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
    Specifies the name of the zone whose data is to be updated.
To clear the DNS server names cache using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server.
3. On the Action menu, click Clear Cache.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To clear the DNS server names cache using the command line
At a command prompt, type the following, and then press ENTER:
dnscmd ServerName /clearcache
Value    Description
ServerName
    Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Strict RFC (ANSI): This method strictly enforces Request for Comments (RFC) compliant naming rules for all Domain Name System (DNS) names that the server processes. Names that are not RFC compliant are treated as errors by the DNS server.
Non RFC (ANSI): This method allows names that are not RFC compliant, such as names that use American Standard Code for Information Interchange (ASCII) characters but are not compliant with RFC host naming requirements, to be used with the DNS server.
Multibyte (UTF8): This method allows names that use the Unicode 8-bit translation encoding scheme, which is a proposed RFC draft, to be used with the DNS server.
By default, the DNS server uses the Multibyte (UTF8) method to check names.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change the name-checking method of a DNS server
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Name checking list, click Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.
All names enables all three name-checking methods.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Property                       Setting
Disable recursion              Off
BIND secondaries               On
(property name not extracted)  Off
(property name not extracted)  On
(property name not extracted)  On
(property name not extracted)  On
Name checking                  Multibyte (UTF8)
(property name not extracted)  Off
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restore DNS server default preferences
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Keep forwarder configuration uncomplicated. For every DNS server that is configured with a forwarder, queries can be sent to a number of different places. Each forwarder and each conditional forwarder must be administered for the benefit of DNS client queries, and this process can be time consuming. Use forwarders strategically where they are needed the most, for example, for resolving offsite queries or for sharing information between namespaces.
Avoid chaining your forwarders. If you have configured a DNS server named server1 to forward queries for wingtiptoys.corp.com to DNS server server2, do not
configure server2 to forward queries for wingtiptoys.corp.com to DNS server server3. This is an inefficient resolution process, and it can result in errors if server3 is
accidentally configured to forward queries for wingtiptoys.corp.com to server1.
Do not concentrate too great a load on forwarders. The recursive queries that forwarders send to the Internet can require a significant amount of time to answer
because of the nature of the Internet. When large numbers of internal DNS servers use these forwarders for Internet queries, the server can experience a substantial
concentration of network traffic. If network load is an issue, use more than one forwarder and distribute the load between them.
Do not create inefficient resolution by using forwarders. The DNS server attempts to forward domain names according to the order in which the domain names
are configured in the DNS console. For example, a DNS server in Seattle may be incorrectly configured to forward a query to a server in London, instead of another
server in Seattle, because the server in London is higher up in the forwarders list. This decreases the efficiency of name resolution on the network. Evaluate your
network's forwarding configurations periodically to see if there are similar, inefficient configurations.
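The chaining and loop problems described above are easy to miss by eye once several servers carry conditional forwarders. The following added Python audit (not part of the Microsoft guide) walks a constructed forwarder map and reports every multi-hop chain and every loop; the server names and the map layout are assumptions for the example.

```python
"""Audit conditional-forwarder configurations for chains and loops.
Added example, not from the Microsoft DNS Operations Guide. SAMPLE_CONFIG is
constructed: it contains the server1 -> server2 -> server3 -> server1 loop the
guide warns about, one clean single-hop forwarder and one two-hop chain."""

# server -> {domain: [forwarder servers, in the order the DNS console lists them]}
SAMPLE_CONFIG = {
    "server1": {"wingtiptoys.corp.com": ["server2"]},
    "server2": {"wingtiptoys.corp.com": ["server3"]},
    "server3": {"wingtiptoys.corp.com": ["server1"]},
    "seattle-dns": {"fabrikam.com": ["fabrikam-dns"]},
    "fabrikam-dns": {},                                  # resolves fabrikam.com itself
    "branch-dns": {"fabrikam.com": ["seattle-dns"]},     # two hops before an answer
}


def forwarding_paths(config, server, domain):
    """Return every forwarding path for `domain` that starts at `server`.

    Each result is (hops, looped). A path ends at a server that does not forward
    the domain further (looped=False) or at the first server seen twice
    (looped=True). Every forwarder in a list is followed, not just the first,
    because the server tries the next one when the first times out."""
    results = []

    def walk(path):
        current = path[-1]
        next_hops = config.get(current, {}).get(domain, [])
        if not next_hops:
            results.append((path, False))
            return
        for hop in next_hops:
            if hop in path:
                results.append((path + [hop], True))
            else:
                walk(path + [hop])

    walk([server])
    return results


def audit_forwarders(config):
    """Return findings as (kind, server, domain, hops) tuples, loops first.
    'loop'  : the query can come back to a server that already forwarded it
    'chain' : more than one forwarding hop before a server answers itself"""
    findings = []
    for server, domains in config.items():
        for domain in domains:
            for hops, looped in forwarding_paths(config, server, domain):
                if looped:
                    findings.append(("loop", server, domain, hops))
                elif len(hops) > 2:
                    findings.append(("chain", server, domain, hops))
    return sorted(findings, key=lambda f: (f[0] != "loop", f[1], f[2]))


if __name__ == "__main__":
    for kind, server, domain, hops in audit_forwarders(SAMPLE_CONFIG):
        print("%-5s %-12s %-22s %s" % (kind, server, domain, " -> ".join(hops)))
```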
To configure forwarders for a DNS server using the Windows graphical user interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click a domain name.
Note
To create a new domain name, click New, and then, under DNS domain, type the domain name.
5. Under Selected domain's forwarder IP address list, type the Internet Protocol (IP) address of a forwarder, and then click Add.
Note
When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.
6. By default, the DNS server waits five seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds
before forward queries time out, you can change the number of seconds that the DNS server waits. If the overall recursion timeout (by default, 15 seconds) is
exceeded before all forwarders are exhausted, the DNS server fails the query. If the overall recursion timeout has not been exceeded and the server exhausts all
forwarders, it attempts standard recursion.
7. If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the Do not use recursion for this domain
check box.
Note
You can disable recursion for the DNS server so that it does not perform recursion on any query. If you disable recursion on the DNS server, you will not be able
to use forwarders on the same server.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure forwarders for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName /Forwarder MasterIPaddress [/TimeOut Time][/Slave]
Value    Description
ServerName
    Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
MasterIPaddress
    Specifies a space-separated list of one or more IP addresses of the DNS servers where queries for ZoneName are forwarded. You can specify
Time
    Specifies the value for the /TimeOut parameter. The value is in seconds. The default timeout is five seconds.
1. Use the Delete a resource record procedure to remove the address (A) resource record for the server.
2. Use the Modify an existing resource record procedure to update the name server (NS) records, in zones where the server is configured as authoritative, to no longer include the server by name (as it appeared in the A record that was deleted in step 1).
3. If the server is the primary server for a standard zone, use the Modify the SOA record for a zone procedure to revise the owner field of the start of authority (SOA)
resource record for the zone to point to the new primary DNS server for the zone. (If the zone is a directory-integrated zone, this procedure is not necessary.)
4. Use the Verify a zone delegation procedure to check the parent zone to ensure that any records (NS or A resource records) that are used for delegation to the
zone are revised and that they no longer point to the removed server.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]
Value    Description
ServerName
    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordDelete
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
    Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
RRType RRData
    Required. Specifies the type of resource record, followed by the data to be contained in the resource record.
    RRType                          RRData
    A                               IPAddress
    NS,CNAME,MB,MD,PTR,MF,MG,MR     HostName|DomainName
    MX,RT,AFSDB                     Preference ServerName
    SRV
    SOA
    AAAA                            Ipv6Address
    TXT,X25,HINFO,ISDN              String [String]
    MINFO,RP                        MailboxName ErrMailboxName
    WKS
    WINS
    WINSR
Value    Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
    Specifies the FQDN of a resource record that is located in the DNS namespace.
/f
    Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.
Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
Value    Description
ServerName
    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
    Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
RRType RRData
    Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record.
    RRType                          RRData
    A                               IPAddress
    NS,CNAME,MB,MD,PTR,MF,MG,MR     HostName|DomainName
    MX,RT,AFSDB                     Preference ServerName
    SRV
    SOA
    AAAA                            Ipv6Address
    TXT,X25,HINFO,ISDN              String [String]
    MINFO,RP                        MailboxName ErrMailboxName
    WKS
    WINS
    WINSR
Value    Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
    Specifies the FQDN of a resource record that is located in the DNS namespace.
To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL
Value    Description
ServerName
    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
    Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName, or you can type @, which specifies the zone's root node.
/Aging
    Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
Ttl
    Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the SOA resource record.
SOA
    Required. Specifies the type of resource record that you are modifying.
/OpenAcl
    Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
PrimSvr
    Required. Specifies the FQDN of the server that is the primary source for information about the zone, for example, nameserver.place.sales.wingtiptoys.com.
Admin
    Required. Specifies the name of the DNS administrator for the zone, for example, postmaster.nameserver.place.sales.wingtiptoys.com.
Serial#
Refresh
    Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).
Retry
    Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).
Expire
    Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).
MinTTL
    Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).
Note
To modify any specific SOA record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
Value    Description
RootServerIpAddress
set norecursion
set q=NS
Server aging and scavenging properties for determining the use of these features on a server-wide basis. These settings are used to determine the effect of zone-level properties for any directory-integrated zones that are loaded at the server. For more information, see Set aging and scavenging properties for a DNS server.
Zone aging and scavenging properties for determining the use of these features on a per zone basis. When zone-specific properties are set for a selected zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their defaults from comparable settings that are maintained in server aging and scavenging properties. For more information, see Set aging and scavenging properties for a zone.
Caution
Enabling aging and scavenging for use with standard primary zones modifies the format of zone files. This change does not affect zone replication to secondary servers, but the modified zone files cannot be loaded by other versions of DNS servers.
Service        Refresh period
Net Logon      24 hours
Clustering     24 hours
DHCP client    24 hours
    The DHCP Client service sends dynamic updates for the DNS records. This includes both computers that obtain a leased Internet Protocol (IP) address by using Dynamic Host Configuration Protocol (DHCP) and computers that are configured statically for TCP/IP.
DHCP server    Four days (half of the lease interval, which is eight days by default).
    Refresh attempts are made only by DHCP servers that are configured to perform DNS dynamic updates on behalf of their clients, for example, Windows 2000 Server DHCP servers and Windows Server 2003 DHCP servers. The period is based on the frequency in which DHCP clients renew their IP address leases with the server. Typically, this occurs when 50 percent of the scope lease time has elapsed. If the DNS default scope lease duration of eight days is used, the maximum refresh period for records that are updated by DHCP servers on behalf of clients is four days.
By default, the refresh interval is seven days. In most instances, this value is sufficient and does not need to be changed, unless any resource records in the zone are
refreshed less often than once every seven days.
Automatic scavenging. Automatic scavenging specifies that aging and scavenging of stale records is to be performed automatically by the server for any eligible
zones at a recurring interval that is specified as the scavenging period. When you use automatic scavenging, the default scavenging period is one day, and the
minimum allowed value that you can use for the scavenging period is one hour. For more information, see Configure automatic scavenging of stale resource
records.
Manual scavenging. Manual scavenging specifies that aging and scavenging of stale records is to be performed as a nonrecurring operation for any eligible zones
at the server. For more information, see Start scavenging of stale resource records.
To set aging and scavenging properties for a DNS server using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Set Aging/Scavenging for All Zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}
Value    Description
ServerName
    Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
Value
    For /ScavengingInterval, type a value in hours. The default is 168 hours (one week). For /DefaultAgingState, type 1 to enable aging for new zones when they are created. Type 0 to disable aging for new zones. For /DefaultNoRefreshInterval, type a value in hours. The default is 168 hours (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 hours (one week).
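The refresh-period table, the seven-day default refresh interval and the hour-based /ScavengingInterval, /DefaultNoRefreshInterval and /DefaultRefreshInterval switches above combine into a small piece of arithmetic that decides when a record can be refreshed, when it turns stale, and at which scavenging run it disappears. The following added Python helper (not part of the Microsoft guide) works that arithmetic through; it assumes the no-refresh window precedes the refresh window, as Windows DNS aging defines it, and that the [Aging:N] field printed by dnscmd /EnumRecords counts hours since 1 January 1601.

```python
"""Aging arithmetic for Windows DNS scavenging.
Added example, not from the Microsoft DNS Operations Guide. All interval
arguments are hours, matching the dnscmd /Config switches above. Record
timestamps are the [Aging:N] values shown by dnscmd /EnumRecords, which count
hours since 1 January 1601 (stated here as an assumption of this example)."""
from datetime import datetime, timedelta

AGING_EPOCH = datetime(1601, 1, 1)

# Default per-client periods between refresh attempts, from the guide's table.
CLIENT_REFRESH_HOURS = {"Net Logon": 24, "Clustering": 24,
                        "DHCP client": 24, "DHCP server": 96}


def aging_to_datetime(hours_since_1601):
    """Convert a dnscmd [Aging:N] timestamp to a datetime."""
    return AGING_EPOCH + timedelta(hours=hours_since_1601)


def stale_at(timestamp, no_refresh_hours=168, refresh_hours=168):
    """A record may be refreshed only after the no-refresh interval has elapsed
    and becomes stale once the refresh interval has also elapsed."""
    return timestamp + timedelta(hours=no_refresh_hours + refresh_hours)


def record_state(timestamp, now, no_refresh_hours=168, refresh_hours=168):
    """Classify a dynamically registered record at time `now`:
    'no-refresh' : identical updates do not move the timestamp yet
    'refresh'    : an update from the owner refreshes the timestamp
    'stale'      : eligible for deletion on the next scavenging pass"""
    refresh_opens = timestamp + timedelta(hours=no_refresh_hours)
    if now < refresh_opens:
        return "no-refresh"
    if now < stale_at(timestamp, no_refresh_hours, refresh_hours):
        return "refresh"
    return "stale"


def removal_time(timestamp, last_scavenge, scavenging_hours=168,
                 no_refresh_hours=168, refresh_hours=168):
    """First scheduled scavenging run at or after the record turns stale,
    assuming automatic scavenging fires every `scavenging_hours` starting
    from `last_scavenge`. With all defaults a never-refreshed record can
    survive up to 7 + 7 + 7 days after its last refresh."""
    stale = stale_at(timestamp, no_refresh_hours, refresh_hours)
    run = last_scavenge
    while run < stale:
        run += timedelta(hours=scavenging_hours)
    return run


def refresh_interval_is_safe(refresh_hours, client_refresh_hours=CLIENT_REFRESH_HOURS):
    """The guide's rule: the refresh interval must be at least as long as the
    longest period between refresh attempts of any updating client, otherwise
    healthy hosts are scavenged between two of their own refreshes."""
    return refresh_hours >= max(client_refresh_hours.values())


if __name__ == "__main__":
    ts = aging_to_datetime(3700000)           # constructed timestamp
    for offset in (100, 200, 400):
        print(offset, record_state(ts, ts + timedelta(hours=offset)))
    print("removed at", removal_time(ts, ts + timedelta(hours=24)))
    print("72h refresh interval safe?", refresh_interval_is_safe(72))
```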
To set aging and scavenging properties for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}
Value    Description
ServerName
    Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName|..AllZones
    Specifies the name of the zone to which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.
Value
    For /Aging, type 1 to enable aging. Type 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours (one week). For /NoRefreshInterval, type a value in seconds. The standard setting is 3600 seconds (one hour).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start scavenging of stale resource records using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /StartScavenging
Value    Description
ServerName
    Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
To reset aging and scavenging properties for a specific resource record using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.
4. Depending on how the resource record was originally added to the zone, do one of the following:
If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent the record's aging or
potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always
reset this check box so that the dynamically updated record can be deleted.
If you added the record manually, select the Delete this record when it becomes stale check box to permit the record's aging or potential removal during
the scavenging process.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To reset aging and scavenging properties for a specific resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /ScavengingInterval Value
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.)
ZoneName|..AllZones
Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server to
allow dynamic updates, type ..AllZones.
Value
The new value for the scavenging interval, specified in hours. The default is 168 hours (one week).
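The three intervals above interact in a way the tables do not spell out: a dynamic record's timestamp cannot be refreshed during the no-refresh interval, the record becomes stale only after the no-refresh and refresh intervals have both elapsed without a refresh, and it is actually deleted on the next scavenging pass after that. The following Python model is an added example, not code from this guide or from the Windows DNS server; the sample timestamps and the starting point of the scavenging schedule are constructed for illustration, and the default 168-hour values are the ones stated above.

```python
from datetime import datetime, timedelta
from typing import Optional

# Defaults stated in the guide: 168 hours (one week) for each interval.
NO_REFRESH_HOURS = 168
REFRESH_HOURS = 168
SCAVENGING_INTERVAL_HOURS = 168


def refresh_accepted(timestamp: Optional[datetime], now: datetime,
                     no_refresh_hours: int = NO_REFRESH_HOURS) -> bool:
    """Can a refresh (a dynamic update that re-asserts the record unchanged)
    move the record's timestamp forward at time `now`?

    During the no-refresh interval the timestamp is left alone, which keeps
    routine refresh traffic from forcing zone replication. A record with no
    timestamp was added manually and is not aged at all.
    """
    if timestamp is None:
        return False
    return now >= timestamp + timedelta(hours=no_refresh_hours)


def is_stale(timestamp: Optional[datetime], now: datetime,
             no_refresh_hours: int = NO_REFRESH_HOURS,
             refresh_hours: int = REFRESH_HOURS) -> bool:
    """A dynamic record is stale once NoRefresh + Refresh hours have passed
    since its timestamp with no refresh. Manually added records (no
    timestamp) are never stale, which matches the 'Delete this record when
    it becomes stale' check box being clear for them."""
    if timestamp is None:
        return False
    return now >= timestamp + timedelta(hours=no_refresh_hours + refresh_hours)


def earliest_removal(timestamp: datetime, last_scavenge_run: datetime,
                     no_refresh_hours: int = NO_REFRESH_HOURS,
                     refresh_hours: int = REFRESH_HOURS,
                     scavenging_interval_hours: int = SCAVENGING_INTERVAL_HOURS
                     ) -> datetime:
    """When is an unrefreshed record actually deleted?

    Scavenging runs every ScavengingInterval hours (aging must be enabled
    on both the server and the zone), so the record disappears on the first
    scheduled run at or after the moment it becomes stale.
    """
    stale_at = timestamp + timedelta(hours=no_refresh_hours + refresh_hours)
    run = last_scavenge_run
    step = timedelta(hours=scavenging_interval_hours)
    while run < stale_at:
        run += step
    return run


def worst_case_lifetime_hours(no_refresh_hours: int = NO_REFRESH_HOURS,
                              refresh_hours: int = REFRESH_HOURS,
                              scavenging_interval_hours: int = SCAVENGING_INTERVAL_HOURS
                              ) -> int:
    """Upper bound on how long a dynamic record that is never refreshed can
    linger: it may turn stale just after a scavenging pass and then wait a
    full interval for the next one."""
    return no_refresh_hours + refresh_hours + scavenging_interval_hours


if __name__ == "__main__":
    # Constructed sample: record registered 1 Jan, last scavenging pass 3 Jan.
    ts = datetime(2024, 1, 1)
    print("stale on 15 Jan:", is_stale(ts, datetime(2024, 1, 15)))
    print("removed at:", earliest_removal(ts, datetime(2024, 1, 3)))
    print("worst case (hours):", worst_case_lifetime_hours())
```

With the defaults a record that stops being refreshed can survive up to 504 hours (three weeks) before it is removed, which is the figure to use when deciding how quickly stale host names should vanish from the zone.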
Setting a DNS computer name or host name for each computer. For example, in the fully qualified domain name (FQDN) wkstn1.sales.wingtiptoys.com., the DNS
computer name is wkstn1.
Setting a primary DNS suffix for the computer, which is placed after the computer name or host name to form the FQDN. Using the previous example, the primary
DNS suffix is sales.wingtiptoys.com.
Setting a list of DNS servers for clients to use when resolving DNS names, such as a preferred DNS server, and any alternate DNS servers to use if the preferred
server is not available.
Setting the DNS suffix search list or search method to be used by the client when it performs DNS query searches for short, unqualified domain names.
These tasks are discussed in more detail in each of the following sections.
If you are supporting both network basic input/output system (NetBIOS) and DNS namespaces on your network, you can use a different computer name in each
namespace. However, it is recommended that, wherever possible, you try to use computer names that are 15 characters or less and that you follow the RFC 1123 naming
requirements described in the previous paragraph.
By default, the leftmost label in the FQDN for clients equals the NetBIOS computer name, unless this label is 16 or more characters, which is the maximum for NetBIOS
names. When the computer name exceeds the maximum length for NetBIOS, the NetBIOS computer name is truncated based on the full label that is specified.
Before you configure computers with varying DNS and NetBIOS names, consider the following issues and their implications for your deployment:
If Windows Internet Name Service (WINS) lookup is enabled for zones that are hosted by your DNS servers, you must use the same name for both NetBIOS and DNS
computer naming. Otherwise, the results of clients attempting to query and resolve the names of these computers will be inconsistent.
If you have an investment in using NetBIOS names to support legacy Microsoft networking technology, it is recommended that you revise NetBIOS computer names that
are used on your network to prepare for migration to a standard DNS-only environment. This prepares your network well for long-term growth and interoperability with
future naming requirements. For example, if you use the same computer name for both NetBIOS and DNS resolution, consider converting any special characters such as
the underscore (_) in your current NetBIOS names that do not comply with DNS naming standards. While these characters are permitted in NetBIOS names, they are more
often incompatible with traditional DNS host naming requirements and most existing DNS resolver client software.
Note
Although the use of the underscore (_) in DNS host names or in host address (A) resource records has traditionally been prohibited by DNS standards, the use of
underscores in service-related names such as those used for service locator SRV resource records has been proposed to avoid naming collisions in the Internet
DNS namespace.
In addition to DNS standard naming conventions, Windows Server 2003 DNS supports the use of extended American Standard Code for Information Interchange (ASCII)
and Unicode characters. However, because most resolver software that is written for other platforms (such as UNIX) is based on Internet DNS standards, this enhanced
character support can be used only in private networks with computers running Windows 2000 or Windows Server 2003 DNS.
The initial setup of DNS and TCP/IP displays a warning to suggest a standard DNS name if a nonstandard DNS name is entered.
By default, computers and servers use DNS to resolve any name that is greater than 15 characters in length. If the name is less than or equal to 15 characters, both
NetBIOS and DNS name resolution can be attempted and used to resolve the name.
The Net Logon service is an example of a service that shows the need for both NetBIOS and DNS names. In Windows Server 2003 DNS, the Net Logon service on a domain
controller registers its SRV resource records on a DNS server. For Windows NT Server 4.0 and earlier operating systems, domain controllers register a DomainName entry
in WINS to perform the same registration and to advertise their availability for providing authentication service to the network.
When a client computer is started on the network, it uses the DNS resolver to query a DNS server for SRV records for its configured domain name. This query is used to
locate domain controllers and provide logon authentication for accessing network resources. A client or a domain controller on the network optionally uses the NetBIOS
resolver service to query WINS servers, attempting to locate DomainName [1C] entries to complete the logon process.
Your DNS domain names should follow the same standards and recommended practices that apply to DNS computer naming described in the previous section. In general,
acceptable naming conventions for domain names include the use of letters A through Z, numerals 0 through 9, and the hyphen (-). The period (.) in a domain name is
always used to separate the discrete parts of a domain name, commonly known as labels. Each label corresponds to an additional level that is defined in the DNS
namespace tree.
For most computers, the primary DNS suffix that is configured for the computer can be the same as its Active Directory domain name, although the two values can also be
different.
Important
By default, the primary DNS suffix portion of a computer's FQDN must be the same as the name of the Active Directory domain where the computer is located. To allow
different primary DNS suffixes, a domain administrator may establish a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the
domain object container. This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory
Access Protocol (LDAP).
A primary DNS domain name, which applies as the default, fully qualified, DNS name for the computer and all its configured network connections.
A connection-specific, DNS domain name, which can be configured as an alternate DNS domain name that applies only for a single network adapter that is installed
and configured on the computer.
Although most computers do not need to support or use more than one name in DNS, support for configuring multiple, connection-specific DNS names is sometimes
useful. For example, by using multiple names, a user can specify which network connection to use when connecting to a multihomed computer.
To complete these tasks, perform the following procedure:
Configure DNS settings in Network Connections
Note
To open Network Connections, click Start, point to Control Panel, and then click Network Connections.
10.0.0.1    host-a    host-a.example.microsoft.com    host-b.example2.microsoft.com
Likewise, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines. For example, you can add
lines for the following multihomed or multiaddressable DNS host computer:
10.0.0.1    host-a.example.microsoft.com
10.0.0.2    host-a.example.microsoft.com
10.0.0.3    host-a.example.microsoft.com
When multiple names or IP addresses are used in the Hosts file, the DNS Client service must be running for all entries to be returned or used in answering queries. If the
DNS Client service is not running, only the first entry in the file is used to resolve the query.
To preload the DNS client resolver cache
1. At a command prompt, type the following command, and then press ENTER:
notepad %systemroot%\system32\drivers\etc\hosts
2. Using the default entry in the file (a mapping for the local host to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate
lines to be preloaded into the resolver cache of the client. For example, you might add:
10.0.0.1 host-a host-a.example.microsoft.com
3. On the File menu, click Save, and then Exit.
4. As an option, you can verify that your changes have been updated in the resolver cache by viewing its contents.
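The Hosts file layouts described above (several names on one line for one address, one name repeated on separate lines for several addresses, and the first-entry-only behaviour when the DNS Client service is stopped) are easier to reason about with a small parser. The following Python is an added example, not code from this guide or from Windows; the sample file content is constructed here, and the non-loopback listing is a review aid for administrators, since Hosts entries take precedence over DNS answers for the names they carry.

```python
import ipaddress
from typing import List, NamedTuple


class HostsEntry(NamedTuple):
    address: str
    names: List[str]


# Constructed sample Hosts file (not from any real machine). It carries the
# default loopback mapping, one address with several names on a single line,
# and one name repeated on separate lines with different addresses.
SAMPLE_HOSTS = """\
# constructed sample Hosts file
127.0.0.1       localhost
10.0.0.1        host-a host-a.example.microsoft.com host-b.example2.microsoft.com
10.0.0.2        host-a.example.microsoft.com   # second address, own line
10.0.0.3        host-a.example.microsoft.com
"""


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse Hosts file text into entries in file order.

    Blank lines and '#' comments (whole-line or trailing) are ignored, and a
    line whose first field is not a valid IPv4/IPv6 address is skipped, as the
    resolver skips it. Names are lower-cased because DNS names are
    case-insensitive.
    """
    entries: List[HostsEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if names:
            entries.append(HostsEntry(address, names))
    return entries


def resolve(entries: List[HostsEntry], name: str,
            dns_client_running: bool = True) -> List[str]:
    """Addresses mapped to `name`, in file order without duplicates.

    With the DNS Client service running every matching line contributes;
    without it only the first matching entry is used, as the guide states.
    """
    target = name.lower().rstrip(".")
    found: List[str] = []
    for entry in entries:
        if target in entry.names and entry.address not in found:
            found.append(entry.address)
            if not dns_client_running:
                break
    return found


def names_for(entries: List[HostsEntry], address: str) -> List[str]:
    """Every name mapped to one address, across all lines that carry it."""
    target = str(ipaddress.ip_address(address))
    names: List[str] = []
    for entry in entries:
        if entry.address == target:
            for n in entry.names:
                if n not in names:
                    names.append(n)
    return names


def non_loopback_entries(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries pointing names at something other than loopback. The default
    Windows file has none, so anything listed here deserves a second look."""
    return [e for e in entries
            if not ipaddress.ip_address(e.address).is_loopback]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print(resolve(parsed, "host-a.example.microsoft.com"))
    print(resolve(parsed, "host-a.example.microsoft.com", dns_client_running=False))
    for e in non_loopback_entries(parsed):
        print(e.address, " ".join(e.names))
```

To audit a real client, read %systemroot%\system32\drivers\etc\hosts into `parse_hosts` and review what `non_loopback_entries` returns.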
You can use this task after you determine that you need to add or remove a DNS zone from your environment. For more information about planning DNS zones, see
Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirement:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Caution
Deleting an Active Directory-integrated zone effectively deletes the zone and eliminates its use at all other DNS servers that use the same directory store of zone data.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a DNS zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.)
/ZoneDelete
Required. Specifies the command to delete the zone that is specified by ZoneName.
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone that you are deleting.
/DsDel
/f
Performs the command without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource
record.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a new zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address
of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the in-addr.arpa domain for the zone, for example, 20.1.168.192.in-addr.arpa.
/Primary|/DsPrimary
Required. Specifies the type of zone. To specify an Active Directory-integrated zone, type /DsPrimary.
/file
Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.
FileName
Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.
/load
Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter
does not apply to /DsPrimary.
/a
AdminEmail
/DP
Adds the zone to an application directory partition. You may also use one of the following:
/DP /domain for a domain directory partition (replicates to all DNS servers in the domain).
/DP /forest for a forest directory partition (replicates to all DNS servers in the forest).
/DP /legacy for a legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains
using legacy Windows 2000 Server domain controllers.
FQDN
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start or pause a zone using the command line
1. Open a command prompt. To start a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResume ZoneName
2. To pause a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZonePause ZoneName
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneResume
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone that is being resumed or paused.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start a zone transfer at a secondary server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneRefresh ZoneName
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.)
/ZoneRefresh
ZoneName
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change the zone type using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol
(IP) address of the DNS server. To specify the DNS server on the local computer, you can also
type a period (.)
ZoneName
Property
MasterIPaddress...
Required for /Secondary, /Stub and /DsStub. Specifies one or more IP addresses for the master
servers of the secondary or stub zone, from which it copies zone data.
/file
Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the
/DsPrimary zone type.
FileName
Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the
/DsPrimary zone type.
/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN
/OverWrite_Mem overwrites existing DNS data using the data in Active Directory.
/OverWrite_Ds overwrites Active Directory data with data in DNS.
/DirectoryPartition stores the new zone in the application directory partition that is specified by
FQDN, such as DomainDnsZones.corp.sales.wingtiptoys.com.
See Also
Other Resources
Deploying Domain Name System (DNS)
Caution
If the zone file name is changed, be sure to update the zone file name on other DNS servers that maintain this zone. Otherwise, subsequent zone transfers and
updates might fail. This can occur in the following situations:
The zone type is primary on this server.
The zone type is secondary on this server, and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of
this zone.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change zone replication scope using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol
(IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneChangeDirectoryPartition
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NewPartitionName
Required. The FQDN of the DNS application directory partition where the zone will be stored.
To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in SOA resource record.
SOA
Required. Specifies the type of resource record that you are modifying.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
PrimSvr
Required. Specifies the FQDN name of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com..
Admin
Required. Specifies the name of the DNS administrator for the zone, for example, postmaster.nameserver.place.sales.wingtiptoys.com..
Serial#\
Refresh
Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).
Retry
Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).
Expire
Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).
MinTTL
Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).
Note
To modify any specific SOA record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify DNS zone transfer settings using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr|/NonSecure|/SecureNs|/SecureList [SecondaryIPAddress...]}
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
ZoneName
/NoXfr
/NonSecure
/SecureNs
Permits zone transfers only to DNS servers that are listed in the zone using NS resource records.
/SecureList
Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.
SecondaryIPAddress
Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.
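The four /ZoneResetSecondaries settings differ only in who is allowed to pull a copy of the zone, and /NonSecure means any host that can reach the server can read every record in it. The following Python is an added example, not code from this guide or from dnscmd: it models the decision each setting makes for a requesting address, renders the dnscmd line in the syntax shown above, and checks that the secondaries you actually rely on would still be served after the change. The addresses are constructed samples, and the NS names are assumed to be resolved to addresses in advance (the server performs that resolution itself).

```python
import ipaddress
from enum import Enum
from typing import Iterable, List, Sequence


class XfrPolicy(Enum):
    """The four settings accepted by dnscmd /ZoneResetSecondaries."""
    NO_XFR = "/NoXfr"
    NON_SECURE = "/NonSecure"
    SECURE_NS = "/SecureNs"
    SECURE_LIST = "/SecureList"


def _addrs(values: Iterable[str]):
    """Parse a list of textual addresses into comparable address objects."""
    return {ipaddress.ip_address(v) for v in values}


def transfer_permitted(policy: XfrPolicy, requester: str,
                       ns_addresses: Iterable[str] = (),
                       secure_list: Iterable[str] = ()) -> bool:
    """Would a zone transfer request from `requester` be answered?

    ns_addresses: addresses of the hosts named in the zone's NS records
                  (assumed already resolved).
    secure_list:  the SecondaryIPAddress values given with /SecureList.
    """
    ip = ipaddress.ip_address(requester)
    if policy is XfrPolicy.NO_XFR:
        return False
    if policy is XfrPolicy.NON_SECURE:
        return True  # every host that can reach the server gets the zone
    if policy is XfrPolicy.SECURE_NS:
        return ip in _addrs(ns_addresses)
    return ip in _addrs(secure_list)  # SECURE_LIST


def build_command(server: str, zone: str, policy: XfrPolicy,
                  secure_list: Sequence[str] = ()) -> str:
    """Render the dnscmd line for the chosen setting.

    /SecureList requires at least one SecondaryIPAddress, as the table
    above states, so an empty list is rejected rather than emitted.
    """
    line = f"dnscmd {server} /ZoneResetSecondaries {zone} {policy.value}"
    if policy is XfrPolicy.SECURE_LIST:
        if not secure_list:
            raise ValueError("/SecureList requires at least one SecondaryIPAddress")
        line += " " + " ".join(str(ipaddress.ip_address(a)) for a in secure_list)
    return line


def locked_out_secondaries(policy: XfrPolicy, secondaries: Sequence[str],
                           ns_addresses: Iterable[str] = (),
                           secure_list: Iterable[str] = ()) -> List[str]:
    """Secondaries the setting would refuse. A non-empty result means zone
    transfers to those servers will fail once the command is applied."""
    return [s for s in secondaries
            if not transfer_permitted(policy, s, ns_addresses, secure_list)]


if __name__ == "__main__":
    # Constructed sample: two servers named in NS records, one extra secondary.
    ns = ["10.0.0.10", "10.0.0.11"]
    secondaries = ["10.0.0.11", "10.0.0.12"]
    print(build_command(".", "sales.wingtiptoys.com", XfrPolicy.SECURE_LIST, secondaries))
    print("locked out under /SecureNs:",
          locked_out_secondaries(XfrPolicy.SECURE_NS, secondaries, ns))
    print("outsider under /NonSecure:",
          transfer_permitted(XfrPolicy.NON_SECURE, "203.0.113.5"))
```

The usual review question is whether a zone is still set to /NonSecure; the usual operational check, before switching to /SecureNs or /SecureList, is that `locked_out_secondaries` comes back empty for the servers that host secondary copies.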
To specify DNS servers as authoritative for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Note
To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When you enter a name, click
Resolve to resolve the name to its IP address before adding it to the list.
To specify DNS servers as authoritative for a zone using the command line
1. At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|DomainName}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.)
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the NS record is added. You can also type the node
name relative to the ZoneName or @, which specifies the zone's root node.
/Aging
If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record
remains in the DNS database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the start-of-authority (SOA) resource
record).
NS
Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
HostName|DomainName
Required. Specifies the host name or FQDN of the new authoritative server.
To change the master server for a secondary zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable secondary zone, and then click Properties.
3. On the General tab, in IP address, specify the Internet Protocol (IP) address for a new master server, and then click Add to update the list.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To change the master server for a secondary zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)
/ZoneResetMasters
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone that you are updating.
/Local
MasterIPaddress...
Required. Specifies the IP addresses of the master servers to be used by the DNS server when updating the specified secondary zones. If
you do not specify MasterIPaddress..., you are requesting the DNS server to reset the value to an empty list. The request may be denied because a
zone must always have at least one master server. MasterIPaddress... is required to clear the local master list for a zone.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
Refresh interval. Used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.
Retry interval. Used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time that the refresh
interval occurs.
Expire interval. Used by other DNS servers that are configured to load and host the zone to determine when zone data expires if it is not renewed.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To adjust the refresh, retry, or expire interval for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-Integrated.
4. Click the Start of Authority (SOA) tab.
5. In Refresh interval, Retry interval, or Expires after, click a time period in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To adjust the refresh, retry, or expire interval for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the
local computer, you can also type a period (.)
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.
SOA
Required. Specifies the type of resource record that you are modifying.
PrimSvr
Required. Specifies the FQDN name of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com..
Admin
Required. Specifies the name of the DNS administrator for the zone, for example, postmaster.nameserver.place.sales.wingtiptoys.com.
Serial#\
Refresh
Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).
Retry
Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).
Expire
Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).
MinTTL
Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).
Note
To modify any specific SOA resource record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of
the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
ZoneName|..AllZones
Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS
server to allow dynamic updates, type ..AllZones.
1|0
Configures dynamic update. To allow dynamic updates, type a value of 1. To not allow dynamic updates, type a value of 0.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable secure dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)
ZoneName|..AllZones
Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS
server to allow dynamic updates, type ..AllZones.
2
Required. Configures the server to allow secure dynamic updates. If you exclude the 2, the zone is set to perform standard dynamic
updates only.
Delegating a Zone
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS
servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
You want to delegate management of part of your DNS namespace to another location or department in your organization.
You want to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improving DNS name resolution performance, or creating
a more fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.
If, for any of these reasons, your network can benefit from delegating zones, it may make sense to restructure your namespace by adding additional zones. When choosing
how to structure zones, use a plan that reflects the structure of your organization.
When you delegate zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the
authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers
that are being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file that contains all resource record information on a single DNS server. This server acts as the primary
master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.
When you structure your zones, there are several good reasons to use additional DNS servers for zone replication:
Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network
(WAN) link can be useful in managing and reducing network traffic.
Additional secondary servers can be used to reduce loads on a primary server for a zone.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
Install Nslookup.
See Also
Other Resources
Deploying Domain Name System (DNS)
2014 Microsoft. All rights reserved.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To create a new zone delegation using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace for which the start-of-authority (SOA) record is added. You can also type
the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging
If this parameter is used, this resource record can be aged and scavenged. If it is not used, the resource record remains in the DNS database
unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record).
NS
Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
HostName|FQDN
Required. Specifies the host name or FQDN of the new authoritative server.
Value
Description
RootServerIpAddress
set norecursion
set q=NS
Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the Domain Name System (DNS) server that hosts both the
parent zone and the stub zone maintains a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion by using the stub zone's list of name servers, without needing to query the
Internet or the internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without
using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not a valid alternative to secondary zones with
regard to redundancy and load sharing.
When a DNS server loads a stub zone, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for
the zone. The list of master servers may contain a single server or multiple servers, and the list can be changed anytime.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To reload or transfer stub zones using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address
of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneReload
/ZoneUpdateFromDs
/ZoneRefresh
Refreshes the stub zone. The DNS server determines if the serial number in the stub zone's SOA resource record has expired. If the
serial number has expired, the DNS server performs a zone transfer from the stub zone's master server.
ZoneName
Required. Specifies the name of the stub zone that you want to reload or refresh.
Note
There is no dnscmd command to perform a zone transfer regardless of the SOA resource record's expiration date. To perform this operation, use the Windows
interface procedure.
To configure a stub zone to use local master servers using the Windows interface
1. Open DNS.
2. In the console tree, right-click the stub zone, and then click Properties.
3. On the General tab, under IP address, modify the list to display the Internet Protocol (IP) addresses of the local master servers that you want the DNS server to use
when loading and updating the stub zone.
Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone
on this server.
4. Select the Use the list above as a local list of masters check box, and then click OK.
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To configure a stub zone to use local master servers using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on
the local computer, you can also type a period (.).
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Local
MasterIPaddress...
List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers
hosting other secondary copies for the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure
that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of
the stub zone on this server.
How the caching Time to Live (TTL) and lookup time-out values are configured for use with the WINS and WINS-R records
The format of the WINS and WINS-R resource records as they are used in zone files that are created by the DNS Server service
The Cache timeout value, which indicates to a DNS server how long it should cache any of the information that is returned in a WINS lookup. By default, this value is
set to 15 minutes.
The Lookup timeout value, which specifies how long to wait before timing out and expiring a WINS lookup that is performed by the DNS Server service. By default,
this value is set to two seconds.
You can configure these parameters by using the Advanced button in the zone properties dialog box when you configure the zone. This button appears on either the
WINS or WINS-R tab, depending on whether the zone that you are configuring is being used for forward lookup or reverse lookup.
If you are using either the WINS or WINS-R resource record, be aware that the minimum TTL that is set in the start-of-authority (SOA) record for the zone is not the default
TTL that is used with these records. Instead, when either an IP address or a host name is resolved with WINS lookup, the information is cached on the DNS server for the
amount of time that is configured for the WINS cache time-out value. If this address is then ever forwarded to another DNS server, the WINS cache time-out value TTL is
what is sent. If your WINS data rarely changes, you can increase the default TTL of 15 minutes.
Notes
If you have a zone that is configured for WINS lookup, all DNS servers that are authoritative for that zone need to be capable of WINS lookup or you will have
intermittent behavior.
Because you can specify that the WINS and WINS-R resource records not be replicated to other DNS servers, you can selectively enable and configure WINS lookup
at each of your secondary servers for zones where this feature is used. This is not a standard practice for other types of resource records, which are only to be
configured at the primary server for the zone.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Value
Description
set debug
Enables the nslookup command to operate in debug mode, providing extended information in the command output.
This mode is required to view query response information about whether the source for a query answer is:
Authoritative (from a DNS zone or a WINS server database)
Nonauthoritative (cached data from previous queries made by the DNS server or loaded from root hints)
set querytype
Changes the type of information query. More information about types can be found in Request for Comments (RFC) 1035.
Host address (A). Maps a Domain Name System (DNS) domain name to an Internet Protocol (IP) address that is used by a computer.
Alias canonical (CNAME). Maps an alias DNS domain name to another primary name or canonical name.
Mail Exchanger (MX). Maps a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR). Maps a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
Service (SRV). Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
Other resource records, as needed.
You can create an A resource record for a static TCP/IP client computer manually by using the DNS snap-in.
Windows clients and servers use the DHCP Client service to dynamically register and update their own A resource records in DNS when an IP configuration change
occurs.
Dynamic Host Configuration Protocol (DHCP)-enabled client computers running earlier versions of Microsoft operating systems can have their A resource records
registered and updated by proxy if they obtain their IP lease from a qualified DHCP server. (Only the Windows 2000 and Windows Server 2003 DHCP Server service
currently supports this feature.)
The host A resource record is not required for all computers, but it is required by computers that share resources on a network. Any computer that shares resources and
needs to be identified by its DNS domain name must use A resource records to provide DNS name resolution to the IP address for the computer.
Most A resource records that are required in a zone can include other workstations or servers that share resources, other DNS servers, mail servers, and Web servers.
These resource records make up the majority of resource records in a zone database.
When a host that is specified in an A resource record in the same zone needs to be renamed
When a generic name for a well-known server, such as www, must resolve to a group of individual computers (each with individual A resource records) that provide
the same service, for example, a group of redundant Web servers
When you rename a computer with an existing A resource record in the zone, you can use a CNAME resource record temporarily to allow a grace period for users and
programs to switch from specifying the old computer name to using the new one. To do this, you need the following:
For the new DNS domain name of the computer, a new A resource record is added to the zone.
For the old DNS domain name, a CNAME resource record is added that points to the new A resource record.
The original A resource record for the old DNS domain name (and its associated PTR resource record, if applicable) is removed from the zone.
When you use a CNAME resource record for aliasing or renaming a computer, set a temporary limit on how long the record is used in the zone before it is removed from
DNS. If you forget to delete the CNAME resource record and later its associated A resource record is deleted, the CNAME resource record can waste server resources by
trying to resolve queries for a name that is no longer used on the network.
The most common or popular use of a CNAME resource record is to provide a permanent, DNS-aliased domain name for generic name resolution of a service-based
name, such as www.sales.wingtiptoys.com, to more than one computer or one IP address that is used in a Web server. For example, the following shows the basic syntax of
how a CNAME resource record is used:
alias_name IN CNAME primary_canonical_name
In this example, a computer named host-a.sales.wingtiptoys.com must function as both a Web server named www.sales.wingtiptoys.com. and an FTP server named
ftp.sales.wingtiptoys.com. To achieve the intended use for naming this computer, you can add and use the following CNAME entries in the sales.wingtiptoys.com zone:
host-a IN A 10.0.0.20
ftp IN CNAME host-a
www IN CNAME host-a
If you later decide to move the FTP server to another computer, separate from the Web server on host-a, simply change the CNAME resource record in the zone for
ftp.sales.wingtiptoys.com and add an additional A resource record to the zone for the new computer hosting the FTP server.
Based on the earlier example, if the new computer is named host-b.sales.wingtiptoys.com, the new and revised A and CNAME resource records are as follows:
host-a IN A 10.0.0.20
host-b IN A 10.0.0.21
ftp IN CNAME host-b
www IN CNAME host-a
MX Resource Records
The MX resource record is used by e-mail applications to locate a mail server based on a DNS domain name that is used in the destination address for the e-mail
recipient of a message. For example, a DNS query for the name sales.wingtiptoys.com can be used to find an MX resource record, which enables an e-mail application to
forward or exchange mail to a user with the e-mail address user@wingtiptoys.com.
The MX resource record shows the DNS domain name for the computer or computers that process e-mail for a domain. If multiple MX resource records exist, the DNS
Client service attempts to contact e-mail servers in the order of preference from lowest value (highest priority) to highest value (lowest priority). The following shows the
basic syntax for use of an MX resource record:
mail_domain_name IN MX preference mailserver_host
By using the MX resource records shown below in the sales.wingtiptoys.com zone, e-mail that is addressed to user@sales.wingtiptoys.com is delivered to
user@mailserver0.sales.wingtiptoys.com first, if possible. If this server is unavailable, the resolver client can then use user@mailserver1.sales.wingtiptoys.com instead.
@ IN MX 1 mailserver0
@ IN MX 2 mailserver1
Note that the use of the "at" symbol (@) in the records indicates that the mailer DNS domain name is the same as the name of origin (sales.wingtiptoys.com) for the zone.
You can create a PTR resource record for a static TCP/IP client computer manually by using DNS, either as a separate procedure or as part of the procedure for
creating an A resource record.
Computers use the DHCP Client service to dynamically register and update their PTR resource record in DNS when an IP configuration change occurs.
All other DHCP-enabled client computers can have their PTR resource records registered and updated by the DHCP server if they obtain their IP lease from a
qualified server. The Windows 2000 and Windows Server 2003 DHCP Server service provides this capability.
The PTR resource record is used only in reverse lookup zones to support reverse lookup.
1. The computer that operates your DNS server is running on another platform, such as UNIX, and it cannot accept or recognize dynamic updates.
2. A DNS server at this computer that does not use the DNS Server service that is provided with Windows Server 2003 is authoritative for the primary zone that
corresponds to the DNS domain name for your Active Directory domain.
3. The DNS server supports the SRV resource record, as defined in the Internet draft "A DNS RR specifying the location of services (DNS SRV)," but the DNS server
does not support dynamic updates.
For example, the DNS Server service that is provided with Windows NT Server 4.0, when it is updated to Service Pack 4 or later, fits this description.
In the future, the SRV resource record might also be used to register and look up other well-known TCP/IP services on your network if applications implement and support
DNS name queries that specify this record type.
Install Dnscmd.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an A resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the
local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
/Aging
Specifies that this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.
A
Required. Specifies the resource record type of the record that you are adding.
IPAddress
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an MX resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] MX Preference MXServerName
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
/Aging
Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database
unless it is manually updated or removed.
Ttl
Specifies the Time to Live (TTL) setting for the resource record.
MX
Required. Specifies the MX resource record type for the record that you are adding.
Preference
Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail
exchange servers. Lower numbers are given greater preference.
MXServerName
Required. Specifies the FQDN for a mail exchanger. The value entered here must resolve to a corresponding host A resource record in this
zone.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a CNAME resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME {HostName|DomainName}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the name of the zone where this CNAME resource record will be added.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @,
which specifies the zone's root node.
/Aging
Specifies that this resource record is aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource
record.
CNAME
Required. Specifies the resource record type of the record that you are adding.
HostName|DomainName
Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully
qualify the name.
To add a PTR resource record to a reverse zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable reverse lookup zone.
3. On the Action menu, click New Pointer (PTR).
4. In the Host IP number text box, type the host Internet Protocol (IP) address octet number.
5. In Host name, type the fully qualified domain name (FQDN) for the DNS host computer for which this pointer record is to be used to provide reverse lookup
(address-to-name resolution).
As an option, you can click Browse to search the Domain Name System (DNS) namespace for hosts in this domain that have host address (A) records already
defined.
6. Click OK to add the new record to the zone.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a PTR resource record to a reverse zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR {HostName|DomainName}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the FQDN of the zone where this new PTR resource record will be added.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @,
which specifies the zone's root node.
/Aging
Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record.
PTR
Required. Specifies the resource record type for the record that you are adding.
HostName|DomainName
Required. Specifies the FQDN of a resource record that is located in the DNS namespace. The host that you specify is used as the data
for answering reverse lookups based on the address information that is specified by this PTR resource record.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
/Aging
Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database
unless it is updated or removed manually.
/OpenAcl
Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
Specifies the Time to Live (TTL) setting for the resource record.
RRType RRData
Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record.
IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR
HostName|DomainName
MX,RT,AFSDB
Preference ServerName
SRV
Priority Weight Port HostName
SOA
AAAA
Ipv6Address
TXT,X25,HINFO,ISDN
String [String]
MINFO,RP
MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.
RRType
RRData
Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record.
IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR
HostName|DomainName
MX,RT,AFSDB
Preference ServerName
SRV
SOA
AAAA
Ipv6Address
TXT,X25,HINFO,ISDN
String [String]
MINFO,RP
MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordDelete
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies
the zone's root node.
RRType
RRData
Required. Specifies the type of resource record to delete, followed by the data contained in the resource record.
IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR
HostName|DomainName
MX,RT,AFSDB
Preference ServerName
SRV
SOA
AAAA
Ipv6Address
TXT,X25,HINFO,ISDN
String [String]
MINFO,RP
MailboxName ErrMailboxName
WKS
WINS
WINSR
Value
Description
IPAddress
ipv6Address
Protocol
Service
HostName|DomainName
Specifies the FQDN of a resource record that is located in the DNS namespace.
/f
Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion
of the resource record.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
To disable NS resource record registration using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
/DisableNSRecordsAutoCreation
Determines the local DNS server configuration for registering NS resource records for authoritative zones.
0x1
Specifies that the DNS server that is specified in ServerName should not add NS resource records for authoritative zones.
To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.
To allow only specific domain controllers to add their names to the NS resource records for a zone, type the following command:
dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation IpAddresses...
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
Required. Specifies the fully qualified domain name (FQDN) of the zone.
/AllowNSRecordsAutoCreation
Required. Specifies that only the domain controllers listed in IpAddresses... add their names to the NS resource records for the zone that is specified in ZoneName. NS resource records that were previously registered for this zone are not affected, so you must remove them manually if you do not want them.
IpAddresses...
Required. Specifies the IP addresses of the domain controllers that add their names to the NS resource records for the zone that is specified in ZoneName. Type a space-separated list of IP addresses, for example, 10.0.0.1 172.16.0.1 192.168.0.1.
If a domain controller that hosts the zone is not listed in IpAddresses..., its name is deleted from the NS resource records for the zone that is specified in ZoneName.
To specify that all domain controllers are allowed to add their names to the NS resource records for the zone, or to clear the list of allowed DNS server IP addresses, type the command and omit IpAddresses...:
dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation
Regardless of these settings, a domain controller that hosts the zone still answers queries for it authoritatively: the authoritative-answer flag is set in its responses whether or not the domain controller is listed in the zone's NS resource records.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restrict the DNS resource records that are updated by Net Logon
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Add the following multi-string (REG_MULTI_SZ) value:
DnsAvoidRegisterRecords
4. In this value, list the mnemonics (one per line) of the DNS resource records that the Net Logon service should not register for this domain controller.
The following table lists each mnemonic, the type of the record it controls, and the owner name of that record. Do not list the records that identify only this domain controller (Pdc, DcByGuid, DsaCname) unless you intend to hide the domain controller from replication partners and clients entirely.
Mnemonic            Type    DNS resource record (owner name)
LdapIpAddress       A       DnsDomainName
Ldap                SRV     _ldap._tcp.DnsDomainName
LdapAtSite          SRV     _ldap._tcp.SiteName._sites.DnsDomainName
Pdc                 SRV     _ldap._tcp.pdc._msdcs.DnsDomainName
Gc                  SRV     _ldap._tcp.gc._msdcs.DnsForestName
GcAtSite            SRV     _ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
DcByGuid            SRV     _ldap._tcp.DomainGuid.domains._msdcs.DnsForestName
GcIpAddress         A       gc._msdcs.DnsForestName
DsaCname            CNAME   DsaGuid._msdcs.DnsForestName
Kdc                 SRV     _kerberos._tcp.dc._msdcs.DnsDomainName
KdcAtSite           SRV     _kerberos._tcp.SiteName._sites.dc._msdcs.DnsDomainName
Dc                  SRV     _ldap._tcp.dc._msdcs.DnsDomainName
DcAtSite            SRV     _ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
Rfc1510Kdc          SRV     _kerberos._tcp.DnsDomainName
Rfc1510KdcAtSite    SRV     _kerberos._tcp.SiteName._sites.DnsDomainName
GenericGc           SRV     _gc._tcp.DnsForestName
GenericGcAtSite     SRV     _gc._tcp.SiteName._sites.DnsForestName
Rfc1510UdpKdc       SRV     _kerberos._udp.DnsDomainName
Rfc1510Kpwd         SRV     _kpasswd._tcp.DnsDomainName
Rfc1510UdpKpwd      SRV     _kpasswd._udp.DnsDomainName
Notes
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
You do not need to restart the Net Logon service for changes to this value to take effect. If the DnsAvoidRegisterRecords value is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it starts, the corresponding DNS updates may be applied after a short delay, but no later than 15 minutes after the Net Logon service starts.
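The registry procedure above, scripted end to end, as an added example that is not part of the original guide: it writes the DnsAvoidRegisterRecords value, makes Net Logon apply it immediately, and then checks the result in DNS. It assumes an elevated Windows PowerShell session on the domain controller itself. The mnemonic list is this example's own choice (it withholds the generic, non-site-specific LDAP, global catalog and Kerberos records so that clients in other sites stop selecting this domain controller, while the site-specific and DC-unique records stay registered); the use of nltest and nslookup for verification is likewise the example's, not the guide's.

```powershell
# Added example (not from the original guide): restrict which locator records
# this domain controller registers, apply the change now, and verify in DNS.
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Assumed list for illustration: withhold the generic records only. The
# site-specific (*AtSite) and DC-unique (Pdc, DcByGuid, DsaCname) records are
# deliberately left out so this DC keeps serving its own site and replication.
$avoid = @(
    'Ldap', 'LdapIpAddress', 'Gc', 'GcIpAddress', 'GenericGc',
    'Kdc', 'Dc', 'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

# DnsAvoidRegisterRecords is REG_MULTI_SZ; Set-ItemProperty creates the value
# if it does not exist yet and overwrites it if it does.
Set-ItemProperty -Path $path -Name DnsAvoidRegisterRecords -Type MultiString -Value $avoid

# Read the value back before relying on it.
(Get-ItemProperty -Path $path -Name DnsAvoidRegisterRecords).DnsAvoidRegisterRecords

# No service restart is needed (see the note above). nltest makes Net Logon
# refresh its DNS registrations right away instead of at its next cycle.
nltest /dsregdns

# Verify from DNS: this DC should be absent from the generic SRV record set but
# still present in its site-specific set. The site name is read from the DC.
$domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$site   = (nltest /dsgetsite | Select-Object -First 1).Trim()
nslookup -type=SRV "_ldap._tcp.$domain"
nslookup -type=SRV "_ldap._tcp.$site._sites.$domain"
```

Run the two nslookup queries against more than one DNS server in the domain before concluding that the change has replicated; Active Directory-integrated zones converge only as fast as directory replication.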
Monitoring DNS
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Monitoring your Domain Name System (DNS) infrastructure on a regular basis and resolving any issues that you find will help to keep your network accessible to your
users.
The following tasks for monitoring DNS are described in this objective:
Event ID
Description
140
The DNS server could not initialize the Remote Procedure Call (RPC) service. If it is not running, start the RPC service or reboot the computer. For
specific error code, see the Record Data page on the Event Viewer.
In order for DNS to run, the Remote Procedure Call (RPC) service must be running on the DNS server.
a. Verify that the Remote Procedure Call (RPC) service has been started.
b. Open Administrative Tools, and double-click Services.
c. If the service has been started, try restarting the server.
d. If the error continues, remove and reinstall the Client for Microsoft Networks service on the network connection. This will reinstall the
Netlogon and RPC locator services.
403
The DNS server could not create a Transmission Control Protocol (TCP) socket. Restart the DNS server or reboot the computer. For the specific
error code, see the Record Data page.
The Wsock32.dll might be incompatible with a third-party TCP/IP stack. This problem can also occur if the TCP/IP protocol is not bound to the
network adapter.
If you are using a third-party TCP/IP protocol, verify that the protocol is compatible with the Wsock32.dll.
Check the bindings of the protocol stack. It is a good idea to have TCP/IP bound at the top of the stack. If the error continues, remove and reinstall
the TCP/IP protocol, and then try again.
a. Open Control Panel, and then double-click Network and Dial-up Connections.
b. Right-click the connection, and then click Properties.
c. Verify that the bindings for all protocols to network adapters are enabled and that no broken connections exist in the stack.
407
DNS server could not bind the main datagram socket. The data is the error.
This error can occur if there is a mismatch between the configured IP address in the Advanced IP Addressing dialog box and the addresses listed in
the Server Properties dialog box for the DNS server. This problem can also occur if the TCP/IP protocol is not bound to the network adapter.
Verify that the TCP/IP addresses configured in the Advanced IP Addressing dialog box match those configured in the Server Properties dialog box
in DNS Manager:
a. Open Control Panel, and double-click Network.
b. Click the Protocols tab, and click TCP/IP Protocol in the Network Protocols list.
c. Click Properties, and then click Advanced.
Match the IP addresses to those displayed in the DNS server Properties dialog box:
a. In DNS Manager, right-click the DNS server name, and then click Properties.
b. Compare the IP addresses with those from the Advanced IP Addressing dialog box. If there are no IP addresses configured in the Advanced
IP Addressing dialog box or on the Interfaces tab of the Server Properties dialog box, enter the IP address of your network adapter. Use the
ipconfig -all command to obtain your IP address.
Check the binding of the TCP/IP protocol to the network adapter:
a. Open Control Panel, and double-click Network.
b. Click the Bindings tab.
c. Verify that the bindings for all protocols to network adapters are enabled and that no broken connections exist in the stack.
408
DNS server could not open socket for address [IP address of server].
The DNS server could not open a socket with the current TCP/IP and DNS service configurations.
Verify that this is a valid IP address on this computer.
If the IP is not valid:
a. Use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces.
b. Stop and restart the DNS server. (If this was the only IP interface on this computer, the DNS server may not have started as a result of this
error. In that case, remove the DNS\Parameters\ListenAddress value in the services section of the registry and restart.)
If the IP is valid:
Verify that no other application (for example, another DNS server) is running that would attempt to use the DNS port.
4000, 4004, 4007, 4014, 4015
The DNS Server service relies on Active Directory to store and retrieve information for Active Directory-integrated zones. This error indicates that
Active Directory is not responding to requests from the DNS Server service. Ensure that Active Directory is functioning properly, troubleshoot any
problems, and then restart the DNS Server service.
For information about troubleshooting Active Directory, see Active Directory Troubleshooting Topics (http://go.microsoft.com/fwlink/?LinkId=95789).
To restart the DNS Server service:
a. Open the Services console. To open Services, click Start, click Control Panel, double-click Administrative Tools, and then click Services.
b. Right-click DNS Server, and then click Restart.
If the problem continues, restart the computer, and then use the Services console to verify that the DNS Server service has started.
4001
The DNS Server service relies on Active Directory to store and retrieve information for Active Directory-integrated zones. This error indicates that
Active Directory is not responding to requests from the DNS Server service. Ensure that Active Directory is functioning properly, troubleshoot any
problems, and then reload the zone.
For information about troubleshooting Active Directory, see Active Directory Troubleshooting Topics (http://go.microsoft.com/fwlink/?LinkId=95789).
To reload a zone:
a. Open the DNS console.
b. In the console tree, right-click the applicable zone, and then click Reload.
4016
The DNS Server service relies on Active Directory to store and retrieve information for Active Directory-integrated zones. This error indicates that
Active Directory is not responding to requests from the DNS Server service. Ensure that Active Directory is functioning properly, troubleshoot any
problems, and then retry the operation that failed.
For information about troubleshooting Active Directory, see Active Directory Troubleshooting Topics (http://go.microsoft.com/fwlink/?LinkId=95789).
Add a zone
If the event message indicates that an attempt to add a zone failed, you must create the zone after resolving any problems with Active Directory.
To add a zone:
a. Open the DNS console.
b. In the console tree, expand the DNS server, right-click the zone folder for the type of zone that you want to add, and then click New Zone to
open the New Zone Wizard.
c. Follow the instructions in the wizard to create the zone.
Delete a zone
If the event message indicates that an attempt to remove a zone failed, you must delete the zone after resolving any problems with Active Directory.
To delete a zone:
a. Open the DNS console.
b. In the console tree, expand the DNS server, right-click the zone folder for the type of zone that you want to delete.
c. Right-click the zone, and then click Delete.
Note
To open the DNS console, click Start, point to Administrative Tools, and then click DNS.
Note
If the DNS server for which you want to view the log is located on another computer, in the console tree, click DNS, and then on the Action menu, click Connect to DNS
Server. Click The following computer, and then specify the name or Internet Protocol (IP) address of the remote computer.
Value
Description
server_ip_address
The Internet Protocol (IP) address of the DNS server. For example, if the IP address of your DNS server is 10.0.0.1, type:
nslookup 127.0.0.1 10.0.0.1
Note
In the previous procedure, the syntax for the nslookup command is: nslookup [-option] host server. This command can be entered from any computer that is
running a Microsoft Windows operating system and has network connectivity to the DNS server that you want to query. Only the host argument is required.
If you do not supply an IP address or host name for server, the default DNS server specified in TCP/IP properties is queried.
When you enter 127.0.0.1 as the host, the server answers the reverse lookup with the name localhost from the 127.in-addr.arpa zone that the DNS Server
service creates automatically. A successful answer therefore confirms that the DNS Server service is running and reachable at the IP address that you
specified as the server; a timeout means that it is not.
Event ID
Description
6527
Zone expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut
down.
This event ID might appear when the DNS server is configured to host a secondary copy of the zone from another DNS server acting as its source or
master server. Verify that this server has network connectivity to its configured master server.
If the problem continues, consider one or more of the following options:
a. Delete the zone and recreate it, specifying either a different master server, or an updated and corrected IP address for the same master server.
b. If zone expiration continues, consider adjusting the expire interval.
6004
The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative %2. In the logged event, %1 is the IP address of the
requesting server and %2 is the zone name. A legitimate secondary server asks only for zones that this server hosts, so repeated requests from an
address that is not one of your secondary servers indicate an attempt to enumerate zone data (footprinting), and the source should be investigated.
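As an added example that is not part of the original guide, the following Windows PowerShell pass pulls the DNS Server events discussed in this section from the last 24 hours, counts them by event ID, and breaks event 6004 down by requesting address. The server name, the 24-hour window and the use of Get-EventLog (which reads the classic "DNS Server" log on Windows Server 2003 and later) are this example's assumptions.

```powershell
# Added example (not from the original guide): summarise the DNS Server events
# this section covers. Assumes rights to read the "DNS Server" event log on
# $dnsServer ("." is the local computer; an assumption for illustration).
$dnsServer = '.'
$ids = 140, 403, 407, 408, 4000, 4001, 4004, 4007, 4014, 4015, 4016, 6004, 6527

$events = Get-EventLog -ComputerName $dnsServer -LogName 'DNS Server' -After (Get-Date).AddDays(-1) |
    Where-Object { $ids -contains $_.EventID }

# Count per event ID so a burst of one kind stands out: the 4000 series means
# Active Directory is not answering, 6527 means a secondary zone has expired,
# and 6004 means someone asked for a zone this server does not serve.
$events | Group-Object EventID | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count

# Event 6004 carries the requester in %1 and the zone in %2, which are the
# first two replacement strings of the entry. Many 6004s from one address are
# a footprinting indicator (zone transfer attempts) worth following up.
$events | Where-Object { $_.EventID -eq 6004 } | ForEach-Object {
    New-Object -TypeName PSObject -Property @{
        Time      = $_.TimeGenerated
        Requester = $_.ReplacementStrings[0]
        Zone      = $_.ReplacementStrings[1]
    }
} | Group-Object Requester | Sort-Object Count -Descending |
    Select-Object @{ n = 'Requester'; e = { $_.Name } }, Count
```

Compare the requester addresses against the secondary servers you actually configured for each zone; anything else is either a misconfigured host or reconnaissance.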
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Optimizing DNS
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When Domain Name System (DNS) servers are initialized for service, they use server configuration settings that are taken from the parameters that are stated in a boot
information file, the registry, and (possibly) zone information that is provided through Active Directory integration.
In most situations, the installation defaults are acceptable and should not require modification. However, when necessary, you can tune various parameters to
accommodate special deployment needs and situations.
The following table describes advanced parameters that you can change to optimize the performance of DNS servers.
Parameter
Description
Disable
recursion
Determines whether or not the DNS server uses recursion. By default, the DNS Server service is enabled to use recursion.
BIND
secondaries
Determines whether zone transfers to secondary servers that run legacy Berkeley Internet Name Domain (BIND) implementations use the slower,
uncompressed format (one resource record per message) instead of the fast transfer format.
By default, Windows-based DNS servers use a fast zone transfer format. This format uses compression, and it can include multiple records per TCP
message during a connected transfer. It is also compatible with BIND-based DNS servers that run versions 4.9.4 and later; only earlier BIND versions
need the slower format that this option selects.
Fail on load
if bad zone
data
Enable
round robin
Determines whether the DNS server uses the round robin mechanism to rotate the order of the resource records in a response when more than one resource
record of the same type exists for the queried name.
By default, the DNS Server service uses round robin.
Enable
netmask
ordering
Determines whether the DNS server reorders the address (A) resource records within a resource record set in its response so that addresses on the same
subnet as the source of the query are listed first.
By default, the DNS Server service uses local subnet priority to reorder A resource records.
Secure
cache
against
pollution
Determines whether the DNS server checks the names in a response before caching them, to avoid cache pollution. This setting is enabled by default.
With the secure response option on, the server does not add to its cache the unrelated resource records that arrive in the additional section of a
referral answer. Without the check, every name in a referral answer is cached, which speeds up subsequent queries but also lets a remote server plant
records for names over which it has no authority.
With this feature, the server decides whether to cache a name that is offered in a referral on the basis of whether the name lies in the same DNS
domain name tree (the "bailiwick") as the name that was originally queried; names outside that tree are treated as potentially polluting and are
discarded.
For example, if a query is made originally for sales.wingtiptoys.com and a referral answer provides a record for a name outside the wingtiptoys.com
domain name tree, such as tailspintoys.com, that name is not cached when this feature is enabled.
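The bailiwick rule described above, written out as a function so that the boundary cases are explicit, followed by the dnscmd check for the setting itself. This is an added example, not code from the original guide; the function name and the sample names are assumptions for illustration, and the wingtiptoys.com and tailspintoys.com names are taken from the guide's own example.

```powershell
# Added example (not from the original guide): the "in bailiwick" test that
# the Secure cache against pollution option applies to names in a referral.
function Test-InBailiwick {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,   # domain tree the referring server is authoritative for
        [Parameter(Mandatory = $true)][string]$Name      # name offered in the referral's additional section
    )
    # Compare case-insensitively, ignore a trailing dot, and require a label
    # boundary: "evilwingtiptoys.com" must not pass as a child of wingtiptoys.com.
    $d = $Domain.TrimEnd('.').ToLowerInvariant()
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    return ($n -eq $d) -or $n.EndsWith('.' + $d)
}

# Names offered while resolving sales.wingtiptoys.com via the wingtiptoys.com servers:
Test-InBailiwick -Domain 'wingtiptoys.com' -Name 'ns1.wingtiptoys.com'       # True: cached
Test-InBailiwick -Domain 'wingtiptoys.com' -Name 'ns.tailspintoys.com'       # False: discarded
Test-InBailiwick -Domain 'wingtiptoys.com' -Name 'ns.evilwingtiptoys.com'    # False: not a child, only a substring
Test-InBailiwick -Domain 'wingtiptoys.com' -Name 'WINGTIPTOYS.COM.'          # True: the apex itself

# Confirm the server-side setting. SecureResponses is the configuration name
# behind "Secure cache against pollution"; 1 means enabled. Re-enable it if 0.
dnscmd . /Info SecureResponses
dnscmd . /Config /SecureResponses 1
```

The substring case is the one that matters in practice: a naive "ends with" comparison without the leading dot would accept a lookalike domain as in-bailiwick and cache whatever it offered.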
For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
To optimize DNS, complete the following procedures:
See Also
Other Resources
Deploying Domain Name System (DNS)
To enable or disable fast DNS zone transfers using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the BIND secondaries check box to send zone transfers to legacy BIND secondary servers in the slow, uncompressed format (fast zone transfers disabled), or clear it to use fast zone transfers, and then click OK.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable or disable fast DNS zone transfers using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /BindSecondaries {1|0}
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.)
/BindSecondaries
Specifies whether zone transfers to legacy BIND secondary servers use the slow, uncompressed format instead of the fast transfer format.
{1|0}
To use the slow format that BIND versions earlier than 4.9.4 require (fast zone transfers disabled), type 1 (on). To use the fast transfer format
(fast zone transfers enabled), type 0 (off).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable DNS round robin using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /RoundRobin {1|0}
Value
Description
ServerName
Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server.
To specify the DNS server on the local computer, you can also type a period (.).
/RoundRobin
{1|0}
To enable round robin, type 1 (on). To disable round robin, type 0 (off).
Property
Default setting
Disable recursion
Off
BIND secondaries
On
Fail on load if bad zone data
Off
Enable round robin
On
Enable netmask ordering
On
Secure cache against pollution
On
Name checking
Multibyte (UTF8)
Enable automatic scavenging of stale records
Off
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restore DNS server default preferences
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Disable recursion
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to disable recursion on the Domain Name System (DNS) server.
Note
If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
Disabling recursion
Using the Windows interface
Using the command line
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable recursion using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /NoRecursion {1|0}
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.).
/NoRecursion
{1|0}
Required. To disable recursion, type 1. To enable recursion, type 0. By default, recursion is enabled (NoRecursion is 0).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable local subnet prioritization using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /LocalNetPriority {1|0}
Value
Description
ServerName
Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).
/LocalNetPriority
{1|0}
To enable netmask ordering, type 1 (on). To disable netmask ordering, type 0 (off).
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To clear the server names cache using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /clearcache
Value
Description
ServerName
Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/clearcache
Required. Removes all cached resource records from the DNS server's cache. The zones that the server hosts are not affected. Clear the cache after you find polluted or stale data in it, for example after correcting a forwarder that returned wrong answers.
Configure DNSSEC
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify the configuration of Domain Name System (DNS) Security Extensions (DNSSEC). The value of the registry entry
EnableDnsSec determines whether the DNS server includes or excludes DNSSEC resource records (SIG, KEY and NXT) in the responses it sends to queries.
Windows Server 2003 supports only the original DNSSEC specification (RFC 2535): it can hold and serve a signed zone as a secondary server, but it does not
sign zones and does not validate signatures, so this setting controls what is returned to clients, not whether answers are verified.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To configure DNSSEC
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
EnableDnsSec
4. Do one of the following:
To exclude DNSSEC resource records in query responses other than responses to requests for SIG, KEY or NXT resource records, assign a value of 0x0.
Appropriate resource records will be included in responses to requests for SIG, KEY, or NXT resource records only.
To include the DNSSEC resource records in all query responses (according to RFC 2535), assign a value of 0x2.
To include DNSSEC resource records only in cases where the original client query contained the OPT resource record (according to RFC 2671), assign a value
of 0x1, or do not create the value at all. The DNS server behaves the same if the value is 0x1 or if the entry does not appear in the registry.
Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
Configure EDNS0
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify the EDNS0 configuration. The value of the registry entry EDNSCacheTimeout determines how long the Domain Name
System (DNS) server keeps the information it has learned about the extension mechanisms for DNS (EDNS) versions that are supported by other DNS servers
that have answered a query with an OPT resource record.
You can perform this procedure by using Registry Editor or by using the Dnscmd command-line tool.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
Configuring EDNS0
Using the Windows interface
Using the command line
Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
To modify EDNS0 configuration using the command line
At a command prompt, type one of the following commands, and then press ENTER:
dnscmd ServerName /Config /EDNSCacheTimeout Value
dnscmd ServerName /Config /EnableEDNSProbes Value
Value
Description
ServerName
Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
/Config
Required. Indicates that the command changes a server configuration setting. Use it with one of /EDNSCacheTimeout or /EnableEDNSProbes.
/EDNSCacheTimeout
Specifies the length of time that the DNS server remembers the EDNS parameters that remote servers report.
/EnableEDNSProbes
Specifies whether the DNS server probes other DNS servers to determine whether they support EDNS.
Value
Required. For /EDNSCacheTimeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days). For /EnableEDNSProbes, type 1 to configure
the DNS server to probe other DNS servers and determine whether they support EDNS, or type 0 to configure the DNS server not to probe remote servers
for EDNS support. If you type 0, the DNS server still uses EDNS when another server requests it.
Caution
When you configure the UDP packet size to be larger than 512 bytes, remember that the packets must pass through devices other than the two DNS hosts, such
as routers and firewalls, and some of those devices drop, or fail to reassemble, DNS messages over UDP that are larger than 512 bytes or larger than the
path's maximum transmission unit (MTU). Where possible, establish the largest UDP payload that every device on the path supports and the path MTU, and
configure your DNS hosts to that maximum. The symptom of a size that is too large is a response that never arrives.
Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use
Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the
registry, use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change UDP message size
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
MaximumUdpPacketSize
4. Type a maximum UDP packet size value in bytes.
The default value is 1280 bytes. The value must be between 512 and 16384 in decimal format (200 and 4000 in hexadecimal format).
5. Restart the DNS server.
Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
Securing DNS
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) was originally designed as an open protocol. Therefore, it is vulnerable to attackers. Security features in Windows Server 2003 DNS can help
you prevent an attack on your DNS infrastructure. Before considering which of the Windows Server 2003 security features to use, you should be aware of the following:
Footprinting. The process by which DNS zone data, including DNS domain names, computer names, and Internet Protocol (IP) addresses for sensitive network
resources, is obtained by an attacker. An attacker commonly begins an attack by using this DNS data to diagram, or "footprint," a network. DNS domain names and
computer names usually indicate the function or location of a domain or computer to help users remember and identify domains and computers more easily. An
attacker takes advantage of this same DNS naming principle to learn the function or location of domains and computers in the network.
Denial-of-service attack. A scenario in which an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network
with recursive queries. As a DNS server is flooded with queries, its CPU usage eventually reaches its maximum, and the DNS Server service becomes unavailable.
Without a fully operating DNS server on the network, network services that use DNS are unavailable to network users.
Data modification. An attempt by an attacker that has footprinted a network by using DNS to use valid IP addresses in IP packets that the attacker has
created, so that the packets appear to come from a valid IP address in the network. This is commonly called IP "spoofing." With a valid IP address (that
is, an IP address within the IP address range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.
Redirection. A scenario in which an attacker is able to redirect queries for DNS names to servers that are under the control of the attacker. One method of
redirection involves an attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers that are under the
control of the attacker. For example, if a query is made originally for sales.wingtiptoys.com and a referral answer provides a record for a domain name that the
attacker has outside the wingtiptoys.com domain, the DNS server uses the cached data for the attacker's domain to resolve a query for that name. Redirection can
occur whenever an attacker has writable access to DNS data, for example, in a scenario that includes dynamic updates that are not secure.
Low-Level Security
Low-level security is a standard DNS deployment without any security precautions configured. You should deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity.
Medium-Level Security
Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory:
The DNS infrastructure of your organization has limited exposure to the Internet.
All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
All DNS servers limit zone transfers to servers that are listed in the name server (NS) resource records in their zones.
DNS servers are configured to listen on specified IP addresses.
Cache pollution prevention is enabled on all DNS servers.
Dynamic update that is not secure is not allowed for any DNS zones.
Internal DNS servers communicate with external DNS servers through a firewall with a limited list of allowed source addresses and destination addresses.
External DNS servers in front of the firewall are configured with root hints that point to the root servers for the Internet.
All Internet name resolution is performed by using proxy servers and gateways.
High-Level Security
High-level security uses the same configuration as medium-level security. It also uses the security features that are available when the DNS Server service is running on a
domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a
typical configuration, but it is recommended whenever Internet connectivity is not required:
The DNS infrastructure of your organization has no Internet communication by means of internal DNS servers.
Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
DNS servers that are configured with forwarders use internal DNS server IP addresses only.
All DNS servers limit zone transfers to specified IP addresses.
DNS servers are configured to listen on specified IP addresses.
Cache pollution prevention is enabled on all DNS servers.
Internal DNS servers are configured with root hints that point to the internal DNS servers that host the root zone for your internal namespace.
All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific
individuals to perform administrative tasks on the DNS server.
All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
Secure dynamic update is configured for DNS zones except the top-level zones and root zones, which do not allow dynamic updates at all.
Securing DNS
The following tasks for securing DNS are described in this objective:
Configure secure dynamic updates. By default, the Dynamic updates option is not set to allow dynamic updates. This is the most secure setting because it
prevents an attacker from updating DNS zones. However, this setting prevents you from taking advantage of the benefits to administration that dynamic updates
provide. To make it possible for computers to update DNS data securely, store DNS zones in Active Directory, and use the secure dynamic update feature. Secure
dynamic update restricts DNS zone updates to only the following:
Computers that are authenticated and joined to the Active Directory domain where the DNS server is located
The specific security settings that are defined in the access control lists (ACLs) for the DNS zone
Restrict zone transfers. By default, the DNS Server service allows zone information to be transferred only to servers that are listed in the name server (NS) resource
records of a zone. This is a secure configuration. However, for increased security this configuration should be changed to enable the option to allow zone transfers
to specified Internet Protocol (IP) addresses. Changing this configuration to allow zone transfers to any server at all may expose your DNS data to an attacker who is
attempting to footprint your network.
Understand the compromise involved in zone delegation. When you decide whether to delegate DNS domain names to zones that are hosted on DNS servers that are administered separately, it is important to consider the security implications of giving the ability to administer the DNS data for your network to multiple individuals. DNS zone delegation involves a compromise between the security benefits of having a single authoritative DNS server for all DNS data and the administrative benefits of distributing responsibility for your DNS namespace to separate administrators. This issue is very important when you delegate the top-level domains of a private DNS namespace, because those domains contain very sensitive DNS data.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
2014 Microsoft. All rights reserved.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable secure dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName|..AllZones: Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate 2: Required. Configures the server to allow secure dynamic updates. If you exclude the 2, the zone is set to perform standard dynamic updates only.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify DNS zone transfer settings using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr|/NonSecure|/SecureNs|/SecureList SecondaryIPAddress...}
ServerName: Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
/NoXfr: Disallows zone transfers for the zone.
/NonSecure: Permits zone transfers to any DNS server that requests them.
/SecureNs: Permits zone transfers only to DNS servers that are listed in the zone using NS resource records.
/SecureList: Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.
SecondaryIPAddress: Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.
Delegating a Zone
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS
servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
You want to delegate management of part of your DNS namespace to another location or department in your organization.
You want to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improving DNS name resolution performance, or creating
a more fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.
If, for any of these reasons, your network can benefit from delegating zones, it may make sense to restructure your namespace by adding additional zones. When choosing
how to structure zones, use a plan that reflects the structure of your organization.
When you delegate zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the
authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers
that are being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file that contains all resource record information on a single DNS server. This server acts as the primary
master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.
When you structure your zones, there are several good reasons to use additional DNS servers for zone replication:
Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network
(WAN) link can be useful in managing and reducing network traffic.
Additional secondary servers can be used to reduce loads on a primary server for a zone.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
Install Nslookup.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To create a new zone delegation using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}
ServerName: Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the start-of-authority (SOA) record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: If this parameter is used, this resource record is able to be aged and scavenged. If it is not used, the resource record remains in the DNS database unless it is updated or removed manually.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
NS: Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
HostName|FQDN: Required. Specifies the host name or FQDN of the new authoritative server.
Value
Description
RootServerIpAddress
set norecursion
set q=NS
Limit the Internet Protocol (IP) addresses that the DNS Server service listens on to the IP address that is used by its DNS clients as their preferred DNS server. By
default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries on all its IP addresses.
Leave the Secure cache against pollution option enabled. By default, the DNS Server service is secured from cache pollution, which occurs when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option prevents an attacker from polluting the cache of a DNS server with resource records that were not requested by the DNS server. Changing this default setting reduces the integrity of the responses that are provided by the DNS Server service.
Disable recursion. By default, recursion is not disabled for the DNS Server service. This enables the DNS server to perform recursive queries on behalf of its DNS clients and the DNS servers that have forwarded DNS client queries to it. Recursion can be used by attackers to deny the availability of the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, recursion should be disabled on that server.
If you have an internal DNS root in your DNS infrastructure, configure the root hints of internal DNS servers to point only to the DNS servers that host your root
domain, not to the DNS servers that host the Internet root domain. This prevents your internal DNS servers from sending private information over the Internet when
they resolve names.
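The redirection threat described earlier (a referral for sales.wingtiptoys.com carrying a record for a name outside wingtiptoys.com) and the Secure cache against pollution option above both come down to one rule: a resolver should only cache records that fall inside the zone it was consulting. The following Python script is an added illustration of that rule (it is not code from this guide or from the Windows DNS Server service, whose exact internal checks are not documented here); the response records, names and addresses are constructed, and "secure" stands in for the option being on or off.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a DNS response."""
    name: str
    rtype: str
    data: str
    ttl: int = 3600


Cache = Dict[Tuple[str, str], RR]  # keyed by (owner name, record type)


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True when record_name is the zone apex or a name below it.
    The '.' prefix keeps notwingtiptoys.com from matching wingtiptoys.com."""
    r, z = normalize(record_name), normalize(zone)
    return r == z or r.endswith("." + z)


def cache_response(cache: Cache, answering_zone: str, records: List[RR],
                   secure: bool) -> List[RR]:
    """Store a response's records in the cache and return the rejected ones.
    answering_zone is the zone the answering server was consulted for (the
    delegation the resolver followed). With secure=True, only records inside
    that zone are accepted; everything else was not asked for and is dropped."""
    rejected: List[RR] = []
    for rr in records:
        if secure and not in_bailiwick(rr.name, answering_zone):
            rejected.append(rr)
            continue
        cache[(normalize(rr.name), rr.rtype.upper())] = rr
    return rejected


def lookup(cache: Cache, name: str, rtype: str) -> Optional[str]:
    """Answer a later query from the cache, or None on a miss."""
    rr = cache.get((normalize(name), rtype.upper()))
    return rr.data if rr else None


# Constructed response from the wingtiptoys.com server to a query for
# sales.wingtiptoys.com. The last two records name a different domain:
# if cached, they would redirect later contoso.com lookups to 203.0.113.9.
RESPONSE_FROM_WINGTIPTOYS = [
    RR("sales.wingtiptoys.com", "A", "192.0.2.10"),
    RR("wingtiptoys.com", "NS", "ns1.wingtiptoys.com"),
    RR("ns1.wingtiptoys.com", "A", "192.0.2.53"),
    RR("www.contoso.com", "A", "203.0.113.9"),
    RR("contoso.com", "NS", "ns1.wingtiptoys.com"),
]


def demo(secure: bool) -> Tuple[Optional[str], List[str]]:
    """Cache the constructed response, then resolve www.contoso.com from
    the cache. Returns (cached answer or None, names of rejected records)."""
    cache: Cache = {}
    rejected = cache_response(cache, "wingtiptoys.com",
                              RESPONSE_FROM_WINGTIPTOYS, secure)
    return lookup(cache, "www.contoso.com", "A"), [rr.name for rr in rejected]


if __name__ == "__main__":
    print("secure cache off:", demo(False))  # polluted answer is served
    print("secure cache on: ", demo(True))   # out-of-zone records rejected
```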
For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
To restrict the DNS server to listen on selected IP addresses using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. On the Interfaces tab, click Only the following IP addresses.
5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.
6. Repeat the previous step as needed to specify other server IP addresses to be enabled for use by this DNS server.
If you want to remove an IP address from the list, click the IP address, and then click Remove.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To restrict the DNS server to listen on selected IP addresses using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ResetListenAddresses [ListenAddress...]
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ResetListenAddresses: Required. Resets the IP addresses of the interfaces on which the DNS server listens.
ListenAddress...: Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Disable recursion
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to disable recursion on the Domain Name System (DNS) server.
Note
If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
Disabling recursion
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable recursion using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /NoRecursion {1|0}
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/NoRecursion {1|0}: Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
Whenever possible, specify static Internet Protocol (IP) addresses for the preferred and alternate DNS servers that are to be used by a DNS client. If a DNS client is
configured to obtain its DNS server addresses automatically, it will obtain them from a Dynamic Host Configuration Protocol (DHCP) server. While this method of
obtaining DNS server addresses is secure, it is only as secure as the DHCP server. By configuring DNS clients with static IP addresses for the preferred and alternate
DNS servers, you eliminate one possible avenue of attack.
Control which DNS clients have access to the DNS server. If a DNS server is configured to listen only on specific IP addresses, only DNS clients that are configured to
use these IP addresses as preferred and alternate DNS servers will contact the DNS server.
For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:
Install Dnscmd.
See Also
Other Resources
Deploying Domain Name System (DNS)
Note
To open Network Connections, click Start, point to Control Panel, and then click Network Connections.
Acknowledgments
Produced by: Microsoft Windows Server User Assistance team
Project Writer: Andrea Weiss
Project Editor: Jim Becker
You have a problem that you believe is related to DNS, but you do not know how to resolve it.
You configure DNS settings, but DNS does not behave the way that you anticipate.
A program is not working properly, and you believe that DNS is causing the problem.
Do not use this guide to find out how to perform a task, such as configuring a stub zone or installing DNS. Information about how to perform tasks and configure settings
can be found in Administering DNS Operations.
This guide assumes that you have a basic understanding of what DNS is, how it works, and why your organization uses it for name resolution. You should also have a
thorough understanding of how DNS is deployed and managed in your organization. This includes an understanding of the mechanism that your organization uses to
configure and manage DNS settings.
Make sure you have administrative rights on the computer that you are troubleshooting.
You cannot modify DNS settings unless you are a member of the Administrators group on the computer that you are troubleshooting.
To verify that you are a member of the Administrators group on the computer that you are troubleshooting
1. Open the Computer Management snap-in.
2. In the console tree, double-click Local Users and Groups, and then click Groups.
3. In the details pane, double-click Administrators and verify that your account name, or a group of which your account is a member, appears in the Members list.
Install all critical updates and security updates for Windows Server 2003.
Some updates might be required for DNS to function properly.
To verify that you have all critical updates and security updates for Windows Server 2003
Click Start, click Windows Update, and then follow the instructions that appear on your screen.
You can also run Dcdiag.exe on computers running Windows XP Professional, Windows XP Professional with SP1, or Windows XP Professional with Service Pack 2 (SP2).
Options for other tools vary by tool.
Administrative credentials: To complete this procedure, you must be a member of the Builtin Administrators group.
Operating system: Windows Server 2003 with SP1. You cannot use Suptools.msi to install the SP1 version of Windows Support Tools on a computer that is not
running Windows Server 2003 with SP1.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To enable DNS debug logging
1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Debug Logging tab.
4. Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.
Notes
To set the debug logging options, you must first select Log packets for debugging.
To obtain useful debug logging output, select an option under Packet direction, an option under Transport protocol, and at least one more option.
In addition to selecting events for the DNS debug log file, you can specify the file name, location, and maximum file size for the file. In most cases, the default
selections are adequate. You may want to limit the traffic that the logging captures. If you want to limit the logging traffic to traffic between your server and a
specific DNS server, select the Filter packets by IP address check box, and then click Filter to add the appropriate IP addresses.
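Once packet logging is on, the log is also the place to spot the recursive-query flooding described under the denial-of-service threat earlier in this chapter. The Python script below is an added example (not part of this guide) that parses packet entries in the general shape of the Windows DNS Server debug log and flags sources that send more than a threshold of recursion-desired queries inside a sliding time window; the sample lines are constructed, and the exact column layout is an assumption to check against the header of your own log file.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample (not captured from a real server). Each line follows the
# assumed layout of a debug log packet entry: date, time, thread id, PACKET,
# context, transport, direction (Rcv/Snd), remote address, XID, Q (query) or
# R Q (response), [flags-hex flag-chars rcode], record type, wire-format name.
# The flag character D means the client set "recursion desired".
SAMPLE_LOG = """\
1/26/2014 10:15:30 AM 0C10 PACKET  00000000028A4B00 UDP Rcv 192.168.0.50   0001   Q [0001   D   NOERROR] A      (7)server5(7)contoso(3)com(0)
1/26/2014 10:15:30 AM 0C10 PACKET  00000000028A4B00 UDP Snd 192.168.0.50   0001 R Q [8081   DR  NOERROR] A      (7)server5(7)contoso(3)com(0)
1/26/2014 10:15:31 AM 0C10 PACKET  00000000028A4C00 UDP Rcv 192.168.0.77   0101   Q [0001   D   NOERROR] A      (5)sales(11)wingtiptoys(3)com(0)
1/26/2014 10:15:31 AM 0C10 PACKET  00000000028A4D00 UDP Rcv 192.168.0.77   0102   Q [0001   D   NOERROR] A      (4)mail(11)wingtiptoys(3)com(0)
1/26/2014 10:15:31 AM 0C10 PACKET  00000000028A4E00 UDP Rcv 192.168.0.77   0103   Q [0001   D   NOERROR] MX     (11)wingtiptoys(3)com(0)
1/26/2014 10:15:32 AM 0C10 PACKET  00000000028A4F00 UDP Rcv 192.168.0.77   0104   Q [0001   D   NOERROR] A      (3)www(11)wingtiptoys(3)com(0)
1/26/2014 10:15:32 AM 0C10 PACKET  00000000028A5000 UDP Rcv 192.168.0.77   0105   Q [0001   D   NOERROR] AAAA   (3)www(11)wingtiptoys(3)com(0)
1/26/2014 10:15:32 AM 0C10 PACKET  00000000028A5100 UDP Rcv 192.168.0.77   0106   Q [0001   D   NOERROR] A      (3)ftp(11)wingtiptoys(3)com(0)
1/26/2014 10:15:32 AM 0C10 PACKET  00000000028A5200 TCP Rcv 192.168.0.90   0002   Q [0000       NOERROR] A      (3)www(7)contoso(3)com(0)
1/26/2014 10:15:33 AM 0C10 PACKET  00000000028A5300 TCP Rcv 192.168.0.90   0003   Q [0000       NOERROR] A      (4)mail(7)contoso(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<tid>\S+) PACKET\s+(?P<ctx>\S+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<addr>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?P<qr>R Q|Q)\s+\[(?P<flags>[0-9A-Fa-f]+)\s+(?:(?P<fchars>[A-Z]+)\s+)?(?P<rcode>[A-Z]+)\]"
    r"\s+(?P<rtype>\S+)\s+(?P<name>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")  # (len)label pairs of the wire name


@dataclass(frozen=True)
class LogRecord:
    ts: datetime
    proto: str
    direction: str    # "Rcv" = received by this server, "Snd" = sent by it
    addr: str         # remote address
    is_query: bool
    flag_chars: str   # e.g. "D" recursion desired, "R" recursion available
    rcode: str
    rtype: str
    name: str


def decode_name(wire_name: str) -> str:
    """Turn (5)sales(11)wingtiptoys(3)com(0) into sales.wingtiptoys.com."""
    return ".".join(lbl for _, lbl in LABEL_RE.findall(wire_name) if lbl)


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one packet entry; return None for headers or unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return LogRecord(ts, m["proto"], m["dir"], m["addr"], m["qr"] == "Q",
                     m["fchars"] or "", m["rcode"], m["rtype"], decode_name(m["name"]))


def detect_recursive_floods(log_text: str, threshold: int,
                            window_seconds: int) -> Dict[str, int]:
    """Return {source_ip: peak_count} for every source that sent more than
    `threshold` recursion-desired queries to this server within any span of
    `window_seconds`. Only received (Rcv) queries carrying the D flag count;
    responses we sent and iterative queries are ignored."""
    arrivals: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.direction != "Rcv" or not rec.is_query:
            continue
        if "D" not in rec.flag_chars:
            continue
        arrivals[rec.addr].append(rec.ts)

    flagged: Dict[str, int] = {}
    for addr, times in arrivals.items():
        window: deque = deque()   # arrivals inside the current time window
        peak = 0
        for t in sorted(times):
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[addr] = peak
    return flagged


if __name__ == "__main__":
    for src, n in detect_recursive_floods(SAMPLE_LOG, 4, 5).items():
        print(f"{src}: {n} recursive queries within 5 s")
```

Tune the threshold and window to your own query volumes before acting on the output, and remember that sources behind a forwarder all appear as the forwarder's address.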
If you suspect that domain controllers are having difficulty resolving DNS names, see Perform DNS Health Check (http://go.microsoft.com/fwlink/?LinkId=111844).
Cause
The host might not be configured properly to allow secure dynamic DNS updates. It might be configured to use an external DNS server, or it might be experiencing other
DNS configuration problems.
Solution
First, try to solve this problem by using the troubleshooting information in Dynamic updates for host records fail.
Hosts that perform secure dynamic updates should be members of a Windows 2000 Server or Windows Server 2003 domain, and they should be in a domain that is in the
same forest as the DNS server.
Verify that there is no problem with the machine account of the host that is attempting the update. Determine whether other hosts successfully perform secure dynamic
updates. If the problem is occurring on only one host, try removing the host from the domain and then rejoining it to the domain.
Verify that a record does not already exist with the same name. By default, records that are created by one host cannot be modified or removed by a different host. If
there is an existing record with the same name, delete the existing record and have the host attempt to register again.
To initiate a dynamic update for host and PTR records
At a command prompt, type the following command, and then press ENTER:
ipconfig /registerdns
Cause
The DNS server might be experiencing cache pollution. This is caused by the DNS server receiving and caching an inaccurate start of authority (SOA) record for a portion
of the Internet namespace. For example:
Solution
Configure the DNS server for protection against cache pollution by completing the following procedure.
To configure the DNS server for protection against cache pollution
1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the DNS server that you want to protect against cache pollution, click Properties, and then click the Advanced tab.
3. Select the Secure cache against pollution check box, and then click OK.
Cause
Several problems can cause DNS name resolution to fail. If you have reviewed the topics for other problems in Troubleshooting Domain Name System Problems and they
do not seem to be the cause of the problem, DNS settings might be configured incorrectly on the DNS client.
Solution
Verify that the client does not have an external DNS server, such as a DNS server from an Internet service provider (ISP), in its TCP/IP configuration. In most cases, the client
should not use a DNS server from an ISP as either the preferred or alternate DNS server, because the DNS server at the ISP is unable to resolve internal names. Using a
DNS server from an ISP in a client's TCP/IP configuration can also cause problems with conflicting internal and external namespaces.
To verify DNS configuration in TCP/IP settings
1. Log on to the DNS client computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network and Dial-up Connections, right-click the local area connection that you want, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. Ensure that the appropriate DNS server IP addresses are configured in Preferred DNS server and Alternate DNS server. If Obtain an IP address automatically is
selected, click the Alternate Configuration tab, and then review all the IP settings that are configured there.
6. Type the following at a command prompt, and then press ENTER:
ipconfig /all
7. Review the DNS server settings, and verify that they are correct.
a. If the DNS server settings are not correct, ensure the appropriate settings are configured on the Dynamic Host Configuration Protocol (DHCP) server.
b. If your computer has an IP address that begins with 169.254, it is not obtaining an IP address from a DHCP server and likely does not have Alternate
Configuration enabled. In this case, diagnose the issue with the DHCP server or set an appropriate static IP address either directly or as an alternate
configuration.
Next, use the following procedure to verify that the name can be resolved by the DNS server.
To verify name resolution
At a command prompt, type the following command, and then press ENTER:
nslookup host_name server_IP_address
Substitute the actual host name that you are trying to resolve for host_name and the IP address of the DNS server for server_IP_address. For example, if the host name that
you are trying to resolve has a fully qualified domain name (FQDN) of server5.contoso.com and the DNS server's IP address is 192.168.0.200, type the following command,
and then press ENTER:
nslookup server5 192.168.0.200
You can also try using the FQDN:
nslookup server5.contoso.com 192.168.0.200
If the host name alone does not resolve, but the FQDN does resolve, confirm that the primary or connection-specific DNS suffix is configured correctly. You can use the
following procedure to add a DNS suffix search list.
To add a DNS suffix search list
1. Click Start, right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Double-click Internet Protocol (TCP/IP), and then click Advanced.
4. Click the DNS tab, and then click Append these DNS suffixes (in order).
5. Click Add, type the domain suffix of the desired domain, and then click Add.
If both Nslookup commands fail to resolve the name, the problem is likely with the DNS server records or configuration, or it may be the result of a connectivity issue
between the DNS client and DNS server, such as a firewall blocking DNS queries (which are typically offered on TCP port 53). You can use the Portqry tool to test network
connectivity between two computers. For more information about downloading and using Portqry, see article 832919 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=111855).
If the connection is not successful, look for a firewall on the DNS client, DNS server, or somewhere between the two that could cause the connection failure. If you are
diagnosing a connection failure between two computers, you can try using the Portqry tool to test it. For more information about downloading and using Portqry, see
article 832919 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=111855).
If Portqry fails, there may be a connectivity issue between the computers. You can try using the Tracert or Pathping tools to find out where the failure exists. However, these tools are not always reliable because many hosts and servers disable the Internet Control Message Protocol (ICMP) echo functionality on which these tools depend. Even so, using one of these tools may help locate the source of a problem. For more information about using Tracert, see article 314868 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=111861). For information about using Pathping, see Pathping (http://go.microsoft.com/fwlink/?LinkId=111864).
Note
If you locate and correct any issues on the DNS server, it is probable that your client computer cached the incorrect information, and your name resolution queries may
still fail. To resolve this issue, clear the DNS client resolve cache on the client computer. To clear the cache, type the following command at a command prompt, and
then press ENTER:
ipconfig /flushdns
For additional information about troubleshooting the DNS client configuration, see Validate DNS Client Settings (http://go.microsoft.com/fwlink/?LinkId=111865).
The DNS server encountered a problem while attempting to load the zone. The transfer of zone data from the master server failed.
Correct the problem then either press F5, or on the Action menu, click Refresh.
For more information about troubleshooting DNS zone problems, see Help.
Cause
The primary DNS server might not be configured properly to allow zone transfers from the secondary DNS server.
Solution
Use the following procedure to verify that the primary DNS server is configured to allow zone transfers from the secondary DNS server.
To verify that the primary DNS server is configured to allow zone transfers from the secondary DNS server
1. On the primary DNS server, click Start, point to All Programs, click Administrative Tools, and then click DNS.
2. In the console tree, double-click the DNS server.
3. In the console tree, double-click Forward Lookup Zones or Reverse Lookup Zones, as applicable.
4. Right-click the zone, click Properties, and then click the Zone Transfers tab.
5. Ensure that the Allow zone transfers check box is selected.
If zone transfer fails with Event ID 6525, "Zone transfer for secondary zone <zone_name> refused by master server", and the master server allows dynamic updates for the
zone, these failures are due to the zone transfer throttling mechanism, and they are expected. This mechanism limits the number of zone transfers to allow regular dynamic
updates to take place.
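The same check as the console procedure above, as an added example that is not part of this guide. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, which the 2008-era steps above predate), and the zone name is a constructed placeholder.

```powershell
# Added example, not from the original guide. Requires the DnsServer module
# (Windows Server 2012 or later); run the first part on the primary (master)
# server and the event check on the secondary that reports the failure.
$ZoneName = 'contoso.example'   # constructed placeholder; replace with your zone

# --- On the primary server: the cmdlet view of the "Zone Transfers" tab ---
$zone = Get-DnsServerZone -Name $ZoneName

# SecureSecondaries values:
#   NoTransfer               - "Allow zone transfers" check box is cleared
#   TransferAnyServer        - any requester may pull the zone (exposes all records)
#   TransferToZoneNameServer - only servers listed in the zone's NS records
#   TransferToSecureServers  - only the explicit SecondaryServers list
switch ($zone.SecureSecondaries) {
    'NoTransfer' {
        Write-Warning "Zone transfers are disabled for $ZoneName; secondaries cannot load the zone."
    }
    'TransferAnyServer' {
        Write-Warning "Zone $ZoneName transfers to any requester; restrict it to the known secondaries."
    }
    'TransferToSecureServers' {
        Write-Output "Zone $ZoneName transfers only to: $($zone.SecondaryServers -join ', ')"
    }
    default {
        Write-Output "Zone $ZoneName transfer setting: $($zone.SecureSecondaries)"
    }
}

# --- On the secondary server: recent refusals (Event ID 6525, DNS Server log) ---
# When the master also accepts dynamic updates, these are the expected throttling
# events described above rather than a misconfiguration.
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 6525 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```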
There might not be any error messages associated with these events. The only symptom of the problem might be the fact that the hosts records do not show up in the
Domain Name System (DNS) zone.
Cause
The host might not be configured properly to allow dynamic DNS updates. It might be configured to use an external DNS server, or it might be experiencing other DNS
configuration problems.
Solution
You can use the following procedure to verify that the host is configured for dynamic DNS updates.
To verify that the host is configured for dynamic DNS updates
1. Log on to the computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network Connections, right-click Local Area Connection, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. In Internet Protocol (TCP/IP) Properties, click Advanced, and then click the DNS tab.
6. Ensure that both of the following check boxes are selected:
Register this connection's addresses in DNS
Use this connection's DNS suffix in DNS registration
7. Click OK.
You can use the following procedure to verify that the client does not have an external DNS server, such as a DNS server from an Internet service provider (ISP), in its
TCP/IP configuration. In most cases, the client should not use a DNS server from an ISP as either the preferred or alternate DNS server, because the DNS server at the ISP
is unable to resolve internal names. Using a DNS server from an ISP in a client's TCP/IP configuration can also cause problems with conflicting internal and external
namespaces.
To verify DNS configuration in TCP/IP settings
1. Log on to the computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network Connections, right-click Local Area Connection, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. If Obtain an IP address automatically is selected, type the following at a command prompt:
ipconfig /all
6. Review the DNS server settings and verify that they are correct.
You can use the following procedure to verify that the start-of-authority (SOA) resource record can be resolved by the DNS servers. In this procedure, you use the
Nslookup.exe tool to test name resolution for the SOA record for the domain that the client is attempting to register in. Test this name resolution from each one of the
DNS servers that the client is configured to use.
To verify that the SOA record can be resolved by the DNS servers
1. At a command prompt, type the following command, and then press ENTER:
nslookup
2. At the nslookup: prompt, type the following command, and then press ENTER:
set querytype=SOA
3. At the nslookup: prompt, type the full name of the DNS zone that the client should be registering in and include a terminating dot at the end of the domain
name and then press ENTER.
4. To test another DNS server, at the nslookup: prompt, type the following command, and then press ENTER:
server IP_address
Then, type the domain name to be tested, and then press ENTER.
If this query attempt fails from any of your DNS servers, you might need to remove that DNS server from the client's TCP/IP settings.
You can use the following procedure to verify that the DNS zone is enabled for dynamic updates. Open the DNS management console to verify that the zone that the
clients need to register in is configured to accept dynamic updates.
To verify that the DNS zone is enabled for dynamic updates
1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, double-click the appropriate DNS server name, and then double-click Forward Lookup Zones.
3. Right-click the zone, and then click Properties.
4. On the General tab, view the Dynamic updates setting and make sure that it is set to Nonsecure and secure or Secure only.
5. If the setting is already set to Secure only and updates are still failing, try setting the zone to Nonsecure and secure for testing. If failures are seen only for Secure
only, see Secure dynamic updates fail.
You can use the following procedure to verify that the Dynamic Host Configuration Protocol (DHCP) Client service is started. The DHCP Client service is used to perform
dynamic updates, and it must be running.
To verify the status of DHCP or to start DHCP
1. Click Start, point to All Programs, point to Administrative Tools, and then click Services.
2. In the details pane, double-click DHCP Client and verify that the status of that service is Started. If the status is not Started, click Start to start the service.
You can use the following procedure to verify whether a single-label DNS domain name is being used.
To verify whether a single-label DNS domain name is being used
1. At a command prompt, type the following, and then press ENTER:
ipconfig /all
2. View the Primary DNS Suffix and the Connection-specific DNS Suffix to make sure that the specified domain name has at least two parts, separated by a dot, for
example, fabrikam.com. An example of a single-label domain is fabrikam.
3. If the host is using a single-label domain name, and this is correct for the environment, you have to use the registry setting of UpdateTopLevelDomainZones. For
more information about this registry setting, see article 300684, "Information about configuring Windows for domains with single-label DNS names," in the Microsoft
Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=37924).
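The client-side checks from the procedures above (registration options, configured DNS servers, SOA resolution per server, the DHCP Client service, and the single-label suffix) run together, as an added example that is not part of this guide. It assumes the DnsClient module (Windows 8 / Windows Server 2012 or later, which the TCP/IP dialog steps above predate); the zone name is a constructed placeholder.

```powershell
# Added example, not from the original guide. Requires the DnsClient module
# (Windows 8 / Windows Server 2012 or later). Run on the client that fails to register.
$ZoneName = 'corp.contoso.example'   # constructed placeholder; the zone the client should register in

# Procedure 1, step 6: both registration options must be enabled on the interface.
Get-DnsClient |
    Where-Object { -not $_.RegisterThisConnectionsAddress -or -not $_.UseSuffixWhenRegistering } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias): DNS registration options are not both enabled" }

# Procedure 2: list the configured DNS servers so an ISP address can be spotted.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
Write-Output "Configured DNS servers: $($servers -join ', ')"

# Procedure 3: the SOA for the zone must resolve from every configured server
# (the nslookup 'set querytype=SOA' test, repeated per server, terminating dot included).
foreach ($s in $servers) {
    try {
        $soa = Resolve-DnsName -Name "$ZoneName." -Type SOA -Server $s -DnsOnly -ErrorAction Stop
        Write-Output "$s answers SOA for $ZoneName (primary: $($soa.PrimaryServer))"
    } catch {
        Write-Warning "$s cannot resolve SOA for $ZoneName; consider removing it from the client's DNS list"
    }
}

# Procedure 5: the DHCP Client service (service name 'Dhcp') performs the dynamic updates.
$dhcp = Get-Service -Name Dhcp
if ($dhcp.Status -ne 'Running') { Write-Warning "DHCP Client service is $($dhcp.Status); start it" }

# Procedure 6: a single-label primary DNS suffix needs the UpdateTopLevelDomainZones setting.
# The primary suffix is read from the Tcpip\Parameters 'Domain' value (same value ipconfig /all shows).
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
if ([string]::IsNullOrEmpty($suffix)) {
    Write-Warning 'No primary DNS suffix is configured'
} elseif ($suffix -notmatch '\.') {
    Write-Warning "Primary DNS suffix '$suffix' is single-label; see KB 300684 (UpdateTopLevelDomainZones)"
} else {
    Write-Output "Primary DNS suffix: $suffix"
}
```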
For information about troubleshooting DNS problems, see Troubleshooting Domain Name System.