
My Collection

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without
notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use
this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft. All rights reserved.
Terms of Use (http://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)

Table Of Contents
Chapter 1
DNS Server Overview
Administering DNS Operations
Introduction to Administering DNS Operations
Managing DNS
DNS Operations Guide

Chapter 1

DNS Server Overview


Applies To: Windows Server 2008
By using the Domain Name System (DNS) server role, you can provide a primary name resolution process for users on your network. The name resolution process enables
users to locate computers on the network by querying for a user-friendly computer name instead of an IP address. A computer running the DNS server role can host the
records of a distributed DNS database and use the records to resolve DNS name queries that are sent by DNS client computers. These queries can include requests such
as the names of Web sites or computers in your network or on the Internet.
You can also integrate the DNS server role with Active Directory Domain Services (AD DS) to store and replicate DNS zones. This makes multimaster replication possible,
along with more secure transmission of DNS data. In turn, AD DS requires DNS so that clients can locate domain controllers.
In the following sections, learn more about the DNS server role, the required and optional features in the DNS server role, and hardware and software for running it. In
addition, learn how to open the administrative tool for the DNS server role and how to find more information about it.

What is the DNS server role?


DNS is a system for naming computers and network services that organizes them into a hierarchy of domains. DNS naming is used on TCP/IP networks, such as the
Internet, to locate computers and services with user-friendly names. When a user enters the DNS name of a computer in an application, DNS clients and servers work
together to look up the name and provide other information that is associated with the computer, such as its IP address or services that it provides for the network. This
process is called name resolution.
The DNS server role makes it possible for a server running Windows Server 2008 to act as a name resolution server for a TCP/IP network. The network can contain
computers running Windows as well as computers running other operating systems. The DNS service in Windows Server 2008 is tightly integrated with Dynamic Host
Configuration Protocol (DHCP) so that Windows-based DHCP clients and Windows-based DHCP servers automatically register host names and IP addresses on the DNS
server for the appropriate domain.
Typically, Windows Server 2008 DNS is integrated with AD DS. In this environment, DNS namespaces mirror the Active Directory forests and domains for an organization.
Network hosts and services are configured with DNS names so that they can be located in the network, and they are also configured with DNS servers that resolve the
names of Active Directory domain controllers.
Windows Server 2008 DNS is also often deployed as a non-AD DS, or "standard," DNS solution. For example, it can be deployed for the purposes of hosting the Internet
presence of an organization.
The Windows Server 2008 DNS server service supports and complies with standards that are specified in the set of DNS Requests for Comments (RFCs). Therefore, it is
fully compatible with any other RFC-compliant DNS server. A DNS client resolver is included as a service in all client and server versions of the Windows operating system.

New features in the DNS server role


The central feature of the DNS server role is the DNS Server service. This service provides a DNS server that is fully compliant with industry standards, and it supports all
standards-compliant DNS clients. You can administer a Windows Server 2008 DNS server by using a Microsoft Management Console (MMC) snap-in as well as a number
of command-line tools.
Windows Server 2008 supports the new features in the following table.

Feature: DNAME resource record support
Description: The DNAME resource record provides nonterminal domain name redirection. That is, unlike the CNAME record, which creates an alias for a single node
only, a single DNAME resource record causes the renaming of a root and all descendants in a domain namespace subtree. This makes it possible for
organizations to rename a portion of their domain namespace, for example, to merge two namespaces as a result of a business acquisition.

Feature: Support for IPv6 addresses
Description: Internet Protocol version 6 (IPv6) specifies addresses that are 128 bits in length, compared to IP version 4 (IPv4) addresses, which are 32 bits long. This
greater length allows for a much greater number of globally unique addresses, which are required to accommodate the explosive growth of the Internet
around the world. IPv6 also provides for better routing and network autoconfiguration. The DNS server in Windows Server 2008 now supports IPv6
addresses as fully as it supports IPv4 addresses.

Feature: Read-only domain controller support
Description: Windows Server 2008 introduces a new type of domain controller, the read-only domain controller (RODC). An RODC provides, in effect, a shadow copy of
a domain controller. You can install it in locations where physical security cannot be guaranteed, such as branch offices.
To support RODCs, the DNS server in Windows Server 2008 supports a new type of zone, the primary read-only zone (also sometimes referred to as a
branch office zone). The primary read-only zone is created automatically when a computer running the DNS server role is promoted to be an RODC. The
zone contains a read-only copy of the DNS data that is stored in the read-only AD DS database on the RODC.
The writeable version of the data is stored on a centrally located domain controller, such as a hub site domain controller. The DNS zone data on the RODC
is updated when the DNS data is replicated from the centrally located domain controllers to the RODC according to the configured replication schedule.
The administrator of the RODC can view the contents of the read-only primary zone, but only a domain administrator with permissions on the centrally
located domain controller can change the zone data.

Feature: Single-label name resolution
Description: The DNS Server service now supports a special zone called the GlobalNames zone to hold single-label host names. This zone can be replicated across an
entire forest, so that single-label host names (for example, webserver1) can be resolved throughout the forest without the use of the Windows Internet
Naming System (WINS) protocol. Although the GlobalNames zone is not intended to provide peer-to-peer single-label name resolution, you can use it to
simplify the location of servers and intranet Web sites, for example.

Hardware and software considerations


Use performance counters, testing in the lab, data from existing hardware in a production environment, and pilot roll-outs to determine the hardware capacity that is
necessary for your server.
Note

A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based Systems.
Typical DNS server hardware recommendations include the following:

Single-processor computers with 400-megahertz (MHz) Pentium II CPUs
512 megabytes (MB) of RAM for each processor
At least 4 gigabytes (GB) of available hard disk space
A network adapter

Using faster CPUs, more RAM, and larger hard drives improves the scalability and performance of your DNS servers. DNS servers use approximately 100 bytes of RAM for
each resource record. Using this figure together with the record count of each zone, which you can obtain by looking at each zone in the DNS snap-in, you can calculate how much memory you need.

Installing a DNS server


After you finish installing the operating system, a list of initial configuration tasks appears. To install a DNS server, in the list of tasks, click Add roles, and then click DNS
server.

Managing a DNS server


You can manage server roles with MMC snap-ins. Use the DNS snap-in to manage a DNS server. To open the DNS snap-in, click Start, point to Administrative Tools, and
then click DNS.

For more information


To learn more about the DNS server role, you can view the Help on your server. To view the Help, open the DNS snap-in as described in the previous section, and then
press F1.

2014 Microsoft. All rights reserved.

Administering DNS Operations


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This Domain Name System (DNS) Administering guide provides administering information for DNS in the Microsoft Windows Server 2003 with Service Pack 1 (SP1)
operating system.
In this guide

Introduction to Administering DNS Operations
Managing DNS
Monitoring DNS
Optimizing DNS
Securing DNS

This DNS Administering guide provides detailed procedures for managing DNS servers, clients, and resource records. It also provides procedures for monitoring,
optimizing, and securing your DNS infrastructure. For most procedures, this guide provides both a user interface (UI) and a command-line method of performing each
procedure. In addition, this guide provides sample scripts for the most frequently used, repetitive tasks.

Introduction to Administering DNS Operations


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide explains how to administer Microsoft Domain Name System (DNS). These activities are part of the operating phase of the information technology (IT) life cycle. If
you are not familiar with this guide, review the following sections of this introduction.

When to Use This Guide


You should use this guide when:

You want to manage DNS servers.
You want to manage DNS clients.

This guide assumes a basic understanding of what DNS is, how it works, and why your organization uses it for name resolution. You should also have a thorough
understanding of how DNS is deployed and managed in your organization. This includes an understanding of the mechanism that your organization uses to configure and
manage DNS settings.
This guide can be used by organizations that have deployed Windows Server 2003 Service Pack 1 (SP1). It includes information that is relevant to different roles within an IT
organization, including IT operations management and administrators. This guide contains high-level information that is required to plan a DNS operations environment,
along with management-level knowledge of the DNS and IT processes that are required to operate it.
In addition, this guide contains more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures
provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and snap-ins and know how to start
administrative programs and access the command line. If operators are not familiar with DNS, it might be necessary for IT planners or managers to review the relevant
operations in this guide and provide the operators with parameters or data that must be entered when the operations are performed.

How to Use This Guide


The operations areas are divided into the following types of content:

Objectives are high-level goals for managing, monitoring, optimizing, and securing DNS. Each objective consists of one or more high-level tasks that describe how
the objective is accomplished. In this guide, Managing Domain Name System Servers is an example of an objective.
Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective. In this guide, Modifying an Existing DNS Server is
an example of a task.
Procedures provide step-by-step instructions for completing tasks. In this guide, Change the name-checking method of a DNS server is an example of a procedure.

If you are an IT manager who will be delegating tasks to operators in your organization, you will want to:

Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures
for each task.
Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.
When necessary, create tear sheets for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate
document and then either print these documents or store them online, depending on the preference of your organization.


Managing DNS
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide describes processes and procedures for improving the management of Windows Server 2003 Domain Name System (DNS) in your network infrastructure.
Ensuring that DNS is functioning properly helps increase system availability for your users.
The following tasks for managing DNS are described in this objective:

Managing Domain Name System Servers
Managing Domain Name System Clients
Managing Domain Name System Zones
Managing DNS Resource Records


Managing Domain Name System Servers


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks for managing Domain Name System (DNS) servers are described in this objective:

Adding a Primary DNS Server to an Existing Zone
Adding a Secondary DNS Server
Modifying an Existing DNS Server
Using Forwarders to Manage DNS Servers
Removing a DNS Server from the Network
Using DNS Aging and Scavenging


Adding a Primary DNS Server to an Existing Zone


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you are installing Domain Name System (DNS) with Active Directory, use the Active Directory Installation Wizard option to automatically install and configure a local DNS
server. This option installs the DNS Server service on the computer where you are running the wizard, and it configures the computer's preferred DNS server setting to use
the new local DNS server. Configure any other computers that join this domain to use this DNS server's Internet Protocol (IP) address as their preferred DNS server.
If you are installing DNS on a member server, use the procedures in this task.
It is recommended that you manually configure the computer to use a static IP address. If the DNS server is configured to use Dynamic Host Configuration Protocol
(DHCP)-assigned dynamic addresses, then when the DHCP server assigns a new IP address to the DNS server, the DNS clients that are still configured with that DNS server's
previous IP address will be unable to locate the DNS server and will fail to resolve names.
After you install a DNS server, you can decide how to administer it and its zones. Although you can use a text editor to make changes to server boot and zone files, this
method is not recommended. The DNS console and the DNS command-line tool, Dnscmd, simplify maintenance of these files, and they should be used whenever possible.
After you begin managing these files by using the console or the command line, editing them manually is not recommended.
You can administer DNS zones that are stored in Active Directory by using the DNS console or the Dnscmd command-line tool only. These zones cannot be administered
by using a text editor.
If you uninstall a DNS server that hosts Active Directory-integrated zones, these zones are saved or deleted according to their storage type. For all storage types, the zone
data is stored on other domain controllers or DNS servers. It is not deleted unless the DNS server that you uninstall is the last DNS server hosting that zone.
If you uninstall a DNS server hosting standard DNS zones, the zone files will remain in the systemroot\system32\Dns directory, but they will not be reloaded if the DNS
server is reinstalled. If you create a new zone with the same name as an old zone, the old zone file is replaced with the new zone file.
When they write DNS server boot and zone data to text files, DNS servers use the Berkeley Internet Name Domain (BIND) file format that is recognized by legacy BIND 4
servers, not the more recent BIND 8 format.
Complete this task after you determine that you need to add a primary DNS server to your environment. For more information about planning a DNS infrastructure, see
Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
To complete this task, perform one of the following procedures:

Install a new DNS server
Configure a DNS server

See Also
Other Resources
Deploying Domain Name System (DNS)

Install a new DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to install Domain Name System (DNS) on a member server, which makes that server a DNS server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Installing a new DNS server


To install a DNS server
1. Open the Windows Components Wizard.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4. If you are prompted to do so, in Copy files from, type the full path to the installation location, and then click OK.
Required files are copied to your hard disk.

Note
To open the Windows Components Wizard, click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.


Configure a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use these procedures to configure a new Domain Name System (DNS) server. When you finish configuring the server, you may need to complete additional tasks,
such as enabling dynamic updates for its zones or adding resource records to its zones. See the other tasks in this guide to determine whether they are appropriate for
your environment.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd tool at the command line.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Configuring a DNS server


Using the Windows interface
Using a command line

To configure a DNS server using the Windows interface


1. Open the DNS snap-in.
2. If necessary, add the applicable server to the console and connect to it.
3. In the console tree, click the applicable DNS server.
Where?
DNS/Applicable DNS server
4. On the Action menu, click Configure a DNS Server.
5. Follow the instructions in the Configure a DNS Server Wizard.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}

Value: dnscmd
Description: Specifies the name of the command-line tool.

Value: ServerName
Description: Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).

Value: /Config
Description: Specifies the configuration command.

Value: {ZoneName|..AllZones}
Description: Specifies the name of the zone to be configured. To apply the configuration for all zones that are hosted by the specified DNS server,
type ..AllZones.

Value: Property
Description: Specifies the server property or zone property to be configured. There are different properties available for servers and zones. For a
list of the available properties, at a command prompt type: dnscmd /Config /help.

Value: {1|0}
Description: Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone properties must be reset as part of a more
complex operation.

Note
To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command Prompt.
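The following batch script is an added example of the dnscmd /Config syntax described above; it is not part of the original guide. It applies one server property (SecureResponses, which makes the server discard answers that fall outside the queried name's domain tree) and one zone property (AllowUpdate, which controls dynamic updates) and then reads the settings back. The zone name corp.contoso.com is a constructed placeholder, and the script assumes the dnscmd property names and values given in the comments.

```batch
@echo off
setlocal
rem Added example, not from the original guide. The zone name is a constructed
rem placeholder; "." addresses the DNS server on the local computer, as the
rem syntax table above describes.
set "SERVER=."
set "ZONE=corp.contoso.com"

rem Server property: protect the resolver cache against pollution by discarding
rem records in responses that are not within the domain tree of the queried name.
rem 1 = on, 0 = off, matching the {1|0} form in the syntax table.
dnscmd %SERVER% /Config /SecureResponses 1

rem Zone property: control dynamic updates for one zone rather than ..AllZones.
rem This property takes more than on/off: 0 = no dynamic updates,
rem 1 = nonsecure and secure updates, 2 = secure updates only (2 is accepted
rem only for an Active Directory-integrated zone).
dnscmd %SERVER% /Config %ZONE% /AllowUpdate 2

rem Read the server and zone settings back so the change can be confirmed
rem before clients depend on it.
dnscmd %SERVER% /Info
dnscmd %SERVER% /ZoneInfo %ZONE%
endlocal
```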


Adding a Secondary DNS Server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) design specifications recommend that at least two DNS servers be used to host each zone. For standard, primary zones, a secondary server
is required to add and configure the zone so that it appears to other DNS servers in the network. For directory-integrated, primary zones, secondary servers are
supported but not required for this purpose. For example, two DNS servers running on domain controllers can be redundant primary servers for a zone. They can provide
the same benefits as adding a secondary server while also providing additional benefits.
Secondary servers can be used to offload DNS query traffic in areas of the network where a zone is heavily queried. In addition, if a primary server is unavailable, a
secondary server can provide some name resolution in the zone until the primary server is available.
If you add a secondary server, try to locate it as close as possible to clients that have a high demand for names that are used in the zone. Also, consider placing secondary
servers across a router, either on other subnets (if you use a routed local area network (LAN)) or across wide area network (WAN) links. This constitutes a good use of a
secondary server as a local backup in scenarios in which an intermediate network link becomes the point of failure between DNS servers and clients that use the zone.
Because a primary server always maintains the master copy of updates and changes to the zone, a secondary server relies on DNS zone transfer mechanisms to obtain its
information and keep the information current. Issues such as zone transfer methods using either full or incremental zone transfers are more applicable when you use
secondary servers.
When you consider the impact of zone transfers that are caused by secondary servers, consider their advantage as a backup source of information, and measure this
against the added cost that they impose on your network infrastructure. A simple rule is that for each secondary server that you add, network usage (because of added
zone replication traffic) increases, and so does the time that is required to synchronize the zone at all secondary servers.
Secondary servers are used most heavily for forward lookup zones. If you are using reverse lookup zones, it is not necessary to add as many secondary servers for those
zones. Typically, a secondary server for a reverse lookup zone is not used outside the network and subnet that correspond to the reverse zone.
To complete this task, perform the following procedure:

Add a secondary server to a zone


Add a secondary server to a zone


Published: March 2, 2005
Updated: November 18, 2009
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To add a secondary server to an existing zone, you must have network access to the server that acts as the master server for this server and its use of the zone. The
master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.
You can perform this procedure by using the DNS console or by using the Dnscmd command-line tool. This procedure can be performed on the secondary DNS server, or
on a computer with permission to manage the secondary DNS server. To add a secondary server to multiple zones, you must repeat this procedure for each zone.
Important
Before you add a secondary server to a zone, you must allow zone transfers from the primary to the secondary server. For more information, see Modify DNS zone
transfer settings.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a secondary server to a zone


Using the Windows interface
Using the command line

To add a secondary server to a zone using the Windows interface


1. Click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, click the applicable Domain Name System (DNS) server.
3. On the Action menu, click New Zone.
4. Follow the instructions in the New Zone Wizard. When you add the zone, select Secondary zone as the zone type.

To add a secondary server to a zone using the command line


At a command prompt, type the following command, and then press ENTER:
Dnscmd ServerName /ZoneAdd ZoneName /Secondary MasterIPaddress... [/file FileName]

Value: ServerName
Description: Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).

Value: ZoneName
Description: Specifies the fully qualified domain name (FQDN) of the secondary zone that you are adding. The zone name must be the same as the name of
the primary zone from which the secondary zone is created.

Value: MasterIPaddress
Description: Specifies one or more IP addresses for the secondary zone master servers, from which it copies zone data.

Value: FileName
Description: Specifies the name of the file to use for creating the secondary zone.

In the following example, zone transfers are first allowed from the primary DNS server primarydns.contoso.com at 10.0.0.2 to the secondary server
secondarydns.contoso.com at 11.0.0.2. Next, the secondary DNS server is added to the zone secondtest.contoso.com.
Dnscmd primarydns.contoso.com /zoneresetsecondaries secondtest.contoso.com /securelist 11.0.0.2
Dnscmd secondarydns.contoso.com /zoneadd secondtest.contoso.com /secondary 10.0.0.2
For more information about using dnscmd, see Dnscmd Syntax.
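As an added example that is not part of the original guide, the following batch script carries the two commands above through as one checked procedure: it restricts zone transfers on the primary to the named secondary (and directs NOTIFY messages to it), creates the secondary zone, forces the first transfer, and displays the zone settings on both servers. The server names, addresses and zone name are the constructed values from the example above; the script also assumes that dnscmd returns a non-zero exit code when a command fails.

```batch
@echo off
setlocal
rem Added example, not from the original guide. Names and addresses are the
rem constructed values used in the guide's example; adjust them for your network.
set "PRIMARY=primarydns.contoso.com"
set "PRIMARY_IP=10.0.0.2"
set "SECONDARY=secondarydns.contoso.com"
set "SECONDARY_IP=11.0.0.2"
set "ZONE=secondtest.contoso.com"

rem 1. On the primary, allow zone transfers only to the listed secondary and send
rem    NOTIFY messages to it. /NonSecure would let any host pull the whole zone;
rem    /SecureList limits transfers to the addresses given.
dnscmd %PRIMARY% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARY_IP% /NotifyList %SECONDARY_IP%
if errorlevel 1 (
    echo Could not restrict zone transfers for %ZONE% on %PRIMARY%.
    exit /b 1
)

rem 2. On the secondary, create the secondary zone with the primary as its master.
dnscmd %SECONDARY% /ZoneAdd %ZONE% /Secondary %PRIMARY_IP%
if errorlevel 1 (
    echo Could not add secondary zone %ZONE% on %SECONDARY%.
    exit /b 1
)

rem 3. Ask the secondary to refresh from its master now rather than waiting for
rem    the SOA refresh interval, then show the zone settings on both servers so
rem    the transfer restriction and the master address can be checked.
dnscmd %SECONDARY% /ZoneRefresh %ZONE%
dnscmd %PRIMARY% /ZoneInfo %ZONE%
dnscmd %SECONDARY% /ZoneInfo %ZONE%
endlocal
```

If the transfer restriction is applied after the secondary already exists, the secondary keeps its current copy until the next refresh, so step 3 is still worth running.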


Modifying an Existing DNS Server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You may need to modify or update the configuration of your Domain Name System (DNS) servers for various reasons. For example, you may need to change the
name-checking method of a DNS server to allow the DNS server to resolve names that do not comply with the Request for Comments (RFC) standards. In addition, you may
need to modify or update a DNS server in the process of troubleshooting or optimizing it.
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Start, stop, pause, or restart a DNS server
Manually update DNS server data files
Clear the DNS server names cache
Change the boot method of a DNS server
Change the name-checking method of a DNS server
Restore DNS server default preferences

See Also
Other Resources
Deploying Domain Name System (DNS)

Start, stop, pause, or restart a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to start, stop, pause, or restart Domain Name System (DNS).
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To start, stop, pause, or restart a DNS server
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, point to All Tasks, and then click one of the following:
To start the DNS service on this server, click Start.
To stop the DNS service on this server, click Stop.
To interrupt the DNS service on this server, click Pause.
To stop and then automatically restart the DNS service on this server, click Restart.

Note
To open the DNS management console, click Start, point to Administrative Tools, and then click DNS.

Note
If you want to resume the service after you pause or stop it, on the Action menu, point to All Tasks, and then click Resume to immediately resume the service.


Manually update DNS server data files


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool. Use the DNS snap-in for standard Domain Name System (DNS)
zones and the Dnscmd command-line tool for Active Directory-integrated zones.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Manually updating DNS server data files


Using the Windows interface
Using the command line

To manually update DNS server data files using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Update Server Data Files.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To manually update DNS server data files using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneUpdateFromDs ZoneName

Value: ServerName
Description: Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.).

Value: ZoneName
Description: Specifies the name of the zone whose data files you want to update.


Clear the DNS server names cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool. Clearing the cache discards every cached answer, including any
entry that was poisoned, so it is the usual first response to suspected cache pollution. It does not touch the server's authoritative zone data; later queries are simply
resolved again from authoritative servers.

Clearing the DNS server names cache


Using the Windows interface
Using the command line

To clear the DNS server names cache using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server.
3. On the Action menu, click Clear Cache.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To clear the DNS server names cache using the command line
At a command prompt, type the following, and then press ENTER:
dnscmd ServerName /clearcache

Value

Description

ServerName

Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.).


Change the boot method of a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
By default, Domain Name System (DNS) servers use information that is stored in the registry to initialize the service and load any zone data for use at the server. In
addition, you can configure the DNS server to boot from a file. Or, in Active Directory environments, you can supplement local registry data with zone data that is retrieved
for directory-integrated zones that are stored in the Active Directory database. If you use the file method, the file must be a text file named Boot, which is located on the
computer in the %SystemRoot%\System32\Dns folder.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change the boot method of a DNS server
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Load zone data on startup list, select one of the following:
From registry
From file
From Active Directory and registry

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Change the name-checking method of a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The DNS Server service supports three different possible methods for checking the names that it receives and processes during normal operations:

Strict RFC (ANSI): This method strictly enforces Request for Comments (RFC)-compliant naming rules for all Domain Name System (DNS) names that the server
processes. Names that are not RFC compliant are treated as errors by the DNS server.
Non RFC (ANSI): This method allows names that are not RFC compliant, such as names that use American Standard Code for Information Interchange (ASCII)
characters but are not compliant with RFC host naming requirements, to be used with the DNS server.
Multibyte (UTF8): This method allows names that use the 8-bit Unicode Transformation Format (UTF-8), which is described in RFC 3629, to be used with the DNS server.

By default, the DNS server uses the Multibyte (UTF8) method to check names.
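The following Python script is an added example, not code from Microsoft or from this guide. It approximates the three levels above so that the difference between them can be seen on concrete names: the strict level is modelled on RFC 952/RFC 1123 host-name syntax, Non RFC (ANSI) on printable 7-bit ASCII, and Multibyte (UTF8) on well-formed UTF-8. Those three rules are assumptions made for illustration; this page does not describe the exact checks that the DNS Server service applies. Note that by RFC 1123 syntax an underscore-prefixed name such as _ldap._tcp fails the strict check, so the constructed sample names include one.

```python
"""Approximate the three DNS name-checking levels (added example, not Microsoft code)."""
import re

# RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_RFC1123_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_strict_rfc(name):
    """Assumed model of Strict RFC (ANSI): RFC 952/1123 host-name syntax, name <= 253 octets."""
    try:
        text = name.decode("ascii").rstrip(".")
    except UnicodeDecodeError:
        return False
    if not text or len(text) > 253:
        return False
    return all(_RFC1123_LABEL.match(label) for label in text.split("."))


def check_non_rfc_ansi(name):
    """Assumed model of Non RFC (ANSI): any printable 7-bit ASCII, so underscores and
    other symbols pass while 8-bit bytes, spaces and control characters do not."""
    return bool(name) and all(0x21 <= b <= 0x7E for b in name)


def check_multibyte_utf8(name):
    """Assumed model of Multibyte (UTF8): any well-formed UTF-8; malformed bytes fail."""
    try:
        name.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(name)


LEVELS = (
    ("Strict RFC (ANSI)", check_strict_rfc),
    ("Non RFC (ANSI)", check_non_rfc_ansi),
    ("Multibyte (UTF8)", check_multibyte_utf8),
)


def classify(name):
    """Which of the three levels accept the name, as {level: bool}."""
    return {level: check(name) for level, check in LEVELS}


def minimum_level(name):
    """Least permissive level that accepts the name, or None if none of the three does."""
    for level, check in LEVELS:
        if check(name):
            return level
    return None


# Constructed sample names, as bytes because the check is applied to octets on the wire.
SAMPLES = [
    b"host1.wingtiptoys.corp.com",
    b"_ldap._tcp.wingtiptoys.corp.com",                 # service locator name: underscore
    "b\u00fcro.wingtiptoys.corp.com".encode("utf-8"),   # non-ASCII label
    b"-bad.wingtiptoys.corp.com",                       # label starts with a hyphen
    b"\xff\xfehost",                                    # not valid UTF-8 at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", minimum_level(sample))
```

Under these assumed rules the underscore name and the leading-hyphen name need at least Non RFC (ANSI), the non-ASCII name needs Multibyte (UTF8), and the last sample is rejected by all three, which is the case that matters when you ask what a permissive setting lets into zone data.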
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change the name-checking method of a DNS server
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Name checking list, click Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.
All names enables all three name-checking methods.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Restore DNS server default preferences


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to configure the Domain Name System (DNS) server with the initial configuration settings that it had following installation. These initial
configuration settings are listed in the following table.

Property: Setting

Disable recursion: Off
BIND secondaries: On
Fail on load if bad zone data: Off
Enable round robin: On
Enable netmask ordering: On
Secure cache against pollution: On
Name checking: Multibyte (UTF8)
Load zone data on startup: From Active Directory and registry
Enable automatic scavenging of stale records: Off

Note that the reset turns recursion back on. If the server had been deliberately configured with Disable recursion set to On, for example because it is reachable from
untrusted networks and is meant to answer only for its own zones, resetting the defaults makes it a recursive resolver again, and you must disable recursion again
afterward.

Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restore DNS server default preferences
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Using Forwarders to Manage DNS Servers


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you want to use forwarders to manage the Domain Name System (DNS) traffic between your network and the Internet, configure your network firewall to allow only one
DNS server to communicate with the Internet. When you have configured the other DNS servers in your network to forward queries that they cannot resolve locally to that
DNS server, it will act as your forwarder. Only that server needs outbound access to UDP and TCP port 53 on the Internet; keep inbound port 53 from the Internet
blocked, so that the forwarder, which must have recursion enabled, is not reachable as an open recursive resolver.
Consider the following tips for efficient forwarder configuration and use:

Keep forwarder configuration uncomplicated. For every DNS server that is configured with a forwarder, queries can be sent to a number of different places. Each
forwarder and each conditional forwarder must be administered for the benefit of DNS client queries, and this process can be time consuming. Use forwarders
strategically where they are needed the most, for example, for resolving offsite queries or for sharing information between namespaces.
Avoid chaining your forwarders. If you have configured a DNS server named server1 to forward queries for wingtiptoys.corp.com to DNS server server2, do not
configure server2 to forward queries for wingtiptoys.corp.com to DNS server server3. This is an inefficient resolution process, and it can result in errors if server3 is
accidentally configured to forward queries for wingtiptoys.corp.com to server1.
Do not concentrate too great a load on forwarders. The recursive queries that forwarders send to the Internet can require a significant amount of time to answer
because of the nature of the Internet. When large numbers of internal DNS servers use these forwarders for Internet queries, the server can experience a substantial
concentration of network traffic. If network load is an issue, use more than one forwarder and distribute the load between them.
Do not create inefficient resolution by using forwarders. The DNS server attempts to forward domain names according to the order in which the domain names
are configured in the DNS console. For example, a DNS server in Seattle may be incorrectly configured to forward a query to a server in London, instead of another
server in Seattle, because the server in London is higher up in the forwarders list. This decreases the efficiency of name resolution on the network. Evaluate your
network's forwarding configurations periodically to see if there are similar, inefficient configurations.
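The tips above amount to checks that can be run over the forwarding configuration before trouble appears. The Python below is an added example and is not part of this guide: it takes a constructed table of servers and their conditional and server-level forwarders, follows the path a query takes for a name, and reports chains, loops such as the server1 to server2 to server3 to server1 case described above, and forwarder lists whose first entry is off-site while an on-site forwarder appears later. It assumes, as the page implies, that the most specific conditional forwarder for a name wins over the server-level list, and it follows only the first forwarder in each list, which is the one the DNS server tries first; the server names and the site map are constructed for the example.

```python
"""Audit DNS forwarding paths for chains, loops and off-site ordering (added example)."""

# Constructed configuration: server -> {domain: [forwarders in the order tried]}.
# "*" holds the server-level forwarders used for all other DNS domains.
FORWARDERS = {
    "server1": {"wingtiptoys.corp.com": ["server2"], "*": ["fw1"]},
    "server2": {"wingtiptoys.corp.com": ["server3"]},
    "server3": {"wingtiptoys.corp.com": ["server1"]},   # closes the loop from the text
    "seattle-dns": {"*": ["london-fw", "seattle-fw"]},   # far forwarder listed first
    "branch-dns": {"*": ["server1"]},                    # forwards to a server that forwards again
    "fw1": {},
    "london-fw": {},
    "seattle-fw": {},
}

# Constructed site map used for the ordering check.
SITES = {
    "server1": "seattle", "server2": "seattle", "server3": "seattle", "fw1": "seattle",
    "seattle-dns": "seattle", "seattle-fw": "seattle", "london-fw": "london",
    "branch-dns": "branch",
}


def forwarders_for(config, server, name):
    """Forwarder list a server uses for a name: the most specific conditional
    forwarder whose domain is the name or one of its parents, else the "*" list."""
    table = config.get(server, {})
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        if domain in table:
            return table[domain]
    return table.get("*", [])


def trace_forwarding(config, start, name):
    """Follow the first forwarder at each hop. Returns (path, looped), where
    looped is True when the path reaches a server that is already on it."""
    path, seen, current = [start], {start}, start
    while True:
        nxt = forwarders_for(config, current, name)
        if not nxt:
            return path, False
        current = nxt[0]
        path.append(current)
        if current in seen:
            return path, True
        seen.add(current)


def audit_paths(config, names):
    """Report (server, name, kind, path) for every looped path and for every
    chain, i.e. a path of more than one forwarding hop."""
    findings = []
    for server in config:
        for name in names:
            path, looped = trace_forwarding(config, server, name)
            if looped:
                findings.append((server, name, "loop", path))
            elif len(path) - 1 > 1:
                findings.append((server, name, "chain", path))
    return findings


def misordered_forwarders(config, sites):
    """Forwarder lists whose first entry is off-site while an on-site forwarder
    appears later; the first entry is the one the server tries first."""
    findings = []
    for server, table in config.items():
        home = sites.get(server)
        for domain, fwds in table.items():
            if len(fwds) > 1 and sites.get(fwds[0]) != home \
                    and any(sites.get(f) == home for f in fwds[1:]):
                findings.append((server, domain, fwds))
    return findings


if __name__ == "__main__":
    for finding in audit_paths(FORWARDERS, ["host.wingtiptoys.corp.com", "www.example.com"]):
        print(finding)
    for finding in misordered_forwarders(FORWARDERS, SITES):
        print("off-site forwarder tried first:", finding)
```

Run against the constructed table, the audit flags the three-server loop for every server that enters it, the branch-dns to server1 to fw1 chain for Internet names, and the seattle-dns list that tries London before Seattle. Feeding it a real configuration means exporting each server's forwarder and conditional forwarder lists into the same dictionary shape.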

To complete this task, perform the following procedure:

Configure forwarders for a DNS server


Configure forwarders for a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you use this procedure to configure a conditional forwarder, note that you cannot use a domain name in a conditional forwarder if the DNS server hosts a primary zone,
secondary zone, or stub zone for that domain name. For example, if a DNS server is authoritative for the domain name wingtiptoys.corp.com (that is, it hosts the primary
zone for that domain name), you cannot configure that DNS server with a conditional forwarder for wingtiptoys.corp.com.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Configuring forwarders for a DNS server


Using the Windows interface
Using the command line

To configure forwarders for a DNS server using the Windows graphical user interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click a domain name.
Note
To create a new domain name, click New, and then, under DNS domain, type the domain name.
5. Under Selected domain's forwarder IP address list, type the Internet Protocol (IP) address of a forwarder, and then click Add.
Note
When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.
6. By default, the DNS server waits five seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds
before forward queries time out, you can change the number of seconds that the DNS server waits. If the overall recursion timeout (by default, 15 seconds) is
exceeded before all forwarders are exhausted, the DNS server fails the query. If the overall recursion timeout has not been exceeded and the server exhausts all
forwarders, it attempts standard recursion.
7. If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the Do not use recursion for this domain
check box.
Note
You can disable recursion for the DNS server so that it does not perform recursion on any query. If you disable recursion on the DNS server, you will not be able
to use forwarders on the same server.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure forwarders for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName /Forwarder MasterIPaddress [/TimeOut Time] [/Slave]
This command creates a conditional forwarder for ZoneName. To set the server-level forwarders that apply to all other DNS domains, use
dnscmd ServerName /ResetForwarders MasterIPaddress [/TimeOut Time] [/Slave] instead.

Value

Description

ServerName

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local
computer, you can also type a period (.).

ZoneName

Specifies the fully qualified domain name (FQDN) of the DNS domain for which queries are forwarded.

MasterIPaddress

Specifies one or more IP addresses, separated by spaces, of the DNS servers to which queries for ZoneName are forwarded, in the order in which
they are tried.

/TimeOut Time

Specifies the number of seconds that the DNS server waits for a response from one forwarder before it tries the next one. The default is five seconds.

/Slave

Specifies that the DNS server does not attempt standard recursion if the forwarders do not answer, which is equivalent to selecting Do not use recursion
for this domain in the DNS snap-in.


Removing a DNS Server from the Network


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To remove a DNS server from the network, perform the following procedures to make changes in zones where the server is configured as an authoritative server for the
zone:

1. Use the Delete a resource record procedure to remove the address (A) resource record for the server.
2. Use the Modify an existing resource record procedure to update the name server (NS) records, in zones where the server is configured as authoritative, to no
longer include the server by name (as it appeared in the A record that was deleted in step 1).
3. If the server is the primary server for a standard zone, use the Modify the SOA record for a zone procedure to revise the owner field of the start of authority (SOA)
resource record for the zone to point to the new primary DNS server for the zone. (If the zone is a directory-integrated zone, this procedure is not necessary.)
4. Use the Verify a zone delegation procedure to check the parent zone to ensure that any records (NS or A resource records) that are used for delegation to the
zone are revised and that they no longer point to the removed server.


Delete a resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to delete a resource record from a zone. Pointer (PTR) resource records are deleted automatically if the corresponding address (A)
resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Deleting a resource record


Using the Windows interface
Using the command line

To delete a resource record using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to delete, and then click Delete.
4. When you are asked to confirm that you want to delete the selected resource record, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordDelete

Required. Deletes a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies
the zone's root node.

RRType RRData

Required. Specifies the type of resource record to delete, followed by the data that the record contains. The data format for each record type is:

A: IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV: Priority Weight Port HostName
SOA: PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS: Protocol IPAddress Service...
WINS: MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR: MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress

Specifies a standard IPv4 address in dotted-decimal notation, for example, 192.0.2.10.

Ipv6Address

Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.

Protocol

Specifies the transmission protocol: UDP or TCP.

Service

Specifies a standard service, for example, domain, smtp.

HostName|DomainName

Specifies the FQDN of a resource record that is located in the DNS namespace.

/f

Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion
of the resource record.


Modify an existing resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify an existing resource record in a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd
command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying an existing resource record


Using the Windows interface
Using the command line

To modify an existing resource record using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to modify, and then click Properties.
4. In Properties, edit the properties that can be modified.
If necessary, you can view and modify advanced resource record properties with the DNS snap-in. To display advanced properties, on the View menu, click
Advanced.
5. When you have finished modifying the record, click OK.

Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
For record types that permit more than one record at a node, such as A, NS, and MX, /RecordAdd adds a new record alongside the existing one rather than replacing
it; if the change is meant as a replacement, delete the old record with /RecordDelete first. For the single SOA record of a zone, the new values replace the existing
record.

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd

Required. Adds a new resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.

RRType RRData

Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. The data format for each record type is:

A: IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV: Priority Weight Port HostName
SOA: PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS: Protocol IPAddress Service...
WINS: MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR: MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress

Specifies a standard IPv4 address in dotted-decimal notation, for example, 192.0.2.10.

Ipv6Address

Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.

Protocol

Specifies the transmission protocol: UDP or TCP.

Service

Specifies a standard service, for example, domain, smtp.

HostName|DomainName

Specifies the FQDN of a resource record that is located in the DNS namespace.


Modify the SOA record for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to change settings for the start of authority (SOA) resource record for a zone. The settings that are applied for the SOA record affect how zone
transfers are made between servers.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying the SOA record for a zone


Using the Windows interface
Using a command line

To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd

Required. Adds or modifies a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.

/Aging

Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in SOA resource record.

SOA

Required. Specifies the type of resource record that you are modifying.

/OpenAcl

Specifies that the new record is open to modification by any user. Without this parameter, only administrators may modify the new record. Do not use it for the
SOA record or for other records that direct clients to servers, such as NS or SRV records: any user who can rewrite such a record can redirect the zone's clients.

PrimSvr

Required. Specifies the FQDN of the server that is the primary source for information about the zone, for example, nameserver.place.sales.wingtiptoys.com.
(including the trailing period).

Admin

Required. Specifies the mailbox of the DNS administrator for the zone, written as an FQDN in which the first period stands for the @ sign, for example,
postmaster.nameserver.place.sales.wingtiptoys.com. (for postmaster@nameserver.place.sales.wingtiptoys.com).

Serial#

Required. Specifies the version information for the zone. Secondary servers compare this value with the serial number of their copy to decide whether a zone
transfer is needed, so increase it whenever you change the zone.

Refresh

Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).

Retry

Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).

Expire

Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).

MinTTL

Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).

Note
To modify any specific SOA record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).


Verify a zone delegation


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
You do not need administrative credentials to perform this task. Therefore, as a security best practice, consider performing this task as a user without administrative
credentials.
To verify a zone delegation
1. At a command prompt, type the following command, and then press ENTER, to start nslookup in interactive mode:
nslookup
2. At the nslookup prompt, type the following command, and then press ENTER, to send the queries that follow to a root server instead of to your default DNS server:
server RootServerIpAddress
3. At the next prompt, type the following command, and then press ENTER:
set norecurse
4. At the next prompt, type the following command, and then press ENTER:
set q=NS
5. Type the fully qualified domain name (FQDN) for the failed name.
Use the trailing period (.) when you type the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers is
returned in the response.
6. If the NS query response contains no names or Internet Protocol (IP) addresses for delegated servers, leave set q=NS in effect and query again using the FQDN
for the parent zone of the failed name.
For example, if the failed name that you used in the previous step was sales.wingtiptoys.com, query for wingtiptoys.com.
7. If the response contains NS resource records, but no host address (A) resource records, type set recurse, then type set q=A, and then query individually for
the A resource records of the servers that are listed in the NS resource records.
If, for each NS resource record that you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
8. Either fix the broken delegation or retry the delegation test that is described in the previous step and use a different IP address.
If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an
A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

Value

Description

RootServerIpAddress

The IP address of a valid root server for your network.

server RootServerIpAddress

Directs nslookup to send its subsequent queries to that server.

set norecurse

Clears the recursion-desired flag on the queries that nslookup sends, so the server returns what it holds for the name, normally a referral, instead of resolving
the name on your behalf.

set q=NS

Sets the query type to name server (NS) resource records.
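The same test done on the wire instead of at the nslookup prompt, as an added example that is not part of this guide: the Python below builds the query that set norecurse and set q=NS produce (recursion-desired bit clear, question type NS), parses the referral that comes back, and applies step 7, treating a delegation as broken when some NS target has no A record anywhere in the response. The referral embedded in the script is constructed for the example (two NS records for sales.wingtiptoys.com, glue for only one of them); the parser also handles the name-compression pointers that real replies use and refuses pointer loops, which is the check you want before pointing this at servers you do not control.

```python
"""Non-recursive NS query and delegation check on the DNS wire format (added example)."""
import secrets, socket, struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Dotted name -> DNS labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_NS, txid=None, rd=False):
    """Header plus one question; rd=False is 'set norecurse', qtype=TYPE_NS is 'set q=NS'."""
    if txid is None:
        txid = secrets.randbits(16)           # unpredictable ID for real queries
    flags = 0x0100 if rd else 0x0000
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # pointer to an earlier name
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, target, hops + 1
            if hops > 64:                     # refuse pointer loops in hostile replies
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", end


def parse_records(msg, off, count):
    """Parse count records as (owner, type, value); NS and A rdata decoded, others raw."""
    records = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            value = decode_name(msg, off)[0]
        elif rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        else:
            value = msg[off:off + rdlen]
        off += rdlen
        records.append((name, rtype, value))
    return records, off


def parse_response(msg):
    """Split a reply into sections, skipping the echoed question."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4
    answers, off = parse_records(msg, off, an)
    authority, off = parse_records(msg, off, ns)
    additional, _ = parse_records(msg, off, ar)
    return {"id": txid, "rcode": flags & 0xF, "answers": answers, "authority": authority, "additional": additional}


def check_delegation(resp):
    """Step 7: every NS target needs an A record in the reply. Returns (ok, targets without one)."""
    rrs = resp["answers"] + resp["authority"] + resp["additional"]
    ns_targets = {v for (_, t, v) in rrs if t == TYPE_NS}
    a_owners = {n for (n, t, _) in rrs if t == TYPE_A}
    missing = sorted(ns_targets - a_owners)
    return bool(ns_targets) and not missing, missing


def _rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


# Constructed referral for 'sales.wingtiptoys.com NS': the parent lists two servers but
# supplies glue for ns1 only. b"\xC0\x0C" is a compression pointer to the question name.
SAMPLE_REFERRAL = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 1)
    + encode_name("sales.wingtiptoys.com.") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    + _rr(b"\xC0\x0C", TYPE_NS, encode_name("ns1.sales.wingtiptoys.com."))
    + _rr(b"\xC0\x0C", TYPE_NS, encode_name("ns2.sales.wingtiptoys.com."))
    + _rr(encode_name("ns1.sales.wingtiptoys.com."), TYPE_A, socket.inet_aton("192.0.2.53"))
)
# The same referral with glue for ns2 as well, which is what a correct delegation returns.
SAMPLE_REFERRAL_FIXED = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 2) + SAMPLE_REFERRAL[12:]
    + _rr(encode_name("ns2.sales.wingtiptoys.com."), TYPE_A, socket.inet_aton("192.0.2.54"))
)
```

check_delegation(parse_response(SAMPLE_REFERRAL)) reports ns2.sales.wingtiptoys.com. as the server without an address, and the fixed referral passes. To run the test against a live parent server, send build_query("sales.wingtiptoys.com.") over UDP to port 53 of that server, discard any reply whose id does not match the query's, and hand the rest to parse_response.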


Using DNS Aging and Scavenging


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Aging and scavenging of stale resource records are features of Domain Name System (DNS) that are available when you deploy your server with primary zones.
Where aging and scavenging are available, you can use the DNS snap-in to perform the following related tasks for your DNS servers and any directory-integrated zones
that they load:

Enable or disable the use of scavenging at a DNS server


Enable or disable the use of scavenging for selected zones at the DNS server
Modify the no-refresh interval, either as a server default or by specifying an overriding value at selected zones
Modify the refresh interval, either as a server default or by specifying an overriding value at selected zones
Specify whether periodic scavenging occurs automatically at the DNS server for any of its eligible zones and how often these operations are repeated
Manually initiate a single scavenging operation for all eligible zones at the DNS server
View other related properties, such as the time stamp for individual resource records or the start-scavenging time for a specified zone

Enabling Scavenging of Stale Resource Records


By default, aging and scavenging features are disabled on all DNS servers and any of their zones. Before using these features, you should configure the following settings
for the applicable server and its directory-integrated zones:

Server aging and scavenging properties for determining the use of these features on a server-wide basis. These settings are used to determine the effect of
zone-level properties for any directory-integrated zones that are loaded at the server. For more information, see Set aging and scavenging properties for a DNS
server.
Zone aging and scavenging properties for determining the use of these features on a per zone basis. When zone-specific properties are set for a selected
zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their
defaults from comparable settings that are maintained in server aging and scavenging properties. For more information, see Set aging and scavenging properties
for a zone.
Caution Enabling aging and scavenging for use with standard primary zones modifies the format of zone files. This change does not affect zone replication to
secondary servers, but the modified zone files cannot be loaded by other versions of DNS servers.

Modifying No-refresh Intervals


When the no-refresh interval is in effect for a specific resource record, attempts to dynamically refresh its time stamp are suppressed by the DNS server. This aspect of the
aging and scavenging mechanism prevents unnecessary refreshes from being processed by the server for aged resource records. These early refresh attempts, if not
handled in this way, might otherwise increase Active Directory replication traffic related to processing DNS zone changes.
To ensure that records do not refresh prematurely, keep the no-refresh interval comparable in length to the current refresh interval for each resource record. For example,
if you increase the refresh interval to a higher value, you can similarly increase the no-refresh interval.
In most instances, the default interval of seven days is sufficient and does not need to be changed.

Modifying Refresh Intervals


When the refresh interval is in effect for a resource record, attempts to dynamically refresh its time stamp are accepted and processed by the DNS server. When you set
this interval, it is important that the length of time used be greater than the maximum possible refresh period for any resource records that are contained in the zone. This
period is equal to the maximum amount of time that it might take the record to be refreshed under normal network conditions, based on the specific source generating
the record refresh.
For example, the following table shows default refresh periods for various services that are known to register and refresh records dynamically in DNS.

Service: Default refresh period

Net Logon: 24 hours

Clustering: 24 hours

DHCP client: 24 hours. The DHCP Client service sends dynamic updates for the DNS records. This includes both computers that obtain a leased Internet Protocol
(IP) address by using Dynamic Host Configuration Protocol (DHCP) and computers that are configured statically for TCP/IP.

DHCP server: Four days (half of the lease interval, which is eight days by default). Refresh attempts are made only by DHCP servers that are configured to perform
DNS dynamic updates on behalf of their clients, for example, Windows 2000 Server DHCP servers and Windows Server 2003 DHCP servers. The period is based on
the frequency with which DHCP clients renew their IP address leases with the server. Typically, this occurs when 50 percent of the scope lease time has elapsed. If
the DHCP default scope lease duration of eight days is used, the maximum refresh period for records that are updated by DHCP servers on behalf of clients is four
days.

By default, the refresh interval is seven days. In most instances, this value is sufficient and does not need to be changed, unless any resource records in the zone are
refreshed less often than once every seven days.

Automated and Manually Initiated Scavenging


Although scavenging start time and other factors determine when zones and records are actually eligible for scavenging, you can initiate scavenging by using either of two
methods:

Automatic scavenging. Automatic scavenging specifies that aging and scavenging of stale records is to be performed automatically by the server for any eligible
zones at a recurring interval that is specified as the scavenging period. When you use automatic scavenging, the default scavenging period is one day, and the
minimum allowed value that you can use for the scavenging period is one hour. For more information, see Configure automatic scavenging of stale resource
records.
Manual scavenging. Manual scavenging specifies that aging and scavenging of stale records is to be performed as a nonrecurring operation for any eligible zones
at the server. For more information, see Start scavenging of stale resource records.

Modifying Time-Stamp Values


For resource records that are not added dynamically to DNS zone data, a record time-stamp value of zero is applied, which prevents these records from aging or removal
during scavenging.
You can, however, reset record properties manually to enable any statically entered records to qualify for the aging and scavenging process. If you do this, the record will
be deleted based on the modified time-stamp value, at which point you might need to re-create a record if it is still needed.
For more information, see Reset aging and scavenging properties for a specific resource record.
To complete this task, perform the following procedures:

1. Set aging and scavenging properties for a DNS server
2. Set aging and scavenging properties for a zone
3. Configure automatic scavenging of stale resource records
4. Start scavenging of stale resource records
5. Reset aging and scavenging properties for a specific resource record
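The following model of the intervals described above is an added example, not Microsoft's code: it classifies a record by the age of its time stamp, shows which refresh attempts the server would accept, checks a proposed refresh interval against the registrant refresh periods from the table, and runs one scavenging pass. The zone records and the "now" value are constructed; zone scavenging start time and server eligibility are not modelled.

```python
"""Aging and scavenging eligibility model (added example, not Microsoft's code).

All records and times below are constructed. Hour values follow the page's
defaults: no-refresh interval 168 h, refresh interval 168 h.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

HOUR = timedelta(hours=1)

# Default refresh periods (hours) of the dynamic registrants listed in the table above.
# The zone's refresh interval must be at least the largest of these, or records
# refreshed less often than that are scavenged while still in use.
DEFAULT_REGISTRANT_REFRESH_HOURS: Dict[str, int] = {
    "Net Logon": 24,
    "Clustering": 24,
    "DHCP client": 24,
    "DHCP server": 96,  # four days: half of the default eight-day lease
}


@dataclass
class Record:
    name: str
    rtype: str
    timestamp: Optional[datetime]  # None models the zero time stamp of a static record


def refresh_interval_ok(refresh_hours: int,
                        registrants: Dict[str, int] = DEFAULT_REGISTRANT_REFRESH_HOURS
                        ) -> Tuple[bool, List[str]]:
    """Apply the page's rule: the refresh interval must cover the longest
    registrant refresh period. Returns (ok, registrants that refresh too slowly)."""
    too_slow = [name for name, hours in registrants.items() if hours > refresh_hours]
    return (not too_slow, too_slow)


def record_state(rec: Record, now: datetime,
                 no_refresh_hours: int = 168, refresh_hours: int = 168) -> str:
    """Classify a record as 'static', 'no-refresh', 'refresh' or 'stale'."""
    if rec.timestamp is None:
        return "static"            # zero time stamp: never aged, never scavenged
    age = now - rec.timestamp
    if age < no_refresh_hours * HOUR:
        return "no-refresh"        # time-stamp-only refreshes are suppressed
    if age < (no_refresh_hours + refresh_hours) * HOUR:
        return "refresh"           # a dynamic refresh now resets the time stamp
    return "stale"                 # eligible for removal by the next scavenging run


def apply_refresh(rec: Record, now: datetime,
                  no_refresh_hours: int = 168, refresh_hours: int = 168) -> Record:
    """Record as stored after a dynamic refresh (same data) arriving at `now`."""
    if record_state(rec, now, no_refresh_hours, refresh_hours) in ("refresh", "stale"):
        return Record(rec.name, rec.rtype, now)
    return rec                     # static or inside no-refresh: time stamp unchanged


def scavenge(records: List[Record], now: datetime,
             no_refresh_hours: int = 168, refresh_hours: int = 168
             ) -> Tuple[List[Record], List[Record]]:
    """Split records into (kept, removed) as one scavenging run would."""
    kept, removed = [], []
    for rec in records:
        if record_state(rec, now, no_refresh_hours, refresh_hours) == "stale":
            removed.append(rec)
        else:
            kept.append(rec)
    return kept, removed


def demo() -> dict:
    """Constructed sample zone evaluated at a constructed 'now'."""
    now = datetime(2014, 3, 1, 0, 0)
    zone = [
        Record("wkstn1", "A", now - 10 * HOUR),    # registered today
        Record("wkstn2", "A", now - 200 * HOUR),   # past no-refresh, inside refresh
        Record("wkstn3", "A", now - 400 * HOUR),   # past both intervals
        Record("mail", "A", None),                 # statically entered
    ]
    _, removed = scavenge(zone, now)
    return {
        "states": {rec.name: record_state(rec, now) for rec in zone},
        "removed": [rec.name for rec in removed],
        # a refresh inside the no-refresh interval leaves the time stamp alone
        "wkstn1_refresh_accepted": apply_refresh(zone[0], now).timestamp == now,
        "wkstn2_refresh_accepted": apply_refresh(zone[1], now).timestamp == now,
    }


if __name__ == "__main__":
    print(demo())
    print(refresh_interval_ok(48))   # too short for DHCP-server-registered records
```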

2014 Microsoft. All rights reserved.

Set aging and scavenging properties for a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The settings for server aging and scavenging properties determine the effect of zone-level properties for any directory-integrated zones that are loaded at the server.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Setting aging and scavenging properties for a DNS server


Using the Windows interface
Using the command line

To set aging and scavenging properties for a DNS server using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Set Aging/Scavenging for All Zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}

Value           Description
ServerName      Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
                on the local computer, you can also type a period (.).
Value           For /ScavengingInterval, type a value in hours. The default is 168 hours (one week). For /DefaultAgingState, type 1 to enable aging for new
                zones when they are created. Type 0 to disable aging for new zones. For /DefaultNoRefreshInterval, type a value in hours. The default is
                168 hours (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 hours (one week).


Set aging and scavenging properties for a zone


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The settings for zone aging and scavenging properties determine the use of these features on a per-zone basis. When you set zone-specific properties for a selected
zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their defaults
from comparable settings that are maintained in server aging and scavenging properties.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Setting aging and scavenging properties for a zone


Using the Windows interface
Using the command line

To set aging and scavenging properties for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}

Value                   Description
ServerName              Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
                        server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName|..AllZones     Specifies the name of the zone to which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.
Value                   For /Aging, type 1 to enable aging. Type 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours
                        (one week). For /NoRefreshInterval, type a value in seconds. The standard setting is 3600 seconds (one hour).


Configure automatic scavenging of stale resource records


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To configure automatic scavenging of stale resource records
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Properties.
3. Click the Advanced tab.
4. Select the Enable automatic scavenging of stale records check box.
5. To adjust the scavenging period, in Scavenging period, select an interval in the drop-down list (either hours or days), and then type a number in the text box.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Start scavenging of stale resource records


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Starting scavenging of stale resource records


Using the Windows interface
Using the command line

To start scavenging of stale resource records using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Scavenge Stale Resource Records.
3. When you are prompted to confirm that you want to scavenge all stale resource records on the server, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start scavenging of stale resource records using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /StartScavenging

Value           Description
ServerName      Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
                on the local computer, you can also type a period (.).


Reset aging and scavenging properties for a specific resource record

Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This procedure is used only for resource records that are registered dynamically. For records that you add to a zone manually, a time-stamp value of zero always applies
to the record, which excludes it from the scavenging process.
Note
Scavenging and aging properties for name server (NS) and start of authority (SOA) resource records are reset in the properties of the zone, not in the properties of the
resource record.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Resetting aging and scavenging properties for a specific resource record


Using the Windows interface
Using the command line

To reset aging and scavenging properties for a specific resource record using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.
4. Depending on how the resource record was originally added to the zone, do one of the following:
If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent the record's aging or
potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always
reset this check box so that the dynamically updated record can be deleted.
If you added the record manually, select the Delete this record when it becomes stale check box to permit the record's aging or potential removal during
the scavenging process.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To reset aging and scavenging properties for a specific resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /ScavengingInterval Value

Value                   Description
ServerName              Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
                        DNS server on the local computer, you can also type a period (.).
ZoneName|..AllZones     Specifies the fully qualified domain name (FQDN) of the zone. To apply the operation to all zones that are hosted on the specified DNS
                        server, type ..AllZones.
Value                   The new value for the scavenging interval, specified in hours. The default is 168 hours (one week).


Managing Domain Name System Clients


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks are described in this objective:
Configuring DNS Client Settings for DNS Operations
Managing the DNS Client Resolver Cache
Renewing DNS Client Registration


Configuring DNS Client Settings for DNS Operations


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) configuration involves the following tasks when TCP/IP properties are configured for each computer:

Setting a DNS computer name or host name for each computer. For example, in the fully qualified domain name (FQDN) wkstn1.sales.wingtiptoys.com., the DNS
computer name is wkstn1.
Setting a primary DNS suffix for the computer, which is placed after the computer name or host name to form the FQDN. Using the previous example, the primary
DNS suffix is sales.wingtiptoys.com.
Setting a list of DNS servers for clients to use when resolving DNS names, such as a preferred DNS server, and any alternate DNS servers to use if the preferred
server is not available.
Setting the DNS suffix search list or search method to be used by the client when it performs DNS query searches for short, unqualified domain names.

These tasks are discussed in more detail in each of the following sections.

Setting Computer Names


When you set a computer name for DNS, it is useful to think of the name as the leftmost portion of a fully qualified domain name (FQDN). For example, in
wkstn1.sales.wingtiptoys.com., wkstn1 is the computer name.
You can configure all Windows DNS clients with a computer name that is based on any of the standard supported characters that are defined in Request for Comments
(RFC) 1123, "Requirements for Internet Hosts -- Application and Support." These characters include the following:

Uppercase letters: A through Z
Lowercase letters: a through z
Numbers: 0 through 9
Hyphens (-)

If you are supporting both network basic input/output system (NetBIOS) and DNS namespaces on your network, you can use a different computer name in each
namespace. However, it is recommended that, wherever possible, you try to use computer names that are 15 characters or less and that you follow the RFC 1123 naming
requirements described in the previous paragraph.
By default, the leftmost label in the FQDN for clients equals the NetBIOS computer name, unless this label is 16 or more characters, which exceeds the 15-character
maximum for NetBIOS names. When the computer name exceeds the maximum length for NetBIOS, the NetBIOS computer name is truncated based on the full label that is specified.
Before you configure computers with varying DNS and NetBIOS names, consider the following issues and their implications for your deployment:
If Windows Internet Name Service (WINS) lookup is enabled for zones that are hosted by your DNS servers, you must use the same name for both NetBIOS and DNS
computer naming. Otherwise, the results of clients attempting to query and resolve the names of these computers will be inconsistent.
If you have an investment in using NetBIOS names to support legacy Microsoft networking technology, it is recommended that you revise NetBIOS computer names that
are used on your network to prepare for migration to a standard DNS-only environment. This prepares your network well for long-term growth and interoperability with
future naming requirements. For example, if you use the same computer name for both NetBIOS and DNS resolution, consider converting any special characters such as
the underscore (_) in your current NetBIOS names that do not comply with DNS naming standards. While these characters are permitted in NetBIOS names, they are more
often incompatible with traditional DNS host naming requirements and most existing DNS resolver client software.
Note
Although the use of the underscore (_) in DNS host names or in host address (A) resource records has traditionally been prohibited by DNS standards, the use of
underscores in service-related names such as those used for service locator SRV resource records has been proposed to avoid naming collisions in the Internet
DNS namespace.
In addition to DNS standard naming conventions, Windows Server 2003 DNS supports the use of extended American Standard Code for Information Interchange (ASCII)
and Unicode characters. However, because most resolver software that is written for other platforms (such as UNIX) is based on Internet DNS standards, this enhanced
character support can be used only in private networks with computers running Windows 2000 or Windows Server 2003 DNS.
The initial setup of DNS and TCP/IP displays a warning to suggest a standard DNS name if a nonstandard DNS name is entered.
By default, computers and servers use DNS to resolve any name that is greater than 15 characters in length. If the name is less than or equal to 15 characters, both
NetBIOS and DNS name resolution can be attempted and used to resolve the name.

Setting Domain Names


The domain name is used with the client computer name to form the FQDN, which is also known as the full computer name. In general, the DNS domain name is the
remainder of the FQDN that is not used as the unique host name for the computer.
For example, the DNS domain name for a client computer can be defined as the following: If the FQDN is wkstn1.sales.wingtiptoys.com, the domain name is the
sales.wingtiptoys.com portion of this name.
DNS domain names have two variations: a DNS name and a NetBIOS name. The full computer name (a fully qualified DNS name) is used during querying and location of
named resources on your network. For earlier-version clients, the NetBIOS name is used to locate various types of NetBIOS services that are shared on your network.

The Net Logon service is an example of a service that shows the need for both NetBIOS and DNS names. In Windows Server 2003 DNS, the Net Logon service on a domain
controller registers its SRV resource records on a DNS server. For Windows NT Server 4.0 and earlier operating systems, domain controllers register a DomainName entry
in WINS to perform the same registration and to advertise their availability for providing authentication service to the network.
When a client computer is started on the network, it uses the DNS resolver to query a DNS server for SRV records for its configured domain name. This query is used to
locate domain controllers and provide logon authentication for accessing network resources. A client or a domain controller on the network optionally uses the NetBIOS
resolver service to query WINS servers, attempting to locate DomainName [1C] entries to complete the logon process.
Your DNS domain names should follow the same standards and recommended practices that apply to DNS computer naming described in the previous section. In general,
acceptable naming conventions for domain names include the use of letters A through Z, numerals 0 through 9, and the hyphen (-). The period (.) in a domain name is
always used to separate the discrete parts of a domain name, commonly known as labels. Each label corresponds to an additional level that is defined in the DNS
namespace tree.
For most computers, the primary DNS suffix that is configured for the computer can be the same as its Active Directory domain name, although the two values can also be
different.
Important
By default, the primary DNS suffix portion of a computer's FQDN must be the same as the name of the Active Directory domain where the computer is located. To allow
different primary DNS suffixes, a domain administrator may establish a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the
domain object container. This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory
Access Protocol (LDAP).

Configuring a DNS Servers List


For DNS clients to operate effectively, a prioritized list of DNS name servers must be configured for each computer to use when processing queries and resolving DNS
names. In most cases, the client computer contacts and uses its preferred DNS server, which is the first DNS server on its locally configured list. The client computer
contacts and uses listed alternate DNS servers when the preferred server is not available. For this reason, it is important that the preferred DNS server be appropriate for
continuous client use under normal conditions.
Note
For computers running Windows XP, the DNS server list is used by clients only to resolve DNS names. When clients send dynamic updates (for example, when they
change their DNS domain name or a configured Internet Protocol (IP) address), they might contact these servers or other DNS servers as needed to update their DNS
resource records.
By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network (VPN) connection. To modify this
configuration, you can modify the advanced TCP/IP settings of the particular network connection or you can modify the registry.
By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone that is named with a single-label name is considered a TLD zone,
for example, com, edu, blank, or my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones
policy setting or you can modify the registry.
When DNS clients are configured dynamically by a Dynamic Host Configuration Protocol (DHCP) server, it is possible to have a larger list of provided DNS servers. To
provide an IP address list of DNS servers to your DHCP clients, enable option code 6 on the configured options types that are provided by your DHCP server. For
Windows Server 2003 DHCP servers, you can configure a list of up to 25 DNS servers for each client with this option.
To effectively share the load when multiple DNS servers are provided in a DHCP options-specified list, you can configure a separate DHCP scope that rotates the listed
order of DNS and WINS servers that are provided to clients.

Configuring a DNS Suffix Search List


For DNS clients, you can configure a DNS domain suffix search list that extends or revises their DNS search capabilities. By adding additional suffixes to the list, you can
search for short, unqualified computer names in more than one specified DNS domain. Then, if a DNS query fails, the DNS Client service can use this list to append other
name suffix endings to your original name and to repeat DNS queries to the DNS server for these alternate FQDNs.
For computers and servers, the following default DNS search behavior is predetermined and used for completing and resolving short, unqualified names.
When the suffix search list is empty or unspecified, the primary DNS suffix of the computer is appended to short, unqualified names, and a DNS query is used to resolve
the resultant FQDN. If this query fails, the computer can try additional queries for alternate FQDNs by appending any connection-specific DNS suffix that is configured for
network connections.
If no connection-specific suffixes are configured or if queries for these resultant connection-specific FQDNs fail, the client can then begin to retry queries based on
systematic reduction of the primary suffix (also known as devolution).
For example, if the primary suffix is sales.wingtiptoys.com, the devolution process is able to retry queries for the short name by searching for it in the wingtiptoys.com and
com domains.
When the suffix search list is not empty and it has at least one DNS suffix specified, attempts to qualify and resolve short DNS names are limited to searching only those
FQDNs that are made possible by the specified suffix list. If the queries for all FQDNs formed by appending and trying each suffix in the list fail, the query process fails,
producing a "Name not found" result.
Note
If the domain suffix list is used, clients continue to send additional alternate queries based on different DNS domain names when a query is not answered or resolved.
After a name is resolved using an entry in the suffix list, unused list entries are not tried. For this reason, it is most efficient to order the list with the most used domain
suffixes first.
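The following added example (not Microsoft's code) covers both the computer-naming rules in "Setting Computer Names" and the search order described in this section: it checks a proposed computer name against the RFC 1123 character set and the 15-character NetBIOS limit, derives the NetBIOS name, and lists the FQDNs the DNS Client would try for a short name, in order. All names and suffixes are constructed; the `min_labels` parameter is an assumption that models how far devolution descends (2 stops at the second-level domain, as the Network Connections option below describes; 1 also tries the top-level domain, as in the wkstn1 example above).

```python
"""Client naming checks and suffix search order (added example, not Microsoft's code)."""
import re
from typing import List, Sequence

# RFC 1123 host label: letters, digits and hyphen, no leading/trailing hyphen, at most 63 characters.
RFC1123_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
NETBIOS_MAX = 15


def host_label_issues(label: str) -> List[str]:
    """Problems with a proposed DNS computer name, per the rules on this page."""
    if not label:
        return ["empty name"]
    issues = []
    if "_" in label:
        issues.append("underscore is permitted in NetBIOS names but not in DNS host names")
    if not RFC1123_LABEL.match(label):
        issues.append("contains characters outside RFC 1123 letters, digits and hyphen, "
                      "starts or ends with a hyphen, or exceeds 63 characters")
    if len(label) > NETBIOS_MAX:
        issues.append("longer than 15 characters: the NetBIOS name is truncated and "
                      "only DNS is used to resolve the name")
    return issues


def netbios_name(label: str) -> str:
    """NetBIOS computer name derived from the DNS label (first 15 characters)."""
    return label[:NETBIOS_MAX].upper()


def devolved_suffixes(primary_suffix: str, min_labels: int = 2) -> List[str]:
    """Parent suffixes of the primary suffix, longest first, down to min_labels labels."""
    labels = primary_suffix.strip(".").split(".")
    parents = []
    for i in range(1, len(labels)):
        parent = labels[i:]
        if len(parent) < min_labels:
            break
        parents.append(".".join(parent))
    return parents


def candidate_fqdns(short_name: str, primary_suffix: str,
                    connection_suffixes: Sequence[str] = (),
                    search_list: Sequence[str] = (),
                    min_labels: int = 2) -> List[str]:
    """Ordered FQDNs the DNS Client tries for a short, unqualified name.

    Each entry is one query sent to the configured servers if the previous one
    fails, so a long or badly ordered list costs a round trip per entry."""
    if short_name.endswith("."):
        return [short_name.rstrip(".")]        # already fully qualified: no suffixes
    if search_list:
        # A configured search list replaces the primary suffix,
        # connection-specific suffixes and devolution.
        suffixes = list(search_list)
    else:
        suffixes = ([primary_suffix] + list(connection_suffixes)
                    + devolved_suffixes(primary_suffix, min_labels))
    seen, ordered = set(), []
    for suffix in suffixes:
        suffix = suffix.strip(".")
        if suffix and suffix not in seen:      # skip duplicates, keep first position
            seen.add(suffix)
            ordered.append(f"{short_name}.{suffix}")
    return ordered


if __name__ == "__main__":
    print(host_label_issues("sales_ws1"))
    print(netbios_name("verylongworkstationname01"))
    print(candidate_fqdns("wkstn1", "sales.wingtiptoys.com", ["lab.wingtiptoys.com"]))
```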

Configuring Multiple Names


Computers running Windows XP and servers running Windows Server 2003 are given DNS names by default. Each computer can have its DNS names configured using one
of two possible methods:

A primary DNS domain name, which applies as the default, fully qualified, DNS name for the computer and all its configured network connections.
A connection-specific, DNS domain name, which can be configured as an alternate DNS domain name that applies only for a single network adapter that is installed
and configured on the computer.

Although most computers do not need to support or use more than one name in DNS, support for configuring multiple, connection-specific DNS names is sometimes
useful. For example, by using multiple names, a user can specify which network connection to use when connecting to a multihomed computer.
To complete these tasks, perform the following procedure:
Configure DNS settings in Network Connections

Configure DNS settings in Network Connections


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to configure TCP/IP to use Domain Name System (DNS).
Administrative credentials
To complete this procedure, you must be a member of the Administrators group or the Network Configuration Operators group on the local computer.
To configure DNS settings in Network Connections
1. Open Network Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. On the General tab (for a local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.
5. If you want to configure DNS server addresses manually, click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server,
type the Internet Protocol (IP) addresses of the preferred DNS server and alternate DNS server.
6. To configure advanced DNS properties, click Advanced, click the DNS tab, and then do one or more of the following:
To configure an additional DNS server IP address:
a. Under DNS server addresses, in order of use, click Add.
b. In DNS server, type the IP address of the DNS server, and then click Add.
To resolve an unqualified name by appending the primary DNS suffix and the DNS suffix of each connection (if configured), click Append primary and
connection specific DNS suffixes. If you also want to search the parent suffixes of the primary DNS suffix up to the second-level domain, select the Append
parent suffixes of the primary DNS suffix check box.
To resolve an unqualified name by appending the suffixes from a list of configured suffixes, click Append these DNS suffixes (in order), and then click Add
to add suffixes to the list.
To use a DNS dynamic update to register the IP addresses of this connection and the primary domain name of the computer, select the Register this
connection's addresses in DNS check box. This option is enabled by default. The primary domain name of the computer is the primary DNS suffix appended
to the computer name, and it can be viewed as the full computer name on the Computer Name tab (which is available in System in Control Panel).
To use a DNS dynamic update to register the IP addresses and the connection-specific domain name of this connection, select the Use this connection's
DNS suffix in DNS registration check box. This option is disabled by default. The connection-specific domain name of this connection is the DNS suffix for
this connection appended to the computer name.
To completely disable DNS dynamic update for all names on the computer, clear the Register this connection's addresses in DNS and Use this
connection's DNS suffix in DNS registration check boxes for all connections in Network Connections.

Note
To open Network Connections, click Start, point to Control Panel, and then click Network Connections.


Managing the DNS Client Resolver Cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig command to troubleshoot Domain Name System (DNS) problems or to verify DNS settings. To complete this task for troubleshooting or
verification, perform the following procedures:

Preload the DNS client resolver cache
View a DNS client resolver cache
Flush and reset a client resolver cache


Preload the DNS client resolver cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Entries that you add with this procedure are always answered first from the local resolver cache. They are not sent to the Domain Name System (DNS) query when queries
are made locally to resolve these names to host address (A) resource records.
Every line in the Hosts file contains an Internet Protocol (IP) address, followed by one or more host names. For example, you can add a line, such as the following line, with
an IP address (10.0.0.1) that maps to more than one DNS host name:

10.0.0.1    host-a    host-a.example.microsoft.com    host-b.example2.microsoft.com

Likewise, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines. For example, you can add
lines for the following multihomed or multiaddressable DNS host computer:

10.0.0.1    host-a.example.microsoft.com
10.0.0.2    host-a.example.microsoft.com
10.0.0.3    host-a.example.microsoft.com

When multiple names or IP addresses are used in the Hosts file, the DNS Client service must be running for all entries to be returned or used in answering queries. If the
DNS Client service is not running, only the first entry in the file is used to resolve the query.
To preload the DNS client resolver cache
1. At a command prompt, type the following command, and then press ENTER:
notepad %systemroot%\system32\drivers\etc\hosts
2. Using the default entry in the file (a mapping for the local host to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate
lines to be preloaded into the resolver cache of the client. For example, you might add:
10.0.0.1 host-a host-a.example.microsoft.com
3. On the File menu, click Save, and then Exit.
4. As an option, you can verify that your changes have been updated in the resolver cache by viewing its contents.
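The following added example (not Microsoft's code) parses Hosts file text with the two layouts shown above, several names on one line and one name repeated across lines, and answers a name lookup the way the page describes, returning every matching address when the DNS Client service is running and only the first matching line when it is not. The file contents are constructed.

```python
"""Hosts file preload behaviour (added example, not Microsoft's code)."""
import ipaddress
from typing import List, Tuple

HostsEntry = Tuple[str, List[str]]   # (address, names listed on that line)

# Constructed sample of %systemroot%\system32\drivers\etc\hosts
CONSTRUCTED_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.0.0.1        host-a host-a.example.microsoft.com host-b.example2.microsoft.com
10.0.0.2        host-a.example.microsoft.com
10.0.0.3        host-a.example.microsoft.com   # third address of the multihomed host
not-an-address  broken-line
"""


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse Hosts file text: an address followed by one or more names per line.
    '#' starts a comment; lines without a valid address are skipped."""
    entries: List[HostsEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed line: not preloaded
        names = [n.lower() for n in fields[1:]]   # host name matching is case-insensitive
        if names:
            entries.append((address, names))
    return entries


def resolve(entries: List[HostsEntry], name: str, dns_client_running: bool = True) -> List[str]:
    """Addresses answered for `name` from the preloaded entries, in file order.
    With the DNS Client service stopped, only the first matching line is used."""
    wanted = name.lower()
    addresses: List[str] = []
    for address, names in entries:
        if wanted in names and address not in addresses:
            addresses.append(address)
            if not dns_client_running:
                break
    return addresses


def names_for(entries: List[HostsEntry], address: str) -> List[str]:
    """All names that map to one address (the several-names-per-line case)."""
    found: List[str] = []
    for addr, names in entries:
        if addr == address:
            found.extend(n for n in names if n not in found)
    return found


if __name__ == "__main__":
    table = parse_hosts(CONSTRUCTED_HOSTS)
    print(resolve(table, "host-a.example.microsoft.com"))
    print(resolve(table, "host-a.example.microsoft.com", dns_client_running=False))
    print(names_for(table, "10.0.0.1"))
```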


View a DNS client resolver cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig /displaydns command to view the contents of the Domain Name System (DNS) client resolver cache, which includes entries that are preloaded
from the local Hosts file, as well as any recently obtained resource records for name queries that were resolved by the system. This information is used by the DNS Client
service to quickly resolve frequently queried names before it queries its configured DNS servers.
When you use the ipconfig /displaydns command to display current resolver cache contents, the resultant output generally includes the local host and loopback Internet
Protocol (IP) address (127.0.0.1) mappings. This is because these mappings typically exist in the default (unmodified) contents of the local Hosts file.
To view a DNS client resolver cache
At a command prompt, type the following command, and then press ENTER:
ipconfig /displaydns


Flush and reset a client resolver cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig /flushdns command to flush and reset the contents of the Domain Name System (DNS) client resolver cache. During DNS troubleshooting, if
necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries.
Resetting the cache does not eliminate entries that are preloaded from the local Hosts file. To eliminate those entries from the cache, remove them from this file.
To flush and reset a client resolver cache
At a command prompt, type the following command, and then press ENTER:
ipconfig /flushdns


Renewing DNS Client Registration


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig /registerdns command to initiate dynamic registration manually for the Domain Name System (DNS) names and Internet Protocol (IP) addresses
that are configured at a computer. This option can assist in troubleshooting a failed DNS name registration or in resolving a dynamic update problem between a client and
the DNS server without restarting the client.
By default, the ipconfig /registerdns command refreshes all Dynamic Host Configuration Protocol (DHCP) address leases and registers all related DNS names that are
configured and used by the client computer.
To renew DNS client registration
At a command prompt, type the following command, and then press ENTER:
ipconfig /registerdns


Managing Domain Name System Zones


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks for managing Domain Name System (DNS) zones are described in this objective:
Adding and Removing a Zone
Start or pause a zone
Start a zone transfer at a secondary server
Modifying Zone Properties
Configuring Dynamic Updates
Delegating a Zone
Using Stub Zones for DNS Operations
Using WINS Lookup in DNS Zones

Adding and Removing a Zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A zone starts as a storage database for a single Domain Name System (DNS) domain name. If other domains are added below the domain that is used to create the zone, these domains can either be part of the same zone or belong to another zone. After a subdomain is added, it can then either be:
Managed and included as part of the original zone records.
Delegated away to another zone that is created to support the subdomain.

You can use this task after you determine that you need to add or remove a DNS zone from your environment. For more information about planning DNS zones, see
Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirement:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Delete a DNS zone


Add a new zone

See Also
Other Resources
Deploying Domain Name System (DNS)

Delete a DNS zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Although it can also be used to delete a primary zone, the following procedure is most often used to delete a secondary copy of a zone. You can perform this procedure
by using the DNS snap-in or by using the Dnscmd command-line tool.
Deleting a standard primary zone is usually unnecessary, unless you are redesigning your Domain Name System (DNS) namespace and the zone is no longer needed or
used. In most cases, you can change the zone type if you only want to modify the zone.

Caution
Deleting an Active Directory-integrated zone from the directory effectively deletes the zone and eliminates its use at all other DNS servers that use the same directory store of zone data.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Deleting a DNS zone



To delete a DNS zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Delete.
4. When you are asked to confirm that you want to delete the zone, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a DNS zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]

Value          Description
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneDelete    Required. Specifies the command to delete the zone that is specified by ZoneName.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone that you are deleting.
/DsDel         Deletes the zone from Active Directory as well, so that it is removed from every DNS server that loads it from the same directory partition (see the Caution above).
/f             Performs the command without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the zone.


Add a new zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to create a new primary, secondary, stub, or reverse lookup zone. You can perform this procedure by using the DNS snap-in or by using the
Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a new zone



To add a new zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click a DNS server, and then click New Zone to start the New Zone Wizard.
3. Follow the instructions in the wizard to create a new primary, secondary, stub, or reverse lookup zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a new zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [MasterIPaddress...] [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

Value                      Description
ServerName                 Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd                   Required. Adds a zone.
ZoneName                   Required. Specifies the fully qualified domain name (FQDN) of the zone. For a reverse lookup zone, this is the name of the in-addr.arpa domain for the zone, for example, 20.1.168.192.in-addr.arpa.
/Primary|/DsPrimary        Required (one zone type must be given). Creates a standard primary zone or, with /DsPrimary, an Active Directory-integrated primary zone.
/Secondary|/Stub|/DsStub   Required (one zone type must be given). Creates a secondary zone, a stub zone, or an Active Directory-integrated stub zone. For these types, one or more master server IP addresses (MasterIPaddress...) must follow the zone type, as for /ZoneResetType.
MasterIPaddress...         Required for /Secondary, /Stub and /DsStub. Specifies the master servers from which the zone data is copied.
/file FileName             Required for /Primary. Specifies the name of the zone file for the new zone. This parameter is invalid for the /DsPrimary zone type.
/load                      Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.
/a AdminEmail              Adds an administrator e-mail address for the zone.
/DP FQDN                   Adds the zone to the application directory partition that is specified by FQDN. You may also use one of the following:
                           /DP /domain   for the domain directory partition (replicates to all DNS servers in the domain).
                           /DP /forest   for the forest directory partition (replicates to all DNS servers in the forest).
                           /DP /legacy   for the legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains that still have Windows 2000 Server domain controllers.


Start or pause a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to start or pause a zone. By default, zones are started when they are created or loaded at the server. Only zones that have previously been
paused need to be restarted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Starting or pausing a zone



To start or pause a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, click Start or Pause, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start or pause a zone using the command line
1. Open a command prompt. To start a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResume ZoneName
2. To pause a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZonePause ZoneName

Value          Description
ServerName     Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneResume    Required to start a zone. Resumes the hosting of the zone by the DNS server.
/ZonePause     Required to pause a zone. The DNS server stops answering queries for the zone until it is resumed; the zone stays loaded.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone to resume or pause.


Start a zone transfer at a secondary server


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This procedure makes the secondary server query its master for the zone's start of authority (SOA) resource record and compare the serial number in it with the serial of its own copy. If the serial numbers match, there is no zone transfer. If the master's serial number is newer, the secondary requests a zone transfer. Use it after you change a zone at the master and do not want to wait for the refresh interval or for a notify message.
By default, the Domain Name System (DNS) server only allows a zone transfer to authoritative DNS servers that are listed in the name server (NS) resource records for the zone, so the secondary must appear in the master's NS records (or in its zone transfer list) for the transfer to succeed.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Starting a zone transfer at a secondary server



To start a zone transfer at a secondary server using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Transfer from master.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start a zone transfer at a secondary server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneRefresh ZoneName

Value           Description
ServerName      Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneRefresh    Required. Updates the secondary zone from its master.
ZoneName        Required. Specifies the name of the secondary zone to update.


Modifying Zone Properties


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You might decide to modify certain Domain Name System (DNS) zone properties based on a design or performance evaluation of your network. These settings affect zone
transfers and zone types. For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

1. Change the DNS zone type
2. Change a DNS zone file name
3. Change the zone replication scope
4. Modify the SOA record for a zone
5. Modify DNS zone transfer settings
6. Specify DNS servers as authoritative for a zone
7. Change the master server for a secondary zone
8. Create a notify list for a zone
9. Adjust the refresh, retry, or expire intervals for a zone

See Also
Other Resources
Deploying Domain Name System (DNS)

Change the DNS zone type


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change the Domain Name System (DNS) zone type. You can select a primary, secondary, or stub zone. When you select the
secondary or stub zone type, you must specify the Internet Protocol (IP) address of another DNS server to be used as the source for obtaining updated information for the
zone.
If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-Integrated is available. When you select this zone
type, zone data is stored and replicated as part of the Active Directory database.
Changing a zone from secondary to primary can affect other zone activities, including the management of dynamic updates and zone transfers and the use of DNS notify
lists to notify other servers about changes in the zone. Changing a zone from stub to primary (or the reverse) is not recommended because of the purpose of stub zones.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Changing the zone type



To change the zone type using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone type, and then click Change.
4. In the Change Zone Type dialog box, click a zone type other than the current one, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change the zone type using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] [/OverWrite_Mem|/OverWrite_Ds] [/DirectoryPartition FQDN]

Value                       Description
ServerName                  Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName                    Required. Specifies the fully qualified domain name (FQDN) of the zone.
Property                    Required. One of the following zone types:
                            /Primary     Standard primary zone. The /file FileName parameter is required.
                            /DsPrimary   Active Directory-integrated primary zone.
                            /Secondary   Secondary zone. You must specify at least one MasterIPaddress.
                            /Stub        Stub zone. You must specify at least one MasterIPaddress.
                            /DsStub      Active Directory-integrated stub zone. You must specify at least one MasterIPaddress.
MasterIPaddress...          Required for /Secondary, /Stub and /DsStub. Specifies one or more IP addresses for the master servers of the secondary or stub zone, from which it copies zone data.
/file FileName              Required for /Primary. Specifies the name of the zone file for the new zone. This parameter is invalid for the /DsPrimary zone type.
/OverWrite_Mem              Overwrites the existing in-memory DNS data with the data in Active Directory.
/OverWrite_Ds               Overwrites the Active Directory data with the data in DNS.
/DirectoryPartition FQDN    Stores the new zone in the application directory partition that is specified by FQDN, such as DomainDnsZones.corp.sales.wingtiptoys.com.

See Also
Other Resources
Deploying Domain Name System (DNS)

Change a DNS zone file name


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you use the following procedure, the name of the zone file changes, not the name of the zone. You can use Windows Explorer to view or verify the new zone file
name.
The zone file name is not used for Active Directory-integrated zones because these zones store zone data in the Active Directory database, not a text file on the DNS
server computer.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change a zone file name
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, in the Zone file name text box, type the new file name for this zone, and then click OK.

Caution

If the zone file name is changed, be sure to update the zone file name on other DNS servers that maintain this zone. Otherwise, subsequent zone transfers and
updates might fail. This can occur in the following situations:
The zone type is primary on this server.
The zone type is secondary on this server, and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of
this zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Change the zone replication scope


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change the replication scope for a zone. Only Active Directory-integrated primary and stub zones have a replication scope, because they are stored in a directory partition; a secondary zone is stored in a file and kept current by zone transfers, so it has no replication scope to change.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Changing zone replication scope



To change zone replication scope using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone replication type, and then click Change.
4. Select a replication scope for the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change zone replication scope using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName

Value                            Description
ServerName                       Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneChangeDirectoryPartition    Required. Changes a zone's replication scope.
ZoneName                         Required. Specifies the fully qualified domain name (FQDN) of the zone.
NewPartitionName                 Required. The FQDN of the DNS application directory partition where the zone will be stored.


Modify the SOA record for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to change settings for the start of authority (SOA) resource record for a zone. The settings that are applied for the SOA record affect how zone
transfers are made between servers.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying the SOA record for a zone



To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value         Description
ServerName    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd    Required. Adds or modifies a resource record. A zone has one SOA record, at its root, so adding an SOA record replaces the current values.
ZoneName      Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName      Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to ZoneName, or type @, which specifies the zone's root node.
/Aging        Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl      Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record. Use it with care: an open ACL on the SOA record lets any user change the zone's serial number and timers.
Ttl           Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the SOA resource record.
SOA           Required. Specifies the type of resource record that you are modifying.
PrimSvr       Required. Specifies the FQDN of the server that is the primary source for information about the zone, for example, nameserver.place.sales.wingtiptoys.com.
Admin         Required. Specifies the name of the DNS administrator for the zone, written in the form used by SOA records (a dot in place of the @ of the e-mail address), for example, postmaster.nameserver.place.sales.wingtiptoys.com.
Serial#       Required. Specifies the version information for the zone. Secondary servers start a transfer only when this value is newer than the serial they already hold, so do not set it lower than the current value.
Refresh       Required. Specifies the refresh interval for the zone: how often a secondary server checks the master's SOA record for a newer serial. The standard setting is 3600 seconds (one hour).
Retry         Required. Specifies the retry interval for the zone: how long a secondary server waits before it tries again after a failed refresh. The standard setting is 600 seconds (10 minutes).
Expire        Required. Specifies the expire interval for the zone: how long a secondary server keeps answering for the zone without a successful refresh. The standard setting is 86400 seconds (one day).
MinTTL        Required. Specifies the minimum TTL value. This is the length of time that other DNS servers cache a record from the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).

Note
To modify any specific SOA record value using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
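The following script is an added example, not code from this guide or from Windows. It covers two passages: the serial comparison a secondary performs when you use "Transfer from master" (see Start a zone transfer at a secondary server), and the way the Refresh, Retry and Expire values of the SOA record drive that secondary's schedule. It assumes serial numbers are compared with the 32-bit sequence-space arithmetic of RFC 1982, which is what standard DNS servers implement; all serial values and times below are constructed. The serial_path function goes slightly beyond the page: it shows how to reach a lower serial (for example, after a mistaken jump) without any secondary rejecting the change.

```python
SERIAL_MOD = 1 << 32     # SOA serial numbers are 32-bit unsigned integers
HALF = 1 << 31


def serial_newer(candidate, current):
    """RFC 1982: `candidate` is newer than `current` if it is at most 2^31-1 ahead,
    modulo 2^32. Equal serials, and a difference of exactly 2^31, are not newer."""
    ahead = (candidate - current) % SERIAL_MOD
    return 0 < ahead < HALF


def needs_transfer(secondary_serial, master_serial):
    """The test behind 'Transfer from master' and the Refresh timer: copy the zone only
    if the master's SOA serial is newer than the copy the secondary already holds."""
    return serial_newer(master_serial, secondary_serial)


def next_serial(current, proposed=None):
    """A serial every secondary will accept as newer. If `proposed` (say a YYYYMMDDnn
    value) is not newer than `current`, fall back to current + 1 rather than publish a
    serial the secondaries would ignore."""
    if proposed is not None and serial_newer(proposed, current):
        return proposed % SERIAL_MOD
    return (current + 1) % SERIAL_MOD


def serial_path(current, target):
    """Serials to publish, in order, to reach `target` from `current` when `target` would
    be rejected as older. Each step moves forward by at most 2^31-1, the largest increase
    RFC 1982 still counts as newer; a direct decrease is never accepted."""
    current %= SERIAL_MOD
    target %= SERIAL_MOD
    if current == target:
        return []
    path = []
    while not serial_newer(target, current):
        current = (current + HALF - 1) % SERIAL_MOD
        path.append(current)
    path.append(target)
    return path


def secondary_status(now, last_success, last_attempt, attempt_failed, refresh, retry, expire):
    """What the SOA timers say a secondary should do at time `now` (all values in seconds).

    Returns (state, next_check):
      'expired'   `expire` seconds or more since the last successful refresh or transfer:
                  the secondary stops answering authoritatively for the zone until a
                  transfer succeeds, so it checks again at once
      'retrying'  the last check failed: try again `retry` seconds after that attempt
      'current'   the copy is good: next routine SOA check `refresh` seconds after the
                  last success (a notify from the master can trigger one sooner)
    """
    if now - last_success >= expire:
        return "expired", now
    if attempt_failed:
        return "retrying", last_attempt + retry
    return "current", last_success + refresh


if __name__ == "__main__":
    print(needs_transfer(2003010101, 2003010102))   # True: the master is one edit ahead
    print(serial_path(2003010105, 2003010102))      # two publications to "go back" safely
    print(secondary_status(5000, 0, 4800, True, 3600, 600, 86400))   # ('retrying', 5400)
```

The practical points: a zone edit that does not raise the serial is invisible to secondaries, a serial set too high cannot simply be lowered, and a secondary that cannot reach its master for longer than Expire stops serving the zone, so Expire must comfortably exceed any planned outage of the master.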


Modify DNS zone transfer settings


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change Domain Name System (DNS) zone transfer settings. To improve the security of your DNS infrastructure, allow zone transfers only to the DNS servers that are listed in the name server (NS) resource records for a zone, or to a list of specified DNS servers. If you allow any DNS server to perform a zone transfer, any host that can reach TCP port 53 on your DNS server can request a full copy of the zone (AXFR) and so enumerate every host name and address that it contains. When transfers are restricted to the servers in the NS records, the NS list is the access control list, so keep it accurate. Active Directory-integrated zones replicate through Active Directory and need zone transfers only if you also run secondary servers that are not domain controllers.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying DNS zone transfer settings



To modify DNS zone transfer settings using the Windows interface


1. Open the DNS snap-in.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box.
To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server.
To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the Internet Protocol (IP) address of one or more
DNS servers.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify DNS zone transfer settings using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr|/NonSecure|/SecureNs|/SecureList SecondaryIPAddress...}

Value                Description
ServerName           Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName             Required. Specifies the fully qualified domain name (FQDN) of the zone.
/NoXfr               Disables zone transfers for the zone (the same as clearing the Allow zone transfers check box).
/NonSecure           Permits zone transfers to any DNS server (the same as To any server). Avoid this setting outside an isolated test network.
/SecureNs            Permits zone transfers only to DNS servers that are listed in the zone using NS resource records (the same as Only to servers listed on the Name Servers tab).
/SecureList          Permits zone transfers only to the DNS servers that are specified by SecondaryIPAddress (the same as Only to the following servers).
SecondaryIPAddress   Required if /SecureList is specified. A list of one or more IP addresses, separated by spaces, for DNS servers that are permitted to obtain zone transfers.
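After changing the setting, verify it from a host that is not on the zone's NS list or transfer list. The following script is an added example, not code from this guide or from Windows: it builds the zone transfer request a secondary (or an attacker) sends over TCP and classifies the server's reply, so you can confirm that /NoXfr, /SecureNs or /SecureList is actually enforced. The only assumption is the DNS wire format of RFC 1035 (QTYPE 252 is AXFR); the two replies in SAMPLE_REPLIES are constructed so the classification can be exercised offline, and the zone name example.com is a placeholder.

```python
import socket
import struct

AXFR = 252          # QTYPE for a full zone transfer
IN = 1              # QCLASS Internet
TXID = 0x1234       # fixed transaction id for the example; a real client should randomise it
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Uncompressed wire-format name: each label length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=TXID):
    """The request a secondary (or anyone else) sends: one question, QTYPE AXFR, RD clear."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR, IN)


def tcp_frame(message):
    """Zone transfers run over TCP, where every DNS message carries a 16-bit length prefix."""
    return struct.pack("!H", len(message)) + message


def classify_reply(reply, txid=TXID):
    """Classify the first message a server returned to the AXFR request.

    Returns ('transfer-allowed' | 'refused' | 'error', detail). The header is enough:
    a permitted transfer answers NOERROR with at least one record in the answer section
    (the zone's SOA comes first); a server that denies the transfer answers with an
    empty answer section and RCODE 5 (REFUSED) or 9 (NOTAUTH).
    """
    if len(reply) < 12:
        return "error", "truncated header"
    rid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        return "error", "transaction id mismatch"
    if not flags & 0x8000:                       # QR bit: must be a response
        return "error", "not a response"
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "transfer-allowed", "%d record(s) in first message" % ancount
    if rcode == 0:
        return "error", "NOERROR with empty answer section"
    verdict = "refused" if rcode in (5, 9) else "error"
    return verdict, RCODE_NAMES.get(rcode, "RCODE %d" % rcode)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe(server, zone, port=53, timeout=5.0):
    """Send the AXFR request to `server` and classify its first reply (needs network access).
    Run it from a host that is NOT a listed secondary: a listed one is supposed to succeed,
    an unlisted one should get REFUSED. Only the first message is read; a real transfer
    may span several messages."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(tcp_frame(build_axfr_query(zone)))
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_reply(_recv_exact(sock, length))


# Constructed replies for offline use: a refusal, and the first message of a permitted
# transfer (question echoed, then the zone's SOA record with a compression pointer to it).
def _reply(flags, zone, answer=b""):
    header = struct.pack("!HHHHHH", TXID, flags, 1, 1 if answer else 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR, IN) + answer


ZONE = "example.com"
_soa_rdata = (encode_name("ns1." + ZONE) + encode_name("hostmaster." + ZONE)
              + struct.pack("!IIIII", 2003010101, 3600, 600, 86400, 3600))
_soa_rr = b"\xc0\x0c" + struct.pack("!HHIH", 6, IN, 3600, len(_soa_rdata)) + _soa_rdata
SAMPLE_REPLIES = {
    "refused": _reply(0x8005, ZONE),            # QR=1, RCODE=5
    "open":    _reply(0x8400, ZONE, _soa_rr),   # QR=1, AA=1, one answer record
}

if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        print(label, "->", classify_reply(reply))
```

On a Windows host you can attempt the same transfer interactively with nslookup (server your-dns-server, then ls -d zone); the script is useful when you want the check scripted against every zone and server, or run from a segment that is deliberately outside the transfer list.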


Specify DNS servers as authoritative for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Each Domain Name System (DNS) server that you specify with the following procedure is added as a name server (NS) resource record for the zone, alongside the NS records, and the server Internet Protocol (IP) addresses, that already exist. Typically, you perform this procedure at the primary zone when you add DNS servers that act as secondary servers for it, so that those servers are known to be authoritative when they answer queries for zone data. Because the NS list is also the zone transfer list when transfers are allowed only to the servers on the Name Servers tab, adding a server here also permits it to request zone transfers.
DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone that is added to the server.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Specifying DNS servers as authoritative for a zone



To specify DNS servers as authoritative for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.

Note
To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When you enter a name, click
Resolve to resolve the name to its IP address before adding it to the list.
To specify DNS servers as authoritative for a zone using the command line
1. At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|DomainName}

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.)

/RecordAdd

Required. Specifies the command to add a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace for which the NS record is added. You can also type the node
name relative to the ZoneName, or @, which specifies the zone's root node.

/Aging

If this parameter is used, the resource record can be aged and scavenged. If this parameter is not used, the resource record
remains in the DNS database unless it is updated or removed manually.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the start-of-authority (SOA) resource
record).

NS

Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.

HostName|DomainName

Required. Specifies the host name or FQDN of the new authoritative server.


Change the master server for a secondary zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to specify a new master server for a secondary zone. You can perform this procedure by using the DNS snap-in or by using the
Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Changing the master server for a secondary zone


Using the Windows interface
Using the command line

To change the master server for a secondary zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable secondary zone, and then click Properties.
3. On the General tab, in IP address, specify the Internet Protocol (IP) address for a new master server, and then click Add to update the list.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To change the master server for a secondary zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)

/ZoneResetMasters

Required. Updates the master servers for a secondary zone.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone that you are updating.

/Local

Specifies the local master list for Active Directory-integrated zones.

MasterIPaddress...

Required. Specifies the IP addresses of the master servers that the DNS server uses when it updates the specified secondary zone. If
you do not specify any addresses, you are asking the DNS server to reset the value to an empty list; the request may be denied, because a
secondary zone must always have at least one master server. To clear the local master list of an Active Directory-integrated zone, specify
/Local and omit the IP addresses.


Create a notify list for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to create or change a notify list for a zone. Changes to the notify list properties are available only on primary zones. For secondary
zones, these properties are read only.
By default, the DNS server allows a zone transfer only to authoritative DNS servers that are listed in the name server (NS) resource records for the zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To create or change a notify list for a zone
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. Click the Zone Transfers tab.
5. Click Notify.
6. Verify that the Automatically notify check box is selected.
7. Select the method to be used for creating a list for notifying other DNS servers when changes to the zone occur. Your options are as follows:
Use the default, Servers listed on the Name Servers tab, to permit only those servers that appear by Internet Protocol (IP) address on the Name Servers tab
to be included in the notify list.
Select The following servers if you want to specify a different notify list to be used instead.
8. If you selected The following servers in the previous step, add or remove server IP addresses to form the notify list as needed:
To add a server to the notify list, type its IP address in the IP address box, and then click Add.
To remove a server from the notify list, click the server IP address in the list box, and then click Remove.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.


Adjust the refresh, retry, or expire intervals for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change the following intervals for a Domain Name System (DNS) zone:

Refresh interval. Used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.
Retry interval. Used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time that the refresh
interval occurs.
Expire interval. Used by other DNS servers that are configured to load and host the zone to determine when zone data expires if it is not renewed.

The default values for each interval are as follows:

Refresh interval: 15 minutes.
Retry interval: 10 minutes.
Expire interval: one day.

You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adjusting the refresh, retry, or expire interval for a zone


Using the Windows interface
Using the command line

To adjust the refresh, retry, or expire interval for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-Integrated.
4. Click the Start of Authority (SOA) tab.
5. In Refresh interval, Retry interval, or Expires after, click a time period in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To adjust the refresh, retry, or expire interval for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the
local computer, you can also type a period (.)

/RecordAdd

Required. Adds or modifies a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.

/Aging

Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is updated or removed manually.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.

SOA

Required. Specifies the type of resource record that you are modifying.

PrimSvr

Required. Specifies the FQDN of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com.

Admin

Required. Specifies the name of the DNS administrator for the zone, for example, postmaster.nameserver.place.sales.wingtiptoys.com.

Serial#

Required. Specifies the version information for the zone.

Refresh

Required. Specifies the refresh interval for the zone, in seconds. The standard setting is 3600 seconds (one hour); note that the DNS snap-in creates new zones with the 15-minute (900-second) refresh interval listed earlier in this topic.

Retry

Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).

Expire

Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).

MinTTL

Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).

Note
To modify any specific SOA resource record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
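The three timers above interact: a secondary checks the master every Refresh seconds, falls back to the Retry interval after a failure, and discards its copy of the zone once Expire seconds have passed without a successful refresh. The following script is an added example for this guide, not Microsoft code; it checks a set of timers for ordering mistakes, simulates what a secondary does while its master is unreachable, and assembles the seven SOA arguments dnscmd insists on. SoaTimers, validate, simulate_outage and soa_record_args are the example's own names, and DEFAULT_TIMERS holds the defaults this topic lists (900, 600, 86400 and 3600 seconds).

```python
"""Sanity-check SOA timers and simulate a secondary server's behaviour
while its master is unreachable.

Added example for this guide, not Microsoft code.  SoaTimers, validate,
simulate_outage and soa_record_args are the example's own names;
DEFAULT_TIMERS holds the values this topic lists for a new zone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaTimers:
    refresh: int   # seconds between a secondary's checks of the master's serial
    retry: int     # seconds to wait after a failed refresh before trying again
    expire: int    # seconds after the last successful refresh until the copy is discarded
    min_ttl: int   # MinTTL: how long negative answers from the zone are cached


DEFAULT_TIMERS = SoaTimers(refresh=900, retry=600, expire=86400, min_ttl=3600)


def validate(t):
    """Return a list of problems; an empty list means the timers are consistent."""
    problems = []
    if min(t.refresh, t.retry, t.expire, t.min_ttl) <= 0:
        return ["every SOA timer must be a positive number of seconds"]
    if t.expire <= t.refresh:
        problems.append("expire <= refresh: the secondary discards the zone before "
                        "it ever tries to refresh")
    elif t.expire < t.refresh + t.retry:
        problems.append("expire < refresh + retry: one failed refresh gets no retry "
                        "before the zone expires")
    if t.retry > t.refresh:
        problems.append("retry > refresh: failed refreshes are retried more slowly "
                        "than successful ones are repeated")
    return problems


def simulate_outage(t, outage_seconds):
    """Model a master that is unreachable for outage_seconds, starting right
    after the secondary's last successful refresh at time 0.

    Returns (attempt_times, recovered_at).  recovered_at is the time of the
    first refresh that succeeds, or None if the expire timer ran out first,
    at which point the secondary stops answering for the zone.
    """
    if min(t.refresh, t.retry, t.expire) <= 0:
        raise ValueError("refresh, retry and expire must be positive")
    attempts = []
    now = t.refresh                      # first refresh after a successful one
    while now < t.expire:
        attempts.append(now)
        if now >= outage_seconds:        # master is back: serial check succeeds
            return attempts, now
        now += t.retry                   # failed: wait the retry interval
    return attempts, None                # expire reached with no success


def soa_record_args(primary, admin, serial, t):
    """Argument list for 'dnscmd . /RecordAdd ZoneName @ SOA ...'; dnscmd needs
    all seven values, so refuse to build it from inconsistent timers."""
    problems = validate(t)
    if problems:
        raise ValueError("; ".join(problems))
    return [primary, admin, str(serial), str(t.refresh), str(t.retry),
            str(t.expire), str(t.min_ttl)]


if __name__ == "__main__":
    for outage in (7200, 90000):         # two hours, and just over one day
        tries, back = simulate_outage(DEFAULT_TIMERS, outage)
        state = f"recovered at {back}s" if back else "zone EXPIRED"
        print(f"outage {outage}s: {len(tries)} refresh attempts, {state}")
    print(" ".join(soa_record_args("ns1.wingtiptoys.com.", "hostmaster.wingtiptoys.com.",
                                   2014010101, DEFAULT_TIMERS)))
```

With the default timers a two-hour outage costs twelve failed refreshes and nothing else, while an outage that runs past one day leaves every secondary refusing queries for the zone; that is the trade-off to weigh before lengthening Refresh or shortening Expire.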


Configuring Dynamic Updates


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Dynamic update enables Domain Name System (DNS) client computers to register and dynamically update their resource records with a DNS server whenever changes
occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host
Configuration Protocol (DHCP) to obtain an Internet Protocol (IP) address.
The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load either a standard primary or
directory-integrated zone. By default, the DNS Client service dynamically updates host address (A) resource records in DNS when it is configured for TCP/IP.
Secure dynamic update is available only for zones that are integrated into Active Directory. After you directory-integrate a zone, access control list (ACL) editing features
are available in the DNS snap-in. You can use these features to add or remove users or groups from the ACL for a specified zone or resource record.
For more information about planning DNS zones and dynamic updates, see Deploying Domain Name System (DNS) on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=45677).
You can use this task to enable or disable dynamic updates or to allow only secure dynamic updates.
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Enable dynamic updates


Enable secure dynamic updates

See Also
Other Resources
Deploying Domain Name System (DNS)

Enable dynamic updates


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to enable dynamic updates for a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Enabling dynamic updates


Using the Windows interface
Using the command line

To enable dynamic updates using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone Type is either Primary or Active Directory-Integrated.
4. In Dynamic updates, click Nonsecure and secure.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of
the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

ZoneName|..AllZones

Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS
server to allow dynamic updates, type ..AllZones.

1|0

Configures dynamic update. To allow dynamic updates, type a value of 1. To not allow dynamic updates, type a value of 0.


Enable secure dynamic updates


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory-integrated zones. If the zone
type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Enabling secure dynamic updates


Using the Windows interface
Using the command line

To enable secure dynamic updates using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is Active Directory-Integrated.
4. In Dynamic updates, click Secure only.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable secure dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)

ZoneName|..AllZones

Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS
server to allow dynamic updates, type ..AllZones.

2

Required. Configures the zone to allow secure dynamic updates only. If you exclude the 2, the zone is set to perform standard dynamic
updates only.


Delegating a Zone
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS
servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:

You want to delegate management of part of your DNS namespace to another location or department in your organization.
You want to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improving DNS name resolution performance, or creating
a more fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.

If, for any of these reasons, your network can benefit from delegating zones, it may make sense to restructure your namespace by adding additional zones. When choosing
how to structure zones, use a plan that reflects the structure of your organization.
When you delegate zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the
authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers
that are being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file that contains all resource record information on a single DNS server. This server acts as the primary
master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.
When you structure your zones, there are several good reasons to use additional DNS servers for zone replication:

Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network
(WAN) link can be useful in managing and reducing network traffic.
Additional secondary servers can be used to reduce loads on a primary server for a zone.

For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.
Install Nslookup.

To complete this task, perform one of the following procedures:

Create a new zone delegation


Verify a zone delegation

See Also
Other Resources
Deploying Domain Name System (DNS)

Create a new zone delegation


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to create a new zone delegation. All domains (or subdomains) that appear as part of the applicable zone delegation must be created
in the current zone before you perform delegation as described in this procedure. As necessary, use the DNS snap-in to first add domains to the zone before you perform
this procedure. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Creating a new zone delegation


Using the Windows interface
Using the command line

To create a new zone delegation using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions in the New Delegation Wizard to finish creating the new delegated domain.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To create a new zone delegation using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.)

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace for which the NS record is added, that is, the delegated subdomain. You can also type
the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging

If this parameter is used, the resource record can be aged and scavenged. If this parameter is not used, the resource record remains in
the DNS database unless it is updated or removed manually.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record).

NS

Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.

HostName|FQDN

Required. Specifies the host name or FQDN of the new authoritative server.


Verify a zone delegation


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
You do not need administrative credentials to perform this task. Therefore, as a security best practice, consider performing this task as a user without administrative
credentials.
To verify a zone delegation
1. At a command prompt, type the following command, and then press ENTER:
nslookup
2. At the nslookup prompt, type the following command, and then press ENTER:
server RootServerIpAddress
3. At the next prompt, type the following command, and then press ENTER:
set norecurse
4. At the next prompt, type the following command, and then press ENTER:
set q=NS
5. Type the fully qualified domain name (FQDN) for the failed name.
Use the trailing period (.) when you type the name. If the zone delegations are set correctly, a list of name server (NS) resource records for the delegated servers is
returned in the response.
6. If the NS query response contains no names or Internet Protocol (IP) addresses for delegated servers, keep the query type set to NS and query again using the FQDN for the
parent zone of the failed name.
For example, if the failed name that you used in the previous step was sales.wingtiptoys.com, query for wingtiptoys.com.
7. If the response contains NS resource records but no host address (A) resource records, type set recurse, then set q=A, and then query individually for the A resource
record of each server that is listed in the NS resource records.
If, for the NS resource records that you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
8. Either fix the broken delegation or repeat the delegation test described in the previous steps using a different IP address.
If more than one A resource record or IP address is found, use each of them to repeat the delegation test. To fix a broken delegation, add or update an
A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

Value

Description

RootServerIpAddress

The IP address of a valid root server for your network. The server command directs all subsequent nslookup queries to this server.

set norecurse

Instructs the server not to perform recursion on your query, so the response shows only the referral that the server itself holds.

set q=NS

Sets the query type to name server (NS) resource records for the queries that follow.


Using Stub Zones for DNS Operations


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use stub zones to:

Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the Domain Name System (DNS) server that hosts both the
parent zone and the stub zone maintains a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion by using the stub zone's list of name servers, without needing to query the
Internet or the internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without
using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not a valid alternative to secondary zones with
regard to redundancy and load sharing.

When a DNS server loads a stub zone, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for
the zone. The list of master servers may contain a single server or multiple servers, and the list can be changed anytime.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Reload or transfer stub zones


Configure a stub zone to use local master servers

See Also
Other Resources
Deploying Domain Name System (DNS)

Reload or transfer stub zones


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to reload or transfer stub zones. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line
tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Reloading or transferring stub zones


Using the Windows interface
Using the command line

To reload or transfer stub zones using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable stub zone, and do one of the following:
To reload the stub zone from storage, click Reload.
To have the DNS server determine if the serial number in the stub zone's start-of-authority (SOA) resource record has expired and then perform a zone
transfer from the stub zone's master server, click Transfer from Master.
To perform a zone transfer from the stub zone's master server regardless of the serial number in the stub zone's SOA resource record, click Reload from
Master.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To reload or transfer stub zones using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address
of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneReload

Reloads the stub zone.

/ZoneUpdateFromDs

Reloads the stub zone from Active Directory.

/ZoneRefresh

Refreshes the stub zone. The DNS server determines if the serial number in the stub zone's SOA resource record has expired. If the
serial number has expired, the DNS server performs a zone transfer from the stub zone's master server.

ZoneName

Required. Specifies the name of the stub zone that you want to reload or refresh.

Note
There is no dnscmd command that performs a zone transfer regardless of the serial number in the stub zone's SOA resource record (the equivalent of Reload from Master). To
perform this operation, use the Windows interface procedure.


Configure a stub zone to use local master servers


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to specify local master servers that you want the Domain Name System (DNS) server to use when loading and updating the stub zone.
When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in
Active Directory. If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is
deleted.
The DNS server keeps the master servers list from Active Directory stored in memory.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate
authority. As a security best practice, consider using the Run as command to perform this procedure.

Configuring a stub zone to use local master servers


Using the Windows interface
Using the command line

To configure a stub zone to use local master servers using the Windows interface
1. Open DNS.
2. In the console tree, right-click the stub zone, and then click Properties.
3. On the General tab, under IP address, modify the list to display the Internet Protocol (IP) addresses of the local master servers that you want the DNS server to use
when loading and updating the stub zone.
Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone
on this server.
4. Select the Use the list above as a local list of masters check box, and then click OK.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To configure a stub zone to use local master servers using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]

Value and description:

ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.

/Local
    Configures the local master list for Active Directory-integrated zones.

MasterIPaddress...
    List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers hosting other secondary copies for the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.


Using WINS Lookup in DNS Zones


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The DNS Server service provides the ability to use Windows Internet Name Service (WINS) servers to look up names that are not found in the Domain Name System (DNS)
domain namespace by checking the network basic input/output system (NetBIOS) namespace that is managed by WINS.
For WINS lookup integration, two special resource record types, the WINS and WINS-R resource records, are enabled and added to a zone. When the WINS resource record is used, DNS queries that fail to find a matching host address (A) resource record in the zone are forwarded to the WINS servers that are configured in the WINS resource record. For reverse lookup zones, the WINS-R resource record can be enabled and used to provide a similar benefit for further resolving a reverse query that is not answerable in the reverse in-addr.arpa domain.
For example, you can use WINS lookup when you are using a mixed-mode client environment consisting of UNIX clients that use only DNS name resolution and earlier-version Microsoft clients that require NetBIOS naming. In these environments, WINS lookup provides a method for permitting UNIX DNS clients to locate your WINS clients by extending DNS host name resolution into the WINS-managed NetBIOS namespace.
The WINS lookup integration feature is supported only by Windows DNS servers. If you use a mixture of Windows and other DNS servers to host a zone, select the Do not replicate this record check box option for any primary zones when you use the WINS lookup record. This prevents the WINS lookup record from being included in zone transfers to other DNS servers that do not support or recognize this record. If you do not restrict the WINS lookup record to the local server, it can cause data errors or failed zone transfers at servers running other DNS server implementations that replicate the zone.
This topic also describes:

How the caching Time to Live (TTL) and lookup time-out values are configured for use with the WINS and WINS-R records
The format of the WINS and WINS-R resource records as they are used in zone files that are created by the DNS Server service

WINS Lookup Interoperability


Typically, WINS lookup provides the best and most predictable results if only Windows DNS servers are used, and it is only available directly for use at Windows DNS
servers. There are ways, however, that you can use and benefit from WINS lookup as an interoperable solution when other DNS servers are deployed.
For example, consider adding a Windows DNS server that hosts a new WINS lookup-enabled zone. When you create and name the zone, use a subdomain that is added to
your existing DNS namespace that is used just for WINS-specific referrals that are added to your DNS domain namespace.
For instance, in sales.wingtiptoys.com, call the zone wins.sales.wingtiptoys.com when you create it. You can then use this new WINS referral zone as the root zone for any of
your WINS-aware computers that have names that are not found in your other traditional DNS zones.
To use the WINS referral zone, you must specify its domain name (wins.sales.wingtiptoys.com) in a DNS suffix search list for your clients. The suffix list is configurable as
part of the TCP/IP properties for a client connection, and it can be updated either manually, by using Dynamic Host Configuration Protocol (DHCP) or by using
Group Policy. As long as the name of the WINS referral zone is included in the domain suffix list, any DNS names that are not resolved in traditional zones can be resolved
by using the WINS referral subdomain.
Under normal conditions, this should result in recursion from your other DNS servers to the Windows DNS servers that host the WINS-enabled zone. If the queried host
names match NetBIOS computer names that are found in the WINS database, the names are resolved to the Internet Protocol (IP) addresses that are mapped in WINS data
there.
In our example, the WINS-enabled zone is used only for WINS lookup; therefore, no additional resource records need to be added to it. In general, WINS records can be
added to any forward lookup zone.
By using a specific subdomain just for WINS lookup and specifying a static DNS suffix list to be used in resolving and searching for names, you can prevent unusual
situations in which DNS queries for different fully qualified domain names (FQDNs) resolve to the same WINS client name and IP address. This might easily occur if you add
and configure many zones at each level of your namespace and enable each of them to use WINS lookup integration.
For example, suppose you have two zones, both configured to use WINS lookup. The zones are rooted and originate at the following DNS domain names:
sales1.wingtiptoys.com.
sales2.wingtiptoys.com.
With this configuration, a WINS client named HOST-A can be unintentionally resolved by using either of the following FQDNs:
host-a.sales1.wingtiptoys.com.
host-a.sales2.wingtiptoys.com.
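The resolution behaviour described above (a dedicated WINS referral subdomain placed in the client suffix search list, versus several sibling zones that are all WINS-enabled) can be modelled in a few lines. The following is an added example, not code from the original documentation: the zone contents, the WINS database entries and the simplified resolver are all constructed for illustration, using the wingtiptoys.com names from the text.

```python
"""Model of DNS suffix search with WINS lookup-enabled zones (added example).

Zones, WINS entries and the resolver are constructed for this illustration.
"""

# Constructed WINS database: NetBIOS name -> IP address
WINS_DB = {"HOST-A": "10.0.0.5", "HOST-B": "10.0.0.6"}

# Constructed zones: zone name -> {"a": {owner: ip}, "wins": has a WINS record}
ZONES = {
    "sales.wingtiptoys.com": {"a": {"www": "10.0.0.20"}, "wins": False},
    "wins.sales.wingtiptoys.com": {"a": {}, "wins": True},
    "sales1.wingtiptoys.com": {"a": {}, "wins": True},
    "sales2.wingtiptoys.com": {"a": {}, "wins": True},
}


def resolve_fqdn(fqdn, zones=ZONES, wins_db=WINS_DB):
    """Resolve a fully qualified name the way a WINS-enabled Windows DNS server would.

    The longest matching zone is authoritative. If it has no A record for the
    name and carries a WINS record, the leftmost label is looked up in WINS as
    a NetBIOS name. Returns (ip, source) or (None, None).
    """
    name = fqdn.rstrip(".").lower()
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None:
        return None, None
    relative = name[: -len(best) - 1] if name != best else "@"
    a_records = zones[best]["a"]
    if relative in a_records:
        return a_records[relative], "dns"
    # WINS lookup applies to single-label names directly under the zone root.
    if zones[best]["wins"] and "." not in relative and relative != "@":
        ip = wins_db.get(relative.upper())
        if ip is not None:
            return ip, "wins"
    return None, None


def resolve_with_suffix_list(short_name, suffix_list):
    """Try each suffix in order; return the first FQDN that resolves, its IP and source."""
    for suffix in suffix_list:
        fqdn = f"{short_name}.{suffix}"
        ip, source = resolve_fqdn(fqdn)
        if ip is not None:
            return fqdn, ip, source
    return None, None, None


def fqdns_resolving_to(short_name, zone_names):
    """Every FQDN built from short_name under the given zones that resolves.

    More than one hit for a single WINS client is the ambiguity the text warns about.
    """
    hits = []
    for zone in zone_names:
        fqdn = f"{short_name}.{zone}"
        ip, source = resolve_fqdn(fqdn)
        if ip is not None:
            hits.append((fqdn, ip, source))
    return hits


if __name__ == "__main__":
    # Traditional zone first, WINS referral zone last in the suffix list.
    suffixes = ["sales.wingtiptoys.com", "wins.sales.wingtiptoys.com"]
    print(resolve_with_suffix_list("www", suffixes))
    print(resolve_with_suffix_list("host-a", suffixes))
    # Two sibling zones both WINS-enabled: one WINS client answers under two FQDNs.
    print(fqdns_resolving_to("host-a", ["sales1.wingtiptoys.com", "sales2.wingtiptoys.com"]))
```

With the referral zone listed last, names that exist in the traditional zone are answered from DNS data and only unresolved names fall through to WINS under the single wins.sales.wingtiptoys.com suffix; with sales1 and sales2 both WINS-enabled, HOST-A is reachable under two different FQDNs.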

Advanced Parameters for WINS Lookups


The following two advanced timing parameters are used with the WINS and WINS-R records:

The Cache timeout value, which indicates to a DNS server how long it should cache any of the information that is returned in a WINS lookup. By default, this value is
set to 15 minutes.
The Lookup timeout value, which specifies how long to wait before timing out and expiring a WINS lookup that is performed by the DNS Server service. By default,
this value is set to two seconds.

You can configure these parameters by using the Advanced button in the zone properties dialog box when you configure the zone. This button appears on either the
WINS or WINS-R tab, depending on whether the zone that you are configuring is being used for forward lookup or reverse lookup.
If you are using either the WINS or WINS-R resource record, be aware that the minimum TTL that is set in the start-of-authority (SOA) record for the zone is not the default
TTL that is used with these records. Instead, when either an IP address or a host name is resolved with WINS lookup, the information is cached on the DNS server for the
amount of time that is configured for the WINS cache time-out value. If this address is then ever forwarded to another DNS server, the WINS cache time-out value TTL is
what is sent. If your WINS data rarely changes, you can increase the default TTL of 15 minutes.

Notes

If you have a zone that is configured for WINS lookup, all DNS servers that are authoritative for that zone need to be capable of WINS lookup or you will have
intermittent behavior.
Because you can specify that the WINS and WINS-R resource records not be replicated to other DNS servers, you can selectively enable and configure WINS lookup
at each of your secondary servers for zones where this feature is used. This is not a standard practice for other types of resource records, which are only to be
configured at the primary server for the zone.

For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform the following procedures:

1. Allow DNS to use WINS resolution
2. Verify that WINS is answering a DNS query

See Also
Other Resources
Deploying Domain Name System (DNS)

Allow DNS to use WINS resolution


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to enable Domain Name System (DNS) to use Windows Internet Name Service (WINS) name resolution. The specified WINS servers
that are configured in this procedure are used for final referral of names that are not found in the applicable zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To allow DNS to use WINS resolution
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Do one of the following:
If the applicable zone is a forward lookup zone, on the WINS tab, select the Use WINS forward lookup check box. In IP address, type the Internet Protocol
(IP) address of a WINS server to be used for resolution of names not found in DNS, and then click Add.
If the applicable zone is a reverse lookup zone, on the WINS-R tab, select the Use WINS-R lookup check box. In Domain to append to returned name, type
a name.
4. Select the Do not replicate this record check box for this WINS record, if applicable.
If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, select this check box. This prevents these records
from being replicated to these other servers during zone transfers. If this zone will be used in performing zone transfers to BIND servers, this is a critical option
because Berkeley Internet Name Domain (BIND) does not recognize WINS records.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Verify that WINS is answering a DNS query


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to verify that Windows Internet Name Service (WINS) is resolving a Domain Name System (DNS) query.
Normally, when a DNS server answers a query from its authoritative zone data, it uses the set minimum or default Time to Live (TTL) for the zone or the record-specific TTL
value (if one is configured). In so doing, TTLs are decreased in answers that the server returns if they are based on nonauthoritative data, such as a cached record at the
server.
WINS lookups present an exceptional case, in which an answer that is received back from a WINS server is cached by the DNS server but is also considered to be
authoritative data. In this case, the WINS sourced data is returned to clients as authoritative, but it ages while it is in the DNS server names cache, which causes the TTL that
is used by the server to decrease over time.
Administrative credentials
You do not need administrative credentials to perform this procedure. Therefore, as a security best practice, consider performing this procedure as a user without
administrative credentials.
To verify that WINS is answering a DNS query
1. At a command prompt, type the following command, and then press ENTER:
nslookup
2. At the nslookup (>) prompt, type the following command, and then press ENTER:
set debug
3. Next, either type:
set querytype=a
if you are testing for a WINS forward lookup, or:
set querytype=ptr
if you are testing for a WINS-R reverse lookup, and then press ENTER.
Respectively, these two commands can be used to set the query type to filter either by host address (A) or pointer (PTR) resource records as appropriate for
researching either a forward lookup or a reverse lookup.
4. Based on whether you are verifying possible WINS sourcing for either a forward lookup or a reverse lookup, type the appropriate fully qualified domain name
(FQDN).
For example, if the forward lookup that you are tracing is for a domain name host-a.sales.wingtiptoys.com, type:
host-a.sales.wingtiptoys.com.
If the reverse lookup that you are tracing is for an Internet Protocol (IP) address 10.0.0.1, type:
1.0.0.10.in-addr.arpa.
5. In the response, note whether the server answered authoritatively or nonauthoritatively, and note the TTL value.
6. If the server answered authoritatively, repeat the same query that you performed in step 4.
7. In the response, note whether the TTL value decreased with the second query answer or if it remained consistent with the TTL value that was specified in the first
query answer.
If the TTL value decreased for an authoritatively answered query, the source of the query answer is a WINS server.
8. To leave debug mode and return to the command prompt, type exit, and then press ENTER.

Value and description:

set debug
    Enables the nslookup command to operate in debug mode, providing extended information in the command output. This mode is required to view query response information about whether the source for a query answer is:
    Authoritative (from a DNS zone or a WINS server database)
    Nonauthoritative (cached data from previous queries made by the DNS server or loaded from root hints)

set querytype
    Changes the type of information query. More information about types can be found in Request for Comments (RFC) 1035.
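The two facts this procedure relies on, that WINS-sourced answers are cached for the WINS cache time-out (described under Advanced Parameters for WINS Lookups above) yet returned as authoritative, and that only such answers show a shrinking TTL while still authoritative, can be modelled to see why the check works. The following is an added example, not code from the original documentation or from nslookup: it is a toy DNS server whose zone data, WINS entries, upstream data and timings are constructed for illustration, with the classification rule of the procedure applied to two answers taken 30 seconds apart.

```python
"""Toy DNS server showing how WINS-sourced answers age (added example).

Zone data, WINS entries, upstream answers and timings are constructed.
"""
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    ip: str
    ttl: int             # seconds remaining, as returned to the client
    authoritative: bool


class ToyDnsServer:
    def __init__(self, zone, a_records, soa_min_ttl, wins_db,
                 wins_cache_timeout=15 * 60, upstream=None):
        self.zone = zone                              # zone this server is authoritative for
        self.a_records = a_records                    # owner -> (ip, record TTL or None)
        self.soa_min_ttl = soa_min_ttl                # default TTL from the SOA record
        self.wins_db = wins_db                        # NetBIOS name -> ip (WINS lookup on)
        self.wins_cache_timeout = wins_cache_timeout  # "Cache timeout" on the WINS tab
        self.upstream = upstream or {}                # names answered by recursion
        self.cache = {}                               # fqdn -> (ip, expires_at, authoritative)

    def _relative(self, name):
        """Owner name relative to the zone, or None if the name is outside the zone."""
        if name == self.zone:
            return ""
        if name.endswith("." + self.zone):
            return name[: -len(self.zone) - 1]
        return None

    def query(self, fqdn, now):
        name = fqdn.rstrip(".").lower()
        rel = self._relative(name)
        # 1. Zone data: authoritative, and the TTL never ages.
        if rel is not None and rel in self.a_records:
            ip, ttl = self.a_records[rel]
            return Answer(name, ip, ttl if ttl is not None else self.soa_min_ttl, True)
        # 2. Cached data (WINS-sourced or recursion): the TTL counts down.
        cached = self.cache.get(name)
        if cached is not None:
            ip, expires_at, authoritative = cached
            if expires_at > now:
                return Answer(name, ip, expires_at - now, authoritative)
            del self.cache[name]
        # 3. WINS lookup for single-label names under the zone root.
        if rel is not None:
            if rel and "." not in rel and rel.upper() in self.wins_db:
                ip = self.wins_db[rel.upper()]
                # Cached for the WINS cache timeout, but still marked authoritative.
                self.cache[name] = (ip, now + self.wins_cache_timeout, True)
                return Answer(name, ip, self.wins_cache_timeout, True)
            return None
        # 4. Recursion: nonauthoritative, cached with the upstream TTL.
        if name in self.upstream:
            ip, ttl = self.upstream[name]
            self.cache[name] = (ip, now + ttl, False)
            return Answer(name, ip, ttl, False)
        return None


def classify_source(first, second):
    """The rule from the procedure: authoritative plus a shrinking TTL means WINS."""
    if first is None or second is None:
        return "unresolved"
    if not first.authoritative:
        return "cache"
    if second.ttl < first.ttl:
        return "wins"
    return "zone"


def probe(server, fqdn, t0=0, delay=30):
    """Query twice, `delay` seconds apart, and classify where the answer came from."""
    first = server.query(fqdn, t0)
    second = server.query(fqdn, t0 + delay)
    return classify_source(first, second)


def build_demo_server():
    return ToyDnsServer(
        zone="sales.wingtiptoys.com",
        a_records={"www": ("10.0.0.20", None), "host-b": ("10.0.0.21", 600)},
        soa_min_ttl=3600,
        wins_db={"HOST-A": "10.0.0.5"},
        upstream={"www.example.com": ("203.0.113.10", 300)},
    )


if __name__ == "__main__":
    srv = build_demo_server()
    for name in ("host-a.sales.wingtiptoys.com", "www.sales.wingtiptoys.com",
                 "www.example.com", "nobody.sales.wingtiptoys.com"):
        print(name, probe(srv, name))
```

Raising the WINS cache time-out, as the text suggests for rarely changing WINS data, only changes the starting TTL of the WINS-sourced answer; the answer still ages, so the check remains valid.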


Managing DNS Resource Records


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks for managing Domain Name System (DNS) resource records are described in this objective:
Adding, Changing, and Deleting Resource Records
Disable NS resource record registration
Allow NS resource record creation for domain controllers
Restrict the DNS resource records that are updated by Netlogon


Adding, Changing, and Deleting Resource Records


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
After you create a zone, additional resource records must be added to it. The most common resource records include the following:

Host address (A). Maps a Domain Name System (DNS) domain name to an Internet Protocol (IP) address that is used by a computer.
Alias canonical (CNAME). Maps an alias DNS domain name to another primary name or canonical name.
Mail Exchanger (MX). Maps a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR). Maps a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
Service (SRV). Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
Other resource records, as needed.

Host A Resource Records


Host A resource records are used in a zone to associate DNS domain names of computers (or "hosts") to their IP addresses. These resource records can be added to a
zone in several ways:

You can create an A resource record for a static TCP/IP client computer manually by using the DNS snap-in.
Windows clients and servers use the DHCP Client service to dynamically register and update their own A resource records in DNS when an IP configuration change
occurs.
Dynamic Host Configuration Protocol (DHCP)-enabled client computers running earlier versions of Microsoft operating systems can have their A resource records registered and updated by proxy if they obtain their IP lease from a qualified DHCP server. (Only the Windows 2000 and Windows Server 2003 DHCP Server service currently supports this feature.)

The host A resource record is not required for all computers, but it is required by computers that share resources on a network. Any computer that shares resources and
needs to be identified by its DNS domain name must use A resource records to provide DNS name resolution to the IP address for the computer.
Most A resource records that are required in a zone can include other workstations or servers that share resources, other DNS servers, mail servers, and Web servers.
These resource records make up the majority of resource records in a zone database.

Alias CNAME Resource Records


Alias CNAME resource records are also sometimes called canonical name resource records. With these records, you can use more than one name to point to a single host, making it easy to do such things as host both a File Transfer Protocol (FTP) server and a Web server on the same computer. For example, the well-known server names (ftp, www) are registered by using CNAME resource records that map to the DNS host name (for example, server1) for the server computer that hosts these services.
CNAME resource records are recommended for use in the following scenarios:

When a host that is specified in an A resource record in the same zone needs to be renamed
When a generic name for a well-known server, such as www, must resolve to a group of individual computers (each with individual A resource records) that provide
the same service, for example, a group of redundant Web servers

When you rename a computer with an existing A resource record in the zone, you can use a CNAME resource record temporarily to allow a grace period for users and
programs to switch from specifying the old computer name to using the new one. To do this, you need the following:

For the new DNS domain name of the computer, a new A resource record is added to the zone.
For the old DNS domain name, a CNAME resource record is added that points to the new A resource record.
The original A resource record for the old DNS domain name (and its associated PTR resource record, if applicable) is removed from the zone.

When you use a CNAME resource record for aliasing or renaming a computer, set a temporary limit on how long the record is used in the zone before it is removed from
DNS. If you forget to delete the CNAME resource record and later its associated A resource record is deleted, the CNAME resource record can waste server resources by
trying to resolve queries for a name that is no longer used on the network.
The most common or popular use of a CNAME resource record is to provide a permanent, DNS-aliased domain name for generic name resolution of a service-based
name, such as www.sales.wingtiptoys.com, to more than one computer or one IP address that is used in a Web server. For example, the following shows the basic syntax of
how a CNAME resource record is used:
alias_name IN CNAME primary_canonical_name
In this example, a computer named host-a.sales.wingtiptoys.com must function as both a Web server named www.sales.wingtiptoys.com. and an FTP server named
ftp.sales.wingtiptoys.com. To achieve the intended use for naming this computer, you can add and use the following CNAME entries in the sales.wingtiptoys.com zone:

host-a    IN    A        10.0.0.20
ftp       IN    CNAME    host-a
www       IN    CNAME    host-a

If you later decide to move the FTP server to another computer, separate from the Web server on host-a, simply change the CNAME resource record in the zone for
ftp.sales.wingtiptoys.com and add an additional A resource record to the zone for the new computer hosting the FTP server.
Based on the earlier example, if the new computer is named host-b.sales.wingtiptoys.com, the new and revised A and CNAME resource records are as follows:

host-a    IN    A        10.0.0.20
host-b    IN    A        10.0.0.21
ftp       IN    CNAME    host-b
www       IN    CNAME    host-a

MX Resource Records
The MX resource record is used by e-mail applications to locate a mail server based on a DNS domain name that is used in the destination address for the e-mail
recipient of a message. For example, a DNS query for the name sales.wingtiptoys.com can be used to find an MX resource record, which enables an e-mail application to
forward or exchange mail to a user with the e-mail address user@wingtiptoys.com.
The MX resource record shows the DNS domain name for the computer or computers that process e-mail for a domain. If multiple MX resource records exist, the DNS
Client service attempts to contact e-mail servers in the order of preference from lowest value (highest priority) to highest value (lowest priority). The following shows the
basic syntax for use of an MX resource record:
mail_domain_name IN MX preference mailserver_host
By using the MX resource records shown below in the sales.wingtiptoys.com zone, e-mail that is addressed to user@sales.wingtiptoys.com is delivered to
user@mailserver0.sales.wingtiptoys.com first, if possible. If this server is unavailable, the resolver client can then use user@mailserver1.sales.wingtiptoys.com instead.

@    IN    MX    1    mailserver0
@    IN    MX    2    mailserver1

Note that the use of the "at" symbol (@) in the records indicates that the mailer DNS domain name is the same as the name of origin (sales.wingtiptoys.com) for the zone.
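The CNAME and MX sections above describe constraints an administrator has to keep true by hand: a CNAME left behind after its A record is deleted wastes server resources, an MX target must resolve to an A record in the zone, and mailers try MX hosts from the lowest preference value upward. The following added example (not code from the original documentation) parses the one-record-per-line syntax used in this topic and applies those checks to the zone before and after the FTP move, plus a constructed failure case in which host-a's A record was deleted but its CNAME was not. The mailserver0 and mailserver1 A records and all IP addresses other than those in the text are constructed.

```python
"""Parse and check A, CNAME and MX records in the syntax used above (added example).

The zone text below is constructed from the examples in this topic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str     # name relative to the zone origin, "@" for the origin itself
    rtype: str     # A, CNAME or MX
    rdata: tuple   # ("10.0.0.20",), ("host-a",), or (preference, "mailserver0")


def parse_zone(text):
    """Parse lines of the form 'owner IN TYPE rdata...' into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        owner, _, rtype, *rdata = fields
        rtype = rtype.upper()
        if rtype == "A" and len(rdata) == 1:
            records.append(Record(owner.lower(), rtype, (rdata[0],)))
        elif rtype == "CNAME" and len(rdata) == 1:
            records.append(Record(owner.lower(), rtype, (rdata[0].lower(),)))
        elif rtype == "MX" and len(rdata) == 2:
            pref = int(rdata[0])
            if not 0 <= pref <= 65535:              # range given in the MX procedure
                raise ValueError(f"MX preference out of range: {line!r}")
            records.append(Record(owner.lower(), rtype, (pref, rdata[1].lower())))
        else:
            raise ValueError(f"malformed {rtype} record: {line!r}")
    return records


def check_zone(records):
    """Return a list of problems; an empty list means the zone passes the checks."""
    a_owners = {r.owner for r in records if r.rtype == "A"}
    cname_owners = {r.owner for r in records if r.rtype == "CNAME"}
    problems = []
    for r in records:
        if r.rtype == "CNAME":
            target = r.rdata[0]
            if r.owner in a_owners:
                problems.append(f"{r.owner}: CNAME cannot coexist with an A record at the same name")
            if target in cname_owners:
                problems.append(f"{r.owner}: CNAME points at another CNAME ({target})")
            elif target not in a_owners:
                problems.append(f"{r.owner}: dangling CNAME, no A record for {target}")
        elif r.rtype == "MX":
            target = r.rdata[1]
            if target not in a_owners:
                problems.append(f"{r.owner}: MX target {target} has no A record in this zone")
    return problems


def mail_servers(records, owner="@"):
    """MX hosts for `owner` in the order a mailer tries them (lowest preference first)."""
    mx = [r.rdata for r in records if r.rtype == "MX" and r.owner == owner]
    return [host for _, host in sorted(mx)]


# Constructed from the text: the zone before moving FTP, with the MX records and
# constructed A records for the two mail servers.
ZONE_BEFORE = """
host-a      IN  A      10.0.0.20
ftp         IN  CNAME  host-a
www         IN  CNAME  host-a
@           IN  MX     1  mailserver0
@           IN  MX     2  mailserver1
mailserver0 IN  A      10.0.0.30
mailserver1 IN  A      10.0.0.31
"""

# Constructed from the text: the zone after moving FTP to host-b.
ZONE_AFTER = """
host-a      IN  A      10.0.0.20
host-b      IN  A      10.0.0.21
ftp         IN  CNAME  host-b
www         IN  CNAME  host-a
"""

# Constructed failure case: host-a's A record was deleted but its CNAME was not.
ZONE_DANGLING = """
host-b      IN  A      10.0.0.21
ftp         IN  CNAME  host-b
www         IN  CNAME  host-a
"""

if __name__ == "__main__":
    for label, text in (("before", ZONE_BEFORE), ("after", ZONE_AFTER), ("dangling", ZONE_DANGLING)):
        print(label, check_zone(parse_zone(text)) or "ok")
    print(mail_servers(parse_zone(ZONE_BEFORE)))
```

Running the checks against an exported zone before and after a rename is a cheap way to catch the forgotten-CNAME case the text describes, instead of discovering it from failed lookups later.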

PTR Resource Records


PTR resource records are used to support the reverse lookup process, based on zones that are created and rooted in the in-addr.arpa domain. These records are used to
locate a computer by its IP address and to resolve this information to the DNS domain name for that computer.
PTR resource records can be added to a zone in several ways:

You can create a PTR resource record for a static TCP/IP client computer manually by using DNS, either as a separate procedure or as part of the procedure for
creating an A resource record.
Computers use the DHCP Client service to dynamically register and update their PTR resource record in DNS when an IP configuration change occurs.
All other DHCP-enabled client computers can have their PTR resource records registered and updated by the DHCP server if they obtain their IP lease from a
qualified server. The Windows 2000 and Windows Server 2003 DHCP Server service provides this capability.

The PTR resource record is used only in reverse lookup zones to support reverse lookup.

SRV Resource Records


To locate Active Directory domain controllers, SRV resource records are required. Typically, you can avoid manual administration of the SRV resource record when you
install Active Directory.
By default, the Active Directory Installation Wizard attempts to locate a DNS server based on the list of preferred or alternate DNS servers, which are configured in any of
its TCP/IP client properties, for any of its active network connections. If a DNS server that can accept dynamic update of the SRV resource record (and other resource
records that are related to registering Active Directory as a service in DNS) is contacted, the configuration process is complete.
If, during the installation, a DNS server that can accept updates for the DNS domain name that is used to name your Active Directory domain is not found, the wizard can
install a DNS server locally and automatically configure it with a zone to support the Active Directory domain.
For example, if the Active Directory domain that you choose for your first domain in the forest is sales.wingtiptoys.com, a zone that is rooted at the DNS domain name of
sales.wingtiptoys.com is added and configured to use with the DNS server that is running on the new domain controller.
Whether or not you install the DNS Server service locally, a file (Netlogon.dns) is written and created during the Active Directory installation process that contains the SRV
resource records and other resource records that are necessary to support the use of Active Directory. This file is created in the systemroot\System32\Config folder.
If you are using a DNS server that fits one of the following scenarios, use the records in Netlogon.dns to manually configure the primary zone on that server to support
Active Directory:

1. The computer that operates your DNS server is running on another platform, such as UNIX, and it cannot accept or recognize dynamic updates.
2. A DNS server at this computer that does not use the DNS Server service that is provided with Windows Server 2003 is authoritative for the primary zone that
corresponds to the DNS domain name for your Active Directory domain.
3. The DNS server supports the SRV resource record, as defined in the Internet draft "A DNS RR specifying the location of services (DNS SRV)," but the DNS server
does not support dynamic updates.
For example, the DNS Server service that is provided with Windows NT Server 4.0, when it is updated to Service Pack 4 or later, fits this description.

In the future, the SRV resource record might also be used to register and look up other well-known TCP/IP services on your network if applications implement and support
DNS name queries that specify this record type.

Other Resource Records


Other additional resource records are supported by Windows Server 2003 DNS, and they are used less frequently in most zones. You can add these additional types of
resource records as needed by using the DNS snap-in.
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Add an A resource record to a zone
Add an MX resource record to a zone
Add a CNAME resource record to a zone
Add a PTR resource record to a reverse zone
Add a resource record to a DNS zone
Add a domain to a zone
Modify an existing resource record
Delete a resource record
View unsupported resource records


Add an A resource record to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a host address (A) resource record to a zone. Pointer (PTR) resource records that are created automatically when you add an
A resource record to a zone are deleted automatically if the corresponding A resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding an A resource record to a zone


Using the Windows interface
Using the command line

To add an A resource record to a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Host (A).
3. In Name, type the Domain Name System (DNS) computer name for the new host.
4. In IP address, type the Internet Protocol (IP) address for the new host.
5. As an option, select the Create associated pointer (PTR) record check box to create an additional PTR resource record in a reverse zone for this host, based on
the information that you enter in Name and IP address.
6. Click Add Host to add the new host (A) resource record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an A resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress

Value and description:

ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd
    Required. Adds a new resource record.

ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName
    Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.

/Aging
    Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

/OpenAcl
    Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl
    Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.

A
    Required. Specifies the resource record type of the record that you are adding.

IPAddress
    Required. The IP address for the host.


Add an MX resource record to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a mail exchanger (MX) resource record to a zone. You can perform this procedure by using the DNS snap-in or by using the
Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding an MX resource record to a zone


Using the Windows interface
Using the command line

To add an MX resource record to a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Mail Exchanger (MX).
3. In Host or child domain, type the domain name for which this record is to be used to deliver mail.
4. In Mail server, type the Domain Name System (DNS) host computer name of the mail exchanger or mail server host that delivers mail for the specified domain
name.
As an option, you can click Browse to view the DNS namespace for mail exchanger hosts in this domain that have host (A) records already defined.
5. Adjust the value in Mail server priority as needed for this zone.
6. Click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an MX resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] MX Preference MXServerName

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.).

/RecordAdd

Adds a new resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.

/Aging

Marks the resource record as eligible for aging and scavenging. Without this parameter the record is static: it stays in the DNS database until
it is updated or removed manually.

Ttl

Specifies the Time to Live (TTL) setting for the resource record.

MX

Required. Specifies the MX resource record type for the record that you are adding.

Preference

Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail
exchange servers. Lower numbers are given greater preference.

MXServerName

Required. Specifies the FQDN of a mail exchanger. The name must have a corresponding host (A) resource record in this zone; do not point an
MX record at an alias (CNAME).

2014 Microsoft. All rights reserved.

Add a CNAME resource record to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add an alias canonical (CNAME) resource record to a zone. You can perform this procedure by using the DNS snap-in or by using
the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a CNAME resource record to a zone

To add a CNAME resource record to a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Alias (CNAME).
3. In Alias name, type the alias name.
4. In Fully qualified domain name (FQDN) for target host, type the FQDN of the Domain Name System (DNS) host computer for which this alias is to be used.
As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host address (A) records already defined.
5. Click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a CNAME resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME HostName|DomainName

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd

Adds a new resource record.

ZoneName

Required. Specifies the name of the zone where this CNAME resource record will be added.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @,
which specifies the zone's root node.

/Aging

Specifies that this resource record is aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.

/OpenAcl

Specifies that the new record can be modified by any user. Without this parameter, only administrators can modify the new record. Use
/OpenAcl only for records that clients are deliberately expected to maintain: an alias that any user can rewrite can be pointed at a host of
that user's choosing.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource
record.

CNAME

Required. Specifies the resource record type of the record that you are adding.

HostName|DomainName

Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully
qualify the name.


Add a PTR resource record to a reverse zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a pointer (PTR) resource record to a reverse zone. When you create a new address (A) resource record, there is an option to
create an associated PTR resource record automatically. PTR resource records that are created automatically during the addition of an A resource record to a zone are
deleted automatically if the corresponding A resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a PTR resource record to a reverse zone

To add a PTR resource record to a reverse zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable reverse lookup zone.
3. On the Action menu, click New Pointer (PTR).
4. In Host IP number, type the part of the host's Internet Protocol (IP) address that the reverse lookup zone name does not already cover (for a zone named 2.1.10.in-addr.arpa, the last octet).
5. In Host name, type the fully qualified domain name (FQDN) for the DNS host computer for which this pointer record is to be used to provide reverse lookup
(address-to-name resolution).
As an option, you can click Browse to search the Domain Name System (DNS) namespace for hosts in this domain that have host address (A) records already
defined.
6. Click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a PTR resource record to a reverse zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR HostName|DomainName

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).

/RecordAdd

Adds a new resource record.

ZoneName

Required. Specifies the FQDN of the zone where this new PTR resource record will be added.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @,
which specifies the zone's root node.

/Aging

Marks the resource record as eligible for aging and scavenging. Without this parameter the record is static: it stays in the DNS database
until it is updated or removed manually.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.

Ttl

Specifies the Time to Live (TTL) setting for the resource record.

PTR

Required. Specifies the resource record type for the record that you are adding.

HostName|DomainName

Required. Specifies the FQDN of a resource record that is located in the DNS namespace. The host that you specify is used as the data
for answering reverse lookups based on the address information that is specified by this PTR resource record.


Add a resource record to a DNS zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a resource record to a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a resource record to a zone

To add a resource record to a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Other New Records.
3. In Select a resource record type, select the type of resource record that you want to add.
4. Click Create Record.
5. In New Resource Record, enter the information necessary to complete the resource record.
6. After you specify all the necessary information for the resource record, click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd

Required. Adds a new resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.

/Aging

Marks the resource record as eligible for aging and scavenging. Without this parameter the record is static: it stays in the DNS database until it
is updated or removed manually.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

Ttl

Specifies the Time to Live (TTL) setting for the resource record.

RRType RRData

Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record, in the form shown for each type:

Resource record type                 Resource record data
A                                    IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR   HostName|DomainName
MX, RT, AFSDB                        Preference ServerName
SRV                                  Priority Weight Port HostName
SOA                                  PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                                 Ipv6Address
TXT, X25, HINFO, ISDN                String [String]
MINFO, RP                            MailboxName ErrMailboxName
WKS                                  Protocol IPAddress Service...
WINS                                 MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                                MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress

Specifies a standard IP address, for example, 255.255.255.255.

ipv6Address

Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.

Protocol

Specifies the transmission protocol: UDP or TCP.

Service

Specifies a standard service, for example, domain, smtp.

HostName|DomainName

Specifies the FQDN of a resource record that is located in the DNS namespace.
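The following script is an added example that serves the MX, CNAME, PTR and generic record procedures above; it is not part of the original procedures and not a Microsoft tool. It wraps dnscmd /RecordAdd with the checks an operator would otherwise make by hand: the MX target must already have an A record in the zone, a node that is already an alias (CNAME) must not also receive an A record, and an A record gets its PTR record in the same step so that reverse lookups stay consistent with forward ones. It assumes that dnscmd.exe is available, that reverse lookup zones are delegated per /24 network (z.y.x.in-addr.arpa), and that dnscmd /EnumRecords prints one record per line with the record type as a separate token (for example "@ 3600 A 10.1.2.3"). The function names and the zone, host and address values in the usage lines are hypothetical. /OpenAcl is deliberately never passed: a record that any user can rewrite can be repointed at a host the user controls.

```powershell
# Added example, not Microsoft code. Assumes dnscmd.exe on the path and /24 reverse zones.

function Invoke-Dnscmd {
    # Runs dnscmd with the given arguments and throws on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $($out -join ' ')"
    }
    $out
}

function Test-DnsRecordExists {
    # True when $Node in $Zone holds at least one record of $Type.
    # Assumes /EnumRecords output lines such as "@ 3600 A 10.1.2.3".
    param([string]$Server, [string]$Zone, [string]$Node, [string]$Type)
    $out = & dnscmd.exe $Server /EnumRecords $Zone $Node /Type $Type 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }   # no such node, or no records of that type
    return (@($out | Where-Object { "$_" -match "\s$Type\s" })).Count -gt 0
}

function Add-MxRecordChecked {
    param(
        [string]$Server = '.',
        [Parameter(Mandatory)][string]$Zone,
        [string]$Node = '@',
        [ValidateRange(0, 65535)][int]$Preference = 10,
        [Parameter(Mandatory)][string]$MailHost
    )
    # Node name relative to the zone, as the NodeName parameter allows.
    $relative = $MailHost -replace ('\.' + [regex]::Escape($Zone) + '\.?$'), ''
    if (-not (Test-DnsRecordExists $Server $Zone $relative 'A')) {
        throw "$MailHost has no A record in $Zone; add it first, or mail for the domain cannot be delivered"
    }
    Invoke-Dnscmd @($Server, '/RecordAdd', $Zone, $Node, 'MX', $Preference, "$MailHost.") | Out-Null
}

function Add-HostWithPtr {
    param(
        [string]$Server = '.',
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][ipaddress]$Address,
        [int]$Ttl = 3600
    )
    if ($Address.AddressFamily -ne 'InterNetwork') { throw 'This example handles IPv4 only' }
    if (Test-DnsRecordExists $Server $Zone $HostName 'CNAME') {
        throw "$HostName is an alias (CNAME); a node cannot carry both a CNAME and an A record"
    }
    # Reverse zone and node for a /24 delegation: 10.1.2.3 -> zone 2.1.10.in-addr.arpa, node 3.
    $o = $Address.GetAddressBytes()
    $reverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
    Invoke-Dnscmd @($Server, '/RecordAdd', $Zone, $HostName, $Ttl, 'A', $Address.IPAddressToString) | Out-Null
    Invoke-Dnscmd @($Server, '/RecordAdd', $reverseZone, $o[3], $Ttl, 'PTR', "$HostName.$Zone.") | Out-Null
    # Read both back: a PTR that did not land only shows up later, in failed reverse lookups.
    [pscustomobject]@{
        Forward     = Test-DnsRecordExists $Server $Zone $HostName 'A'
        Reverse     = Test-DnsRecordExists $Server $reverseZone $o[3] 'PTR'
        ReverseZone = $reverseZone
    }
}

# Usage (hypothetical zone, host and address):
# Add-HostWithPtr -Zone contoso.com -HostName mail1 -Address 10.1.2.3
# Add-MxRecordChecked -Zone contoso.com -Preference 10 -MailHost mail1.contoso.com
```

Run the script on the DNS server (or pass -Server with the name of a remote DNS server) under an account that is allowed to perform the procedures above. The A record is written before the PTR record on purpose: if the reverse zone is missing, the forward record is still in place and the returned object reports Reverse as False, which is the condition to fix rather than to retry blindly.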


Add a domain to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a new domain to a zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To add a domain to a zone
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click New Domain, and then type the name of the new domain as a single label, without periods. The domain is created as a subdomain of the selected zone.
4. Click OK to add the new domain to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Modify an existing resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify an existing resource record in a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd
command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying an existing resource record

To modify an existing resource record using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to modify, and then click Properties.
4. In Properties, edit the properties that can be modified.
If necessary, you can view and modify advanced resource record properties with the DNS snap-in. To display advanced properties, on the View menu, click
Advanced.
5. When you have finished modifying the record, click OK.

Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
Dnscmd has no separate command for changing a record. At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
For record types that allow several records on the same node (for example, A, MX, or SRV), /RecordAdd adds a record beside the existing one rather than changing it. To change such a record, delete the old record with /RecordDelete and then add the new one.

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd

Required. Adds a new resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.

/Aging

Marks the resource record as eligible for aging and scavenging. Without this parameter the record is static: it stays in the DNS database until it
is updated or removed manually.

/OpenAcl

Specifies that the new record can be modified by any user. Without this parameter, only administrators can modify the new record.

Ttl

Specifies the Time to Live (TTL) setting for the resource record.

RRType RRData

Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record, in the form shown for each type:

Resource record type                 Resource record data
A                                    IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR   HostName|DomainName
MX, RT, AFSDB                        Preference ServerName
SRV                                  Priority Weight Port HostName
SOA                                  PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                                 Ipv6Address
TXT, X25, HINFO, ISDN                String [String]
MINFO, RP                            MailboxName ErrMailboxName
WKS                                  Protocol IPAddress Service...
WINS                                 MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                                MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress

Specifies a standard IP address, for example, 255.255.255.255.

ipv6Address

Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.

Protocol

Specifies the transmission protocol: UDP or TCP.

Service

Specifies a standard service, for example, domain, smtp.

HostName|DomainName

Specifies the FQDN of a resource record that is located in the DNS namespace.


Delete a resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to delete a resource record from a zone. Pointer (PTR) resource records are deleted automatically if the corresponding address (A)
resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Deleting a resource record

To delete a resource record using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to delete, and then click Delete.
4. When you are asked to confirm that you want to delete the selected resource record, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordDelete

Required. Deletes a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies
the zone's root node.

RRType RRData

Required. Specifies the type of resource record to delete, followed by the data of that record, in the form shown for each type. Specify the data exactly as the record holds it; when the node holds several records of the type, the data identifies which one to remove.

Resource record type                 Resource record data
A                                    IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR   HostName|DomainName
MX, RT, AFSDB                        Preference ServerName
SRV                                  Priority Weight Port HostName
SOA                                  PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                                 Ipv6Address
TXT, X25, HINFO, ISDN                String [String]
MINFO, RP                            MailboxName ErrMailboxName
WKS                                  Protocol IPAddress Service...
WINS                                 MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                                MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress

Specifies a standard IP address, for example, 255.255.255.255.

ipv6Address

Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.

Protocol

Specifies the transmission protocol: UDP or TCP.

Service

Specifies a standard service, for example, domain, smtp.

HostName|DomainName

Specifies the FQDN of a resource record that is located in the DNS namespace.

/f

Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion
of the resource record.
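The following script is an added example for the modify and delete procedures above; it is not part of the original procedures and not a Microsoft tool. Because dnscmd has no verb that changes a record in place, and /RecordAdd on a node that already holds a record of a repeatable type (A, MX, SRV and most others) adds a second record beside it, the function replaces a record by deleting the exact old record with /RecordDelete, adding the new one, and verifying the result. It reports the one sequence that leaves the node without the record (delete succeeded, add failed) instead of hiding it. It assumes dnscmd.exe is available and that /EnumRecords prints records as "<node> [Aging:n] <ttl> <type> <data>", with data written as dnscmd displays it (for example "10 mail1.contoso.com."). Function names and the zone and host names in the usage line are hypothetical.

```powershell
# Added example, not Microsoft code. Assumes dnscmd.exe on the path.

function Invoke-Dnscmd {
    # Runs dnscmd with the given arguments and throws on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $($out -join ' ')"
    }
    $out
}

function Get-DnsRecordData {
    # Data fields of every $Type record at $Node, with whitespace normalised to single spaces.
    # Assumes /EnumRecords lines such as "@ 3600 MX 10 mail1.contoso.com." or
    # "www [Aging:3605017] 1200 A 10.1.2.3".
    param([string]$Server, [string]$Zone, [string]$Node, [string]$Type)
    $out = & dnscmd.exe $Server /EnumRecords $Zone $Node /Type $Type 2>&1
    if ($LASTEXITCODE -ne 0) { return @() }
    foreach ($line in $out) {
        if ("$line" -match "^\S*\s+(?:\[[^\]]*\]\s+)?\d+\s+$Type\s+(.+?)\s*$") {
            ($Matches[1] -replace '\s+', ' ')
        }
    }
}

function Set-DnsRecord {
    param(
        [string]$Server = '.',
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Node,
        [Parameter(Mandatory)][string]$Type,
        [Parameter(Mandatory)][string]$OldData,
        [Parameter(Mandatory)][string]$NewData,
        [int]$Ttl = 3600
    )
    $old = $OldData.Trim() -replace '\s+', ' '
    $new = $NewData.Trim() -replace '\s+', ' '
    $before = @(Get-DnsRecordData $Server $Zone $Node $Type)
    if ($before -notcontains $old) {
        throw "No $Type record '$old' at $Node in $Zone (present: $($before -join '; '))"
    }
    # RRData is passed token by token, exactly as it would be typed on the command line.
    Invoke-Dnscmd (@($Server, '/RecordDelete', $Zone, $Node, $Type) + ($old -split ' ') + '/f') | Out-Null
    try {
        Invoke-Dnscmd (@($Server, '/RecordAdd', $Zone, $Node, $Ttl, $Type) + ($new -split ' ')) | Out-Null
    } catch {
        throw "Deleted '$old' but adding '$new' failed; $Node in $Zone now has no such $Type record. $_"
    }
    $after = @(Get-DnsRecordData $Server $Zone $Node $Type)
    if ($after -notcontains $new) { throw "Verification failed; records now: $($after -join '; ')" }
    $after
}

# Usage (hypothetical): move the zone's mail exchanger from mail1 to mail2.
# Set-DnsRecord -Zone contoso.com -Node '@' -Type MX -OldData '10 mail1.contoso.com.' -NewData '10 mail2.contoso.com.'
```

The pre-check against the enumerated records is what makes the delete safe: /RecordDelete with /f asks no questions, so the script confirms that the record it is about to remove is the one the operator named before it runs the command.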


View unsupported resource records


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to view unsupported resource records in a zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To view unsupported resource records
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the record that you want to view, and then click Properties.
4. In Properties, view properties that are specific to this record.
5. When you have finished viewing the record, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Disable NS resource record registration


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following procedure stops a DNS server from automatically adding a name server (NS) resource record for itself to the zones for which it is
authoritative. Use it when only selected domain controllers should be listed as name servers for Active Directory-integrated zones. You can perform
this procedure by using the Registry Editor or by using the Dnscmd command-line tool.
To configure the Domain Name System (DNS) server to automatically add NS resource records corresponding to itself when loading a zone, you can assign a value of 0x0
to the registry key or enter no value (the default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.
If you configure the registry to prevent the DNS server from registering NS resource records for its authoritative zones, the NS resource records that
the server previously added for itself in those zones are deleted automatically.
Regardless of the settings of these registry entries, query responses that are sent to DNS clients from the authoritative DNS server will indicate that the responses are from
an authoritative DNS server.
The registry key entry that is described in this procedure does not exist by default. It must be created and configured according to this procedure.

Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Disabling NS resource record registration

To disable NS resource record registration using the Windows interface
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following REG_DWORD value:
DisableNSRecordsAutoCreation
4. Assign a value of 0x1.
The REG_DWORD value is a local DNS server setting, and it applies to DNS zones for which this DNS server is authoritative.

Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
To disable NS resource record registration using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1

Value

Description

ServerName

Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).

/DisableNSRecordsAutoCreation

Determines the local DNS server configuration for registering NS resource records for authoritative zones.

0x1

Specifies that the DNS server that is specified in ServerName should not add NS resource records for authoritative zones.
To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.


Allow NS resource record creation for domain controllers


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to allow name server (NS) resource record creation for specific domain controllers. It applies to domain controller
NS resource records in Active Directory-integrated Domain Name System (DNS) zones that are hosted on DNS servers configured not to add these resource
records for their authoritative zones.
Administrative credentials
To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using the
Run as command to perform this procedure.
To allow NS resource record creation for specific domain controllers
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation IpAddresses...

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

/AllowNSRecordsAutoCreation

Required. Specifies that domain controllers that are entered for Value add their names to NS resource records for the zone
that is specified in ZoneName. NS resource records that were previously registered for this zone are not affected. Therefore,
you must remove them manually if you do not want them.

IpAddresses...

Required. Specifies the IP addresses of the domain controllers that add their names in NS resource records for the zone that
is specified in ZoneName. Type a space-separated list of the IP addresses of the DNS servers, for example, 10.0.0.0 172.16.0.0
192.168.0.0.

If any domain controllers in the specified zone are not listed for IpAddresses..., their names are deleted from the NS resource records for the zone that is specified in
ZoneName.
To specify that all domain controllers are allowed to add their names to NS resource records for the zone or to clear the list of allowed DNS server IP addresses, type the
command and omit IpAddresses...:
dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation
Regardless of the settings that are specified in this command, query responses that are sent to DNS clients from authoritative DNS servers and selected domain controllers
will indicate that the responses are from authoritative DNS servers.
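The following script is an added example for the two NS registration procedures above; it is not part of the original procedures and not a Microsoft tool. NS records decide which servers resolvers treat as authoritative for a zone, so a stale or unexpected NS record redirects lookups for the whole zone to that host. The script compares the NS records published at the zone apex with the list of domain controllers that are meant to serve the zone, reads the local DisableNSRecordsAutoCreation setting, and with -Enforce applies the intended list through /AllowNSRecordsAutoCreation and removes NS records for any other host, since that command leaves previously registered records in place. It assumes dnscmd.exe is available and that /EnumRecords prints one record per line with the type as a separate token (for example "@ 3600 NS dc1.corp.contoso.com."). Function names and the zone and host names in the usage line are hypothetical.

```powershell
# Added example, not Microsoft code. Assumes dnscmd.exe on the path.

function Get-ZoneNsHosts {
    # NS targets at the zone apex, lower-cased and without the trailing period.
    param([string]$Server, [string]$Zone)
    $out = & dnscmd.exe $Server /EnumRecords $Zone '@' /Type NS 2>&1
    if ($LASTEXITCODE -ne 0) { throw "EnumRecords $Zone failed: $($out -join ' ')" }
    foreach ($line in $out) {
        if ("$line" -match '\sNS\s+(\S+)\s*$') { $Matches[1].TrimEnd('.').ToLower() }
    }
}

function Test-ZoneNsRecords {
    # Compares published NS hosts with $ExpectedHosts. With -Enforce, restricts NS
    # auto-creation to those hosts and deletes NS records that point anywhere else.
    param(
        [string]$Server = '.',
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string[]]$ExpectedHosts,
        [switch]$Enforce
    )
    $expected   = @($ExpectedHosts | ForEach-Object { $_.TrimEnd('.').ToLower() })
    $published  = @(Get-ZoneNsHosts -Server $Server -Zone $Zone)
    $unexpected = @($published | Where-Object { $expected -notcontains $_ })
    $missing    = @($expected  | Where-Object { $published -notcontains $_ })

    # Local setting from the "Disable NS resource record registration" procedure:
    # 1 means this server no longer adds an NS record for itself when it loads a zone.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -ErrorAction SilentlyContinue
    $selfRegistrationDisabled = ($params.DisableNSRecordsAutoCreation -eq 1)

    if ($Enforce -and ($unexpected.Count -gt 0)) {
        # /AllowNSRecordsAutoCreation takes the IPv4 addresses of the permitted domain controllers.
        $ips = foreach ($h in $expected) {
            [System.Net.Dns]::GetHostAddresses($h) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
        }
        & dnscmd.exe $Server /Config $Zone /AllowNSRecordsAutoCreation @ips | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "AllowNSRecordsAutoCreation on $Zone failed ($LASTEXITCODE)" }
        foreach ($h in $unexpected) {
            # Records registered earlier are not removed by the command above.
            & dnscmd.exe $Server /RecordDelete $Zone '@' NS "$h." /f | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not delete NS $h from $Zone" }
        }
    }
    [pscustomobject]@{
        Zone                     = $Zone
        Published                = $published
        Unexpected               = $unexpected
        Missing                  = $missing
        SelfRegistrationDisabled = $selfRegistrationDisabled
    }
}

# Usage (hypothetical): report only, then enforce once the report looks right.
# Test-ZoneNsRecords -Zone corp.contoso.com -ExpectedHosts dc1.corp.contoso.com, dc2.corp.contoso.com
# Test-ZoneNsRecords -Zone corp.contoso.com -ExpectedHosts dc1.corp.contoso.com, dc2.corp.contoso.com -Enforce
```

Run the report form first on every DNS server that hosts the zone: because the setting is per server and the zone is replicated, an unexpected NS record seen on one server has usually been registered by another, and the Missing list tells you which intended servers have stopped advertising themselves.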

Restrict the DNS resource records that are updated by Netlogon


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following procedure restricts the set of Domain Name System (DNS) resource records that the Net Logon service registers for an Active Directory domain controller. A domain controller advertises its roles through the service (SRV) records listed below; records that are not registered are not used by clients to select that domain controller for the corresponding role.

Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restrict the DNS resource records that are updated by Netlogon
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Add the following multistring (REG_MULTI_SZ) value:
DnsAvoidRegisterRecords
4. In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service.
The following table contains the list of data.

Data value          Resource record type   DNS resource record
LdapIpAddress       A                      DnsDomainName
Ldap                SRV                    _ldap._tcp.DnsDomainName
LdapAtSite          SRV                    _ldap._tcp.SiteName._sites.DnsDomainName
Pdc                 SRV                    _ldap._tcp.pdc._msdcs.DnsDomainName
Gc                  SRV                    _ldap._tcp.gc._msdcs.DnsForestName
GcAtSite            SRV                    _ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
DcByGuid            SRV                    _ldap._tcp.DomainGuid.domains._msdcs.DnsForestName
GcIpAddress         A                      _gc._msdcs.DnsForestName
DsaCname            CNAME                  DsaGuid._msdcs.DnsForestName
Kdc                 SRV                    _kerberos._tcp.dc._msdcs.DnsDomainName
KdcAtSite           SRV                    _kerberos._tcp.SiteName._sites.dc._msdcs.DnsDomainName
Dc                  SRV                    _ldap._tcp.dc._msdcs.DnsDomainName
DcAtSite            SRV                    _ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
Rfc1510Kdc          SRV                    _kerberos._tcp.DnsDomainName
Rfc1510KdcAtSite    SRV                    _kerberos._tcp.SiteName._sites.DnsDomainName
GenericGc           SRV                    _gc._tcp.DnsForestName
GenericGcAtSite     SRV                    _gc._tcp.SiteName._sites.DnsForestName
Rfc1510UdpKdc       SRV                    _kerberos._udp.DnsDomainName
Rfc1510Kpwd         SRV                    _kpasswd._tcp.DnsDomainName
Rfc1510UdpKpwd      SRV                    _kpasswd._udp.DnsDomainName

Notes

To open Registry Editor, click Start, click Run, type regedit, and then click OK.
You do not need to restart the Net Logon service for changes to this value to take effect. If the DnsAvoidRegisterRecords value is created or modified
while the Net Logon service is stopped, or within the first 15 minutes after it starts, the corresponding DNS updates may be delayed, but by no
more than 15 minutes after the Net Logon service starts.
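The following script is an added example for the procedure above; it is not part of the original procedure and not a Microsoft tool. It writes DnsAvoidRegisterRecords from the mnemonics in the table, rejecting any value that is not in the table (an unrecognised entry prevents nothing), and, after the delay described in the notes, checks whether this domain controller still appears as a target of the SRV records it was told not to register. It assumes it runs as an administrator on the domain controller and that Resolve-DnsName (DnsClient module, Windows Server 2012 or later) is available; the domain, forest and site names are parameters and the names in the usage lines are hypothetical. Entries whose names contain a GUID or a site that was not supplied are written but not checked.

```powershell
# Added example, not Microsoft code. Table of mnemonics taken from the procedure above.

$script:NetlogonRecords = @{
    LdapIpAddress    = @{ Type = 'A';     Name = '{Domain}' }
    Ldap             = @{ Type = 'SRV';   Name = '_ldap._tcp.{Domain}' }
    LdapAtSite       = @{ Type = 'SRV';   Name = '_ldap._tcp.{Site}._sites.{Domain}' }
    Pdc              = @{ Type = 'SRV';   Name = '_ldap._tcp.pdc._msdcs.{Domain}' }
    Gc               = @{ Type = 'SRV';   Name = '_ldap._tcp.gc._msdcs.{Forest}' }
    GcAtSite         = @{ Type = 'SRV';   Name = '_ldap._tcp.{Site}._sites.gc._msdcs.{Forest}' }
    DcByGuid         = @{ Type = 'SRV';   Name = '_ldap._tcp.{DomainGuid}.domains._msdcs.{Forest}' }
    GcIpAddress      = @{ Type = 'A';     Name = '_gc._msdcs.{Forest}' }
    DsaCname         = @{ Type = 'CNAME'; Name = '{DsaGuid}._msdcs.{Forest}' }
    Kdc              = @{ Type = 'SRV';   Name = '_kerberos._tcp.dc._msdcs.{Domain}' }
    KdcAtSite        = @{ Type = 'SRV';   Name = '_kerberos._tcp.{Site}._sites.dc._msdcs.{Domain}' }
    Dc               = @{ Type = 'SRV';   Name = '_ldap._tcp.dc._msdcs.{Domain}' }
    DcAtSite         = @{ Type = 'SRV';   Name = '_ldap._tcp.{Site}._sites.dc._msdcs.{Domain}' }
    Rfc1510Kdc       = @{ Type = 'SRV';   Name = '_kerberos._tcp.{Domain}' }
    Rfc1510KdcAtSite = @{ Type = 'SRV';   Name = '_kerberos._tcp.{Site}._sites.{Domain}' }
    GenericGc        = @{ Type = 'SRV';   Name = '_gc._tcp.{Forest}' }
    GenericGcAtSite  = @{ Type = 'SRV';   Name = '_gc._tcp.{Site}._sites.{Forest}' }
    Rfc1510UdpKdc    = @{ Type = 'SRV';   Name = '_kerberos._udp.{Domain}' }
    Rfc1510Kpwd      = @{ Type = 'SRV';   Name = '_kpasswd._tcp.{Domain}' }
    Rfc1510UdpKpwd   = @{ Type = 'SRV';   Name = '_kpasswd._udp.{Domain}' }
}

function Set-NetlogonAvoidRecords {
    # Writes the REG_MULTI_SZ value; rejects mnemonics that are not in the table.
    param([Parameter(Mandatory)][string[]]$Mnemonics)
    $unknown = @($Mnemonics | Where-Object { -not $script:NetlogonRecords.ContainsKey($_) })
    if ($unknown.Count -gt 0) { throw "Unknown mnemonic(s): $($unknown -join ', ')" }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # -Force creates the value or overwrites it; the [string[]] cast keeps a single entry multi-valued.
    New-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -PropertyType MultiString `
        -Value ([string[]]$Mnemonics) -Force | Out-Null
    (Get-ItemProperty -Path $key).DnsAvoidRegisterRecords
}

function Test-NetlogonAvoidRecords {
    # For each avoided SRV mnemonic whose name can be built from the given values,
    # queries the record and reports whether this DC is still one of its targets.
    # Net Logon refreshes within 15 minutes, so run this after that window.
    param(
        [Parameter(Mandatory)][string[]]$Mnemonics,
        [Parameter(Mandatory)][string]$Domain,
        [string]$Forest = $Domain,
        [string]$Site,
        [string]$DcFqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $values = @{ Domain = $Domain; Forest = $Forest; Site = $Site }
    foreach ($m in $Mnemonics) {
        $entry = $script:NetlogonRecords[$m]
        if (-not $entry -or $entry.Type -ne 'SRV') { continue }
        $name = $entry.Name
        foreach ($k in $values.Keys) { if ($values[$k]) { $name = $name.Replace("{$k}", $values[$k]) } }
        if ($name -match '\{') { continue }   # GUID-based name, or site not supplied
        $targets = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
        [pscustomobject]@{
            Mnemonic        = $m
            Record          = $name
            StillRegistered = ($targets -contains $DcFqdn.TrimEnd('.').ToLower())
        }
    }
}

# Usage (hypothetical): stop this DC from registering the generic, non-site LDAP,
# Kerberos and global catalog records, then verify after the refresh interval.
# Set-NetlogonAvoidRecords -Mnemonics Ldap, Kdc, Dc, Gc, GenericGc
# Test-NetlogonAvoidRecords -Mnemonics Ldap, Kdc, Dc, Gc, GenericGc -Domain corp.contoso.com
```

A row with StillRegistered set to True after the refresh interval means either that the value was not read (check the spelling against the table and that the key path is correct) or that the record is also being registered from elsewhere; in both cases the domain controller is still being handed out for that role.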


DNS Operations Guide


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The DNS Operations Guide provides administration and troubleshooting information for Domain Name System (DNS) in the Microsoft Windows Server 2003 with
Service Pack 1 (SP1) operating system.
In this guide

Administering DNS Operations


Troubleshooting Domain Name System
Additional Resources for Domain Name System


Administering DNS Operations


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide provides administration information for Domain Name System (DNS) in the Microsoft Windows Server 2003 with Service Pack 1 (SP1)
operating system.
In this guide

Introduction to Administering DNS Operations


Managing DNS
Monitoring DNS
Optimizing DNS
Securing DNS

This DNS Administering guide provides detailed procedures for managing DNS servers, clients, and resource records. It also provides procedures for monitoring,
optimizing, and securing your DNS infrastructure. For most procedures, this guide provides both a user interface (UI) and a command-line method of performing each
procedure. In addition, this guide provides sample scripts for the most frequently used, repetitive tasks.

Introduction to Administering DNS Operations


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide explains how to administer Microsoft Domain Name System (DNS). These activities are part of the operating phase of the information technology (IT) life cycle. If
you are not familiar with this guide, review the following sections of this introduction.

When to Use This Guide


You should use this guide when:

You want to manage DNS servers.


You want to manage DNS clients.

This guide assumes a basic understanding of what DNS is, how it works, and why your organization uses it for name resolution. You should also have a thorough
understanding of how DNS is deployed and managed in your organization. This includes an understanding of the mechanism that your organization uses to configure and
manage DNS settings.
This guide can be used by organizations that have deployed Windows Server 2003 Service Pack 1 (SP1). It includes information that is relevant to different roles within an IT
organization, including IT operations management and administrators. This guide contains high-level information that is required to plan a DNS operations environment,
along with management-level knowledge of the DNS and IT processes that are required to operate it.
In addition, this guide contains more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures
provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and snap-ins and know how to start
administrative programs and access the command line. If operators are not familiar with DNS, it might be necessary for IT planners or managers to review the relevant
operations in this guide and provide the operators with parameters or data that must be entered when the operations are performed.

How to Use This Guide


The operations areas are divided into the following types of content:

Objectives are high-level goals for managing, monitoring, optimizing, and securing DNS. Each objective consists of one or more high-level tasks that describe how
the objective is accomplished. In this guide, Managing Domain Name System Servers is an example of an objective.
Tasks are used to group related procedures and provide general guidance for achieving the goals of an objective. In this guide, Modifying an Existing DNS Server is
an example of a task.
Procedures provide step-by-step instructions for completing tasks. In this guide, Change the name-checking method of a DNS server is an example of a procedure.

If you are an IT manager who will be delegating tasks to operators in your organization, you will want to:

Read through the objectives and tasks to determine how to delegate permissions and whether you need to install tools before operators perform the procedures
for each task.
Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.
When necessary, create tear sheets for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate
document and then either print these documents or store them online, depending on the preference of your organization.


Managing DNS
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide describes processes and procedures for improving the management of Windows Server 2003 Domain Name System (DNS) in your network infrastructure.
Ensuring that DNS is functioning properly helps increase system availability for your users.
The following tasks for managing DNS are described in this objective:

Managing Domain Name System Servers
Managing Domain Name System Clients
Managing Domain Name System Zones
Managing DNS Resource Records


Managing Domain Name System Servers


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks for managing Domain Name System (DNS) servers are described in this objective:

Adding a Primary DNS Server to an Existing Zone
Adding a Secondary DNS Server
Modifying an Existing DNS Server
Using Forwarders to Manage DNS Servers
Removing a DNS Server from the Network
Using DNS Aging and Scavenging


Adding a Primary DNS Server to an Existing Zone


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you are installing Domain Name System (DNS) with Active Directory, use the Active Directory Installation Wizard option to automatically install and configure a local DNS
server. This option installs the DNS Server service on the computer where you are running the wizard, and it configures the computer's preferred DNS server setting to use
the new local DNS server. Configure any other computers that join this domain to use this DNS server's Internet Protocol (IP) address as their preferred DNS server.
If you are installing DNS on a member server, use the procedures in this task.
It is recommended that you manually configure the computer to use a static IP address. If the DNS server is configured to use Dynamic Host Configuration Protocol
(DHCP)-assigned dynamic addresses, then when the DHCP server assigns a new IP address to the DNS server, the DNS clients that are configured to use that DNS server's
previous IP address will be unable to reach that address and locate the DNS server.
After you install a DNS server, you can decide how to administer it and its zones. Although you can use a text editor to make changes to server boot and zone files, this
method is not recommended. The DNS console and the DNS command-line tool, Dnscmd, simplify maintenance of these files, and they should be used whenever possible.
After you begin managing these files by using the console or the command line, editing them manually is not recommended.
You can administer DNS zones that are stored in Active Directory by using the DNS console or the Dnscmd command-line tool only. These zones cannot be administered
by using a text editor.
If you uninstall a DNS server that hosts Active Directory-integrated zones, these zones are saved or deleted according to their storage type. For all storage types, the zone
data is stored on other domain controllers or DNS servers. It is not deleted unless the DNS server that you uninstall is the last DNS server hosting that zone.
If you uninstall a DNS server hosting standard DNS zones, the zone files will remain in the systemroot\system32\Dns directory, but they will not be reloaded if the DNS
server is reinstalled. If you create a new zone with the same name as an old zone, the old zone file is replaced with the new zone file.
When they write DNS server boot and zone data to text files, DNS servers use the Berkeley Internet Name Domain (BIND) file format that is recognized by legacy BIND 4
servers, not the more recent BIND 8 format.
Complete this task after you determine that you need to add a primary DNS server to your environment. For more information about planning a DNS infrastructure, see
Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
To complete this task, perform one of the following procedures:

Install a new DNS server
Configure a DNS server

See Also
Other Resources
Deploying Domain Name System (DNS)

Install a new DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to install Domain Name System (DNS) on a member server, which makes that server a DNS server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Installing a new DNS server


To install a DNS server
1. Open the Windows Components Wizard.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4. If you are prompted to do so, in Copy files from, type the full path to the installation location, and then click OK.
Required files are copied to your hard disk.

Note
To open the Windows Components Wizard, click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.


Configure a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use these procedures to configure a new Domain Name System (DNS) server. When you finish configuring the server, you may need to complete additional tasks,
such as enabling dynamic updates for its zones or adding resource records to its zones. See the other tasks in this guide to determine whether they are appropriate for
your environment.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd tool at the command line.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Configuring a DNS server


Using the Windows interface
Using a command line

To configure a DNS server using the Windows interface


1. Open the DNS snap-in.
2. If necessary, add the applicable server to the console and connect to it.
3. In the console tree, click the applicable DNS server.
Where?
DNS/Applicable DNS server
4. On the Action menu, click Configure a DNS Server.
5. Follow the instructions in the Configure a DNS Server Wizard.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}

Value                  Description
dnscmd                 Specifies the name of the command-line tool.
ServerName             Required. Specifies the DNS host name of the DNS server. You can also type the Internet
                       Protocol (IP) address of the DNS server. To specify the DNS server on the local computer,
                       you can also type a period (.).
/Config                Specifies the configuration command.
{ZoneName|..AllZones}  Specifies the name of the zone to be configured. To apply the configuration to all zones
                       that are hosted by the specified DNS server, type ..AllZones.
Property               Specifies the server property or zone property to be configured. Different properties are
                       available for servers and for zones. For a list of the available properties, at a command
                       prompt type: dnscmd /Config /help.
{1|0}                  Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone
                       properties must be reset as part of a more complex operation.

Note
To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command Prompt.


Adding a Secondary DNS Server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) design specifications recommend that at least two DNS servers be used to host each zone. For standard, primary zones, a secondary server
is required to add and configure the zone so that it appears to other DNS servers in the network. For directory-integrated, primary zones, secondary servers are
supported but not required for this purpose. For example, two DNS servers running on domain controllers can be redundant primary servers for a zone. They can provide
the same benefits as adding a secondary server while also providing additional benefits.
Secondary servers can be used to offload DNS query traffic in areas of the network where a zone is heavily queried. In addition, if a primary server is unavailable, a
secondary server can provide some name resolution in the zone until the primary server is available.
If you add a secondary server, try to locate it as close as possible to clients that have a high demand for names that are used in the zone. Also, consider placing secondary
servers across a router, either on other subnets (if you use a routed local area network (LAN)) or across wide area network (WAN) links. This constitutes a good use of a
secondary server as a local backup in scenarios in which an intermediate network link becomes the point of failure between DNS servers and clients that use the zone.
Because a primary server always maintains the master copy of updates and changes to the zone, a secondary server relies on DNS zone transfer mechanisms to obtain its
information and keep the information current. Issues such as zone transfer methods using either full or incremental zone transfers are more applicable when you use
secondary servers.
When you consider the impact of zone transfers that are caused by secondary servers, consider their advantage as a backup source of information, and measure this
against the added cost that they impose on your network infrastructure. A simple rule is that for each secondary server that you add, network usage (because of added
zone replication traffic) increases, and so does the time that is required to synchronize the zone at all secondary servers.
Secondary servers are used most heavily for forward lookup zones. If you are using reverse lookup zones, it is not necessary to add as many secondary servers for those
zones. Typically, a secondary server for a reverse lookup zone is not used outside the network and subnet that correspond to the reverse zone.
To complete this task, perform the following procedure:

Add a secondary server to a zone


Add a secondary server to a zone


Published: March 2, 2005
Updated: November 18, 2009
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To add a secondary server to an existing zone, you must have network access to the server that acts as the master server for this server and its use of the zone. The
master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.
You can perform this procedure by using the DNS console or by using the Dnscmd command-line tool. This procedure can be performed on the secondary DNS server, or
on a computer with permission to manage the secondary DNS server. To add a secondary server to multiple zones, you must repeat this procedure for each zone.
Important
Before you add a secondary server to a zone, you must allow zone transfers from the primary to the secondary server. For more information, see Modify DNS zone
transfer settings.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a secondary server to a zone


Using the Windows interface
Using the command line

To add a secondary server to a zone using the Windows interface


1. Click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, click the applicable Domain Name System (DNS) server.
3. On the Action menu, click New Zone.
4. Follow the instructions in the New Zone Wizard. When you add the zone, select Secondary zone as the zone type.

To add a secondary server to a zone using the command line


At a command prompt, type the following command, and then press ENTER:
Dnscmd ServerName /ZoneAdd ZoneName /Secondary MasterIPaddress... [/file FileName]

Value            Description
ServerName       Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of
                 the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName         Specifies the fully qualified domain name (FQDN) of the secondary zone that you are adding. The zone
                 name must be the same as the name of the primary zone from which the secondary zone is created.
MasterIPaddress  Specifies one or more IP addresses of the master servers for the secondary zone, from which it copies
                 zone data.
FileName         Specifies the name of the file to use for creating the secondary zone.

In the following example, zone transfers are first allowed from the primary DNS server primarydns.contoso.com at 10.0.0.2 to the secondary server
secondarydns.contoso.com at 11.0.0.2. Next, the secondary DNS server is added to the zone secondtest.contoso.com.
Dnscmd primarydns.contoso.com /zoneresetsecondaries secondtest.contoso.com /securelist 11.0.0.2
Dnscmd secondarydns.contoso.com /zoneadd secondtest.contoso.com /secondary 10.0.0.2
For more information about using dnscmd, see Dnscmd Syntax.


Modifying an Existing DNS Server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You may need to modify or update the configuration of your Domain Name System (DNS) servers for various reasons. For example, you may need to change the
name-checking method of a DNS server to allow the DNS server to resolve non-Request for Comments (RFC)-compliant names. In addition, you may need to modify or update a
DNS server in the process of troubleshooting or optimizing it.
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Start, stop, pause, or restart a DNS server
Manually update DNS server data files
Clear the DNS server names cache
Change the boot method of a DNS server
Change the name-checking method of a DNS server
Restore DNS server default preferences

See Also
Other Resources
Deploying Domain Name System (DNS)

Start, stop, pause, or restart a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to start, stop, pause, or restart Domain Name System (DNS).
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To start, stop, pause, or restart a DNS server
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, point to All Tasks, and then click one of the following:
To start the DNS service on this server, click Start.
To stop the DNS service on this server, click Stop.
To interrupt the DNS service on this server, click Pause.
To stop and then automatically restart the DNS service on this server, click Restart.

Note
To open the DNS management console, click Start, point to Administrative Tools, and then click DNS.

Note
If you want to resume the service after you pause or stop it, on the Action menu, point to All Tasks, and then click Resume to immediately resume the service.


Manually update DNS server data files


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool. Use the DNS snap-in for standard Domain Name System (DNS)
zones and the Dnscmd command-line tool for Active Directory-integrated zones.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Manually updating DNS server data files


Using the Windows interface
Using the command line

To manually update DNS server data files using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Update Server Data Files.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To manually update DNS server data files using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneUpdateFromDs ZoneName

Value       Description
ServerName  Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server.
            To specify the DNS server on the local computer, you can also type a period (.).
ZoneName    Specifies the name of the zone to which you want to set aging and scavenging.


Clear the DNS server names cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.

Clearing the DNS server names cache


Using the Windows interface
Using the command line

To clear the DNS server names cache using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server.
3. On the Action menu, click Clear Cache.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To clear the DNS server names cache using the command line
At a command prompt, type the following, and then press ENTER:
dnscmd ServerName /clearcache

Value       Description
ServerName  Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server.
            To specify the DNS server on the local computer, you can also type a period (.).


Change the boot method of a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
By default, Domain Name System (DNS) servers use information that is stored in the registry to initialize the service and load any zone data for use at the server. In
addition, you can configure the DNS server to boot from a file. Or, in Active Directory environments, you can supplement local registry data with zone data that is retrieved
for directory-integrated zones that are stored in the Active Directory database. If you use the file method, the file must be a text file named Boot, which is located on the
computer in the %Systemroot%\Windows\System32\Dns folder.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change the boot method of a DNS server
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Load zone data on startup list, select one of the following:
From registry
From file
From Active Directory and registry

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Change the name-checking method of a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The DNS Server service supports three different possible methods for checking the names that it receives and processes during normal operations:

Strict RFC (ANSI): This method strictly enforces Request for Comments (RFC)-compliant naming rules for all Domain Name System (DNS) names that the server
processes. Names that are not RFC compliant are treated as erroneous data by the DNS server.
Non RFC (ANSI): This method allows names that are not RFC compliant, such as names that use American Standard Code for Information Interchange (ASCII)
characters but are not compliant with RFC host naming requirements, to be used with the DNS server.
Multibyte (UTF8): This method allows names that use the Unicode 8-bit translation encoding scheme, which is a proposed RFC draft, to be used with the DNS server.

By default, the DNS server uses the Multibyte (UTF8) method to check names.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change the name-checking method of a DNS server
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Name checking list, click Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.
All names enables all three name-checking methods.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Restore DNS server default preferences


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to configure the Domain Name System (DNS) server with the initial configuration settings that it had following installation. These initial
configuration settings are listed in the following table.

Property                                      Setting
Disable recursion                             Off
BIND secondaries                              On
Fail on load if bad zone data                 Off
Enable round robin                            On
Enable netmask ordering                       On
Secure cache against pollution                On
Name checking                                 Multibyte (UTF8)
Load zone data on startup                     From Active Directory and registry
Enable automatic scavenging of stale records  Off

Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restore DNS server default preferences
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
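The following Python script is an added example, not part of this guide or of Microsoft's tooling. It ties the dnscmd /Config syntax from the Configure a DNS server procedure to the defaults table above: it parses dnscmd /Info output, reports every setting that has drifted from the installation defaults, and emits one /Config line per drifted setting, which is finer-grained than the console's Reset to Default. The dnscmd /Info field names and /Config property names are what I believe the tool prints and accepts; treat them as assumptions and confirm them with dnscmd /Config /help on your own server. The sample output is constructed.

```python
"""Audit a DNS server's advanced settings against the installation defaults."""
import re
import subprocess
from typing import Dict, List, Tuple

# Console setting -> (field in dnscmd /Info output, dnscmd /Config property, default).
# Defaults are the values from the table above. The field and property names are
# assumptions about what dnscmd prints and accepts; verify with "dnscmd /Config /help".
DEFAULTS: Dict[str, Tuple[str, str, int]] = {
    "Disable recursion":              ("fNoRecursion",       "/NoRecursion",       0),
    "BIND secondaries":               ("fBindSecondaries",   "/BindSecondaries",   1),
    "Fail on load if bad zone data":  ("fStrictFileParsing", "/StrictFileParsing", 0),
    "Enable round robin":             ("fRoundRobin",        "/RoundRobin",        1),
    "Enable netmask ordering":        ("fLocalNetPriority",  "/LocalNetPriority",  1),
    "Secure cache against pollution": ("fSecureResponses",   "/SecureResponses",   1),
    "Name checking":                  ("dwNameCheckFlag",    "/NameCheckFlag",     2),  # 2 = Multibyte (UTF8)
    "Load zone data on startup":      ("fBootMethod",        "/BootMethod",        3),  # 3 = Active Directory and registry
    "Enable automatic scavenging of stale records":
                                      ("dwScavengingInterval", "/ScavengingInterval", 0),  # 0 = scavenging off
}

# Turning cache pollution protection off weakens the server; the other drifts
# in the table change behaviour rather than reduce protection.
SECURITY_SENSITIVE = {"Secure cache against pollution"}

# Constructed sample of dnscmd /Info output with two settings drifted from default.
SAMPLE_INFO = """\
Query result:
Server info
        server name             = dns1.contoso.com
Configuration:
        dwNameCheckFlag         = 00000003
        dwScavengingInterval    = 00000000
Configuration Flags:
        fBootMethod             = 3
        fNoRecursion            = 0
        fRoundRobin             = 1
        fStrictFileParsing      = 0
        fBindSecondaries        = 1
        fLocalNetPriority       = 1
        fSecureResponses        = 0
Command completed successfully.
"""

FIELD_RE = re.compile(r"^\s*(\w+)\s*=\s*([0-9A-Fa-f]+)\s*$")


def parse_info(text: str) -> Dict[str, int]:
    """Extract 'name = value' lines from dnscmd /Info output.

    Values are read as decimal when all digits (00000003 -> 3) and as hex otherwise;
    every field this audit uses is a small flag, so the two readings agree.
    """
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            name, raw = match.groups()
            fields[name] = int(raw, 10) if raw.isdigit() else int(raw, 16)
    return fields


def audit(fields: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (setting, current, default) for each setting that differs from the default.

    A field missing from the output is reported with current = -1 so that it is
    never silently treated as compliant.
    """
    drift: List[Tuple[str, int, int]] = []
    for setting, (field, _prop, default) in DEFAULTS.items():
        current = fields.get(field, -1)
        if current != default:
            drift.append((setting, current, default))
    return drift


def restore_commands(server: str, drift: List[Tuple[str, int, int]]) -> List[str]:
    """Build one dnscmd /Config line per drifted setting, in the syntax shown in this guide."""
    return [f"dnscmd {server} /Config {DEFAULTS[setting][1]} {default}"
            for setting, _current, default in drift]


def live_info(server: str = ".") -> str:
    """Run dnscmd /Info against a real server (Windows only); '.' is the local computer."""
    return subprocess.run(["dnscmd", server, "/Info"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_INFO for live_info(".") when running on the DNS server itself.
    findings = audit(parse_info(SAMPLE_INFO))
    for setting, current, default in findings:
        flag = "  <-- weakens the server" if setting in SECURITY_SENSITIVE else ""
        print(f"{setting}: current={current} default={default}{flag}")
    print("\n".join(restore_commands(".", findings)))
```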


Using Forwarders to Manage DNS Servers


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you want to use forwarders to manage the Domain Name System (DNS) traffic between your network and the Internet, configure your network firewall to allow only one
DNS server to communicate with the Internet. When you have configured the other DNS servers in your network to forward queries that they cannot resolve locally to that
DNS server, it will act as your forwarder.
Consider the following tips for efficient forwarder configuration and use:

Keep forwarder configuration uncomplicated. For every DNS server that is configured with a forwarder, queries can be sent to a number of different places. Each
forwarder and each conditional forwarder must be administered for the benefit of DNS client queries, and this process can be time consuming. Use forwarders
strategically where they are needed the most, for example, for resolving offsite queries or for sharing information between namespaces.
Avoid chaining your forwarders. If you have configured a DNS server named server1 to forward queries for wingtiptoys.corp.com to DNS server server2, do not
configure server2 to forward queries for wingtiptoys.corp.com to DNS server server3. This is an inefficient resolution process, and it can result in errors if server3 is
accidentally configured to forward queries for wingtiptoys.corp.com to server1.
Do not concentrate too great a load on forwarders. The recursive queries that forwarders send to the Internet can require a significant amount of time to answer
because of the nature of the Internet. When large numbers of internal DNS servers use these forwarders for Internet queries, the server can experience a substantial
concentration of network traffic. If network load is an issue, use more than one forwarder and distribute the load between them.
Do not create inefficient resolution by using forwarders. The DNS server attempts to forward domain names according to the order in which the domain names
are configured in the DNS console. For example, a DNS server in Seattle may be incorrectly configured to forward a query to a server in London, instead of another
server in Seattle, because the server in London is higher up in the forwarders list. This decreases the efficiency of name resolution on the network. Evaluate your
network's forwarding configurations periodically to see if there are similar, inefficient configurations.

To complete this task, perform the following procedure:

Configure forwarders for a DNS server


Configure forwarders for a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you use this procedure to configure a conditional forwarder, note that you cannot use a domain name in a conditional forwarder if the DNS server hosts a primary zone,
secondary zone, or stub zone for that domain name. For example, if a DNS server is authoritative for the domain name wingtiptoys.corp.com (that is, it hosts the primary
zone for that domain name), you cannot configure that DNS server with a conditional forwarder for wingtiptoys.corp.com.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Configuring forwarders for a DNS server


Using the Windows interface
Using the command line

To configure forwarders for a DNS server using the Windows graphical user interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click a domain name.
Note
To create a new domain name, click New, and then, under DNS domain, type the domain name.
5. Under Selected domain's forwarder IP address list, type the Internet Protocol (IP) address of a forwarder, and then click Add.
Note
When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.
6. By default, the DNS server waits five seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds
before forward queries time out, you can change the number of seconds that the DNS server waits. If the overall recursion timeout (by default, 15 seconds) is
exceeded before all forwarders are exhausted, the DNS server fails the query. If the overall recursion timeout has not been exceeded and the server exhausts all
forwarders, it attempts standard recursion.
7. If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the Do not use recursion for this domain
check box.
Note
You can disable recursion for the DNS server so that it does not perform recursion on any query. If you disable recursion on the DNS server, you will not be able
to use forwarders on the same server.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To configure forwarders for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName /Forwarder MasterIPaddress [/TimeOut Time][/Slave]

Value

Description

ServerName

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local
computer, you can also type a period (.).

ZoneName

Specifies the fully qualified domain name (FQDN) of the zone.

MasterIPaddress

Specifies a space-separated list of one or more IP addresses of the DNS servers to which queries for ZoneName are forwarded.


Time

Specifies the value for the /TimeOut parameter. The value is in seconds. The default timeout is five seconds.
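As an added illustration of the forwarder rules above (not code from the original page or from Microsoft), this Python model applies the conditional-forwarder restriction and walks a forwarder list with the page's 5-second per-forwarder and 15-second recursion timeouts. The hosted-zone map, forwarder addresses and latencies are constructed inputs, and the no_recursion flag is assumed to stand for the Do not use recursion for this domain check box.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Defaults stated on this page for Windows Server 2003 DNS.
PER_FORWARDER_TIMEOUT = 5   # seconds the server waits on one forwarder IP address
RECURSION_TIMEOUT = 15      # overall recursion timeout in seconds

# Zone types the page says block a conditional forwarder for the same name.
AUTHORITATIVE_ZONE_TYPES = {"primary", "secondary", "stub"}


def conditional_forwarder_allowed(domain: str, hosted_zones: Dict[str, str]) -> bool:
    """False if the server hosts a primary, secondary or stub zone for `domain`.
    hosted_zones maps zone name -> zone type (constructed data for the example)."""
    zone_type = hosted_zones.get(domain.rstrip(".").lower())
    return zone_type not in AUTHORITATIVE_ZONE_TYPES


def validate_conditional_forwarder(domain: str, hosted_zones: Dict[str, str]) -> None:
    """Raise ValueError for the configuration the page says is not permitted."""
    if not conditional_forwarder_allowed(domain, hosted_zones):
        raise ValueError(f"cannot add a conditional forwarder for {domain}: "
                         f"this server is authoritative for that name")


@dataclass
class ForwarderList:
    forwarders: List[str]                 # forwarder IP addresses, tried in order
    timeout: int = PER_FORWARDER_TIMEOUT  # seconds, the /TimeOut value
    no_recursion: bool = False            # assumed: "Do not use recursion for this domain"


def resolve_via_forwarders(cfg: ForwarderList,
                           latency: Dict[str, Optional[float]]) -> Tuple[str, float, List[str]]:
    """Walk the forwarder list the way steps 6 and 7 describe.

    `latency` maps a forwarder IP to the seconds it takes to answer, or None if it
    never answers (constructed values, not measurements). Returns
    (outcome, seconds_elapsed, trace) with outcome one of 'answered',
    'recursion' (fell back to standard recursion) or 'failed'."""
    elapsed = 0.0
    trace: List[str] = []
    for ip in cfg.forwarders:
        wait = latency.get(ip)
        if wait is not None and wait <= cfg.timeout:
            elapsed += wait
            trace.append(f"{ip} answered after {wait}s (total {elapsed}s)")
            return "answered", elapsed, trace
        # No answer within the per-forwarder timeout: move to the next forwarder.
        elapsed += cfg.timeout
        trace.append(f"{ip} timed out after {cfg.timeout}s (total {elapsed}s)")
        if elapsed > RECURSION_TIMEOUT:
            trace.append("overall recursion timeout exceeded before forwarders "
                         "were exhausted: query fails")
            return "failed", elapsed, trace
    # Every forwarder was tried within the recursion timeout.
    if cfg.no_recursion:
        trace.append("forwarders exhausted and recursion disabled for this domain: query fails")
        return "failed", elapsed, trace
    trace.append("forwarders exhausted: server attempts standard recursion")
    return "recursion", elapsed, trace


if __name__ == "__main__":
    validate_conditional_forwarder("other.corp.com", {"wingtiptoys.corp.com": "primary"})
    cfg = ForwarderList(["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])
    outcome, took, steps = resolve_via_forwarders(cfg, {ip: None for ip in cfg.forwarders})
    print(outcome, took)
    print("\n".join(steps))
```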


Removing a DNS Server from the Network


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To remove a DNS server from the network, perform the following procedures to make changes in zones where the server is configured as an authoritative server for the
zone:

1. Use the Delete a resource record procedure to remove the address (A) resource record for the server.
2. Use the Modify an existing resource record procedure to update the name server (NS) records, in zones where the server is configured as authoritative, to no
longer include the server by name (as it appeared in the A record that was deleted in procedure 1).
3. If the server is the primary server for a standard zone, use the Modify the SOA record for a zone procedure to revise the owner field of the start of authority (SOA)
resource record for the zone to point to the new primary DNS server for the zone. (If the zone is a directory-integrated zone, this procedure is not necessary.)
4. Use the Verify a zone delegation procedure to check the parent zone to ensure that any records (NS or A resource records) that are used for delegation to the
zone are revised and that they no longer point to the removed server.


Delete a resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to delete a resource record from a zone. Pointer (PTR) resource records are deleted automatically if the corresponding address (A)
resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Deleting a resource record


Using the Windows interface
Using the command line

To delete a resource record using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to delete, and then click Delete.
4. When you are asked to confirm that you want to delete the selected resource record, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordDelete

Required. Deletes a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies
the zone's root node.

RRType RRData

Required. Specifies the type of resource record to delete, followed by the data that is contained in the resource record.

Resource record type          Resource record data
A                             IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR   HostName|DomainName
MX,RT,AFSDB                   Preference ServerName
SRV                           Priority Weight Port HostName
SOA                           PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA                          Ipv6Address
TXT,X25,HINFO,ISDN            String [String]
MINFO,RP                      MailboxName ErrMailboxName
WKS                           Protocol IPAddress Service...
WINS                          MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                         MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress

Specifies a standard IP address, for example, 255.255.255.255.

Ipv6Address

Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.

Protocol

Specifies the transmission protocol: UDP or TCP.

Service

Specifies a standard service, for example, domain, smtp.

HostName|DomainName

Specifies the FQDN of a resource record that is located in the DNS namespace.

/f

Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion
of the resource record.


Modify an existing resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify an existing resource record in a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd
command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying an existing resource record


Using the Windows interface
Using the command line

To modify an existing resource record using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to modify, and then click Properties.
4. In Properties, edit the properties that can be modified.
If necessary, you can view and modify advanced resource record properties with the DNS snap-in. To display advanced properties, on the View menu, click
Advanced.
5. When you have finished modifying the record, click OK.

Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd

Required. Adds a new resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which
specifies the zone's root node.

RRType RRData

Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record.

Resource record type          Resource record data
A                             IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR   HostName|DomainName
MX,RT,AFSDB                   Preference ServerName
SRV                           Priority Weight Port HostName
SOA                           PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA                          Ipv6Address
TXT,X25,HINFO,ISDN            String [String]
MINFO,RP                      MailboxName ErrMailboxName
WKS                           Protocol IPAddress Service...
WINS                          MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                         MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress

Specifies a standard IP address, for example, 255.255.255.255.

Ipv6Address

Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.

Protocol

Specifies the transmission protocol: UDP or TCP.

Service

Specifies a standard service, for example, domain, smtp.

HostName|DomainName

Specifies the FQDN of a resource record that is located in the DNS namespace.


Modify the SOA record for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to change settings for the start of authority (SOA) resource record for a zone. The settings that are applied for the SOA record affect how zone
transfers are made between servers.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying the SOA record for a zone


Using the Windows interface
Using a command line

To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

/RecordAdd

Required. Adds or modifies a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.

/Aging

Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in SOA resource record.

SOA

Required. Specifies the type of resource record that you are modifying.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

PrimSvr

Required. Specifies the FQDN name of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com..

Admin

Required. Specifies the name of the DNS administrator for the zone, for example, postmaster.nameserver.place.sales.wingtiptoys.com..

Serial#\

Required. Specifies the version information for the zone.

Refresh

Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).

Retry

Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).

Expire

Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).

MinTTL

Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).

Note
To modify any specific SOA record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).


Verify a zone delegation


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
You do not need administrative credentials to perform this task. Therefore, as a security best practice, consider performing this task as a user without administrative
credentials.
To verify a zone delegation
1. At a command prompt, type the following command, and then press ENTER:
nslookup RootServerIpAddress
2. Type the following command, and then press ENTER:
nslookup
3. At the next prompt, type the following command, and then press ENTER:
set norecurse
4. At the next prompt, type the following command, and then press ENTER:
set q=NS
5. Type the fully qualified domain name (FQDN) for the failed name.
Use the trailing period (.) when you type the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers is
returned in the response.
6. If the NS query response contains no names or Internet Protocol (IP) addresses for delegated servers, type set q=ns, and then query again using the FQDN for the
parent zone of the failed name.
For example, if the failed name that you used in the previous step was sales.wingtiptoys.com, query for wingtiptoys.com.
7. If the response contains NS resource records, but no host address (A) resource records, type set recurse, and then query individually for any of the A resource
records of the servers that are listed in the NS resource records.
If, for each NS resource record that you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
8. Either fix the broken delegation or retry the delegation test that is described in the previous step and use a different IP address.
If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an
A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

Value

Description

RootServerIpAddress

The IP address of a valid root server for your network.

set norecurse

Instructs the root server to not perform recursion on your query.

set q=NS

Sends the query for NS resource records to the root server.
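The delegation test above can also be reasoned through offline. This added Python example (not part of the original page) applies steps 5 to 8 to a constructed set of NS and A records that stand in for what the nslookup queries would return; the wingtiptoys.com names and 192.0.2.x addresses are sample values, and a name server that is listed in NS records but has no A record is reported as missing glue.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (owner name, record type) -> list of rdata strings. Constructed sample data that
# stands in for the answers the non-recursive NS query and the A queries in
# steps 3 to 7 would return; not captured from a real server.
Records = Dict[Tuple[str, str], List[str]]

SAMPLE_RECORDS: Records = {
    ("wingtiptoys.com.", "NS"): ["ns1.wingtiptoys.com."],
    ("ns1.wingtiptoys.com.", "A"): ["192.0.2.1"],
    # Delegation of sales.wingtiptoys.com as seen from the parent zone.
    ("sales.wingtiptoys.com.", "NS"): ["ns1.sales.wingtiptoys.com.",
                                       "ns2.sales.wingtiptoys.com."],
    ("ns1.sales.wingtiptoys.com.", "A"): ["192.0.2.10"],
    # ns2.sales.wingtiptoys.com. deliberately has no A record (missing glue).
}


def fqdn(name: str) -> str:
    """Normalise to the trailing-period form the procedure tells you to type."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parent_of(name: str) -> Optional[str]:
    """sales.wingtiptoys.com. -> wingtiptoys.com. -> com. -> . -> None"""
    if name == ".":
        return None
    labels = name.rstrip(".").split(".")
    return "." if len(labels) == 1 else ".".join(labels[1:]) + "."


def find_ns(name: str, records: Records) -> Tuple[Optional[str], List[str]]:
    """Steps 5 and 6: query NS for the name; if nothing comes back, retry the parent."""
    current: Optional[str] = fqdn(name)
    while current is not None:
        ns_names = records.get((current, "NS"), [])
        if ns_names:
            return current, ns_names
        current = parent_of(current)
    return None, []


def valid_ip(text: str) -> bool:
    """A usable address: parses as IPv4/IPv6 and is not the unspecified address."""
    try:
        return not ipaddress.ip_address(text).is_unspecified
    except ValueError:
        return False


def check_delegation(name: str, records: Records) -> dict:
    """Steps 5 to 7: find the NS records, then an A record for each name server.
    The delegation is broken when no listed name server resolves to a valid IP."""
    zone, ns_names = find_ns(name, records)
    servers = {ns: [ip for ip in records.get((fqdn(ns), "A"), []) if valid_ip(ip)]
               for ns in ns_names}
    missing = sorted(ns for ns, ips in servers.items() if not ips)
    return {
        "zone": zone,                 # zone whose NS records answered, or None
        "nameservers": servers,       # NS name -> valid IPs found in A records
        "missing_glue": missing,      # step 8: add an A record in the parent zone
        "broken": not any(servers.values()),
    }


if __name__ == "__main__":
    print(check_delegation("sales.wingtiptoys.com", SAMPLE_RECORDS))
```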


Using DNS Aging and Scavenging


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Aging and scavenging of stale resource records are features of Domain Name System (DNS) that are available when you deploy your server with primary zones.
Where aging and scavenging are available, you can use the DNS snap-in to perform the following related tasks for your DNS servers and any directory-integrated zones
that they load:

Enable or disable the use of scavenging at a DNS server
Enable or disable the use of scavenging for selected zones at the DNS server
Modify the no-refresh interval, either as a server default or by specifying an overriding value at selected zones
Modify the refresh interval, either as a server default or by specifying an overriding value at selected zones
Specify whether periodic scavenging occurs automatically at the DNS server for any of its eligible zones and how often these operations are repeated
Manually initiate a single scavenging operation for all eligible zones at the DNS server
View other related properties, such as the time stamp for individual resource records or the start-scavenging time for a specified zone

Enabling Scavenging of Stale Resource Records


By default, aging and scavenging features are disabled on all DNS servers and any of their zones. Before using these features, you should configure the following settings
for the applicable server and its directory-integrated zones:

Server aging and scavenging properties for determining the use of these features on a server-wide basis. These settings are used to determine the effect of
zone-level properties for any directory-integrated zones that are loaded at the server. For more information, see Set aging and scavenging properties for a DNS
server.
Zone aging and scavenging properties for determining the use of these features on a per zone basis. When zone-specific properties are set for a selected
zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their
defaults from comparable settings that are maintained in server aging and scavenging properties. For more information, see Set aging and scavenging properties
for a zone.
Caution
Enabling aging and scavenging for use with standard primary zones modifies the format of zone files. This change does not affect zone replication to
secondary servers, but the modified zone files cannot be loaded by other versions of DNS servers.

Modifying No-refresh Intervals


When the no-refresh interval is in effect for a specific resource record, attempts to dynamically refresh its time stamp are suppressed by the DNS server. This aspect of the
aging and scavenging mechanism prevents unnecessary refreshes from being processed by the server for aged resource records. These early refresh attempts, if not
handled in this way, might otherwise increase Active Directory replication traffic related to processing DNS zone changes.
To ensure that records do not refresh prematurely, keep the no-refresh interval comparable in length to the current refresh interval for each resource record. For example,
if you increase the refresh interval to a higher value, you can similarly increase the no-refresh interval.
In most instances, the default interval of seven days is sufficient and does not need to be changed.

Modifying Refresh Intervals


When the refresh interval is in effect for a resource record, attempts to dynamically refresh its time stamp are accepted and processed by the DNS server. When you set
this interval, it is important that the length of time used be greater than the maximum possible refresh period for any resource records that are contained in the zone. This
period is equal to the maximum amount of time that it might take the record to be refreshed under normal network conditions, based on the specific source generating
the record refresh.
For example, the following table shows default refresh periods for various services that are known to register and refresh records dynamically in DNS.

Service: Default refresh period

Net Logon: 24 hours

Clustering: 24 hours

DHCP client: 24 hours
The DHCP Client service sends dynamic updates for the DNS records. This includes both computers that obtain a leased Internet Protocol (IP) address by
using Dynamic Host Configuration Protocol (DHCP) and computers that are configured statically for TCP/IP.

DHCP server: Four days (half of the lease interval, which is eight days by default).
Refresh attempts are made only by DHCP servers that are configured to perform DNS dynamic updates on behalf of their clients, for example,
Windows 2000 Server DHCP servers and Windows Server 2003 DHCP servers. The period is based on the frequency with which DHCP clients renew their IP
address leases with the server. Typically, this occurs when 50 percent of the scope lease time has elapsed. If the DHCP default scope lease duration of eight
days is used, the maximum refresh period for records that are updated by DHCP servers on behalf of clients is four days.
By default, the refresh interval is seven days. In most instances, this value is sufficient and does not need to be changed, unless any resource records in the zone are
refreshed less often than once every seven days.

Automated and Manually Initiated Scavenging


Although scavenging start time and other factors determine when zones and records are actually eligible for scavenging, you can initiate scavenging by using either of two
methods:

Automatic scavenging. Automatic scavenging specifies that aging and scavenging of stale records is to be performed automatically by the server for any eligible
zones at a recurring interval that is specified as the scavenging period. When you use automatic scavenging, the default scavenging period is one day, and the
minimum allowed value that you can use for the scavenging period is one hour. For more information, see Configure automatic scavenging of stale resource
records.
Manual scavenging. Manual scavenging specifies that aging and scavenging of stale records is to be performed as a nonrecurring operation for any eligible zones
at the server. For more information, see Start scavenging of stale resource records.

Modifying Time-Stamp Values


For resource records that are not added dynamically to DNS zone data, a record time-stamp value of zero is applied, which prevents these records from aging or removal
during scavenging.
You can, however, reset record properties manually to enable any statically entered records to qualify for the aging and scavenging process. If you do this, the record will
be deleted based on the modified time-stamp value, at which point you might need to re-create a record if it is still needed.
For more information, see Reset aging and scavenging properties for a specific resource record.
To complete this task, perform the following procedures:

1. Set aging and scavenging properties for a DNS server
2. Set aging and scavenging properties for a zone
3. Configure automatic scavenging of stale resource records
4. Start scavenging of stale resource records
5. Reset aging and scavenging properties for a specific resource record


Set aging and scavenging properties for a DNS server


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The settings for server aging and scavenging properties determine the effect of zone-level properties for any directory-integrated zones that are loaded at the server.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Setting aging and scavenging properties for a DNS server


Using the Windows interface
Using the command line

To set aging and scavenging properties for a DNS server using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Set Aging/Scavenging for All Zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a DNS server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}

Value

Description

ServerName

Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.).

Value

For /ScavengingInterval, type a value in hours. The default is 168 hours (one week). For /DefaultAgingState, type 1 to enable aging for new
zones when they are created. Type 0 to disable aging for new zones. For /DefaultNoRefreshInterval, type a value in hours. The default is
168 hours (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 hours (one week).


Set aging and scavenging properties for a zone


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The settings for zone aging and scavenging properties determine the use of these features on a per-zone basis. When you set zone-specific properties for a selected
zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their defaults
from comparable settings that are maintained in server aging and scavenging properties.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Setting aging and scavenging properties for a zone


Using the Windows interface
Using the command line

To set aging and scavenging properties for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To set aging and scavenging properties for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}

Value

Description

ServerName

Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).

ZoneName|..AllZones

Specifies the name of the zone to which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.

Value

For /Aging, type 1 to enable aging. Type 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours
(one week). For /NoRefreshInterval, type a value in seconds. The standard setting is 3600 seconds (one hour).


Configure automatic scavenging of stale resource records


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To configure automatic scavenging of stale resource records
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Properties.
3. Click the Advanced tab.
4. Select the Enable automatic scavenging of stale records check box.
5. To adjust the scavenging period, in Scavenging period, select an interval in the drop-down list (either hours or days), and then type a number in the text box.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Start scavenging of stale resource records


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Starting scavenging of stale resource records


Using the Windows interface
Using the command line

To start scavenging of stale resource records using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable Domain Name System (DNS) server, and then click Scavenge Stale Resource Records.
3. When you are prompted to confirm that you want to scavenge all stale resource records on the server, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start scavenging of stale resource records using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /StartScavenging

Value

Description

ServerName

Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server
on the local computer, you can also type a period (.).


Reset aging and scavenging properties for a specific resource record

Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This procedure is used only for resource records that are registered dynamically. For records that you add to a zone manually, a time-stamp value of zero always applies
to the record, which excludes it from the scavenging process.
Note
Scavenging and aging properties for name server (NS) and start of authority (SOA) resource records are reset in the properties of the zone, not in the properties of the
resource record.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Resetting aging and scavenging properties for a specific resource record

To reset aging and scavenging properties for a specific resource record using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.
4. Depending on how the resource record was originally added to the zone, do one of the following:
If the record was added dynamically using dynamic update, clear the Delete this record when it becomes stale check box to prevent the record's aging or
potential removal during the scavenging process. If dynamic updates to this record continue to occur, the Domain Name System (DNS) server will always
reset this check box so that the dynamically updated record can be deleted.
If you added the record manually, select the Delete this record when it becomes stale check box to permit the record's aging or potential removal during
the scavenging process.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To reset aging and scavenging properties for a specific resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /ScavengingInterval Value

ServerName
    Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

ZoneName|..AllZones
    Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server to allow dynamic updates, type ..AllZones.

Value
    The new value for the scavenging interval, specified in hours. The default is 168 hours (one week).


Managing Domain Name System Clients


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks are described in this objective:
Configuring DNS Client Settings for DNS Operations
Managing the DNS Client Resolver Cache
Renewing DNS Client Registration


Configuring DNS Client Settings for DNS Operations


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) configuration involves the following tasks when TCP/IP properties are configured for each computer:

Setting a DNS computer name or host name for each computer. For example, in the fully qualified domain name (FQDN) wkstn1.sales.wingtiptoys.com., the DNS
computer name is wkstn1.
Setting a primary DNS suffix for the computer, which is placed after the computer name or host name to form the FQDN. Using the previous example, the primary
DNS suffix is sales.wingtiptoys.com.
Setting a list of DNS servers for clients to use when resolving DNS names, such as a preferred DNS server, and any alternate DNS servers to use if the preferred
server is not available.
Setting the DNS suffix search list or search method to be used by the client when it performs DNS query searches for short, unqualified domain names.

These tasks are discussed in more detail in each of the following sections.

Setting Computer Names


When you set a computer name for DNS, it is useful to think of the name as the leftmost portion of a fully qualified domain name (FQDN). For example, in
wkstn1.sales.wingtiptoys.com., wkstn1 is the computer name.
You can configure all Windows DNS clients with a computer name that is based on any of the standard supported characters that are defined in Request for Comments
(RFC) 1123, "Requirements for Internet Hosts -- Application and Support." These characters include the following:

Uppercase letters: A through Z
Lowercase letters: a through z
Numbers: 0 through 9
Hyphens (-)

If you are supporting both network basic input/output system (NetBIOS) and DNS namespaces on your network, you can use a different computer name in each
namespace. However, it is recommended that, wherever possible, you try to use computer names that are 15 characters or less and that you follow the RFC 1123 naming
requirements described in the previous paragraph.
By default, the leftmost label in the FQDN for clients equals the NetBIOS computer name, unless this label is 16 or more characters, which is the maximum for NetBIOS
names. When the computer name exceeds the maximum length for NetBIOS, the NetBIOS computer name is truncated based on the full label that is specified.
Before you configure computers with varying DNS and NetBIOS names, consider the following issues and their implications for your deployment:
If Windows Internet Name Service (WINS) lookup is enabled for zones that are hosted by your DNS servers, you must use the same name for both NetBIOS and DNS
computer naming. Otherwise, the results of clients attempting to query and resolve the names of these computers will be inconsistent.
If you have an investment in using NetBIOS names to support legacy Microsoft networking technology, it is recommended that you revise NetBIOS computer names that
are used on your network to prepare for migration to a standard DNS-only environment. This prepares your network well for long-term growth and interoperability with
future naming requirements. For example, if you use the same computer name for both NetBIOS and DNS resolution, consider converting any special characters such as
the underscore (_) in your current NetBIOS names that do not comply with DNS naming standards. While these characters are permitted in NetBIOS names, they are more
often incompatible with traditional DNS host naming requirements and most existing DNS resolver client software.
Note
Although the use of the underscore (_) in DNS host names or in host address (A) resource records has traditionally been prohibited by DNS standards, the use of
underscores in service-related names, such as those used for service locator (SRV) resource records, has been proposed to avoid naming collisions in the Internet
DNS namespace.
In addition to DNS standard naming conventions, Windows Server 2003 DNS supports the use of extended American Standard Code for Information Interchange (ASCII)
and Unicode characters. However, because most resolver software that is written for other platforms (such as UNIX) is based on Internet DNS standards, this enhanced
character support can be used only in private networks with computers running Windows 2000 or Windows Server 2003 DNS.
The initial setup of DNS and TCP/IP displays a warning to suggest a standard DNS name if a nonstandard DNS name is entered.
By default, computers and servers use DNS to resolve any name that is greater than 15 characters in length. If the name is less than or equal to 15 characters, both
NetBIOS and DNS name resolution can be attempted and used to resolve the name.
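As an added example (not part of the Microsoft documentation), the naming rules above in Python: split an FQDN into computer name and domain name, test each label against the RFC 1123 character rules, derive the 15-character NetBIOS name, and report which resolution methods a client attempts for a name of that length. The 63-character label limit and the rule that a label may not begin or end with a hyphen come from RFC 1035/1123, not from this page.

```python
import re
from typing import List, Tuple

# NetBIOS computer names are limited to 15 characters; longer DNS labels are truncated.
NETBIOS_MAX = 15


def split_fqdn(fqdn: str) -> Tuple[str, str]:
    """Split an FQDN into (computer name, DNS domain name): the leftmost label
    is the computer name and the remainder is the primary DNS suffix."""
    name, _, suffix = fqdn.rstrip(".").partition(".")
    return name, suffix


def check_host_label(label: str) -> List[str]:
    """Return the problems with a proposed DNS computer name measured against
    the RFC 1123 host-name rules; an empty list means the name is standard."""
    problems: List[str] = []
    if not label:
        return ["empty name"]
    if len(label) > 63:
        problems.append("longer than 63 characters (maximum DNS label length)")
    if "_" in label:
        problems.append("contains an underscore, which NetBIOS permits but DNS host names do not")
    # RFC 1123 host labels: ASCII letters, digits and hyphens only
    bad = sorted({c for c in label
                  if c != "_" and not (c.isascii() and (c.isalnum() or c == "-"))})
    if bad:
        problems.append("contains characters outside the RFC 1123 set: " + "".join(bad))
    if label.startswith("-") or label.endswith("-"):
        problems.append("begins or ends with a hyphen")
    return problems


def check_domain_name(domain: str) -> List[str]:
    """Apply the same label rules to every label of a DNS domain name (suffix)."""
    problems: List[str] = []
    for label in domain.rstrip(".").split("."):
        for p in check_host_label(label):
            problems.append(f"label '{label}': {p}")
    return problems


def netbios_name(label: str) -> str:
    """Default NetBIOS computer name derived from the DNS computer name: the
    label truncated to 15 characters (NetBIOS names are not case-sensitive,
    so the result is shown upper-cased)."""
    return label[:NETBIOS_MAX].upper()


def resolution_methods(name: str) -> Tuple[str, ...]:
    """Resolution methods a Windows client attempts for an unqualified name:
    a name longer than 15 characters can only be resolved through DNS."""
    return ("DNS",) if len(name) > NETBIOS_MAX else ("NetBIOS", "DNS")


if __name__ == "__main__":
    # Constructed sample names; only wkstn1.sales.wingtiptoys.com is taken from the text.
    for fqdn in ("wkstn1.sales.wingtiptoys.com.", "file_srv01.sales.wingtiptoys.com",
                 "salesworkstation01.sales.wingtiptoys.com"):
        host, domain = split_fqdn(fqdn)
        print(fqdn, "->", host, "/", domain, check_host_label(host) or "OK",
              netbios_name(host), resolution_methods(host))
```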

Setting Domain Names


The domain name is used with the client computer name to form the FQDN, which is also known as the full computer name. In general, the DNS domain name is the
remainder of the FQDN that is not used as the unique host name for the computer.
For example, the DNS domain name for a client computer can be defined as the following: If the FQDN is wkstn1.sales.wingtiptoys.com, the domain name is the
sales.wingtiptoys.com portion of this name.
DNS domain names have two variations: a DNS name and a NetBIOS name. The full computer name (a fully qualified DNS name) is used during querying and location of
named resources on your network. For earlier-version clients, the NetBIOS name is used to locate various types of NetBIOS services that are shared on your network.

The Net Logon service is an example of a service that shows the need for both NetBIOS and DNS names. In Windows Server 2003 DNS, the Net Logon service on a domain
controller registers its SRV resource records on a DNS server. For Windows NT Server 4.0 and earlier operating systems, domain controllers register a DomainName entry
in WINS to perform the same registration and to advertise their availability for providing authentication service to the network.
When a client computer is started on the network, it uses the DNS resolver to query a DNS server for SRV records for its configured domain name. This query is used to
locate domain controllers and provide logon authentication for accessing network resources. A client or a domain controller on the network optionally uses the NetBIOS
resolver service to query WINS servers, attempting to locate DomainName [1C] entries to complete the logon process.
Your DNS domain names should follow the same standards and recommended practices that apply to DNS computer naming described in the previous section. In general,
acceptable naming conventions for domain names include the use of letters A through Z, numerals 0 through 9, and the hyphen (-). The period (.) in a domain name is
always used to separate the discrete parts of a domain name, commonly known as labels. Each label corresponds to an additional level that is defined in the DNS
namespace tree.
For most computers, the primary DNS suffix that is configured for the computer can be the same as its Active Directory domain name, although the two values can also be
different.
Important
By default, the primary DNS suffix portion of a computer's FQDN must be the same as the name of the Active Directory domain where the computer is located. To allow
different primary DNS suffixes, a domain administrator may establish a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the
domain object container. This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory
Access Protocol (LDAP).

Configuring a DNS Servers List


For DNS clients to operate effectively, a prioritized list of DNS name servers must be configured for each computer to use when processing queries and resolving DNS
names. In most cases, the client computer contacts and uses its preferred DNS server, which is the first DNS server on its locally configured list. The client computer
contacts and uses listed alternate DNS servers when the preferred server is not available. For this reason, it is important that the preferred DNS server be appropriate for
continuous client use under normal conditions.
Note
For computers running Windows XP, the DNS server list is used by clients only to resolve DNS names. When clients send dynamic updates (for example, when they
change their DNS domain name or a configured Internet Protocol (IP) address), they might contact these servers or other DNS servers as needed to update their DNS
resource records.
By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network (VPN) connection. To modify this
configuration, you can modify the advanced TCP/IP settings of the particular network connection or you can modify the registry.
By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone that is named with a single-label name is considered a TLD zone,
for example, com, edu, blank, or my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones
policy setting or you can modify the registry.
When DNS clients are configured dynamically by a Dynamic Host Configuration Protocol (DHCP) server, it is possible to have a larger list of provided DNS servers. To
provide an IP address list of DNS servers to your DHCP clients, enable option code 6 on the configured options types that are provided by your DHCP server. For
Windows Server 2003 DHCP servers, you can configure a list of up to 25 DNS servers for each client with this option.
To effectively share the load when multiple DNS servers are provided in a DHCP options-specified list, you can configure a separate DHCP scope that rotates the listed
order of DNS and WINS servers that are provided to clients.

Configuring a DNS Suffix Search List


For DNS clients, you can configure a DNS domain suffix search list that extends or revises their DNS search capabilities. By adding additional suffixes to the list, you can
search for short, unqualified computer names in more than one specified DNS domain. Then, if a DNS query fails, the DNS Client service can use this list to append other
name suffix endings to your original name and to repeat DNS queries to the DNS server for these alternate FQDNs.
For computers and servers, the following default DNS search behavior is predetermined and used for completing and resolving short, unqualified names.
When the suffix search list is empty or unspecified, the primary DNS suffix of the computer is appended to short, unqualified names, and a DNS query is used to resolve
the resultant FQDN. If this query fails, the computer can try additional queries for alternate FQDNs by appending any connection-specific DNS suffix that is configured for
network connections.
If no connection-specific suffixes are configured or if queries for these resultant connection-specific FQDNs fail, the client can then begin to retry queries based on
systematic reduction of the primary suffix (also known as devolution).
For example, if the primary suffix is sales.wingtiptoys.com, the devolution process is able to retry queries for the short name by searching for it in the wingtiptoys.com and
com domains.
When the suffix search list is not empty and it has at least one DNS suffix specified, attempts to qualify and resolve short DNS names are limited to searching only those
FQDNs that are made possible by the specified suffix list. If none of the FQDNs that are formed by appending and trying each suffix in the list can be resolved, the query
process fails, producing a "Name not found" result.
Note
If the domain suffix list is used, clients continue to send additional alternate queries based on different DNS domain names when a query is not answered or resolved.
After a name is resolved using an entry in the suffix list, unused list entries are not tried. For this reason, it is most efficient to order the list with the most used domain
suffixes first.
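The suffix search and devolution sequence described above, worked as an added Python example (not from the documentation): candidate_fqdns builds the ordered list of FQDNs the client would query for a short name, and resolve runs that list against a constructed set of records. The devolution stop point is a parameter because the page describes it two ways: min_labels=2 stops at the second-level domain as the Append parent suffixes option describes, and min_labels=1 also tries the top-level domain as in the sales.wingtiptoys.com example.

```python
from typing import Dict, List, Optional, Sequence, Tuple


def candidate_fqdns(short_name: str, primary_suffix: str,
                    connection_suffixes: Sequence[str] = (),
                    search_list: Sequence[str] = (),
                    devolve: bool = True, min_labels: int = 2) -> List[str]:
    """Ordered list of FQDNs the DNS Client service queries for a short,
    unqualified name.

    With a non-empty search list only those suffixes are tried, in order.
    Otherwise the primary suffix is tried first, then each connection-specific
    suffix, then (if devolve is set) the parent suffixes of the primary suffix
    down to min_labels labels (2 stops at wingtiptoys.com, 1 also tries com).
    """
    if short_name.endswith("."):            # already fully qualified: nothing appended
        return [short_name.rstrip(".")]
    candidates: List[str] = []

    def add(suffix: str) -> None:
        suffix = suffix.strip(".")
        if suffix:
            fqdn = f"{short_name}.{suffix}"
            if fqdn not in candidates:      # a suffix listed twice is queried once
                candidates.append(fqdn)

    if search_list:
        for suffix in search_list:
            add(suffix)
        return candidates                   # a search list disables devolution
    add(primary_suffix)
    for suffix in connection_suffixes:
        add(suffix)
    if devolve:
        labels = primary_suffix.strip(".").split(".")
        while len(labels) > min_labels:
            labels = labels[1:]             # drop the leftmost label
            add(".".join(labels))
    return candidates


# Constructed zone data standing in for the answers a DNS server would give.
SAMPLE_RECORDS: Dict[str, str] = {
    "wkstn1.sales.wingtiptoys.com": "10.1.2.3",
    "srv1.wingtiptoys.com": "10.1.0.5",
}


def resolve(short_name: str, records: Dict[str, str],
            **suffix_settings) -> Tuple[Optional[Tuple[str, str]], List[str]]:
    """Simulate the client's query sequence against `records`. Returns
    ((fqdn, address) or None for "Name not found", [FQDNs queried in order]);
    querying stops at the first answer, so later suffixes are never tried."""
    tried: List[str] = []
    for fqdn in candidate_fqdns(short_name, **suffix_settings):
        tried.append(fqdn)
        address = records.get(fqdn.lower())
        if address is not None:
            return (fqdn, address), tried
    return None, tried


if __name__ == "__main__":
    print(resolve("srv1", SAMPLE_RECORDS, primary_suffix="sales.wingtiptoys.com"))
    print(resolve("srv1", SAMPLE_RECORDS, primary_suffix="sales.wingtiptoys.com",
                  search_list=["sales.wingtiptoys.com"]))
```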

Configuring Multiple Names


Computers running Windows XP and servers running Windows Server 2003 are given DNS names by default. Each computer can have its DNS names configured using one
of two possible methods:

A primary DNS domain name, which applies as the default, fully qualified, DNS name for the computer and all its configured network connections.
A connection-specific DNS domain name, which can be configured as an alternate DNS domain name that applies only for a single network adapter that is installed
and configured on the computer.

Although most computers do not need to support or use more than one name in DNS, support for configuring multiple, connection-specific DNS names is sometimes
useful. For example, by using multiple names, a user can specify which network connection to use when connecting to a multihomed computer.
To complete these tasks, perform the following procedure:
Configure DNS settings in Network Connections

Configure DNS settings in Network Connections


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to configure TCP/IP to use Domain Name System (DNS).
Administrative credentials
To complete this procedure, you must be a member of the Administrators group or the Network Configuration Operators group on the local computer.
To configure DNS settings in Network Connections
1. Open Network Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. On the General tab (for a local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.
5. If you want to configure DNS server addresses manually, click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server,
type the Internet Protocol (IP) addresses of the preferred DNS server and alternate DNS server.
6. To configure advanced DNS properties, click Advanced, click the DNS tab, and then do one or more of the following:
To configure an additional DNS server IP address:
a. Under DNS server addresses, in order of use, click Add.
b. In DNS server, type the IP address of the DNS server, and then click Add.
To resolve an unqualified name by appending the primary DNS suffix and the DNS suffix of each connection (if configured), click Append primary and
connection specific DNS suffixes. If you also want to search the parent suffixes of the primary DNS suffix up to the second-level domain, select the Append
parent suffixes of the primary DNS suffix check box.
To resolve an unqualified name by appending the suffixes from a list of configured suffixes, click Append these DNS suffixes (in order), and then click Add
to add suffixes to the list.
To use a DNS dynamic update to register the IP addresses of this connection and the primary domain name of the computer, select the Register this
connection's addresses in DNS check box. This option is enabled by default. The primary domain name of the computer is the primary DNS suffix appended
to the computer name, and it can be viewed as the full computer name on the Computer Name tab (which is available in System in Control Panel).
To use a DNS dynamic update to register the IP addresses and the connection-specific domain name of this connection, select the Use this connection's
DNS suffix in DNS registration check box. This option is disabled by default. The connection-specific domain name of this connection is the DNS suffix for
this connection appended to the computer name.
To completely disable DNS dynamic update for all names on the computer, clear the Register this connection's addresses in DNS and Use this
connection's DNS suffix in DNS registration check boxes for all connections in Network Connections.

Note
To open Network Connections, click Start, point to Control Panel, and then click Network Connections.


Managing the DNS Client Resolver Cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig command to troubleshoot Domain Name System (DNS) problems or to verify DNS settings. To complete this task for troubleshooting or
verification, perform the following procedures:

Preload the DNS client resolver cache
View a DNS client resolver cache
Flush and reset a client resolver cache


Preload the DNS client resolver cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Entries that you add with this procedure are always answered first from the local resolver cache. They are not sent to the Domain Name System (DNS) query when queries
are made locally to resolve these names to host address (A) resource records.
Every line in the Hosts file contains an Internet Protocol (IP) address, followed by one or more host names. For example, you can add a line, such as the following line, with
an IP address (10.0.0.1) that maps to more than one DNS host name:

10.0.0.1    host-a    host-a.example.microsoft.com    host-b.example2.microsoft.com

Likewise, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines. For example, you can add
lines for the following multihomed or multiaddressable DNS host computer:

10.0.0.1    host-a.example.microsoft.com
10.0.0.2    host-a.example.microsoft.com
10.0.0.3    host-a.example.microsoft.com

When multiple names or IP addresses are used in the Hosts file, the DNS Client service must be running for all entries to be returned or used in answering queries. If the
DNS Client service is not running, only the first entry in the file is used to resolve the query.
To preload the DNS client resolver cache
1. At a command prompt, type the following command, and then press ENTER:
notepad %systemroot%\system32\drivers\etc\hosts
2. Using the default entry in the file (a mapping for the local host to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate
lines to be preloaded into the resolver cache of the client. For example, you might add:
10.0.0.1 host-a host-a.example.microsoft.com
3. On the File menu, click Save, and then Exit.
4. As an option, you can verify that your changes have been updated in the resolver cache by viewing its contents.
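The Hosts-file behaviour described above, as an added Python example (not the documentation's own code): a parser for the file format, a lookup that reproduces the difference between the DNS Client service running and stopped, and a review check that lists every non-loopback mapping, since those entries are answered before any DNS server is queried. The sample file text is constructed from the mappings in the text.

```python
from typing import List, Sequence, Tuple

# Constructed Hosts-file text (not copied from any system), using the page's mappings.
SAMPLE_HOSTS = """\
# constructed sample; '#' starts a comment
127.0.0.1       localhost
10.0.0.1        host-a host-a.example.microsoft.com host-b.example2.microsoft.com
10.0.0.1        host-a.example.microsoft.com
10.0.0.2        host-a.example.microsoft.com   # second address of the multihomed host
10.0.0.3        host-a.example.microsoft.com
"""

HostsEntry = Tuple[str, List[str]]   # (IP address, host names on that line)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse Hosts-file text into one (address, [names]) entry per line, in
    file order. Comments and blank lines are skipped; names are lower-cased
    and stripped of a trailing dot because DNS names are not case-sensitive."""
    entries: List[HostsEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:               # blank, comment-only, or an address with no name
            continue
        entries.append((fields[0], [n.lower().rstrip(".") for n in fields[1:]]))
    return entries


def lookup(name: str, entries: Sequence[HostsEntry],
           dns_client_running: bool = True) -> List[str]:
    """Addresses the resolver cache answers for `name` from the preloaded
    entries. With the DNS Client service running every matching line is
    returned; if the service is stopped, only the first matching line is used."""
    name = name.lower().rstrip(".")
    addresses: List[str] = []
    for address, names in entries:
        if name in names:
            if address not in addresses:
                addresses.append(address)
            if not dns_client_running:
                break
    return addresses


def non_loopback_mappings(entries: Sequence[HostsEntry],
                          loopback: Sequence[str] = ("127.0.0.1", "::1")
                          ) -> List[Tuple[str, str]]:
    """Review check: every (name, address) pair that is not a loopback entry.
    Anything listed here is answered from the cache before a DNS server is
    ever asked, so unexpected pairs deserve a look."""
    return [(n, a) for a, names in entries if a not in loopback for n in names]


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(lookup("host-a.example.microsoft.com", entries))
    print(lookup("host-a.example.microsoft.com", entries, dns_client_running=False))
    print(non_loopback_mappings(entries))
```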


View a DNS client resolver cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig /displaydns command to view the contents of the Domain Name System (DNS) client resolver cache, which includes entries that are preloaded
from the local Hosts file, as well as any recently obtained resource records for name queries that were resolved by the system. This information is used by the DNS Client
service to quickly resolve frequently queried names before it queries its configured DNS servers.
When you use the ipconfig /displaydns command to display current resolver cache contents, the resultant output generally includes the local host and loopback Internet
Protocol (IP) address (127.0.0.1) mappings. This is because these mappings typically exist in the default (unmodified) contents of the local Hosts file.
To view a DNS client resolver cache
At a command prompt, type the following command, and then press ENTER:
ipconfig /displaydns


Flush and reset a client resolver cache


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig /flushdns command to flush and reset the contents of the Domain Name System (DNS) client resolver cache. During DNS troubleshooting, if
necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries.
Resetting the cache does not eliminate entries that are preloaded from the local Hosts file. To eliminate those entries from the cache, remove them from this file.
To flush and reset a client resolver cache
At a command prompt, type the following command, and then press ENTER:
ipconfig /flushdns


Renewing DNS Client Registration


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the ipconfig /registerdns command to initiate dynamic registration manually for the Domain Name System (DNS) names and Internet Protocol (IP) addresses
that are configured at a computer. This option can assist in troubleshooting a failed DNS name registration or in resolving a dynamic update problem between a client and
the DNS server without restarting the client.
By default, the ipconfig /registerdns command refreshes all Dynamic Host Configuration Protocol (DHCP) address leases and registers all related DNS names that are
configured and used by the client computer.
To renew DNS client registration
At a command prompt, type the following command, and then press ENTER:
ipconfig /registerdns


Managing Domain Name System Zones


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks for managing Domain Name System (DNS) zones are described in this objective:
Adding and Removing a Zone
Start or pause a zone
Start a zone transfer at a secondary server
Modifying Zone Properties
Configuring Dynamic Updates
Delegating a Zone
Using Stub Zones for DNS Operations
Using WINS Lookup in DNS Zones

Adding and Removing a Zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A zone starts as a storage database for a single Domain Name System (DNS) domain name. If other domains are added below the domain that is used to create the zone,
these domains can either be part of the same zone or belong to another zone. After a subdomain is added, it can then either be:

Managed and included as part of the original zone records.
Delegated away to another zone that is created to support the subdomain.

You can use this task after you determine that you need to add or remove a DNS zone from your environment. For more information about planning DNS zones, see
Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirement:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Delete a DNS zone
Add a new zone

See Also
Other Resources
Deploying Domain Name System (DNS)

Delete a DNS zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Although it can also be used to delete a primary zone, the following procedure is most often used to delete a secondary copy of a zone. You can perform this procedure
by using the DNS snap-in or by using the Dnscmd command-line tool.
Deleting a standard primary zone is usually unnecessary, unless you are redesigning your Domain Name System (DNS) namespace and the zone is no longer needed or
used. In most cases, you can change the zone type if you only want to modify the zone.

Caution
Deleting an Active Directory-integrated zone effectively deletes the zone and eliminates its use at all other DNS servers that use the same directory store of zone data.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Deleting a DNS zone

To delete a DNS zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Delete.
4. When you are asked to confirm that you want to delete the zone, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a DNS zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]

ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneDelete
    Required. Specifies the command to delete the zone that is specified by ZoneName.

ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone that you are deleting.

/DsDel
    Deletes the zone from Active Directory.

/f
    Performs the command without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.


Add a new zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to create a new primary, secondary, stub, or reverse lookup zone. You can perform this procedure by using the DNS snap-in or by using the
Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a new zone

To add a new zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click a DNS server, and then click New Zone to start the New Zone Wizard.
3. Follow the instructions in the wizard to create a new primary, secondary, stub, or reverse lookup zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a new zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

ServerName
    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneAdd
    Required. Adds a zone.

ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the in-addr.arpa domain for the zone, for example, 20.1.168.192.in-addr.arpa.

/Primary|/DsPrimary
    Required. Specifies the type of zone. To specify an Active Directory-integrated zone, type /DsPrimary.

/file
    Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.

FileName
    Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.

/load
    Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.

/a
    Adds an administrator e-mail address for the zone.

AdminEmail
    Specifies the administrator e-mail name for the zone.

/DP
    Adds the zone to an application directory partition. You may also use one of the following:
    /DP /domain for a domain directory partition (replicates to all DNS servers in the domain).
    /DP /forest for a forest directory partition (replicates to all DNS servers in the forest).
    /DP /legacy for a legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.

FQDN
    Specifies the FQDN of the directory partition.


Start or pause a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to start or pause a zone. By default, zones are started when they are created or loaded at the server. Only zones that have previously been
paused need to be restarted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Starting or pausing a zone



To start or pause a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, click Start or Pause, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start or pause a zone using the command line
1. Open a command prompt. To start a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResume ZoneName
2. To pause a zone, type the following command, and then press ENTER:
dnscmd ServerName /ZonePause ZoneName

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the
DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneResume

Required. Resumes the hosting of the zone by the DNS server.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone that is being resumed.


Start a zone transfer at a secondary server


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This procedure checks to see if the start of authority (SOA) resource record in the secondary zone is the most recent version of the SOA resource record in the primary
zone. If the SOA resource records are synchronized, there is no zone transfer. If the SOA resource records are not synchronized, there is a zone transfer.
By default, the Domain Name System (DNS) server only allows a zone transfer to authoritative DNS servers that are listed in the name server (NS) resource records for the
zone.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Starting a zone transfer at a secondary server



To start a zone transfer at a secondary server using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Transfer from master.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To start a zone transfer at a secondary server using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneRefresh ZoneName

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.)

/ZoneRefresh

Required. Updates the secondary zone.

ZoneName

Required. Specifies the name of the secondary zone to update.


Modifying Zone Properties


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You might decide to modify certain Domain Name System (DNS) zone properties based on a design or performance evaluation of your network. These settings affect zone
transfers and zone types. For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

1. Change the DNS zone type
2. Change a DNS zone file name
3. Change the zone replication scope
4. Modify the SOA record for a zone
5. Modify DNS zone transfer settings
6. Specify DNS servers as authoritative for a zone
7. Change the master server for a secondary zone
8. Create a notify list for a zone
9. Adjust the refresh, retry, or expire intervals for a zone

See Also
Other Resources
Deploying Domain Name System (DNS)

Change the DNS zone type


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change the Domain Name System (DNS) zone type. You can select a primary, secondary, or stub zone. When you select the
secondary or stub zone type, you must specify the Internet Protocol (IP) address of another DNS server to be used as the source for obtaining updated information for the
zone.
If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-Integrated is available. When you select this zone
type, zone data is stored and replicated as part of the Active Directory database.
Changing a zone from secondary to primary can affect other zone activities, including the management of dynamic updates and zone transfers and the use of DNS notify
lists to notify other servers about changes in the zone. Changing a zone from stub to primary (or the reverse) is not recommended because of the purpose of stub zones.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Changing the zone type



To change the zone type using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone type, and then click Change.
4. In the Change Zone Type dialog box, click a zone type other than the current one, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change the zone type using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN}

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol
(IP) address of the DNS server. To specify the DNS server on the local computer, you can also
type a period (.)

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

Property

Required. One of the following zone types:

/Primary
Standard primary zone. FileName is required.
/DsPrimary
Active Directory-integrated primary zone.
/Secondary
Secondary zone. You must specify at least one MasterIPaddress...
/Stub
Stub zone. You must specify at least one MasterIPaddress...
/DsStub
Active Directory-integrated stub zone. You must specify at least one MasterIPaddress...

MasterIPaddress...

Required for /Secondary, /Stub and /DsStub. Specifies one or more IP addresses for the master
servers of the secondary or stub zone, from which it copies zone data.

/file

Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the
/DsPrimary zone type.

FileName

Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the
/DsPrimary zone type.

/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN

/OverWrite_Mem overwrites existing DNS data using the data in Active Directory.
/OverWrite_Ds overwrites Active Directory data with data in DNS.
/DirectoryPartition stores the new zone in the application directory partition that is specified by
FQDN, such as DomainDnsZones.corp.sales.wingtiptoys.com.

See Also
Other Resources
Deploying Domain Name System (DNS)

Change a DNS zone file name


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you use the following procedure, the name of the zone file changes, not the name of the zone. You can use Windows Explorer to view or verify the new zone file
name.
The zone file name is not used for Active Directory-integrated zones because these zones store zone data in the Active Directory database, not a text file on the DNS
server computer.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change a zone file name
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, in the Zone file name text box, type the new file name for this zone, and then click OK.

Caution

If the zone file name is changed, be sure to update the zone file name on other DNS servers that maintain this zone. Otherwise, subsequent zone transfers and
updates might fail. This can occur in the following situations:
The zone type is primary on this server.
The zone type is secondary on this server, and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of
this zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Change the zone replication scope


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change the replication scope for a zone. Only Active Directory-integrated primary and stub forward lookup zones can change their
replication scope. Secondary forward lookup zones cannot change their replication scope.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Changing zone replication scope



To change zone replication scope using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone replication type, and then click Change.
4. Select a replication scope for the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To change zone replication scope using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol
(IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/ZoneChangeDirectoryPartition

Required. Changes a zone's replication scope.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NewPartitionName

Required. The FQDN of the DNS application directory partition where the zone will be stored.


Modify the SOA record for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to change settings for the start of authority (SOA) resource record for a zone. The settings that are applied for the SOA record affect how zone
transfers are made between servers.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying the SOA record for a zone



To modify the SOA record for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. Modify the properties for the SOA record as needed.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify the SOA record for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.)

/RecordAdd

Required. Adds or modifies a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to
the ZoneName, or you can type @, which specifies the zone's root node.

/Aging

Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS
database unless it is manually updated or removed.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in SOA resource record.

SOA

Required. Specifies the type of resource record that you are modifying.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.

PrimSvr

Required. Specifies the FQDN name of the server that is the primary source for information about the zone, for example,
nameserver.place.sales.wingtiptoys.com..

Admin

Required. Specifies the name of the DNS administrator for the zone, for example, postmaster.nameserver.place.sales.wingtiptoys.com..

Serial#

Required. Specifies the version information for the zone.

Refresh

Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).

Retry

Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).

Expire

Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).

MinTTL

Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache
information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).

Note
To modify any specific SOA record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).


Modify DNS zone transfer settings


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change Domain Name System (DNS) zone transfer settings. To improve the security of your DNS infrastructure, zone transfers
should be allowed only for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to
perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying DNS zone transfer settings



To modify DNS zone transfer settings using the Windows interface


1. Open the DNS snap-in.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box.
To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server.
To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the Internet Protocol (IP) address of one or more
DNS servers.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify DNS zone transfer settings using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr|/NonSecure|/SecureNs|/SecureList [SecondaryIPAddress...]}

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

/NoXfr

Disables zone transfers for the zone.

/NonSecure

Permits zone transfers to any DNS server.

/SecureNs

Permits zone transfers only to DNS servers that are listed in the zone using NS resource records.

/SecureList

Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.

SecondaryIPAddress

Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.
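The following PowerShell script is an added example (not part of the original page or of dnscmd itself) that audits every primary zone on a server for the transfer setting described above and, with -Fix, applies the documented /ZoneResetSecondaries ZoneName /SecureNs command to zones that allow transfers to any server. It assumes dnscmd.exe is on the path and that "dnscmd /ZoneInfo" reports the setting as a "secure secs = N" line with 0 = any server, 1 = NS servers only, 2 = listed servers only, 3 = disabled.

```powershell
<#
  Added example, not part of the original TechNet page or of dnscmd itself.
  Audits every primary zone on a DNS server for its zone transfer setting and,
  when -Fix is given, restricts open zones to the servers in the zone's NS
  records, i.e. the same change as
      dnscmd ServerName /ZoneResetSecondaries ZoneName /SecureNs
  Assumptions: dnscmd.exe is on the path, the caller has DNS administrative
  rights, and "dnscmd /ZoneInfo" prints a "secure secs = N" line, where
  0 = any server, 1 = NS servers only, 2 = listed servers only,
  3 = transfers disabled (this mapping is an assumption of the example).
  Usage:  .\Audit-ZoneTransfers.ps1 -ServerName dns1.corp.example -Fix
#>
param(
    [string]$ServerName = ".",   # "." = the local DNS server, as in the dnscmd syntax
    [switch]$Fix                 # when present, apply /SecureNs to open zones
)

$settingText = @{
    0 = "any server (/NonSecure)"
    1 = "servers in the NS records only (/SecureNs)"
    2 = "listed servers only (/SecureList)"
    3 = "disabled (/NoXfr)"
}

function Get-PrimaryZoneName([string]$Server) {
    # "/EnumZones /Primary" lists standard and AD-integrated primary zones.
    # Each zone line looks like: " contoso.com   Primary   AD-Domain   Secure"
    $output = & dnscmd $Server /EnumZones /Primary 2>&1
    foreach ($line in $output) {
        if ("$line" -match '^\s*(\S+)\s+Primary\s') {
            $matches[1]
        }
    }
}

function Get-ZoneTransferSetting([string]$Server, [string]$Zone) {
    $output = & dnscmd $Server /ZoneInfo $Zone 2>&1
    foreach ($line in $output) {
        if ("$line" -match 'secure secs\s*=\s*(\d+)') {
            return [int]$matches[1]
        }
    }
    return $null    # property not found: report as unknown rather than guess
}

$openZones = @()
foreach ($zone in (Get-PrimaryZoneName $ServerName)) {
    $setting = Get-ZoneTransferSetting $ServerName $zone
    if ($null -eq $setting) {
        Write-Warning "$zone : could not read the zone transfer setting"
        continue
    }
    if ($setting -eq 0) {
        # Transfers to any host hand the whole zone (every internal name and
        # address) to anyone who can reach this server.
        Write-Warning "$zone : zone transfers allowed to $($settingText[$setting])"
        $openZones += $zone
        if ($Fix) {
            & dnscmd $ServerName /ZoneResetSecondaries $zone /SecureNs | Out-Null
            Write-Host "$zone : now restricted to servers in the NS records"
        }
    }
    else {
        Write-Host "$zone : zone transfers $($settingText[$setting])"
    }
}

# Non-zero exit code while open zones remain, so the script can run as a scheduled check.
if ($openZones.Count -gt 0 -and -not $Fix) { exit 1 }
```

Run it without -Fix first to see which zones would be changed; zones that legitimately transfer to servers outside their NS records need /SecureList with those addresses instead.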


Specify DNS servers as authoritative for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) servers that you specify with the following procedure are added to those server Internet Protocol (IP) addresses that are already present for
the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when you add DNS servers to act
as secondary servers and also to specify that these servers are known to be authoritative when they answer queries for zone data.
DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone that is added to the server.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Specifying DNS servers as authoritative for a zone



To specify DNS servers as authoritative for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.

Note
To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When you enter a name, click
Resolve to resolve the name to its IP address before adding it to the list.
To specify DNS servers as authoritative for a zone using the command line
1. At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|DomainName}

Value

Description

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.)

/RecordAdd

Required. Specifies the command to add a resource record.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone.

NodeName

Required. Specifies the FQDN of the node in the DNS namespace for which the record is added. You can also type the node
name relative to the ZoneName or @, which specifies the zone's root node.

/Aging

If this parameter is used, this resource record is able to be aged and scavenged. If this parameter is not used, the resource record
remains in the DNS database unless it is updated or removed manually.

/OpenAcl

Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new
record.

Ttl

Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the start-of-authority (SOA) resource
record).

NS

Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.

HostName|DomainName

Required. Specifies the host name or FQDN of the new authoritative server.


Change the master server for a secondary zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to specify a new master server for a secondary zone. You can perform this procedure by using the DNS snap-in or by using the
Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Changing the master server for a secondary zone



To change the master server for a secondary zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable secondary zone, and then click Properties.
3. On the General tab, in IP address, specify the Internet Protocol (IP) address for a new master server, and then click Add to update the list.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To change the master server for a secondary zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...

Value

Description

ServerName

Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.)

/ZoneResetMasters

Required. Updates the master servers for a secondary zone.

ZoneName

Required. Specifies the fully qualified domain name (FQDN) of the zone that you are updating.

/Local

Specifies the local master list for Active Directory-integrated zones.

MasterIPaddress...

Required. Specifies the IP addresses of the master servers to be used by the DNS server when updating the specified secondary zones. If
you do not specify MasterIPaddress..., you are requesting the DNS server to reset the value to an empty list. The request may be denied because a
zone must always have at least one master server. MasterIPaddress... is required to clear the local master list for a zone.


Create a notify list for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to create or change a notify list for a zone. Changes to the notify list properties are available only on primary zones. For secondary
zones, these properties are read only.
By default, the DNS server allows a zone transfer only to authoritative DNS servers that are listed in the name server (NS) resource records for the zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To create or change a notify list for a zone
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. Click the Zone Transfers tab.
5. Click Notify.
6. Verify that the Automatically notify check box is selected.
7. Select the method to be used for creating a list for notifying other DNS servers when changes to the zone occur. Your options are as follows:
Use the default, Servers listed on the Name Servers tab, to permit only those servers that appear by Internet Protocol (IP) address on the Name Servers tab
to be included in the notify list.
Select The following servers if you want to specify a different notify list to be used instead.
8. If you selected The following servers in the previous step, add or remove server IP addresses to form the notify list as needed:
To add a server to the notify list, type its IP address in the IP address box, and then click Add.
To remove a server from the notify list, click the server IP address in the list box, and then click Remove.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.


Adjust the refresh, retry, or expire intervals for a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change the following intervals for a Domain Name System (DNS) zone:

Refresh interval. Used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.
Retry interval. Used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time that the refresh
interval occurs.
Expire interval. Used by other DNS servers that are configured to load and host the zone to determine when zone data expires if it is not renewed.

The default values for each interval are as follows:

Refresh interval: 15 minutes.
Retry interval: 10 minutes.
Expire interval: one day.

You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adjusting the refresh, retry, or expire interval for a zone



To adjust the refresh, retry, or expire interval for a zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-Integrated.
4. Click the Start of Authority (SOA) tab.
5. In Refresh interval, Retry interval, or Expires after, click a time period in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To adjust the refresh, retry, or expire interval for a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value        Description
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd   Required. Adds or modifies a resource record.
ZoneName     Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName     Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName, or you can type @, which specifies the zone's root node.
/Aging       Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is updated or removed manually.
/OpenAcl     Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl          Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.
SOA          Required. Specifies the type of resource record that you are modifying.
PrimSvr      Required. Specifies the FQDN of the server that is the primary source for information about the zone, for example, nameserver.place.sales.wingtiptoys.com.
Admin        Required. Specifies the mailbox of the DNS administrator for the zone, written as a domain name with a period in place of the @ sign, for example, postmaster.nameserver.place.sales.wingtiptoys.com.
Serial#      Required. Specifies the version information for the zone. Secondary servers compare this value with the serial number they already hold to decide whether a zone transfer is needed.
Refresh      Required. Specifies the refresh interval for the zone. The standard setting is 3600 seconds (one hour).
Retry        Required. Specifies the retry interval for the zone. The standard setting is 600 seconds (10 minutes).
Expire       Required. Specifies the expire interval for the zone. The standard setting is 86400 seconds (one day).
MinTTL       Required. Specifies the minimum TTL value. This is the length of time that is used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 seconds (one hour).

Note
To modify any specific SOA resource record's values using Dnscmd, you must specify all the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL); the command rewrites the whole record.
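
The refresh, retry and expire values interact: a secondary server polls the primary every Refresh seconds, falls back to the Retry interval when a poll fails, and stops answering for the zone Expire seconds after its last successful refresh, so a bad combination silently takes the zone offline on secondaries. The following Python is an added example and not code from this guide: it checks those relationships, reports how long a secondary keeps serving the zone after the primary becomes unreachable, and assembles the complete dnscmd SOA argument list, since every field has to be supplied. The zone and host names are the guide's wingtiptoys.com examples; the serial number and the one-week expire threshold (taken from RFC 1912) are assumptions.

```python
"""SOA timer sanity checks and the complete dnscmd SOA argument list.

Added example; not code from the original guide. Names are the guide's
wingtiptoys.com examples or constructed for illustration.
"""
from dataclasses import dataclass

MAX_U32 = 0xFFFFFFFF


@dataclass(frozen=True)
class SoaTimers:
    refresh: int   # how often a secondary checks the primary's serial number
    retry: int     # how long a secondary waits after a failed refresh
    expire: int    # how long a secondary keeps answering after its last good refresh
    min_ttl: int   # default / negative-caching TTL for the zone


def check_soa_timers(t: SoaTimers):
    """Return (errors, warnings). Errors break the refresh/retry/expire cycle;
    warnings are RFC 1912 recommendations (assumed thresholds) that the
    guide's standard settings do not meet."""
    errors, warnings = [], []
    for name, value in vars(t).items():
        if not 0 < value <= MAX_U32:
            errors.append(f"{name} must be a positive 32-bit value, got {value}")
    if errors:
        return errors, warnings
    if t.retry >= t.refresh:
        errors.append("retry must be shorter than refresh")
    if t.expire <= t.refresh + t.retry:
        # a secondary that misses one refresh must get at least one retry before it expires
        errors.append("expire must exceed refresh + retry")
    if t.expire < 7 * 86400:
        warnings.append("expire below one week: a short primary outage takes the zone offline on secondaries")
    if t.min_ttl > 86400:
        warnings.append("minimum TTL above one day delays propagation of record changes")
    return errors, warnings


def outage_tolerance(t: SoaTimers):
    """(shortest, longest) number of seconds a secondary keeps serving the zone
    after the primary disappears. Expire counts from the last successful
    refresh, so the worst case is one refresh interval less than expire."""
    return t.expire - t.refresh, t.expire


def build_soa_args(server, zone, node, primsvr, admin, serial, t: SoaTimers,
                   ttl=None, aging=False):
    """Argument list for dnscmd /RecordAdd ... SOA. All seven SOA fields are
    mandatory because dnscmd rewrites the whole record."""
    errors, _ = check_soa_timers(t)
    if errors:
        raise ValueError("; ".join(errors))
    if not 0 <= serial <= MAX_U32:
        raise ValueError("serial must fit in 32 bits")
    if "@" in admin:
        # the SOA RNAME is a mailbox written as a domain name: postmaster@x becomes postmaster.x
        raise ValueError("write the administrator mailbox with a period in place of @")
    args = ["dnscmd", server, "/RecordAdd", zone, node]
    if aging:
        args.append("/Aging")
    if ttl is not None:
        args.append(str(ttl))
    args += ["SOA", primsvr, admin, str(serial),
             str(t.refresh), str(t.retry), str(t.expire), str(t.min_ttl)]
    return args


if __name__ == "__main__":
    timers = SoaTimers(refresh=3600, retry=600, expire=86400, min_ttl=3600)
    print(check_soa_timers(timers))
    print(outage_tolerance(timers))
    print(" ".join(build_soa_args(".", "sales.wingtiptoys.com", "@",
                                  "nameserver.place.sales.wingtiptoys.com.",
                                  "postmaster.nameserver.place.sales.wingtiptoys.com.",
                                  2024010101, timers)))   # serial is an assumed value
```

Run it on the guide's standard settings and it passes the hard checks but warns that a one-day expire leaves little margin: after a primary failure a secondary answers for at most 86400 seconds and, if the failure happens just before a scheduled refresh, for only 82800.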

2014 Microsoft. All rights reserved.

Configuring Dynamic Updates


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Dynamic update enables Domain Name System (DNS) client computers to register and dynamically update their resource records with a DNS server whenever changes
occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host
Configuration Protocol (DHCP) to obtain an Internet Protocol (IP) address.
The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load either a standard primary or
directory-integrated zone. By default, the DNS Client service dynamically updates host address (A) resource records in DNS when it is configured for TCP/IP.
Secure dynamic update is available only for zones that are integrated into Active Directory. After you directory-integrate a zone, access control list (ACL) editing features
are available in the DNS snap-in. You can use these features to add or remove users or groups from the ACL for a specified zone or resource record.
For more information about planning DNS zones and dynamic updates, see Deploying Domain Name System (DNS) on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=45677).
You can use this task to enable or disable dynamic updates or to allow only secure dynamic updates.
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Enable dynamic updates
Enable secure dynamic updates

See Also
Other Resources
Deploying Domain Name System (DNS)

Enable dynamic updates


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to enable dynamic updates for a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Enabling dynamic updates


To enable dynamic updates using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone Type is either Primary or Active Directory-Integrated.
4. In Dynamic updates, click Nonsecure and secure.
This setting accepts updates from any host that can reach the server, so any client can add or overwrite records in the zone. For an Active Directory-integrated zone, use Secure only instead (see Enable secure dynamic updates).

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}

Value                Description
ServerName           Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName|..AllZones  Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server at once, type ..AllZones.
1|0                  Configures dynamic update. To allow dynamic updates, type 1. To disallow dynamic updates, type 0.


Enable secure dynamic updates


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory-integrated zones. If the zone
type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Enabling secure dynamic updates


To enable secure dynamic updates using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is Active Directory-Integrated.
4. In Dynamic updates, click Secure only.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable secure dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2

Value                Description
ServerName           Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName|..AllZones  Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server at once, type ..AllZones.
2                    Required. Configures the zone to allow secure dynamic updates only. If you omit the 2, the zone is set to perform standard dynamic updates only. Secure dynamic update is supported only for Active Directory-integrated zones, so directory-integrate a file-backed primary zone before applying this setting.
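
The two procedures above set one value per zone, but on a server with many zones the question a reviewer asks is which zones still accept nonsecure updates and what to run against each. The following Python is an added example, not code from this guide. SAMPLE_ENUMZONES is constructed text patterned on the column layout of dnscmd ServerName /EnumZones (zone name, type, storage, properties); that layout, and reading "Secure" in the Properties column as /AllowUpdate 2 and "Update" as /AllowUpdate 1, are assumptions to confirm against your own server's output before relying on the parser.

```python
"""Audit which zones on a Windows DNS server accept nonsecure dynamic updates.

Added example; not code from the original guide. SAMPLE_ENUMZONES is
constructed, patterned on the column layout of `dnscmd ServerName /EnumZones`
(assumption). Zone names are the guide's wingtiptoys.com examples.
"""
from dataclasses import dataclass

ALLOW_UPDATE = {0: "none", 1: "nonsecure and secure", 2: "secure only"}

SAMPLE_ENUMZONES = """\
Enumerated zone list:
        Zone count = 5

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 _msdcs.wingtiptoys.com         Primary    AD-Forest       Secure
 wingtiptoys.com                Primary    AD-Domain       Secure Aging
 sales.wingtiptoys.com          Primary    File            Update Aging
 research.wingtiptoys.com       Primary    AD-Domain       Update

Command completed successfully.
"""


@dataclass(frozen=True)
class Zone:
    name: str
    ztype: str          # Primary, Secondary, Stub, Cache
    storage: str        # File, AD-Domain, AD-Forest, AD-Legacy
    props: frozenset    # remaining tokens of the Properties column

    @property
    def allow_update(self) -> int:
        # Assumption: "Secure" means /AllowUpdate 2, "Update" means 1, neither means 0.
        if "Secure" in self.props:
            return 2
        if "Update" in self.props:
            return 1
        return 0

    @property
    def ad_integrated(self) -> bool:
        return self.storage.startswith("AD-")


def parse_enum_zones(text: str):
    """Turn the /EnumZones listing into Zone objects; rows start after the header."""
    zones, in_table = [], False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["Zone", "name"]:
            in_table = True
            continue
        if not in_table or tokens[0] == "Command" or len(tokens) < 2:
            continue
        storage = tokens[2] if len(tokens) > 2 else ""
        zones.append(Zone(tokens[0], tokens[1], storage, frozenset(tokens[3:])))
    return zones


def audit_dynamic_updates(zones, server="."):
    """Return (zone, current setting, dnscmd fix) for every primary zone that
    accepts nonsecure updates. Any host that can reach the server can add or
    overwrite records in such a zone. The fix is /AllowUpdate 2 where the zone
    is Active Directory-integrated (secure update needs AD) and /AllowUpdate 0
    for a file-backed primary, which cannot do secure-only updates."""
    findings = []
    for z in zones:
        if z.ztype != "Primary" or z.allow_update != 1:
            continue   # secondaries, stubs and the cache zone never take updates
        value = 2 if z.ad_integrated else 0
        fix = f"dnscmd {server} /Config {z.name} /AllowUpdate {value}"
        findings.append((z.name, ALLOW_UPDATE[z.allow_update], fix))
    return findings


if __name__ == "__main__":
    for name, setting, fix in audit_dynamic_updates(parse_enum_zones(SAMPLE_ENUMZONES)):
        print(f"{name}: {setting} -> {fix}")
```

On the constructed listing the audit flags sales.wingtiptoys.com (file-backed, so the only safe value is 0) and research.wingtiptoys.com (directory-integrated, so it can move to Secure only); the two zones already set to Secure and the cache zone are left alone.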


Delegating a Zone
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS
servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:

You want to delegate management of part of your DNS namespace to another location or department in your organization.
You want to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improving DNS name resolution performance, or creating
a more fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.

If, for any of these reasons, your network can benefit from delegating zones, it may make sense to restructure your namespace by adding additional zones. When choosing
how to structure zones, use a plan that reflects the structure of your organization.
When you delegate zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the
authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers
that are being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file that contains all resource record information on a single DNS server. This server acts as the primary
master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.
When you structure your zones, there are several good reasons to use additional DNS servers for zone replication:

Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network
(WAN) link can be useful in managing and reducing network traffic.
Additional secondary servers can be used to reduce loads on a primary server for a zone.

For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.
Install Nslookup.

To complete this task, perform one of the following procedures:

Create a new zone delegation
Verify a zone delegation

See Also
Other Resources
Deploying Domain Name System (DNS)

Create a new zone delegation


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to create a new zone delegation. All domains (or subdomains) that appear as part of the applicable zone delegation must be created
in the current zone before you perform delegation as described in this procedure. As necessary, use the DNS snap-in to first add domains to the zone before you perform
this procedure. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Creating a new zone delegation


To create a new zone delegation using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions in the New Delegation Wizard to finish creating the new delegated domain.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To create a new zone delegation using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

Value          Description
ServerName     Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the parent zone in which the delegation is created.
NodeName       Required. Specifies the FQDN of the delegated subdomain for which the name server (NS) record is added. You can also type the node name relative to the ZoneName.
/Aging         If this parameter is specified, this resource record can be aged and scavenged. If it is not specified, the resource record remains in the DNS database unless it is updated or removed manually.
/OpenAcl       Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl            Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
NS             Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
HostName|FQDN  Required. Specifies the host name or FQDN of the new authoritative server. If that server's name lies inside the delegated subdomain, also add a host address (A) resource record for it in the parent zone (a glue record); without it, other servers cannot reach the delegated server and the delegation is broken.


Verify a zone delegation


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
You do not need administrative credentials to perform this task. Therefore, as a security best practice, consider performing this task as a user without administrative
credentials.
To verify a zone delegation
1. At a command prompt, type the following command, and then press ENTER:
nslookup
2. At the nslookup prompt (>), type the following command, and then press ENTER:
server RootServerIpAddress
3. At the next prompt, type the following command, and then press ENTER:
set norecurse
4. At the next prompt, type the following command, and then press ENTER:
set q=NS
5. Type the fully qualified domain name (FQDN) for the failed name.
Use the trailing period (.) when you type the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers is
returned in the response.
6. If the NS query response contains no names or Internet Protocol (IP) addresses for delegated servers, leave the query type set to NS and query again using the FQDN of the
parent zone of the failed name.
For example, if the failed name that you used in the previous step was sales.wingtiptoys.com, query for wingtiptoys.com.
7. If the response contains NS resource records but no host address (A) resource records, type set recurse, and then query individually for the A resource
records of each server that is listed in the NS resource records.
If, for any NS resource record that you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
8. Either fix the broken delegation, or repeat the test from step 5 against one of the delegated servers: type server followed by an IP address returned in the previous
step, and query for the NS records of the delegated zone. If more than one A resource record or IP address was returned, repeat the test for each of them. To fix a
delegation, add or update an A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

Value                Description
RootServerIpAddress  The IP address of a valid root server for your network.
server               Directs the queries that follow to the specified server instead of the client's default DNS server.
set norecurse        Instructs the root server to not perform recursion on your query, so that the answer shows only the delegation data that the server itself holds.
set q=NS             Sends the query for NS resource records to the root server.
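
The rule the procedure applies is mechanical: every name server that the parent delegates to needs at least one A record, either as glue in the parent zone or in the child zone, or the delegation is broken. The following Python is an added example (not code from this guide) that applies that rule to two constructed zone snapshots and, going beyond the procedure, also compares the parent's NS set with the child's own, which catches a delegation that points at a server that is not actually authoritative. The record data and the 192.0.2.0/24 addresses are constructed; the non-interactive nslookup command it builds is the equivalent of steps 1 to 5 above.

```python
"""Apply the zone-delegation check from the procedure above to zone snapshots.

Added example; not code from the original guide. PARENT and CHILD are
constructed: the parent delegates sales.wingtiptoys.com to two servers but
carries glue for only one of them.
"""

# Records keyed by (owner name, type). Names are absolute (trailing period),
# as the procedure requires; addresses are from the 192.0.2.0/24 documentation range.
PARENT = {  # wingtiptoys.com, as held by the parent's server (constructed)
    ("sales.wingtiptoys.com.", "NS"): ["ns1.sales.wingtiptoys.com.", "ns2.sales.wingtiptoys.com."],
    ("ns1.sales.wingtiptoys.com.", "A"): ["192.0.2.10"],
}
CHILD = {  # sales.wingtiptoys.com, as served by its own name server (constructed)
    ("sales.wingtiptoys.com.", "NS"): ["ns1.sales.wingtiptoys.com.", "ns3.sales.wingtiptoys.com."],
    ("ns1.sales.wingtiptoys.com.", "A"): ["192.0.2.10"],
    ("ns3.sales.wingtiptoys.com.", "A"): ["192.0.2.12"],
}


def check_delegation(zone, parent, child):
    """Return a list of problems; an empty list means the delegation is intact."""
    if not zone.endswith("."):
        raise ValueError("use the FQDN with the trailing period")
    problems = []
    parent_ns = set(parent.get((zone, "NS"), []))
    if not parent_ns:
        return [f"{zone}: no NS records in the parent zone, so no delegation exists"]
    for ns in sorted(parent_ns):
        # step 7: glue in the parent or an A record in the child both count
        addrs = parent.get((ns, "A")) or child.get((ns, "A")) or []
        if not addrs:
            problems.append(f"{ns}: no A record in parent or child, broken delegation")
    # beyond the procedure: the two NS sets should agree
    child_ns = set(child.get((zone, "NS"), []))
    for ns in sorted(parent_ns - child_ns):
        problems.append(f"{ns}: delegated by the parent but not in the child's NS set")
    for ns in sorted(child_ns - parent_ns):
        problems.append(f"{ns}: authoritative in the child but missing from the parent delegation")
    return problems


def fix_glue(parent, ns, address):
    """Return a copy of the parent zone with the glue A record that step 8
    prescribes as the fix for a broken delegation."""
    fixed = dict(parent)
    fixed[(ns, "A")] = [address]
    return fixed


def nslookup_command(zone, server):
    """Non-interactive equivalent of steps 1 to 5: ask one server, without recursion,
    for the NS records of the delegated name."""
    return ["nslookup", "-norecurse", "-type=NS", zone, server]


if __name__ == "__main__":
    for problem in check_delegation("sales.wingtiptoys.com.", PARENT, CHILD):
        print(problem)
    print(" ".join(nslookup_command("sales.wingtiptoys.com.", "192.0.2.1")))
```

Against the constructed data the check reports ns2 as broken (no address anywhere), then the two NS-set mismatches; adding the glue record for ns2 clears the first finding but not the mismatches, which need the NS records in the parent and child to be brought into line.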


Using Stub Zones for DNS Operations


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use stub zones to:

Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the Domain Name System (DNS) server that hosts both the
parent zone and the stub zone maintains a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion by using the stub zone's list of name servers, without needing to query the
Internet or the internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without
using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not a valid alternative to secondary zones with
regard to redundancy and load sharing.

When a DNS server loads a stub zone, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for
the zone. The list of master servers may contain a single server or multiple servers, and the list can be changed anytime.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Reload or transfer stub zones
Configure a stub zone to use local master servers

See Also
Other Resources
Deploying Domain Name System (DNS)

Reload or transfer stub zones


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to reload or transfer stub zones. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line
tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Reloading or transferring stub zones


To reload or transfer stub zones using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable stub zone, and do one of the following:
To reload the stub zone from storage, click Reload.
To have the DNS server determine if the serial number in the stub zone's start-of-authority (SOA) resource record has expired and then perform a zone
transfer from the stub zone's master server, click Transfer from Master.
To perform a zone transfer from the stub zone's master server regardless of the serial number in the stub zone's SOA resource record, click Reload from
Master.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To reload or transfer stub zones using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName

Value              Description
ServerName         Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneReload        Reloads the stub zone.
/ZoneUpdateFromDs  Reloads the stub zone from Active Directory.
/ZoneRefresh       Refreshes the stub zone. The DNS server determines if the serial number in the stub zone's SOA resource record has expired. If the serial number has expired, the DNS server performs a zone transfer from the stub zone's master server.
ZoneName           Required. Specifies the name of the stub zone that you want to reload or refresh.

Note
There is no dnscmd command to perform a zone transfer regardless of the SOA resource record's expiration date. To perform this operation, use the Windows
interface procedure.


Configure a stub zone to use local master servers


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to specify local master servers that you want the Domain Name System (DNS) server to use when loading and updating the stub zone.
When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in
Active Directory. If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is
deleted.
The DNS server keeps the master servers list from Active Directory stored in memory.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate
authority. As a security best practice, consider using the Run as command to perform this procedure.

Configuring a stub zone to use local master servers


To configure a stub zone to use local master servers using the Windows interface
1. Open DNS.
2. In the console tree, right-click the stub zone, and then click Properties.
3. On the General tab, under IP address, modify the list to display the Internet Protocol (IP) addresses of the local master servers that you want the DNS server to use
when loading and updating the stub zone.
Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone
on this server.
4. Select the Use the list above as a local list of masters check box, and then click OK.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To configure a stub zone to use local master servers using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]

Value               Description
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName            Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Local              Configures the local master list for Active Directory-integrated zones.
MasterIPaddress...  List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers hosting other secondary copies of the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.


Using WINS Lookup in DNS Zones


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The DNS Server service provides the ability to use Windows Internet Name Service (WINS) servers to look up names that are not found in the Domain Name System (DNS)
domain namespace by checking the network basic input/output system (NetBIOS) namespace that is managed by WINS.
For WINS lookup integration, two special resource record types, the WINS and WINS-R resource records, are enabled and added to a zone. When the WINS resource
record is used, DNS queries that fail to find a matching host address (A) resource record in the zone are forwarded to the WINS servers that are configured in the WINS
resource record. For reverse lookup zones, the WINS-R resource record can be enabled and used to provide a similar benefit for further resolving a reverse query that is
not answerable in the reverse in-addr.arpa domain.
For example, you can use WINS lookup when you are using a mixed-mode client environment consisting of UNIX clients that use only DNS name resolution and earlier-version Microsoft clients that require NetBIOS naming. In these environments, WINS lookup provides a method for permitting UNIX DNS clients to locate your WINS clients
by extending DNS host name resolution into the WINS-managed NetBIOS namespace.
The WINS lookup integration feature is supported only by Windows DNS servers. If you use a mixture of Windows and other DNS servers to host a zone, select
the Do not replicate this record check box for any primary zone in which you use the WINS lookup record. This prevents the WINS lookup record from being
included in zone transfers to other DNS servers that do not support or recognize this record. If you do not restrict the WINS lookup record to the local
server, it can cause data errors or failed zone transfers at servers running other DNS server implementations that replicate the zone.
This topic also covers:

How the caching Time to Live (TTL) and lookup time-out values are configured for use with the WINS and WINS-R records
The format of the WINS and WINS-R resource records as they are used in zone files that are created by the DNS Server service

WINS Lookup Interoperability


Typically, WINS lookup provides the best and most predictable results if only Windows DNS servers are used, and it is only available directly for use at Windows DNS
servers. There are ways, however, that you can use and benefit from WINS lookup as an interoperable solution when other DNS servers are deployed.
For example, consider adding a Windows DNS server that hosts a new WINS lookup-enabled zone. When you create and name the zone, use a subdomain that is added to
your existing DNS namespace that is used just for WINS-specific referrals that are added to your DNS domain namespace.
For instance, in sales.wingtiptoys.com, call the zone wins.sales.wingtiptoys.com when you create it. You can then use this new WINS referral zone as the root zone for any of
your WINS-aware computers that have names that are not found in your other traditional DNS zones.
To use the WINS referral zone, you must specify its domain name (wins.sales.wingtiptoys.com) in a DNS suffix search list for your clients. The suffix list is configurable as
part of the TCP/IP properties for a client connection, and it can be updated either manually, by using Dynamic Host Configuration Protocol (DHCP) or by using
Group Policy. As long as the name of the WINS referral zone is included in the domain suffix list, any DNS names that are not resolved in traditional zones can be resolved
by using the WINS referral subdomain.
Under normal conditions, this should result in recursion from your other DNS servers to the Windows DNS servers that host the WINS-enabled zone. If the queried host
names match NetBIOS computer names that are found in the WINS database, the names are resolved to the Internet Protocol (IP) addresses that are mapped in WINS data
there.
In our example, the WINS-enabled zone is used only for WINS lookup; therefore, no additional resource records need to be added to it. In general, WINS records can be
added to any forward lookup zone.
By using a specific subdomain just for WINS lookup and specifying a static DNS suffix list to be used in resolving and searching for names, you can prevent unusual
situations in which DNS queries for different fully qualified domain names (FQDNs) resolve to the same WINS client name and IP address. This might easily occur if you add
and configure many zones at each level of your namespace and enable each of them to use WINS lookup integration.
For example, suppose you have two zones, both configured to use WINS lookup. The zones are rooted and originate at the following DNS domain names:
sales1.wingtiptoys.com.
sales2.wingtiptoys.com.
With this configuration, a WINS client named HOST-A can be unintentionally resolved by using either of the following FQDNs:
host-a.sales1.wingtiptoys.com.
host-a.sales2.wingtiptoys.com.

Advanced Parameters for WINS Lookups


The two following advanced timing parameters are used with the WINS and WINS-R records:

The Cache timeout value, which indicates to a DNS server how long it should cache any of the information that is returned in a WINS lookup. By default, this value is
set to 15 minutes.
The Lookup timeout value, which specifies how long to wait before timing out and expiring a WINS lookup that is performed by the DNS Server service. By default,
this value is set to two seconds.

You can configure these parameters by using the Advanced button in the zone properties dialog box when you configure the zone. This button appears on either the
WINS or WINS-R tab, depending on whether the zone that you are configuring is being used for forward lookup or reverse lookup.
If you are using either the WINS or WINS-R resource record, be aware that the minimum TTL that is set in the start-of-authority (SOA) record for the zone is not the default
TTL that is used with these records. Instead, when either an IP address or a host name is resolved with WINS lookup, the information is cached on the DNS server for the
amount of time that is configured for the WINS cache time-out value. If this address is then ever forwarded to another DNS server, the WINS cache time-out value TTL is
what is sent. If your WINS data rarely changes, you can increase the default TTL of 15 minutes.

Notes

If you have a zone that is configured for WINS lookup, all DNS servers that are authoritative for that zone must be capable of WINS lookup; otherwise, name
resolution for the zone is intermittent, depending on which server answers a given query.
Because you can specify that the WINS and WINS-R resource records not be replicated to other DNS servers, you can selectively enable and configure WINS lookup
at each of your secondary servers for zones where this feature is used. This is not a standard practice for other types of resource records, which are only to be
configured at the primary server for the zone.

For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform the following procedures:

1. Allow DNS to use WINS resolution
2. Verify that WINS is answering a DNS query

See Also
Other Resources
Deploying Domain Name System (DNS)

Allow DNS to use WINS resolution


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to enable Domain Name System (DNS) to use Windows Internet Name Service (WINS) name resolution. The specified WINS servers
that are configured in this procedure are used for final referral of names that are not found in the applicable zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To allow DNS to use WINS resolution
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Do one of the following:
If the applicable zone is a forward lookup zone, on the WINS tab, select the Use WINS forward lookup check box. In IP address, type the Internet Protocol
(IP) address of a WINS server to be used for resolution of names not found in DNS, and then click Add.
If the applicable zone is a reverse lookup zone, on the WINS-R tab, select the Use WINS-R lookup check box. In Domain to append to returned name, type
a name.
4. Select the Do not replicate this record check box for this WINS record, if applicable.
If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, select this check box. This prevents these records
from being replicated to those other servers during zone transfers. If this zone will be transferred to Berkeley Internet Name Domain (BIND) servers, this option is
critical, because BIND does not recognize WINS records and the transfer can fail.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Verify that WINS is answering a DNS query


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to verify that Windows Internet Name Service (WINS) is resolving a Domain Name System (DNS) query.
Normally, when a DNS server answers a query from its authoritative zone data, it returns the zone's minimum (default) Time to Live (TTL) or the record-specific TTL value, if one is configured, and that TTL is the same every time the query is repeated. When the server answers from nonauthoritative data, such as a record cached from an earlier query, the TTL it returns decreases as the cached entry ages.
WINS lookups are the exception. An answer received from a WINS server is cached by the DNS server but is also treated as authoritative data. The WINS-sourced data is therefore returned to clients as authoritative, yet it ages in the DNS server's name cache, so the TTL that the server returns decreases over time. This combination of an authoritative answer and a decreasing TTL is what the following procedure looks for.
Administrative credentials
You do not need administrative credentials to perform this procedure. Therefore, as a security best practice, consider performing this procedure as a user without
administrative credentials.
To verify that WINS is answering a DNS query
1. At a command prompt, type the following command, and then press ENTER:
nslookup
2. At the nslookup (>) prompt, type the following command, and then press ENTER:
set debug
3. Next, either type:
set querytype=a
if you are testing for a WINS forward lookup, or:
set querytype=ptr
if you are testing for a WINS-R reverse lookup, and then press ENTER.
Respectively, these two commands can be used to set the query type to filter either by host address (A) or pointer (PTR) resource records as appropriate for
researching either a forward lookup or a reverse lookup.
4. Based on whether you are verifying possible WINS sourcing for either a forward lookup or a reverse lookup, type the appropriate fully qualified domain name
(FQDN).
For example, if the forward lookup that you are tracing is for a domain name host-a.sales.wingtiptoys.com, type:
host-a.sales.wingtiptoys.com.
If the reverse lookup that you are tracing is for an Internet Protocol (IP) address 10.0.0.1, type:
1.0.0.10.in-addr.arpa.
5. In the response, note whether the server answered authoritatively or nonauthoritatively, and note the TTL value.
6. If the server answered authoritatively, repeat the same query that you performed in step 4.
7. In the response, note whether the TTL value decreased with the second query answer or if it remained consistent with the TTL value that was specified in the first
query answer.
If the TTL value decreased for an authoritatively answered query, the source of the query answer is a WINS server.
8. To leave debug mode and return to the command prompt, type exit, and then press ENTER.

set debug. Enables the nslookup command to operate in debug mode, providing extended information in the command output. This mode is required to view query response information about whether the source for a query answer is authoritative (from a DNS zone or a WINS server database) or nonauthoritative (cached data from previous queries made by the DNS server or loaded from root hints).
set querytype. Changes the type of information query. More information about types can be found in Request for Comments (RFC) 1035.
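The following PowerShell script is an added example and is not part of the original Microsoft documentation. It runs the nslookup debug query twice and applies the TTL test from step 7 automatically, so the check can be repeated for many names without reading debug output by hand. It assumes that nslookup.exe is on the path, that its debug output contains the "header flags:" line (with "auth. answer" for authoritative replies) and "ttl = N" lines under "ANSWERS:" that the regular expressions below parse, and that dns1.sales.wingtiptoys.com is a placeholder DNS server name like the other fictitious names in this topic.

```powershell
# Added example (not part of the original page): automate the nslookup check above.
# A WINS-sourced answer is reported as authoritative, yet its TTL shrinks between
# two identical queries; an answer from zone data keeps the same TTL every time.
# Assumptions: nslookup.exe is on PATH and its -debug output contains a
# "header flags:" line naming "auth. answer" for authoritative replies and
# "ttl = N (...)" lines under "ANSWERS:" (the regexes below encode that layout).
function Get-DnsAnswerInfo {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        [ValidateSet('A', 'PTR')] [string] $QueryType = 'A'
    )
    # -debug and -type= are the command-line forms of "set debug" and "set querytype".
    $raw = & nslookup.exe -debug "-type=$QueryType" $Name $Server 2>&1 | Out-String

    # nslookup also prints a debug block for its initial lookup of the server's own
    # name; the block that belongs to our query is the last "Got answer:" section.
    $blocks = @([regex]::Split($raw, '-{6,}') | Where-Object { $_ -match 'Got answer:' })
    if (-not $blocks) { throw "No answer block in nslookup output for $Name`n$raw" }
    $block = $blocks[-1]

    $authoritative = [bool]($block -match 'header flags:[^\r\n]*auth\. answer')
    # TTLs of the answer records only (authority and additional sections are ignored).
    $answers = ''
    if ($block -match '(?s)ANSWERS:(.*?)(?:AUTHORITY RECORDS:|ADDITIONAL RECORDS:|$)') { $answers = $Matches[1] }
    $ttls = @([regex]::Matches($answers, 'ttl\s*=\s*(\d+)') | ForEach-Object { [int]$_.Groups[1].Value })
    $ttl = $null
    if ($ttls.Count -gt 0) { $ttl = $ttls[0] }

    [pscustomobject]@{ Name = $Name; Authoritative = $authoritative; Ttl = $ttl }
}

function Test-WinsSourcedAnswer {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        [ValidateSet('A', 'PTR')] [string] $QueryType = 'A',
        [int] $DelaySeconds = 5      # give a WINS-sourced cache entry time to age
    )
    $first = Get-DnsAnswerInfo -Name $Name -Server $Server -QueryType $QueryType
    $verdict = 'Nonauthoritative answer (cached or recursed data); not WINS-sourced'
    $secondTtl = $null
    if ($first.Authoritative) {
        Start-Sleep -Seconds $DelaySeconds
        $second = Get-DnsAnswerInfo -Name $Name -Server $Server -QueryType $QueryType
        $secondTtl = $second.Ttl
        if ($null -ne $first.Ttl -and $null -ne $secondTtl -and $secondTtl -lt $first.Ttl) {
            $verdict = 'Authoritative answer with decreasing TTL: WINS-sourced'
        } else {
            $verdict = 'Authoritative answer with constant TTL: from zone data'
        }
    }
    [pscustomobject]@{ Name = $Name; FirstTtl = $first.Ttl; SecondTtl = $secondTtl; Verdict = $verdict }
}

# Usage with the topic's example names (dns1 is an assumed server name); no
# administrative rights are needed, matching the procedure above.
Test-WinsSourcedAnswer -Name 'host-a.sales.wingtiptoys.com.' -Server 'dns1.sales.wingtiptoys.com'
Test-WinsSourcedAnswer -Name '1.0.0.10.in-addr.arpa.' -Server 'dns1.sales.wingtiptoys.com' -QueryType PTR
```

A nonauthoritative answer also shows a decreasing TTL, which is why the script checks the authoritative flag first and only then compares the two TTL values; a decreasing TTL on its own proves nothing about WINS.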


Managing DNS Resource Records


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following tasks for managing Domain Name System (DNS) resource records are described in this objective:
Adding, Changing, and Deleting Resource Records
Disable NS resource record registration
Allow NS resource record creation for domain controllers
Restrict the DNS resource records that are updated by Netlogon


Adding, Changing, and Deleting Resource Records


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
After you create a zone, additional resource records must be added to it. The most common resource records include the following:

Host address (A). Maps a Domain Name System (DNS) domain name to an Internet Protocol (IP) address that is used by a computer.
Alias canonical (CNAME). Maps an alias DNS domain name to another primary name or canonical name.
Mail Exchanger (MX). Maps a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR). Maps a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
Service (SRV). Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
Other resource records, as needed.

Host A Resource Records


Host A resource records are used in a zone to associate DNS domain names of computers (or "hosts") to their IP addresses. These resource records can be added to a
zone in several ways:

You can create an A resource record for a static TCP/IP client computer manually by using the DNS snap-in.
Windows clients and servers use the DHCP Client service to dynamically register and update their own A resource records in DNS when an IP configuration change
occurs.
Dynamic Host Configuration Protocol (DHCP)-enabled client computers that run earlier versions of Microsoft operating systems can have their A resource records
registered and updated by proxy if they obtain their IP lease from a qualified DHCP server. (Only the Windows 2000 and Windows Server 2003 DHCP Server service
currently supports this feature.)

The host A resource record is not required for all computers, but it is required by computers that share resources on a network. Any computer that shares resources and
needs to be identified by its DNS domain name must use A resource records to provide DNS name resolution to the IP address for the computer.
The A resource records that a zone typically requires are those for workstations and servers that share resources, other DNS servers, mail servers, and Web servers.
These records make up the majority of the resource records in a zone database.

Alias CNAME Resource Records


Alias CNAME resource records are also sometimes called canonical name resource records. With these records, you can use more than one name to point to a single host,
making it easy to do such things as host both a File Transfer Protocol (FTP) server and a Web server on the same computer. For example, the well-known server names
ftp and www are registered by using CNAME resource records that map to the DNS host name (for example, server1) of the server computer that hosts these services.
CNAME resource records are recommended for use in the following scenarios:

When a host that is specified in an A resource record in the same zone needs to be renamed
When a generic name for a well-known server, such as www, must resolve to a group of individual computers (each with individual A resource records) that provide
the same service, for example, a group of redundant Web servers

When you rename a computer with an existing A resource record in the zone, you can use a CNAME resource record temporarily to allow a grace period for users and
programs to switch from specifying the old computer name to using the new one. To do this, you need the following:

For the new DNS domain name of the computer, a new A resource record is added to the zone.
For the old DNS domain name, a CNAME resource record is added that points to the new A resource record.
The original A resource record for the old DNS domain name (and its associated PTR resource record, if applicable) is removed from the zone.

When you use a CNAME resource record for aliasing or renaming a computer, set a temporary limit on how long the record is used in the zone before it is removed from
DNS. If you forget to delete the CNAME resource record and later its associated A resource record is deleted, the CNAME resource record can waste server resources by
trying to resolve queries for a name that is no longer used on the network.
The most common use of a CNAME resource record is to provide a permanent DNS alias for a service-based name, such as www.sales.wingtiptoys.com, so that the
service name stays stable while the computer or IP address that provides the service can change. The following shows the basic syntax of a CNAME resource record:
alias_name IN CNAME primary_canonical_name
In this example, a computer named host-a.sales.wingtiptoys.com must function as both a Web server named www.sales.wingtiptoys.com and an FTP server named
ftp.sales.wingtiptoys.com. To achieve this, you can add the following entries to the sales.wingtiptoys.com zone:

host-a   IN   A       10.0.0.20
ftp      IN   CNAME   host-a
www      IN   CNAME   host-a

If you later decide to move the FTP server to another computer, separate from the Web server on host-a, simply change the CNAME resource record in the zone for
ftp.sales.wingtiptoys.com and add an additional A resource record to the zone for the new computer hosting the FTP server.
Based on the earlier example, if the new computer is named host-b.sales.wingtiptoys.com, the new and revised A and CNAME resource records are as follows:

host-a   IN   A       10.0.0.20
host-b   IN   A       10.0.0.21
ftp      IN   CNAME   host-b
www      IN   CNAME   host-a

MX Resource Records
The MX resource record is used by e-mail applications to locate a mail server based on the DNS domain name that is used in the destination address of the e-mail
recipient. For example, a DNS query for the name sales.wingtiptoys.com can be used to find an MX resource record, which enables a mail application to forward or
exchange mail for a user with the e-mail address user@sales.wingtiptoys.com.
The MX resource record shows the DNS domain name of the computer or computers that process e-mail for a domain. If multiple MX resource records exist, the sending
mail application attempts to contact the mail servers in order of preference, from the lowest value (highest priority) to the highest value (lowest priority). The
following shows the basic syntax for use of an MX resource record:
mail_domain_name IN MX preference mailserver_host
By using the MX resource records shown below in the sales.wingtiptoys.com zone, e-mail that is addressed to user@sales.wingtiptoys.com is delivered to
mailserver0.sales.wingtiptoys.com first, if possible. If that server is unavailable, the sending mail application tries mailserver1.sales.wingtiptoys.com instead.

@   IN   MX   1   mailserver0
@   IN   MX   2   mailserver1
Note that the use of the "at" symbol (@) in the records indicates that the mailer DNS domain name is the same as the name of origin (sales.wingtiptoys.com) for the zone.
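As an added example (not from the original Microsoft documentation), the following PowerShell script creates the A, CNAME, and MX records shown above with the Dnscmd command-line tool and then performs the FTP move, including deletion of the old alias and verification of the result from the server's own zone data. It assumes that Dnscmd is installed and that the script runs with administrative rights on the local DNS server (.), and it uses the fictitious zone and host names of this topic; the mail server addresses 10.0.0.30 and 10.0.0.31 are invented for the example.

```powershell
# Added example (not part of the original page): the zone-file entries above, created and
# then changed with dnscmd, so the "move the FTP server to host-b" step is reproducible.
# Assumptions: dnscmd.exe is installed and the script runs with administrative rights on
# the DNS server ("." = local server); the zone, hosts and addresses are the page's
# fictitious examples, and the mail server addresses are invented for this example.
$Server = '.'
$Zone   = 'sales.wingtiptoys.com'

function Invoke-Dnscmd {
    # Runs dnscmd and fails loudly: dnscmd reports problems as "Command failed" text
    # and a non-zero exit code, which a plain call would silently ignore.
    param([Parameter(Mandatory)] [string[]] $Arguments)
    $output = & dnscmd.exe $Server @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $output -match 'Command failed') {
        throw "dnscmd $($Arguments -join ' ') failed:`n$output"
    }
    $output
}

# 1. The host record and its two aliases. dnscmd treats a name without a trailing period
#    as relative to the zone, so the CNAME targets are written as fully qualified names.
Invoke-Dnscmd @('/RecordAdd', $Zone, 'host-a', 'A', '10.0.0.20')
Invoke-Dnscmd @('/RecordAdd', $Zone, 'ftp', 'CNAME', "host-a.$Zone.")
Invoke-Dnscmd @('/RecordAdd', $Zone, 'www', 'CNAME', "host-a.$Zone.")

# 2. Mail exchangers at the zone origin (@); the lower preference value is tried first.
#    Each MX target needs its own A record (an MX must not point at a CNAME).
Invoke-Dnscmd @('/RecordAdd', $Zone, 'mailserver0', 'A', '10.0.0.30')
Invoke-Dnscmd @('/RecordAdd', $Zone, 'mailserver1', 'A', '10.0.0.31')
Invoke-Dnscmd @('/RecordAdd', $Zone, '@', 'MX', '1', "mailserver0.$Zone.")
Invoke-Dnscmd @('/RecordAdd', $Zone, '@', 'MX', '2', "mailserver1.$Zone.")

# 3. Move FTP to host-b: add its A record, then replace the alias target. /RecordDelete
#    takes the old RDATA so only that CNAME is removed; /f suppresses the confirmation prompt.
Invoke-Dnscmd @('/RecordAdd', $Zone, 'host-b', 'A', '10.0.0.21')
Invoke-Dnscmd @('/RecordDelete', $Zone, 'ftp', 'CNAME', "host-a.$Zone.", '/f')
Invoke-Dnscmd @('/RecordAdd', $Zone, 'ftp', 'CNAME', "host-b.$Zone.")

# 4. Verify from the server's zone data rather than from a resolver cache.
Invoke-Dnscmd @('/EnumRecords', $Zone, 'ftp', '/Type', 'CNAME')
Invoke-Dnscmd @('/EnumRecords', $Zone, 'www', '/Type', 'CNAME')
Invoke-Dnscmd @('/EnumRecords', $Zone, '@', '/Type', 'MX')
```

Deleting the old CNAME before adding the new one matters: a name can carry only one CNAME, so adding a second alias for ftp without removing the first fails or leaves the stale target in place, which is exactly the "forgotten alias" problem described above.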

PTR Resource Records


PTR resource records are used to support the reverse lookup process, based on zones that are created and rooted in the in-addr.arpa domain. These records are used to
locate a computer by its IP address and to resolve this information to the DNS domain name for that computer.
PTR resource records can be added to a zone in several ways:

You can create a PTR resource record for a static TCP/IP client computer manually by using the DNS snap-in, either as a separate procedure or as part of the procedure
for creating an A resource record.
Computers use the DHCP Client service to dynamically register and update their PTR resource record in DNS when an IP configuration change occurs.
All other DHCP-enabled client computers can have their PTR resource records registered and updated by the DHCP server if they obtain their IP lease from a
qualified server. The Windows 2000 and Windows Server 2003 DHCP Server service provides this capability.

The PTR resource record is used only in reverse lookup zones to support reverse lookup.

SRV Resource Records


To locate Active Directory domain controllers, SRV resource records are required. Typically, you can avoid manual administration of the SRV resource record when you
install Active Directory.
By default, the Active Directory Installation Wizard attempts to locate a DNS server based on the list of preferred or alternate DNS servers, which are configured in any of
its TCP/IP client properties, for any of its active network connections. If a DNS server that can accept dynamic update of the SRV resource record (and other resource
records that are related to registering Active Directory as a service in DNS) is contacted, the configuration process is complete.
If, during the installation, a DNS server that can accept updates for the DNS domain name that is used to name your Active Directory domain is not found, the wizard can
install a DNS server locally and automatically configure it with a zone to support the Active Directory domain.
For example, if the Active Directory domain that you choose for your first domain in the forest is sales.wingtiptoys.com, a zone that is rooted at the DNS domain name of
sales.wingtiptoys.com is added and configured to use with the DNS server that is running on the new domain controller.
Whether or not you install the DNS Server service locally, a file (Netlogon.dns) is written and created during the Active Directory installation process that contains the SRV
resource records and other resource records that are necessary to support the use of Active Directory. This file is created in the systemroot\System32\Config folder.
If you are using a DNS server that fits one of the following scenarios, use the records in Netlogon.dns to manually configure the primary zone on that server to support
Active Directory:

1. The computer that operates your DNS server is running on another platform, such as UNIX, and it cannot accept or recognize dynamic updates.
2. A DNS server at this computer that does not use the DNS Server service that is provided with Windows Server 2003 is authoritative for the primary zone that
corresponds to the DNS domain name for your Active Directory domain.
3. The DNS server supports the SRV resource record, as defined in the Internet draft "A DNS RR specifying the location of services (DNS SRV)" (later published as
RFC 2782), but the DNS server does not support dynamic updates.
For example, the DNS Server service that is provided with Windows NT Server 4.0, when it is updated to Service Pack 4 or later, fits this description.

In the future, the SRV resource record might also be used to register and look up other well-known TCP/IP services on your network if applications implement and support
DNS name queries that specify this record type.
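The following PowerShell function is an added example and is not part of the original documentation or of Netlogon itself. For the scenarios listed above, it converts lines from Netlogon.dns into dnscmd /RecordAdd commands for the primary zone, printing them for review and running them only when -Execute is given. It assumes that Netlogon.dns uses the standard zone-file line layout (owner name, TTL, IN, record type, record data) and that the target server is a Windows DNS server on which Dnscmd is installed; the sample lines are constructed from the example names of this topic, and dc1 is an assumed domain controller name.

```powershell
# Added example (not part of the original page): turn the entries in Netlogon.dns into
# dnscmd /RecordAdd calls for a primary zone whose server does not accept dynamic updates.
# Assumptions: lines use the zone-file layout "owner. ttl IN type rdata..." that
# Netlogon.dns is written in; the sample lines are constructed from the page's example
# names, and dc1 is an assumed domain controller name.
function ConvertTo-DnscmdRecordAdd {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string] $Zone,
        [string] $Server = '.',
        [switch] $Execute            # default: only print the commands for review
    )
    $zoneFqdn   = $Zone.TrimEnd('.') + '.'
    $zoneSuffix = '.' + $zoneFqdn
    foreach ($rawLine in $Lines) {
        $line = ($rawLine -replace ';.*$', '').Trim()       # strip comments and blanks
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 5 -or $parts[2] -ne 'IN') {
            Write-Warning "Skipping unparsable line: $line"; continue
        }
        $owner = $parts[0]; $ttl = $parts[1]; $type = $parts[3]
        $rdata = $parts[4..($parts.Count - 1)]

        # dnscmd accepts the node name relative to the zone; "@" names the zone root.
        if ($owner -eq $zoneFqdn) {
            $node = '@'
        } elseif ($owner.EndsWith($zoneSuffix, [StringComparison]::OrdinalIgnoreCase)) {
            $node = $owner.Substring(0, $owner.Length - $zoneSuffix.Length)
        } else {
            Write-Warning "Owner $owner is outside zone $Zone; skipping"; continue
        }

        # RDATA layout per type follows the dnscmd table: SRV = Priority Weight Port HostName.
        $cmdArgs = switch ($type) {
            'SRV'   { if ($rdata.Count -eq 4) { @('/RecordAdd', $Zone, $node, $ttl, 'SRV') + $rdata } }
            'A'     { @('/RecordAdd', $Zone, $node, $ttl, 'A', $rdata[0]) }
            'CNAME' { @('/RecordAdd', $Zone, $node, $ttl, 'CNAME', $rdata[0]) }
            default { $null }
        }
        if (-not $cmdArgs) { Write-Warning "Skipping line (unsupported type or bad RDATA): $line"; continue }

        if ($Execute) {
            $out = & dnscmd.exe $Server @cmdArgs 2>&1 | Out-String
            if ($LASTEXITCODE -ne 0 -or $out -match 'Command failed') { throw "dnscmd failed for '$line':`n$out" }
        } else {
            "dnscmd $Server $($cmdArgs -join ' ')"
        }
    }
}

# Constructed sample in the Netlogon.dns format (not copied from a real file).
$sample = @(
    'sales.wingtiptoys.com. 600 IN A 10.0.0.5',
    '_ldap._tcp.sales.wingtiptoys.com. 600 IN SRV 0 100 389 dc1.sales.wingtiptoys.com.',
    '_kerberos._tcp.dc._msdcs.sales.wingtiptoys.com. 600 IN SRV 0 100 88 dc1.sales.wingtiptoys.com.',
    'gc._msdcs.sales.wingtiptoys.com. 600 IN A 10.0.0.5',
    'www.other.example. 600 IN A 192.0.2.10     ; outside the zone: reported and skipped'
)
ConvertTo-DnscmdRecordAdd -Lines $sample -Zone 'sales.wingtiptoys.com'

# Against the real file, review the printed commands first, then rerun with -Execute:
# ConvertTo-DnscmdRecordAdd -Lines (Get-Content "$env:SystemRoot\System32\Config\Netlogon.dns") -Zone 'sales.wingtiptoys.com' -Execute
```

Printing before executing is deliberate: Netlogon.dns is rewritten by the domain controller, so a record owner outside the expected zone or an unexpected record type should be noticed by an administrator before anything is written to a zone that other servers transfer from.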

Other Resource Records


Other additional resource records are supported by Windows Server 2003 DNS, and they are used less frequently in most zones. You can add these additional types of
resource records as needed by using the DNS snap-in.
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform one of the following procedures:

Add an A resource record to a zone


Add an MX resource record to a zone
Add a CNAME resource record to a zone
Add a PTR resource record to a reverse zone
Add a resource record to a DNS zone
Add a domain to a zone
Modify an existing resource record
Delete a resource record
View unsupported resource records


Add an A resource record to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a host address (A) resource record to a zone. Pointer (PTR) resource records that are created automatically when you add an
A resource record to a zone are deleted automatically if the corresponding A resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding an A resource record to a zone


Using the Windows interface
Using the command line

To add an A resource record to a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Host (A).
3. In Name, type the Domain Name System (DNS) computer name for the new host.
4. In IP address, type the Internet Protocol (IP) address for the new host.
5. As an option, select the Create associated pointer (PTR) record check box to create an additional PTR resource record in a reverse zone for this host, based on
the information that you enter in Name and IP address.
6. Click Add Host to add the new host (A) resource record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an A resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress

ServerName. Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd. Required. Adds a new resource record.
ZoneName. Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName. Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging. Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl. Specifies that the new record is open to modification by any user. Without this parameter, only administrators can modify the new record. Because any user could then change the address that the name resolves to, use this parameter only when a specific non-administrative process must update the record.
Ttl. Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.
A. Required. Specifies the resource record type of the record that you are adding.
IPAddress. Required. The IP address for the host.


Add an MX resource record to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a mail exchanger (MX) resource record to a zone. You can perform this procedure by using the DNS snap-in or by using the
Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding an MX resource record to a zone


Using the Windows interface
Using the command line

To add an MX resource record to a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone, and then click NewMail Exchanger (MX).
3. In Host or child domain, type the domain name for which this record is to be used to deliver mail.
4. In Mail server, type the Domain Name System (DNS) host computer name of the mail exchanger or mail server host that delivers mail for the specified domain
name.
As an option, you can click Browse to view the DNS namespace for mail exchanger hosts in this domain that have host (A) records already defined.
5. Adjust the value in Mail server priority as needed for this zone.
6. Click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add an MX resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] MX Preference MXServerName

ServerName. Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd. Required. Adds a new resource record.
ZoneName. Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.
NodeName. Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging. Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
Ttl. Specifies the Time to Live (TTL) setting for the resource record.
MX. Required. Specifies the MX resource record type for the record that you are adding.
Preference. Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail exchange servers. Lower numbers are given greater preference.
MXServerName. Required. Specifies the FQDN for a mail exchanger. The value entered here must resolve to a corresponding host A resource record in this zone.


Add a CNAME resource record to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add an alias canonical (CNAME) resource record to a zone. You can perform this procedure by using the DNS snap-in or by using
the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a CNAME resource record to a zone


Using the Windows interface
Using the command line

To add a CNAME resource record to a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Alias (CNAME).
3. In Alias name, type the alias name.
4. In Fully qualified domain name (FQDN) for target host, type the FQDN of the Domain Name System (DNS) host computer for which this alias is to be used.
As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host address (A) records already defined.
5. Click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a CNAME resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME HostName|DomainName

ServerName. Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd. Required. Adds a new resource record.
ZoneName. Required. Specifies the name of the zone where this CNAME resource record will be added.
NodeName. Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging. Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl. Specifies that the new record is open to modification by any user. Without this parameter, only administrators can modify the new record.
Ttl. Specifies the Time to Live (TTL) setting for the resource record. The default TTL is defined in the start-of-authority (SOA) resource record.
CNAME. Required. Specifies the resource record type of the record that you are adding.
HostName|DomainName. Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully qualify the name.


Add a PTR resource record to a reverse zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a pointer (PTR) resource record to a reverse zone. When you create a new address (A) resource record, there is an option to
create an associated PTR resource record automatically. PTR resource records that are created automatically during the addition of an A resource record to a zone are
deleted automatically if the corresponding A resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a PTR resource record to a reverse zone


Using the Windows interface
Using the command line

To add a PTR resource record to a reverse zone using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable reverse lookup zone.
3. On the Action menu, click New Pointer (PTR).
4. In the Host IP number text box, type the host Internet Protocol (IP) address octet number.
5. In Host name, type the fully qualified domain name (FQDN) for the DNS host computer for which this pointer record is to be used to provide reverse lookup
(address-to-name resolution).
As an option, you can click Browse to search the Domain Name System (DNS) namespace for hosts in this domain that have host address (A) records already
defined.
6. Click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a PTR resource record to a reverse zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR HostName|DomainName

ServerName. Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd. Required. Adds a new resource record.
ZoneName. Required. Specifies the FQDN of the zone where this new PTR resource record will be added.
NodeName. Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging. Specifies that this resource record can be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is updated or removed manually.
/OpenAcl. Specifies that the new record is open to modification by any user. Without this parameter, only administrators can modify the new record.
Ttl. Specifies the Time to Live (TTL) setting for the resource record.
PTR. Required. Specifies the resource record type for the record that you are adding.
HostName|DomainName. Required. Specifies the FQDN of a resource record that is located in the DNS namespace. The host that you specify is used as the data for answering reverse lookups based on the address information that is specified by this PTR resource record.


Add a resource record to a DNS zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a resource record to a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd commandline tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Adding a resource record to a zone


Using the Windows interface
Using the command line

To add a resource record to a zone using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Other New Records.
3. In Select a resource record type, select the type of resource record that you want to add.
4. Click Create Record.
5. In New Resource Record, enter the information necessary to complete the resource record.
6. After you specify all the necessary information for the resource record, click OK to add the new record to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To add a resource record to a zone using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAddZoneNameNodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value                 Description
ServerName            Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the
                      Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer,
                      you can also type a period (.).
/RecordAdd            Required. Adds a new resource record.
ZoneName              Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName              Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name
                      relative to the ZoneName, or @, which specifies the zone's root node.
/Aging                Specifies that this resource record is able to be aged and scavenged. If this parameter is used,
                      the resource record can be aged and scavenged. If it is not used, the resource record remains in
                      the DNS database unless it is updated or removed manually.
/OpenAcl              Specifies that new records are open to modification by any user. Without this parameter, only
                      administrators may modify the new record.
Ttl                   Specifies the Time to Live (TTL) setting for the resource record.
RRType RRData         Required. Specifies the type of resource record to add, followed by the data to be contained in
                      the resource record. The data fields for each record type are listed in the following table.

Resource record type          Resource record data
A                             IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR   HostName|DomainName
MX,RT,AFSDB                   Preference ServerName
SRV                           Priority Weight Port HostName
SOA                           PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                          Ipv6Address
TXT,X25,HINFO,ISDN            String [String]
MINFO,RP                      MailboxName ErrMailboxName
WKS                           Protocol IPAddress Service...
WINS                          MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                         MapFlag LookupTimeout CacheTimeout RstDomainName

Value                 Description
IPAddress             Specifies a standard IP address, for example, 255.255.255.255.
Ipv6Address           Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.
Protocol              Specifies the transmission protocol: UDP or TCP.
Service               Specifies a standard service, for example, domain, smtp.
HostName|DomainName   Specifies the FQDN of a resource record that is located in the DNS namespace.
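The following script is an added example and is not part of the original TechNet page: it assembles the dnscmd /RecordAdd and /RecordDelete argument lists in the documented order (ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] RRType RRData) and shows the RRData layout for A, PTR and SRV records from the table above. The zone and host names are constructed sample values, and "." targets the DNS server on the local computer.

```powershell
# Added example, not from the original page. Assumes dnscmd.exe is on the path and the
# caller has the administrative credentials described above.

function Add-DnsRecordWithDnscmd {
    param(
        [string]$ServerName = '.',                       # "." = DNS server on the local computer
        [Parameter(Mandatory=$true)][string]$ZoneName,
        [Parameter(Mandatory=$true)][string]$NodeName,   # FQDN, name relative to the zone, or @
        [Parameter(Mandatory=$true)][string]$RRType,
        [Parameter(Mandatory=$true)][string[]]$RRData,   # one element per RRData field
        [int]$Ttl = 0,                                   # 0 = omit Ttl and use the zone default
        [switch]$Aging                                   # allow the record to be aged and scavenged
    )
    # /OpenAcl is deliberately not offered here: it lets any user modify the record.
    $argList = @($ServerName, '/RecordAdd', $ZoneName, $NodeName)
    if ($Aging)     { $argList += '/Aging' }
    if ($Ttl -gt 0) { $argList += "$Ttl" }
    $argList += $RRType
    $argList += $RRData
    Write-Verbose ('dnscmd ' + ($argList -join ' '))
    & dnscmd @argList
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed with exit code $LASTEXITCODE" }
}

function Remove-DnsRecordWithDnscmd {
    param(
        [string]$ServerName = '.',
        [Parameter(Mandatory=$true)][string]$ZoneName,
        [Parameter(Mandatory=$true)][string]$NodeName,
        [Parameter(Mandatory=$true)][string]$RRType,
        [Parameter(Mandatory=$true)][string[]]$RRData
    )
    # /f suppresses the confirmation prompt so the call works from a script.
    $argList = @($ServerName, '/RecordDelete', $ZoneName, $NodeName, $RRType) + $RRData + '/f'
    & dnscmd @argList
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordDelete failed with exit code $LASTEXITCODE" }
}

# Static host record (no /Aging) with an explicit one-hour TTL: a server address that
# scavenging must never remove.
Add-DnsRecordWithDnscmd -ZoneName 'corp.example' -NodeName 'app1' -RRType 'A' -RRData '10.0.0.25' -Ttl 3600 -Verbose

# Matching PTR record; NodeName is relative to the reverse lookup zone.
Add-DnsRecordWithDnscmd -ZoneName '0.0.10.in-addr.arpa' -NodeName '25' -RRType 'PTR' -RRData 'app1.corp.example.'

# SRV record: the RRData order from the table is Priority Weight Port HostName.
Add-DnsRecordWithDnscmd -ZoneName 'corp.example' -NodeName '_ldap._tcp' -RRType 'SRV' -RRData '0','100','389','dc1.corp.example.'

# Read the records back from the server to confirm what was written.
& dnscmd . /EnumRecords corp.example app1
& dnscmd . /EnumRecords corp.example _ldap._tcp

# Removal names the same RRType and RRData so that only the intended record is deleted.
Remove-DnsRecordWithDnscmd -ZoneName 'corp.example' -NodeName 'app1' -RRType 'A' -RRData '10.0.0.25'
```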

2014 Microsoft. All rights reserved.

Add a domain to a zone


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to add a new domain to a zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To add a domain to a zone
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click New Domain, and then type the name of the new domain without using periods.
4. Click OK to add the new domain to the zone.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Modify an existing resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify an existing resource record in a zone. You can perform this procedure by using the DNS snap-in or by using the Dnscmd
command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying an existing resource record


Using the Windows interface
Using the command line

To modify an existing resource record using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to modify, and then click Properties.
4. In Properties, edit the properties that can be modified.
If necessary, you can view and modify advanced resource record properties with the DNS snap-in. To display advanced properties, on the View menu, click
Advanced.
5. When you have finished modifying the record, click OK.

Note
When advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify an existing resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value                 Description
ServerName            Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the
                      Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer,
                      you can also type a period (.).
/RecordAdd            Required. Adds a new resource record.
ZoneName              Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName              Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name
                      relative to the ZoneName, or @, which specifies the zone's root node.
RRType RRData         Required. Specifies the type of resource record to add, followed by the data to be contained in
                      the resource record. The data fields for each record type are listed in the following table.

Resource record type          Resource record data
A                             IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR   HostName|DomainName
MX,RT,AFSDB                   Preference ServerName
SRV                           Priority Weight Port HostName
SOA                           PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                          Ipv6Address
TXT,X25,HINFO,ISDN            String [String]
MINFO,RP                      MailboxName ErrMailboxName
WKS                           Protocol IPAddress Service...
WINS                          MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                         MapFlag LookupTimeout CacheTimeout RstDomainName

Value                 Description
IPAddress             Specifies a standard IP address, for example, 255.255.255.255.
Ipv6Address           Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.
Protocol              Specifies the transmission protocol: UDP or TCP.
Service               Specifies a standard service, for example, domain, smtp.
HostName|DomainName   Specifies the FQDN of a resource record that is located in the DNS namespace.


Delete a resource record


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to delete a resource record from a zone. Pointer (PTR) resource records are deleted automatically if the corresponding address (A)
resource record is deleted.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Deleting a resource record


Using the Windows interface
Using the command line

To delete a resource record using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record that you want to delete, and then click Delete.
4. When you are asked to confirm that you want to delete the selected resource record, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To delete a resource record using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

Value                 Description
ServerName            Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the
                      Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer,
                      you can also type a period (.).
/RecordDelete         Required. Deletes a resource record.
ZoneName              Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName              Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name
                      relative to the ZoneName, or @, which specifies the zone's root node.
RRType RRData         Required. Specifies the type of resource record to delete, followed by the data contained in the
                      resource record. The data fields for each record type are listed in the following table.
/f                    Specifies that the command is executed without asking for confirmation. If you omit this
                      parameter, you are prompted to confirm the deletion of the resource record.

Resource record type          Resource record data
A                             IPAddress
NS,CNAME,MB,MD,PTR,MF,MG,MR   HostName|DomainName
MX,RT,AFSDB                   Preference ServerName
SRV                           Priority Weight Port HostName
SOA                           PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                          Ipv6Address
TXT,X25,HINFO,ISDN            String [String]
MINFO,RP                      MailboxName ErrMailboxName
WKS                           Protocol IPAddress Service...
WINS                          MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                         MapFlag LookupTimeout CacheTimeout RstDomainName

Value                 Description
IPAddress             Specifies a standard IP address, for example, 255.255.255.255.
Ipv6Address           Specifies a standard IPv6 address, for example, 1:2:3:4:5:6:7:8.
Protocol              Specifies the transmission protocol: UDP or TCP.
Service               Specifies a standard service, for example, domain, smtp.
HostName|DomainName   Specifies the FQDN of a resource record that is located in the DNS namespace.


View unsupported resource records


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to view unsupported resource records in a zone.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To view unsupported resource records
1. Open the DNS snap-in.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the record that you want to view, and then click Properties.
4. In Properties, view properties that are specific to this record.
5. When you have finished viewing the record, click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Disable NS resource record registration


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following procedure restricts name server (NS) resource records that are registered for Active Directory domain controllers only. You can perform this procedure by
using the Registry Editor or by using the Dnscmd command-line tool.
To configure the Domain Name System (DNS) server to automatically add NS resource records corresponding to itself when loading a zone, you can assign a value of 0x0
to the registry key or enter no value (the default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.
If you configure the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative
zones that are located on the DNS server are deleted automatically.
Regardless of the settings of these registry entries, query responses that are sent to DNS clients from the authoritative DNS server will indicate that the responses are from
an authoritative DNS server.
The registry key entry that is described in this procedure does not exist by default. It must be created and configured according to this procedure.

Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Disabling NS resource record registration


Using the Windows interface
Using the command line

To disable NS resource record registration using the Windows interface


1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following REG_DWORD value:
DisableNSRecordsAutoCreation
4. Assign a value of 0x1.
The REG_DWORD value is a local DNS server setting, and it applies to DNS zones for which this DNS server is authoritative.

Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
To disable NS resource record registration using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1

Value                          Description
ServerName                     Specifies the DNS host name of the DNS server. You can also type the Internet Protocol
                               (IP) address of the DNS server. To specify the DNS server on the local computer, you can
                               also type a period (.).
/DisableNSRecordsAutoCreation  Determines the local DNS server configuration for registering NS resource records for
                               authoritative zones.
0x1                            Specifies that the DNS server that is specified in ServerName should not add NS resource
                               records for authoritative zones. To specify that the DNS server should add NS resource
                               records for all its authoritative zones, type a value of 0x0.


Allow NS resource record creation for domain controllers


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to allow name server (NS) resource record creation for specific domain controllers. This procedure applies to domain controller NS
resource records in Active Directory-integrated Domain Name System (DNS) zones that are hosted on DNS servers that are configured to not add these resource records
for their authoritative zones.
Administrative credentials
To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using the
Run as command to perform this procedure.
To allow NS resource record creation for specific domain controllers
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation IpAddresses...

Value                        Description
ServerName                   Required. Specifies the DNS host name of the DNS server. You can also type the Internet
                             Protocol (IP) address of the DNS server. To specify the DNS server on the local computer,
                             you can also type a period (.).
ZoneName                     Required. Specifies the fully qualified domain name (FQDN) of the zone.
/AllowNSRecordsAutoCreation  Required. Specifies that the domain controllers that are entered for IpAddresses... add
                             their names to NS resource records for the zone that is specified in ZoneName. NS resource
                             records that were previously registered for this zone are not affected. Therefore, you
                             must remove them manually if you do not want them.
IpAddresses...               Required. Specifies the IP addresses of the domain controllers that add their names in NS
                             resource records for the zone that is specified in ZoneName. Type a space-separated list
                             of the IP addresses of the DNS servers, for example, 10.0.0.0 172.16.0.0 192.168.0.0.

If any domain controllers in the specified zone are not listed for IpAddresses..., their names are deleted from the NS resource records for the zone that is specified in
ZoneName.
To specify that all domain controllers are allowed to add their names to NS resource records for the zone or to clear the list of allowed DNS server IP addresses, type the
command and omit IpAddresses...:
dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation
Regardless of the settings that are specified in this command, query responses that are sent to DNS clients from authoritative DNS servers and selected domain controllers
will indicate that the responses are from authoritative DNS servers.

Restrict the DNS resource records that are updated by Netlogon


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following procedure restricts Domain Name System (DNS) resource records that are registered by the Net Logon service for Active Directory domain controllers only.

Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restrict the DNS resource records that are updated by Netlogon
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Add the following multistring (REG_MULTI_SZ) value:
DnsAvoidRegisterRecords
4. In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service.
The following table contains the list of data.

Data Value          Resource Record Type   DNS Resource Record
LdapIpAddress       A                      DnsDomainName
Ldap                SRV                    _ldap._tcp.DnsDomainName
LdapAtSite          SRV                    _ldap._tcp.SiteName._sites.DnsDomainName
Pdc                 SRV                    _ldap._tcp.pdc._msdcs.DnsDomainName
Gc                  SRV                    _ldap._tcp.gc._msdcs.DnsForestName
GcAtSite            SRV                    _ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
DcByGuid            SRV                    _ldap._tcp.DomainGuid.domains._msdcs.DnsForestName
GcIpAddress         A                      _gc._msdcs.DnsForestName
DsaCname            CNAME                  DsaGuid._msdcs.DnsForestName
Kdc                 SRV                    _kerberos._tcp.dc._msdcs.DnsDomainName
KdcAtSite           SRV                    _kerberos._tcp.dc._msdcs.SiteName._sites.DnsDomainName
Dc                  SRV                    _ldap._tcp.dc._msdcs.DnsDomainName
DcAtSite            SRV                    _ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
Rfc1510Kdc          SRV                    _kerberos._tcp.DnsDomainName
Rfc1510KdcAtSite    SRV                    _kerberos._tcp.SiteName._sites.DnsDomainName
GenericGc           SRV                    _gc._tcp.DnsForestName
GenericGcAtSite     SRV                    _gc._tcp.SiteName._sites.DnsForestName
Rfc1510UdpKdc       SRV                    _kerberos._udp.DnsDomainName
Rfc1510Kpwd         SRV                    _kpasswd._tcp.DnsDomainName
Rfc1510UdpKpwd      SRV                    _kpasswd._udp.DnsDomainName

Notes

To open Registry Editor, click Start, click Run, type regedit, and then click OK.
Restart of the Net Logon service is not required to make the changes to this value effective. If the DnsAvoidRegisterRecords registry key is created or modified
while the Net Logon service is stopped or within the first 15 minutes after it is started, appropriate DNS updates may take place with a short delay. However, the
delay is no later than 15 minutes after the Net Logon service starts.


Monitoring DNS
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Monitoring your Domain Name System (DNS) infrastructure on a regular basis and resolving any issues that you find will help to keep your network accessible to your
users.
The following tasks for monitoring DNS are described in this objective:

Check DNS event log
Verify DNS server responsiveness with Nslookup
Verify dynamic DNS record updates
Verify zone transfers
Check the DNS server debug log file
Test a query on the DNS server


Check DNS event log


Published: September 19, 2007
Updated: November 4, 2009
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to check for errors in the Domain Name System (DNS) event log for troubleshooting or monitoring purposes.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Checking the DNS event log


To check the DNS event log
1. Open the DNS console.
2. In the console tree, open Event Viewer and then click DNS Events.
3. Review the list of events that is displayed. The following table provides examples of some critical DNS events and procedures you can use to resolve them.

Event ID 140
    The DNS server could not initialize the Remote Procedure Call (RPC) service. If it is not running, start the RPC
    service or reboot the computer. For the specific error code, see the Record Data page in Event Viewer.
    In order for DNS to run, the Remote Procedure Call (RPC) service must be running on the DNS server.
    a. Verify that the Remote Procedure Call (RPC) service has been started.
    b. Open Administrative Tools, and double-click Services.
    c. If the service has been started, try restarting the server.
    d. If the error continues, remove and reinstall the Client for Microsoft Networks service on the network
       connection. This will reinstall the Netlogon and RPC locator services.

Event ID 403
    The DNS server could not create a Transmission Control Protocol (TCP) socket. Restart the DNS server or reboot the
    computer. For the specific error code, see the Record Data page.
    The Wsock32.dll might be incompatible with a third-party TCP/IP stack. This problem can also occur if the TCP/IP
    protocol is not bound to the network adapter.
    If you are using a third-party TCP/IP protocol, verify that the protocol is compatible with the Wsock32.dll.
    Check the bindings of the protocol stack. It is a good idea to have TCP/IP bound at the top of the stack. If the
    error continues, remove and reinstall the TCP/IP protocol, and then try again.
    a. Open Control Panel, and then double-click Network and Dial-up Connections.
    b. Right-click the connection, and then click Properties.
    c. Verify that the bindings for all protocols to network adapters are enabled and that no broken connections
       exist in the stack.

Event ID 407
    DNS server could not bind the main datagram socket. The data is the error.
    This error can occur if there is a mismatch between the configured IP address in the Advanced IP Addressing
    dialog box and the addresses listed in the Server Properties dialog box for the DNS server. This problem can
    also occur if the TCP/IP protocol is not bound to the network adapter.
    Verify that the TCP/IP addresses configured in the Advanced IP Addressing dialog box match those configured in
    the Server Properties dialog box in DNS Manager:
    a. Open Control Panel, and double-click Network.
    b. Click the Protocols tab, and click TCP/IP Protocol in the Network Protocols list.
    c. Click Properties, and then click Advanced.
    Match the IP addresses to those displayed in the DNS server Properties dialog box:
    a. In DNS Manager, right-click the DNS server name, and then click Properties.
    b. Compare the IP addresses with those from the Advanced IP Addressing dialog box. If there are no IP addresses
       configured in the Advanced IP Addressing dialog box or on the Interfaces tab of the Server Properties dialog
       box, enter the IP address of your network adapter. Use the ipconfig -all command to obtain your IP address.
    Check the binding of the TCP/IP protocol to the network adapter:
    a. Open Control Panel, and double-click Network.
    b. Click the Bindings tab.
    c. Verify that the bindings for all protocols to network adapters are enabled and that no broken connections
       exist in the stack.

Event ID 408
    DNS server could not open socket for address [IP address of server].
    The DNS server could not open a socket with the current TCP/IP and DNS service configurations.
    Verify that this is a valid IP address on this computer.
    If the IP address is not valid:
    a. Use the Interfaces dialog box under Server Properties in DNS Manager to remove it from the list of IP
       interfaces.
    b. Stop and restart the DNS server. (If this was the only IP interface on this computer, the DNS server may not
       have started as a result of this error. In that case, remove the DNS\Parameters\ListenAddress value in the
       services section of the registry and restart.)
    If the IP address is valid:
    Verify that no other application (for example, another DNS server) is running that would attempt to use the DNS
    port.

Event IDs 4000, 4004, 4007, 4014, 4015
    The DNS Server service relies on Active Directory to store and retrieve information for Active Directory-integrated
    zones. This error indicates that Active Directory is not responding to requests from the DNS Server service.
    Ensure that Active Directory is functioning properly, troubleshoot any problems, and then restart the DNS Server
    service.
    For information about troubleshooting Active Directory, see Active Directory Troubleshooting Topics
    (http://go.microsoft.com/fwlink/?LinkId=95789).
    To restart the DNS Server service:
    a. Open the Services console. To open Services, click Start, click Control Panel, double-click Administrative
       Tools, and then click Services.
    b. Right-click DNS Server, and then click Restart.
    If the problem continues, restart the computer, and then use the Services console to verify that the DNS Server
    service has started.

Event ID 4001
    The DNS Server service relies on Active Directory to store and retrieve information for Active Directory-integrated
    zones. This error indicates that Active Directory is not responding to requests from the DNS Server service.
    Ensure that Active Directory is functioning properly, troubleshoot any problems, and then reload the zone.
    For information about troubleshooting Active Directory, see Active Directory Troubleshooting Topics
    (http://go.microsoft.com/fwlink/?LinkId=95789).
    To reload a zone:
    a. Open the DNS console.
    b. In the console tree, right-click the applicable zone, and then click Reload.

Event ID 4016
    The DNS Server service relies on Active Directory to store and retrieve information for Active Directory-integrated
    zones. This error indicates that Active Directory is not responding to requests from the DNS Server service.
    Ensure that Active Directory is functioning properly, troubleshoot any problems, and then retry the operation
    that failed.
    For information about troubleshooting Active Directory, see Active Directory Troubleshooting Topics
    (http://go.microsoft.com/fwlink/?LinkId=95789).
    Add a zone
    If the event message indicates that an attempt to add a zone failed, you must create the zone after resolving any
    problems with Active Directory.
    To add a zone:
    a. Open the DNS console.
    b. In the console tree, expand the DNS server, right-click the zone folder for the type of zone that you want to
       add, and then click New Zone to open the New Zone Wizard.
    c. Follow the instructions in the wizard to create the zone.
    Delete a zone
    If the event message indicates that an attempt to remove a zone failed, you must delete the zone after resolving
    any problems with Active Directory.
    To delete a zone:
    a. Open the DNS console.
    b. In the console tree, expand the DNS server, and then expand the zone folder for the type of zone that you want
       to delete.
    c. Right-click the zone, and then click Delete.

Note
To open the DNS console, click Start, point to Administrative Tools, and then click DNS.

Note
If the DNS server for which you want to view the log is located on another computer, in the console tree, click DNS, and then on the Action menu, click Connect to DNS
Server. Click The following computer, and then specify the name or Internet Protocol (IP) address of the remote computer.


Verify DNS server responsiveness with Nslookup


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to verify name resolution on a Domain Name System (DNS) server for monitoring or troubleshooting purposes.

Verifying DNS server responsiveness


To verify DNS server responsiveness
1. Open a command prompt, type the following command, and then press ENTER:
nslookup 127.0.0.1 server_ip_address
2. If the server is responding, the name "localhost" is returned.

Value                 Description
server_ip_address     The Internet Protocol (IP) address of the DNS server. For example, if the IP address of your DNS
                      server is 10.0.0.1, type:
                      nslookup 127.0.0.1 10.0.0.1

Note
In the previous procedure, the syntax for the nslookup command is: nslookup [-option] host server. This command can be entered from any computer that is
running a Microsoft Windows operating system and has network connectivity to the DNS server you wish to query. Only the host entry is required for the
command. However, if an IP address or hostname for the server is not supplied, then the default DNS server specified in TCP/IP properties will be queried.
When you enter 127.0.0.1 as the host, this IP address will automatically resolve to the name localhost if the DNS Server service is running at the IP address that
you specify as the server.


Verify dynamic DNS record updates


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
It is possible to view dynamic update activity of clients by using the DNS server log (dns.log). This log includes server-side information; client-side information is intuitive
only.

Verifying dynamic DNS record updates


To verify dynamic DNS record updates
1. Click Start, click Run, type dnsmgmt.msc, and then click OK.
2. In the console tree, click the DNS server for which you want to view dynamic record updates.
3. On the Action menu, click Properties.
4. Click the Debug Logging tab.
5. Select the Log packets for debugging check box.
6. Under Packet direction, select the Outgoing and Incoming check boxes.
7. Under Transport protocol, select the UDP and TCP check boxes.
8. Under Packet contents, select the Updates check box.
9. Under Packet type, select the Request and Response check boxes.
10. Under Other options, select the Details check box.
11. Click OK to begin debug logging.
12. Review the dns.log file.
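The following script is an added example, not part of the original page: it summarizes dynamic update traffic from a dns.log produced with the debug logging options above, pairing each update request with the server's response so that updates from unexpected clients, or a run of REFUSED results, stand out. The sample lines are constructed in the layout of the Windows DNS debug log (date, time, thread, context, packet pointer, protocol, direction, remote address, XID, opcode, [flags rcode], question type and name); column positions on a real Windows Server 2003 log may differ slightly, so the parser keys on the protocol and direction tokens rather than on column offsets.

```powershell
# Added example, not from the original page. Sample log lines are constructed.
$SampleDnsLog = @'
12/1/2013 9:15:01 AM 0B40 PACKET  0000000002B4F7A0 UDP Rcv 10.0.0.25       0004   U [0000       NOERROR] SOA    (4)corp(7)example(0)
12/1/2013 9:15:01 AM 0B40 PACKET  0000000002B4F7A0 UDP Snd 10.0.0.25       0004 R U [8080       NOERROR] SOA    (4)corp(7)example(0)
12/1/2013 9:15:07 AM 0B40 PACKET  0000000002B4F9C0 UDP Rcv 192.0.2.77      0005   U [0000       NOERROR] SOA    (4)corp(7)example(0)
12/1/2013 9:15:07 AM 0B40 PACKET  0000000002B4F9C0 UDP Snd 192.0.2.77      0005 R U [8085       REFUSED] SOA    (4)corp(7)example(0)
12/1/2013 9:15:09 AM 0B40 PACKET  0000000002B4FB10 UDP Rcv 10.0.0.30       0006   Q [0001   D   NOERROR] A      (4)app1(4)corp(7)example(0)
'@

function ConvertFrom-DnsDebugLog {
    # Turns packet lines from dns.log into objects; non-packet lines are skipped.
    param([string[]]$Lines)
    $pattern = '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R?)\s*(?<op>[QNU?])\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $flagTokens = $m.Groups['flags'].Value.Trim() -split '\s+'
        New-Object PSObject -Property @{
            Timestamp  = (($line -split '\s+')[0..2] -join ' ')
            Protocol   = $m.Groups['proto'].Value
            Direction  = $m.Groups['dir'].Value
            Remote     = $m.Groups['ip'].Value
            Xid        = $m.Groups['xid'].Value
            IsResponse = ($m.Groups['resp'].Value -eq 'R')
            Opcode     = $m.Groups['op'].Value       # Q = query, U = dynamic update, N = notify
            RCode      = $flagTokens[-1]             # last token in the bracket is the response code
            QType      = $m.Groups['qtype'].Value
            # (4)corp(7)example(0) -> corp.example
            QName      = ($m.Groups['qname'].Value -replace '^\(\d+\)', '' -replace '\(\d+\)', '.').TrimEnd('.')
        }
    }
}

function Get-DynamicUpdateSummary {
    # One row per received update request, with the outcome the server sent back.
    param([string[]]$Lines)
    $packets  = @(ConvertFrom-DnsDebugLog -Lines $Lines)
    $requests = $packets | Where-Object { $_.Opcode -eq 'U' -and $_.Direction -eq 'Rcv' -and -not $_.IsResponse }
    # Responses are matched to requests by remote address and transaction ID.
    $responses = @{}
    $packets | Where-Object { $_.Opcode -eq 'U' -and $_.IsResponse } |
        ForEach-Object { $responses[$_.Remote + '/' + $_.Xid] = $_.RCode }
    $requests | ForEach-Object {
        New-Object PSObject -Property @{
            Timestamp = $_.Timestamp
            Client    = $_.Remote
            Zone      = $_.QName        # for an update, the question name is the zone being updated
            Result    = $responses[$_.Remote + '/' + $_.Xid]
        }
    }
}

# Usage against the constructed sample; replace with Get-Content on the real dns.log path.
$updates = @(Get-DynamicUpdateSummary -Lines ($SampleDnsLog -split "`r?`n"))
$updates | Format-Table Timestamp, Client, Zone, Result -AutoSize
# Per-client outcome counts: a client outside your expected subnets, or repeated REFUSED
# results, is the line to follow up on.
$updates | Group-Object Client, Result | Select-Object Name, Count
```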


Verify zone transfers


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
With Active Directory-integrated Domain Name System (DNS), all DNS servers in the domain can modify the zone and then replicate the changes to other domain
controllers. Therefore, the procedures for verifying zone transfers of an Active Directory-integrated DNS server are equivalent to Active Directory replication verification
procedures.
Although Active Directory-integrated zones are transferred by using Active Directory replication, you can also perform standard zone transfers to secondary servers in a
manner similar to standard DNS zone transfers. You can use the following procedure to verify zone transfers.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Verifying zone transfers


To verify zone transfers
1. Open the DNS snap-in.
2. In the console tree, double-click Event Viewer, and then click DNS Events.
3. Check for the following critical events:

Event ID 6527: Zone expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut
down.
This event ID might appear when the DNS server is configured to host a secondary copy of the zone from another DNS server acting as its source or
master server. Verify that this server has network connectivity to its configured master server.
If the problem continues, consider one or more of the following options:
a. Delete the zone and recreate it, specifying either a different master server, or an updated and corrected IP address for the same master server.
b. If zone expiration continues, consider adjusting the expire interval.

Event ID 6004: The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative %2.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Check the DNS server debug log file


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Checking the DNS server debug log file


To check the DNS server debug log file
1. Stop the DNS Server service.
2. Open WordPad.
3. On the File menu, click Open.
4. In Open, for File name, specify the path to the Domain Name System (DNS) server debug log file.
By default, if the applicable DNS server is running locally, the file and path are as follows:
systemroot\System32\Dns\Dns.log
5. After you specify the correct path and file, click Open to view the log file.


Test a query on the DNS server


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To ensure that Domain Name System (DNS) name resolution is functioning according to specifications, you can perform periodic testing with the following procedure.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Testing a query on the DNS server


To test a query on the DNS server
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. To test a simple query, under Select a test type, select the A simple query against this DNS server check box.
Or
To test a recursive query, under Select a test type, select the A recursive query to other DNS servers check box.
6. Click Test Now.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Optimizing DNS
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When Domain Name System (DNS) servers are initialized for service, they use server configuration settings that are taken from the parameters that are stated in a boot
information file, the registry, and (possibly) zone information that is provided through Active Directory integration.
In most situations, the installation defaults are acceptable and should not require modification. However, when necessary, you can tune various parameters to
accommodate special deployment needs and situations.
The following table describes advanced parameters that you can change to optimize the performance of DNS servers.

Disable recursion: Determines whether or not the DNS server uses recursion. By default, the DNS Server service is enabled to use recursion.

BIND secondaries: Determines whether to use fast transfer format for transfer of a zone to DNS servers running legacy Berkeley Internet Name Domain (BIND)
implementations.
By default, all Windows-based DNS servers use a fast zone transfer format. This format uses compression, and it can include multiple records per TCP
message during a connected transfer. This format is also compatible with more recent BIND-based DNS servers that run versions 4.9.4 and later.

Fail on load if bad zone data: Sets the DNS server to parse files strictly.
By default, the DNS Server service logs data errors, ignores any erroneous data in zone files, and continues to load a zone. You can reconfigure this option by
using the DNS snap-in so that the DNS Server service logs errors and fails to load a zone file that contains records with errors.

Enable round robin: Determines whether the DNS server uses the round robin mechanism to rotate and reorder a list of resource records when multiple resource
records of the same type exist for a query answer.
By default, the DNS Server service uses round robin.

Enable netmask ordering: Determines whether the DNS server reorders address (A) resource records within the same resource record set in the server's response to a
query, based on the Internet Protocol (IP) address of the source of the query.
By default, the DNS Server service uses local subnet priority to reorder A resource records.

Secure cache against pollution: Determines whether the DNS server attempts to clean up responses to avoid cache pollution. This setting is enabled by default.
By default, DNS servers use a secure response option that prevents unrelated resource records that are included in a referral answer from being added to their
cache. In most cases, names that are added in referral answers are cached, and they help expedite the resolution of subsequent DNS queries.
With this feature, however, the server can determine that referred names are potentially polluting or insecure and then discard them. The server
determines whether to cache the name that is offered in a referral on the basis of whether or not it is part of the exact, related DNS domain name tree
for which the original query was made.
For example, if a query is made originally for sales.wingtiptoys.com and a referral answer provides a record for a name outside the wingtiptoys.com
domain name tree, such as tailspintoys.com, that name is not cached where this feature is enabled for use.

For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
To optimize DNS, complete the following procedures:

Enable or disable fast DNS zone transfers
Prevent loading of a zone with bad data
Disable DNS round robin
Restore Domain Name System server default preferences
Disable recursion
Disable local subnet prioritization
Update root hints
Secure the server cache against names pollution
Clear server names cache
Configure DNSSEC
Configure EDNS0
Change UDP message size

See Also
Other Resources
Deploying Domain Name System (DNS)

Enable or disable fast DNS zone transfers


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure for optimizing zone transfers only between Windows-based Domain Name System (DNS) servers and other DNS server
implementations. Zone transfers between Windows-based DNS servers always use the fast transfer format.
DNS servers running versions of the Berkeley Internet Name Domain (BIND) server implementation earlier than version 4.9.4 do not support the fast transfer format. Enable
this option only if you are transferring zones to BIND servers running version 4.9.4 or later.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Enabling or disabling fast DNS zone transfers



To enable or disable fast DNS zone transfers using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the BIND secondaries check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable or disable fast DNS zone transfers using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /BindSecondaries {1|0}

ServerName: Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).
/BindSecondaries: Specifies use of the fast transfer format that is used by legacy BIND servers.
{1|0}: To enable fast transfer format when transferring a zone to legacy BIND DNS servers, type 1 (on). To disable fast transfer format, type 0 (off).


Prevent loading of a zone with bad data


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to prevent loading of a zone when bad data is found.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To prevent loading of a zone with bad data
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Fail on load if bad zone data check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Disable DNS round robin


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to disable round-robin rotation for multihomed names. You can perform this procedure by using the DNS snap-in or by using the
Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Disabling DNS round robin



To disable DNS round robin using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, clear the Enable round robin check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable DNS round robin using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /RoundRobin {1|0}

ServerName: Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server.
To specify the DNS server on the local computer, you can also type a period (.).
/RoundRobin: Configures round-robin rotation.
{1|0}: To enable round robin, type 1 (on). To disable round robin, type 0 (off).


Restore Domain Name System server default preferences


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to restore Domain Name System (DNS) server default preferences. The DNS server default preferences are listed in the following
table.

Disable recursion: Off
BIND secondaries: On
Fail on load if bad zone data: Off
Enable round robin: On
Enable netmask ordering: On
Secure cache against pollution: On
Name checking: Multibyte (UTF8)
Load zone data on startup: From Active Directory and registry
Enable automatic scavenging of stale records: Off

Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To restore DNS server default preferences
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Disable recursion
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to disable recursion on the Domain Name System (DNS) server.
Note
If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Disabling recursion

To disable recursion using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. In Server options, select the Disable recursion (also disables forwarders) check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable recursion using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /NoRecursion {1|0}

ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the
DNS server on the local computer, you can also type a period (.).
/NoRecursion: Required. Disables recursion.
{1|0}: Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.


Disable local subnet prioritization


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to disable local subnet prioritization for multihomed names. You can perform this procedure by using the DNS snap-in or by using
the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Disabling local subnet prioritization



To disable local subnet prioritization using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, clear the Enable netmask ordering check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable local subnet prioritization using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /LocalNetPriority {1|0}

ServerName: Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS
server on the local computer, you can also type a period (.).
/LocalNetPriority: Configures netmask ordering.
{1|0}: To enable netmask ordering, type 1 (on). To disable netmask ordering, type 0 (off).


Update root hints


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to update root hints on the Domain Name System (DNS) server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Updating root hints


To update root hints
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Root Hints tab.
5. Modify server root hints as follows:
To add a root server to the list, click Add, and then specify the name and Internet Protocol (IP) address of the server to be added to the list.
To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.
To remove a root server from the list, select it in the list, and then click Remove.
To copy root hints from a DNS server, click Copy from Server, and then specify the IP address of the DNS server from which you want to copy a list of root
servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Secure the server cache against names pollution


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to secure the server cache against names pollution. This setting is enabled by default.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Secure the server cache against names pollution


To secure the server cache against names pollution
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Secure cache against pollution check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Clear server names cache


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to clear the server names cache. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line
tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Clearing the server names cache



To clear the server names cache using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Clear Cache.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To clear the server names cache using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /clearcache

ServerName: Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS
server. To specify the DNS server on the local computer, you can also type a period (.).
/clearcache: Clears the DNS server cache.


Configure DNSSEC
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify the configuration of Domain Name System (DNS) Security Extensions (DNSSEC). The value of the registry entry
EnableDnsSec determines whether the DNS server includes or excludes DNSSEC resource records when it receives queries.

Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To configure DNSSEC
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
EnableDnsSec
4. Do one of the following:
To exclude DNSSEC resource records in query responses other than responses to requests for SIG, KEY or NXT resource records, assign a value of 0x0.
Appropriate resource records will be included in responses to requests for SIG, KEY, or NXT resource records only.
To include the DNSSEC resource records in all query responses (according to RFC 2535), assign a value of 0x2.
To include DNSSEC resource records only in cases where the original client query contained the OPT resource record (according to RFC 2671), assign a value
of 0x1, or do not create the value at all. The DNS server behaves the same if the value is 0x1 or if the entry does not appear in the registry.

Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.


Configure EDNS0
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify EDNS0 configuration. The value of the registry entry EDNSCacheTimeout determines how long the Domain Name System
(DNS) server keeps information about the extension mechanisms for DNS (EDNS) versions that are supported by other DNS servers that have responded to a query with
an OPT resource record.
You can perform this procedure by using Registry Editor or by using the Dnscmd command-line tool.

Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group
Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry,
use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Configuring EDNS0

To configure EDNS0 using the Windows interface


1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
EDNSCacheTimeout
4. To change the cache timeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days).
5. In the same registry subkey (Parameters), add the following DWORD entry:
EnableEDNSProbes
6. To configure the DNS server to include an OPT resource record only in response to EDNS0 requests containing OPT resource records, type 0x1 (DWORD).
7. Restart the DNS server.

Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
To modify EDNS0 configuration using the command line
At a command prompt, type one of the following commands, and then press ENTER:
dnscmd ServerName /Config /EDNSCacheTimeout Value
dnscmd ServerName /Config /EnableEDNSProbes Value

ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To
specify the DNS server on the local computer, you can also type a period (.).
/Config: Required. Specifies the command to configure the DNS server.
/EDNSCacheTimeout: Required. Specifies the length of time that the DNS server remembers the EDNS parameters that remote servers report.
/EnableEDNSProbes: Required. Specifies whether or not the DNS server probes other DNS servers to determine if they support EDNS.
Value: Required. For /EDNSCacheTimeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days). For /EnableEDNSProbes,
type 1 to configure the DNS server to probe other DNS servers and determine if they support EDNS. Type 0 to configure the DNS
server not to probe remote servers for EDNS support. If you type 0, the DNS server will continue to use EDNS if other servers request it.


Change UDP message size


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to modify User Datagram Protocol (UDP) message size.

Caution
When you configure the UDP packet size to be larger than 512 bytes, remember that UDP packets must travel through devices other than UDP hosts, such as routers,
and these devices may not support UDP packets larger than 512 bytes. It is recommended that you establish the maximum UDP packet length supported by all devices
and the path's maximum transmission unit (MTU), if possible, and configure your UDP hosts according to this maximum.

Caution
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or
by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use
Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the
registry, use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To change UDP message size
1. Open Registry Editor.
2. In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
MaximumUdpPacketSize
4. Type a maximum UDP packet size value in bytes.
The default value is 1280 bytes. The value must be between 512 and 16384 in decimal format (200 and 4000 in hexadecimal format).
5. Restart the DNS server.

Note
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
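The following PowerShell script is an added example, not code from the Windows Server documentation; it audits the DNS Parameters registry key against the defaults table in "Restore Domain Name System server default preferences" and the value ranges given above for EDNSCacheTimeout and MaximumUdpPacketSize, reporting drift without changing anything. It assumes that settings made with dnscmd /Config are stored under that key as DWORD values with the same names (NoRecursion, BindSecondaries, StrictFileParsing, RoundRobin, LocalNetPriority, SecureResponses), and the sample values it runs on are constructed.

```powershell
# Added example (not from the Windows Server documentation): report which DNS Server
# parameters differ from the documented defaults or fall outside the documented ranges.
# Assumption: dnscmd /Config switches are stored as DWORD values of the same name under
# the Parameters key; EnableDnsSec, EDNSCacheTimeout, EnableEDNSProbes and
# MaximumUdpPacketSize are the entries named in the registry procedures on this page.
$DnsParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Default (from the defaults table; $null where this page gives none), allowed range and
# meaning of each value. A value absent from the registry means the default is in effect.
$DnsParameterSpec = @(
    @{ Name = 'NoRecursion';          Default = 0;     Min = 0;    Max = 1;        Meaning = '1 = recursion and forwarders disabled' }
    @{ Name = 'BindSecondaries';      Default = 1;     Min = 0;    Max = 1;        Meaning = '1 = fast transfer format to BIND 4.9.4+ secondaries' }
    @{ Name = 'StrictFileParsing';    Default = 0;     Min = 0;    Max = 1;        Meaning = '1 = fail on load if bad zone data' }
    @{ Name = 'RoundRobin';           Default = 1;     Min = 0;    Max = 1;        Meaning = '1 = round robin enabled' }
    @{ Name = 'LocalNetPriority';     Default = 1;     Min = 0;    Max = 1;        Meaning = '1 = netmask ordering enabled' }
    @{ Name = 'SecureResponses';      Default = 1;     Min = 0;    Max = 1;        Meaning = '1 = secure cache against pollution' }
    @{ Name = 'EnableDnsSec';         Default = 1;     Min = 0;    Max = 2;        Meaning = '0 = exclude, 1 = only with OPT (same as absent), 2 = always' }
    @{ Name = 'EDNSCacheTimeout';     Default = $null; Min = 3600; Max = 15724800; Meaning = 'seconds the EDNS capabilities of remote servers are remembered' }
    @{ Name = 'EnableEDNSProbes';     Default = $null; Min = 0;    Max = 1;        Meaning = '1 = probe remote servers for EDNS support' }
    @{ Name = 'MaximumUdpPacketSize'; Default = 1280;  Min = 512;  Max = 16384;    Meaning = 'largest UDP message in bytes' }
)

function Compare-DnsServerParameters {
    # $Observed maps value name -> number as read from the Parameters key; names that are
    # absent mean the server runs with its default.
    param([hashtable]$Observed)
    foreach ($spec in $DnsParameterSpec) {
        $present = $Observed.ContainsKey($spec.Name)
        $value = if ($present) { [int64]$Observed[$spec.Name] } else { $spec.Default }
        if (-not $present) {
            $state = 'default (not set)'
        } elseif ($value -lt $spec.Min -or $value -gt $spec.Max) {
            $state = 'OUT OF RANGE'
        } elseif ($null -eq $spec.Default) {
            $state = 'set (no default given on this page)'
        } elseif ($value -ne $spec.Default) {
            $state = 'CHANGED from default'
        } else {
            $state = 'set to default'
        }
        [pscustomobject]@{
            Name    = $spec.Name
            Value   = $value
            Default = $spec.Default
            Range   = "$($spec.Min)-$($spec.Max)"
            State   = $state
            Meaning = $spec.Meaning
        }
    }
}

function Get-DnsServerParameterState {
    # Reads the live key; run on the DNS server with the administrative credentials noted above.
    $item = Get-ItemProperty -Path $DnsParametersKey -ErrorAction Stop
    $observed = @{}
    foreach ($spec in $DnsParameterSpec) {
        $prop = $item.PSObject.Properties[$spec.Name]
        if ($null -ne $prop) { $observed[$spec.Name] = $prop.Value }
    }
    Compare-DnsServerParameters -Observed $observed
}

# Constructed sample of values as they might be read from a server: cache protection switched
# off, a UDP size above the documented maximum, and the rest at their defaults.
$Sample = @{ SecureResponses = 0; RoundRobin = 1; EDNSCacheTimeout = 86400; MaximumUdpPacketSize = 65000 }
Compare-DnsServerParameters -Observed $Sample | Format-Table Name, Value, Default, Range, State -AutoSize

# On the DNS server itself: Get-DnsServerParameterState | Format-Table -AutoSize
```

Rows marked CHANGED on SecureResponses or NoRecursion are the ones to review first, since they govern the cache pollution and recursion behaviour described in the "Optimizing DNS" table.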


Securing DNS
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) was originally designed as an open protocol. Therefore, it is vulnerable to attackers. Security features in Windows Server 2003 DNS can help
you prevent an attack on your DNS infrastructure. Before considering which of the Windows Server 2003 security features to use, you should be aware of the following:

Common threats to DNS security
The level of DNS security in your organization

DNS Security Threats


The following are the typical ways in which your DNS infrastructure can be threatened by attackers:

Footprinting. The process by which DNS zone data, including DNS domain names, computer names, and Internet Protocol (IP) addresses for sensitive network
resources, is obtained by an attacker. An attacker commonly begins an attack by using this DNS data to diagram, or "footprint," a network. DNS domain names and
computer names usually indicate the function or location of a domain or computer to help users remember and identify domains and computers more easily. An
attacker takes advantage of this same DNS naming principle to learn the function or location of domains and computers in the network.
Denial-of-service attack. A scenario in which an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network
with recursive queries. As a DNS server is flooded with queries, its CPU usage eventually reaches its maximum, and the DNS Server service becomes unavailable.
Without a fully operating DNS server on the network, network services that use DNS are unavailable to network users.
Data modification. An attempt by an attacker that has footprinted a network by using DNS to use valid IP addresses in IP packets that the attacker has created. This
gives these packets the appearance of coming from a valid IP address in the network. This process is commonly called IP "spoofing." With a valid IP address (that is,
an IP address within the IP address range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.
Redirection. A scenario in which an attacker is able to redirect queries for DNS names to servers that are under the control of the attacker. One method of
redirection involves an attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers that are under the
control of the attacker. For example, if a query is made originally for sales.wingtiptoys.com and a referral answer provides a record for a domain name that the
attacker has outside the wingtiptoys.com domain, the DNS server uses the cached data for the attacker's domain to resolve a query for that name. Redirection can
occur whenever an attacker has writable access to DNS data, for example, in a scenario that includes dynamic updates that are not secure.

Mitigating DNS Security Threats
The following sections explain three levels of DNS security that you can apply to your current DNS configuration. You can use these three levels of security to increase the
DNS security of your organization.

Low-Level Security
Low-level security is a standard DNS deployment without any security precautions configured. You should deploy this level of DNS security only in network environments
where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity:

The DNS infrastructure of your organization is fully exposed to the Internet.
Standard DNS resolution is performed by all DNS servers in your network.
All DNS servers are configured with root hints pointing to the root servers for the Internet.
All DNS servers permit zone transfers to any server.
All DNS servers are configured to listen on all of their IP addresses.
Cache pollution prevention is disabled on all DNS servers.
Dynamic update is allowed for all DNS zones.
User Datagram Protocol (UDP) and TCP/IP port 53 is open on the firewall for your network for both source and destination addresses.

Medium-Level Security
Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory:

The DNS infrastructure of your organization has limited exposure to the Internet.
All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
All DNS servers limit zone transfers to servers that are listed in the name server (NS) resource records in their zones.
DNS servers are configured to listen on specified IP addresses.
Cache pollution prevention is enabled on all DNS servers.
Dynamic update that is not secure is not allowed for any DNS zones.
Internal DNS servers communicate with external DNS servers through a firewall with a limited list of allowed source addresses and destination addresses.
External DNS servers in front of the firewall are configured with root hints that point to the root servers for the Internet.
All Internet name resolution is performed by using proxy servers and gateways.

High-Level Security
High-level security uses the same configuration as medium-level security. It also uses the security features that are available when the DNS Server service is running on a
domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a
typical configuration, but it is recommended whenever Internet connectivity is not required:

The DNS infrastructure of your organization has no Internet communication by means of internal DNS servers.
Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
DNS servers that are configured with forwarders use internal DNS server IP addresses only.
All DNS servers limit zone transfers to specified IP addresses.
DNS servers are configured to listen on specified IP addresses.
Cache pollution prevention is enabled on all DNS servers.
Internal DNS servers are configured with root hints that point to the internal DNS servers that host the root zone for your internal namespace.
All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific
individuals to perform administrative tasks on the DNS server.
All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
Secure dynamic update is configured for DNS zones except the top-level zones and root zones, which do not allow dynamic updates at all.

Securing DNS
The following tasks for securing DNS are described in this objective:

Securing Domain Name System Zones
Securing the Domain Name System Server Service
Securing Domain Name System Clients


Securing Domain Name System Zones
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To secure the Domain Name System (DNS) zones in your environment, use the following guidelines:

Configure secure dynamic updates. By default, the Dynamic updates option is not set to allow dynamic updates. This is the most secure setting because it
prevents an attacker from updating DNS zones. However, this setting prevents you from taking advantage of the benefits to administration that dynamic updates
provide. To make it possible for computers to update DNS data securely, store DNS zones in Active Directory, and use the secure dynamic update feature. Secure
dynamic update restricts DNS zone updates to only the following:
Computers that are authenticated and joined to the Active Directory domain where the DNS server is located
The specific security settings that are defined in the access control lists (ACLs) for the DNS zone
Restrict zone transfers. By default, the DNS Server service allows zone information to be transferred only to servers that are listed in the name server (NS) resource
records of a zone. This is a secure configuration. However, for increased security this configuration should be changed to enable the option to allow zone transfers
to specified Internet Protocol (IP) addresses. Changing this configuration to allow zone transfers to any server at all may expose your DNS data to an attacker who is
attempting to footprint your network.
Understand the compromise involved in zone delegation. When you decide whether to delegate DNS domain names to zones that are hosted on DNS servers that
are administered separately, it is important to consider the security implications of giving the ability to administer the DNS data for your network to multiple
individuals. DNS zone delegation involves a compromise between the security benefits of having a single authoritative DNS server for all DNS data and the
administrative benefits of distributing responsibility for your DNS namespace to separate administrators. This issue is very important when you delegate the top-level domains of a private DNS namespace, because those domains contain very sensitive DNS data.

For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform the following procedures:

1. Enable secure dynamic updates
2. Modify DNS zone transfer settings
3. Managing DNS Resource Records

See Also
Other Resources
Deploying Domain Name System (DNS)

Enable secure dynamic updates
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory-integrated zones. If the zone
type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Enabling secure dynamic updates
Using the Windows interface
Using the command line

To enable secure dynamic updates using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is Active Directory-Integrated.
4. In Dynamic updates, click Secure only.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To enable secure dynamic updates using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2

ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName|..AllZones
    Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate 2
    Required. Configures the server to allow secure dynamic updates. If you exclude the 2, the zone is set to perform standard dynamic updates only.


Modify DNS zone transfer settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to change Domain Name System (DNS) zone transfer settings. To improve the security of your DNS infrastructure, zone transfers
should be allowed only for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to
perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Modifying DNS zone transfer settings
Using the Windows interface
Using the command line

To modify DNS zone transfer settings using the Windows interface
1. Open the DNS snap-in.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box.
To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server.
To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the Internet Protocol (IP) address of one or more
DNS servers.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To modify DNS zone transfer settings using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr|/NonSecure|/SecureNs|/SecureList [SecondaryIPAddress...]}

ServerName
    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
/NoXfr
    Disables zone transfers for the zone.
/NonSecure
    Permits zone transfers to any DNS server.
/SecureNs
    Permits zone transfers only to DNS servers that are listed in the zone using NS resource records.
/SecureList
    Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.
SecondaryIPAddress
    Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.


Delegating a Zone
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS
servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:

You want to delegate management of part of your DNS namespace to another location or department in your organization.
You want to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improving DNS name resolution performance, or creating
a more fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.

If, for any of these reasons, your network can benefit from delegating zones, it may make sense to restructure your namespace by adding additional zones. When choosing
how to structure zones, use a plan that reflects the structure of your organization.
When you delegate zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the
authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers
that are being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file that contains all resource record information on a single DNS server. This server acts as the primary
master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.
When you structure your zones, there are several good reasons to use additional DNS servers for zone replication:

Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network
(WAN) link can be useful in managing and reducing network traffic.
Additional secondary servers can be used to reduce loads on a primary server for a zone.

For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.
Install Nslookup.

To complete this task, perform one of the following procedures:

Create a new zone delegation
Verify a zone delegation

See Also
Other Resources
Deploying Domain Name System (DNS)

Create a new zone delegation
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to create a new zone delegation. All domains (or subdomains) that appear as part of the applicable zone delegation must be created
in the current zone before you perform delegation as described in this procedure. As necessary, use the DNS snap-in to first add domains to the zone before you perform
this procedure. You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Creating a new zone delegation
Using the Windows interface
Using the command line

To create a new zone delegation using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions in the New Delegation Wizard to finish creating the new delegated domain.

Note
To open DNS, click Start, point to Administrative Tools, and then click DNS.
To create a new zone delegation using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

ServerName
    Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName
    Required. Specifies the FQDN of the node in the DNS namespace for which the start-of-authority (SOA) record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging
    If this parameter is used, this resource record is able to be aged and scavenged. If it is not used, the resource record remains in the DNS database unless it is updated or removed manually.
/OpenAcl
    Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl
    Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
NS
    Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
HostName|FQDN
    Required. Specifies the host name or FQDN of the new authoritative server.


Verify a zone delegation
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administrative credentials
You do not need administrative credentials to perform this task. Therefore, as a security best practice, consider performing this task as a user without administrative
credentials.
To verify a zone delegation
1. At a command prompt, type the following command, and then press ENTER:
nslookup RootServerIpAddress
2. Type the following command, and then press ENTER:
nslookup
3. At the next prompt, type the following command, and then press ENTER:
set norecurse
4. At the next prompt, type the following command, and then press ENTER:
set q=NS
5. Type the fully qualified domain name (FQDN) for the failed name.
Use the trailing period (.) when you type the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers is
returned in the response.
6. If the NS query response contains no names or Internet Protocol (IP) addresses for delegated servers, type q=ns, and then query again using the FQDN for the
parent zone of the failed name.
For example, if the failed name that you used in the previous step was sales.wingtiptoys.com, query for wingtiptoys.com.
7. If the response contains NS resource records, but no host address (A) resource records, type set recurse, and then query individually for any of the A resource
records of the servers that are listed in the NS resource records.
If, for each NS resource record that you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
8. Either fix the broken delegation or retry the delegation test that is described in the previous step and use a different IP address.
If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an
A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

RootServerIpAddress
    The IP address of a valid root server for your network.
set norecurse
    Instructs the root server to not perform recursion on your query.
set q=NS
    Sends the query for NS resource records to the root server.
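The delegation test in steps 5 through 8 can also be expressed as code. The following Python function is an added example (not from the Microsoft guide) that walks the same logic over an in-memory snapshot of what the non-recursive NS queries and follow-up A queries returned; the snapshot, the wingtiptoys.com name servers and their addresses are constructed for this example, and a real resolver function can be passed in place of the snapshot lookup.

```python
"""Walk a DNS delegation the way the nslookup steps above do, over a snapshot.

Added example, not part of the Microsoft guide. The record snapshot below is
constructed: it stands in for the answers that the non-recursive NS queries
(steps 4 to 6) and the follow-up A queries (step 7) would return.
"""
from typing import Callable, Dict, List, Optional, Tuple

Lookup = Callable[[str, str], List[str]]

# (owner name with trailing period, record type) -> rdata list. Constructed.
SNAPSHOT: Dict[Tuple[str, str], List[str]] = {
    ("wingtiptoys.com.", "NS"): ["ns1.wingtiptoys.com.", "ns2.wingtiptoys.com."],
    ("ns1.wingtiptoys.com.", "A"): ["10.1.0.10"],
    ("ns2.wingtiptoys.com.", "A"): ["10.1.0.11"],
    ("sales.wingtiptoys.com.", "NS"): ["dns1.sales.wingtiptoys.com.",
                                       "dns2.sales.wingtiptoys.com."],
    ("dns1.sales.wingtiptoys.com.", "A"): ["10.2.0.53"],
    # dns2.sales has no A record in the parent: this delegation is broken.
}


def snapshot_lookup(name: str, rtype: str) -> List[str]:
    """Answer a query from the constructed snapshot (empty list = no records)."""
    return SNAPSHOT.get((name, rtype), [])


def parent_of(name: str) -> Optional[str]:
    """Strip the leftmost label: 'sales.wingtiptoys.com.' -> 'wingtiptoys.com.';
    'com.' -> '.'; the root has no parent."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest or "."


def check_delegation(failed_name: str,
                     lookup: Lookup = snapshot_lookup) -> Dict[str, object]:
    """Find the closest zone cut at or above failed_name (steps 5 and 6) and
    verify that every NS record there resolves to at least one A record
    (step 7). Returns the zone found, the servers with their addresses, and
    the NS names that lack an address (the delegation is broken if any do)."""
    name = failed_name if failed_name.endswith(".") else failed_name + "."
    zone: Optional[str] = name
    ns_names: List[str] = []
    while zone is not None:
        ns_names = lookup(zone, "NS")
        if ns_names:
            break
        zone = parent_of(zone)  # step 6: retry with the parent zone
    if zone is None:
        return {"zone": None, "servers": {}, "missing": [], "broken": True}
    servers = {ns: lookup(ns, "A") for ns in ns_names}  # step 7
    missing = [ns for ns, ips in servers.items() if not ips]
    return {"zone": zone, "servers": servers, "missing": missing,
            "broken": bool(missing)}


if __name__ == "__main__":
    for test_name in ("sales.wingtiptoys.com", "wingtiptoys.com"):
        report = check_delegation(test_name)
        state = "BROKEN" if report["broken"] else "ok"
        print(f"{test_name}: zone cut at {report['zone']} -> {state}")
        for ns in report["missing"]:
            # Step 8: add or update an A record in the parent zone for this server.
            print(f"  no A record for {ns}")
```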


Securing the Domain Name System Server Service
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To secure the Domain Name System (DNS) servers in your network, use the following guidelines:

Limit the Internet Protocol (IP) addresses that the DNS Server service listens on to the IP address that is used by its DNS clients as their preferred DNS server. By
default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries on all its IP addresses.
Leave the Secure cache against pollution option enabled. By default, the DNS Server service is secured from cache pollution, which occurs when DNS query
responses contain nonauthoritative or malicious data. The Secure cache against pollution option prevents an attacker from polluting the cache of a DNS server
with resource records that were not requested by the DNS server. Changing this default setting reduces the integrity of the responses that are provided by DNS
Server service.
Disable recursion. By default, recursion is not disabled for the DNS Server service. This enables the DNS server to perform recursive queries on behalf of its DNS
clients and the DNS servers that have forwarded DNS client queries to it. Attackers can use recursion to deny the DNS Server service. Therefore, if a DNS
server in your network is not intended to receive recursive queries, disable recursion on that server.
If you have an internal DNS root in your DNS infrastructure, configure the root hints of internal DNS servers to point only to the DNS servers that host your root
domain, not to the DNS servers that host the Internet root domain. This prevents your internal DNS servers from sending private information over the Internet when
they resolve names.
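The server settings in this section, the zone settings in Securing Domain Name System Zones, and the medium- and high-level checklists in Securing DNS all map to values that dnscmd reports. The following Python script is an added example (not part of the Microsoft guide) that parses the "name = value" output of dnscmd /Info and dnscmd /ZoneInfo and reports which level the configuration reaches and why; the field names, value meanings and sample output are assumptions of this example, and the sample output is constructed rather than captured from a server.

```python
"""Audit Windows DNS server settings against the medium/high-level checklists.

Added example, not part of the Microsoft guide. It reads the indented
"name = value" lines printed by "dnscmd ServerName /Info" and
"dnscmd ServerName /ZoneInfo ZoneName". Field names and value meanings are
assumptions about that output: NoRecursion 1 = recursion disabled;
SecureResponses 1 = cache pollution protection on; ListenAddresses NULL =
all interfaces; update 0/1/2 = none / nonsecure and secure / secure only;
DS integrated 1 = stored in AD; secure secs 0/1/2/3 = any server / NS
only / listed IPs / no transfers.
"""
import re
from typing import Dict, List

# Constructed sample shaped like "dnscmd . /Info" (not captured from a server).
SAMPLE_SERVER_INFO = """Query result:
Server info
        NoRecursion             = 0
        SecureResponses         = 1
        ListenAddresses
            Addr Count = 1
            Addr[0] => 10.0.0.5
        Forwarders              = NULL
Command completed successfully.
"""

# Constructed sample shaped like "dnscmd . /ZoneInfo corp.example".
SAMPLE_ZONE_INFO = """Zone query result:
Zone info:
        zone name               = corp.example
        update                  = 2
        DS integrated           = 1
        secure secs             = 1
Command completed successfully.
"""

ADDR = re.compile(r"Addr\[\d+\]\s*=>\s*(\S+)")


def parse_dnscmd(text: str) -> Dict[str, object]:
    """Turn indented 'name = value' lines into a dict. 'NULL' becomes an empty
    list; 'Addr[n] => ip' lines are appended to the key that precedes them."""
    result: Dict[str, object] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        addr = ADDR.search(line)
        if addr and isinstance(result.get(current), list):
            result[current].append(addr.group(1))
            continue
        if not raw[:1].isspace() or not line or line.startswith("Addr Count"):
            continue  # banners, blank lines and address counts carry no setting
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            result[key] = [] if value == "NULL" else value
        else:
            key = line  # bare key that introduces an address block
            result[key] = []
        current = key
    return result


def audit(server: Dict[str, object],
          zones: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Return the level reached ('low', 'medium' or 'high') plus the findings
    that keep the configuration below the next level."""
    findings: List[str] = []
    blocks_medium = blocks_high = False
    if not server.get("ListenAddresses"):
        findings.append("server listens on all IP addresses; use /ResetListenAddresses")
        blocks_medium = True
    if server.get("SecureResponses") != "1":
        findings.append("Secure cache against pollution is disabled")
        blocks_medium = True
    if server.get("NoRecursion") != "1":
        # Guideline from the server section, not part of the level checklist.
        findings.append("recursion is enabled; disable it if no client needs it")
    for name, zone in zones.items():
        if zone.get("update") == "1":
            findings.append(f"{name}: nonsecure dynamic update allowed; use /AllowUpdate 2")
            blocks_medium = True
        if zone.get("DS integrated") != "1":
            findings.append(f"{name}: zone is not stored in Active Directory")
            blocks_high = True
        xfr = zone.get("secure secs")
        if xfr == "0":
            findings.append(f"{name}: zone transfers are allowed to any server")
            blocks_medium = True
        elif xfr == "1":
            findings.append(f"{name}: transfers go to NS servers; high level needs /SecureList or /NoXfr")
            blocks_high = True
    level = "low" if blocks_medium else "medium" if blocks_high else "high"
    return {"level": level, "findings": findings}


if __name__ == "__main__":
    report = audit(parse_dnscmd(SAMPLE_SERVER_INFO),
                   {"corp.example": parse_dnscmd(SAMPLE_ZONE_INFO)})
    print("security level:", report["level"])
    for finding in report["findings"]:
        print(" -", finding)
```

To audit a real server, capture the text of dnscmd . /Info and dnscmd . /ZoneInfo ZoneName for each zone and pass it to parse_dnscmd in place of the constructed samples.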

For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform the following procedures:

1. Restrict the DNS server to listen on selected IP addresses
2. Secure the server cache against names pollution
3. Disable recursion
4. Update root hints

See Also
Other Resources
Deploying Domain Name System (DNS)

Restrict the DNS server to listen on selected IP addresses
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to restrict the DNS Server service to listen only on selected Internet Protocol (IP) addresses. By default, the DNS Server service listens
for Domain Name System (DNS) message communications on all configured IP addresses for the server computer. Restricting the DNS Server service to listen only on
specific IP addresses is an effective security measure because only hosts on the same network subnet or hosts with a router that connects them to that same segment
have access to the server.
Note
Server IP addresses that you add with this procedure must be managed statically. If you later change or remove addresses specified here from TCP/IP configurations
that are maintained at this server, update this list accordingly.
After you update or revise the list of restricted interfaces, stop and restart the DNS server to apply the new list.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Restricting the DNS server to listen on selected IP addresses
Using the Windows interface
Using the command line

To restrict the DNS server to listen on selected IP addresses using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. On the Interfaces tab, click Only the following IP addresses.
5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.
6. Repeat the previous step as needed to specify other server IP addresses to be enabled for use by this DNS server.
If you want to remove an IP address from the list, click the IP address, and then click Remove.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To restrict the DNS server to listen on selected IP addresses using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ResetListenAddresses [ListenAddress...]

ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ResetListenAddresses
    Required. Resets the IP addresses of the interfaces on which the DNS server listens.
ListenAddress...
    Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.


Secure the server cache against names pollution
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to secure the server cache against names pollution. This setting is enabled by default.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Securing the server cache against names pollution
To secure the server cache against names pollution
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Secure cache against pollution check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Disable recursion
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to disable recursion on the Domain Name System (DNS) server.
Note
If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Disabling recursion
Using the Windows interface
Using the command line

To disable recursion using the Windows interface


1. Open the DNS snap-in.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. In Server options, select the Disable recursion (also disables forwarders) check box, and then click OK.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To disable recursion using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /Config /NoRecursion {1|0}

ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/NoRecursion
    Required. Disables recursion.
{1|0}
    Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.


Update root hints
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to update root hints on the Domain Name System (DNS) server.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Updating root hints
To update root hints
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Root Hints tab.
5. Modify server root hints as follows:
To add a root server to the list, click Add, and then specify the name and Internet Protocol (IP) address of the server to be added to the list.
To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.
To remove a root server from the list, select it in the list, and then click Remove.
To copy root hints from a DNS server, click Copy from Server, and then specify the IP address of the DNS server from which you want to copy a list of root
servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.


Securing Domain Name System Clients


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following Domain Name System (DNS) client considerations have security implications for DNS clients in a DNS infrastructure:

Whenever possible, specify static Internet Protocol (IP) addresses for the preferred and alternate DNS servers that are to be used by a DNS client. If a DNS client is
configured to obtain its DNS server addresses automatically, it will obtain them from a Dynamic Host Configuration Protocol (DHCP) server. While this method of
obtaining DNS server addresses is secure, it is only as secure as the DHCP server. By configuring DNS clients with static IP addresses for the preferred and alternate
DNS servers, you eliminate one possible avenue of attack.
Control which DNS clients have access to the DNS server. If a DNS server is configured to listen only on specific IP addresses, only DNS clients that are configured to
use these IP addresses as preferred and alternate DNS servers will contact the DNS server.

For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
Task requirements
To begin this task, perform the following requirements:

Install Dnscmd.

To complete this task, perform the following procedures:

1. Configure DNS settings in Network Connections.


2. Restrict the DNS server to listen on selected IP addresses.

See Also
Other Resources
Deploying Domain Name System (DNS)

Configure DNS settings in Network Connections


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use this procedure to configure TCP/IP to use Domain Name System (DNS).
Administrative credentials
To complete this procedure, you must be a member of the Administrators group or the Network Configuration Operators group on the local computer.
To configure DNS settings in Network Connections
1. Open Network Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. On the General tab (for a local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.
5. If you want to configure DNS server addresses manually, click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server,
type the Internet Protocol (IP) addresses of the preferred DNS server and alternate DNS server.
6. To configure advanced DNS properties, click Advanced, click the DNS tab, and then do one or more of the following:
To configure an additional DNS server IP address:
a. Under DNS server addresses, in order of use, click Add.
b. In DNS server, type the IP address of the DNS server, and then click Add.
To resolve an unqualified name by appending the primary DNS suffix and the DNS suffix of each connection (if configured), click Append primary and
connection specific DNS suffixes. If you also want to search the parent suffixes of the primary DNS suffix up to the second-level domain, select the Append
parent suffixes of the primary DNS suffix check box.
To resolve an unqualified name by appending the suffixes from a list of configured suffixes, click Append these DNS suffixes (in order), and then click Add
to add suffixes to the list.
To use a DNS dynamic update to register the IP addresses of this connection and the primary domain name of the computer, select the Register this
connection's addresses in DNS check box. This option is enabled by default. The primary domain name of the computer is the primary DNS suffix appended
to the computer name, and it can be viewed as the full computer name on the Computer Name tab (which is available in System in Control Panel).
To use a DNS dynamic update to register the IP addresses and the connection-specific domain name of this connection, select the Use this connection's
DNS suffix in DNS registration check box. This option is disabled by default. The connection-specific domain name of this connection is the DNS suffix for
this connection appended to the computer name.
To completely disable DNS dynamic update for all names on the computer, clear the Register this connection's addresses in DNS and Use this
connection's DNS suffix in DNS registration check boxes for all connections in Network Connections.

Note
To open Network Connections, click Start, point to Control Panel, and then click Network Connections.


Restrict the DNS server to listen on selected IP addresses


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to restrict the DNS Server service to listen only on selected Internet Protocol (IP) addresses. By default, the DNS Server service listens
for Domain Name System (DNS) message communications on all configured IP addresses for the server computer. Restricting the DNS Server service to listen only on
specific IP addresses is an effective security measure because only hosts on the same network subnet or hosts with a router that connects them to that same segment
have access to the server.
Note
Server IP addresses that you add with this procedure must be managed statically. If you later change or remove addresses specified here from TCP/IP configurations
that are maintained at this server, update this list accordingly.
After you update or revise the list of restricted interfaces, stop and restart the DNS server to apply the new list.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.

Restricting the DNS server to listen on selected IP addresses


Using the Windows interface
Using the command line

To restrict the DNS server to listen on selected IP addresses using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server.
Where?
DNS/applicable DNS server
3. On the Action menu, click Properties.
4. On the Interfaces tab, click Only the following IP addresses.
5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.
6. Repeat the previous step as needed to specify other server IP addresses to be enabled for use by this DNS server.
If you want to remove an IP address from the list, click the IP address, and then click Remove.

Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To restrict the DNS server to listen on selected IP addresses using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ResetListenAddresses [ListenAddress...]

Values:

ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ResetListenAddresses: Required. Resets the IP addresses of the interfaces on which the DNS server listens.

ListenAddress...: Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.


Troubleshooting Domain Name System


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide provides troubleshooting information for Domain Name System (DNS) in Windows Server 2003 SP1. It is designed to help you identify and resolve problems
that may be related to DNS.
In this guide

Introduction to Troubleshooting Domain Name System


Verifying Computer Settings for Domain Name System
Configuring a Computer for Troubleshooting Domain Name System
Troubleshooting Domain Name System Problems
Additional Resources for Domain Name System

Acknowledgments
Produced by: Microsoft Windows Server User Assistance team
Project Writer: Andrea Weiss
Project Editor: Jim Becker

Introduction to Troubleshooting Domain Name System


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide explains how to troubleshoot Domain Name System (DNS). If you are not familiar with this guide, review the following sections of this introduction.

When to Use This Guide


You should use this guide when:

You have a problem that you believe is related to DNS, but you do not know how to resolve it.
You configure DNS settings, but DNS does not behave the way that you anticipate.
A program is not working properly, and you believe that DNS is causing the problem.

Do not use this guide to find out how to perform a task, such as configuring a stub zone or installing DNS. Information about how to perform tasks and configure settings
can be found in Administering DNS Operations.
This guide assumes that you have a basic understanding of what DNS is, how it works, and why your organization uses it for name resolution. You should also have a
thorough understanding of how DNS is deployed and managed in your organization. This includes an understanding of the mechanism that your organization uses to
configure and manage DNS settings.

How This Guide Is Organized


This guide is divided into four sections. Each section addresses a type of problem, ranging from less complex to more complex.
Verifying Computer Settings for Domain Name System
This section provides a list of prerequisites and settings that must be verified before you troubleshoot. Read this section first.
Configuring a Computer for Troubleshooting Domain Name System
This section describes how to configure your computer for troubleshooting.
Troubleshooting Domain Name System Problems
This section provides step-by-step diagnostic procedures and possible solutions that help you identify and fix DNS problems.
Additional Resources for Domain Name System
This section provides additional resources that are related to DNS.

Verifying Computer Settings for Domain Name System


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Before you begin troubleshooting, verify that your computer is configured properly and that Domain Name System (DNS) is set up and running properly.

Settings to Verify Before You Troubleshoot


Verify all of the following items:
Make sure you have administrative rights on the computer that you are troubleshooting
Install all critical updates and security updates for Windows Server 2003
Verify DNS client settings

Make sure you have administrative rights on the computer that you are troubleshooting.
You cannot modify DNS settings unless you are a member of the Administrators group on the computer that you are troubleshooting.
To verify that you are a member of the Administrators group on the computer that you are troubleshooting
1. Open the Computer Management snap-in.
2. In the console tree, double-click Local Users and Groups, and then click Groups.
3. In the details pane, double-click Administrators and verify that your account name, or a group of which your account is a member, appears in the Members list.

Install all critical updates and security updates for Windows Server 2003.
Some updates might be required for DNS to function properly.
To verify that you have all critical updates and security updates for Windows Server 2003
Click Start, click Windows Update, and then follow the instructions that appear on your screen.

Verify DNS client settings.


Verify that the DNS client does not have an external DNS server, such as a DNS server from an Internet service provider (ISP), in its TCP/IP configuration. In most cases, the
client should not use a DNS server from an ISP as either the preferred or alternate DNS server because the DNS server from the ISP is unable to resolve internal names.
Using a DNS server from an ISP in the TCP/IP configuration of a client can also cause problems with conflicting internal and external namespaces.
To verify DNS client settings
1. Log on to the computer with your Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network Connections, right-click the local area connection that you want, and then click Properties.
4. In Local Area Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. If Obtain an IP address automatically is selected, type the following at a command prompt:
ipconfig /all
6. Review the DNS server settings and verify that they are correct.


Configuring a Computer for Troubleshooting Domain Name System

Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Before you can use advanced troubleshooting techniques to identify and fix Domain Name System (DNS) problems, you need to configure your computer for
troubleshooting. In addition, you need a basic understanding of troubleshooting concepts, procedures, and tools.

Configuration Tasks for Troubleshooting


To configure your computer for troubleshooting, perform the following tasks:
Install Windows Server 2003 SP1
Install Windows Support Tools
Install Network Monitor
Enable DNS Debug Logging

Install Windows Server 2003 SP1


If possible, upgrade your DNS servers with Windows Server 2003 Service Pack 1 (SP1). To install this service pack, go to the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=9999) and follow the instructions for downloading the service pack.

Install Windows Support Tools


For improved diagnostic support, install the Windows Support Tools that ship with Windows Server 2003 SP1. The SP1 version of Windows Support Tools includes
an enhanced version of the Dcdiag.exe tool. The Dcdiag.exe command-line tool now provides new reporting on the overall health of replication with respect to
Active Directory security as well as new DNS diagnostic tests.
Make sure that the SP1 version of Windows Support Tools is installed on all DNS servers running Windows Server 2003 with SP1.

Options for Running SP1 Windows Support Tools


You can run Windows Support Tools that ship with Windows Server 2003 SP1 on computers running the following operating systems:

Windows Server 2003 with SP1


Windows Server 2003 without SP1

You can also run Dcdiag.exe on computers running Windows XP Professional, Windows XP Professional with SP1, or Windows XP Professional with Service Pack 2 (SP2).
Options for other tools vary by tool.

Options for Installing SP1 Windows Support Tools


The SP1 version of Windows Support Tools can be installed as an .msi package only on computers running Windows Server 2003 with SP1. To run Dcdiag from computers
running Windows Server 2003 without SP1 or from computers running Windows XP Professional, you must copy the respective executable files to those computers.
Requirements

Administrative credentials: To complete this procedure, you must be a member of the Builtin Administrators group.
Operating system: Windows Server 2003 with SP1. You cannot use Suptools.msi to install the SP1 version of Windows Support Tools on a computer that is not
running Windows Server 2003 with SP1.

To install Windows Support Tools


1. Insert the Windows CD into your CD-ROM drive.
2. If you are prompted to reinstall Windows, click No.
3. When the Welcome screen appears, click Perform additional tasks, and then click Browse this CD.
4. Go to the \Support\Tools folder. For complete setup information, see the Readme.htm file in this folder.
5. Double-click suptools.msi.
6. Follow the instructions that appear on your screen.

Install Network Monitor


You can use Network Monitor to troubleshoot connectivity issues by tracing network traffic between computers. For information about installing and using Network
Monitor, see Network Monitor on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42987).

Enable DNS Debug Logging


DNS debug logging creates a Dns.log file that contains debug logging activity. By default, this file is located in the C:\Windows\System32\DNS folder. Using debug logging
options slows DNS server performance; therefore, all debug logging options are disabled by default. You can use the following procedure to enable DNS debug logging.

Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as
command to perform this procedure.
To enable DNS debug logging
1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Debug Logging tab.
4. Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.

Notes

To set the debug logging options, you must first select Log packets for debugging.
To obtain useful debug logging output, select an option under Packet direction, an option under Transport protocol, and at least one more option.
In addition to selecting events for the DNS debug log file, you can specify the file name, location, and maximum file size for the file. In most cases, the default
selections are adequate. You may want to limit the traffic that the logging captures. If you want to limit the logging traffic to traffic between your server and a
specific DNS server, select the Filter packets by IP address check box, and then click Filter to add the appropriate IP addresses.
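Once debug logging is on, the useful work is reading Dns.log. The Python below is an added example, not from the original guide or from Microsoft: a parser for the packet lines the log writes, run over a few constructed lines modelled on the Windows Server 2003 layout (date, time, thread ID, PACKET, protocol, direction, remote IP, XID, "R" for a response, "Q", a bracketed flags field, query type, and the name in label-length form). The column order is assumed from that layout, so check the regular expression against your own Dns.log before relying on it. The script counts, per client, the queries received and the NXDOMAIN and REFUSED responses sent, and lists clients worth a second look; the server's own outbound recursive queries are ignored.

```python
import re
from collections import defaultdict

# Constructed sample lines, written for this example (not captured from a server).
SAMPLE_LOG = """\
20050302 10:15:42 3F8 PACKET  UDP Rcv 192.168.0.10   0002   Q [0001   D   NOERROR] A      (7)server5(7)contoso(3)com(0)
20050302 10:15:42 3F8 PACKET  UDP Snd 192.168.0.10   0002 R Q [8081   DR  NOERROR] A      (7)server5(7)contoso(3)com(0)
20050302 10:15:43 3F8 PACKET  UDP Rcv 192.168.0.77   0003   Q [0001   D   NOERROR] A      (8)oldhost1(7)contoso(3)com(0)
20050302 10:15:43 3F8 PACKET  UDP Snd 192.168.0.77   0003 R Q [8183   DR NXDOMAIN] A      (8)oldhost1(7)contoso(3)com(0)
20050302 10:15:44 3F8 PACKET  UDP Rcv 192.168.0.77   0004   Q [0001   D   NOERROR] A      (8)oldhost2(7)contoso(3)com(0)
20050302 10:15:44 3F8 PACKET  UDP Snd 192.168.0.77   0004 R Q [8183   DR NXDOMAIN] A      (8)oldhost2(7)contoso(3)com(0)
20050302 10:15:45 3F8 PACKET  TCP Rcv 192.168.0.77   0005   Q [0001   D   NOERROR] AXFR   (7)contoso(3)com(0)
20050302 10:15:45 3F8 PACKET  TCP Snd 192.168.0.77   0005 R Q [8185   DR  REFUSED] AXFR   (7)contoso(3)com(0)
DNS Server log file creation at 3/2/2005 10:15:40 AM
"""

# Assumed column layout: protocol, direction, remote IP, XID, optional "R", "Q",
# "[flags-hex flag-letters rcode]", query type, name as (len)label...(0).
PACKET_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<response>R)?\s*Q\s+\[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<flagchars>[A-Z]*)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\(\d+\)\S*)\s*$"
)


def decode_name(encoded):
    """Turn "(7)server5(7)contoso(3)com(0)" into "server5.contoso.com", checking each label length."""
    labels = []
    for length, text in re.findall(r"\((\d+)\)([^(]*)", encoded):
        if int(length) != len(text):
            raise ValueError(f"label length mismatch in {encoded!r}")
        if text:
            labels.append(text)
    return ".".join(labels)


def parse_line(line):
    """Return a dict for a packet line, or None for header/other lines."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"], "direction": d["direction"], "client": d["ip"],
        "xid": d["xid"], "is_response": d["response"] == "R", "rcode": d["rcode"],
        "qtype": d["qtype"], "qname": decode_name(d["qname"]),
    }


def summarize(lines):
    """Per-client counters for client-facing traffic only (queries received, responses sent)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "refused": 0,
                                 "zone_transfer_requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["direction"] == "Rcv" and not rec["is_response"]:
            s["queries"] += 1
            if rec["qtype"] in ("AXFR", "IXFR"):
                s["zone_transfer_requests"] += 1
        elif rec["direction"] == "Snd" and rec["is_response"]:
            if rec["rcode"] == "NXDOMAIN":
                s["nxdomain"] += 1
            elif rec["rcode"] == "REFUSED":
                s["refused"] += 1
    return dict(stats)


def clients_to_review(stats, nxdomain_threshold=2):
    """Clients with repeated NXDOMAIN answers (stale or mistyped configuration) or
    zone transfer requests from a client address (unexpected unless it is a secondary)."""
    return sorted(ip for ip, s in stats.items()
                  if s["nxdomain"] >= nxdomain_threshold or s["zone_transfer_requests"] > 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, counters in sorted(summary.items()):
        print(ip, counters)
    print("review:", clients_to_review(summary))
```

To use it on a real server, replace SAMPLE_LOG with the contents of the Dns.log file named on the Debug Logging tab, and keep the Packet direction and Transport protocol options from the Notes above selected so both the Rcv and Snd lines are present.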


Troubleshooting Domain Name System Problems


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain Name System (DNS) problems can prevent users from accessing the Internet or other computers on your intranet. This section addresses some of the most
common DNS-related problems that you might experience.
From the following list, choose the problem that best describes your situation, and then step through the suggested fix:

Secure dynamic updates fail


DNS server resolves some Internet names incorrectly
DNS client fails to resolve name
Zone transfers from a secondary DNS server fail
Dynamic updates for host records fail

If you suspect that domain controllers are having difficulty resolving DNS names, see Perform DNS Health Check (http://go.microsoft.com/fwlink/?LinkId=111844).

Secure dynamic updates fail


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This problem occurs when hosts fail to update a Domain Name System (DNS) zone that is configured for secure dynamic updates.

Cause
The host might not be configured properly to allow secure dynamic DNS updates. It might be configured to use an external DNS server, or it might be experiencing other
DNS configuration problems.

Solution
First, try to solve this problem by using the troubleshooting information in Dynamic updates for host records fail.
Hosts that perform secure dynamic updates should be members of a Windows 2000 Server or Windows Server 2003 domain, and they should be in a domain that is in the
same forest as the DNS server.
Verify that there is no problem with the machine account of the host that is attempting the update. Determine whether other hosts successfully perform secure dynamic
updates. If the problem is occurring on only one host, try removing the host from the domain and then rejoining it to the domain.
Verify that a record does not already exist with the same name. By default, records that are created by one host cannot be modified or removed by a different host. If
there is an existing record with the same name, delete the existing record and have the host attempt to register again.
To initiate a dynamic update for host and PTR records
At a command prompt, type the following command, and then press ENTER:
ipconfig /registerdns


DNS server resolves some Internet names incorrectly


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The symptom for this problem is that the Domain Name System (DNS) server stops resolving some Internet names correctly. It might give inaccurate responses or fail to
resolve Internet names completely, while other Internet names resolve accurately. This problem may get worse over time. Clearing the DNS server cache, restarting the DNS
service, or restarting the DNS server resolves the problem temporarily, but the problem may continue to occur.

Cause
The DNS server might be experiencing cache pollution. This is caused by the DNS server receiving and caching an inaccurate start of authority (SOA) record for a portion
of the Internet namespace. For example:

1. A DNS server queries a specific name server to resolve host.contoso.com.


2. The DNS server that is being queried gives a response. Along with the response in the authority section it gives an incorrect record for the .com namespace.
3. This record is cached and all new queries that contain the top-level domain name of com will not resolve, or they resolve to an incorrect Internet Protocol (IP)
address.
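The cache-pollution scenario above is easier to see with the bailiwick rule written out. The Python below is an added illustration, not Microsoft's implementation of the Secure cache against pollution option: a record in a response is cached only when its owner name falls under the zone the queried server is known to serve, so the stray SOA for com in the constructed reply is discarded instead of poisoning every later .com lookup. The records, names and addresses are made up for the example.

```python
# Added example: the bailiwick check behind cache-pollution protection.

# Constructed reply to a query for host.contoso.com sent to a contoso.com name server.
# Tuples are (section, owner name, record type, rdata).
RESPONSE_RECORDS = [
    ("answer",     "host.contoso.com", "A",   "192.168.0.25"),
    ("authority",  "contoso.com",      "NS",  "ns1.contoso.com"),
    # out of bailiwick: a contoso.com server has no business describing "com"
    ("authority",  "com",              "SOA", "ns1.fabrikam.com hostmaster.fabrikam.com 1 3600 600 86400 300"),
    ("additional", "ns1.contoso.com",  "A",   "192.168.0.200"),
    # out of bailiwick: glue for a name outside contoso.com
    ("additional", "ns1.fabrikam.com", "A",   "203.0.113.9"),
]


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or lies below it in the DNS tree."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if zone == "":                       # the root zone: every name is below it
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone, records):
    """Split a response into records that may be cached and records to discard."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec[1], zone) else dropped).append(rec)
    return kept, dropped


def cache_response(cache, zone, records, secure=True):
    """Merge a response into `cache`, a dict keyed by (owner, type).
    With secure=False every record is trusted, which is how the "com" SOA above
    would end up answering unrelated .com queries from cache."""
    to_store = filter_response(zone, records)[0] if secure else list(records)
    for _section, owner, rtype, rdata in to_store:
        cache[(owner.rstrip(".").lower(), rtype)] = rdata
    return cache


if __name__ == "__main__":
    kept, dropped = filter_response("contoso.com", RESPONSE_RECORDS)
    print("cached :", [(r[1], r[2]) for r in kept])
    print("dropped:", [(r[1], r[2]) for r in dropped])
```

The zone passed to `filter_response` is the one the queried server is authoritative for, which the resolver knows from the delegation it followed to reach that server; the answer for host.contoso.com and the contoso.com NS record and its glue pass, the two fabrikam-sourced records do not.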

Solution
Configure the DNS server for protection against cache pollution by completing the following procedure.
To configure the DNS server for protection against cache pollution
1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the DNS server that you want to protect against cache pollution, click Properties, and then click the Advanced tab.
3. Select the Secure cache against pollution check box, and then click OK.


DNS client fails to resolve name


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This problem may occur when a user is trying to access another computer on the intranet or the Internet. A user typically receives a Domain Name System (DNS) error
from the operating system or the browser.

Cause
Several problems can cause DNS name resolution to fail. If you have reviewed the topics for other problems in Troubleshooting Domain Name System Problems and they
do not seem to be the cause of the problem, DNS settings might be configured incorrectly on the DNS client.

Solution
Verify that the client does not have an external DNS server, such as a DNS server from an Internet service provider (ISP), in its TCP/IP configuration. In most cases, the client
should not use a DNS server from an ISP as either the preferred or alternate DNS server, because the DNS server at the ISP is unable to resolve internal names. Using a
DNS server from an ISP in a client's TCP/IP configuration can also cause problems with conflicting internal and external namespaces.
To verify DNS configuration in TCP/IP settings
1. Log on to the DNS client computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network and Dial-up Connections, right-click the local area connection that you want, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. Ensure that the appropriate DNS server IP addresses are configured in Preferred DNS server and Alternate DNS server. If Obtain an IP address automatically is
selected, click the Alternate Configuration tab, and then review all the IP settings that are configured there.
6. Type the following at a command prompt, and then press ENTER:
ipconfig /all
7. Review the DNS server settings, and verify that they are correct.
a. If the DNS server settings are not correct, ensure the appropriate settings are configured on the Dynamic Host Configuration Protocol (DHCP) server.
b. If your computer has an IP address that begins with 169.254, it is not obtaining an IP address from a DHCP server and likely does not have Alternate
Configuration enabled. In this case, diagnose the issue with the DHCP server or set an appropriate static IP address either directly or as an alternate
configuration.

Next, use the following procedure to verify that the name can be resolved by the DNS server.
To verify name resolution
At a command prompt, type the following command, and then press ENTER:
nslookup host_name server_IP_address

Substitute the actual host name that you are trying to resolve for host_name and the IP address of the DNS server for server_IP_address. For example, if the host name that
you are trying to resolve has a fully qualified domain name (FQDN) of server5.contoso.com and the DNS server's IP address is 192.168.0.200, type the following command,
and then press ENTER:
nslookup server5 192.168.0.200
You can also try using the FQDN:
nslookup server5.contoso.com 192.168.0.200
If the host name alone does not resolve, but the FQDN does resolve, confirm that the primary or connection-specific DNS suffix is configured correctly. You can use the
following procedure to add a DNS suffix search list.
To add a DNS suffix search list
1. Click Start, right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Double-click Internet Protocol (TCP/IP), and then click Advanced.
4. Click the DNS tab, and then click Append these DNS suffixes (in order).
5. Click Add, type the domain suffix of the desired domain, and then click Add.
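The candidate names a client tries for an unqualified host name come from the suffix options described under Configure DNS settings in Network Connections and from the suffix search list added here. The Python below is an added example, not the Windows resolver's code: it generates those candidates (primary suffix, then connection-specific suffix, then parent suffixes of the primary suffix devolved down to the second-level domain; that order is an assumption of the example, as is treating a trailing dot as "already qualified") and applies the reasoning above: if the FQDN resolves but no candidate does, the suffix configuration is at fault. `resolves` is a hypothetical callable standing in for nslookup; the offline check replaces it with a small constructed table.

```python
# Added example: the names a client generates for an unqualified host name, and the
# "short name fails, FQDN works" diagnosis from the procedure above.


def parent_suffixes(suffix):
    """Devolve a suffix toward its second-level domain: corp.contoso.com -> [contoso.com]."""
    labels = [l for l in suffix.rstrip(".").lower().split(".") if l]
    # stop before the top-level domain, i.e. keep at least two labels
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def candidate_names(name, primary_suffix="", connection_suffix="",
                    append_parent_suffixes=False, search_list=None):
    """FQDNs the client would try for `name`, in the (assumed) order it tries them."""
    name = name.lower()
    if name.endswith("."):               # trailing dot: fully qualified, nothing appended
        return [name.rstrip(".")]
    if search_list:                      # "Append these DNS suffixes (in order)" replaces the defaults
        suffixes = [s.rstrip(".").lower() for s in search_list]
    else:
        suffixes = []
        if primary_suffix:
            suffixes.append(primary_suffix.rstrip(".").lower())
        if connection_suffix:
            suffixes.append(connection_suffix.rstrip(".").lower())
        if append_parent_suffixes and primary_suffix:
            suffixes.extend(parent_suffixes(primary_suffix))
    seen, out = set(), []
    for s in suffixes:
        fqdn = f"{name}.{s}"
        if fqdn not in seen:             # drop duplicates but keep first-seen order
            seen.add(fqdn)
            out.append(fqdn)
    return out


def diagnose(short_name, fqdn, resolves, **resolver_settings):
    """Apply the page's reasoning. `resolves(fqdn) -> bool` wraps whatever lookup you use."""
    tried = candidate_names(short_name, **resolver_settings)
    if any(resolves(c) for c in tried):
        return "ok: short name resolves via a configured suffix"
    if resolves(fqdn.rstrip(".")):
        return "suffix problem: FQDN resolves but no candidate matched it"
    return "server or connectivity problem: neither short name nor FQDN resolves"


if __name__ == "__main__":
    # Constructed answer table standing in for nslookup against 192.168.0.200.
    known = {"server5.contoso.com"}
    lookup = lambda n: n in known
    print(candidate_names("server5", primary_suffix="corp.contoso.com",
                          append_parent_suffixes=True))
    print(diagnose("server5", "server5.contoso.com", lookup, primary_suffix="corp.contoso.com"))
```

In practice `resolves` would run `nslookup <candidate> <server_IP>` and test for an answer; the function's verdict then tells you whether to fix the suffix list (step 4 and 5 above) or to move on to the server-side and connectivity checks that follow.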

If both Nslookup commands fail to resolve the name, the problem is likely with the DNS server records or configuration, or it may be the result of a connectivity issue
between the DNS client and DNS server, such as a firewall blocking DNS queries (which are typically offered on TCP port 53). You can use the Portqry tool to test network
connectivity between two computers. For more information about downloading and using Portqry, see article 832919 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=111855).
If the connection is not successful, look for a firewall on the DNS client, on the DNS server, or somewhere between the two that could cause the connection failure.

If Portqry fails, there may be a connectivity issue between the computers. You can try using the Tracert or Pathping tools to find out where the failure exists. These
tools are not always reliable, because many hosts and servers disable the Internet Control Message Protocol (ICMP) echo functionality on which they depend;
even so, one of them may help locate the source of a problem. For more information about using Tracert, see article 314868 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=111861). For information about using Pathping, see Pathping (http://go.microsoft.com/fwlink/?LinkId=111864).
Note
If you locate and correct any issues on the DNS server, it is probable that your client computer cached the incorrect information, and your name resolution queries may
still fail. To resolve this issue, clear the DNS client resolver cache on the client computer. To clear the cache, type the following command at a command prompt, and
then press ENTER:
ipconfig /flushdns
For additional information about troubleshooting the DNS client configuration, see Validate DNS Client Settings (http://go.microsoft.com/fwlink/?LinkId=111865).

Zone transfers from a secondary DNS server fail


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In the DNS management console, the secondary zone has a red X in the right pane, along with an error message that reads as follows:

The DNS server encountered a problem while attempting to load the zone. The transfer of zone data from the master server failed.
Correct the problem then either press F5, or on the Action menu, click Refresh.
For more information about troubleshooting DNS zone problems, see Help.

Cause
The primary DNS server might not be configured properly to allow zone transfers from the secondary DNS server.

Solution
Use the following procedure to verify that the primary DNS server is configured to allow zone transfers from the secondary DNS server.
To verify that the primary DNS server is configured to allow zone transfers from the secondary DNS server
1. On the primary DNS server, click Start, point to All Programs, click Administrative Tools, and then click DNS.
2. In the console tree, double-click the DNS server.
3. In the console tree, double-click Forward Lookup Zones or Reverse Lookup Zones, as applicable.
4. Right-click the zone, click Properties, and then click the Zone Transfers tab.
5. Ensure that the Allow zone transfers check box is selected.

If zone transfer fails with Event ID 6525 Zone transfer for secondary zone <zone_name> refused by master server and the master server allows dynamic updates for the
zone, these failures are due to the zone transfer throttling mechanism, and they are expected. This mechanism limits the number of zone transfers to allow regular dynamic
updates to take place.

Dynamic updates for host records fail


Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Computers can fail to register the following host records:

Address (A) records, for a forward lookup zone


Pointer (PTR) records, for a reverse lookup zone

There might not be any error messages associated with these events. The only symptom of the problem might be the fact that the host records do not show up in the
Domain Name System (DNS) zone.

Cause
The host might not be configured properly to allow dynamic DNS updates. It might be configured to use an external DNS server, or it might be experiencing other DNS
configuration problems.

Solution
You can use the following procedure to verify that the host is configured for dynamic DNS updates.
To verify that the host is configured for dynamic DNS updates
1. Log on to the computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network Connections, right-click Local Area Connection, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. In Internet Protocol (TCP/IP) Properties, click Advanced, and then click the DNS tab.
6. Ensure that both of the following check boxes are selected:
Register this connection's addresses in DNS
Use this connection's DNS suffix in DNS registration
7. Click OK.

You can use the following procedure to verify that the client does not have an external DNS server, such as a DNS server from an Internet service provider (ISP), in its
TCP/IP configuration. In most cases, the client should not use a DNS server from an ISP as either the preferred or alternate DNS server, because the DNS server at the ISP
is unable to resolve internal names. Using a DNS server from an ISP in a client's TCP/IP configuration can also cause problems with conflicting internal and external
namespaces.
To verify DNS configuration in TCP/IP settings
1. Log on to the computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network Connections, right-click Local Area Connection, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. If Obtain an IP address automatically is selected, type the following at a command prompt:
ipconfig /all
6. Review the DNS server settings and verify that they are correct.

You can use the following procedure to verify that the start-of-authority (SOA) resource record can be resolved by the DNS servers. In this procedure, you use the
Nslookup.exe tool to test name resolution for the SOA record for the domain that the client is attempting to register in. Test this name resolution from each one of the
DNS servers that the client is configured to use.
To verify that the SOA record can be resolved by the DNS servers
1. At a command prompt, type the following command, and then press ENTER:
nslookup
2. At the nslookup: prompt, type the following command, and then press ENTER:
set querytype=SOA
3. At the nslookup: prompt, type the full name of the DNS zone that the client should be registering in (including a terminating dot at the end of the domain name), and then press ENTER.
4. To test another DNS server, at the nslookup: prompt, type the following command, and then press ENTER:
server IP_address
Then, type the domain name to be tested, and then press ENTER.

If this query attempt fails from any of your DNS servers, you might need to remove that DNS server from the client's TCP/IP settings.
You can use the following procedure to verify that the DNS zone is enabled for dynamic updates. Open the DNS management console to verify that the zone that the
clients need to register in is configured to accept dynamic updates.
To verify that the DNS zone is enabled for dynamic updates
1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, double-click the appropriate DNS server name, and then double-click Forward Lookup Zones.
3. Right-click the zone, and then click Properties.
4. On the General tab, view the Dynamic updates setting and make sure that it is set to Nonsecure and secure or Secure only.
5. If the setting is already set to Secure only and updates are still failing, try setting the zone to Nonsecure and secure for testing. If failures are seen only for Secure
only, see Secure dynamic updates fail.
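The two zone properties that this procedure and the zone-transfer check earlier in this topic ask you to inspect in the console (the Zone Transfers tab and the Dynamic updates setting on the General tab) can also be read for every primary zone at once. The following script is an added example, not code from this TechNet page or from Microsoft; it assumes the DnsServer PowerShell module that ships with Windows Server 2012 and later, which the Windows Server 2003 and 2008 releases this topic targets do not include (on those releases, dnscmd /ZoneInfo <zone_name> reports the equivalent fields). The property values and the Event ID 6525 correlation are taken from the page; the finding text is the example's own.

```powershell
# Added example, not from the TechNet page. Assumes the DnsServer module
# (Windows Server 2012 or later), run on or remoted to the DNS server.
Import-Module DnsServer

function Get-ZonePolicyReview {
    param(
        # DNS server to query; defaults to the local computer.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            $zone = $_
            $findings = @()

            # Zone Transfers tab: a cleared "Allow zone transfers" check box shows as
            # NoTransfer, and every secondary then logs Event ID 6525 on each attempt.
            switch ($zone.SecureSecondaries) {
                'NoTransfer'        { $findings += 'Zone transfers disabled; secondaries cannot pull this zone.' }
                'TransferAnyServer' { $findings += 'Transfers allowed to any server; restrict to NS hosts or a listed set.' }
            }

            # General tab: "None" / "Nonsecure and secure" / "Secure only" map to the
            # DynamicUpdate values None / NonsecureAndSecure / Secure.
            if ($zone.DynamicUpdate -eq 'None') {
                $findings += 'Dynamic updates disabled; clients cannot register A or PTR records here.'
            }
            elseif ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
                $findings += 'Nonsecure updates accepted; use only while testing, then return to Secure only.'
            }

            [pscustomobject]@{
                ZoneName        = $zone.ZoneName
                ReverseLookup   = $zone.IsReverseLookupZone
                DsIntegrated    = $zone.IsDsIntegrated
                ZoneTransfers   = $zone.SecureSecondaries
                TransferTargets = ($zone.SecondaryServers -join ', ')
                DynamicUpdate   = $zone.DynamicUpdate
                Findings        = ($findings -join ' ')
            }
        }
}

Get-ZonePolicyReview | Format-Table -AutoSize -Wrap
```

Run it once before and once after changing a zone setting for testing; the Findings column makes it obvious if a zone was left at Nonsecure and secure after the test described in step 5.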

You can use the following procedure to verify that the Dynamic Host Configuration Protocol (DHCP) Client service is started. The DHCP Client service is used to perform
dynamic updates, and it must be running.
To verify the status of DHCP or to start DHCP
1. Click Start, point to All Programs, point to Administrative Tools, and then click Services.
2. In the details pane, double-click DHCP Client and verify that the status of that service is Started. If the status is not Started, click Start to start the service.

You can use the following procedure to verify whether a single-label DNS domain name is being used.
To verify whether a single-label DNS domain name is being used
1. At a command prompt, type the following, and then press ENTER:
ipconfig /all
2. View the Primary DNS Suffix and the Connection-specific DNS Suffix to make sure that the specified domain name has at least two parts, separated by a dot, for
example, fabrikam.com. An example of a single-label domain is fabrikam.
3. If the host is using a single-label domain name, and this is correct for the environment, you have to use the registry setting of UpdateTopLevelDomainZones. For
more information about this registry setting, see article 300684, "Information about configuring Windows for domains with single-label DNS names," in the Microsoft
Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=37924).
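The client-side procedures in this Solution section (registration check boxes, configured DNS servers, SOA resolution from each server, the DHCP Client service, and the single-label suffix check) can be run together as one script. The following is an added example, not code from this TechNet page or from Microsoft. It assumes Windows 8 or Windows Server 2012 and later for the Resolve-DnsName cmdlet; the Win32_NetworkAdapterConfiguration properties, the Dhcp service name, and the Tcpip\Parameters registry value it reads are the same on earlier releases. Treating any public IPv4 address in the DNS server list as a possible ISP resolver is the example's own heuristic, not a statement from the page.

```powershell
# Added example, not from the TechNet page. Run in an elevated PowerShell session
# on the client whose A or PTR records are missing from the zone.

function Test-DynamicUpdatePrerequisites {
    param(
        # Zone the client should register in; defaults to the primary DNS suffix,
        # which is the value ipconfig /all shows as "Primary Dns Suffix".
        [string]$Zone = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Single-label domain check from the last procedure above.
    if ([string]::IsNullOrEmpty($Zone)) {
        $findings.Add('No primary DNS suffix is set; the client has no zone to register in.')
    }
    elseif ($Zone -notmatch '\.') {
        $findings.Add("Primary DNS suffix '$Zone' is single-label; see UpdateTopLevelDomainZones (KB 300684).")
    }

    # The DHCP Client service performs registration even for statically addressed hosts.
    $dhcp = Get-Service -Name Dhcp -ErrorAction SilentlyContinue
    if (-not $dhcp -or $dhcp.Status -ne 'Running') {
        $findings.Add('DHCP Client service is not running.')
    }

    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $name = $nic.Description

        # The two check boxes on the Advanced TCP/IP Settings > DNS tab.
        if (-not $nic.FullDNSRegistrationEnabled) {
            $findings.Add("$name : 'Register this connection's addresses in DNS' is cleared.")
        }
        if (-not $nic.DomainDNSRegistrationEnabled) {
            $findings.Add("$name : 'Use this connection's DNS suffix in DNS registration' is cleared.")
        }
        if ($nic.DNSDomain -and $nic.DNSDomain -notmatch '\.') {
            $findings.Add("$name : connection-specific suffix '$($nic.DNSDomain)' is single-label.")
        }

        foreach ($server in @($nic.DNSServerSearchOrder | Where-Object { $_ })) {
            # Heuristic (IPv4 only): a public address in the client's DNS list is
            # commonly an ISP resolver, which cannot answer for internal zones.
            if ($server -match '^\d' -and
                $server -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)') {
                $findings.Add("$name : DNS server $server is not a private address; check for an ISP resolver.")
            }

            # Same test as the nslookup procedure: SOA for the zone, from each server.
            if ($Zone) {
                try {
                    $soa = Resolve-DnsName -Name "$Zone." -Type SOA -Server $server -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'SOA' }
                    if (-not $soa) {
                        $findings.Add("$name : $server returned no SOA for $Zone; remove it from the client or fix it.")
                    }
                }
                catch {
                    $findings.Add("$name : SOA query for $Zone against $server failed: $($_.Exception.Message)")
                }
            }
        }
    }

    if ($findings.Count -eq 0) {
        $findings.Add("All client-side prerequisites for registering in $Zone look correct.")
    }
    return $findings
}

Test-DynamicUpdatePrerequisites
```

Each line of output corresponds to one of the console or command-prompt steps above, so the list can be worked through in the same order as the procedures. If the script reports nothing on the client, the remaining checks are on the server side: the zone's Dynamic updates setting and, for Secure only, the topic Secure dynamic updates fail.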


Additional Resources for Domain Name System


Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
For information about how Domain Name System (DNS) works, see the following resources:
DNS Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=48145)
DNS Support for Active Directory Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=48147)
For information about troubleshooting DNS problems, see Troubleshooting Domain Name System.
