
DNS best practices

Best practices

Enter the correct e-mail address of the responsible person for each zone you add to or manage on a DNS server. This field is used by applications to notify DNS administrators for a variety of reasons. For example, query errors, incorrect data returned in a query, and security problems are a few ways in which this field can be used. While most Internet e-mail addresses contain the at sign (@) when used in e-mail applications, this symbol must be replaced with a period (.) when entering an e-mail address for this field. For example, instead of "administrator@microsoft.com", you would use "administrator.microsoft.com".

Be conservative in adding alias records to zones. Avoid using CNAME resource records (RRs) where they are not needed to alias a host name used in a host (A) resource record. Also, ensure that any alias names you use are not used in other RRs. DNS allows an owner name of a CNAME resource record to be used as the owner name of the other types of resource records, such as NS, MX, and TXT resource records.
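The two practices above (a correctly formatted contact address in the SOA record, and alias names that are not reused in other resource records) can be checked mechanically against a zone written out in the BIND text format the page refers to. The following Python script is an added example, not part of the original help text or of the Windows DNS tooling; the zone fragment it examines is constructed, and its parser handles single-line records only.

```python
"""Lint checks for the two practices above: SOA contact address formatting and
CNAME owner-name collisions. Added example; the zone below is constructed."""
import re
from collections import defaultdict

# Constructed zone fragment in BIND text format (single-line records only).
SAMPLE_ZONE = """\
$ORIGIN example.microsoft.com.
@     IN SOA   dc1.example.microsoft.com. administrator.example.microsoft.com. 2003010101 900 600 86400 3600
@     IN NS    dc1.example.microsoft.com.
@     IN NS    dc2.example.microsoft.com.
dc1   IN A     10.0.0.14
dc2   IN A     10.0.0.15
www   IN CNAME dc1.example.microsoft.com.
mail  IN CNAME dc1.example.microsoft.com.
mail  IN MX    10 dc2.example.microsoft.com.
ftp   IN CNAME oldhost.example.microsoft.com.
"""


def email_to_rname(email):
    """Write an e-mail address the way the SOA contact field expects it: the '@'
    becomes a '.', and any dot in the local part is escaped so it can be told
    apart from the label separator (RFC 1035)."""
    local, at, domain = email.partition("@")
    if not at or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local.replace(".", "\\.") + "." + domain


def rname_to_email(rname):
    """Inverse of email_to_rname: split at the first unescaped dot."""
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"malformed SOA contact: {rname!r}")
    return parts[0].replace("\\.", ".") + "@" + parts[1]


def parse_zone(text):
    """Return (origin, records); each record is (owner, type, rdata) with the owner
    as an absolute lower-case name. Handles $ORIGIN, '@', relative owners and an
    optional TTL and class; parenthesised multi-line records are not needed here."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):
            continue                               # $TTL and friends are irrelevant here
        owner = fields[0].lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        i = 1
        if fields[i].isdigit():                    # optional TTL
            i += 1
        if fields[i].upper() in ("IN", "CH", "HS"):  # optional class
            i += 1
        records.append((owner, fields[i].upper(), " ".join(fields[i + 1:])))
    return origin, records


def cname_collisions(records):
    """Owner names that carry a CNAME and at least one other RR type. The text asks
    that alias names not be reused in other RRs; RFC 1034 forbids the mix."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    return {o: sorted(t) for o, t in types.items() if "CNAME" in t and len(t) > 1}


def dangling_cnames(origin, records):
    """In-zone CNAME targets with no A/AAAA record in this zone: aliases that no
    longer alias a host name used in a host (A) record."""
    hosts = {o for o, t, _ in records if t in ("A", "AAAA")}
    dangling = {}
    for owner, rtype, rdata in records:
        if rtype != "CNAME":
            continue
        target = rdata.lower()
        if not target.endswith("."):
            target = f"{target}.{origin}"
        if target.endswith("." + origin) and target not in hosts:
            dangling[owner] = target
    return dangling


def soa_contact(records):
    """Return the zone contact from the SOA record as an e-mail address."""
    for _, rtype, rdata in records:
        if rtype == "SOA":
            return rname_to_email(rdata.split()[1])
    raise ValueError("zone has no SOA record")


def lint_zone(text):
    origin, records = parse_zone(text)
    return {"contact": soa_contact(records),
            "cname_collisions": cname_collisions(records),
            "dangling_cnames": dangling_cnames(origin, records)}


if __name__ == "__main__":
    print(email_to_rname("administrator@microsoft.com"))   # administrator.microsoft.com
    for key, value in lint_zone(SAMPLE_ZONE).items():
        print(f"{key}: {value}")
```

Run against the constructed zone, the lint reports the mail name as both a CNAME and an MX owner, and the ftp alias as pointing at a name with no address record; the www alias, which only aliases a host that has an A record, passes.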

When designing your DNS network, use standard guidelines and, wherever possible, follow preferred practices for managing your DNS infrastructure. DNS was designed to provide a level of fault tolerance for resolving names. If possible, you should have at least two name servers hosting each zone.

If you are using Active Directory, use directory-integrated storage for your DNS zones for increased security, fault tolerance, simplified deployment and management. By integrating zones, you can simplify network planning. For example, domain controllers for each of your Active Directory domains correspond in a direct one-to-one mapping to DNS servers. This can simplify planning and troubleshooting DNS and Active Directory replication problems because the same server computers are used in both topologies. If you are using directory-integrated storage for your zones, you may select from the different replication scopes that replicate your DNS zone data throughout the directory. If your DNS infrastructure must support Windows 2000 DNS servers, you will use the directory-integrated storage method that replicates DNS zone data to all domain controllers in a domain. If your DNS infrastructure is composed of DNS servers running Windows Server 2003 only, you may also select from replication scopes that replicate your DNS zone data to all DNS servers in the Active Directory forest, all DNS servers in a specified Active Directory domain, or all domain controllers specified in a custom replication scope. Any DNS server hosting a directory-integrated zone is a primary DNS server for that zone. This enables a multimaster model where multiple DNS servers may update the same zone data. A multimaster model eliminates a single point of failure associated with a conventional single-master DNS topology, where updates may only be done to a single DNS server for a given zone. One of the important benefits of directory integration is the support for secure dynamic update of the names within a zone. For more information, see Dynamic update.

Consider the use of secondary zones to assist in off-loading DNS query traffic wherever it makes sense. Secondary servers can be used as backups for DNS clients. This allows you to use secondary servers as a means to load balance DNS query traffic on your network and reserve your DNS-enabled primary servers for use only by those clients that need them to perform dynamic registration and updates of their A and PTR RRs.

If you are planning a large DNS design, such as for a large Internet service provider (ISP) that supports the use of DNS, review the following Request for Comments (RFC) documents published by the Internet Engineering Task Force (IETF).

RFC   Title
1912  Common DNS Operational and Configuration Errors
2182  Selection and Operation of Secondary DNS Servers
2219  Use of DNS Aliases for Network Services

You can obtain these RFCs from the RFC Editor Web site. This Web site is currently maintained by members of the Information Sciences Institute (ISI) who publish a classified listing of all RFCs. RFCs are classified as one of the following: approved Internet standards, proposed Internet standards (circulated in draft form for review), Internet best practices, or For Your Information (FYI) documents.

How to...

Install and Configure Servers
Install and Configure Clients
Manage Servers
Optimize Servers
Monitor Servers
Add and Remove Zones
Configure Zone Properties
Manage Zones
Manage Resource Records
Use Aging and Scavenging

Install and configure servers

Install a DNS server
Configure a DNS server for use with Active Directory
Verify DNS registration for domain controllers using the nslookup command
Configure a new DNS server
Modify security for the DNS Server service on a domain controller
Add a secondary server for an existing zone
Install a caching-only DNS server
Restrict a DNS server to listen only on selected addresses
Configure a DNS server to use forwarders
Create the default DNS application directory partitions
Create a DNS application directory partition
Enlist a DNS server in a DNS application directory partition
Remove a DNS server from a DNS application directory partition

To install a DNS server

1. Open Windows Components Wizard.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4. If prompted, in Copy files from, type the full path to the distribution files, and then click OK. Required files are copied to your hard disk.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open the Windows Components Wizard, click Start, click Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components. Certain Windows components require configuration before they can be used. If you installed one or more of these components but did not configure them, when you click Add/Remove Windows Components, a list of components that need to be configured is displayed. To start the Windows Components Wizard, click Components.

It is recommended that you manually configure the computer to use a static IP address. If the DNS server is configured to use DHCP-assigned dynamic addresses, when the DHCP server assigns a new IP address to the DNS server, the DNS clients configured to use that DNS server's previous IP address will be unable to resolve the previous IP address and locate the DNS server.

After you install a DNS server, you can decide how to administer it and its zones. Although you can use a text editor to make changes to server boot and zone files, this method is not recommended. The DNS console and the DNS command-line tool, dnscmd, simplify maintenance of these files and should be used whenever possible. Once you begin using console-based or command-line management of these files, manually editing them is not recommended. For more information, see Related Topics.

DNS zones stored in Active Directory can be administered using the DNS console or the dnscmd command-line tool only. These zones cannot be administered using a text editor.

If you uninstall a DNS server hosting Active Directory-integrated zones, these zones will be saved or deleted according to their storage type. For all storage types, the zone data is stored on other domain controllers or DNS servers and will not be deleted unless the DNS server that you uninstall is the last DNS server hosting that zone.

If you uninstall a DNS server hosting standard DNS zones, the zone files will remain in the systemroot\system32\Dns directory, but they will not be reloaded if the DNS server is reinstalled. If you create a new zone with the same name as an old zone, the old zone file is replaced with the new zone file.

When writing DNS server boot and zone data to text files, DNS servers use the Berkeley Internet Name Domain (BIND) file format recognized by legacy BIND 4 servers, not the more recent BIND 8 format.

Information about functional differences

Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

To configure a DNS server for use with Active Directory

When Active Directory is installed using the Active Directory Installation Wizard, the option to automatically install and configure a local DNS server for use is provided. To install Active Directory on this computer, use the Active Directory Installation Wizard. For more information, see Related Topics.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

This procedure only applies to server computers used as domain controllers. If member servers are used as DNS servers, they are not integrated with Active Directory.

If you choose the Active Directory Installation Wizard option to automatically install and configure a local DNS server, the DNS server is installed on the computer where you are running the wizard and the computer's preferred DNS server setting is configured to use the new local DNS server. You will also want to configure any other computers that will join this domain to use this DNS server's IP address as their preferred DNS server.

This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To verify DNS registration for domain controllers using the nslookup command

1. Open Command Prompt.
2. Type:

   nslookup

3. After the previous command completes, at the nslookup (">") prompt type:

   set q=rr_type

4. After the previous command completes, type:

   _ldap._tcp.dc._msdcs.Active_Directory_domain_name

5. Review the output of the previous SRV query and determine if further action is needed based on whether the previous query succeeded or failed:
   o If the query succeeded, review the registered SRV RRs returned in the query to determine if all domain controllers for your Active Directory domain are included and registered using valid IP addresses.
   o If the query failed, continue troubleshooting dynamic update or DNS server related issues to determine the exact cause of the problem.

Value - Description

nslookup - The name of the command-line program.

_ldap._tcp.dc._msdcs.Active_Directory_domain_name - The DNS name configured for use with your Active Directory domain and any of its associated domain controllers. For example, if the DNS domain name of your Active Directory domain is example.microsoft.com, type: _ldap._tcp.dc._msdcs.example.microsoft.com

set q= - The command to send the query to the root server.

rr_type - The resource record (RR) type to apply as a filter for subsequent lookups. For example, in this instance, because you want to limit subsequent name queries to filter and return only service location (SRV) RRs that use a specified name, type: set q=srv

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter and then type help

In some cases, when performing the above procedure, you might see several time-outs reported. This happens when reverse lookup is not configured for DNS servers servicing the same DNS domain as your Active Directory domain. The following is an example of command-line output for an Nslookup session, used to verify service location (SRV) resource records that are registered by domain controllers. In this example, the two domain controllers are dc1 and dc2 and are registered for the "example.microsoft.com" domain.

C:\>nslookup
Default Server:  dc1.example.microsoft.com
Address:  10.0.0.14

> set type=srv
> _ldap._tcp.dc._msdcs.example.microsoft.com
Server:  dc1.example.microsoft.com
Address:  10.0.0.14

_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc1.example.microsoft.com
_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc2.example.microsoft.com
dc1.example.microsoft.com       internet address = 10.0.0.14
dc2.example.microsoft.com       internet address = 10.0.0.15

The nslookup command is a standard command-line tool provided in most DNS service implementations. It offers the ability to perform query testing of DNS servers and obtain detailed responses as the command output. This information is useful in troubleshooting name resolution problems, verifying that resource records (RRs) are added or updated correctly in a zone, and debugging other server-related problems. Verify that resource records used to register services and critical hosts, such as domain controllers, are correctly added to zones. In some cases, you might need to manually add or verify registration of the service location (SRV) resource records used to support Windows Server 2003 domain controllers. To add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation wizard when a server computer is promoted to a domain controller. It can be found at: systemroot\System32\Config\Netlogon.dns

The resource records used in this file are listed in RFC-compliant text-file format. When verifying these records, look for the following records:

_ldap._tcp.Active_Directory_domain_name IN SRV 0 0 389 ldap_server_name
_ldap._tcp.dc._msdcs.Active_Directory_domain_name IN SRV 0 0 389 domain_controller_name

In some cases, you might need to modify the Lightweight Directory Access Protocol (LDAP) server name if you are using a non-domain controller as an LDAP server for your network.
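Step 5 of the nslookup procedure above (are all domain controllers registered, with valid IP addresses?) and the comparison against a domain controller's Netlogon.dns can be done in code rather than by eye. The following Python script is an added example, not from the original help text or from Microsoft's tools; both inputs are constructed in the shapes the page shows (an nslookup SRV session and the RFC-style lines of Netlogon.dns), and the domain controller names are assumptions.

```python
"""Cross-check domain controller SRV registration: the records a DC wrote to
Netlogon.dns versus what the nslookup SRV query in the procedure returned.
Added example; both inputs below are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of dc1's Netlogon.dns (owner TTL IN SRV priority weight port target).
NETLOGON_DNS = """\
example.microsoft.com. 600 IN A 10.0.0.14
_ldap._tcp.example.microsoft.com. 600 IN SRV 0 100 389 dc1.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 389 dc1.example.microsoft.com.
_kerberos._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 88 dc1.example.microsoft.com.
"""

# Constructed nslookup output, in the shape of the page's sample session.
NSLOOKUP_OUTPUT = """\
Server:  dc1.example.microsoft.com
Address:  10.0.0.14

_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.microsoft.com
_ldap._tcp.dc._msdcs.example.microsoft.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.example.microsoft.com
dc1.example.microsoft.com       internet address = 10.0.0.14
dc2.example.microsoft.com       internet address = 10.0.0.15
"""

SRV_HEADER = re.compile(r"^(\S+)\s+SRV service location:")
SRV_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")
ADDRESS = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)")


def canon(name):
    """Canonical owner/target form: lower case, no trailing dot."""
    return name.lower().rstrip(".")


def parse_netlogon_dns(text):
    """Return {owner: {(priority, weight, port, target)}} for the SRV lines."""
    srv = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[2].upper() == "IN" and f[3].upper() == "SRV":
            srv[canon(f[0])].add((int(f[4]), int(f[5]), int(f[6]), canon(f[7])))
    return srv


def parse_nslookup(text):
    """Return (srv, addresses) from an nslookup SRV session: srv maps owner to a
    set of (priority, weight, port, target); addresses maps host to its IP."""
    srv, addresses = defaultdict(set), {}
    current, fields = None, {}
    for line in text.splitlines():
        if m := SRV_HEADER.match(line):
            current, fields = canon(m.group(1)), {}
        elif (m := SRV_FIELD.match(line)) and current:
            fields[m.group(1)] = m.group(2)
            if len(fields) == 4:            # all four attributes seen: emit one record
                srv[current].add((int(fields["priority"]), int(fields["weight"]),
                                  int(fields["port"]), canon(fields["svr hostname"])))
                current = None
        elif m := ADDRESS.match(line):
            addresses[canon(m.group(1))] = m.group(2)
    return srv, addresses


def verify_dc_registration(domain, expected_dcs, nslookup_text):
    """Step 5 as code: expected DCs missing from the _ldap._tcp.dc._msdcs answer,
    registered targets that were not expected, and targets with no valid address."""
    srv, addresses = parse_nslookup(nslookup_text)
    owner = f"_ldap._tcp.dc._msdcs.{canon(domain)}"
    registered = {target for _, _, _, target in srv.get(owner, set())}
    expected = {canon(d) for d in expected_dcs}
    no_address = set()
    for host in registered:
        try:
            ipaddress.ip_address(addresses[host])
        except (KeyError, ValueError):
            no_address.add(host)
    return {"missing": expected - registered,
            "unexpected": registered - expected,
            "no_valid_address": no_address}


def unpublished_records(netlogon_text, nslookup_text):
    """SRV records in Netlogon.dns that the server did not return for an owner name
    it was queried for: a sign the dynamic update never reached the zone."""
    answer, _ = parse_nslookup(nslookup_text)
    missing = set()
    for owner, recs in parse_netlogon_dns(netlogon_text).items():
        if owner in answer:
            missing |= {(owner,) + r for r in recs - answer[owner]}
    return missing


if __name__ == "__main__":
    dcs = ["dc1.example.microsoft.com", "dc2.example.microsoft.com", "dc3.example.microsoft.com"]
    print(verify_dc_registration("example.microsoft.com", dcs, NSLOOKUP_OUTPUT))
    print(unpublished_records(NETLOGON_DNS, NSLOOKUP_OUTPUT))
```

Only owner names that were actually queried are compared, since nslookup returns nothing about names it was not asked for; to cover the other records in Netlogon.dns, repeat the query for each owner name and feed the combined output to the same functions.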

The Net Logon service on each domain controller registers, as appropriate, a number of different DNS resource records with DNS servers. To learn more about these records and how Net Logon updates DNS, obtain additional technical information on DNS available from the Microsoft Web site. For more information, see Related Topics.

To configure a new DNS server

Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. If needed, add and connect to the applicable server in the console.
3. In the console tree, click the applicable DNS server. Where?
   o DNS/Applicable DNS server
4. On the Action menu, click Configure a DNS Server.
5. Follow the instructions in the Configure a DNS Server Wizard.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

If the DNS server is running locally, you do not need to perform step 2.

As a best practice, use the checklist for installing a new DNS server. For more information, see Related Topics.

When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones.

Using a command line

1. Open Command Prompt.
2. Type:

   dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}

Value - Description

dnscmd - Specifies the name of the command-line tool.

ServerName - Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/Config - Specifies the configuration command.

{ZoneName|..AllZones} - Specifies the name of the zone to be configured. To apply the configuration for all zones hosted by the specified DNS server, type ..AllZones.

Property - Specifies the server property or zone property to be configured. There are different properties available for servers and zones. For a list of the available properties, at the command prompt, type: dnscmd /Config /help

{1|0} - Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone properties must be reset as part of a more complex operation.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

As a best practice, use the checklist for installing a new DNS server provided in the online Help. For more information, see Related Topics.

When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones.

To modify security for the DNS Server service on a domain controller

1. Open DNS.
2. In the console tree, right-click the applicable server, and then click Properties.
3. On the Security tab, modify the list of member users or groups that are allowed to administer the applicable server.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Active Directory access control lists (ACLs) are only supported for the DNS Server service when it is running on a domain controller. The security settings determine who can administer the server, but do not affect the ACLs for the zones and resource records hosted on the server. To apply security settings for DNS zones and resource records, see Related Topics.

This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To add a secondary server for an existing zone

Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server. Where?
   o DNS/Applicable DNS server
3. On the Action menu, click New Zone.
4. Follow the instructions in the New Zone Wizard. When adding the zone, select Secondary zone as the zone type.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

If the DNS server is running locally, you do not need to perform step 2.

In order to add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.

Using a command line

1. Open Command Prompt.
2. Type:

   dnscmd ServerName /ZoneAdd ZoneName /Secondary MasterIPaddress... [/file FileName]

Value - Description

dnscmd - Specifies the name of the command-line tool.

ServerName - Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneAdd - Required. Adds a zone.

ZoneName - Required. Specifies the fully qualified domain name (FQDN) of the secondary zone you are adding. The zone name must be the same as the primary zone from which the secondary zone is created.

/Secondary - Required. Adds a secondary zone type.

MasterIPaddress... - Required. Specifies one or more IP addresses for the master servers of the secondary zone, from which it copies zone data.

/file - Specifies the command to use a file.

FileName - Specifies the name of the file to use for creating the secondary zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help

To add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.

To install a caching-only DNS server

1. To install a caching-only DNS server, install a DNS server on the server computer.
2. Do not configure the DNS server (as you might normally) to load any zones.
3. Verify server root hints are configured or updated correctly. For more information, see Related Topics.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

Caching-only DNS servers do not host any zones and are not authoritative for a particular domain. They are DNS servers that build a local server cache of names learned while performing recursive queries on behalf of their clients. This information is then available from the cache when answering subsequent client queries. A caching-only DNS server can be valuable at a site where DNS functionality is needed locally but it is not administratively desirable to create a separate domain or zone for that location.

It is strongly recommended that, when operating the computer as a DNS server, you manually configure TCP/IP and use a static IP address.

To restrict a DNS server to listen only on selected addresses

Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server. Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. On the Interfaces tab, click Only the following IP addresses.
5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.
6. As needed, repeat the previous step to specify other server IP addresses to be enabled for use by this DNS server. If you need to remove an IP address from the list, click it and then click Remove.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly. After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.

Using a command line

1. Open Command Prompt.
2. Type:

   dnscmd ServerName /ResetListenAddresses [ListenAddress ...]

Value - Description

dnscmd - Specifies the name of the command-line tool.

ServerName - Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ResetListenAddresses - Required. Resets the IP addresses of the interfaces on which the DNS server listens.

ListenAddress... - Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd ServerName /ResetListenAddresses /help

Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly. After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list. Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.

To configure a DNS server to use forwarders

Using the Windows interface
Using a command line

Using the Windows interface

1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server. Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. On the Forwarders tab, click Edit.
5. Type the IP address for the fully qualified domain name (FQDN) of a forwarder, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the DNS server will wait 5 seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds before forward queries time out, you can change the number of seconds the DNS server will wait. When the server has exhausted all forwarders, it will attempt standard recursion. If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the Do not use recursion for this domain check box.

You can disable recursion for the DNS server so that it will not perform recursion on any query. If you disable recursion on the DNS server, you will not be able to use forwarders on the same server. For more information about disabling recursion on the DNS server, see Related Links.

Do not enter a forwarder's IP address more than once in a DNS server's forwarders list because it is a more reliable or geographically closer server. If one of the forwarders is preferred, that forwarder should be ordered first in the series of forwarder IP addresses. Problems associated with forwarders often result from inefficient configurations and overuse.

Using a command line 1. Open Command Prompt. 2. Type: dnscmdServerName/ZoneAddZoneName/ForwarderMasterIPaddress ... [/TimeOut Time] [/Slave]

Value

Description

dnscmd ServerName /ZoneAdd

Specifies the name of the command-line tool. Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). Required. Adds a zone.
Page 17 of 165

ZoneName

Required. Specifies the FQDN of the zone. Required. Specifies the command to configure a forwarder. When configuring forwarders on DNS servers running on Active Directory domain controllers, you must use /Forwarder /DsForwarder in place of /Forwarder. /DsForwarder will replicate the forwarder setting to all DNS servers running on domain controllers in an Active Directory domain. Required. Specifies a space-separated list of one or more IP MasterIPaddre addresses of the DNS servers where queries for ZoneName ss... are forwarded. You may specify a list of space-separated IP addresses. Specifies the timeout setting. The timeout setting is the /TimeOut number of seconds before unsuccessful forward queries time out. Specifies the value for the /TimeOut parameter. The value Time is in seconds. The default timeout is 5 seconds. Determines whether or not the DNS server uses recursion /Slave when querying for the domain name specified by ZoneName. Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Links. To view the complete syntax for this command, at a command prompt, type: dnscmd/ZoneAdd/help

To view a zone added for use as only a conditional forwarder, use the following command:

dnscmd ServerName /ZoneInfo ZoneName

To reset the forwarder IP addresses for a conditional forwarder domain name, type:

dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [ServerIPs]

The /Local parameter sets the local master list for Active Directory-integrated forwarders, and the ServerIPs parameter is the list of one or more IP addresses of master servers for the zone. Master servers may include DNS servers that host primary or secondary copies of the zone, but they should not include DNS server IP addresses in such a way that two DNS servers hosting copies of a zone use each other as master servers. Such a configuration would make the forwarding path cyclical.

To reset the standard, nonconditional forwarder for a DNS server, type:

dnscmd ServerName /ResetForwarders [IPAddress ...] [/[No]Slave] [/TimeOut Time]

The parameter IPAddress is the IP address where the DNS server will forward unsolvable DNS queries. The /Slave parameter sets the DNS server as a subordinate server. The /NoSlave parameter (default setting) sets the DNS server as a nonsubordinate server, meaning that it will perform recursion. The /TimeOut and Time parameters are described in the table above.

You cannot use a domain name in a conditional forwarder if the DNS server hosts a primary, secondary, or stub zone for that domain name. For example, if a DNS server is authoritative for the domain name example.microsoft.com (hosts the primary zone for that domain name), you cannot configure that DNS server with a conditional forwarder for example.microsoft.com. Problems associated with forwarders often result from inefficient configurations and overuse.
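The conditional-forwarder procedure above, scripted so that the constraint just described is checked before anything changes: the server must not already host a primary, secondary or stub zone for the name, and a master address that is the server's own address would make the forwarding path cyclical. This is an added example and not part of the original documentation; it assumes dnscmd.exe is on the path, and the server name, zone name and master addresses are placeholders for your own environment.

```powershell
# Added example (not from the original documentation). Adds a conditional
# forwarder with dnscmd after checking that the server does not already host
# a primary, secondary or stub zone for the name, warns when a master address
# belongs to this computer (cyclical forwarding path), then verifies the zone
# with /ZoneInfo. Assumes dnscmd.exe is available; names and addresses below
# are placeholders.
param(
    [string]$ServerName  = ".",                          # "." = local DNS server
    [string]$ZoneName    = "partner.example.com",        # placeholder zone
    [string[]]$MasterIPs = @("10.0.0.5", "10.0.0.6"),    # constructed addresses
    [int]$TimeOut        = 5,                            # seconds (page default)
    [switch]$DsForwarder                                 # replicate through AD
)

# Step 1: enumerate the zones the server already hosts. dnscmd /EnumZones
# prints one zone per line: name, then type (Primary, Secondary, Stub,
# Forwarder, Cache), then storage. Header and footer lines carry no such type.
$output = & dnscmd $ServerName /EnumZones 2>&1
if ($LASTEXITCODE -ne 0) { throw "dnscmd /EnumZones failed:`n$($output -join "`n")" }

$hosted = foreach ($line in $output) {
    $parts = "$line".Trim() -split '\s+'
    if ($parts.Count -ge 2 -and $parts[1] -in 'Primary', 'Secondary', 'Stub', 'Forwarder') {
        [pscustomobject]@{ Name = $parts[0]; Type = $parts[1] }
    }
}
$clash = $hosted | Where-Object { $_.Name -ieq $ZoneName }
if ($clash) {
    throw "$ServerName already hosts $ZoneName as a $($clash.Type) zone; a conditional forwarder cannot be added for that name."
}

# Step 2: a master that is this server itself would forward queries to itself.
# Only checkable for the local server; Get-NetIPAddress needs the NetTCPIP
# module (Windows 8 / Windows Server 2012 and later).
if ($ServerName -eq "." -and (Get-Command Get-NetIPAddress -ErrorAction SilentlyContinue)) {
    $localAddresses = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    foreach ($ip in $MasterIPs) {
        if ($ip -in $localAddresses) {
            Write-Warning "Master $ip is an address of this server; the forwarding path would be cyclical."
        }
    }
}

# Step 3: add the forwarder. /DsForwarder replicates the setting to every DNS
# server running on a domain controller in the domain, as the table describes.
$mode    = if ($DsForwarder) { "/DsForwarder" } else { "/Forwarder" }
$cmdArgs = @($ServerName, "/ZoneAdd", $ZoneName, $mode) + $MasterIPs + @("/TimeOut", $TimeOut)
& dnscmd @cmdArgs
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed" }

# Step 4: confirm the zone now exists as a forwarder and show its masters.
& dnscmd $ServerName /ZoneInfo $ZoneName
```

Run it from an elevated prompt (Run as, as the notes recommend) on the DNS server or against a remote server name; the /EnumZones parse relies on the English column layout of dnscmd output.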

To create the default DNS application directory partitions

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable DNS server.

   Where?
   o DNS/applicable DNS server

3. Click Create Default Application Directory Partitions.
4. Follow the instructions to create the DNS application directory partitions.

Notes

By default, only members of the Enterprise Admins group can create a DNS application directory partition.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure. If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.

The following table describes the options available when creating the DNS default application directory partitions.

Option: Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain
Partition name: DomainDnsZones.DnsDomainName
Description: DNS application directory partition for each domain in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.

Option: Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the forest
Partition name: ForestDnsZones.DnsForestName
Description: DNS application directory partition for the entire forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the forest.

Notes

By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller. Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain controller hosting the default DNS application directory partitions.

For more information about creating and deleting an application directory partition, see Related Topics.

Using a command line

1. Open Command Prompt.
2. Type:

dnscmd ServerName /CreateBuiltinDirectoryPartitions {/Domain|/Forest|/AllDomains}

Value                                Description
dnscmd                               Specifies the name of the command-line tool.
ServerName                           Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/CreateBuiltinDirectoryPartitions    Required. Creates a default application directory partition.
{/Domain|/Forest|/AllDomains}        Required. Specifies which default application directory partition to create. Do one of the following: To create a default domain-wide DNS application directory partition for the Active Directory domain where the specified DNS server is located, type /Domain. To create a default forest-wide DNS application directory partition for the Active Directory forest where the specified DNS server is located, type /Forest. To create default domain-wide DNS application directory partitions on a DNS server in each domain in the Active Directory forest where the user running this command is logged on, type /AllDomains. The ServerName parameter is ignored for /AllDomains. The computer on which this command is run must be joined to a domain in the forest where you want to create all of the default domain-wide application directory partitions.

Notes

By default, only members of the Enterprise Admins group can create a DNS application directory partition.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /CreateDirectoryPartition /?

By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure. If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.

The following table describes the options available when creating the DNS default application directory partitions.

Option: Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain
Partition name: DomainDnsZones.DnsDomainName
Description: DNS application directory partition for each domain in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.

Option: Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the forest
Partition name: ForestDnsZones.DnsForestName
Description: DNS application directory partition for the entire forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the forest.

Notes

By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller. Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain hosting the default DNS application directory partitions.

For more information about creating and deleting an application directory partition, see Related Topics.

To create a DNS application directory partition

1. Open Command Prompt.
2. Type:

dnscmd ServerName /CreateDirectoryPartition FQDN

Value                        Description
dnscmd                       Specifies the name of the command-line tool.
ServerName                   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/CreateDirectoryPartition    Required. Creates a DNS application directory partition.
FQDN                         Required. Specifies the name of the new DNS application directory partition. You must use a DNS fully qualified domain name (FQDN).

Notes

By default, only members of the Enterprise Admins group can create a DNS application directory partition.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /CreateDirectoryPartition /?

To enlist a DNS server in a DNS application directory partition

1. Open Command Prompt.
2. Type:

dnscmd ServerName /EnlistDirectoryPartition FQDN

Value                        Description
dnscmd                       Specifies the name of the command-line program.
ServerName                   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/EnlistDirectoryPartition    Required. Enlists a DNS server in a DNS application directory partition.
FQDN                         Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /EnlistDirectoryPartition /?

For more information about creating and deleting an application directory partition, see Related Topics.

To remove a DNS server from a DNS application directory partition

1. Open Command Prompt.
2. Type:

dnscmd ServerName /UnenlistDirectoryPartition FQDN

Value                          Description
dnscmd                         Specifies the name of the command-line program.
ServerName                     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/UnenlistDirectoryPartition    Required. Removes a DNS server from a DNS application directory partition.
FQDN                           Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition from which you are removing the DNS server specified by ServerName.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /UnenlistDirectoryPartition /?

For more information about creating and deleting an application directory partition, see Related Topics.

Install and configure clients

Configure DNS for static clients
Enable DNS for DHCP-enabled clients
Configure the primary DNS suffix for a client computer
Preload the client resolver cache
Display and view a client resolver cache using the ipconfig command
Flush and reset a client resolver cache using the ipconfig command
Renew DNS client registration using the ipconfig command

To configure DNS for static clients

To configure DNS for clients with statically configured IP addresses, you likely need to configure the following:

1. DNS host name (or names) for the client computer.
2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names.
3. A list of DNS suffixes to be appended for use in completing unqualified DNS names, which are used for searching and submitting DNS queries at the client for resolution.
4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

For more information about how to configure DNS for static clients not running Windows XP, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for these clients.

By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.

By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, mycompany. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry.
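The four static-client settings listed above, applied from a script rather than the TCP/IP properties dialog. This is an added example and not part of the original documentation: it uses the DnsClient module cmdlets that ship with Windows 8 and Windows Server 2012 and later (not the Windows XP client the page describes), it needs an elevated session, and the interface alias, server addresses and suffixes are placeholders.

```powershell
# Added example (not from the original documentation). Applies the static
# DNS client settings from the list above with the DnsClient module cmdlets
# (Windows 8 / Windows Server 2012 and later; run elevated). Interface alias,
# addresses and suffixes are placeholders for your environment.
param(
    [string]$InterfaceAlias     = "Ethernet",                        # placeholder
    [string[]]$DnsServers       = @("10.0.0.10", "10.0.0.11"),       # constructed; preferred first
    [string[]]$SuffixSearchList = @("corp.example.com", "example.com"),
    [bool]$RegisterInDns        = $true                              # item 4 in the list
)

# Record the current servers so the change can be reviewed or reverted.
$before = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
Write-Host ("Current DNS servers on {0}: {1}" -f $InterfaceAlias, ($before.ServerAddresses -join ", "))

# Item 2: primary and alternate DNS servers, in the order the client tries them.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

# Item 3: suffix search list used to complete unqualified names. This is a
# computer-wide setting, not per adapter.
Set-DnsClientGlobalSetting -SuffixSearchList $SuffixSearchList

# Item 4: connection-specific dynamic update, i.e. whether this adapter
# registers its addresses with the DNS server.
Set-DnsClient -InterfaceAlias $InterfaceAlias -RegisterThisConnectionsAddress $RegisterInDns

# Item 1, the host name, is part of the computer name and changing it
# (Rename-Computer) requires a restart, so it is only reported here.
Write-Host ("Host name: {0}" -f $env:COMPUTERNAME)

# Show the resulting configuration.
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Get-DnsClient -InterfaceAlias $InterfaceAlias |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList
```

The cmdlets write the same settings the dialog does; after running it, ipconfig /all on the client should list the new servers and suffix search list.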

To enable DNS for DHCP-enabled clients

To configure DNS for clients with dynamically configured IP addresses provided by a DHCP server, you generally need to configure the following at either the DHCP server or applicable clients:

1. DNS host name (or names) for the client computer. For DHCP clients, this must be set at the client computer or assigned during unattended setup.
2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names. For DHCP clients, this can be set by assigning the DNS server option (option 6) and providing a configured list of ordered IP addresses for the DNS servers that the client is configured to use.
3. A list of DNS suffixes to be appended for use in completing unqualified DNS names used for searching and submitting DNS queries at the client for resolution. For DHCP clients, this can be set by assigning the DNS domain name option (option 15) and providing a single DNS suffix for the client to append and use in searches. To configure additional DNS suffixes, configure TCP/IP manually for DNS configuration.
4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server. For DHCP clients, the default is for client connections to register their configured IP addresses with a DNS server. To modify this behavior at the client, configure TCP/IP manually for DNS configuration.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

For more information about how to configure DNS for other DHCP clients, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor.

By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.

By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, mycompany. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry.

To configure the primary DNS suffix for a client computer


1. Open System in Control Panel.
2. Click the Computer Name tab. This tab displays the computer name, the workgroup or domain to which it belongs, and a brief description of the computer.
3. Click Change, and then click More.
4. In DNS Suffix and NetBIOS Computer Name, for Primary DNS suffix of this computer, specify the DNS suffix to be appended to the name of this computer when completing its fully qualified domain name (FQDN).
5. After applying these changes, restart the computer to initialize it with its new DNS domain name.
6. If the computer has been previously installed and configured as a DNS server, verify that zone authority records are updated. These include the start of authority (SOA) and name server (NS) resource records, substituting the new FQDN to replace the single-label name previously in use. For more information, see Related Topics.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open System, click Start, point to Settings, and then click Control Panel. In Control Panel, double-click System.

For more information about how to configure the primary DNS suffix for other clients and servers, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for your other clients.

By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined. To allow different primary DNS suffixes, a domain administrator can create a restricted list of allowed suffixes by modifying the msDS-AllowedDNSSuffixes attribute in the domain object container. This attribute is managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP).

To preload the client resolver cache


1. At the client computer, open Command Prompt.
2. At the command prompt, type the following command:

notepad %systemroot%\system32\drivers\etc\hosts

3. Using the default entry in the file (a mapping for the local host to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate lines to be preloaded into the resolver cache of the client. For example, you might add:

10.0.0.1 host-a host-a.example.microsoft.com

4. On the File menu, click Save, and then Exit.
5. As an option, you can verify that your changes have been updated in the resolver cache by viewing its contents.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To open Notepad, click Start, point to All programs, point to Accessories, and then click Notepad.

Entries you add are always answered first from the local resolver cache and are not sent to a DNS server when queries are made locally to resolve these names to host (A) resource records.

Every line in the Hosts file should contain an IP address followed by one or more host names. For example, you could add a line such as the following with an IP address (10.0.0.1) that maps to more than one DNS host name:

10.0.0.1 host-a host-a.example.microsoft.com host-b.example2.microsoft.com

Likewise, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines. For example, you could add lines for the following multi-homed or multi-addressable DNS host computer:

10.0.0.1 host-a.example.microsoft.com
10.0.0.2 host-a.example.microsoft.com
10.0.0.3 host-a.example.microsoft.com

When multiple names or IP addresses are used in the file, the DNS Client service must be running for all entries to be returned or used in answering queries. If the DNS Client service is not running, only the first entry in the file is used to resolve the query.
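A parser for the Hosts file format described in the notes above (one IP address followed by one or more host names per line), which lists the resulting name-to-address mappings and points out names that appear on several lines. Because a Hosts entry is answered before any DNS server is asked, reviewing these entries is a routine check when a client resolves a name unexpectedly. This is an added example and not part of the original documentation; without -Path it parses constructed sample lines built from the page's own examples, so it can be tried on any system with PowerShell.

```powershell
# Added example (not from the original documentation). Parses a Hosts file
# with the rules given above: one IP address followed by one or more host
# names per line, "#" starts a comment. Without -Path it uses constructed
# sample lines; with -Path it audits a real file, for example
# $env:SystemRoot\System32\drivers\etc\hosts.
param([string]$Path)

function Read-HostsFile {
    param([string[]]$Lines)
    $entries = New-Object System.Collections.Generic.List[object]
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $text = ($raw -split '#', 2)[0].Trim()          # drop trailing comments
        if (-not $text) { continue }                     # blank or comment-only line
        $fields = $text -split '\s+'
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$parsed)) {
            Write-Warning "Line ${lineNo}: '$($fields[0])' is not an IP address; the line is ignored."
            continue
        }
        if ($fields.Count -lt 2) {
            Write-Warning "Line ${lineNo}: address $($fields[0]) has no host name; the line is ignored."
            continue
        }
        # Every name on the line maps to the address at the start of the line.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $entries.Add([pscustomobject]@{
                Line    = $lineNo
                Name    = $name.ToLowerInvariant()
                Address = $parsed.ToString()
            })
        }
    }
    return $entries
}

# Constructed sample: the default loopback entry, the examples from the text,
# and one malformed line. Not taken from any real system.
$sample = @(
    '127.0.0.1       localhost',
    '10.0.0.1 host-a host-a.example.microsoft.com host-b.example2.microsoft.com',
    '10.0.0.2 host-a.example.microsoft.com   # second address of a multi-homed host',
    '10.0.0.3 host-a.example.microsoft.com',
    'not-an-address host-c.example.microsoft.com'
)

$lines   = if ($Path) { Get-Content -Path $Path } else { $sample }
$entries = Read-HostsFile -Lines $lines
$entries | Format-Table Line, Name, Address -AutoSize

# Names that appear on more than one line: expected for multi-homed hosts, but
# a name carrying several different addresses deserves a second look, since the
# entry is answered before any DNS server is queried.
$entries | Group-Object Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "{0} -> {1}" -f $_.Name, (@($_.Group | ForEach-Object Address | Select-Object -Unique) -join ", ")
}
```

On the sample input the multi-line report shows host-a.example.microsoft.com with 10.0.0.1, 10.0.0.2 and 10.0.0.3, and the malformed last line produces a warning instead of an entry.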
Page 30 of 165

To display and view a client resolver cache using the ipconfig command
1. Open Command Prompt.
2. Type:

ipconfig /displaydns

Value          Description
ipconfig       The name of the command-line program.
/displaydns    The command to display a client resolver cache.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type: ipconfig /help

To pause the display of the command output to one screen at a time, type ipconfig /displaydns|more.

The ipconfig /displaydns command provides you with a means to view the contents of the DNS client resolver cache, which includes entries preloaded from the local Hosts file, as well as any recently obtained resource records for name queries resolved by the system. This information is used by the DNS Client service to quickly resolve frequently queried names before it queries its configured DNS servers. When the ipconfig /displaydns command is used to display current resolver cache contents, the resultant output generally includes the local host and loopback IP address (127.0.0.1) mappings. This is because these mappings typically exist in the default (unmodified) contents of the local Hosts file.

After you add host mapping entries to the local Hosts file and save the file, these entries are added to the displayed output of this command. For more information, see Related Topics.

The resolver cache can also support negative caching of unresolved or non-valid DNS names. These entries are added by the DNS Client service when it receives a negative answer from a DNS server for a queried name. The negative result is cached for a short period of time so that it is not queried again, which could cause query performance problems. During DNS troubleshooting, you can flush and reset the cache to discard negative entries from the cache and any other dynamically added entries that were not preloaded. For more information, see Related Topics.

Although the ipconfig command is provided for earlier versions of Windows, the /displaydns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.
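A parser that turns the text printed by ipconfig /displaydns into objects, one per cached record, and separates the negatively cached names the notes above describe from positive answers. This is an added example and not part of the original documentation; it assumes the English output format (Record Name, Record Type, Time To Live, Section, and a record line such as "A (Host) Record"), and without -Live it parses a constructed sample so the parsing can be tried without a Windows host.

```powershell
# Added example (not from the original documentation). Parses ipconfig
# /displaydns output into objects and flags negative entries ("Name does not
# exist."). With -Live it runs ipconfig on this computer; otherwise it parses a
# constructed sample in the English output format.
param([switch]$Live)

function ConvertFrom-DisplayDns {
    param([string[]]$Lines)
    $blocks   = New-Object System.Collections.Generic.List[object]
    $current  = $null
    $previous = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*-{10,}\s*$') {
            # A dashed separator follows the queried name; start a new block.
            $current = @{ Name = $previous.Trim(); Negative = $false
                          Records = New-Object System.Collections.Generic.List[object] }
            $blocks.Add($current)
        }
        elseif ($current -and $line -match '^\s*Name does not exist\.?\s*$') {
            $current.Negative = $true
        }
        elseif ($current -and $line -match '^\s*(.+?)(?:\s*\.)+\s*:\s*(.*)$') {
            # "Key . . . : value" line; each "Record Name" begins another record.
            $key, $value = $Matches[1], $Matches[2]
            if ($key -eq 'Record Name' -or $current.Records.Count -eq 0) {
                $current.Records.Add([ordered]@{})
            }
            $current.Records[$current.Records.Count - 1][$key] = $value
        }
        if ($line.Trim()) { $previous = $line }
    }
    foreach ($b in $blocks) {
        if ($b.Negative) {
            [pscustomobject]@{ Name = $b.Name; Negative = $true; Type = $null; TTL = $null; Section = $null; Data = $null }
            continue
        }
        foreach ($r in $b.Records) {
            # The data line is the key ending in "Record" other than "Record Name",
            # for example "A (Host) Record", "CNAME Record" or "PTR Record".
            $dataKey = @($r.Keys | Where-Object { $_ -ne 'Record Name' -and $_ -match 'Record$' })[0]
            [pscustomobject]@{
                Name     = $b.Name
                Negative = $false
                Type     = $r['Record Type']
                TTL      = [int]$r['Time To Live']
                Section  = $r['Section']
                Data     = if ($dataKey) { $r[$dataKey] } else { $null }
            }
        }
    }
}

# Constructed sample output: one negative entry, a multi-homed host with two
# A records, and a CNAME. Not captured from a real system.
$sample = @(
    'Windows IP Configuration', '',
    '    wpad.corp.example.com',
    '    ----------------------------------------',
    '    Name does not exist.', '',
    '    host-a.example.microsoft.com',
    '    ----------------------------------------',
    '    Record Name . . . . . : host-a.example.microsoft.com',
    '    Record Type . . . . . : 1',
    '    Time To Live  . . . . : 86400',
    '    Data Length . . . . . : 4',
    '    Section . . . . . . . : Answer',
    '    A (Host) Record . . . : 10.0.0.1', '',
    '    Record Name . . . . . : host-a.example.microsoft.com',
    '    Record Type . . . . . : 1',
    '    Time To Live  . . . . : 86400',
    '    Data Length . . . . . : 4',
    '    Section . . . . . . . : Answer',
    '    A (Host) Record . . . : 10.0.0.2', '',
    '    www.example.com',
    '    ----------------------------------------',
    '    Record Name . . . . . : www.example.com',
    '    Record Type . . . . . : 5',
    '    Time To Live  . . . . : 300',
    '    Data Length . . . . . : 8',
    '    Section . . . . . . . : Answer',
    '    CNAME Record  . . . . : web.example.com'
)

$lines   = if ($Live) { ipconfig /displaydns } else { $sample }
$records = ConvertFrom-DisplayDns -Lines $lines
$records | Format-Table Name, Negative, Type, TTL, Section, Data -AutoSize

# Negative entries are what a flush discards during troubleshooting; a name
# that should resolve but appears here was answered negatively recently.
$negative = @($records | Where-Object { $_.Negative })
"{0} negative entries: {1}" -f $negative.Count, (($negative | ForEach-Object Name) -join ", ")
```

Record Type is the numeric DNS type as ipconfig prints it (1 for A, 5 for CNAME); on a Windows build with localized output the key names differ and the regular expressions need adjusting.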

To flush and reset a client resolver cache using the ipconfig command
1. Open Command Prompt.
2. Type:

ipconfig /flushdns

Value        Description
ipconfig     The name of the command-line program.
/flushdns    The command to flush and reset a client resolver cache.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type: ipconfig /help

The ipconfig /flushdns command provides you with a means to flush and reset the contents of the DNS client resolver cache. During DNS troubleshooting, if necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries. Resetting the cache does not eliminate entries that are preloaded from the local Hosts file. To eliminate those entries from the cache, remove them from this file. For more information, see Related Topics.

Although the ipconfig command is provided for earlier versions of Windows, the /flushdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

To renew DNS client registration using the ipconfig command


1. Open Command Prompt.
2. Type:

ipconfig /registerdns

Value           Description
ipconfig        The name of the command-line program.
/registerdns    The command to renew DNS client registration.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To view the complete syntax for this command, at a command prompt, type: ipconfig /help

An additional form of the /registerdns command is: ipconfig /registerdns [adapter], where adapter is the name of a specific network adapter installed on the computer for which you want to renew or update registrations.

The ipconfig /registerdns command provides you with a means to manually initiate dynamic registration for the DNS names and IP addresses configured at a computer. This option can assist in troubleshooting a failed DNS name registration or in resolving a dynamic update problem between a client and the DNS server without restarting the client. By default, the ipconfig /registerdns command refreshes all DHCP address leases and registers all related DNS names configured and used by the client computer.

To learn the names of adapters that you can optionally specify with this command, first type the ipconfig command by itself (that is, do not specify any additional parameters). The command output displays all adapters by name that are available for use at the computer.

Although the ipconfig command is provided for earlier versions of Windows, the /registerdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

On computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems, the DHCP Client service is used to perform dynamic registrations and updates, regardless of whether the computer uses a DHCP server or static configuration to obtain its IP address.

If you are troubleshooting a failed DNS dynamic registration for a client computer and its DNS names, it might help to verify that the cause is not one of the following commonly known causes for such failures:

1. The zone where the client requires update or registration is not able to accept dynamic updates.
2. The DNS servers that the client is configured to use do not support or recognize the DNS dynamic update protocol.
3. The primary (or directory-integrated) DNS server for the zone refused the update request. This most likely occurs because the current zone or resource record security does not grant the client sufficient access rights to update its own name.
4. The server or zone is not available because of other problems, such as a network or server failure.

Manage servers

Open the DNS console
Start or stop a DNS server
Add a server to the DNS console
Remove a server from the DNS console
Manually update server data files
Change the boot method used by the DNS server
Change the name-checking method used by the DNS server
Restrict NS resource record registration
Allow NS record creation for specific domain controllers
Restrict DNS resource records updated by Netlogon

To open the DNS console

Open DNS.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.


The DNS console is an administrative tool for managing DNS servers running Windows Server 2003 family operating systems only. For more information, see Related Topics.

To start or stop a DNS server


1. Open DNS.
2. In the console tree, click the applicable DNS server.

   Where?
   o DNS/applicable DNS server

3. On the Action menu, point to All Tasks and then click one of the following:
   o To start the service, click Start.
   o To stop the service, click Stop.
   o To interrupt the service, click Pause.
   o To stop and then automatically restart the service, click Restart.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

After you pause or stop the service, on the Action menu, in All Tasks, you can click Resume to immediately resume service.

When using registry-based configuration, changes are applied to DNS servers only when the DNS Server service is re-initialized. In these cases, if a DNS value is manually changed directly in the registry, the DNS Server service must always be restarted for the new value to be used.

To add a server to the DNS console


1. Open DNS.
2. On the Action menu, click Connect To DNS Server.
3. In Connect to DNS Server, click either:
   o This computer, if the server you want to connect to and manage is located on the same computer you are using to manage it.
   o The following computer, if the server you want to connect to and manage is located on a remote computer.

   If you choose to connect to a remote server, specify either its DNS computer name or its IP address.

4. Select the Connect to the specified computer now check box, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

The DNS console is a Microsoft Management Console (MMC) administrative tool for managing DNS servers running Windows Server 2003 operating systems only. For more information, see Related Topics.

If you use the Windows Server 2003 DNS console to administer a Windows 2000 DNS server, any new features will not be available when viewing the Windows 2000 DNS server.

To remove a server from the DNS console

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Delete.
4. When prompted to confirm you want to delete this server from the list, click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To manually update server data files

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Update Server Data Files.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
o For standard primary zones, this procedure causes the DNS server to immediately write its in-memory changes out to disk for storage with the zone file. Normally these changes are only written at predefined update intervals and when the DNS server is shut down.
o For Active Directory-integrated zones, this procedure does not apply. To update Active Directory-integrated zones, see the command-line procedure below.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneUpdateFromDs ZoneName

Value               Description
dnscmd              Specifies the name of the command-line tool. Required.
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneUpdateFromDs   Required. Updates the zone file with data from Active Directory.
ZoneName            Required. Specifies the fully qualified domain name (FQDN) of the zone you are updating.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
o This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
o To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneUpdateFromDs /help
o The command-line procedure updates Active Directory-integrated zones only. For standard zones, see the Windows interface procedure above.

To change the boot method used by the DNS server

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. In the Load zone data on startup list, select From registry, From file, or From Active Directory and registry.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
o By default, DNS servers use information stored in the registry to initialize for service and load any zone data for use at the server. As added options, you can configure the DNS server to boot from a file or, in Active Directory environments, you can supplement local registry data with zone data retrieved for directory-integrated zones stored in the Active Directory database.
o If you use the file method, the file used must be a text file named Boot, located on this computer in the systemroot\Windows\System32\Dns folder.

To change the name-checking method used by the DNS server

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. In the Name checking list, select Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
o The DNS Server service supports different possible methods for checking the names it receives and processes during normal operations:
   o Strict RFC (ANSI): This method strictly enforces RFC-compliant naming rules for all DNS names that the server processes. Names that are not RFC-compliant are treated as erred data by the server.
   o Non RFC (ANSI): This method allows names that are not RFC-compliant to be used with the DNS server, such as names that use ASCII characters but are not compliant with RFC host naming requirements.
   o Multibyte (UTF8): This method allows names that use the Unicode 8-bit translation encoding scheme, which is a proposed RFC draft, to be used with the DNS server. By default, the server uses Multibyte (UTF8) to check names.
   o All names: Allows Non RFC (ANSI), Strict RFC (ANSI), and Multibyte (UTF8) naming conventions.
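The four name-checking methods above, modelled as an added Python example. This is not code from the documentation or from the DNS Server service: the exact rules the service applies are not given on the page, so the RFC 1123 label grammar used for Strict RFC (ANSI), the 63-octet label and 253-octet name limits, and the rejection of control characters are assumptions, stated again in the comments. In this model the strict grammar rejects underscore names, which the other two modes accept, and reject_bad_records shows how a loader can set rejected names aside instead of loading them.

```python
# Added example (not from the Windows Server documentation): a simplified
# model of the four name-checking methods, applied to owner names as they
# arrive on the wire (bytes). Label grammar, length limits and the
# treatment of control characters are assumptions of this model.
import re

MAX_LABEL_OCTETS = 63    # RFC 1035 label limit
MAX_NAME_OCTETS = 253    # RFC 1035 limit for a name in text form (255 on the wire)

# RFC 1123 host label: letters, digits and hyphens, no leading or trailing hyphen.
_STRICT_LABEL = re.compile(rb"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _labels(name: bytes) -> list:
    """Split a dotted name into its labels, ignoring one trailing dot."""
    return name.rstrip(b".").split(b".")


def _lengths_ok(name: bytes) -> bool:
    """Length limits apply in every mode: no empty label, none over 63 octets,
    whole name no longer than 253 octets."""
    labels = _labels(name)
    return (len(name.rstrip(b".")) <= MAX_NAME_OCTETS
            and all(0 < len(label) <= MAX_LABEL_OCTETS for label in labels))


def check_strict_rfc(name: bytes) -> bool:
    """Strict RFC (ANSI): every label must be an RFC 1123 host label."""
    return _lengths_ok(name) and all(_STRICT_LABEL.match(label) for label in _labels(name))


def check_non_rfc_ansi(name: bytes) -> bool:
    """Non RFC (ANSI): any printable ASCII byte (0x21-0x7E) is allowed in a label,
    so underscores pass, but control bytes and non-ASCII bytes do not."""
    return _lengths_ok(name) and all(0x21 <= b <= 0x7E
                                     for label in _labels(name) for b in label)


def check_multibyte_utf8(name: bytes) -> bool:
    """Multibyte (UTF8): labels must be well-formed UTF-8 with no control
    characters or spaces (assumption: the server would treat those as errors)."""
    try:
        text = name.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return _lengths_ok(name) and all(ch.isprintable() and ch != " " for ch in text)


CHECKERS = {
    "Strict RFC (ANSI)": check_strict_rfc,
    "Non RFC (ANSI)": check_non_rfc_ansi,
    "Multibyte (UTF8)": check_multibyte_utf8,
}


def check_name(name: bytes, mode: str = "Multibyte (UTF8)") -> bool:
    """True if a server configured with `mode` would accept the name.
    "All names" accepts anything that passes at least one of the three checks."""
    if mode == "All names":
        return any(check(name) for check in CHECKERS.values())
    return CHECKERS[mode](name)


def reject_bad_records(records, mode):
    """Treat non-compliant names as erred data: keep the records whose owner
    name passes the configured check and return the rejected ones separately
    so they can be logged rather than loaded. records: [(owner, rtype, rdata)]"""
    good, bad = [], []
    for rec in records:
        (good if check_name(rec[0], mode) else bad).append(rec)
    return good, bad


if __name__ == "__main__":
    sample = [(b"www.example.test", "A", "192.0.2.1"),              # constructed
              (b"_ldap._tcp.example.test", "SRV", "0 0 389 dc1.example.test")]
    for mode in list(CHECKERS) + ["All names"]:
        good, bad = reject_bad_records(sample, mode)
        print(f"{mode:18s} loaded={len(good)} rejected={[r[0] for r in bad]}")
```

Switching a server that hosts Active Directory zones to Strict RFC (ANSI) is therefore worth checking against the zone's own names first, because the underscore-prefixed service records would fall into the rejected set of this model.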

To restrict NS resource record registration

Using the Windows interface

1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following REG_DWORD value: DisableNSRecordsAutoCreation
4. Assign a value of 0x1. The REG_DWORD value is a local DNS server setting and applies to DNS zones for which this DNS server is authoritative.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open Registry Editor, click Start, click Run, type regedit, and then click OK.
o This procedure restricts NS resource records registered for Active Directory domain controllers only.
o To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.
o If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.
o Regardless of the settings of these registry entries, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are from an authoritative DNS server.
o The registry key entry described here does not exist by default and must be created and configured according to this procedure.

Using a command line

1. Open Command Prompt.
   Caution
   o In this procedure you will be editing the registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. Type: dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1

Value                           Description
dnscmd                          Specifies the name of the command-line tool.
ServerName                      Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                         Specifies the configuration command.
/DisableNSRecordsAutoCreation   Determines the local DNS server configuration for registering NS resource records for authoritative zones.
0x1                             Specifies that the DNS server specified in ServerName should not add NS resource records for authoritative zones. To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
o This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
o This procedure restricts NS resource records registered for Active Directory domain controllers only.
o To view the complete syntax for this command, at a command prompt, type: dnscmd /config /?
o The DWORD value is a local DNS server setting and applies to authoritative DNS zones hosted on this DNS server.
o Regardless of the settings above, query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.
o To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.
o If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.
o Regardless of a NS resource record registration setting, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are authoritative.
o The registry key entries described here do not exist by default and must be created and configured using this procedure.

To allow NS resource record creation for specific domain controllers

1. Open Command Prompt.
   Important
   o This procedure applies to domain controller name server (NS) resource records in Active Directory-integrated DNS zones that are hosted on DNS servers configured to not add these resource records for their authoritative zones. For more information, see Related Topics.
2. Type: dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation IpAddresses...

Value                         Description
dnscmd                        Specifies the name of the command-line program. Required.
ServerName                    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                       Required. Specifies the configuration command.
ZoneName                      Required. Specifies the fully qualified domain name (FQDN) of the zone.
/AllowNSRecordsAutoCreation   Required. Specifies that domain controllers entered for Value will add their names to NS resource records for the zone specified in ZoneName. NS resource records that were previously registered for this zone are not affected. Therefore, you must remove them manually if you do not want them.
IpAddresses...                Required. Specifies the IP addresses of the domain controllers that will add their names in NS resource records for the zone specified in ZoneName. Type a space-separated list of the IP addresses of the DNS servers. For example, 10.0.0.0 172.16.0.0 192.168.0.0.

Additional considerations

o To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
o To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
o This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
o To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /?
o If any domain controllers in the specified zone are not listed for IpAddresses..., their names will be deleted from the NS resource records for the zone specified in ZoneName.
o To specify that all domain controllers are allowed to add their names to NS resource records for the zone, or to clear the list of allowed DNS server IP addresses, type the command and omit IpAddresses...: dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation
o Regardless of the settings above, query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.

To restrict the DNS resource records updated by the Net Logon service

1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Add the following multi-string value (REG_MULTI_SZ) value: DnsAvoidRegisterRecords
4. In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service. The list of data include:

Value              Resource Record Type   DNS Resource Record
LdapIpAddress      A                      <DnsDomainName>
Ldap               SRV                    _ldap._tcp.<DnsDomainName>
LdapAtSite         SRV                    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc                SRV                    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                 SRV                    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite           SRV                    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
DcByGuid           SRV                    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress        A                      gc._msdcs.<DnsForestName>
DsaCname           CNAME                  <DsaGuid>._msdcs.<DnsForestName>
Kdc                SRV                    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite          SRV                    _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Dc                 SRV                    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite           SRV                    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc         SRV                    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite   SRV                    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc          SRV                    _gc._tcp.<DnsForestName>
GenericGcAtSite    SRV                    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc      SRV                    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd        SRV                    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd     SRV                    _kpasswd._udp.<DnsDomainName>

Important

o This procedure restricts DNS resource records registered by the Net Logon service for Active Directory domain controllers only.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open Registry Editor, click Start, click Run, type regedit, and then click OK.
o Restart of the Net Logon service is not required to make the changes to this value effective. If the DnsAvoidRegisterRecords registry key is created or modified while the Net Logon service is stopped or within the first 15 minutes after it is started, then appropriate DNS updates may take place with a short delay; however, the delay is no later than 15 minutes after the Net Logon service starts.
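The mnemonic table above as data, together with an audit that computes which records a domain controller should and should not have registered once DnsAvoidRegisterRecords is set, and checks a zone dump against that policy. This is an added example, not code from the documentation or from the Net Logon service; it assumes the GC and PDC records are registered only by a domain controller holding that role (the is_gc and is_pdc flags), compares names case-insensitively, and every domain name, GUID and zone record below is a constructed sample value.

```python
# Added example (not from the Windows Server documentation): the
# DnsAvoidRegisterRecords mnemonic table as data, plus an audit of a zone
# dump against it. Role gating of the GC/PDC records, and all sample
# names, GUIDs and records, are assumptions/constructed values.

NETLOGON_RECORDS = [
    # (mnemonic, record type, owner-name template) exactly as in the table
    ("LdapIpAddress", "A", "<DnsDomainName>"),
    ("Ldap", "SRV", "_ldap._tcp.<DnsDomainName>"),
    ("LdapAtSite", "SRV", "_ldap._tcp.<SiteName>._sites.<DnsDomainName>"),
    ("Pdc", "SRV", "_ldap._tcp.pdc._msdcs.<DnsDomainName>"),
    ("Gc", "SRV", "_ldap._tcp.gc._msdcs.<DnsForestName>"),
    ("GcAtSite", "SRV", "_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>"),
    ("DcByGuid", "SRV", "_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>"),
    ("GcIpAddress", "A", "gc._msdcs.<DnsForestName>"),
    ("DsaCname", "CNAME", "<DsaGuid>._msdcs.<DnsForestName>"),
    ("Kdc", "SRV", "_kerberos._tcp.dc._msdcs.<DnsDomainName>"),
    ("KdcAtSite", "SRV", "_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>"),
    ("Dc", "SRV", "_ldap._tcp.dc._msdcs.<DnsDomainName>"),
    ("DcAtSite", "SRV", "_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>"),
    ("Rfc1510Kdc", "SRV", "_kerberos._tcp.<DnsDomainName>"),
    ("Rfc1510KdcAtSite", "SRV", "_kerberos._tcp.<SiteName>._sites.<DnsDomainName>"),
    ("GenericGc", "SRV", "_gc._tcp.<DnsForestName>"),
    ("GenericGcAtSite", "SRV", "_gc._tcp.<SiteName>._sites.<DnsForestName>"),
    ("Rfc1510UdpKdc", "SRV", "_kerberos._udp.<DnsDomainName>"),
    ("Rfc1510Kpwd", "SRV", "_kpasswd._tcp.<DnsDomainName>"),
    ("Rfc1510UdpKpwd", "SRV", "_kpasswd._udp.<DnsDomainName>"),
]

# Assumption: these records are registered only by a DC holding that role.
GC_ONLY = {"Gc", "GcAtSite", "GcIpAddress", "GenericGc", "GenericGcAtSite"}
PDC_ONLY = {"Pdc"}


def expand(template, params):
    """Substitute the <DnsDomainName>, <SiteName>, ... placeholders (names are case-insensitive)."""
    owner = template
    for key, value in params.items():
        owner = owner.replace(f"<{key}>", value)
    return owner.lower()


def expected_registrations(params, avoid=(), is_gc=False, is_pdc=False):
    """Set of (rtype, owner) this DC's Net Logon service should register."""
    skip = set(avoid)
    if not is_gc:
        skip |= GC_ONLY
    if not is_pdc:
        skip |= PDC_ONLY
    return {(rtype, expand(tmpl, params))
            for mnemonic, rtype, tmpl in NETLOGON_RECORDS if mnemonic not in skip}


def suppressed_registrations(params, avoid=()):
    """Records DnsAvoidRegisterRecords tells this DC not to register."""
    return {(rtype, expand(tmpl, params))
            for mnemonic, rtype, tmpl in NETLOGON_RECORDS if mnemonic in set(avoid)}


def audit_zone(zone_records, params, avoid=(), is_gc=False, is_pdc=False):
    """Compare a zone dump (iterable of (rtype, owner)) with the policy.
    Returns (missing, unexpected): expected records absent from the zone, and
    suppressed records still present, which means the setting has not taken
    effect yet or stale registrations were never cleaned up."""
    present = {(rtype, owner.lower().rstrip(".")) for rtype, owner in zone_records}
    expected = expected_registrations(params, avoid, is_gc, is_pdc)
    suppressed = suppressed_registrations(params, avoid)
    return sorted(expected - present), sorted(suppressed & present)


# Constructed sample: a branch-office DC kept out of the site-less records.
SAMPLE_PARAMS = {
    "DnsDomainName": "corp.example.test",
    "DnsForestName": "example.test",
    "SiteName": "branch01",
    "DomainGuid": "11111111-2222-3333-4444-555555555555",
    "DsaGuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}
SITELESS = ("Ldap", "Kdc", "Dc", "Rfc1510Kdc", "Rfc1510UdpKdc", "Rfc1510Kpwd", "Rfc1510UdpKpwd")
SAMPLE_ZONE = [  # constructed zone dump for that DC
    ("A", "corp.example.test"),
    ("SRV", "_ldap._tcp.branch01._sites.corp.example.test"),
    ("SRV", "_ldap._tcp.11111111-2222-3333-4444-555555555555.domains._msdcs.example.test"),
    ("CNAME", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.example.test"),
    ("SRV", "_kerberos._tcp.branch01._sites.dc._msdcs.corp.example.test"),
    ("SRV", "_ldap._tcp.branch01._sites.dc._msdcs.corp.example.test"),
    ("SRV", "_kerberos._tcp.branch01._sites.corp.example.test"),
    ("SRV", "_ldap._tcp.corp.example.test"),   # should have been withheld
]

if __name__ == "__main__":
    missing, unexpected = audit_zone(SAMPLE_ZONE, SAMPLE_PARAMS, SITELESS)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

The mnemonics in SITELESS are the records without a <SiteName> component; withholding them from a branch DC keeps clients in other sites from being referred to it, while the site-specific records still let its own site find it. The unexpected list is the check to run after the 15-minute window described in the notes above.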

Optimize servers

o Enable or disable fast transfer format during zone transfers
o Prevent loading of a zone when bad data is found
o Disable round-robin rotation for multihomed names
o Disable local subnet prioritization for multihomed names
o Restore server default preferences
o Disable recursion on the DNS server
o Update root hints on the DNS server
o Secure server cache against names pollution
o Clear the server names cache
o Modify DNSSEC configuration
o Modify EDNS0 configuration
o Modify UDP message size

To enable or disable fast transfer format during zone transfers

Using the Windows interface

You can enable or disable fast transfer format during zone transfers using the Windows interface.

To enable or disable fast transfer format during zone transfers using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. Do one of the following:
   o To enable the fast transfer format (the default), in the Server options list, clear the BIND secondaries check box, and then click OK.
   o To disable the fast transfer format, in the Server options list, select the BIND secondaries check box, and then click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
o The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format.
o DNS servers running versions of the Berkeley Internet Name Domain (BIND) server implementation prior to version 4.9.4 do not support the fast transfer format. You should enable the Bind secondaries option if you are transferring zones to BIND servers running versions earlier than 4.9.4.

Using a command line

You can enable or disable fast transfer format during zone transfers using a command line.

To enable or disable fast transfer format during zone transfers using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config /BindSecondaries {1|0}

Value              Description
dnscmd             Specifies the name of the command-line tool.
ServerName         Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config            Specifies the configuration command.
/BindSecondaries   Specifies use of fast transfer format used by legacy Berkeley Internet Name Domain (BIND) servers.
{1|0}              To disable fast transfer format when transferring a zone to legacy BIND DNS servers, type 1 (on). To enable fast transfer format, type 0 (off).

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
o This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
o To view the complete syntax for this command, at a command prompt, type: dnscmd ServerName /Config /help
o The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format.
o DNS servers running versions of the BIND server implementation earlier than version 4.9.4 do not support the fast transfer format. You should set BindSecondaries to 1 if you are transferring zones to BIND servers running versions earlier than 4.9.4.

To prevent loading of a zone when bad data is found

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Fail on load if bad zone data check box, and then click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To disable round-robin rotation for multihomed names

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, clear the Enable round robin check box, and then click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config /RoundRobin {1|0}

Value         Description
dnscmd        Specifies the name of the command-line tool.
ServerName    Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config       Specifies the configuration command.
/RoundRobin   Configures round robin rotation.
{1|0}         To enable round robin, type 1 (on). To disable round robin, type 0 (off).

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
o This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
o To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To disable local subnet prioritization for multihomed names

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, clear the Enable netmask ordering check box, and then click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config /LocalNetPriority {1|0}

Value               Description
dnscmd              Specifies the name of the command-line tool.
ServerName          Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config             Specifies the configuration command.
/LocalNetPriority   Configures netmask ordering.
{1|0}               To enable netmask ordering, type 1 (on). To disable netmask ordering, type 0 (off).

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
o This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
o To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
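What the two preceding procedures (round robin and netmask ordering) change in the answer a server returns for a multihomed name, shown as an added Python model. This is not the DNS Server service's own code: rotation state is assumed to be kept per name, and "local subnet" is assumed to mean the same /24 as the querying client (the page does not describe how the server matches subnets). Every address below is a constructed sample.

```python
# Added example (not from the Windows Server documentation): a model of
# round-robin rotation and netmask ordering applied to the address list
# for a multihomed host name. The per-name rotation state and the /24
# definition of "local subnet" are assumptions of this model.
import ipaddress


class MultihomedResponder:
    def __init__(self, records, round_robin=True, netmask_ordering=True, local_prefix=24):
        # records: {name: [address, ...]} in the order they appear in the zone
        self.records = {name.lower(): list(addrs) for name, addrs in records.items()}
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.local_prefix = local_prefix
        self._rotation = {}   # per-name offset, advanced on every answer

    def answer(self, name, client_ip):
        """Return the address list in the order it would be sent to client_ip."""
        key = name.lower()
        addrs = list(self.records[key])
        if self.round_robin and len(addrs) > 1:
            # Round robin: rotate the list one position further than last time,
            # so successive clients are steered to different addresses.
            offset = self._rotation.get(key, 0)
            self._rotation[key] = (offset + 1) % len(addrs)
            addrs = addrs[offset:] + addrs[:offset]
        if self.netmask_ordering:
            # Netmask ordering: addresses on the client's own subnet move to the
            # front; the partition is stable, so rotation order survives inside
            # each group.
            client_net = ipaddress.ip_network(f"{client_ip}/{self.local_prefix}", strict=False)
            local = [a for a in addrs if ipaddress.ip_address(a) in client_net]
            remote = [a for a in addrs if ipaddress.ip_address(a) not in client_net]
            addrs = local + remote
        return addrs


if __name__ == "__main__":
    # Constructed sample: one name with an address on each of three subnets.
    zone = {"www.example.test": ["10.1.1.10", "10.1.2.10", "10.1.3.10"]}
    for rr, nm in [(True, True), (True, False), (False, True), (False, False)]:
        responder = MultihomedResponder(zone, round_robin=rr, netmask_ordering=nm)
        answers = [responder.answer("www.example.test", "10.1.2.77") for _ in range(3)]
        print(f"round_robin={rr!s:5} netmask_ordering={nm!s:5} -> {answers}")
```

With both options on (the defaults in the table of server defaults that follows), a client on 10.1.2.0/24 always sees 10.1.2.10 first, and the remaining addresses rotate behind it; with round robin off, every client gets the same first address and that host carries the load.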

To restore server default preferences

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
o Clicking Reset to Default configures the DNS server with the initial configuration it had following installation. These settings are displayed in the table below.

Property                                       Setting
Disable recursion                              Off
BIND secondaries                               On
Fail on load if bad zone data                  Off
Enable round robin                             On
Enable netmask ordering                        On
Secure cache against pollution                 On
Name checking                                  Multibyte (UTF8)
Load zone data on startup                      From Active Directory and registry
Enable automatic scavenging of stale records   Off

To disable recursion on the DNS server

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. In Server options, select the Disable recursion check box, and then click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
o If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config /NoRecursion {1|0}

Value          Description
dnscmd         Specifies the name of the command-line tool.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config        Required. Specifies the configuration command.
/NoRecursion   Required. Specifies the command to disable recursion.
{1|0}          Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
o This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
o To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
o If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

To update root hints on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Root Hints tab.
5. Modify server root hints as follows:
   o To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.
   o To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.
   o To remove a root server from the list, select it in the list, and then click Remove.
   o To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To secure server cache against names pollution

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Secure cache against pollution check box, and then click OK.

Notes

o To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
o To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
o The Secure cache against pollution option is enabled by default.
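The kind of check the option above stands for, written as an added Python example. The page says only that the option is on by default and does not describe the server's algorithm, so what is modelled here is the standard "bailiwick" rule: a record in a response is eligible for the cache only if its owner name lies inside the zone the answering server was asked about, and everything else in the response is discarded rather than cached. This is not the DNS Server service's own code, and the sample response is constructed.

```python
# Added example (not from the Windows Server documentation): a bailiwick
# filter as a model of "secure cache against pollution". The rule and the
# sample response are assumptions/constructed data, not the service's code.


def in_bailiwick(owner, zone_apex):
    """True if owner is zone_apex or a name below it (case-insensitive,
    trailing dot ignored). 'evilexample.test' is NOT under 'example.test'."""
    o = owner.lower().rstrip(".")
    z = zone_apex.lower().rstrip(".")
    return o == z or o.endswith("." + z)


def filter_for_cache(zone_apex, response_records):
    """Split a response into records the cache may keep and records it must
    drop. response_records: iterable of (section, owner, rtype, rdata), where
    section is 'answer', 'authority' or 'additional'. The check is applied to
    every section: a CNAME target's address or an unrelated name slipped into
    the additional section is dropped and has to be resolved separately."""
    cacheable, discarded = [], []
    for record in response_records:
        _, owner, _, _ = record
        (cacheable if in_bailiwick(owner, zone_apex) else discarded).append(record)
    return cacheable, discarded


# Constructed: what a resolver might receive after asking the example.test
# name server for www.example.test, including records outside that tree.
SAMPLE_RESPONSE = [
    ("answer",     "www.example.test", "CNAME", "cdn.other.test"),
    ("answer",     "cdn.other.test",   "A",     "198.51.100.20"),   # belongs to other.test
    ("authority",  "example.test",     "NS",    "ns1.example.test"),
    ("additional", "ns1.example.test", "A",     "192.0.2.53"),
    ("additional", "login.bank.test",  "A",     "203.0.113.9"),     # unrelated name
]

if __name__ == "__main__":
    kept, dropped = filter_for_cache("example.test", SAMPLE_RESPONSE)
    print("cached:   ", [r[1] for r in kept])
    print("discarded:", [r[1] for r in dropped])
```

The cdn.other.test address is dropped even though it is the target of a legitimate CNAME in the answer; the resolver then looks that name up from other.test's own servers, which is exactly the point: the only party whose answers are cached for a name is the one authoritative for it.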

To clear the server names cache



Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Clear Cache.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.


Using a command line
1. Open Command Prompt.
2. Type the following command, and then press ENTER:
   dnscmd ServerName /clearcache

Value         Description
dnscmd        Specifies the name of the command-line program.
ServerName    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/clearcache   Required. Specifies the command to clear the DNS server cache.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To modify DNSSEC configuration


1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
   EnableDnsSec
4. Do one of the following:
   o To exclude DNSSEC resource records from query responses other than responses to requests for SIG, KEY or NXT resource records, assign a value of 0x0. Appropriate resource records will be included in responses to requests for SIG, KEY, or NXT resource records only.
   o To include the DNSSEC resource records in all query responses (according to RFC 2535), assign a value of 0x2.
   o To include DNSSEC resource records only in cases where the original client query contained the OPT resource record (according to RFC 2671), assign a value of 0x1 or do not create the value at all. The DNS server behaves the same if the value is 0x1 or if the entry does not appear in the registry.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• The value of the registry entry EnableDnsSec determines whether the DNS server includes or excludes DNSSEC resource records when it receives queries.
• This is the original DNSSEC of RFC 2535 (SIG, KEY and NXT records), which has since been replaced by RFC 4033 through 4035 (RRSIG, DNSKEY and NSEC). The entry only controls which of these records the server puts in its responses; it does not make the server validate signatures, so on its own it adds no protection against forged answers.

To modify EDNS0 configuration



Using the Windows interface
1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
   EDNSCacheTimeout
4. To change the cache timeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days).
5. In the same registry subkey (Parameters), add the following DWORD entry:
   EnableEDNSProbes
6. Type 1 to have the DNS server probe other DNS servers for EDNS0 support, or 0 to stop it probing. With 0 the server still includes an OPT resource record in its responses to requests that contain one.
7. Restart the DNS Server service.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• The value of the registry entry EDNSCacheTimeout determines how long the DNS server keeps information about the EDNS versions supported by other DNS servers that have responded to a query with an OPT resource record.

Using a command line


1. Open Command Prompt.
2. Type one of the following:
   o dnscmd ServerName /Config /EDNSCacheTimeout Value
   o dnscmd ServerName /Config /EnableEDNSProbes Value


Value               Description
dnscmd              Specifies the name of the command-line program.
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config             Required. Specifies the command to configure the DNS server.
/EDNSCacheTimeout   Required. Specifies the length of time the DNS server remembers the EDNS parameters remote servers report.
/EnableEDNSProbes   Required. Specifies whether or not the DNS server probes other DNS servers to determine if they support EDNS.
Value               Required. For /EDNSCacheTimeout, type a value between 3600 (1 hour) and 15724800 (182 days). For /EnableEDNSProbes, type 1 to configure the DNS server to probe other DNS servers and determine if they support EDNS. Type 0 to configure the DNS server to not probe remote servers for EDNS support. If you type 0, the DNS server will continue to use EDNS if other servers request it.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
• For information about the current registry setting, type one of the following:
  o dnscmd /Info /EDNSCacheTimeout
  o dnscmd /Info /EnableEDNSProbes

To modify UDP message size



1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry:
   MaximumUdpPacketSize
4. Type a maximum UDP packet size value in bytes. The default value is 1280 bytes. The value must be between 512 and 16384 in decimal format (0x200 and 0x4000 in hexadecimal format).
5. Restart the DNS Server service.

Caution

When configuring the UDP packet size to be larger than 512 bytes, remember that the packets must cross devices other than the two UDP hosts, such as routers and firewalls. A DNS message larger than the path MTU is fragmented in transit, and some firewalls and other middleboxes drop fragments or drop DNS over UDP above 512 bytes, so the server's answers would silently go missing. It is recommended that you establish the maximum UDP packet length supported by all devices, and the path MTU if possible, and configure your UDP hosts according to this maximum.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• For information on discovering the maximum transmission unit (MTU) of an arbitrary Internet path, see Request for Comments (RFC) 1191, "Path MTU Discovery."
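The PowerShell audit below is an added example and is not part of the original page. It reads the DNS Server service registry entries covered by the preceding four procedures (Secure cache against pollution, EnableDnsSec, EDNSCacheTimeout, EnableEDNSProbes and MaximumUdpPacketSize) and reports which are set, which are outside the documented range, and which differ from the defaults the page states. Two things in it are assumptions not stated on this page: that SecureResponses is the registry value behind the Secure cache against pollution check box, and that 1 is the expected state for EnableEDNSProbes. Run it elevated on the DNS server itself.

```powershell
# Added example, not part of the original page: audit the DNS Server service
# registry entries covered by the preceding procedures and report which are
# set, which are outside the documented range, and which differ from the
# defaults the page states. Run elevated on the DNS server itself.
# Assumption: SecureResponses is the value behind "Secure cache against
# pollution" and 1 is the expected state for EnableEDNSProbes; neither is
# stated on this page.

$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Default = $null means the page gives no default, so an absent value is
# reported as "not set" rather than compared against a guess.
$Expected = @(
    @{ Name = 'SecureResponses';      Default = 1;     Min = 1;    Max = 1;        Meaning = '1 = discard out-of-bailiwick records (cache pollution protection)' }
    @{ Name = 'EnableDnsSec';         Default = 1;     Min = 0;    Max = 2;        Meaning = '0 = DNSSEC RRs only for SIG/KEY/NXT queries, 1 = when the query carried OPT, 2 = always' }
    @{ Name = 'EDNSCacheTimeout';     Default = $null; Min = 3600; Max = 15724800; Meaning = 'seconds to remember remote servers'' EDNS support' }
    @{ Name = 'EnableEDNSProbes';     Default = 1;     Min = 0;    Max = 1;        Meaning = '1 = probe remote servers for EDNS, 0 = answer with EDNS only when asked' }
    @{ Name = 'MaximumUdpPacketSize'; Default = 1280;  Min = 512;  Max = 16384;    Meaning = 'bytes; above the path MTU responses fragment' }
)

function Get-DnsParameterState {
    param([string]$Key = $ParametersKey)
    # Throws if the DNS Server service is not installed (key absent).
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($e in $Expected) {
        $raw   = $props.PSObject.Properties[$e.Name]
        $value = if ($raw) { [int]$raw.Value } else { $e.Default }
        $state = 'default'
        if (-not $raw)                                           { $state = 'not set (built-in default in effect)' }
        elseif ($value -lt $e.Min -or $value -gt $e.Max)         { $state = 'OUT OF RANGE' }
        elseif ($null -ne $e.Default -and $value -ne $e.Default) { $state = 'changed from default' }
        [pscustomobject]@{
            Name    = $e.Name
            Value   = $value
            State   = $state
            Meaning = $e.Meaning
        }
    }
}

Get-DnsParameterState | Format-Table Name, Value, State, Meaning -AutoSize -Wrap
```

Absent entries are normal: the service then uses its built-in default, which this page states for most entries but not for EDNSCacheTimeout, so that one is reported as not set rather than compared against a guessed number. Any row marked OUT OF RANGE or changed from default is worth a change-control lookup before you touch it.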

Monitor servers

• Select and enable debug logging options on the DNS server
• Disable debug logging options on the DNS server
• Test a simple query on the DNS server
• Test a recursive query on the DNS server
• Enable automatic query testing on the DNS server
• View the DNS server system event log
• View a DNS server debug log file
• Verify DNS server responsiveness using the nslookup command

To select and enable debug logging options on the DNS server


1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Debug Logging tab.
4. Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• To set the debug logging options, you must first select Log packets for debugging.
• To get useful debug logging output you need to select a Packet direction, a Transport protocol and at least one more option.
• In addition to selecting events for the DNS debug log file, you can specify the file name, location, and maximum file size for the file.
• Using debug logging options slows DNS server performance. For this reason, all debug logging options are disabled by default. Enable them for the duration of an investigation, and disable them again when it is over.

To disable debug logging options on the DNS server


1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Debug Logging tab.
5. Clear the Log packets for debugging check box, and then click OK.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To test a simple query on the DNS server


1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the A simple query against this DNS server check box.
6. Click Test Now.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Results of the query test appear in Test results.

To test a recursive query on the DNS server


1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the A recursive query to other DNS servers check box.
6. Click Test Now.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Results of the query test appear in the Test results list box.

To enable automatic query testing on the DNS server


1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the type of testing to be used during automatic query testing. You can select one or both of the following:
   o A simple query against this DNS server
   o A recursive query to other DNS servers
6. Select the Perform automatic testing at the following interval check box.
7. Set the Test interval to be used.
   The query tests that you select are performed at regular intervals based on the value of the interval you specify. The default polling interval is 1 minute.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Results of automated query tests appear in Test results and are updated after each test interval.

To view the DNS server system event log



1. Open DNS.
2. In the console tree, click DNS Events.
   Where?
   o DNS/applicable DNS server/Event Viewer/DNS Events

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If the DNS server for which you want to view the log is located on another computer, in the console tree, click DNS, and then on the Action menu, click Connect to DNS Server. Click The following computer, and then specify the name or IP address of the remote computer.

To view a DNS server debug log file


1. Stop the DNS Server service.
2. Open WordPad.
3. On the File menu, click Open.
4. In Open, for File name, specify the path to the DNS server debug log file. By default, if the applicable DNS server is running locally, the file and path are as follows: systemroot\System32\Dns\Dns.log
5. After you specify the correct path and file, click Open to view the log file.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open WordPad, click Start, point to All programs, point to Accessories, and then click WordPad.
• To stop the DNS Server service, see Related Topics. The service is stopped first because it writes to the file, and may hold it open, while debug logging is active.
• The location of the Dns.log file is managed using the DNS console. To specify the name and location of the Dns.log file, see Related Topics.
• By default, the Dns.log file is empty if you have not previously enabled debug logging options.
• Debug logging slows DNS server performance and should only be enabled for temporary use.
• The log records the content of every packet type you selected, including the names that clients look up, so treat it as sensitive: keep it where only administrators can read it and delete it when the investigation is over.
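The script below is an added example and is not part of the original page. It parses a DNS server debug log like the Dns.log file described above and summarises, per client, query volume, NXDOMAIN replies and long or TXT names, which are the crude signals a first look for tunnelling or algorithmically generated names starts with. The sample lines are constructed to follow the packet-log layout of the Windows Server 2003-era DNS service; that field order is an assumption, so compare it with a line from your own Dns.log and adjust $LinePattern if your version differs.

```powershell
# Added example, not part of the original page: parse a DNS server debug log
# (the Dns.log file described above) and summarise, per client, query volume,
# NXDOMAIN replies and long or TXT names. The sample lines are constructed to
# follow the Windows Server 2003-era packet-log layout; that layout is an
# assumption, so check it against your own Dns.log and adjust $LinePattern.

$SampleLog = @'
20040412 09:15:01 0A7C PACKET  UDP Rcv 10.0.0.25   0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20040412 09:15:01 0A7C PACKET  UDP Snd 10.0.0.25   0003   R [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
20040412 09:15:02 0A7C PACKET  UDP Rcv 10.0.0.77   0004   Q [0001   D   NOERROR] A      (6)a1b2c3(9)zz-update(4)corp(3)com(0)
20040412 09:15:02 0A7C PACKET  UDP Snd 10.0.0.77   0004   R [8183   DR  NXDOMAIN] A      (6)a1b2c3(9)zz-update(4)corp(3)com(0)
20040412 09:15:03 0A7C PACKET  UDP Rcv 10.0.0.77   0005   Q [0001   D   NOERROR] TXT    (35)aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q(4)tun0(7)example(3)net(0)
20040412 09:15:03 0A7C PACKET  UDP Snd 10.0.0.77   0005   R [8183   DR  NXDOMAIN] TXT    (35)aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q(4)tun0(7)example(3)net(0)
20040412 09:15:04 0A7C PACKET  TCP Rcv 10.0.0.25   0006   Q [0001   D   NOERROR] SOA    (7)example(3)com(0)
'@

# One packet line: date time thread PACKET [pointer] proto dir ip xid Q|R [flags chars rcode] qtype qname
$LinePattern = '^(?<date>\d{8})\s+(?<time>\d{2}:\d{2}:\d{2})\s+\S+\s+PACKET\s+(?:[0-9A-F]{8,16}\s+)?(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+(?<xid>[0-9A-F]{4})\s+(?<qr>[QR])\s+\[(?<flags>[0-9A-F]{4})\s+(?<fchars>[A-Z ]*?)\s*(?<rcode>[A-Z]+)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'

function ConvertFrom-LabelName {
    # "(3)www(7)example(3)com(0)" -> "www.example.com"; "(0)" alone is the root, "."
    param([string]$Label)
    $dotted = ($Label -replace '\(\d+\)', '.').Trim('.')
    if ($dotted) { $dotted } else { '.' }
}

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $LinePattern) {      # header and blank lines simply do not match
            [pscustomobject]@{
                Time    = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'yyyyMMdd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Proto   = $Matches.proto
                Client  = $Matches.ip
                IsReply = ($Matches.qr -eq 'R')
                RCode   = $Matches.rcode
                QType   = $Matches.qtype
                QName   = ConvertFrom-LabelName $Matches.qname
            }
        }
    }
}

function Get-DnsClientSummary {
    param([object[]]$Records, [int]$LongNameThreshold = 40)
    $Records | Group-Object Client | ForEach-Object {
        $queries = @($_.Group | Where-Object { -not $_.IsReply })
        $replies = @($_.Group | Where-Object { $_.IsReply })
        $nx      = @($replies | Where-Object { $_.RCode -eq 'NXDOMAIN' })
        $odd     = @($queries | Where-Object { $_.QName.Length -gt $LongNameThreshold -or $_.QType -eq 'TXT' })
        [pscustomobject]@{
            Client    = $_.Name
            Queries   = $queries.Count
            NxDomain  = $nx.Count
            NxRatio   = if ($replies.Count) { [math]::Round($nx.Count / $replies.Count, 2) } else { 0 }
            LongOrTxt = $odd.Count
            # Crude heuristic: failures plus long or TXT names from one client deserve a closer look.
            Review    = ($nx.Count -gt 0 -and $odd.Count -gt 0)
        }
    }
}

$records = ConvertFrom-DnsDebugLog -Lines ($SampleLog -split "`r?`n")
Get-DnsClientSummary -Records $records | Format-Table -AutoSize
# Against a real log, after stopping the service as the procedure requires:
# Get-DnsClientSummary -Records (ConvertFrom-DnsDebugLog -Lines (Get-Content "$env:SystemRoot\System32\Dns\Dns.log"))
```

The log is attacker-influenced input, so the parser ignores anything that does not match the expected shape instead of guessing, and the summary works only on the parsed fields. With the constructed lines, 10.0.0.77 is the client flagged for review: both of its replies are NXDOMAIN and one query is a long TXT name.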

To verify DNS server responsiveness using the nslookup command


1. Open Command Prompt.
2. Type:
   nslookup 127.0.0.1 server_ip_address
3. If the server is responding, the name "localhost" is returned. If the server does not respond, continue troubleshooting the DNS server. For more information, see Related Topics.

Value               Description
nslookup            The name of the command-line program.
127.0.0.1           The address to look up. A DNS server that is running answers this reverse query with the name "localhost" from the 127.in-addr.arpa zone that the DNS Server service creates automatically.
server_ip_address   The IP address of the DNS server whose responsiveness you are verifying. For example, if the IP address of your DNS server is 10.0.0.1, you would type: nslookup 127.0.0.1 10.0.0.1

Notes
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type nslookup, press ENTER, and then type help.
• nslookup takes the name or address to look up first and the server to ask second. With the arguments the other way round you would be asking 127.0.0.1, the local machine, for the remote server's own name, which tests nothing about the remote server.
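The function below is an added example and is not part of the original page. It runs the responsiveness check above against a list of DNS servers and turns nslookup's text output into a status per server, which is what you want when checking every server hosting a zone rather than one by hand. The server addresses are constructed. nslookup's exit code does not reliably reflect success, so the output is parsed; the phrases matched ("Name: localhost", "timed out", "can't find") are assumptions about nslookup's wording on this platform, so confirm them once by running the command manually.

```powershell
# Added example, not part of the original page: run the responsiveness check
# above against several DNS servers and classify nslookup's output. The server
# list is constructed; the phrases matched are assumptions about nslookup's
# wording, so confirm them by hand once.

function Test-DnsServerResponsive {
    param(
        [Parameter(Mandatory)][string[]]$Server,
        [int]$TimeoutSeconds = 3
    )
    foreach ($s in $Server) {
        # nslookup [name] [server]: ask server $s for the PTR of 127.0.0.1, which a
        # running Windows DNS server answers from its automatic 127.in-addr.arpa zone.
        $out = & nslookup.exe "-timeout=$TimeoutSeconds" '-retry=1' 127.0.0.1 $s 2>&1 | Out-String
        $status = 'UNKNOWN (inspect Output)'
        if     ($out -match '(?im)^\s*Name:\s+localhost\b') { $status = 'OK' }
        elseif ($out -match '(?i)timed?[ -]?out')           { $status = 'NO RESPONSE' }
        elseif ($out -match "(?i)can't find|non-existent")  { $status = 'RESPONDING, BUT NO localhost PTR' }
        [pscustomobject]@{
            Server = $s
            Status = $status
            Output = ($out -replace '\s+', ' ').Trim()
        }
    }
}

# Constructed server list; replace with your own.
Test-DnsServerResponsive -Server '10.0.0.1', '10.0.0.2' | Format-Table Server, Status -AutoSize
```

A server that answers but returns no localhost PTR is still up; it is most likely missing its automatically created reverse zones, which is a configuration problem rather than an outage, so the two cases are reported separately.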

Add and remove zones


• Add a forward lookup zone
• Add a reverse lookup zone
• Add a stub zone
• Delete a zone
• Pause a zone
• Start a zone

To add a forward lookup zone



Using the Windows interface
1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Follow the instructions to create a new primary, secondary, or stub zone.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

Value                                          Description
dnscmd                                         Specifies the name of the command-line tool.
ServerName                                     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd                                       Required. Adds a zone.
ZoneName                                       Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Primary|/DsPrimary|/Secondary|/Stub|/DsStub   Required. Specifies the type of zone. /DsPrimary and /DsStub specify an Active Directory-integrated zone type. The /Secondary, /Stub and /DsStub types take the IP addresses of the zone's master servers immediately after the type, as shown in the stub zone procedure below.
/file                                          Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.
FileName                                       Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.
/load                                          Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.
/a                                             Adds an administrator e-mail address for the zone.
AdminEmail                                     Specifies the administrator e-mail name for the zone.
/DP                                            Adds the zone to an application directory partition. You may also use one of the following:
                                               /DP /domain   For the domain directory partition (replicates to all DNS servers in the domain).
                                               /DP /forest   For the forest directory partition (replicates to all DNS servers in the forest).
                                               /DP /legacy   For the legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.
FQDN                                           Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help

To add a reverse lookup zone



Using the Windows interface
1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Follow the instructions to create a new reverse lookup zone.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

Value                 Description
dnscmd                Specifies the name of the command-line tool.
ServerName            Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd              Required. Adds a zone.
ZoneName              Required. Specifies the fully qualified domain name (FQDN) of the in-addr.arpa domain for the zone. For example, 20.1.168.192.in-addr.arpa.
/Primary|/DsPrimary   Required. Specifies the type of zone. To specify an Active Directory-integrated zone, type /DsPrimary.
/file                 Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.
FileName              Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.
/load                 Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.
/a                    Adds an administrator e-mail address for the zone.
AdminEmail            Specifies the administrator e-mail name for the zone.
/DP                   Adds the zone to an application directory partition. You may also use one of the following:
                      /DP /domain   For the domain directory partition (replicates to all DNS servers in the domain).
                      /DP /forest   For the forest directory partition (replicates to all DNS servers in the forest).
                      /DP /legacy   For the legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.
FQDN                  Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help
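The script below is an added example and is not part of the original page. It puts the forward and reverse lookup zone procedures above together: it creates an Active Directory-integrated forward zone and the matching reverse zone with dnscmd, derives the in-addr.arpa name from the network prefix, and then restricts both zones to secure dynamic updates, which is the step a practitioner adds immediately after creating a directory-integrated zone. The zone name and network prefix are constructed. The "/Config ZoneName /AllowUpdate 2" option (2 = secure updates only) is not shown on this page and is used here as an assumption; confirm it with "dnscmd /Config /help" before relying on it.

```powershell
# Added example, not part of the original page: create an AD-integrated forward
# zone and its reverse zone with dnscmd, then allow secure dynamic updates only.
# Zone name and prefix are constructed. "/Config <zone> /AllowUpdate 2" is not
# shown on this page and is an assumption; confirm with "dnscmd /Config /help".

function Invoke-Dnscmd {
    # Run dnscmd with the given arguments and fail loudly on any error.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -notmatch 'Command completed successfully') {
        throw "dnscmd $($Arguments -join ' ') failed:`n$out"
    }
    $out
}

function New-SecureAdZonePair {
    param(
        [Parameter(Mandatory)][string]$Server,          # DNS server host name or IP, or "." for the local server
        [Parameter(Mandatory)][string]$ZoneName,        # forward zone FQDN, e.g. corp.example.com
        [Parameter(Mandatory)][string]$NetworkPrefix,   # first three octets of the /24, e.g. 192.168.20
        [string]$AdminEmail = "hostmaster.$ZoneName",   # dotted form, as the SOA responsible-person field requires
        [ValidateSet('/domain', '/forest', '/legacy')][string]$ReplicationScope = '/domain'
    )
    if ($ZoneName -notmatch '^([a-z0-9-]+\.)+[a-z0-9-]+$')     { throw "Not a valid zone FQDN: $ZoneName" }
    if ($NetworkPrefix -notmatch '^\d{1,3}\.\d{1,3}\.\d{1,3}$') { throw "Expected a.b.c for a /24 network: $NetworkPrefix" }

    # The reverse zone name is the prefix with its octets reversed: 192.168.20 -> 20.168.192.in-addr.arpa
    $octets = $NetworkPrefix.Split('.')
    [array]::Reverse($octets)
    $reverseZone = ($octets -join '.') + '.in-addr.arpa'

    foreach ($zone in @($ZoneName, $reverseZone)) {
        Invoke-Dnscmd -Arguments @($Server, '/ZoneAdd', $zone, '/DsPrimary', '/a', $AdminEmail, '/DP', $ReplicationScope) | Out-Null
        # Secure updates only: a client must authenticate before it can add or overwrite records,
        # which is what stops an unauthenticated host from registering someone else's name.
        Invoke-Dnscmd -Arguments @($Server, '/Config', $zone, '/AllowUpdate', '2') | Out-Null
        Write-Output "Created AD-integrated zone $zone on $Server (replication $ReplicationScope, secure updates only)"
    }
    # Show what the server now hosts.
    Invoke-Dnscmd -Arguments @($Server, '/EnumZones')
}

New-SecureAdZonePair -Server '.' -ZoneName corp.example.com -NetworkPrefix 192.168.20
```

Checking dnscmd's output text as well as its exit code is deliberate: the wrapper treats anything other than an explicit success as a failure, so a typo in a zone name or a replication scope that the server does not support stops the script before the update policy is left at its default.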

To add a stub zone



Using the Windows interface
1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Follow the instructions to create a new stub zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.
• If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records, rather than have the DNS server use the master servers list stored in Active Directory. If you want to use a local master servers list, you will need the IP addresses of the local master servers. If you want the DNS server hosting a stub zone to use a local list of master servers, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneAdd ZoneName {/Stub|/DsStub} MasterIPaddress... [/file FileName] [/load] [/DP FQDN]

Value                Description
dnscmd               Specifies the name of the command-line tool.
ServerName           Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd             Required. Adds a zone.
ZoneName             Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Stub|/DsStub        Required. Specifies the type of zone. To specify an Active Directory-integrated stub zone, type /DsStub.
MasterIPaddress...   Required. Specifies one or more IP addresses for the master servers of the stub zone, from which it copies zone data.
/file                Adds a file for the new zone.
FileName             Specifies the name of the zone file.
/load                Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically.
/DP                  Adds the zone to an application directory partition. You may also use one of the following:
                     /DP /domain   For the domain directory partition (replicates to all DNS servers in the domain).
                     /DP /forest   For the forest directory partition (replicates to all DNS servers in the forest).
                     /DP /legacy   For the legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy domain controllers running Windows 2000 Server.
FQDN                 Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help
• The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.
• If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records, rather than have the DNS server use the master servers list stored in Active Directory. If you want to use a local master servers list, you will need the IP addresses of the local master servers. If you want the DNS server hosting a stub zone to use a local list of master servers, see Related Topics.

To delete a zone


Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable zone.
   Where?
   o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Delete.
4. When asked to confirm that you want to delete the zone, click OK.

Caution

Deleting an Active Directory-integrated zone effectively deletes the zone and eliminates its use at all other DNS servers using the same directory store of zone data.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure is most often used to delete a secondary copy of a zone, although it can also be used to delete a primary zone. Deleting a standard primary zone is usually unnecessary, unless you are redesigning your DNS namespace and the zone is no longer needed or used. In most cases, you can change the zone type if you only want to modify the zone. For more information, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]

Value         Description
dnscmd        Specifies the name of the command-line tool.
ServerName    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneDelete   Required. Specifies the command to delete the zone specified by ZoneName.
ZoneName      Required. Specifies the fully qualified domain name (FQDN) of the zone you are deleting.
/DsDel        Deletes the zone from Active Directory as well as from this server. Because the zone data is shared through the directory, the caution above applies: the zone disappears from every DNS server that loads it from the same directory store.
/f            Performs the command without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneDelete /help

To pause a zone


Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable zone.
   Where?
   o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, click Pause, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. By default, zones are started when created or loaded at the server. Once you use this procedure to pause a zone, you must restart the zone before it is available for servicing clients or zone updates.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZonePause ZoneName

Value          Description
dnscmd         Specifies the name of the command-line program.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZonePause     Required. Pauses the zone.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To start a zone

Using the Windows interface Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.

   Where?
   DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.
4. On the General tab, click Start, and then click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. By default, zones are started when created or loaded at the server. Only zones that have previously been paused need to be restarted.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResume ZoneName

Value          Description
dnscmd         Specifies the name of the command-line tool.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneResume    Required. Resumes the hosting of the zone by the DNS server.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone resuming operation.

Notes

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. By default, zones are started when created or loaded at the server. Only zones that have previously been paused need to be restarted.

Configure zone properties

Change the zone type
Change a zone file name
Change zone replication scope
Modify the start of authority (SOA) record for a zone
Modify zone transfer settings
Create and manage a notify list for a zone
Create a zone delegation
Verify a zone delegation using the nslookup command
Configure a stub zone for local master servers
Specify other DNS servers as authoritative for a zone
Update the master server for a secondary zone
Enable DNS to use WINS resolution
Verify WINS as the source for answering a DNS query

To change the zone type


Using the Windows interface Using a command line

To change the zone type using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone type, and then click Change.
4. In Change Zone Type, select a zone type other than the current one, and then click OK.

Additional considerations

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. You can select from Primary zone, Secondary zone, or Stub zone. When selecting the secondary or stub zone types, you must specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone. If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. This option is not otherwise available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database.

Note You cannot change the zone type (primary, secondary, or stub) and the method for storing the zone at the same time. You must perform the two operations separately.

Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers and the use of DNS notify lists to notify other servers about changes in the zone. For more information, see Related Topics. Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones. Changing DNS zone type or storage can be time-consuming for large zones.

To change the zone type using a command line

1. Open Command Prompt.
2. Type the following command, and then press ENTER: dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN}

Value                Description
dnscmd               Specifies the name of the command-line tool.
ServerName           Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
ZoneName             Required. Specifies the fully qualified domain name (FQDN) of zone.
Property             Required. One of the following zone types:
                     /Primary     Standard primary zone. The /file FileName option is required.
                     /DsPrimary   Active Directory Domain Services (AD DS) integrated primary zone. If the zone is not already a primary zone, you must convert it to a primary zone (using /Primary) before you use this option to integrate the zone with AD DS.
                     /Secondary   Secondary zone. You must specify at least one MasterIPaddress.
                     /Stub        Stub zone. You must specify at least one MasterIPaddress. If the zone is an AD DS integrated primary zone, you must use /DsStub to convert it to an AD DS integrated stub zone before using this option.
                     /DsStub      Active Directory-integrated stub zone. You must specify at least one MasterIPaddress. If the zone is not already a stub zone, you must convert it to a stub zone (using /Stub) before using this option to integrate the zone with AD DS.
MasterIPaddress...   Required for /Secondary, /Stub and /DsStub. Specifies one or more IP addresses for the master servers of the secondary or stub zone, from which it copies zone data.
/file FileName       Required for /Primary. Specifies the name of a file for the new zone. This parameter is not valid for the /DsPrimary zone type.
/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN
                     /OverWrite_Mem overwrites existing DNS data using the data in Active Directory. /OverWrite_Ds overwrites Active Directory data with data in DNS. /DirectoryPartition stores the new zone in the application directory partition specified by FQDN, such as DomainDnsZones.corp.example.microsoft.com.


Additional considerations

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetType /help

You can select from primary, secondary or stub zone. When selecting the secondary or stub zone type, you need to specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone. If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. This option is not otherwise available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database. Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers, and the use of DNS notify lists to notify other servers about changes in the zone. Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones.

To change a zone file name

1. Open DNS.
2. In the console tree, click the applicable zone.

   Where?
   DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.
4. On the General tab, in the Zone file name text box, type the new file name for this zone.
5. Click OK when you have finished entering the new zone file name.

Caution

If the zone file name is changed, be sure to update Zone file name on other DNS servers that maintain this zone. Otherwise, subsequent zone transfers and updates might fail. This can occur in the following situations:

o The zone type is primary on this server.
o The zone type is secondary on this server and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of this zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. The name of the zone file changes, not the name of the zone. You can use Windows Explorer to view or verify the new zone file name. The zone file name is not used for Active Directory-integrated zones because these zones store zone data in the Active Directory database and not a text file on the DNS server computer.

To change zone replication scope


Using the Windows interface Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone replication type, and then click Change.
4. Select a replication scope for the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. Only Active Directory-integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope. This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName

Value                           Description
dnscmd                          Specifies the name of the command-line program.
ServerName                      Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneChangeDirectoryPartition   Required. Changes a zone's replication scope.
ZoneName                        Required. Specifies the fully qualified domain name (FQDN) of the zone.
NewPartitionName                Required. The FQDN of the DNS application directory partition where the zone will be stored.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneChangeDirectoryPartition /?

Only Active Directory-integrated primary forward lookup zones and Active Directory-integrated stub zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope. This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To modify the start of authority (SOA) record for a zone


Using the Windows interface Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. As needed, modify properties for the start of authority (SOA) record.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. The settings applied for the start of authority (SOA) record affect how zone transfers are made between servers. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value          Description
dnscmd         Specifies the name of the command-line program.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd     Required. Adds or modifies a resource record.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName       Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging         Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl       Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl            Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
SOA            Required. Specifies the type of resource record you are modifying.
PrimSvr        Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin          Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#        Required. Specifies the version information for the zone.
Refresh        Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).
Retry          Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire         Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL         Required. Specifies the minimum Time to Live (TTL) value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
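Because dnscmd needs every SOA field even when only one value changes, the following PowerShell script (an added example, not part of the Windows Server help and not a Microsoft script) reads the zone's current SOA record through the MicrosoftDNS WMI provider, bumps the serial, and builds the complete /RecordAdd command with a new refresh interval; it assumes the DNS server role is installed, that the caller has DNS administrative rights, and that $ZoneName is replaced with a real zone.

```powershell
# Added example, not from the Windows Server help. Reads the current SOA
# record of a zone via the MicrosoftDNS WMI provider and builds the full
# dnscmd /RecordAdd command that changes only the refresh interval.
param(
    [string]$ServerName = ".",              # "." is the local DNS server, as with dnscmd
    [string]$ZoneName   = "corp.example",   # placeholder zone name
    [int]$NewRefresh    = 900,              # new refresh interval in seconds
    [switch]$Apply                          # without -Apply the command is only printed
)

# MicrosoftDNS_SOAType exposes each field dnscmd requires (assumed property
# names from the WMI DNS provider: PrimaryServer, ResponsiblePerson,
# SerialNumber, RefreshInterval, RetryDelay, ExpireLimit, MinimumTTL).
$soa = Get-WmiObject -ComputerName $ServerName -Namespace "root\MicrosoftDNS" `
                     -Class MicrosoftDNS_SOAType -Filter "ContainerName='$ZoneName'"
if (-not $soa) { throw "No SOA record found for zone '$ZoneName' on $ServerName" }

# Secondaries only pull a new copy when the serial increases, so bump it.
# Serial numbers are 32-bit and wrap to 0 after the maximum value.
if ([uint32]$soa.SerialNumber -eq [uint32]::MaxValue) { $newSerial = 0 }
else { $newSerial = [uint32]$soa.SerialNumber + 1 }

# Sanity checks on timer ordering (general guidance, not from the help page);
# the help page's standard settings 3600/600/86400 satisfy both.
if ($soa.RetryDelay -ge $NewRefresh) {
    Write-Warning "Retry ($($soa.RetryDelay)) should be shorter than refresh ($NewRefresh)"
}
if ($soa.ExpireLimit -le $NewRefresh) {
    Write-Warning "Expire ($($soa.ExpireLimit)) should be longer than refresh ($NewRefresh)"
}

# Argument order matches the help page syntax:
#   dnscmd ServerName /RecordAdd ZoneName NodeName SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL
# "@" names the zone root node; it is quoted so PowerShell passes it literally.
$dnscmdArgs = @($ServerName, "/RecordAdd", $ZoneName, "@", "SOA",
                $soa.PrimaryServer, $soa.ResponsiblePerson, $newSerial,
                $NewRefresh, $soa.RetryDelay, $soa.ExpireLimit, $soa.MinimumTTL)

Write-Host ("Current SOA: serial={0} refresh={1} retry={2} expire={3} minttl={4}" -f `
            $soa.SerialNumber, $soa.RefreshInterval, $soa.RetryDelay, $soa.ExpireLimit, $soa.MinimumTTL)
Write-Host ("Command:     dnscmd " + ($dnscmdArgs -join " "))

if ($Apply) { & dnscmd $dnscmdArgs }   # array elements are passed as separate arguments
```

Run it once without -Apply to review the generated command, then with -Apply to execute it.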

To modify DNS zone transfer settings


Using the Windows interface Using a command line

Using the Windows interface

1. Open DNS.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
   o To disable zone transfers, clear the Allow zone transfers check box.
   o To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
   o To allow zone transfers to any server, click To any server.
   o To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
   o To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr | /NonSecure | /SecureNs | /SecureList [SecondaryIPAddress...]}

Value                  Description
dnscmd                 Specifies the name of the command-line tool.
ServerName             Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName               Required. Specifies the fully qualified domain name (FQDN) of zone.
/NoXfr                 Disables zone transfers for the zone.
/NonSecure             Permits zone transfers to any DNS server.
/SecureNs              Permits zone transfers only to DNS servers listed in the zone using name server (NS) resource records.
/SecureList            Permits zone transfers only to DNS servers specified by SecondaryIPAddress.
SecondaryIPAddress     Required, if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetSecondaries /?

To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the NS resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.
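To find zones that still allow transfers to any host, the following PowerShell audit (an added example, not part of the Windows Server help and not a Microsoft script) reads each zone's transfer scope from the MicrosoftDNS WMI provider and prints the /ZoneResetSecondaries command from this topic for any zone that needs tightening; it assumes the DNS server role is installed and that the caller has DNS administrative rights on the server.

```powershell
# Added example, not from the Windows Server help. Audits zone transfer
# restrictions on one DNS server and suggests the dnscmd fix for open zones.
param(
    [string]$ServerName = "."   # "." is the local DNS server, as with dnscmd
)

# MicrosoftDNS_Zone.SecureSecondaries values (assumed from the WMI DNS
# provider): 0 = any server, 1 = servers in NS records only,
# 2 = servers in the SecondaryServers list only, 3 = transfers disabled.
$scopeNames = @{
    0 = "any server (/NonSecure)"
    1 = "NS records only (/SecureNs)"
    2 = "explicit list (/SecureList)"
    3 = "disabled (/NoXfr)"
}

$zones = Get-WmiObject -ComputerName $ServerName -Namespace "root\MicrosoftDNS" `
                       -Class MicrosoftDNS_Zone

$report = foreach ($zone in $zones) {
    $scope = [int]$zone.SecureSecondaries
    # Filter out $null so an unset list yields an empty array, not @($null).
    $secondaries = @($zone.SecondaryServers | Where-Object { $_ })

    # Rating follows the help page: transfers to any host hand the whole
    # zone to anyone who can reach the server.
    $risk = "ok"
    $fix  = ""
    if ($scope -eq 0) {
        $risk = "HIGH: any host that reaches this server can pull the zone"
        $fix  = "dnscmd $ServerName /ZoneResetSecondaries $($zone.Name) /SecureNs"
    } elseif ($scope -eq 2 -and $secondaries.Count -eq 0) {
        $risk = "WARN: /SecureList chosen but the list is empty"
    }

    New-Object PSObject -Property @{
        Zone         = $zone.Name
        DsIntegrated = $zone.DsIntegrated
        Scope        = $scopeNames[$scope]
        Secondaries  = ($secondaries -join ", ")
        Risk         = $risk
        Fix          = $fix
    }
}

# Sorting ascending lists HIGH findings before ok and WARN entries.
$report | Sort-Object Risk | Format-Table Zone, DsIntegrated, Scope, Secondaries, Risk, Fix -AutoSize
```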

To create and manage a notify list for a zone


1. Open DNS.
2. In the console tree, click the applicable zone.

   Where?
   DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.
4. Click the Zone Transfers tab.
5. Click Notify.
6. Verify that the Automatically notify check box is checked.
7. Select the method to be used for creating a list for notifying other DNS servers when changes to the zone occur. Your options are:
   o Use the default, Servers listed on the Name Servers tab, to permit only those servers that appear by IP address on the Name Servers tab to be included in the notify list.
   o Select The following servers if you want to specify a different notify list to be used instead.
8. If you selected The following servers in the previous step, add or remove server IP addresses to form the notify list as needed:
   o To add a server to the notify list, type its IP address in the IP address field and click Add.
   o To remove a server from the notify list, click the server IP address in the list box and click Remove.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. Changes to the notify list properties are only available on primary zones. For secondary zones, these properties are read-only. DNS Notify is an RFC-compliant extension of the DNS standard defined in RFC 1996, "A Mechanism for Prompt Notification of Zone Changes." By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.


To create a zone delegation


Using the Windows interface Using a command line

Using the Windows interface

1. Open the DNS console.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions provided in the New Delegation Wizard to finish creating the new delegated domain.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone prior to performing delegation as described here. As necessary, use the DNS console to first add domains to the zone before completing this procedure. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

Value           Description
dnscmd          Specifies the name of the command-line tool.
ServerName      Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd      Required. Specifies the command to add a resource record.
ZoneName        Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName        Required. Specifies the FQDN of the node in the DNS namespace for which the resource record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging          If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl        Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl             Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
NS              Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.
HostName|FQDN   Required. Specifies the host name or FQDN of the new authoritative server.

See the following examples:

dnscmd dnssvr1.contoso.com /recordadd test A 10.0.0.5
dnscmd /recordadd test.contoso.com test MX 10 mailserver.test.contoso.com

For more information, see Dnscmd Syntax.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To verify a zone delegation using the nslookup command


1. Open Command Prompt.
2. Type: nslookup RootServerIpAddress
3. Then type: nslookup
4. At the next prompt, type: set norecurse
5. At the next prompt, type: set q=NS
6. Type the fully qualified domain name (FQDN) for the failed name. Use the trailing period (.) when entering the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers should be returned in the response.
7. If the NS query response contains no names or IP addresses for delegated servers, type q=ns and query again using the FQDN for the parent zone of the failed name. For example, if the failed name you used in the previous step was example.microsoft.com, query for microsoft.com.
8. If the response contains NS resource records, but no host (A) resource records, type set recurse and query individually for any of the A resource records of servers listed in the NS resource records. If, for each NS resource record you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
9. Either fix the broken delegation or retry the delegation test described in the previous step using a different IP address. If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

Value                    Description
nslookup                 The name of the command-line tool.
root_server_ip_address   The IP address of a valid root server for your network.
set norecursion          A command to instruct the root server to not perform recursion on your query.
set q=NS                 The command to send the query for NS resource records to the root server.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter and then type help
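The same "every NS record must resolve to at least one address" test from step 8 can be run against the delegation data held on the parent server itself. The PowerShell script below is an added example (not part of the Windows Server help and not a Microsoft script): it reads the subdomain's NS records from the parent zone through the MicrosoftDNS WMI provider, looks for glue A records in that zone for name servers inside the subdomain, resolves the others normally, and reports any name server with no address. $ZoneName and $Subdomain are placeholders, and the script assumes the DNS server role is installed and the caller can read DNS data on the server.

```powershell
# Added example, not from the Windows Server help. Checks a delegation held
# in a zone on this server for the broken-delegation condition described in
# the nslookup procedure: an NS record with no usable A record behind it.
param(
    [string]$ServerName = ".",                     # "." is the local DNS server, as with dnscmd
    [string]$ZoneName   = "corp.example",          # placeholder: parent zone on this server
    [string]$Subdomain  = "sales.corp.example"     # placeholder: delegated subdomain
)

$wmi = @{ ComputerName = $ServerName; Namespace = "root\MicrosoftDNS" }

# NS records owned by the subdomain name inside the parent zone are the delegation.
# (MicrosoftDNS_NSType.NSHost and MicrosoftDNS_AType.IPAddress are assumed property
# names from the WMI DNS provider.)
$nsRecords = @(Get-WmiObject @wmi -Class MicrosoftDNS_NSType `
                   -Filter "ContainerName='$ZoneName' AND OwnerName='$Subdomain'")
if ($nsRecords.Count -eq 0) {
    Write-Warning "No NS records for $Subdomain in zone $ZoneName, so nothing is delegated"
    return
}

$broken = 0
foreach ($ns in $nsRecords) {
    $nsHost = $ns.NSHost.TrimEnd('.')
    $addresses = @()

    if ($nsHost -eq $Subdomain -or $nsHost -like "*.$Subdomain") {
        # Name server lives inside the delegated subdomain: only a glue A record
        # in the parent zone can tell a resolver where to find it.
        $addresses = @(Get-WmiObject @wmi -Class MicrosoftDNS_AType `
                           -Filter "ContainerName='$ZoneName' AND OwnerName='$nsHost'" |
                       ForEach-Object { $_.IPAddress })
    } else {
        # Name server is outside the subdomain: an ordinary lookup must find it.
        try {
            $addresses = @([System.Net.Dns]::GetHostAddresses($nsHost) |
                           ForEach-Object { $_.IPAddressToString })
        } catch {
            $addresses = @()
        }
    }

    if ($addresses.Count -eq 0) {
        Write-Host ("BROKEN  {0}: no A record or IP address found" -f $nsHost)
        $broken++
    } else {
        Write-Host ("OK      {0} -> {1}" -f $nsHost, ($addresses -join ", "))
    }
}

if ($broken -gt 0) {
    Write-Warning ("{0} of {1} name servers for {2} have no address. Add or update A records in {3} for the delegated servers, then repeat the nslookup test." -f `
                   $broken, $nsRecords.Count, $Subdomain, $ZoneName)
}
```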

To configure a stub zone to use local master servers


Using the Windows interface Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the stub zone, and then click Properties.
3. On the General tab, under IP address, modify the list to display the IP addresses of the local master servers that you want the DNS server to use when loading and updating the stub zone. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.
4. Select the Use the list above as a local list of masters check box, and then click OK.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted. When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory. The DNS server will keep the master servers list from Active Directory stored in memory.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]

Value               Description
dnscmd              Specifies the name of the command-line tool.
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
ZoneName            Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Local              Configures the local master list for Active Directory-integrated zones.
MasterIPaddress...  List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers hosting other secondary copies for the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetMasters /help

If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted. When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory. The DNS server will keep the master servers list from Active Directory stored in memory.

To specify other DNS servers as authoritative for a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When entering names, click Resolve to resolve the name to its IP address prior to adding it to the list. DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data. DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|DomainName}

Value          Description
dnscmd         Specifies the name of the command-line tool.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd     Required. Specifies the command to add a resource record.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName       Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging         If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl       Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl            Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record).
NS             Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.
HostName|FQDN  Required. Specifies the host name or FQDN of the new authoritative server.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data. DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.

To update the master server for a secondary zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable secondary zone, and then click Properties.
3. On the General tab, in IP address, specify the IP address for a new master server, and then click Add to update the list.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...

Value               Description
dnscmd              Specifies the name of the command-line tool.
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneResetMasters   Required. Updates the master servers for a secondary zone.
ZoneName            Required. Specifies the fully qualified domain name (FQDN) of the zone you are updating.
/Local              Specifies the local master list for Active Directory-integrated zones.
MasterIPaddress...  Required. Specifies the IP addresses of the master servers to be used by the DNS server when updating the specified secondary zones. If you do not specify ServerIPs, you are requesting the DNS server to reset the value to an empty list. The request may be denied because a zone must always have at least one master server. MasterIPaddress... is required to clear the local master list for a zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetMasters /help

To enable DNS to use WINS resolution


1. Open DNS.
2. In the console tree, right-click the applicable zone, then click Properties.
3. Do one of the following:
   o If the applicable zone is a forward lookup zone, on the WINS tab, select the Use WINS forward lookup check box. In IP address, type the IP address of a WINS server to be used for resolution of names not found in DNS, and then click Add.
   o If the applicable zone is a reverse lookup zone, on the WINS-R tab, select the Use WINS-R lookup check box. In Domain to append to returned name, type a name.
4. Select the Do not replicate this record check box for this WINS record, if applicable. If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, click this check box. This prevents these records from being replicated to these other servers during zone transfers. If this zone will be used in performing zone transfers to BIND servers, this is a critical option as BIND will not recognize WINS records.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. When this option is used, specified WINS servers configured in this procedure are used for final referral of names not found in the applicable zone. Optionally, click Advanced to adjust advanced WINS lookup parameters.

To verify WINS as the source for answering a DNS query


1. Open Command Prompt.
2. Type: nslookup
3. After the previous command completes, at the nslookup prompt type: set debug
4. Next, either type: set querytype=a if you are testing for a WINS forward lookup, or: set querytype=ptr if you are testing for a WINS-R reverse lookup. Respectively, these two commands can be used to set the query type to filter either by host (A) or pointer (PTR) resource records as appropriate for researching either a forward or reverse lookup.
5. Based on whether you are verifying possible WINS sourcing for either a forward or reverse lookup, type the appropriate fully qualified domain name (FQDN). For example, if the forward lookup you are tracing is for a domain name host-a.example.microsoft.com, type: host-a.example.microsoft.com. If the reverse lookup you are tracing is for an IP address 10.0.0.1, type: 1.0.0.10.in-addr.arpa.
6. In the response, note whether the server answered authoritatively or non-authoritatively, and note the Time-To-Live (TTL) value.
7. If the server answered authoritatively, repeat the same query you performed in step 4.
8. In the response, note whether the TTL value decreased with the second query answer or if it remained consistent with the TTL value specified in the first query answer. If the TTL value decreased for an authoritatively answered query, the source of the query answer is a WINS server.
9. To leave debug mode and return to the command prompt, type exit.

Value          Description
nslookup       The name of the command-line program.
set debug      Enables the nslookup command to operate in debug mode, providing extended information in the command output. This mode is required to view query response information about whether the source for a query answer is: authoritative (from a DNS zone or WINS server database), or non-authoritative (cached data from previous queries made by the DNS server or loaded from root hints).
set querytype  Changes the type of information query. More information about types can be found in Request For Comment (RFC) 1035.

Notes

Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter and then type help

Normally, when a DNS server answers a query from its authoritative zone data, it uses the zone's minimum or default TTL or the record-specific TTL value (if one is configured). TTLs are decreased only in answers based on non-authoritative data, such as a record cached at the server. WINS lookups are an exceptional case: an answer received from a WINS server is cached by the DNS server but is also considered authoritative data. The WINS-sourced data is therefore returned to clients as authoritative but ages in the DNS server's name cache, so the TTL the server reports decreases over time.
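The TTL comparison from the procedure and note above, as an added example that is not code from the original documentation: it parses two DNS response messages to the same query offline and applies the rule that an authoritative answer whose TTL has decreased between queries is WINS-sourced. The response messages are constructed test data built by build_response (the name host-a.example.microsoft.com and address 10.0.0.1 are the page's own examples); no real server is queried.

```python
import struct

# Added example, not part of the original Windows Server documentation.
# Builds constructed DNS responses, parses them, and applies the rule from the
# notes above: authoritative answer + decreasing TTL = WINS-sourced data.

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(ident, authoritative, qname, qtype, rdata, ttl):
    """Build a minimal one-answer response (constructed test data, not a capture)."""
    flags = FLAG_QR | (FLAG_AA if authoritative else 0)
    header = struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # resume after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return the AA flag and the answer records (name, type, ttl, data)."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:             # A record: dotted quad
            data = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_PTR:                        # PTR record: a name
            data, _ = _read_name(msg, off)
        else:
            data = rdata.hex()
        off += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": ident, "aa": bool(flags & FLAG_AA), "answers": answers}


def classify_source(first, second):
    """Classify two parsed answers to the same query, taken in that order."""
    if not first["answers"] or not second["answers"]:
        return "no answer"
    if not first["aa"]:
        return "non-authoritative (cached or root hints)"
    if second["answers"][0]["ttl"] < first["answers"][0]["ttl"]:
        return "authoritative, TTL decreasing: WINS-sourced"
    return "authoritative, TTL constant: zone data"


if __name__ == "__main__":
    q = "host-a.example.microsoft.com"
    first = parse_response(build_response(1, True, q, TYPE_A, bytes([10, 0, 0, 1]), 3600))
    second = parse_response(build_response(2, True, q, TYPE_A, bytes([10, 0, 0, 1]), 3540))
    print(classify_source(first, second))              # WINS-sourced
```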

Manage zones

Allow dynamic updates
Allow only secure dynamic updates
Initiate a zone transfer at a secondary server
Reload or transfer a stub zone
Adjust the refresh interval for a zone
Adjust the retry interval for a zone
Adjust the expire interval for a zone
Modify security for a directory-integrated zone

Allow dynamic updates

Updated: January 21, 2005 Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To allow dynamic updates



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. In Dynamic Updates, click Nonsecure and secure.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}

Value                Description
dnscmd               Specifies the name of the command-line program.
ServerName           Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/Config              Required. Specifies the configuration command.
ZoneName|..AllZones  Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate         Required. Specifies the allow update command.
1|0                  Configures dynamic update. To allow dynamic updates, enter a value of 1. To not allow dynamic updates, enter a value of 0.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

To allow only secure dynamic updates



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is Active Directory-integrated.
4. In Dynamic Updates, click Secure only.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory integrate the zone prior to securing it for DNS dynamic updates. Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)." By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone. This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2

Value                Description
dnscmd               Specifies the name of the command-line program.
ServerName           Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/Config              Required. Specifies the configuration command.
ZoneName|..AllZones  Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate         Required. Specifies the allow update command.
2                    Required. Configures the server to allow secure update. If you exclude the 2, the zone will be set to perform standard dynamic updates only.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)." By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone. This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To initiate a zone transfer at a secondary server



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Transfer from master.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. This procedure checks to see if the start of authority (SOA) resource record in the secondary zone is the most recent version of the SOA resource record in the primary zone. If the SOA resource records are synchronized, then there is no zone transfer. If the SOA resource records are not synchronized, then there is a zone transfer. By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneRefresh ZoneName

Value         Description
dnscmd        Specifies the name of the command-line tool.
ServerName    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneRefresh  Required. Updates the secondary zone.
ZoneName      Required. Specifies the name of the secondary zone to update.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneRefresh /help

This procedure checks to see if the start of authority (SOA) resource record in the secondary zone is the most recent version of the SOA resource record in the primary zone. If the SOA resource records are synchronized, then there is no zone transfer. If the SOA resource records are not synchronized, then there is a zone transfer. By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

To reload or transfer a stub zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable stub zone, and do one of the following:
   o To reload the stub zone from storage, click Reload.
   o To have the DNS server determine if the serial number in the stub zone's SOA resource record has expired and then perform a zone transfer from the stub zone's master server, click Transfer from Master.
   o To perform a zone transfer from the stub zone's master server regardless of the serial number in the stub zone's SOA resource record, click Reload from Master.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.


Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName

Value              Description
dnscmd             Specifies the name of the command-line program.
ServerName         Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneReload        Reloads the stub zone.
/ZoneUpdateFromDs  Reloads the stub zone from Active Directory.
/ZoneRefresh       Refreshes the stub zone. The DNS server will determine if the serial number in the stub zone's SOA resource record has expired. If the serial number has expired, the DNS server will perform a zone transfer from the stub zone's master server.
ZoneName           Required. Specifies the name of the stub zone you want to reload or refresh.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneReload /help or dnscmd /ZoneUpdateFromDs /help or dnscmd /ZoneRefresh /help.


There is no dnscmd command to perform a zone transfer regardless of the SOA resource record's expiration date. To perform this operation, use the Windows interface procedure.

To adjust the refresh interval for a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Refresh interval, click a time period in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

Value       Description
dnscmd      Specifies the name of the command-line program.
ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd  Required. Adds or modifies a resource record.
ZoneName    Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName    Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging      Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl    Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl         Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record).
SOA         Required. Specifies the type of resource record you are modifying.
PrimSvr     Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin       Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\    Required. Specifies the version information for the zone.
Refresh     Required. Specifies the refresh interval for the zone. The standard setting is 900 (15 minutes).
Retry       Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire      Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL      Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL). By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.
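Because dnscmd /RecordAdd ... SOA overwrites all seven SOA values at once (this section and the retry-interval section that follows), a check of the values before they are applied is useful. The following is an added example and not code from the original documentation: it parses the trailing SOA arguments, applies interval sanity rules that are common operational practice assumed here (retry shorter than refresh, expire longer than refresh plus retry) rather than settings from the page, and uses RFC 1982 serial-number arithmetic to confirm that the new serial will be seen as newer by secondaries. The sample server and administrator names are the page's own examples; the serial values are constructed.

```python
# Added example, not part of the original Windows Server documentation.
# Checks the trailing values of "dnscmd ServerName /RecordAdd ZoneName NodeName
# SOA PrimSvr Admin Serial Refresh Retry Expire MinTTL" before they are applied.

# Standard settings listed in the table above, in seconds.
STANDARD_SOA = {"refresh": 900, "retry": 600, "expire": 86400, "minttl": 3600}

SERIAL_MODULUS = 1 << 32   # SOA serials are unsigned 32-bit values


def parse_soa_args(args):
    """Split 'PrimSvr Admin Serial Refresh Retry Expire MinTTL' into a dict."""
    fields = args.split()
    if len(fields) != 7:
        raise ValueError("all seven SOA values are required: "
                         "PrimSvr Admin Serial Refresh Retry Expire MinTTL")
    primsvr, admin, *numbers = fields
    try:
        serial, refresh, retry, expire, minttl = (int(n) for n in numbers)
    except ValueError:
        raise ValueError("Serial, Refresh, Retry, Expire and MinTTL must be integers") from None
    return {"primsvr": primsvr, "admin": admin, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minttl": minttl}


def admin_mailbox(admin):
    """Turn the SOA administrator name (first label is the mailbox) into an address."""
    local, _, domain = admin.rstrip(".").partition(".")
    return f"{local}@{domain}"


def serial_is_newer(new, old):
    """RFC 1982 serial-number arithmetic: True if 'new' is greater than 'old',
    including the wrap-around case a plain integer comparison gets wrong."""
    diff = (new - old) % SERIAL_MODULUS
    return 0 < diff < SERIAL_MODULUS // 2


def check_soa(soa, previous_serial=None):
    """Return a list of problems; an empty list means the values are consistent.
    The interval rules are common operational practice assumed by this example."""
    problems = []
    for name in ("refresh", "retry", "expire", "minttl"):
        if soa[name] <= 0:
            problems.append(f"{name} must be a positive number of seconds")
    if not 0 <= soa["serial"] < SERIAL_MODULUS:
        problems.append("serial must be an unsigned 32-bit value")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry interval should be shorter than the refresh interval")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire interval should exceed refresh + retry, or secondaries "
                        "could discard the zone before a failed refresh is retried")
    if "@" in soa["admin"]:
        problems.append("Admin is a DNS name: use a period instead of '@' "
                        "(for example postmaster.nameserver.place.example.microsoft.com)")
    if previous_serial is not None and not serial_is_newer(soa["serial"], previous_serial):
        problems.append(f"serial {soa['serial']} is not newer than {previous_serial}; "
                        "secondaries will not transfer the change")
    return problems


def dnscmd_soa_command(server, zone, soa):
    """Build the full command line, since every SOA value must be supplied together.
    '@' as NodeName selects the zone's root node, as the table above describes."""
    return (f"dnscmd {server} /RecordAdd {zone} @ SOA {soa['primsvr']} {soa['admin']} "
            f"{soa['serial']} {soa['refresh']} {soa['retry']} {soa['expire']} {soa['minttl']}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real zone.
    sample = parse_soa_args("nameserver.place.example.microsoft.com "
                            "postmaster.nameserver.place.example.microsoft.com "
                            "2005012101 900 600 86400 3600")
    print(check_soa(sample, previous_serial=2005012100))   # prints []
    print(dnscmd_soa_command(".", "example.microsoft.com", sample))
```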

To adjust the retry interval for a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Retry interval, click an interval in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

Value: Description
dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
SOA: Required. Specifies the type of resource record you are modifying.
PrimSvr: Required. Specifies the FQDN of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin: Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\: Required. Specifies the version information for the zone.
Refresh: Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).
Retry: Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire: Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL: Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).

By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

To adjust the expire interval for a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Expires after, click an interval in either minutes, hours, or days, and then type a number in the text box.
6. Click OK to save the adjusted interval.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

By default, the expire interval for each zone is set to 1 day. The expire interval is used by other DNS servers configured to load and host the zone to determine when zone data expires if not renewed.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

Value: Description
dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
SOA: Required. Specifies the type of resource record you are modifying.
PrimSvr: Required. Specifies the FQDN of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin: Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\: Required. Specifies the version information for the zone.
Refresh: Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).
Retry: Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire: Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL: Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
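The seven SOA values that the dnscmd syntax above requires, assembled and checked in Python as an added example (not code from this help topic or from dnscmd itself). It converts the console's minute, hour and day intervals into the seconds dnscmd takes; the ordering checks between the timers follow RFC 1912's recommendations and are an addition of the example, not something the topic states.

```python
"""Build the dnscmd /RecordAdd SOA argument list described in this topic.

Added example; not code from the original help topic or from dnscmd.
It relies on what the topic states: the DNS console takes intervals in
minutes, hours or days, dnscmd takes Refresh, Retry, Expire and MinTTL
in seconds (3600 is one hour), and all seven SOA values must be given
together because /RecordAdd SOA rewrites the whole record. The ordering
checks between the timers follow RFC 1912 and are an addition here.
"""
from dataclasses import dataclass
from typing import List

# Multipliers from the console's interval units to the seconds dnscmd expects.
UNIT_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}


def to_seconds(value: int, unit: str) -> int:
    """Convert a console interval such as (15, "minutes") to seconds."""
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unit must be one of {sorted(UNIT_SECONDS)}, got {unit!r}")
    if value <= 0:
        raise ValueError("interval must be a positive number")
    return value * UNIT_SECONDS[unit]


@dataclass(frozen=True)
class Soa:
    """The seven values dnscmd requires, in the order it expects them."""
    prim_svr: str  # PrimSvr: FQDN of the zone's primary server
    admin: str     # Admin: responsible mailbox, with '.' in place of '@'
    serial: int    # Serial#: zone version, a 32-bit unsigned number
    refresh: int   # seconds between a secondary's refresh attempts
    retry: int     # seconds before a failed refresh is retried
    expire: int    # seconds after which an unrefreshed secondary stops answering
    min_ttl: int   # seconds other servers cache records from the zone

    def check(self) -> List[str]:
        """Return the problems found; an empty list means the record is coherent."""
        problems = []
        if "@" in self.admin:
            problems.append("Admin must use a period in place of the at sign")
        if not 0 <= self.serial <= 0xFFFFFFFF:
            problems.append("Serial# must fit in 32 bits")
        for name in ("refresh", "retry", "expire", "min_ttl"):
            if getattr(self, name) <= 0:
                problems.append(f"{name} must be a positive number of seconds")
        if self.retry >= self.refresh:
            problems.append("Retry should be shorter than Refresh")
        if self.expire <= self.refresh + self.retry:
            problems.append("Expire should exceed Refresh + Retry, or a secondary "
                            "drops the zone after a single failed refresh")
        return problems

    def dnscmd_args(self, server: str, zone: str, node: str = "@") -> List[str]:
        """Assemble dnscmd ServerName /RecordAdd ZoneName NodeName SOA <7 values>."""
        problems = self.check()
        if problems:
            raise ValueError("; ".join(problems))
        return ["dnscmd", server, "/RecordAdd", zone, node, "SOA",
                self.prim_svr, self.admin, str(self.serial),
                str(self.refresh), str(self.retry), str(self.expire), str(self.min_ttl)]


def console_defaults(prim_svr: str, admin: str, serial: int) -> Soa:
    """SOA built from the console defaults this topic quotes (15 min refresh,
    10 min retry, 1 day expire) and dnscmd's standard MinTTL of 3600."""
    return Soa(prim_svr, admin, serial,
               to_seconds(15, "minutes"), to_seconds(10, "minutes"),
               to_seconds(1, "days"), 3600)


if __name__ == "__main__":
    # Constructed sample values; example.com is a documentation domain.
    soa = console_defaults("ns1.example.com", "hostmaster.example.com", 2024010101)
    print(" ".join(soa.dnscmd_args(".", "example.com")))
```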

To modify security for a directory-integrated zone


1. Open DNS.
2. In the console tree, click the applicable zone.

Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups and Using Run as.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Secure dynamic updates are only supported for zones stored in Active Directory.

The security settings determine who can administer the zone, but do not affect dynamic updates to the zone. To apply security settings for dynamic updates, see Related Topics.

This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Manage resource records



Add a host (A) resource record to a zone
Add a mail exchanger (MX) resource record to a zone
Add an alias (CNAME) resource record to a zone
Add a new domain to a zone
Add a pointer (PTR) resource record to a reverse zone
Add a resource record to a zone
Modify an existing resource record in a zone
Delete a resource record from a zone
View unsupported resource records in a zone
Modify security for a resource record

To add a host (A) resource record to a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone and click New Host.
3. In the Name text box, type the DNS computer name for the new host.
4. In the IP address text box, type the IP address for the new host.
5. As an option, select the Create associated pointer (PTR) record check box to create an additional pointer record in a reverse zone for this host, based on the information you entered in Name and IP address.
6. Click Add Host to add the new host record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress

Value: Description
dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
A: Required. Specifies the resource record type of the record you are adding.
IPAddress: Required. The IP address for the host.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a mail exchanger (MX) resource record to a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone and click New Mail Exchanger.
3. In the Host or domain text box, type the domain name for which this record is to be used to deliver mail.
4. In the Mail server text box, type the DNS host computer name of the mail exchanger or mail server host that delivers mail for the specified domain name. As an option, you can click Browse to view the DNS namespace for mail exchanger hosts in this domain that have host (A) records already defined.
5. Adjust the Mail server priority as needed for this zone.
6. Click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] MX Preference MXServerName

Value: Description
dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live setting for the resource record.
MX: Required. Specifies the MX resource record type for the record you are adding.
Preference: Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail exchange servers. Lower numbers are given greater preference.
MXServerName: Required. Specifies the fully qualified domain name (FQDN) for a mail exchanger. The value entered here must resolve to a corresponding host (A) resource record in this zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To add an alias (CNAME) resource record to a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Alias.
3. In the Alias name text box, type the alias name.
4. In the Fully qualified domain name (FQDN) for target host text box, type the fully qualified domain name of the DNS host computer for which this alias is to be used. As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.
5. Click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME HostName|DomainName

Value: Description
dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Specifies the command to add a new resource record.
ZoneName: Required. Specifies the name of the zone where this CNAME resource record will be added.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
CNAME: Required. Specifies the resource record type of the record you are adding.
HostName|DomainName: Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully qualify the name.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To add a new domain to a zone


1. Open DNS.
2. In the console tree, click the applicable zone.

Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click New Domain, and then type the name of the new domain without using periods.
4. Click OK to add the new domain to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To add a pointer (PTR) resource record to a reverse zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable reverse lookup zone.
3. On the Action menu, click New Pointer.
4. In the Host IP number text box, type the host IP address octet number.
5. In the Host name text box, type the fully qualified domain name for the DNS host computer for which this pointer record is to be used to provide reverse lookup (address-to-name resolution). As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.
6. Click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

When creating a new A resource record, there is an option to create an associated PTR resource record automatically. PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR HostName|DomainName

Value: Description
dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live setting for the resource record.
PTR: Required. Specifies the resource record type.
HostName|DomainName: Required. Specifies the FQDN of a resource record located in the DNS namespace. The host you specify is used as the data for answering reverse lookups based on the address information specified by this pointer (PTR) resource record.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a resource record to a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Other New Records.
3. In the Select a resource record type list box, select the type of resource record you want to add.
4. Click Create Record.
5. In New Resource Record, enter the information needed to complete the resource record.
6. After you specify all of the necessary information for the resource record, click OK to add the new record to the zone.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value: Description
dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live setting for the resource record.
RRType RRData: Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. For information about each resource record type, see the Resource records reference.

Resource record type: Resource record data
A: IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV: Priority Weight Port HostName
SOA: PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS: Protocol IPAddress Service...
WINS: MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR: MapFlag LookupTimeout CacheTimeout RstDomainName

Value: Description
IPAddress: Specifies a standard IP address. For example, 255.255.255.255.
ipv6Address: Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol: Specifies the transmission protocol: UDP or TCP.
Service: Specifies a standard service. For example, domain, smtp.
HostName|DomainName: Specifies the FQDN of a resource record located in the DNS namespace.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
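The /RecordAdd syntax and the resource record type table above, turned into a small Python builder as an added example (not code from this help topic or from dnscmd itself). It assembles the argument vector for the fixed-length types in that table and checks the constraints the topic states in prose: MX Preference between 0 and 65535, a trailing period to fully qualify a name, and /OpenAcl opening the record to modification by any user, which the builder refuses unless explicitly confirmed. IP address validation uses Python's ipaddress module.

```python
"""Assemble and check a dnscmd /RecordAdd command from the resource record
type table in this topic.

Added example; not code from the original help topic or from dnscmd. It
encodes the table's per-type RRData fields and the constraints the topic
states in prose: MX Preference is 0 through 65535, a trailing period fully
qualifies a name, and /OpenAcl makes the record modifiable by any user, so
it is refused unless the caller confirms it. Types with variable-length data
(TXT, WKS, WINS, WINSR and friends) are not modelled.
"""
import ipaddress
from typing import List, Optional

# RRType -> RRData field names, copied from the table in this topic.
RR_FIELDS = {
    "A": ["IPAddress"],
    "AAAA": ["Ipv6Address"],
    "SRV": ["Priority", "Weight", "Port", "HostName"],
    "SOA": ["PrimSvr", "Admin", "Serial#", "Refresh", "Retry", "Expire", "MinTTL"],
    "MINFO": ["MailboxName", "ErrMailboxName"],
    "RP": ["MailboxName", "ErrMailboxName"],
}
for _type in ("NS", "CNAME", "MB", "MD", "PTR", "MF", "MG", "MR"):
    RR_FIELDS[_type] = ["HostName|DomainName"]
for _type in ("MX", "RT", "AFSDB"):
    RR_FIELDS[_type] = ["Preference", "ServerName"]

# Fields that name another host and therefore should carry a trailing period.
NAME_FIELDS = {"HostName|DomainName", "ServerName", "HostName", "PrimSvr"}
# Fields that are 16-bit unsigned numbers.
UINT16_FIELDS = {"Preference", "Priority", "Weight", "Port"}


def check_rrdata(rrtype: str, rrdata: List[str]) -> List[str]:
    """Return the problems found in rrdata for rrtype; empty means acceptable."""
    fields = RR_FIELDS.get(rrtype)
    if fields is None:
        return [f"{rrtype}: not a type this table covers"]
    if len(rrdata) != len(fields):
        return [f"{rrtype} needs {len(fields)} value(s) ({' '.join(fields)}), got {len(rrdata)}"]
    problems = []
    for field, value in zip(fields, rrdata):
        if field == "IPAddress":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"IPAddress {value!r} is not a valid IPv4 address")
        elif field == "Ipv6Address":
            try:
                ipaddress.IPv6Address(value)
            except ValueError:
                problems.append(f"Ipv6Address {value!r} is not a valid IPv6 address")
        elif field in UINT16_FIELDS:
            if not (value.isdigit() and 0 <= int(value) <= 65535):
                problems.append(f"{field} must be a number between 0 and 65535, got {value!r}")
        elif field in NAME_FIELDS and not value.endswith("."):
            problems.append(f"{field} {value!r} lacks the trailing period that fully qualifies a name")
    return problems


def build_record_add(server: str, zone: str, node: str, rrtype: str, rrdata: List[str],
                     ttl: Optional[int] = None, aging: bool = False,
                     open_acl: bool = False, confirm_open_acl: bool = False) -> List[str]:
    """Return the dnscmd argument vector, or raise ValueError listing every problem.

    The vector follows the syntax line in this topic:
    dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData
    """
    problems = check_rrdata(rrtype, rrdata)
    if open_acl and not confirm_open_acl:
        problems.append("/OpenAcl lets any user modify the record; pass confirm_open_acl=True "
                        "only if that is intended")
    if ttl is not None and ttl < 0:
        problems.append("Ttl must not be negative")
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["dnscmd", server, "/RecordAdd", zone, node]
    if aging:
        argv.append("/Aging")
    if open_acl:
        argv.append("/OpenAcl")
    if ttl is not None:
        argv.append(str(ttl))
    return argv + [rrtype] + list(rrdata)


if __name__ == "__main__":
    # Constructed sample values; example.com is a documentation domain.
    print(" ".join(build_record_add(".", "example.com", "@", "MX",
                                    ["10", "mail.example.com."], ttl=3600)))
```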


To modify an existing resource record in a zone



Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record you want to modify, and then click Properties.
4. In Properties, edit the properties that can be modified. If necessary, you can view and modify advanced resource record properties for the DNS console. To display advanced properties, on the View menu, click Advanced.
5. Click OK when you have finished modifying the record.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

When Advanced view options are enabled, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL).

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value: Description
dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
RRType RRData: Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. For information about each resource record type, see the Resource records reference.

Resource record type: Resource record data
A: IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV: Priority Weight Port HostName
SOA: PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS: Protocol IPAddress Service...
WINS: MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR: MapFlag LookupTimeout CacheTimeout RstDomainName

Value

Description

IPAddress ipv6Address Protocol Service HostName| DomainName Notes

Specifies a standard IP address. For example, 255.255.255.255. Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8. Specifies the transmission protocol: UDP or TCP. Specifies a standard service. For example, domain, smtp. Specifies the FQDN of a resource record located in the DNS namespace.

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To delete a resource record from a zone


Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record you want to delete, and then click Delete.
4. When you are asked to confirm that you want to delete the selected resource record, click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. PTR resource records are deleted automatically if the corresponding A resource record is deleted.

Using a command line

1. Open Command Prompt.
2. Type:

dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

Value / Description

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordDelete: Required. Deletes a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
RRType RRData: Required. Specifies the type of resource record (RR) to delete, followed by the data contained in the resource record. For information about each resource record type see the Resource records reference.

Resource record type / Resource record data

A: IPAddress
NS, CNAME, MB, MD, PTR, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV: Priority Weight Port HostName
SOA: PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS: Protocol IPAddress Service...
WINS: MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR: MapFlag LookupTimeout CacheTimeout RstDomainName

Value / Description

IPAddress: Specifies a standard IP address. For example, 255.255.255.255.
ipv6Address: Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol: Specifies the transmission protocol: UDP or TCP.
Service: Specifies a standard service. For example, domain, smtp.
HostName|DomainName: Specifies the FQDN of a resource record located in the DNS namespace.
/f: Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.

Important

If the parameter RRData is not specified, all resource records of the same type are deleted.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordDelete /help

If the variable RRData is not specified, all resource record types matching the previous criteria are deleted. PTR resource records are deleted automatically if the corresponding A resource record is deleted.
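The RRData shapes in the tables above, together with the Important note that an omitted RRData deletes every record of that type at the node, lend themselves to a small checking script. The following Python is an added example, not part of this Help and not Dnscmd's own code: it assembles the dnscmd /RecordAdd and /RecordDelete argument lists, checks the RRData value count and address syntax against the table, and refuses a type-wide delete unless the caller asks for it explicitly. The function names, the server name dns1.example.microsoft.com and the addresses are constructed for the example.

```python
"""Build and sanity-check dnscmd /RecordAdd and /RecordDelete argument lists.
Added example; the shapes below are transcribed from the Help tables."""
import ipaddress

# (min, max) number of RRData values per record type; max None = "one or more".
RRDATA_SHAPE = {
    "A": (1, 1),
    **{t: (1, 1) for t in ("NS", "CNAME", "MB", "MD", "PTR", "MF", "MG", "MR")},
    **{t: (2, 2) for t in ("MX", "RT", "AFSDB")},
    "SRV": (4, 4),
    "SOA": (7, 7),
    "AAAA": (1, 1),
    **{t: (1, 2) for t in ("TXT", "X25", "HINFO", "ISDN")},
    **{t: (2, 2) for t in ("MINFO", "RP")},
    "WKS": (3, None),
    "WINS": (4, None),
    "WINSR": (4, 4),
}


class DnscmdError(ValueError):
    """Raised when the requested command would be malformed or unexpectedly broad."""


def _check_rrdata(rrtype, rrdata):
    """Validate RRData against the table; return the normalised RRType."""
    rrtype = rrtype.upper()
    if rrtype not in RRDATA_SHAPE:
        raise DnscmdError(f"unknown resource record type {rrtype!r}")
    lo, hi = RRDATA_SHAPE[rrtype]
    expected = f"{lo} or more" if hi is None else (str(lo) if lo == hi else f"{lo} to {hi}")
    if len(rrdata) < lo or (hi is not None and len(rrdata) > hi):
        raise DnscmdError(f"{rrtype} RRData takes {expected} value(s), got {len(rrdata)}")
    if rrtype == "A":
        ipaddress.IPv4Address(rrdata[0])        # AddressValueError (a ValueError) if malformed
    elif rrtype == "AAAA":
        ipaddress.IPv6Address(rrdata[0])
    elif rrtype == "WKS" and rrdata[0].upper() not in ("UDP", "TCP"):
        raise DnscmdError("WKS Protocol must be UDP or TCP")
    return rrtype


def record_add(server, zone, node, rrtype, rrdata, ttl=None, aging=False, open_acl=False):
    """dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData"""
    rrtype = _check_rrdata(rrtype, rrdata)
    argv = ["dnscmd", server, "/RecordAdd", zone, node]
    if aging:
        argv.append("/Aging")
    if open_acl:
        argv.append("/OpenAcl")
    if ttl is not None:
        argv.append(str(int(ttl)))
    return argv + [rrtype] + list(rrdata)


def record_delete(server, zone, node, rrtype, rrdata=None, force=False,
                  allow_delete_all_of_type=False):
    """dnscmd ServerName /RecordDelete ZoneName NodeName RRType [RRData] [/f]

    Without RRData dnscmd deletes every record of that type at the node, so the
    caller has to opt in to that with allow_delete_all_of_type=True."""
    rrtype = rrtype.upper()
    if rrtype not in RRDATA_SHAPE:
        raise DnscmdError(f"unknown resource record type {rrtype!r}")
    if not rrdata:
        if not allow_delete_all_of_type:
            raise DnscmdError(f"no RRData given: this would delete all {rrtype} records "
                              f"at {node}; pass allow_delete_all_of_type=True to confirm")
        argv = ["dnscmd", server, "/RecordDelete", zone, node, rrtype]
    else:
        _check_rrdata(rrtype, rrdata)
        argv = ["dnscmd", server, "/RecordDelete", zone, node, rrtype] + list(rrdata)
    if force:
        argv.append("/f")
    return argv


if __name__ == "__main__":
    print(" ".join(record_add("dns1.example.microsoft.com", "example.microsoft.com",
                              "host-a", "A", ["10.1.1.5"], ttl=3600)))
    print(" ".join(record_delete(".", "example.microsoft.com", "host-a", "A",
                                 ["10.1.1.5"], force=True)))
```

The script only assembles and checks the argument list; hand the returned list to subprocess.run on a computer with the Dnscmd support tool installed to execute it. Keeping the type-wide delete behind an explicit flag turns the page's Important note into something a batch script cannot trip over by accident.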


To view unsupported resource records in a zone


1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the record you want to view, then click Properties.
4. In Properties, view properties specific to this record.
5. When you have finished viewing the record, click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. The DNS console allows you to view unsupported resource records (RRs) in secondary zones that are obtained from other DNS server implementations, such as DNS servers running versions of BIND. These records are not used by DNS servers running Windows Server 2003 and cannot be managed through the DNS console. These types of records include legacy records, such as mail forwarder (MF) and mail domain (MD) resource records (RRs).

To modify security for a resource record


1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, click the record you want to view.
4. On the Action menu, click Properties.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.

Notes

To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. Secure dynamic updates are only supported or configurable for resource records in zones stored in Active Directory. Security settings applied to resource records only affect dynamic updates. These security settings do not affect who may administer the zone where these resource records are located. For information on the security settings that affect who may administer a zone, see Related Topics. Resource records with the same name share the same resource record security settings. The names of resource records are listed in the Name column of the DNS console. This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Use aging and scavenging


Set aging/scavenging properties for the DNS server
Set aging/scavenging properties for a zone
Enable automatic scavenging of stale resource records
Start immediate scavenging of stale resource records
View when a zone can start scavenging stale records
Reset scavenging and aging properties for a specified resource record

To set aging/scavenging properties for the DNS server


Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. Aging and scavenging properties configured by this procedure act as server defaults that apply only toward Active Directory-integrated zones. For standard primary zones, you must set the appropriate properties at the applicable zone. Once you apply changes for server aging/scavenging settings, the DNS console prompts you to confirm. You then have the option to apply your changes to new Active Directory-integrated zones only. If needed, you can also apply your changes to existing Active Directory-integrated zones. Regardless of whether the Scavenge stale resource records check box is selected as described in step 4, for standard primary zones, this feature is disabled unless manually enabled at the applicable zone.

Using a command line

1. Open Command Prompt.
2. Type:

dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}

Value / Description

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config: Required. Specifies the configuration command.
/ScavengingInterval: Required. Sets the frequency by which the server will perform scavenging for all scavenging-enabled zones.
/DefaultAgingState: Required. Sets the default aging configuration for all zones on the server.
/DefaultNoRefreshInterval: Required. Sets the default No-refresh interval for scavenging-enabled zones.
/DefaultRefreshInterval: Sets the default Refresh interval for scavenging-enabled zones.
Value: For /ScavengingInterval, type a value in hours. The default is 168 (one week). For /DefaultAgingState, type 1 to enable aging for new zones when they are created. Type 0 to disable aging for new zones. For /DefaultNoRefreshInterval, type a value in hours. The default is 168 (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 (one week).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To set aging/scavenging properties for a zone


Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:

dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}

Value / Description

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config: Required. Specifies the configuration command.
ZoneName|..AllZones: Required. Specifies the name of the zone to which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.
/Aging: Required. Enables aging for zones.
/RefreshInterval: Required. Specifies the Refresh interval for a scavenging-enabled zone.
/NoRefreshInterval: Required. Specifies the No-refresh interval for a scavenging-enabled zone.
Value: Required. For /Aging, type 1 to enable aging. Type 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours (one week). For /NoRefreshInterval, type a value in seconds. The standard setting is 3600 (one hour).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To enable automatic scavenging of stale resource records


1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. Select the Enable automatic scavenging of stale records check box.
5. To adjust the Scavenging period, select from the drop-down list an interval in either hours or days, and then type a number in the text box.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To start immediate scavenging of stale resource records


Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Scavenge Stale Resource Records.
3. When asked to confirm that you want to scavenge all stale resource records on the server, click OK.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:

dnscmd ServerName /StartScavenging

Value / Description

dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/StartScavenging: Required. Initiates resource record scavenging.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /StartScavenging /help

To view when a zone can start scavenging stale records


Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. On the View menu, click Advanced.
3. Right-click the applicable zone, then click Properties.
4. On the General tab, click Aging.
5. Under Refresh interval, view when the zone is first eligible to be scavenged for stale resource records.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. The start scavenging date and time stamp are used to determine when zone scavenging starts. For more information, see Related Topics. After the start scavenging date and time stamp are reached, scavenging can occur only if the Scavenge stale resource records check box is selected. If the check box is cleared, scavenging for the zone cannot be performed.

Using a command line

1. Open Command Prompt.
2. Type:

dnscmd ServerName /ZoneInfo ZoneName RefreshInterval

Value / Description

dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneInfo: Required. Displays configuration information.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
RefreshInterval: Required. Specifies the configuration property that displays when the zone is first eligible to be scavenged for stale resource records. The output value is in hours. The default setting is 168 hours (one week).

Notes

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneInfo /help

To reset scavenging and aging properties for a specified resource record


Using the Windows interface
Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.
4. Depending on how the resource record was originally added to the zone, do one of the following:
   o If the record was added dynamically using dynamic update, you can clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the DNS server will always reset this check box so that the dynamically updated record can be deleted.
   o If you added the record statically, you can select the Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process.

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS. This procedure is only necessary for resource records that are dynamically registered. For records that you manually add to a zone, a time stamp value of zero always applies to the record, excluding it from the scavenging process. Scavenging and aging properties for NS and SOA resource records are reset in the properties for the zone, not the properties for the resource record.

Using a command line 1. Open Command Prompt. 2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /ScavengingInterval Value

Value / Description

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config: Required. Specifies the configuration command.
ZoneName|..AllZones: Required. Specifies the fully qualified domain name (FQDN) of the zone. To apply the operation to all zones hosted on the specified DNS server, type ..AllZones.
/ScavengingInterval: Required. Sets the scavenging interval.
Value: Required. The new value for the scavenging interval, specified in hours. The default is 168 (one week).

Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt. This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics. To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
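The No-refresh interval, the Refresh interval, the server's scavenging interval, the zone's start-scavenging time reported by /ZoneInfo RefreshInterval, and the zero time stamp of statically added records described in the procedures above all act on one timeline. The following Python is an added example, not code from this Help or from the DNS Server service; it models that timeline so the effect of the values set with dnscmd /Config can be reasoned about before they are applied. Record names and dates are constructed, and the assumption that the server's scavenging pass fires every scavenging interval from service start is the model's, not the page's.

```python
"""Timeline model of DNS record aging and scavenging (added example, not Microsoft code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AgingPolicy:
    no_refresh: timedelta                  # zone No-refresh interval
    refresh: timedelta                     # zone Refresh interval
    scavenging_interval: timedelta = timedelta(hours=168)   # server /ScavengingInterval default


@dataclass(frozen=True)
class Record:
    name: str
    timestamp: Optional[datetime]          # None models the "time stamp value of zero" of a static record


def on_dynamic_update(record: Record, now: datetime, policy: AgingPolicy) -> Record:
    """A dynamic update inside the No-refresh window leaves the time stamp alone
    (no write, no replication); after that window the stamp is refreshed to 'now'."""
    if record.timestamp is None:                       # static record: excluded from aging
        return record
    if now < record.timestamp + policy.no_refresh:     # still inside the No-refresh window
        return record
    return Record(record.name, now)


def stale_after(record: Record, policy: AgingPolicy) -> Optional[datetime]:
    """A record is stale once its time stamp plus both intervals has passed."""
    if record.timestamp is None:
        return None
    return record.timestamp + policy.no_refresh + policy.refresh


def zone_first_scavenge_at(aging_enabled_at: datetime, policy: AgingPolicy) -> datetime:
    """Enabling aging on a zone sets its start-scavenging time to that moment plus the
    Refresh interval; this is the time the /ZoneInfo RefreshInterval procedure shows."""
    return aging_enabled_at + policy.refresh


def scavenge(records: List[Record], aging_enabled_at: Optional[datetime],
             now: datetime, policy: AgingPolicy) -> Tuple[List[Record], List[Record]]:
    """One scavenging pass at 'now'; returns (kept, deleted). Nothing is deleted while
    zone aging is off (None) or before the zone's start-scavenging time."""
    if aging_enabled_at is None or now < zone_first_scavenge_at(aging_enabled_at, policy):
        return list(records), []
    kept, deleted = [], []
    for rec in records:
        limit = stale_after(rec, policy)
        (deleted if limit is not None and now >= limit else kept).append(rec)
    return kept, deleted


def scavenging_runs(server_started: datetime, until: datetime, policy: AgingPolicy) -> List[datetime]:
    """Times at which the periodic server scavenging pass would run (model assumption:
    one pass every scavenging interval, counted from service start)."""
    runs, t = [], server_started + policy.scavenging_interval
    while t <= until:
        runs.append(t)
        t += policy.scavenging_interval
    return runs


if __name__ == "__main__":
    policy = AgingPolicy(no_refresh=timedelta(days=7), refresh=timedelta(days=7))
    host_a = Record("host-a", datetime(2024, 1, 1))
    print("stale after:", stale_after(host_a, policy))
    print(scavenge([host_a, Record("static", None)], datetime(2023, 12, 1),
                   datetime(2024, 1, 16), policy))
```

The intervals are timedelta values, so the hours (or, for the zone-level /NoRefreshInterval as the table above gives it, seconds) that dnscmd accepts must be converted by the caller. The model makes two practical points visible: a record registered by a client that keeps renewing is never deleted because its stamp moves forward once the No-refresh window ends, and a static record (stamp zero) is never touched no matter how the intervals are set.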

Concepts
This section provides general background information about Domain Name System (DNS) and the DNS Server service, as well as details about supporting software provided for DNS clients running under Microsoft operating systems.

DNS Overview
Understanding DNS
Deploying DNS
Administering DNS
DNS Resources

DNS Overview

Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DNS overview
This section covers:

DNS defined
DNS tools
Server features
Client features
Security information for DNS
New features for DNS

DNS defined
DNS is an abbreviation for Domain Name System, a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address. For example, most users prefer a friendly name such as example.microsoft.com to locate a computer such as a mail or Web server on a network. A friendly name can be easier to learn and remember. However, computers communicate over a network by using numeric addresses. To make the use of network resources easier, name systems such as DNS provide a way to map the user-friendly name for a computer or service to its numeric address. The following figure shows a basic use of DNS, which is finding the IP address of a computer based on its name.

In this example, a client computer queries a DNS server, asking for the IP address of a computer configured to use host-a.example.microsoft.com as its DNS domain name. Because the DNS server is able to answer the query based on its local database, it replies with an answer containing the requested information, which is a host (A) resource record that contains the IP address information for host-a.example.microsoft.com. The example shows a simple DNS query between a single client and DNS server. In practice, DNS queries can be more involved than this and include additional steps not shown here. For more information, see How DNS query works.

Note

For additional background information about other DNS concepts, see Understanding DNS.
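The query and reply just described, as an added example in Python that is not part of this Help: the client builds the wire-format query for host-a.example.microsoft.com (type A, class IN), the "server" answers from its database with one A record, and the client accepts the reply only after checking that the transaction ID and question section match what it sent and that the response code is zero. The reply bytes are constructed in the script rather than received from a real server, and the address 10.1.1.5 and transaction ID 0x1234 are made up for the example.

```python
"""Minimal DNS wire-format query and response (RFC 1035 layout). Added example;
the response is constructed locally, not received from a server."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                     # the name ends where the first pointer ends
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(txid: int, name: str) -> bytes:
    """Client side: standard query, RD=1, one question (name, A, IN)."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, ip: str, ttl: int = 3600) -> bytes:
    """Server side: echo the id and question, then one A record from the local database."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, HEADER.size)
    question = query[HEADER.size:qend + 4]                  # name + qtype + qclass
    answer = (struct.pack("!H", 0xC000 | HEADER.size)       # pointer back to the question name
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer   # QR=1, RD=1, RA=1


def parse_response(query: bytes, response: bytes):
    """Client side: accept the reply only if it matches the query we sent; return [(name, ttl, ip)]."""
    txid, flags, qdcount, ancount, _, _ = HEADER.unpack_from(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    if qdcount != 1 or response[HEADER.size:len(query)] != query[HEADER.size:]:
        raise ValueError("question section does not match the query")
    offset = len(query)                                      # answers start after the echoed question
    answers = []
    for _ in range(ancount):
        rname, offset = decode_name(response, offset)
        rtype, rclass, rttl, rdlen = struct.unpack_from("!HHIH", response, offset)
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((rname, rttl, socket.inet_ntoa(rdata)))
    return answers


if __name__ == "__main__":
    q = build_query(0x1234, "host-a.example.microsoft.com")
    r = build_response(q, "10.1.1.5")
    print(parse_response(q, r))
```

The checks in parse_response are the minimum a resolver performs before trusting an answer: a reply whose transaction ID or question does not match the outstanding query is discarded rather than cached. Real resolvers add more (source port and address checks, and DNSSEC where deployed), but the matching shown here is where that validation starts.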

DNS tools
There are a number of utilities for administering, monitoring, and troubleshooting both DNS servers and clients. These utilities include:

The DNS console, which is part of Administrative Tools.
Command-line utilities, such as Nslookup, which can be used to troubleshoot DNS problems.
Logging features, such as the DNS server log, which can be viewed using the DNS console or Event Viewer. File-based logs can also be used temporarily as an advanced debugging option to log and trace selected service events.
Performance monitoring utilities, such as statistical counters to measure and monitor DNS server activity with System Monitor.
Windows Management Instrumentation (WMI), a standard technology for accessing management information in an enterprise environment.
Platform Software Developer Kit (SDK).

The DNS console


The primary tool that you use to manage DNS servers is the DNS console, which is located in the Administrative Tools folder in the Start menu's Programs folder. The DNS console can be used on its own or as a Microsoft Management Console (MMC) snap-in, further integrating DNS administration into your total network management. The DNS console can only be used after DNS is installed on the server. You can use the DNS console to perform these basic administrative server tasks:

1. Performing initial configuration of a new DNS server.
2. Connecting to and managing a local DNS server on the same computer, or remote DNS servers on other computers.
3. Adding and removing forward and reverse lookup zones as needed.
4. Adding, removing, and updating resource records in zones.
5. Modifying how zones are stored and replicated between servers.
6. Modifying how servers process queries and handle dynamic updates.
7. Modifying security for specific zones or resource records.

In addition, you can also use the DNS console to perform the following tasks:

Perform maintenance on the server. You can start, stop, pause, or resume the server, or manually update server data files.
Monitor the contents of the server cache and, as needed, clear it.
Tune advanced server options.
Configure and perform aging and scavenging of stale resource records stored by the server.

Important

The DNS console can only be used to manage DNS servers running Microsoft Windows and cannot be used to manage other DNS servers, such as BIND.

Notes

The DNS console provides new ways to perform familiar DNS administrative tasks previously performed in Microsoft Windows NT Server 4.0 using DNS Manager. For more information, see New ways to do familiar DNS tasks. To use the DNS console from another non-server computer, such as one running Microsoft Windows XP Professional, you must install the Windows Server 2003 Administration Tools Pack. For information on installing DNS, see Install a DNS server.

Command-line utilities
There are several command-line utilities you can use to manage and troubleshoot DNS servers and clients. The following table describes each of these utilities, which can be run either by typing them at a command prompt or by entering them in batch files for scripted use.

Command / Description

Nslookup: Used to perform query testing of the DNS domain namespace. For more information, see Nslookup.
Dnscmd: A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. For more information, see Server administration using Dnscmd.
Ipconfig: This command is used to view and modify IP configuration details used by the computer. Additional command-line options are included with this utility to provide help in troubleshooting and supporting DNS clients. For more information, see Flush and reset a client resolver cache using the ipconfig command or Renew DNS client registration using the ipconfig command.

Event monitoring utilities



The Windows Server 2003 family includes two options for monitoring DNS servers:

Default logging of DNS server event messages to the DNS server log. DNS server event messages are separated and kept in their own system event log, the DNS server log, which can be viewed using the DNS console or Event Viewer. For more information, see View the DNS server system event log. The DNS server log contains events logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, such as when the server starts but cannot locate initializing data, such as zones or boot information stored in the registry or (in some cases) Active Directory. The event types logged by DNS servers can be changed using the DNS console. For more information, see DNS server log reference. You can use Event Viewer to view and monitor client-related DNS events. These appear in the System log and are written by the DNS Client service at any computers running Windows (all versions). For more information, see Windows interface administrative tool reference A-Z: Event Viewer.

Optional debug options for trace logging to a text file on the DNS server computer. You can also use the DNS console to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file created and used for this feature, Dns.log, is stored in the systemroot\System32\Dns folder.

Performance monitoring utilities


Performance monitoring for DNS servers can be done using additional service-specific counters that measure DNS server performance. These counters are accessible through System Monitor, which is provided in the Performance console. When using System Monitor, you can create charts and graphs of server performance trends over time for any of your DNS servers. These can be further studied and analyzed to determine if additional server tuning is needed.

By measuring and reviewing server metrics over a period of time, it is possible to determine performance benchmarks and decide if further adjustments can be made to optimize the system. For more information, see Monitoring DNS server performance.

Windows Management Instrumentation (WMI)


WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components in an enterprise environment. For more information about Windows Management Instrumentation, see the Microsoft Platform SDK Web site.

Platform Software Developer Kit (SDK)


Computers running a product in the Windows Server 2003 family provide functions that enable application programmers to use DNS, such as programmatically making DNS queries, comparing records, and looking up names. Programmable DNS components are designed for use by C/C++ programmers. Familiarity with networking and with DNS is required. Programmers should be familiar with the IP protocol suite, as well as the DNS protocol and how DNS operates.

Note

For more information about manageability, see Management Strategies and Tools.

Server features
The Domain Name System (DNS) Server service provides the following:

An RFC-compliant DNS server

DNS is an open protocol and is standardized by a set of Request for Comments (RFCs). Microsoft supports and complies with these standard specifications. For more information, see DNS RFCs.

Interoperability with other DNS server implementations

Because the DNS Server service is RFC-compliant and can use standard DNS data file and resource record formats, it can successfully work with most other DNS server implementations, such as those that use the Berkeley Internet Name Domain (BIND) software. For more information, see Interoperability issues.

Support for Active Directory

DNS is required for support of the Active Directory directory service. If you install Active Directory on a server, you can automatically install and configure a DNS server if a DNS server that meets the Active Directory requirements cannot be located. First, in the Active Directory Installation Wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller. Later in the installation process, the wizard tests for the following:

1. Based on its TCP/IP client configuration, it checks whether a preferred DNS server is configured for its use.
2. If a preferred DNS server is available, it queries that server to find the primary authoritative server for the DNS name of the Active Directory domain you specified earlier in the wizard.
3. It then tests whether the authoritative primary server can support and accept dynamic updates as described in the dynamic update protocol (RFC 2136).
4. If, at this point in the process, no DNS server can be located that accepts updates for the DNS domain name you are using with Active Directory, you are offered the option to install the DNS Server service locally.
5. If you choose to install the DNS Server service locally, the IP address of the current preferred DNS server is used to configure a forwarder on the local DNS server. This preserves any existing resolution through an Internet service provider (ISP).

In general, the use of the Windows Server 2003 DNS Server service is strongly recommended for the best possible integration and support of Active Directory and enhanced DNS server features. You can, however, use another type of DNS server to support Active Directory deployment. When using other types of DNS servers, consider additional issues related to DNS interoperability. For more information, see Interoperability issues.

Note

This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Enhancements to DNS zone storage in Active Directory

DNS zones can be stored in the domain or application directory partitions of Active Directory. A partition is a data structure within Active Directory used to distinguish data for different replication purposes. You can specify in which Active Directory partition to store the zone and, consequently, the set of domain controllers between which that zone's data will be replicated. For more information, see DNS zone replication in Active Directory.

Note

This feature is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Conditional forwarders

The DNS Server service extends a standard forwarder configuration with conditional forwarders. A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. For more information, see Understanding forwarders.

Stub zones

DNS supports a new zone type called a stub zone. A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for that zone. You can use a stub zone instead of a secondary zone in situations where replicating all the zone data would be undesirable, such as over a slow network link. Note, however, that this replication efficiency is at the expense of resolution efficiency because the server hosting the stub zone is not authoritative for the zone and so must refer all queries for the zone to other servers. For more information, see Understanding stub zones.
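The following added example (not code from the original page) configures both of the features just described, a conditional forwarder and a stub zone, with dnscmd.exe, the Windows Server 2003 DNS command-line tool, invoked from PowerShell. The server name, the addresses and the corp.example.com child zone are assumptions; widgets.example.com is the name used in the text.

```powershell
# Added example, not code from the original page: create a conditional forwarder
# and a stub zone with dnscmd.exe (the Windows Server 2003 DNS command-line tool).
# The server name and the addresses are assumptions; widgets.example.com comes
# from the text, corp.example.com is an assumed child zone.
$dns     = 'dns1.example.com'          # assumed DNS server to configure
$targets = '10.0.1.5', '10.0.1.6'      # assumed servers authoritative for the child zones
                                       # (an array is passed to dnscmd as separate arguments)

# Conditional forwarder: every query for a name ending in widgets.example.com is
# forwarded to $targets instead of being resolved through the server's root hints.
dnscmd $dns /ZoneAdd widgets.example.com /Forwarder $targets

# Stub zone: the server loads only the SOA, NS and glue A records of
# corp.example.com from $targets, keeps them refreshed from the masters, and
# refers (does not answer authoritatively) queries for the zone to those servers.
dnscmd $dns /ZoneAdd corp.example.com /Stub $targets

# Check what was created and which master servers each zone points to.
dnscmd $dns /ZoneInfo widgets.example.com
dnscmd $dns /ZoneInfo corp.example.com
dnscmd $dns /EnumZones
```

The practical difference: a conditional forwarder is a static list of addresses that you must update by hand, while a stub zone learns the current NS set from the masters at each refresh, so it keeps working when the authoritative servers of the child zone change. Either way the master addresses are trusted input; the same addresses should appear in the firewall rules that allow DNS traffic out of the server.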

Enhanced DNS security features

DNS provides enhanced security administration for the DNS Server service, the DNS Client service, and DNS data. For more information, see Security information for DNS.

Integration with other Microsoft networking services

The DNS Server service offers integration with other services and contains features beyond those specified in the RFCs. These include integration with Active Directory, WINS, and DHCP services. For more information, see Active Directory integration; WINS lookup integration; Dynamic update.

Improved ease of administration

The DNS console offers an improved graphical user interface for managing the DNS Server service. Also, there are several configuration wizards for performing common server administration tasks. In addition to the DNS console, other tools are provided to help you better manage and support DNS servers and clients on your network. For more information, see DNS tools.

RFC-compliant dynamic update protocol support

The DNS Server service allows clients to dynamically update resource records, based on the dynamic update protocol (RFC 2136). This improves DNS administration by reducing the time needed to manually manage these records. Computers running the DNS Client service can dynamically register their DNS names and IP addresses. For more information, see Dynamic update.

Support for incremental zone transfer between servers

Zone transfers are used between DNS servers to replicate information about a portion of the DNS namespace. Incremental zone transfer is used to replicate only the changed portions of a zone, conserving network bandwidth. For more information, see Understanding zones and zone transfer.

Support for new resource record types

The DNS Server service includes support for several new resource record (RR) types. These types, which include the service location (SRV) and ATM address (ATMA) RRs, expand the possibilities for using DNS as a names database service.

Client features

The Domain Name System (DNS) Client service is used to resolve DNS domain names and implements the following features:

System-wide caching

Resource records (RRs) from query responses are added to the client cache as applications query DNS servers. This information is then cached for a set Time to Live (TTL) and can be used again to answer subsequent queries.

RFC-compliant negative caching support

In addition to caching positive query responses from DNS servers (which contain resource record information in the answered reply), the DNS Client service also caches negative query responses. A negative response results when a resource record for the queried name does not exist. Negative caching prevents the repeating of additional queries for names that do not exist, which can adversely affect client system performance. Any query information negatively cached is kept for a shorter period of time than is used for positive query responses; by default, no more than 5 minutes. This avoids continued negative caching of stale information if the records later become available. Negative caching is a new DNS standard specification defined in RFC 2308. For more information, refer to this RFC. For more information on obtaining RFCs, see TCP/IP RFCs.

Avoidance of unresponsive DNS servers

The DNS Client service uses a server search list, ordered by preference. This list includes all preferred and alternate DNS servers configured for each of the active network connections on the system. The list is arranged based on the following criteria:

1. Preferred DNS servers are given first priority.
2. If no preferred DNS servers are available, alternate DNS servers are used.
3. Unresponsive servers are removed temporarily from these lists.

Important

The DHCP Client service initiates dynamic registration for client DNS names. For more information, see Dynamic update or Using DNS servers with DHCP.

Security information for DNS


Domain Name System (DNS) was originally designed as an open protocol and is therefore vulnerable to attackers. Windows Server 2003 DNS has improved the ability to prevent an attack on your DNS infrastructure through the addition of security features. Before considering which of the security features to use, you should be aware of the common threats to DNS security and the level of DNS security in your organization.

DNS security threats


The following are the typical ways in which your DNS infrastructure can be threatened by attackers:

Footprinting is the process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources. An attacker commonly begins an attack by using this DNS data to diagram, or footprint, a network. DNS domain and computer names usually indicate the function or location of a domain or computer in order to help users remember and identify domains and computers more easily. An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.

Denial-of-service attack is when an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. As a DNS server is flooded with queries, its CPU usage will eventually reach its maximum and the DNS Server service will become unavailable. Without a fully operating DNS server on the network, network services that use DNS will become unavailable to network users.

Data modification is an attempt by an attacker (that has footprinted a network using DNS) to use valid IP addresses in IP packets the attacker has created, thereby giving these packets the appearance of coming from a valid IP address in the network. This is commonly called IP spoofing. With a valid IP address (an IP address within the IP address range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.

Redirection is when an attacker is able to redirect queries for DNS names to servers under the control of the attacker. One method of redirection involves the attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers under the control of the attacker. For example, if a query were originally made for example.microsoft.com and a referral answer provided a record for a name outside of the microsoft.com domain, such as malicious-user.com, then the DNS server would use the cached data for malicious-user.com to resolve a query for that name. Redirection can be accomplished whenever an attacker has writable access to DNS data, such as with insecure dynamic updates.
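The following is an added example, not code from the original page, that models the check behind the server's cache pollution prevention setting (the "Secure cache against pollution" option, SecureResponses in dnscmd). It is a simplified model: the assumption made here is that a record from a response is cached only when its owner name is the queried domain or lies below it, and that everything else in the response is discarded. The response shown is constructed for the demonstration, using the names from the paragraph above; the addresses are from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges.

```powershell
# Added example, not code from the original page: a simplified model of the
# "secure cache against pollution" check (dnscmd /Config /SecureResponses 1).
# Assumption for this model: a record is cacheable only when its owner name is
# the domain the query was sent for, or a name below it (its "bailiwick").
# Records for unrelated names are dropped instead of being cached.

function Test-InBailiwick {
    param([string]$OwnerName, [string]$Bailiwick)
    $owner = $OwnerName.TrimEnd('.').ToLowerInvariant()
    $zone  = $Bailiwick.TrimEnd('.').ToLowerInvariant()
    # Exact match, or the owner ends with ".<zone>". The leading dot keeps the
    # comparison label-aligned, so "notmicrosoft.com" is NOT inside "microsoft.com".
    return ($owner -eq $zone) -or $owner.EndsWith(".$zone")
}

function Select-CacheableRecords {
    param([string]$Bailiwick, [object[]]$Records)
    foreach ($rr in $Records) {
        if (Test-InBailiwick -OwnerName $rr.Name -Bailiwick $Bailiwick) {
            $rr                                     # keep: goes into the cache
        } else {
            Write-Warning ("Dropping out-of-bailiwick record {0} {1} {2}" -f $rr.Name, $rr.Type, $rr.Data)
        }
    }
}

# Constructed referral for a query about example.microsoft.com. A server under
# the attacker's control has appended records for names outside microsoft.com,
# hoping the resolver will cache them and use them for later queries.
$bailiwick = 'microsoft.com'
$response = @(
    [pscustomobject]@{ Name = 'microsoft.com.';      Type = 'NS'; Data = 'ns1.microsoft.com.' }
    [pscustomobject]@{ Name = 'ns1.microsoft.com.';  Type = 'A';  Data = '192.0.2.10' }    # constructed glue
    [pscustomobject]@{ Name = 'malicious-user.com.'; Type = 'A';  Data = '203.0.113.66' }  # planted by the attacker
    [pscustomobject]@{ Name = 'notmicrosoft.com.';   Type = 'A';  Data = '203.0.113.67' }  # suffix trick, also planted
)

'Without cache pollution prevention, every record would be cached:'
$response | Format-Table -AutoSize

'With cache pollution prevention, only these survive:'
Select-CacheableRecords -Bailiwick $bailiwick -Records $response | Format-Table -AutoSize
```

Only the NS record and its glue pass the check; the two planted A records are rejected with a warning. On a real Windows Server 2003 DNS server the setting is enabled with `dnscmd /Config /SecureResponses 1` or on the Advanced tab of the server properties in the DNS console, and it does nothing for the second redirection route named above, writable zone data: that has to be closed separately by disallowing nonsecure dynamic update.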

Mitigating DNS security threats


DNS can be configured to mitigate the common DNS security issues discussed above. The following are the five main areas on which to concentrate when determining your DNS security.

DNS namespace: Incorporate DNS security into your DNS namespace design. For more information, see Securing DNS deployment.

DNS Server service: Review the default DNS Server service security settings and apply Active Directory security features when the DNS Server service is running on a domain controller. For more information, see Securing the DNS Server service.

DNS zones: Review the default DNS zone security settings and apply secure dynamic updates and Active Directory security features when the DNS zone is hosted on a domain controller. For more information, see Securing DNS zones.

DNS resource records: Review the default DNS resource record (RR) security settings and apply Active Directory security features when the DNS resource records are hosted on a domain controller. For more information, see Securing DNS resource records.

DNS clients: Control the DNS server IP addresses used by DNS clients. For more information, see Securing DNS clients.

Three levels of DNS security


Page 161 of 165

The following three levels of DNS security will help you understand your current DNS configuration and enable you to increase the DNS security of your organization.

Low-level security

Low-level security is a standard DNS deployment without any security precautions configured. Only deploy this level of DNS security in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity.

The DNS infrastructure of your organization is fully exposed to the Internet.

- Standard DNS resolution is performed by all DNS servers in your network.
- All DNS servers are configured with root hints pointing to the root servers for the Internet.
- All DNS servers permit zone transfers to any server.
- All DNS servers are configured to listen on all of their IP addresses.
- Cache pollution prevention is disabled on all DNS servers.
- Dynamic update is allowed for all DNS zones.
- User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) port 53 are open on the firewall for your network for both source and destination addresses.

Medium-level security

Medium-level security uses the DNS security features available without running DNS servers on domain controllers and storing DNS zones in Active Directory.

The DNS infrastructure of your organization has limited exposure to the Internet.

- All DNS servers are configured to use forwarders that point to a specific list of internal DNS servers when they cannot resolve names locally.
- All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
- DNS servers are configured to listen on specified IP addresses.
- Cache pollution prevention is enabled on all DNS servers.
- Nonsecure dynamic update is not allowed for any DNS zones.
- Internal DNS servers communicate with external DNS servers through the firewall with a limited list of source and destination addresses allowed.
- External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
- All Internet name resolution is performed using proxy servers and gateways.

High-level security

High-level security uses the same configuration as medium-level security and also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required.

The DNS infrastructure of your organization has no Internet communication by internal DNS servers.

- Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
- DNS servers that are configured with forwarders use internal DNS server IP addresses only.
- All DNS servers limit zone transfers to specified IP addresses.
- DNS servers are configured to listen on specified IP addresses.
- Cache pollution prevention is enabled on all DNS servers.
- Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
- All DNS servers are running on domain controllers.
- A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.
- All DNS zones are stored in Active Directory.
- A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
- DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
- Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.
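The following added example (not code from the original page) applies the server-side settings from the medium-level and high-level lists above to a Windows Server 2003 DNS server with dnscmd.exe, run from PowerShell. The server name, addresses and zone name are assumptions; each weak low-level setting is noted in a comment beside the hardened form that replaces it.

```powershell
# Added example, not code from the original page: apply the medium- and
# high-level DNS server settings listed above with dnscmd.exe. Server name,
# addresses and zone name are assumptions for illustration.
$dns      = 'dc1.corp.example.com'      # assumed DNS server (a domain controller for the high level)
$listenIP = '10.0.0.5'                  # assumed interface the server should answer on
$internal = '10.0.0.6', '10.0.0.7'      # assumed internal forwarders / zone-transfer partners
$zone     = 'corp.example.com'          # assumed Active Directory-integrated zone

# Low level: the server listens on all of its IP addresses.
# Hardened: listen only on the chosen address.
dnscmd $dns /ResetListenAddresses $listenIP

# Low level: cache pollution prevention disabled.
# Hardened: discard records in responses that are outside the queried domain.
dnscmd $dns /Config /SecureResponses 1

# Low level: recursion to the Internet through root hints.
# Medium: forward unresolved names to internal servers only. /Slave makes the
# server give up if the forwarders fail instead of falling back to root hints,
# which is what the high level requires (no Internet communication at all).
dnscmd $dns /ResetForwarders $internal /Slave

# Low level: zone transfers to any server.
# Medium: only to servers listed in the zone's NS records ...
dnscmd $dns /ZoneResetSecondaries $zone /SecureNs
# ... High: only to an explicit list of addresses.
dnscmd $dns /ZoneResetSecondaries $zone /SecureList $internal

# Low level: nonsecure dynamic update allowed (AllowUpdate 1).
# Hardened: 2 = secure update only; this value is accepted only for a zone
# stored in Active Directory. 0 turns dynamic update off, which is what the
# high level prescribes for the internal root zone if this server hosts it.
dnscmd $dns /Config $zone /AllowUpdate 2
dnscmd $dns /Config '.' /AllowUpdate 0

# Verify the result before moving on to the next server.
dnscmd $dns /Info /SecureResponses
dnscmd $dns /Info /ListenAddresses
dnscmd $dns /Info /Forwarders
dnscmd $dns /ZoneInfo $zone
```

Two items from the lists are not covered by dnscmd here and are done in the DNS console: the root hints for the internal namespace (Root Hints tab of the server properties, after the internal root zone exists) and the DACLs on the DNS Server service, on Active Directory-integrated zones and on individual resource records (Security tab of the respective properties). Run the script against every DNS server; a single server that still listens on all addresses or still transfers zones to any requester keeps the whole infrastructure at the low level.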

New features for DNS

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following new Domain Name System (DNS) features and feature enhancements are available with the Microsoft Windows Server 2003 family.

Improved domain controller name resolution

In response to DNS name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see How DNS Support for Active Directory Works on the Microsoft Web site.

Conditional forwarders

Forward DNS queries according to the DNS domain name in the query using conditional forwarders. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. For more information, see Using forwarders.

Stub zones

Using stub zones, keep a DNS server hosting a parent zone aware of the authoritative DNS servers for its child zone and, thereby, maintain DNS name resolution efficiency. For more information, see Understanding stub zones.

DNS zone replication in Active Directory

Choose from four default replication options for Active Directory-integrated DNS zone data. For more information, see DNS zone replication in Active Directory.

Enhanced DNS security features

DNS provides greater precision in its security administration for the DNS Server service, the DNS Client service, and DNS data. For more information, see Security information for DNS.

Round robin all resource record (RR) types

By default, the DNS Server service will perform round-robin rotation for all resource record (RR) types. For more information, see Configuring round robin.

Enhanced debug logging

Use the enhanced DNS Server service debug logging settings to troubleshoot DNS problems. For more information, see Using server debug logging options.

DNSSEC

DNS provides basic support of the DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. For more information, see Using DNS Security Extensions (DNSSEC).

EDNS0

Enable DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets larger than 512 octets, the original DNS restriction for UDP packet size (RFC 1035). For more information, see Using Extension Mechanisms for DNS (EDNS0).

Control automatic NS resource record registration on a server and a zone basis
