DNS best practices

Best practices

Enter the correct e-mail address of the responsible person for each zone you add to or manage on a DNS server. This is the responsible-person (RNAME) field of the zone's start of authority (SOA) record, and applications use it to notify DNS administrators for a variety of reasons: query errors, incorrect data returned in a query, and security problems are a few examples. While most Internet e-mail addresses contain the at sign (@) when used in e-mail applications, this symbol must be replaced with a period (.) when entering an e-mail address for this field. For example, instead of "administrator@microsoft.com", you would use "administrator.microsoft.com". Note that a period inside the mailbox name itself (the part before the @) must be escaped with a backslash in this field, otherwise it is read as a label separator: "john.smith@example.com" becomes "john\.smith.example.com".

Be conservative in adding alias records to zones. Avoid using CNAME resource records (RRs) where they are not needed to alias a host name used in a host (A) resource record. Also, ensure that any alias names you use are not used as the owner name of other RRs: DNS does not allow the owner name of a CNAME resource record to also be the owner name of any other type of resource record, such as NS, MX, or TXT resource records.
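The two rules above (how the responsible-person mailbox is written into the SOA record, and that a CNAME owner name may carry no other data) are easy to get wrong by hand. The following is an added example, not code from the original Help or from Microsoft: it converts a mailbox to and from the RNAME encoding, escaping periods in the mailbox name, and lints a small constructed record set for CNAME owner-name conflicts and for aliases that point at an in-zone name with no address record. The zone contents are constructed for illustration; the functions work on any (owner, type, rdata) triples.

```python
"""Zone-hygiene checks for the two best practices above: encoding the
responsible-person mailbox as an SOA RNAME, and keeping CNAME owner names
unique.  Added example, not part of the original Help text; the record
set below is constructed for illustration."""
import re
from collections import defaultdict


def mailbox_to_rname(mailbox: str) -> str:
    """Encode an e-mail address as the SOA RNAME field (as an FQDN).

    The '@' becomes a label separator, and a '.' in the local part must be
    escaped with a backslash (RFC 1035 master-file syntax); without the
    escape, john.smith@example.com would read back as mailbox 'john' in
    the domain smith.example.com.
    """
    local, at, domain = mailbox.partition("@")
    if not (local and at and domain):
        raise ValueError(f"not a mailbox: {mailbox!r}")
    escaped_local = local.replace(".", "\\.")
    return f"{escaped_local}.{domain.rstrip('.')}."


def rname_to_mailbox(rname: str) -> str:
    """Inverse of mailbox_to_rname: the first unescaped '.' ends the local part."""
    local, domain = re.split(r"(?<!\\)\.", rname, maxsplit=1)
    unescaped_local = local.replace("\\.", ".")
    return f"{unescaped_local}@{domain.rstrip('.')}"


def _norm(name: str) -> str:
    """Lower-case, with exactly one trailing dot, so names compare equal."""
    return name.lower().rstrip(".") + "."


def cname_conflicts(records):
    """Owner names that own a CNAME plus any other record type.

    records: iterable of (owner, rrtype, rdata).  RFC 1034 section 3.6.2
    forbids other data at a CNAME owner name; servers reject or mishandle
    zones that break this.
    """
    types_by_owner = defaultdict(set)
    for owner, rrtype, _ in records:
        types_by_owner[_norm(owner)].add(rrtype.upper())
    return sorted(o for o, t in types_by_owner.items()
                  if "CNAME" in t and len(t) > 1)


def dangling_aliases(records, zone):
    """CNAMEs whose target lies inside `zone` but has no A/AAAA record.

    This is the 'alias a host name used in a host (A) record' rule: an
    alias that points at a name with no address data resolves to nothing.
    """
    zone = _norm(zone)
    hosts = {_norm(o) for o, t, _ in records if t.upper() in ("A", "AAAA")}
    out = []
    for owner, rrtype, rdata in records:
        target = _norm(rdata)
        if rrtype.upper() == "CNAME" and target.endswith(zone) and target not in hosts:
            out.append(_norm(owner))
    return sorted(out)


# Constructed sample zone (not from the page): one clean alias, one alias
# that collides with an MX at the same owner name, and one dangling alias.
SAMPLE_RECORDS = [
    ("example.com.", "SOA", "dc1.example.com. administrator.example.com. 1 3600 600 86400 3600"),
    ("example.com.", "NS", "dc1.example.com."),
    ("dc1.example.com.", "A", "10.0.0.14"),
    ("web1.example.com.", "A", "10.0.0.20"),
    ("www.example.com.", "CNAME", "web1.example.com."),
    ("mail.example.com.", "CNAME", "web1.example.com."),
    ("mail.example.com.", "MX", "10 web1.example.com."),
    ("ftp.example.com.", "CNAME", "files.example.com."),
]

if __name__ == "__main__":
    print(mailbox_to_rname("john.smith@example.com"))
    print("CNAME conflicts:", cname_conflicts(SAMPLE_RECORDS))
    print("dangling aliases:", dangling_aliases(SAMPLE_RECORDS, "example.com"))
```

Run against a real zone, feed the triples from a zone file export; the RNAME helper always emits a fully qualified name with a trailing period, which the Help example above omits because the DNS console appends the zone origin for you.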

When designing your DNS network, use standard guidelines and, wherever possible, follow preferred practices for managing your DNS infrastructure. DNS was designed to provide a level of fault tolerance for resolving names, but only if each zone is actually served redundantly. If possible, you should have at least two name servers hosting each zone, preferably on separate network segments so that a single outage does not take both offline.

If you are using Active Directory, use directory-integrated storage for your DNS zones for increased security, fault tolerance, and simplified deployment and management. By integrating zones, you can simplify network planning. For example, domain controllers for each of your Active Directory domains correspond in a direct one-to-one mapping to DNS servers. This can simplify planning and troubleshooting DNS and Active Directory replication problems because the same server computers are used in both topologies. If you are using directory-integrated storage for your zones, you may select from the different replication scopes that replicate your DNS zone data throughout the directory. If your DNS infrastructure must support Windows 2000 DNS servers, you will use the directory-integrated storage method that replicates DNS zone data to all domain controllers in a domain. If your DNS infrastructure is composed of DNS servers running Windows Server 2003 only, you may also select from replication scopes that replicate your DNS zone data to all DNS servers in the Active Directory forest, all DNS servers in a specified Active Directory domain, or all domain controllers specified in a custom replication scope. Any DNS server hosting a directory-integrated zone is a primary DNS server for that zone. This enables a multimaster model where multiple DNS servers may update the same zone data. A multimaster model eliminates the single point of failure associated with a conventional single-master DNS topology, where updates may only be done to a single DNS server for a given zone. One of the important benefits of directory integration is the support for secure dynamic update of the names within a zone. For more information, see Dynamic update.

Page 1 of 165

Consider the use of secondary zones to assist in off-loading DNS query traffic wherever it makes sense. Secondary servers can be used as backups for DNS clients. This allows you to use secondary servers as a means to load balance DNS query traffic on your network and reserve your DNS-enabled primary servers for use only by those clients that need them to perform dynamic registration and updates of their A and PTR RRs.

If you are planning a large DNS design, such as for a large Internet service provider (ISP) that supports the use of DNS, review the following Request for Comments (RFC) documents published by the Internet Engineering Task Force (IETF).

RFC    Title
1912   Common DNS Operational and Configuration Errors
2182   Selection and Operation of Secondary DNS Servers
2219   Use of DNS Aliases for Network Services

You can obtain these RFCs from the RFC Editor Web site. This Web site is currently maintained by members of the Information Sciences Institute (ISI) who publish a classified listing of all RFCs. RFCs are classified as one of the following: approved Internet standards, proposed Internet standards (circulated in draft form for review), Internet best practices, or For Your Information (FYI) documents.

How to...
• Install and Configure Servers
• Install and Configure Clients
• Manage Servers
• Optimize Servers
• Monitor Servers
• Add and Remove Zones
• Configure Zone Properties
• Manage Zones
• Manage Resource Records
• Use Aging and Scavenging

Install and configure servers
• Install a DNS server
• Configure a DNS server for use with Active Directory
• Verify DNS registration for domain controllers using the nslookup command
• Configure a new DNS server
• Modify security for the DNS Server service on a domain controller
• Add a secondary server for an existing zone
• Install a caching-only DNS server
• Restrict a DNS server to listen only on selected addresses
• Configure a DNS server to use forwarders
• Create the default DNS application directory partitions
• Create a DNS application directory partition
• Enlist a DNS server in a DNS application directory partition
• Remove a DNS server from a DNS application directory partition

To install a DNS server

1. Open Windows Components Wizard.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4. If prompted, in Copy files from, type the full path to the distribution files, and then click OK. Required files are copied to your hard disk.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open the Windows Components Wizard, click Start, click Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components.
• Certain Windows components require configuration before they can be used. If you installed one or more of these components but did not configure them, a list of components that need to be configured is displayed when you click Add/Remove Windows Components. To start the Windows Components Wizard, click Components.
• It is recommended that you manually configure the computer to use a static IP address. If the DNS server is configured to use DHCP-assigned dynamic addresses, then when the DHCP server assigns a new IP address to the DNS server, the DNS clients configured to use that DNS server's previous IP address will be unable to reach it at the previous IP address and locate the DNS server.
• After you install a DNS server, you can decide how to administer it and its zones. Although you can use a text editor to make changes to server boot and zone files, this method is not recommended. The DNS console and the DNS command-line tool, dnscmd, simplify maintenance of these files and should be used whenever possible. Once you begin using console-based or command-line management of these files, manually editing them is not recommended.
• For more information, see Related Topics.

• DNS zones stored in Active Directory can be administered using the DNS console or the dnscmd command-line tool only. These zones cannot be administered using a text editor.
• When writing DNS server boot and zone data to text files, DNS servers use the Berkeley Internet Name Domain (BIND) file format recognized by legacy BIND 4 servers, not the more recent BIND 8 format.
• If you uninstall a DNS server hosting standard DNS zones, the zone files will remain in the systemroot\system32\Dns directory, but they will not be reloaded if the DNS server is reinstalled. If you create a new zone with the same name as an old zone, the old zone file is replaced with the new zone file.
• If you uninstall a DNS server hosting Active Directory-integrated zones, these zones will be saved or deleted according to their storage type. For all storage types, the zone data is stored on other domain controllers or DNS servers and will not be deleted unless the DNS server that you uninstall is the last DNS server hosting that zone.
• Information about functional differences: your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

To configure a DNS server for use with Active Directory

• When Active Directory is installed using the Active Directory Installation Wizard, the option to automatically install and configure a local DNS server for use is provided. To install Active Directory on this computer, use the Active Directory Installation Wizard.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. For more information, see Related Topics.

• This procedure only applies to server computers used as domain controllers. If member servers are used as DNS servers, they are not integrated with Active Directory.
• If you choose the Active Directory Installation Wizard option to automatically install and configure a local DNS server, the DNS server is installed on the computer where you are running the wizard, and the computer's preferred DNS server setting is configured to use the new local DNS server. You will also want to configure any other computers that will join this domain to use this DNS server's IP address as their preferred DNS server.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To verify DNS registration for domain controllers using the nslookup command

1. Open Command Prompt.
2. Type: nslookup
3. After the previous command completes, at the nslookup (">") prompt type: set q=rr_type
4. After the previous command completes, type: _ldap._tcp.dc._msdcs.Active_Directory_domain_name
5. Review the output of the previous SRV query and determine if further action is needed based on whether the previous query succeeded or failed:
   o If the query succeeded, review the registered SRV RRs returned in the query to determine if all domain controllers for your Active Directory domain are included and registered using valid IP addresses.
   o If the query failed, continue troubleshooting dynamic update or DNS server related issues to determine the exact cause of the problem.

nslookup
    The name of the command-line program.
set q=rr_type
    The resource record (RR) type to apply as a filter for subsequent lookups. In this example, type: set q=srv, because you want to limit subsequent name queries to filter and return only service location (SRV) RRs that use a specified name.
_ldap._tcp.dc._msdcs.Active_Directory_domain_name
    The query name sent to the server. Looking up this name verifies the service location (SRV) resource records that are registered by domain controllers.
Active_Directory_domain_name
    The DNS name configured for use with your Active Directory domain and any of its associated domain controllers. For example, if the DNS domain name of your Active Directory domain is example.microsoft.com, type: _ldap._tcp.dc._msdcs.example.microsoft.com

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at the nslookup prompt, type: help
• In some cases, when performing the above procedure, you might see several time-outs reported. This happens when reverse lookup is not configured for DNS servers servicing the same DNS domain as your Active Directory domain.
• The following is an example of command-line output for an Nslookup session. In this example, the two domain controllers are dc1 and dc2 and are registered for the "example.microsoft.com" domain.

    C:\>nslookup
    Default Server:  dc1.example.microsoft.com
    Address:  10.0.0.14

    > set type=srv
    > _ldap._tcp.dc._msdcs.example.microsoft.com
    Server:  dc1.example.microsoft.com
    Address:  10.0.0.14

    _ldap._tcp.dc._msdcs.example.microsoft.com   SRV service location:
              priority       = 0
              weight         = 0
              port           = 389
              svr hostname   = dc1.example.microsoft.com
    _ldap._tcp.dc._msdcs.example.microsoft.com   SRV service location:
              priority       = 0
              weight         = 0
              port           = 389
              svr hostname   = dc2.example.microsoft.com
    dc1.example.microsoft.com       internet address = 10.0.0.14
    dc2.example.microsoft.com       internet address = 10.0.0.15

• The nslookup command is a standard command-line tool provided in most DNS service implementations. It offers the ability to perform query testing of DNS servers and obtain detailed responses as the command output. This information is useful in troubleshooting name resolution problems, verifying that resource records (RRs) are added or updated correctly in a zone, and debugging other server-related problems.
• In some cases, you might need to manually add or verify registration of the service location (SRV) resource records used to support Windows Server 2003 domain controllers. To add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation wizard when a server computer is promoted to a domain controller. It can be found at: systemroot\System32\Config\Netlogon.dns
• The resource records used in this file are listed in RFC-compliant text-file format. Verify that resource records used to register services and critical hosts, such as domain controllers, are correctly added to zones. When verifying these records, look for the following records:

    _ldap._tcp.Active_Directory_domain_name IN SRV 0 0 389 ldap_server_name
    _ldap._tcp.dc._msdcs.Active_Directory_domain_name IN SRV 0 0 389 domain_controller_name

• In some cases, you might need to modify the Lightweight Directory Access Protocol (LDAP) server name if you are using a non-domain controller as an LDAP server for your network.
• The Net Logon service on each domain controller registers, as appropriate, a number of different DNS resource records with DNS servers. To learn more about these records and how Net Logon updates DNS, obtain additional technical information on DNS available from the Microsoft Web site.

To configure a new DNS server
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. If needed, add and connect to the applicable server in the console.
3. In the console tree, click the applicable DNS server.
   Where? DNS/Applicable DNS server
4. On the Action menu, click Configure a DNS Server.
5. Follow the instructions in the Configure a DNS Server Wizard.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If the DNS server is running locally, you do not need to perform step 2.
• As a best practice, use the checklist for installing a new DNS server. For more information, see Related Topics.
• When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones. For more information, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config
    Required. Specifies the configuration command.
{ZoneName|..AllZones}
    Required. Specifies the name of the zone to be configured. To apply the configuration for all zones hosted by the specified DNS server, type ..AllZones.
Property
    Required. Specifies the server property or zone property to be configured. There are different properties available for servers and zones. For a list of the available properties, type: dnscmd /Config /help
{1|0}
    Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone properties must be reset as part of a more complex operation.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

• As a best practice, use the checklist for installing a new DNS server provided in the online Help.
• When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones. For more information, see Related Topics.

To modify security for the DNS Server service on a domain controller
1. Open DNS.
2. In the console tree, right-click the applicable server, and then click Properties.
3. On the Security tab, modify the list of member users or groups that are allowed to administer the applicable server.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Active Directory access control lists (ACLs) are only supported for the DNS Server service when it is running on a domain controller. The security settings determine who can administer the server, but do not affect the ACLs for the zones and resource records hosted on the server. To apply security settings for DNS zones and resource records, see Related Topics.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To add a secondary server for an existing zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/Applicable DNS server
3. On the Action menu, click New Zone.
4. Follow the instructions in the New Zone Wizard. When adding the zone, select Secondary zone as the zone type.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If the DNS server is running locally, you do not need to perform step 2.
• In order to add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneAdd ZoneName /Secondary MasterIPaddress... [/file FileName]

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd
    Required. Adds a zone.
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the secondary zone you are adding. The zone name must be the same as the primary zone from which the secondary zone is created.
/Secondary
    Required. Adds a secondary zone type.
MasterIPaddress...
    Required. Specifies one or more IP addresses for the master servers of the secondary zone, from which it copies zone data.
/file
    Specifies the command to use a file.
FileName
    Specifies the name of the file to use for creating the secondary zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help
• To add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.

To install a caching-only DNS server
1. To install a caching-only DNS server, install a DNS server on the server computer.
2. Do not configure the DNS server (as you might normally) to load any zones.
3. Verify that the server root hints are configured or updated correctly.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• It is strongly recommended that, when operating the computer as a DNS server, you manually configure TCP/IP and use a static IP address.
• Caching-only DNS servers do not host any zones and are not authoritative for a particular domain. They are DNS servers that build a local server cache of names learned while performing recursive queries on behalf of their clients. This information is then available from the cache when answering subsequent client queries.
• A caching-only DNS server can be valuable at a site where DNS functionality is needed locally but it is not administratively desirable to create a separate domain or zone for that location.

To restrict a DNS server to listen only on selected addresses
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/Applicable DNS server
3. On the Action menu, click Properties.
4. On the Interfaces tab, click Only the following IP addresses.
5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.
6. As needed, repeat the previous step to specify other server IP addresses to be enabled for use by this DNS server. If you need to remove an IP address from the list, click it and then click Remove.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.
• Restricting the DNS Server service to listen only on specific IP addresses is a useful security measure on a multihomed server: the service then accepts DNS traffic only on the interfaces you choose, for example an internal interface but not an Internet-facing one. The restriction controls which local addresses answer, not which remote hosts may ask, so combine it with packet filtering on the interfaces that remain enabled.
• Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.
• After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ResetListenAddresses [ListenAddress ...]

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ResetListenAddresses
    Required. Resets the IP addresses of the interfaces on which the DNS server listens.
ListenAddress...
    Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd ServerName /ResetListenAddresses /help
• Restricting the DNS Server service to listen only on specific IP addresses is a useful security measure on a multihomed server: the service then accepts DNS traffic only on the interfaces you choose. It does not by itself limit which remote hosts can query those interfaces.
• Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.
• After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

To configure a DNS server to use forwarders
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server.
   Where? DNS/Applicable DNS server
3. On the Action menu, click Properties.
4. On the Forwarders tab, click Edit.
5. Type the IP address or fully qualified domain name (FQDN) of a forwarder, and then click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the DNS server will wait 5 seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds before forward queries time out, you can change the number of seconds the DNS server will wait.
• When the server has exhausted all forwarders, it will attempt standard recursion. If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the Do not use recursion for this domain check box.
• You can disable recursion for the DNS server so that it will not perform recursion on any query. If you disable recursion on the DNS server, you will not be able to use forwarders on the same server. For more information about disabling recursion on the DNS server, see Related Links.
• Do not enter a forwarder's IP address more than once in a DNS server's forwarders list because it is a more reliable or geographically closer server. If one of the forwarders is preferred, that forwarder should be ordered first in the series of forwarder IP addresses.
• Problems associated with forwarders often result from inefficient configurations and overuse.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneAdd ZoneName /Forwarder MasterIPaddress... [/TimeOut Time] [/Slave]

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd
    Required. Adds a zone.

Specifies the timeout setting. Required. at a command prompt. you must be a member of the Administrators group on the local computer. To view the complete syntax for this command. members of the Domain Admins group might be able to perform this procedure. Notes • To perform this procedure. and then click Command prompt. To open a command prompt. For information about installing Windows support tools. You may specify a list of space-separated IP addresses. use the following command: dnscmdServerName/ZoneInfoZoneName • To reset the forwarder IP addresses for a conditional forwarder domain name... or you must have been delegated the appropriate authority. When configuring forwarders on DNS servers running on Active Directory domain controllers. consider using Run as to perform this procedure. This procedure requires the Dnscmd Windows support tool. and the ServerIPs parameter is the list of one or more IP addresses of master servers for the zone. /DsForwarder will replicate the forwarder setting to all DNS servers running on domain controllers in an Active Directory domain. Determines whether or not the DNS server uses recursion /Slave when querying for the domain name specified by ZoneName. The timeout setting is the /TimeOut number of seconds before unsuccessful forward queries time out. Specifies the command to configure a forwarder. click Start. Specifies the FQDN of the zone. If the computer is joined to a domain. see Related Links. Master servers may Page 18 of 165 . point to All programs. Required. type: dnscmd/ZoneAdd/help • • • • To view a zone added for use as only a conditional forwarder. The value Time is in seconds. Specifies the value for the /TimeOut parameter. Specifies a space-separated list of one or more IP MasterIPaddre addresses of the DNS servers where queries for ZoneName ss.ZoneName Required. point to Accessories. you must use /Forwarder /DsForwarder in place of /Forwarder. As a security best practice. 
type: dnscmdServerName/ZoneResetMastersZoneName [/Local] [ServerIPs] The /Local parameter sets the local master list for Active Directory– integrated forwarders. The default timeout is 5 seconds. are forwarded.

Problems associated with forwarders often result from inefficient configurations and overuse. type: dnscmdServerName/ResetForwarders [IPAddress . For example. The /Timeout and Time parameters are described in the table above. 2. Follow the instructions to create the DNS application directory partitions. o o Where? DNS/applicable DNS server 3.. you cannot configure that DNS server with a conditional forwarder for example. Open DNS. Such a configuration would make the forwardering path cyclical. Page 19 of 165 .microsoft. • To create the default DNS application directory partitions Using the Windows interface Using a command line Using the Windows interface 1. The /Slave parameter sets the DNS server as a subordinate server. 4. nonconditional forwarder for a DNS server.] [ /[No]Slave ] [/TimeOut Time] The parameter IPAddress is the IP address where the DNS server will forward unsolvable DNS queries.com. right-click the applicable DNS server. only members of the Enterprise Admins group can create a DNS application directory partition. • To reset the standard. or stub zone for that domain name. if a DNS server is authoritative for the domain name example.. In the console tree.com (hosts the primary zone for that domain name). The /NoSlave parameter (default setting) sets the DNS server as a nonsubordinate server.microsoft. Notes • By default. secondary. Click Create Default Application Directory Partitions. meaning that it will perform recursion. • You cannot use a domain name in a conditional forwarder if the DNS server hosts a primary.include DNS servers that host primary or secondary copies of the zone. but they should not include DNS server IP addresses in such a way that two DNS servers hosting copies of a zone use each other as master servers.
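The two forwarding rules above (no conditional forwarder for a domain the server itself hosts a zone for, and no forwarder or master lists that make the forwarding path cyclical) can be checked before a change is applied. The following Python script is an added example, not part of the original procedure or of Dnscmd; the server addresses, zones and forwarder lists in SERVERS are constructed.

```python
"""Forwarding-path check for the rules described in the forwarder notes.
Constructed example: the topology below is made up for illustration."""

# Constructed topology, keyed by server IP. "zones" are the domains the server
# hosts a primary, secondary or stub zone for; "conditional" maps a conditional
# forwarder domain to the master IPs it forwards to (dnscmd /ZoneAdd ... /Forwarder);
# "forwarders" is the standard, nonconditional list (dnscmd /ResetForwarders).
SERVERS = {
    "10.0.0.1": {"zones": {"example.microsoft.com"},
                 "conditional": {"corp.example.com": ["10.0.0.2"]},
                 "forwarders": ["10.0.0.3"]},
    "10.0.0.2": {"zones": set(),
                 "conditional": {"corp.example.com": ["10.0.0.1"]},  # points back: cycle
                 "forwarders": []},
    "10.0.0.3": {"zones": set(),
                 "conditional": {},
                 "forwarders": []},                                  # recurses itself
    "10.0.0.4": {"zones": {"partner.example.net"},
                 "conditional": {"partner.example.net": ["10.0.0.1"]},  # hosts the zone it forwards
                 "forwarders": []},
}


def in_domain(name, domain):
    """True if `name` is `domain` or lies beneath it (label-aligned, case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def longest_match(name, domains):
    """Most specific configured domain that contains `name`, or None."""
    hits = [d for d in domains if in_domain(name, d)]
    return max(hits, key=len) if hits else None


def conflicting_conditional_forwarders(servers):
    """Rule from the page: a conditional forwarder domain may not be one the
    server hosts a primary, secondary or stub zone for. Returns (ip, domain) pairs."""
    bad = []
    for ip, cfg in servers.items():
        for domain in cfg["conditional"]:
            if longest_match(domain, cfg["zones"]) is not None:
                bad.append((ip, domain))
    return bad


def trace_forwarding(servers, start_ip, qname):
    """Follow a query for `qname` from `start_ip` through every listed master.
    Returns one (path, outcome) per branch; outcome is 'authoritative',
    'recursion' (no forwarder configured), 'unknown-server' or 'cycle'."""
    results = []

    def walk(ip, path):
        cfg = servers.get(ip)
        if cfg is None:
            results.append((path, "unknown-server"))
            return
        if longest_match(qname, cfg["zones"]) is not None:
            results.append((path, "authoritative"))
            return
        domain = longest_match(qname, cfg["conditional"])
        hops = cfg["conditional"][domain] if domain else cfg["forwarders"]
        if not hops:
            results.append((path, "recursion"))
            return
        for nxt in hops:
            if nxt in path:                       # already visited: the path is cyclical
                results.append((path + [nxt], "cycle"))
            else:
                walk(nxt, path + [nxt])

    walk(start_ip, [start_ip])
    return results


if __name__ == "__main__":
    print("conflicts:", conflicting_conditional_forwarders(SERVERS))
    for q in ("host.corp.example.com", "www.example.microsoft.com", "www.unrelated.org"):
        print(q, "->", trace_forwarding(SERVERS, "10.0.0.1", q))
```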

• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure.
• If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.
• Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain controller hosting the default DNS application directory partitions. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller.
• The following table describes the options available when creating the DNS default application directory partitions.

Option   Partition name   Description
Create a single application directory partition for each domain in the forest.   DomainDnsZones.DnsDomainName   DNS application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.
Create a single application directory partition for the entire forest.   ForestDnsZones.DnsForestName   DNS application directory partition for the entire forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the forest.

• For more information about creating and deleting an application directory partition, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type:
dnscmd ServerName /CreateBuiltinDirectoryPartitions {/Domain|/Forest|/AllDomains}

Value   Description
dnscmd   Specifies the name of the command-line tool.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/CreateBuiltinDirectoryPartitions   Required. Creates a default application directory partition.
{/Domain|/Forest|/AllDomains}   Required. Specifies which default application directory partition to create. Do one of the following:
o To create a default domain-wide DNS application directory partition for the Active Directory domain where the specified DNS server is located, type /Domain.
o To create a default forest-wide DNS application directory partition for the Active Directory forest where the specified DNS server is located, type /Forest.
o To create default domain-wide DNS application directory partitions on a DNS server in each domain in the Active Directory forest where the user running this command is logged on, type /AllDomains. The computer on which this command is run must be joined to a domain in the forest where you want to create all of the default domain-wide application directory partitions. The ServerName parameter is ignored for /AllDomains.

Notes
• By default, only members of the Enterprise Admins group can create a DNS application directory partition.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /CreateDirectoryPartition /?
• By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure.
• If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.
• Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain hosting the default DNS application directory partitions. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller.
• The following table describes the options available when creating the DNS default application directory partitions.

Option   Partition name   Description
Create a single application directory partition for each domain in the forest.   DomainDnsZones.DnsDomainName   DNS application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.
Create a single application directory partition for the entire forest.   ForestDnsZones.DnsForestName   DNS application directory partition for the entire forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the forest.

• For more information about creating and deleting an application directory partition, see Related Topics.

To create a DNS application directory partition
1. Open Command Prompt.
2. Type:
dnscmd ServerName /CreateDirectoryPartition FQDN

Value   Description
dnscmd   Specifies the name of the command-line tool.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/CreateDirectoryPartition   Required. Creates a DNS application directory partition.
FQDN   Required. Specifies the name of the new DNS application directory partition. You must use a DNS fully qualified domain name (FQDN).

Notes

• By default, only members of the Enterprise Admins group can create a DNS application directory partition.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /CreateDirectoryPartition /?
• For more information about creating and deleting an application directory partition, see Related Topics.

To enlist a DNS server in a DNS application directory partition
1. Open Command Prompt.
2. Type:
dnscmd ServerName /EnlistDirectoryPartition FQDN

Value   Description
dnscmd   Specifies the name of the command-line program.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/EnlistDirectoryPartition   Required. Enlists a DNS server in a DNS application directory partition.
FQDN   Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /EnlistDirectoryPartition /?
• For more information about creating and deleting an application directory partition, see Related Topics.

To remove a DNS server from a DNS application directory partition
1. Open Command Prompt.
2. Type:
dnscmd ServerName /UnenlistDirectoryPartition FQDN

Value   Description
dnscmd   Specifies the name of the command-line program.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/UnenlistDirectoryPartition   Required. Removes a DNS server from a DNS application directory partition.
FQDN   Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition from which you are removing the DNS server specified by ServerName.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /UnenlistDirectoryPartition /?
• For more information about creating and deleting an application directory partition, see Related Topics.

Install and configure clients
• Configure DNS for static clients
• Enable DNS for DHCP-enabled clients
• Configure the primary DNS suffix for a client computer
• Preload the client resolver cache
• Display and view a client resolver cache using the ipconfig command
• Flush and reset a client resolver cache using the ipconfig command
• Renew DNS client registration using the ipconfig command

To configure DNS for static clients
• To configure DNS for clients with statically configured IP addresses, configure TCP/IP manually for DNS configuration. You likely need to configure the following:
1. DNS host name (or names) for the client computer.
2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names.
3. A list of DNS suffixes to be appended for use in completing unqualified DNS names, which are used for searching and submitting DNS queries at the client for resolution.
4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, mycompany. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry. For more information, see Related Topics.
• By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.
• For more information about how to configure DNS for static clients not running Windows XP, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for these clients.

To enable DNS for DHCP-enabled clients
• To configure DNS for clients with dynamically configured IP addresses provided by a DHCP server, you generally need to configure the following at either the DHCP server or applicable clients:
1. DNS host name (or names) for the client computer. For DHCP clients, this must be set at the client computer or assigned during unattended setup.
2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names. For DHCP clients, this can be set by assigning the DNS server option (option 6) and providing a configured list of ordered IP addresses for the DNS servers that the client is configured to use.
3. A list of DNS suffixes to be appended for use in completing unqualified DNS names used for searching and submitting DNS queries at the client for resolution. For DHCP clients, this can be set by assigning the DNS domain name option (option 15) and providing a single DNS suffix for the client to append and use in searches. To configure additional DNS suffixes, configure TCP/IP manually for DNS configuration.
4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server. For DHCP clients, the default is for client connections to register their configured IP addresses with a DNS server. To modify this behavior at the client, configure TCP/IP manually for DNS configuration.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, mycompany. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry. For more information, see Related Topics.
• By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.
• For more information on how to configure other DNS settings for DHCP clients, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor.

To configure the primary DNS suffix for a client computer
1. Open System in Control Panel.
2. Click the Computer Name tab. This tab displays the computer name, the workgroup or domain to which it belongs, and a brief description of the computer.
3. Click Change, and then click More.
4. In DNS Suffix and NetBIOS Computer Name, do the following: For Primary DNS suffix of this computer, specify the DNS suffix to be appended to the name of this computer when completing its fully qualified domain name (FQDN).
5. If the computer has been previously installed and configured as a DNS server, verify that zone authority records are updated, substituting the new FQDN to replace the single-label name previously in use. These include the start of authority (SOA) and name server (NS) resource records.
6. After applying these changes, restart the computer to initialize it with its new DNS domain name.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open System, click Start, point to Settings, and then click Control Panel. In Control Panel, double-click System.
• By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined. To allow different primary DNS suffixes, a domain administrator can create a restricted list of allowed suffixes by modifying the msDS-AllowedDNSSuffixes attribute in the domain object container. This attribute is managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP). For more information, see Related Topics.
• For more information about how to configure the primary DNS suffix for other clients and servers, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for your other clients.

To preload the client resolver cache
1. At the client computer, open Command Prompt.
2. At the command prompt, type the following command:
notepad %systemroot%\system32\drivers\etc\hosts
3. Using the default entry in the file (a mapping for the local host to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate lines to be preloaded into the resolver cache of the client. For example, you might add:
10.0.0.1 host-a.example.microsoft.com
Likewise, you could add a line such as the following with an IP address (10.0.0.1) that maps to more than one DNS host name:
10.0.0.1 host-a host-a.example.microsoft.com host-a.example2.microsoft.com hostb.example.microsoft.com
For example, you could add lines for the following multi-homed or multi-addressable DNS host computer:
10.0.0.1 host-a.example.microsoft.com
10.0.0.2 host-a.example.microsoft.com
10.0.0.3 host-a.example.microsoft.com
4. On the File menu, click Save, and then Exit.
5. As an option, you can verify that your changes have been updated in the resolver cache by viewing its contents.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To open Notepad, click Start, point to All programs, point to Accessories, and then click Notepad.
• Every line in the Hosts file should contain an IP address followed by one or more host names. When multiple names or IP addresses are used in the file, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines.
• Entries you add are always answered first from the local resolver cache and are not sent in a DNS query when queries are made locally to resolve these names to host (A) resource records.
• The DNS Client service must be running for all entries to be returned or used in answering queries. If the DNS Client service is not running, only the first entry in the file is used to resolve the query.
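The Hosts-file and resolver-cache behaviour described in this procedure and in the ipconfig procedures that follow (preloaded entries answered locally without a query, one name on several lines yielding several addresses, only the first entry used when the DNS Client service is not running, negative answers cached briefly, and /flushdns leaving preloaded entries in place) is modelled in the following Python script. It is an added example, not Microsoft code; the Hosts content, the server answers and the 5-second negative TTL are constructed values.

```python
"""Model of the Windows DNS client resolver cache as this page describes it.
Constructed example: Hosts content, server data and TTLs are made up."""

# Constructed Hosts file, laid out like the page's own examples.
HOSTS_SAMPLE = """\
# Constructed sample Hosts file
127.0.0.1       localhost
10.0.0.1 host-a host-a.example.microsoft.com hostb.example.microsoft.com
10.0.0.2 host-a.example.microsoft.com   # multi-homed host, second address
10.0.0.3 host-a.example.microsoft.com   # and third address
"""


def parse_hosts(text):
    """Return [(ip, [names]), ...] in file order. Each data line is an IP
    address followed by one or more host names; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


class ResolverCache:
    def __init__(self, hosts_text, negative_ttl=5):
        self.negative_ttl = negative_ttl          # constructed: seconds a negative answer is kept
        self.preloaded = {}                       # name -> all IPs from every Hosts line
        self.first_only = {}                      # name -> first IP only (DNS Client service stopped)
        for ip, names in parse_hosts(hosts_text):
            for name in names:
                key = name.lower()
                self.preloaded.setdefault(key, []).append(ip)
                self.first_only.setdefault(key, [ip])
        self.dynamic = {}                         # name -> (expires_at, [ips] or None)
        self.queries_sent = []                    # names actually sent to the server

    def resolve(self, name, dns_lookup, now, client_service_running=True):
        """Answer `name`: (1) preloaded Hosts entries, (2) unexpired dynamic
        entries, then (3) the server via dns_lookup(name) -> (ips or None, ttl).
        Returns a list of IPs, or None for a negative answer."""
        key = name.lower().rstrip(".")
        if key in self.preloaded:
            # Hosts entries are answered locally and never sent to a server.
            table = self.preloaded if client_service_running else self.first_only
            return list(table[key])
        cached = self.dynamic.get(key)
        if cached and cached[0] > now:
            return cached[1]                      # may be None: negative cache hit
        self.queries_sent.append(key)
        ips, ttl = dns_lookup(key)
        if ips is None:
            ttl = self.negative_ttl               # negative results are cached briefly
        self.dynamic[key] = (now + ttl, ips)
        return ips

    def flushdns(self):
        """ipconfig /flushdns: discard dynamic and negative entries; entries
        preloaded from Hosts stay until they are removed from the file."""
        self.dynamic.clear()

    def displaydns(self, now):
        """ipconfig /displaydns-style view: name -> (origin, ips)."""
        out = {k: ("hosts", list(v)) for k, v in self.preloaded.items()}
        for k, (expires_at, ips) in self.dynamic.items():
            if expires_at > now:
                out[k] = ("negative" if ips is None else "dynamic", ips)
        return out


def demo():
    """Walk through the behaviours the page describes; returns the observations."""
    answers = {"www.example.microsoft.com": (["10.0.1.20"], 300)}   # constructed server data

    def fake_server(name):
        return answers.get(name, (None, 0))

    cache, t0, r = ResolverCache(HOSTS_SAMPLE), 1000.0, {}
    r["hosts_multi"] = cache.resolve("host-a.example.microsoft.com", fake_server, t0)
    r["hosts_first_only"] = cache.resolve("host-a.example.microsoft.com", fake_server, t0,
                                          client_service_running=False)
    r["www"] = cache.resolve("www.example.microsoft.com", fake_server, t0)
    r["bogus1"] = cache.resolve("bogus.example.microsoft.com", fake_server, t0)
    r["bogus2"] = cache.resolve("bogus.example.microsoft.com", fake_server, t0 + 1)  # negative hit
    r["queries_before_flush"] = list(cache.queries_sent)
    cache.flushdns()
    r["after_flush"] = cache.displaydns(t0 + 1)                                    # Hosts only
    r["bogus3"] = cache.resolve("bogus.example.microsoft.com", fake_server, t0 + 2) # re-queried
    r["queries_after_flush"] = list(cache.queries_sent)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```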

To display and view a client resolver cache using the ipconfig command
1. Open Command Prompt.
2. Type:
ipconfig /displaydns

Value   Description
ipconfig   The name of the command-line program.
/displaydns   The command to display a client resolver cache.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: ipconfig /help
• To pause the display of the command output to one screen at a time, type ipconfig /displaydns|more.
• The ipconfig /displaydns command provides you with a means to view the contents of the DNS client resolver cache, which includes entries preloaded from the local Hosts file, as well as any recently obtained resource records for name queries resolved by the system. This information is used by the DNS Client service to quickly resolve frequently queried names before it queries its configured DNS servers.
• When the ipconfig /displaydns command is used to display current resolver cache contents, the resultant output generally includes the local host and loopback IP address (127.0.0.1) mappings. This is because these mappings typically exist in the default (unmodified) contents of the local Hosts file.
• After you add host mapping entries to the local Hosts file and save the file, these entries are added to the displayed output of this command.
• The resolver cache can also support negative caching of unresolved or non-valid DNS names. These entries are added by the DNS Client service when it receives a negative answer from a DNS server for a queried name. The negative result is cached for a short period of time so that it is not queried again, which could cause query performance problems. During DNS troubleshooting, you can flush and reset the cache to discard negative entries from the cache and any other dynamically added entries that were not preloaded. For more information, see Related Topics.
• Although the ipconfig command is provided for earlier versions of Windows, the /displaydns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

To flush and reset a client resolver cache using the ipconfig command
1. Open Command Prompt.
2. Type:
ipconfig /flushdns

Value   Description
ipconfig   The name of the command-line program.
/flushdns   The command to flush and reset a client resolver cache.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: ipconfig /help
• The ipconfig /flushdns command provides you with a means to flush and reset the contents of the DNS client resolver cache. During DNS troubleshooting, if necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries.
• Resetting the cache does not eliminate entries that are preloaded from the local Hosts file. To eliminate those entries from the cache, remove them from this file.
• Although the ipconfig command is provided for earlier versions of Windows, the /flushdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.
• For more information, see Related Topics.

To renew DNS client registration using the ipconfig command
1. Open Command Prompt.
2. Type:
ipconfig /registerdns

Value   Description
ipconfig   The name of the command-line program.
/registerdns   The command to renew DNS client registration.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• To view the complete syntax for this command, at a command prompt, type: ipconfig /help
• An additional form of /registerdns is to type: ipconfig /registerdns [adapter] where adapter is the name of a specific network adapter installed on the computer for which you want to renew or update registrations. To learn the names of adapters that you can optionally specify with this command, first type the ipconfig command by itself (that is, do not specify any additional parameters). The command output displays all adapters by name that are available for use at the computer.
• The ipconfig /registerdns command provides you with a means to manually initiate dynamic registration for the DNS names and IP addresses configured at a computer. This option can assist in troubleshooting a failed DNS name registration or in resolving a dynamic update problem between a client and the DNS server without restarting the client.
• On computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems, the ipconfig /registerdns command refreshes all DHCP address leases and registers all related DNS names configured and used by the client computer. By default, the DHCP Client service is used to perform dynamic registrations and updates, regardless of whether the computer uses a DHCP server or static configuration to obtain its IP address.
• If you are troubleshooting a failed DNS dynamic registration for a client computer and its DNS names, it might help to verify that the cause is not related to one of the following commonly known causes for such failures:
1. The DNS servers that the client is configured to use do not support or recognize the DNS dynamic update protocol.
2. The zone where the client requires update or registration is not able to accept dynamic updates.
3. The primary (or directory-integrated) DNS server for the zone refused the update request. This most likely occurs because the current zone or resource record security does not grant the client sufficient access rights to update its own name.
4. The server or zone is not available because of other problems, such as a network or server failure.
• Although the ipconfig command is provided for earlier versions of Windows, the /registerdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

Manage servers
• Open the DNS console
• Start or stop a DNS server
• Add a server to the DNS console
• Remove a server from the DNS console
• Manually update server data files
• Change the boot method used by the DNS server
• Change the name-checking method used by the DNS server
• Restrict NS resource record registration
• Allow NS record creation for specific domain controllers
• Restrict DNS resource records updated by Netlogon

To open the DNS console
• Open DNS.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To interrupt the service. click Start. click Pause. point to All Tasks and then click one of the following: o o o o To start the service. After you pause or stop the service. click Start. if a DNS value is manually changed directly in the Page 36 of 165 • • • . click Restart. If the computer is joined to a domain. in All Tasks. To open DNS. When using registry-based configuration. Notes • To perform this procedure. On the Action menu. click the applicable DNS server. In the console tree. To start or stop a DNS server 1. 2. you must be a member of the Administrators group on the local computer. click Control Panel. Open DNS. consider using Run as to perform this procedure. Where? o DNS/Applicable DNS server 3. you can click Resume to immediately resume service. As a security best practice. on the Action menu. For more information. or you must have been delegated the appropriate authority. In these cases. see Related Topics. changes are applied to DNS servers only when the DNS Server service is re-initialized.• The DNS console is an administrative tool for managing DNS servers running Windows Server 2003 family operating systems only. To stop the service. and then double-click DNS. members of the Domain Admins group might be able to perform this procedure. To stop and then automatically restart the service. click Stop. double-click Administrative Tools.

In Connect to DNS Server. To open DNS. 3. Notes • To perform this procedure. click either: o This computer. members of the Domain Admins group might be able to perform this procedure. On the Action menu. The DNS console is a Microsoft Management Console (MMC) administrative tool for managing DNS servers running Windows Server 2003 operating systems only. Select the Connect to the specified computer now check box. The following computer. o If you choose to connect to a remote server. For more information. the DNS Server service must always be restarted for the new value to be used. or you must have been delegated the appropriate authority. consider using Run as to perform this procedure. and then double-click DNS. click Start. and then click OK. • • • To remove a server from the DNS console 1. To add a server to the DNS console 1. Page 37 of 165 . you must be a member of the Administrators group on the local computer. As a security best practice. Open DNS. double-click Administrative Tools. see Related Topics. if the server you want to connect to and manage is located on the same computer you are using to manage it. 2. If you use the Windows Server 2003 DNS console to administer a Windows 2000 DNS server. Open DNS. if the server you want to connect to and manage is located on a remote computer. any new features will not be available when viewing the Windows 2000 DNS server. specify either its DNS computer name or its IP address. 4. click Control Panel. If the computer is joined to a domain. click Connect To DNS Server.registry.

2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Delete.
4. When prompted to confirm that you want to delete this server from the list, click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To manually update server data files
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Update Server Data Files.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• For standard primary zones, this procedure causes the DNS server to immediately write its in-memory changes out to disk for storage with the zone file. Normally these changes are only written at predefined update intervals and when the DNS server is shut down.
• For Active Directory-integrated zones, this procedure does not apply. To update Active Directory-integrated zones, see the command-line procedure below.
Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneUpdateFromDs ZoneName

Value                   Description
dnscmd                  Specifies the name of the command-line tool.
ServerName              Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneUpdateFromDs       Required. Updates the zone file with data from Active Directory.
ZoneName                Required. Specifies the fully qualified domain name (FQDN) of the zone you are updating.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type:
   dnscmd /ZoneUpdateFromDs /help

• The command-line procedure updates Active Directory-integrated zones only. For standard zones, see the Windows interface procedure above.

To change the boot method used by the DNS server
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Load zone data on startup list, select From registry, From file, or From Active Directory and registry.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, DNS servers use information stored in the registry to initialize for service and load any zone data for use at the server. As added options, you can configure the DNS server to boot from a file or, in Active Directory environments, you can supplement local registry data with zone data retrieved for directory-integrated zones stored in the Active Directory database.
• If you use the file method, the file used must be a text file named Boot, located on this computer in the systemroot\System32\Dns folder.

To change the name-checking method used by the DNS server
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In the Name checking list, select Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The DNS Server service supports different possible methods for checking the names it receives and processes during normal operations:
   o Strict RFC (ANSI): This method strictly enforces RFC-compliant naming rules for all DNS names that the server processes. Names that are not RFC-compliant are treated as erroneous data by the server.
   o Non RFC (ANSI): This method allows names that are not RFC-compliant, such as names that use ASCII characters but are not compliant with RFC host naming requirements, to be used with the DNS server.
   o Multibyte (UTF8): This method allows names encoded in UTF-8 (Unicode) to be used with the DNS server. Use of UTF-8 in DNS names is based on an Internet draft rather than a published RFC.
   o All names: Allows Non RFC (ANSI), Strict RFC (ANSI), and Multibyte (UTF8) naming conventions.
• By default, the server uses Multibyte (UTF8) to check names.

To restrict NS resource record registration
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following REG_DWORD value: DisableNSRecordsAutoCreation
4. Assign a value of 0x1.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• This procedure restricts NS resource records registered for Active Directory domain controllers only.
• The registry key entry described here does not exist by default and must be created and configured according to this procedure.
• The REG_DWORD value is a local DNS server setting and applies to DNS zones for which this DNS server is authoritative.
• To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.
• If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.
• Regardless of the settings of these registry entries, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are from an authoritative DNS server.
Using a command line
1. Open Command Prompt.
   Caution

   o In this procedure you will be editing the registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. Type:
   dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1

Value                           Description
dnscmd                          Specifies the name of the command-line tool.
ServerName                      Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                         Specifies the configuration command.
/DisableNSRecordsAutoCreation   Determines the local DNS server configuration for registering NS resource records for authoritative zones.
0x1                             Specifies that the DNS server specified in ServerName should not add NS resource records for authoritative zones. To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• This procedure restricts NS resource records registered for Active Directory domain controllers only.
• To view the complete syntax for this command, at a command prompt, type:
   dnscmd /config /?

• The DWORD value is a local DNS server setting and applies to authoritative DNS zones hosted on this DNS server.
• To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.
• The registry key entries described here do not exist by default and must be created and configured using this procedure.
• If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.
• Regardless of the NS resource record registration setting, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are authoritative.
• For more information, see Related Topics.

To allow NS resource record creation for specific domain controllers
Important
o This procedure applies to domain controller name server (NS) resource records in Active Directory-integrated DNS zones that are hosted on DNS servers configured to not add these resource records for their authoritative zones. Regardless of the settings above, query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation IpAddresses...

Value                           Description
dnscmd                          Required. Specifies the name of the command-line program.
ServerName                      Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                         Required. Specifies the configuration command.
ZoneName                        Required. Specifies the fully qualified domain name (FQDN) of the zone.
/AllowNSRecordsAutoCreation     Required. Specifies that the domain controllers entered for IpAddresses will add their names to NS resource records for the zone specified in ZoneName. NS resource records that were previously registered for this zone are not affected. Therefore, you must remove them manually if you do not want them.
IpAddresses...                  Required. Specifies the IP addresses of the domain controllers that will add their names in NS resource records for the zone specified in ZoneName. Type a space-separated list of the IP addresses of the DNS servers. For example: 10.0.0.0 172.16.0.0 192.168.0.0

Additional considerations
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type:
   dnscmd /Config /?
• If any domain controllers in the specified zone are not listed for IpAddresses, their names will be deleted from the NS resource records for the zone specified in ZoneName.
• To specify that all domain controllers are allowed to add their names to NS resource records for the zone, or to clear the list of allowed DNS server IP addresses, type the command and omit IpAddresses..., for example:
   dnscmd ServerName /Config ZoneName /AllowNSRecordsAutoCreation

• Regardless of the settings above, query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.

To restrict the DNS resource records updated by the Net Logon service
1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Add the following multi-string (REG_MULTI_SZ) value: DnsAvoidRegisterRecords
4. In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service. The list of data includes:

Data Value          Resource Record Type   DNS Resource Record
LdapIpAddress       A                      <DnsDomainName>
Ldap                SRV                    _ldap._tcp.<DnsDomainName>
LdapAtSite          SRV                    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc                 SRV                    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                  SRV                    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>

DcByGuid            SRV                    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress         A                      gc._msdcs.<DnsForestName>
DsaCname            CNAME                  <DsaGuid>._msdcs.<DnsForestName>
Kdc                 SRV                    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite           SRV                    _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Dc                  SRV                    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc          SRV                    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite    SRV                    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc           SRV                    _gc._tcp.<DnsForestName>
GenericGcAtSite     SRV                    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc       SRV                    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd         SRV                    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV                    _kpasswd._udp.<DnsDomainName>

Important
• This procedure restricts DNS resource records registered by the Net Logon service for Active Directory domain controllers only.
• A restart of the Net Logon service is not required to make changes to this value effective. If the DnsAvoidRegisterRecords registry value is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it is started, the corresponding DNS updates may take place with a short delay; the delay is never longer than 15 minutes after the Net Logon service starts.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
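The following is an added example and is not part of the original documentation: a Python model of the Net Logon registration table in the procedure above. It expands each mnemonic's name template for a constructed domain controller (the domain, forest, site and GUID values are invented sample input) and shows which records remain registered once a DnsAvoidRegisterRecords list is applied. It also flags list entries that match no mnemonic in the table, because a misspelled entry is ignored and leaves that record registered. Matching mnemonics case-insensitively is an assumption of this model, not something the procedure states.

```python
"""Model of Net Logon DNS record registration under DnsAvoidRegisterRecords.

Added example, not Microsoft code. The mnemonic table is the one in the
procedure; every domain/forest/site/GUID value below is constructed.
"""

# Mnemonic -> (record type, owner-name template) using the table's placeholders.
NETLOGON_RECORDS = {
    "LdapIpAddress":    ("A",     "<DnsDomainName>"),
    "Ldap":             ("SRV",   "_ldap._tcp.<DnsDomainName>"),
    "LdapAtSite":       ("SRV",   "_ldap._tcp.<SiteName>._sites.<DnsDomainName>"),
    "Pdc":              ("SRV",   "_ldap._tcp.pdc._msdcs.<DnsDomainName>"),
    "Gc":               ("SRV",   "_ldap._tcp.gc._msdcs.<DnsForestName>"),
    "GcAtSite":         ("SRV",   "_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>"),
    "DcByGuid":         ("SRV",   "_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>"),
    "GcIpAddress":      ("A",     "gc._msdcs.<DnsForestName>"),
    "DsaCname":         ("CNAME", "<DsaGuid>._msdcs.<DnsForestName>"),
    "Kdc":              ("SRV",   "_kerberos._tcp.dc._msdcs.<DnsDomainName>"),
    "KdcAtSite":        ("SRV",   "_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>"),
    "Dc":               ("SRV",   "_ldap._tcp.dc._msdcs.<DnsDomainName>"),
    "DcAtSite":         ("SRV",   "_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>"),
    "Rfc1510Kdc":       ("SRV",   "_kerberos._tcp.<DnsDomainName>"),
    "Rfc1510KdcAtSite": ("SRV",   "_kerberos._tcp.<SiteName>._sites.<DnsDomainName>"),
    "GenericGc":        ("SRV",   "_gc._tcp.<DnsForestName>"),
    "GenericGcAtSite":  ("SRV",   "_gc._tcp.<SiteName>._sites.<DnsForestName>"),
    "Rfc1510UdpKdc":    ("SRV",   "_kerberos._udp.<DnsDomainName>"),
    "Rfc1510Kpwd":      ("SRV",   "_kpasswd._tcp.<DnsDomainName>"),
    "Rfc1510UdpKpwd":   ("SRV",   "_kpasswd._udp.<DnsDomainName>"),
}

# Constructed sample domain controller (hypothetical names and GUIDs).
SAMPLE_DC = {
    "DnsDomainName": "corp.example.com",
    "DnsForestName": "example.com",
    "SiteName": "Branch01",
    "DomainGuid": "6f1c2b3a-0000-4000-8000-000000000001",
    "DsaGuid": "9e8d7c6b-0000-4000-8000-000000000002",
}

# Constructed hardening choice for a branch-office DC: keep only the
# site-specific, GUID-based and PDC records, so clients outside the site do
# not discover this DC through the generic domain-wide names.
BRANCH_AVOID = [
    "LdapIpAddress", "Ldap", "Gc", "GcIpAddress", "Kdc", "Dc", "GenericGc",
    "Rfc1510Kdc", "Rfc1510Kpwd", "Rfc1510UdpKdc", "Rfc1510UdpKpwd",
]


def expand(template, dc):
    """Substitute the table's <Placeholder> tokens with the DC's values."""
    name = template
    for key, value in dc.items():
        name = name.replace("<%s>" % key, value)
    return name


def registered_records(dc, avoid):
    """Records Net Logon would still register for dc after honoring avoid.

    Returns a list of (mnemonic, type, owner name). Case-insensitive
    comparison of mnemonics is an assumption of this model.
    """
    avoid_set = {m.lower() for m in avoid}
    return [(m, rtype, expand(tmpl, dc))
            for m, (rtype, tmpl) in NETLOGON_RECORDS.items()
            if m.lower() not in avoid_set]


def unknown_mnemonics(avoid):
    """Entries that match no mnemonic: they suppress nothing, so a typo here
    silently leaves the intended record registered. Check before committing."""
    known = {m.lower() for m in NETLOGON_RECORDS}
    return [m for m in avoid if m.lower() not in known]


if __name__ == "__main__":
    for bad in unknown_mnemonics(BRANCH_AVOID):
        print("unknown mnemonic, will be ignored:", bad)
    for mnemonic, rtype, owner in registered_records(SAMPLE_DC, BRANCH_AVOID):
        print("%-18s %-5s %s" % (mnemonic, rtype, owner))
```

Run with no arguments to list what the sample branch DC would still publish; feed your own DnsAvoidRegisterRecords list to unknown_mnemonics before writing it to the registry.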

Optimize servers
• Enable or disable fast transfer format during zone transfers
• Prevent loading of a zone when bad data is found
• Disable round-robin rotation for multihomed names
• Disable local subnet prioritization for multihomed names
• Restore server default preferences
• Disable recursion on the DNS server
• Update root hints on the DNS server
• Secure server cache against names pollution
• Clear the server names cache
• Modify DNSSEC configuration
• Modify EDNS0 configuration
• Modify UDP message size

To enable or disable fast transfer format during zone transfers
• Using the Windows interface
• Using a command line
Using the Windows interface
You can enable or disable fast transfer format during zone transfers using the Windows interface.
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.

5. Do one of the following:
   o To enable the fast transfer format (the default), in the Server options list, clear the BIND secondaries check box, and then click OK.
   o To disable the fast transfer format, in the Server options list, select the BIND secondaries check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format.
• DNS servers running versions of the Berkeley Internet Name Domain (BIND) server implementation prior to version 4.9.4 do not support the fast transfer format. You should enable the BIND secondaries option if you are transferring zones to BIND servers running versions earlier than 4.9.4.
Using a command line
You can enable or disable fast transfer format during zone transfers using a command line.
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config /BindSecondaries {1|0}

Value               Description
dnscmd              Specifies the name of the command-line tool.
ServerName          Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config             Specifies the configuration command.
/BindSecondaries    Controls whether zone transfers to secondary servers use the slower format required by legacy Berkeley Internet Name Domain (BIND) servers instead of the fast transfer format.

{1|0}               To disable fast transfer format when transferring a zone to legacy BIND DNS servers, type 1 (on). To enable fast transfer format, type 0 (off).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type:
   dnscmd ServerName /Config /help
• The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format.
• DNS servers running versions of the BIND server implementation earlier than version 4.9.4 do not support the fast transfer format. You should set BindSecondaries to 1 if you are transferring zones to BIND servers running versions earlier than 4.9.4.

To prevent loading of a zone when bad data is found
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.

5. In Server options, select the Fail on load if bad zone data check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To disable round-robin rotation for multihomed names
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, clear the Enable round robin check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config /RoundRobin {1|0}

Value               Description
dnscmd              Specifies the name of the command-line tool.
ServerName          Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config             Specifies the configuration command.
/RoundRobin         Configures round robin rotation.
{1|0}               To enable round robin, type 1 (on). To disable round robin, type 0 (off).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type:
   dnscmd /Config /help
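The following is an added example and is not part of the original documentation: a Python model of the two answer-ordering behaviors for multihomed names that these procedures toggle, round robin (the procedure just above) and local subnet prioritization, which the next procedure turns off under its dnscmd name LocalNetPriority. The multihomed record set and the client addresses are constructed. The netmask used for the local-subnet comparison is 255.255.255.0, the server's default, modeled here as a fixed /24 prefix; that the server applies round robin first and then moves local-subnet addresses to the front is also an assumption of this model.

```python
"""Model of round robin and netmask ordering on a multihomed A record set.

Added example, not Microsoft code. Addresses below are constructed.
"""
import ipaddress

# Constructed multihomed host: one owner name, four A records.
MULTIHOMED = ["10.1.1.10", "10.2.2.10", "192.168.5.10", "172.16.9.10"]


def round_robin(addresses, served):
    """Rotate the record set left by one position per query already served,
    so successive clients receive a different first address."""
    if not addresses:
        return []
    k = served % len(addresses)
    return addresses[k:] + addresses[:k]


def netmask_order(addresses, client_ip, prefix=24):
    """Local subnet prioritization: addresses on the client's subnet (as
    judged by the netmask, default 255.255.255.0 i.e. /24) come first; the
    relative order of all other addresses is preserved."""
    client_net = ipaddress.ip_network("%s/%d" % (client_ip, prefix), strict=False)
    local = [a for a in addresses if ipaddress.ip_address(a) in client_net]
    remote = [a for a in addresses if ipaddress.ip_address(a) not in client_net]
    return local + remote


class AnswerOrdering:
    """Server-side ordering state: mirrors the Enable round robin and Enable
    netmask ordering check boxes (RoundRobin / LocalNetPriority in dnscmd)."""

    def __init__(self, round_robin_enabled=True, local_net_priority=True):
        self.round_robin_enabled = round_robin_enabled
        self.local_net_priority = local_net_priority
        self.served = 0

    def answer(self, addresses, client_ip):
        order = list(addresses)
        if self.round_robin_enabled:
            order = round_robin(order, self.served)
        if self.local_net_priority:
            order = netmask_order(order, client_ip)
        self.served += 1
        return order


if __name__ == "__main__":
    server = AnswerOrdering()
    for client in ("10.2.2.55", "203.0.113.7", "203.0.113.7"):
        print(client, "->", server.answer(MULTIHOMED, client))
    fixed = AnswerOrdering(round_robin_enabled=False, local_net_priority=False)
    print("both disabled ->", fixed.answer(MULTIHOMED, "10.2.2.55"))
```

With both options disabled every client receives the records in zone-file order, which is the behavior you get after the two procedures are applied and is what you want when a load balancer or a client-side policy, not the DNS server, should decide which address is tried first.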

To open DNS. • Using a command line 1. double-click Administrative Tools. In the console tree. clear the Enable netmask ordering check box. If the computer is joined to a domain. Click the Advanced tab. members of the Domain Admins group might be able to perform this procedure. you must be a member of the Administrators group on the local computer. 5. click the applicable DNS server. click Properties. As a security best practice. Where? o DNS/applicable DNS server 3. 4. consider using Run as to perform this procedure. Open Command Prompt. Type: dnscmdServerName/Config/LocalNetPriority {1|0} Value Description dnscmd ServerName Specifies the name of the command-line tool.To disable local subnet prioritization for multihomed names • • Using the Windows interface Using a command line Using the Windows interface 1. 2. 2. or you must have been delegated the appropriate authority. Specifies the DNS host name of the DNS server. and then click OK. Open DNS. You can Page 53 of 165 . On the Action menu. In Server options. click Start. click Control Panel. Notes • To perform this procedure. and then double-click DNS.

/Config             Specifies the configuration command.
/LocalNetPriority   Configures netmask ordering.
{1|0}               To enable netmask ordering, type 1 (on). To disable netmask 
ordering, type 0 (off).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type:
   dnscmd /Config /help

To restore server default preferences
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• Clicking Reset to Default configures the DNS server with the initial configuration it had following installation. These settings are displayed in the table below.

Property                                      Setting
Disable recursion                             Off
BIND secondaries                              On
Fail on load if bad zone data                 Off
Enable round robin                            On
Enable netmask ordering                       On
Secure cache against pollution                On
Name checking                                 Multibyte (UTF8)
Load zone data on startup                     From Active Directory and registry
Enable automatic scavenging of stale records  Off

To disable recursion on the DNS server
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. In Server options, select the Disable recursion check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config /NoRecursion {1|0}

Value               Description
dnscmd              Required. Specifies the name of the command-line tool.
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config             Required. Specifies the configuration command.
/NoRecursion        Required. Specifies the command to disable recursion.
{1|0}               Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type:
   dnscmd /Config /help
• If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

To update root hints on the DNS server
1. Open DNS.

2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Root Hints tab.
5. Modify server root hints as follows:
   o To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.
   o To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.
   o To remove a root server from the list, select it in the list, and then click Remove.
   o To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To secure server cache against names pollution
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server

3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Secure cache against pollution check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The Secure cache against pollution option is enabled by default.

To clear the server names cache
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Clear Cache.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
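The following is an added example and is not part of the original documentation; it covers the two cache procedures above, Secure cache against pollution and Clear Cache, before the command-line form of the latter. It is a toy Python resolver cache. With the protection on, the cache discards any record in a response whose owner name lies outside the domain the queried server is authoritative for (the bailiwick rule), which is what stops a server that legitimately answers for one domain from planting a record for an unrelated name; clear_cache models the Clear Cache action used to flush a cache that was polluted while the option was off. The response below is constructed, not captured from any server.

```python
"""Toy resolver cache with the bailiwick rule behind "Secure cache against
pollution" and a Clear Cache operation.

Added example, not Microsoft code. All names and addresses are constructed.
"""
import time


def in_bailiwick(owner, zone):
    """True if owner is zone itself or a name underneath it."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


class SecureCache:
    def __init__(self, secure_against_pollution=True, clock=time.time):
        self.secure = secure_against_pollution   # the Advanced-tab check box
        self.clock = clock
        self.entries = {}                         # (owner, type) -> (rdata, expiry)

    def accept_response(self, queried_zone, records):
        """Cache records from a response sent by a server that was asked
        about queried_zone. records: iterable of (owner, type, rdata, ttl).
        Returns the (owner, type, rdata) tuples actually cached; with the
        protection on, out-of-bailiwick records are dropped."""
        kept = []
        now = self.clock()
        for owner, rtype, rdata, ttl in records:
            if self.secure and not in_bailiwick(owner, queried_zone):
                continue
            self.entries[(owner.rstrip(".").lower(), rtype)] = (rdata, now + ttl)
            kept.append((owner, rtype, rdata))
        return kept

    def lookup(self, owner, rtype):
        entry = self.entries.get((owner.rstrip(".").lower(), rtype))
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]

    def clear_cache(self):
        """Equivalent of Clear Cache / dnscmd /clearcache."""
        self.entries.clear()


# Constructed response from a server authoritative for example.net that also
# volunteers an A record for a name it has no authority over.
POLLUTED_RESPONSE = [
    ("www.example.net.", "A", "198.51.100.20", 3600),
    ("ns1.example.net.", "A", "198.51.100.53", 3600),
    ("www.bank.example.", "A", "203.0.113.66", 86400),
]


if __name__ == "__main__":
    for enabled in (True, False):
        cache = SecureCache(secure_against_pollution=enabled)
        cache.accept_response("example.net", POLLUTED_RESPONSE)
        print("secure=%s bank -> %s" % (enabled, cache.lookup("www.bank.example", "A")))
```

Note that the check is on the owner name relative to the zone that was queried, not on the answering server's address, so a compromised or misconfigured authoritative server can still poison names inside its own zone; the option only prevents it from reaching outside.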

Using a command line

1. Open Command Prompt.
2. Type the following command, and then press ENTER:
   dnscmd ServerName /clearcache

dnscmd
    Specifies the name of the command-line program.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/clearcache
    Required. Specifies the command to clear the DNS server cache.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To modify DNSSEC configuration

1. Open Registry Editor.

   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. Add the following DWORD entry: EnableDnsSec
4. Do one of the following:
   o To include the DNSSEC resource records in all query responses (according to RFC 2535), assign a value of 0x1 or do not create the value at all. The DNS server behaves the same if the value is 0x1 or if the entry does not appear in the registry.
   o To include DNSSEC resource records only in cases where the original client query contained the OPT resource record (according to RFC 2671), assign a value of 0x2.
   o To exclude DNSSEC resource records in query responses other than responses to requests for SIG, KEY or NXT resource records, assign a value of 0x0. Appropriate resource records will be included in responses to requests for SIG, KEY, or NXT resource records only.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• The value of the registry entry EnableDnsSec determines whether the DNS server will include or exclude DNSSEC resource records when it receives queries.

To modify EDNS0 configuration

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open Registry Editor.

   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry: EDNSCacheTimeout
4. To change the cache timeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days).
5. In the same registry subkey (Parameters), add the following DWORD entry: EnableEDNSProbes
6. To configure the DNS server to include an OPT resource record only in response to EDNS0 requests containing OPT resource records, type 0x1 (DWORD).
7. Restart DNS server.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• The value of the registry key EDNSCacheTimeout determines how long the DNS server will keep information about the EDNS versions supported by other DNS servers that have responded to a query with an OPT resource record.

Using a command line

1. Open Command Prompt.
2. Type one of the following:
   o dnscmd ServerName /Config /EDNSCacheTimeout Value
   o dnscmd ServerName /Config /EnableEDNSProbes Value

dnscmd
    Specifies the name of the command-line program.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config
    Required. Specifies the command to configure the DNS server.
/EDNSCacheTimeout
    Required. Specifies the length of time the DNS server remembers the EDNS parameters remote servers report.
/EnableEDNSProbes
    Required. Specifies whether or not the DNS server probes other DNS servers to determine if they support EDNS.
Value
    Required. For /EDNSCacheTimeout, type a value between 3600 (1 hour) and 15724800 (182 days). For /EnableEDNSProbes, type 1 to configure the DNS server to probe other DNS servers and determine if they support EDNS. Type 0 to configure the DNS server to not probe remote servers for EDNS support. If you type 0, the DNS server will continue to use EDNS if other servers request it.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config help
• For information about the current registry setting, type one of the following:
   o dnscmd /Info /EDNSCacheTimeout
   o dnscmd /Info /EnableEDNSProbes

To modify UDP message size

1. Open Registry Editor.

   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

2. In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry: MaximumUdpPacketSize
4. Type a maximum UDP packet size value in bytes. The default value is 1280 bytes. The value must be between 512 and 16384 in decimal format (200 and 4000 in hexadecimal format).
5. Restart DNS server.

Caution

When configuring the UDP packet size to be larger than 512 bytes, remember UDP packets must travel through devices other than UDP hosts, such as routers, and these devices may not support UDP packets larger than 512 bytes. It is recommended that you establish the maximum UDP packet length support for all devices, and the path's MTU, if possible, and configure your UDP hosts according to this maximum.
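How the two ends of an EDNS0 exchange arrive at the size configured above: the requester advertises a UDP payload size in the CLASS field of an OPT pseudo-RR (RFC 2671), the responder may not exceed the smaller of that figure and its own MaximumUdpPacketSize, and a query without an OPT RR is limited to the classic 512 bytes. The following Python example is added here and is not part of this documentation; the function names are ours, and the messages are constructed in memory so it runs without a DNS server:

```python
"""Constructed EDNS0 (RFC 2671) exchange: not part of the Windows Server
documentation. Function names are ours; messages are built in memory."""
import struct

# Range and default from the "To modify UDP message size" procedure.
MIN_UDP_PACKET_SIZE = 512       # 0x200
MAX_UDP_PACKET_SIZE = 16384     # 0x4000
DEFAULT_UDP_PACKET_SIZE = 1280
OPT_TYPE = 41                   # type code of the EDNS0 OPT pseudo-RR
CLASSIC_UDP_LIMIT = 512         # response limit when the query carries no OPT RR


def validate_max_udp_packet_size(value):
    """Apply the documented range check for MaximumUdpPacketSize."""
    if not MIN_UDP_PACKET_SIZE <= value <= MAX_UDP_PACKET_SIZE:
        raise ValueError("MaximumUdpPacketSize must be between %d and %d bytes"
                         % (MIN_UDP_PACKET_SIZE, MAX_UDP_PACKET_SIZE))
    return value


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (compression pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _opt_rr(udp_payload_size):
    # OPT RR: root name, TYPE 41, CLASS = sender's UDP payload size,
    # TTL = extended RCODE / EDNS version 0 / flags (all zero), RDLENGTH 0.
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)


def build_edns_query(qname, qtype, txid, udp_payload_size=None):
    """Build a query; when udp_payload_size is given, append an OPT RR advertising it."""
    additional = _opt_rr(udp_payload_size) if udp_payload_size is not None else b""
    # Header: ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if additional else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    return header + question + additional


def parse_opt_payload_size(msg):
    """Return the UDP payload size carried in the message's OPT RR, or None when
    there is no OPT RR (the other side is not EDNS-aware)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def negotiated_udp_size(query, server_max_udp_packet_size):
    """Largest UDP response the server may send for this query: the smaller of the
    requester's advertised size and the server's MaximumUdpPacketSize; a query
    without OPT falls back to the classic 512-byte limit."""
    advertised = parse_opt_payload_size(query)
    if advertised is None:
        return CLASSIC_UDP_LIMIT
    return min(advertised, validate_max_udp_packet_size(server_max_udp_packet_size))


def build_edns_response(query, server_max_udp_packet_size):
    """Echo the question with QR set. As step 6 above describes for
    EnableEDNSProbes = 1, an OPT RR is included only when the query carried one."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack_from("!HHHHHH", query, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4
    question = query[12:off]
    additional = b""
    if parse_opt_payload_size(query) is not None:
        additional = _opt_rr(validate_max_udp_packet_size(server_max_udp_packet_size))
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, 0, 0, 1 if additional else 0)
    return header + question + additional
```

With the default MaximumUdpPacketSize of 1280, a client advertising 4096 bytes still receives at most 1280, while a client that sends no OPT RR is held to 512.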

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.

• For information on discovering the maximum transmission unit (MTU) of an arbitrary Internet path, see Request for Comment (RFC) 1191, "Path MTU Discovery."

Monitor servers

• Select and enable debug logging options on the DNS server
• Disable debug logging options on the DNS server
• Test a simple query on the DNS server
• Test a recursive query on the DNS server
• Enable automatic query testing on the DNS server
• View the DNS server system event log
• View a DNS server debug log file
• Verify DNS server responsiveness using the nslookup command

To select and enable debug logging options on the DNS server

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Debug Logging tab.
4. Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• To set the debug logging options, you must first select Log packets for debugging.

• To get useful debug logging output you need to select a Packet direction, a Transport protocol and at least one more option.
• In addition to selecting events for the DNS debug log file, you can specify the file name, location, and maximum file size for the file.
• Using debug logging options slows DNS server performance. For this reason, all debug logging options are disabled by default.

To disable debug logging options on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Debug Logging tab.
5. Clear the Log packets for debugging check box, and then click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To test a simple query on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server

3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the A simple query against this DNS server check box.
6. Click Test Now.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Results of the query test appear in Test results.

To test a recursive query on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the A recursive query to other DNS servers check box.
6. Click Test Now.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• Results of the query test appear in the Test results list box.

To enable automatic query testing on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the Perform automatic testing at the following interval check box.
6. Set the Test interval to be used. The default polling interval is 1 minute.
7. Select the type of testing to be used during automatic query testing. You can select one or both of the following:
   o A simple query against this DNS server
   o A recursive query to other DNS servers

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The query tests that you select are performed at regular intervals based on the value of the interval you specify. Results of automated query tests appear in Test results and are updated after each test interval.

To view the DNS server system event log

1. Open DNS.
2. In the console tree, click DNS Events.
   Where? DNS/applicable DNS server/Event Viewer/DNS Events

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, if the applicable DNS server is running locally, its events are the ones shown. If the DNS server for which you want to view the log is located on another computer, in the console tree, click DNS, and then on the Action menu, click Connect to DNS Server. Click The following computer, and then specify the name or IP address of the remote computer.

To view a DNS server debug log file

1. Stop the DNS Server service.
2. Open WordPad.
3. On the File menu, click Open.
4. In Open, for File name, specify the path to the DNS server debug log file. By default, the file and path are as follows: systemroot\System32\Dns\Dns.log
5. After you specify the correct path and file, click Open to view the log file.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open WordPad, click Start, point to All programs, point to Accessories, and then click WordPad.
• To stop the DNS Server service, see Related Topics.
• By default, the Dns.log file is empty if you have not previously enabled debug logging options. Debug logging slows DNS server performance and should only be enabled for temporary use. For more information, see Related Topics.
• The location of the Dns.log file is managed using the DNS console. To specify the name and location of the Dns.log file, see Related Topics.

To verify DNS server responsiveness using the nslookup command

1. Open Command Prompt.
2. Type:
   nslookup server_ip_address 127.0.0.1
3. If the server is responding, the name "localhost" is returned. If the server does not respond, continue troubleshooting the DNS server.

nslookup
    The name of the command-line program.
server_ip_address
    The IP address of the DNS server at which you are verifying its responsiveness. For example, if the IP address of your DNS server is 10.0.0.1, you would type: nslookup 10.0.0.1 127.0.0.1

Notes
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter, and then type help

Add and remove zones

• Add a forward lookup zone
• Add a reverse lookup zone
• Add a stub zone
• Delete a zone
• Pause a zone
• Start a zone

To add a forward lookup zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Follow the instructions to create a new primary, secondary, or stub zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:

   dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd
    Required. Adds a zone.
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Primary|/DsPrimary|/Secondary|/Stub|/DsStub
    Required. Specifies the type of zone. /DsPrimary and /DsStub specify an Active Directory-integrated zone type.
/file
    Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.
FileName
    Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.
/load
    Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.
/a
    Adds an administrator e-mail address for the zone.
AdminEmail
    Specifies the administrator e-mail name for the zone.
/DP
    Adds the zone to an application directory partition. You may also use one of the following:
    • /DP /domain  For domain directory partition (replicates to all DNS servers in the domain).
    • /DP /forest  For forest directory partition (replicates to all DNS servers in the forest).
    • /DP /legacy  For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.
FQDN
    Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help

To add a reverse lookup zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.

3. Follow the instructions to create a new reverse lookup zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd
    Required. Adds a zone.
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the in-addr.arpa domain for the zone. For example, 20.168.192.in-addr.arpa.
/Primary|/DsPrimary
    Required. Specifies the type of zone. To specify an Active Directory-integrated zone, type /DsPrimary.
/file
    Required for /Primary. Specifies a file for the new zone. This parameter is invalid for the /DsPrimary zone type.
FileName
    Required for /Primary. Specifies the name of the zone file. This parameter is invalid for the /DsPrimary zone type.
/load
    Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.
/a
    Adds an administrator e-mail address for the zone.
AdminEmail
    Specifies the administrator e-mail name for the zone.
/DP
    Adds the zone to an application directory partition. You may also use one of the following:
    • /DP /domain  For domain directory partition (replicates to all DNS servers in the domain).
    • /DP /forest  For forest directory partition (replicates to all DNS servers in the forest).
    • /DP /legacy  For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.
FQDN
    Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help

To add a stub zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Follow the instructions to create a new stub zone.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records. If you want to use a local master servers list, you will need the IP addresses of the local master servers.
• If you want the DNS server hosting a stub zone to use a local list of master servers, rather than have the DNS server use the master servers list stored in Active Directory, see Related Topics.
• The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneAdd ZoneName {/Stub|/DsStub} MasterIPaddress... [/file FileName] [/load] [/DP FQDN]

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneAdd
    Required. Adds a zone.
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Stub|/DsStub
    Required. Specifies the type of zone. To specify an Active Directory-integrated stub zone, type /DsStub.
MasterIPaddress...
    Required. Specifies one or more IP addresses for the master servers of the stub zone, from which it copies zone data.
/file
    Adds a file for the new zone.

FileName
    Specifies the name of the zone file.
/load
    Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically.
/DP
    Adds the zone to an application directory partition. You may also use one of the following:
    • /DP /domain  For domain directory partition (replicates to all DNS servers in the domain).
    • /DP /forest  For forest directory partition (replicates to all DNS servers in the forest).
    • /DP /legacy  For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy domain controllers running Windows 2000 Server.
FQDN
    Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help
• If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records. If you want to use a local master servers list, you will need the IP addresses of the local master servers.
• If you want the DNS server hosting a stub zone to use a local list of master servers, rather than have the DNS server use the master servers list stored in Active Directory, see Related Topics.
• The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.

To delete a zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.
   Where? DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Delete.
4. When asked to confirm that you want to delete the zone, click OK.

Caution
• Deleting an Active Directory-integrated zone effectively deletes the zone and eliminates its use at all other DNS servers using the same directory store of zone data.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure is most often used to delete a secondary copy of a zone, although it can also be used to delete a primary zone. Deleting a standard primary zone is usually unnecessary, unless you are redesigning your DNS namespace and the zone is no longer needed or used. In most cases, you can change the zone type if you only want to modify the zone. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneDelete
    Required. Specifies the command to delete the zone specified by ZoneName.
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone you are deleting.
/DsDel
    Deletes the zone from Active Directory.
/f
    Performs the command without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneDelete /help

To pause a zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.

   Where? DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, click Pause, and then click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, zones are started when created or loaded at the server. Once you use this procedure to pause a zone, you must restart the zone before it is available for servicing clients or zone updates.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZonePause ZoneName

dnscmd
    Specifies the name of the command-line program.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZonePause
    Required. Pauses the zone.
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To start a zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.
   Where? DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, click Start, and then click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, zones are started when created or loaded at the server. Only zones that have previously been paused need to be restarted.

Using a command line

1. Open Command Prompt.

Only zones that have previously been paused need to be restarted. and then click Command prompt. Notes • • • To open a command prompt. For information about installing Windows support tools. zones are started when created or loaded at the server. click Start. Specifies the fully qualified domain name (FQDN) of ZoneName the zone resuming operation. Configure zone properties • • • • • • • • • • Change the zone type Change a zone file name Change zone replication scope Modify the start of authority (SOA) record for a zone Modify zone transfer settings Create and manage a notify list for a zone Create a zone delegation Verify a zone delegation using the nslookup command Configure a stub zone for local master servers Specify other DNS servers as authoritative for a zone Page 81 of 165 . you can also type a period (. Type: dnscmdServerName/ZoneResumeZoneName Value Description dnscmd Specifies the name of the command-line tool. By default.2. point to Accessories. Required. me Required. Resumes the hosting of the zone by the DNS server. see Related Topics. Specifies the DNS host name of the DNS server.) / ZoneResu Required. To specify the e DNS server on the local computer. This procedure requires the Dnscmd Windows support tool. point to All programs. You ServerNam can also type the IP address of the DNS server.

• Update the master server for a secondary zone
• Enable DNS to use WINS resolution
• Verify WINS as the source for answering a DNS query

To change the zone type
• Using the Windows interface
• Using a command line

To change the zone type using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone type, and then click Change.
4. In Change Zone Type, select a zone type other than the current one, and then click OK.

Additional considerations
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• You can select from Primary zone, Secondary zone, or Stub zone. If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. This option is not otherwise available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database.
• When selecting the secondary or stub zone types, you must specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone.
• Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers and the use of DNS notify lists to notify other servers about changes in the zone.
• Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones.

To change the zone type using a command line
1. Open Command Prompt.
2. Type the following command, and then press ENTER:
   dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN}

Value   Description
dnscmd   Specifies the name of the command-line tool.
ServerName   Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName   Required. Specifies the fully qualified domain name (FQDN) of the zone.
Property   Required. One of the following zone types:
   • /Primary   Standard primary zone. The /file FileName option is required.
   • /DsPrimary   Active Directory Domain Services (AD DS)-integrated primary zone. If the zone is not already a primary zone, you must convert it to a primary zone (using /Primary) before you use this option to integrate the zone with AD DS.
   • /Secondary   Secondary zone. You must specify at least one MasterIPaddress.
   • /Stub   Stub zone. If the zone is an AD DS-integrated primary zone, you must use /DsStub to convert it to an AD DS-integrated stub zone before using this option. You must specify at least one MasterIPaddress.
   • /DsStub   Active Directory-integrated stub zone. If the zone is not already a stub zone, you must convert it to a stub zone (using /Stub) before using this option to integrate the zone with AD DS. You must specify at least one MasterIPaddress.
MasterIPaddress...   Specifies one or more IP addresses for the master servers of the secondary or stub zone, from which it copies zone data. Required for /Secondary, /Stub and /DsStub.
/file FileName   Specifies the name of a file for the new zone. Required for /Primary. This parameter is not valid for the /DsPrimary zone type.
/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN   /OverWrite_Mem overwrites existing DNS data using the data in Active Directory. /OverWrite_Ds overwrites Active Directory data with data in DNS. /DirectoryPartition stores the new zone in the application directory partition specified by FQDN, such as DomainDnsZones.corp.example.microsoft.com.

Note: You cannot change the zone type (primary, secondary, or stub) and the method for storing the zone at the same time. You must perform the two operations separately. Changing DNS zone type or storage can be time-consuming for large zones.

Additional considerations
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetType /help
• You can select from primary, secondary or stub zone. If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. This option is not otherwise available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database.
• When selecting the secondary or stub zone type, you need to specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone.
• Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers, and the use of DNS notify lists to notify other servers about changes in the zone.
• Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones.

To change a zone file name
1. Open DNS.
2. In the console tree, click the applicable zone.
   Where?
   o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, in the Zone file name text box, type the new file name for this zone.
5. Click OK when you have finished entering the new zone file name.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The name of the zone file changes, not the name of the zone. You can use Windows Explorer to view or verify the new zone file name.
• The zone file name is not used for Active Directory-integrated zones because these zones store zone data in the Active Directory database and not a text file on the DNS server computer.

Caution
• If the zone file name is changed, be sure to update Zone file name on other DNS servers that maintain this zone. Otherwise, subsequent zone transfers and updates might fail. This can occur in the following situations:
   o The zone type is primary on this server.
   o The zone type is secondary on this server and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of this zone.

To change zone replication scope
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone replication type, and then click Change.
4. Select a replication scope for the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Only Active Directory-integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName

Value   Description
dnscmd   Specifies the name of the command-line program.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneChangeDirectoryPartition   Required. Changes a zone's replication scope.
ZoneName   Required. Specifies the fully qualified domain name (FQDN) of the zone.
NewPartitionName   Required. The FQDN of the DNS application directory partition where the zone will be stored.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneChangeDirectoryPartition /?
• Only Active Directory-integrated primary forward lookup zones and Active Directory-integrated stub zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To modify the start of authority (SOA) record for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. As needed, modify properties for the start of authority (SOA) record.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The settings applied for the start of authority (SOA) record affect how zone transfers are made between servers. For more information, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL

Value   Description
dnscmd   Specifies the name of the command-line program.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd   Required. Adds or modifies a resource record.
ZoneName   Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName   Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging   Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl   Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl   Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
SOA   Required. Specifies the type of resource record you are modifying.
PrimSvr   Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin   Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#   Required. Specifies the version information for the zone.
Refresh   Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).
Retry   Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire   Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL   Required. Specifies the minimum Time to Live (TTL) value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).
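Because dnscmd /RecordAdd replaces the whole SOA record, it is worth checking the seven values before the command is issued. The following Python helper is an added example, not code from the original documentation or from Microsoft: it checks an SOA value set against the relationships RFC 1912 describes for the timers (Retry shorter than Refresh, Expire longer than Refresh plus Retry), rejects an Admin field written with "@" instead of ".", and builds the dnscmd argument list in the order the syntax above requires. The server, zone and host names are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SoaValues:
    """The SOA fields dnscmd /RecordAdd expects, in the order listed above."""
    prim_svr: str   # PrimSvr: FQDN of the primary server for the zone
    admin: str      # Admin: responsible person, with '.' in place of '@'
    serial: int     # Serial#: version information for the zone
    refresh: int    # Refresh interval in seconds
    retry: int      # Retry interval in seconds
    expire: int     # Expire interval in seconds
    min_ttl: int    # Minimum TTL in seconds


def check_soa(v: SoaValues) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent.

    The timer relationships are the ones RFC 1912 describes: a secondary
    retries more often than it refreshes, and it must not expire its copy of
    the zone before a refresh plus a retry has had a chance to happen.
    """
    problems = []
    for name in ("serial", "refresh", "retry", "expire", "min_ttl"):
        if not 0 <= getattr(v, name) <= 0xFFFFFFFF:  # SOA counters are 32-bit fields
            problems.append(f"{name} must fit in an unsigned 32-bit integer")
    if "@" in v.admin:
        problems.append("Admin must use '.' in place of '@' (e.g. hostmaster.example.com.)")
    if v.retry >= v.refresh:
        problems.append("Retry should be shorter than Refresh")
    if v.expire <= v.refresh + v.retry:
        problems.append("Expire must be longer than Refresh plus Retry")
    return problems


def build_recordadd(server: str, zone: str, v: SoaValues,
                    ttl: Optional[int] = None) -> List[str]:
    """Build the argument list for: dnscmd ServerName /RecordAdd ZoneName @ [Ttl] SOA ...

    All seven SOA values are passed because dnscmd replaces the whole record.
    Raises ValueError instead of producing a command for inconsistent values.
    """
    problems = check_soa(v)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["dnscmd", server, "/RecordAdd", zone, "@"]  # '@' is the zone root node
    if ttl is not None:
        args.append(str(ttl))
    args += ["SOA", v.prim_svr, v.admin, str(v.serial), str(v.refresh),
             str(v.retry), str(v.expire), str(v.min_ttl)]
    return args


if __name__ == "__main__":
    # Constructed sample values; the timers are the standard settings listed above.
    soa = SoaValues("ns1.example.com.", "hostmaster.example.com.",
                    2024010101, 3600, 600, 86400, 3600)
    print(" ".join(build_recordadd(".", "example.com", soa)))
```

The helper only produces the argument list; running it through subprocess against a real server, and bumping Serial# first so that secondaries notice the change, is left to the caller.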

To modify DNS zone transfer settings
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
   o To disable zone transfers, clear the Allow zone transfers check box.
   o To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
   o To allow zone transfers to any server, click To any server.
   o To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
   o To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr | /NonSecure | /SecureNs | /SecureList [SecondaryIPAddress...]}

Value   Description
dnscmd   Specifies the name of the command-line tool.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName   Required. Specifies the fully qualified domain name (FQDN) of the zone.
/NoXfr   Disables zone transfers for the zone.
/NonSecure   Permits zone transfers to any DNS server.
/SecureNs   Permits zone transfers only to DNS servers listed in the zone using name server (NS) resource records.
/SecureList   Permits zone transfers only to DNS servers specified by SecondaryIPAddress.
SecondaryIPAddress   Required if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetSecondaries /?
• To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the NS resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.
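The /NonSecure setting is the one the notes above warn against. The following Python helper is an added example, not code from the original documentation or from Microsoft: given a constructed inventory of zones and their current transfer setting, it reports every zone that permits transfers to any server and builds the corrective dnscmd /ZoneResetSecondaries command for it, refusing argument combinations the syntax above does not allow (a /SecureList with no addresses, addresses given with any other mode, or a value that is not an IP address). The zone names and addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# The four transfer modes from the /ZoneResetSecondaries syntax above.
TRANSFER_MODES = ("/NoXfr", "/NonSecure", "/SecureNs", "/SecureList")


def zone_reset_secondaries(server: str, zone: str, mode: str,
                           secondaries: Sequence[str] = ()) -> List[str]:
    """Build the dnscmd argument list, rejecting combinations the syntax does not allow."""
    if mode not in TRANSFER_MODES:
        raise ValueError(f"unknown transfer mode {mode!r}; expected one of {TRANSFER_MODES}")
    if mode == "/SecureList" and not secondaries:
        raise ValueError("/SecureList requires at least one SecondaryIPAddress")
    if mode != "/SecureList" and secondaries:
        raise ValueError("SecondaryIPAddress is only valid together with /SecureList")
    # ipaddress.ip_address() raises ValueError for anything that is not a literal address,
    # so a host name or a typo cannot slip into the allow list.
    addrs = [str(ipaddress.ip_address(a)) for a in secondaries]
    return ["dnscmd", server, "/ZoneResetSecondaries", zone, mode, *addrs]


# Constructed inventory (not from the page): zone -> (current mode, current allow list).
SAMPLE_ZONES: Dict[str, Tuple[str, List[str]]] = {
    "corp.example.com": ("/NonSecure", []),             # transfers to anyone: weak
    "example.com": ("/SecureNs", []),                   # only servers in NS records
    "branch.example.com": ("/SecureList", ["192.0.2.53"]),
    "2.0.192.in-addr.arpa": ("/NonSecure", []),         # reverse zone, also weak
}


def audit_zone_transfers(zones: Dict[str, Tuple[str, List[str]]], server: str = ".",
                         fix_mode: str = "/SecureNs",
                         fix_secondaries: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Return one remediation command per zone that allows transfers to any server."""
    fixes: Dict[str, List[str]] = {}
    for zone, (mode, _current_list) in zones.items():
        if mode == "/NonSecure":
            fixes[zone] = zone_reset_secondaries(server, zone, fix_mode, fix_secondaries)
    return fixes


if __name__ == "__main__":
    for zone, cmd in audit_zone_transfers(SAMPLE_ZONES).items():
        print(f"{zone}: {' '.join(cmd)}")
```

Choosing /SecureNs as the default fix keeps the allow list in step with the zone's NS records; pass fix_mode="/SecureList" with explicit addresses when the secondaries are not all published in NS records.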

To create and manage a notify list for a zone
1. Open DNS.
2. In the console tree, click the applicable zone.
   Where?
   o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. Click the Zone Transfers tab.
5. Click Notify.
6. Verify that the Automatically notify check box is checked.
7. Select the method to be used for creating a list for notifying other DNS servers when changes to the zone occur. Your options are:
   o Use the default, Servers listed on the Name Servers tab, to permit only those servers that appear by IP address on the Name Servers tab to be included in the notify list.
   o Select The following servers if you want to specify a different notify list to be used instead.
8. If you selected The following servers in the previous step, add or remove server IP addresses to form the notify list as needed:
   o To add a server to the notify list, type its IP address in the IP address field and click Add.
   o To remove a server from the notify list, click the server IP address in the list box and click Remove.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• DNS Notify is an RFC-compliant extension of the DNS standard defined in RFC 1996, "A Mechanism for Prompt Notification of Zone Changes." By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.
• For secondary zones, these properties are read-only. Changes to the notify list properties are only available on primary zones.

To create a zone delegation
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open the DNS console.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions provided in the New Delegation Wizard to finish creating the new delegated domain.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone prior to performing delegation as described here. As necessary, use the DNS console to first add domains to the zone before completing this procedure. For more information, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

Value   Description
dnscmd   Specifies the name of the command-line tool.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd   Required. Specifies the command to add a resource record.
ZoneName   Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName   Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging   If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl   Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl   Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
NS   Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.
HostName|FQDN   Required. Specifies the host name or FQDN of the new authoritative server. See the following examples:
   dnscmd dnssvr1.contoso.com /recordadd test A 10.0.0.5
   dnscmd /recordadd test.contoso.com test MX 10 mailserver.test.contoso.com
   For more information, see Dnscmd Syntax.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To verify a zone delegation using the nslookup command
1. Open Command Prompt.
2. Type: nslookup RootServerIpAddress
3. At the next prompt, type: set norecurse
4. At the next prompt, type: set q=NS
5. Type the fully qualified domain name (FQDN) for the failed name. Use the trailing period (.) when entering the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers should be returned in the response.
6. If the NS query response contains no names or IP addresses for delegated servers, type q=ns and query again using the FQDN for the parent zone of the failed name. For example, if the failed name you used in the previous step was example.microsoft.com., query for microsoft.com.
7. If the response contains NS resource records, but no host (A) resource records, type set recurse and query individually for any of the A resource records of servers listed in the NS resource records.
8. If, for each NS resource record you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
9. Either fix the broken delegation or retry the delegation test described in the previous step using a different IP address. If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

Value   Description
nslookup   The name of the command-line tool.
root_server_ip_address   The IP address of a valid root server for your network.
set norecursion   A command to instruct the root server to not perform recursion on your query.
set q=NS   The command to send the query for NS resource records to the root server.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type nslookup, press Enter, and then type help.
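The decision logic in steps 5 through 8 is easy to get wrong when many delegations have to be checked by hand. The following Python function is an added example, not code from the original documentation or from Microsoft: it walks the same procedure over constructed, in-memory answers (the NS and glue A records a parent server would return with recursion off, plus a stand-in for the individual A queries of step 7) and reports whether the delegation is broken and which listed servers have no address. The zone names and addresses are constructed sample values; against a live server the two lookup functions would be replaced by real non-recursive and recursive queries.

```python
from typing import Callable, Dict, List, Optional

Records = Dict[str, Dict[str, List[str]]]

# Constructed sample data, not taken from the page: what the parent-zone server
# answers when recursion is switched off, keyed by owner name and record type.
PARENT_ANSWERS: Records = {
    "microsoft.com.": {"NS": ["ns1.microsoft.com.", "ns2.microsoft.com."]},
    "ns1.microsoft.com.": {"A": ["192.0.2.10"]},
    "ns2.microsoft.com.": {"A": ["192.0.2.11"]},
    # A delegation with one glue record missing: ns2 must be resolved separately.
    "example.microsoft.com.": {"NS": ["ns1.example.microsoft.com.",
                                      "ns2.example.microsoft.com."]},
    "ns1.example.microsoft.com.": {"A": ["198.51.100.5"]},
    # A delegation whose only name server has no address anywhere.
    "broken.microsoft.com.": {"NS": ["ns.broken.microsoft.com."]},
}


def recursive_a_lookup(name: str) -> List[str]:
    """Stand-in for 'set recurse' followed by an A query (constructed data)."""
    return {"ns2.example.microsoft.com.": ["198.51.100.6"]}.get(name, [])


def _lookup(records: Records, name: str, rtype: str) -> List[str]:
    return records.get(name, {}).get(rtype, [])


def _parent_of(name: str) -> Optional[str]:
    """Strip the leftmost label; None once the root is reached."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def verify_delegation(failed_name: str, records: Records,
                      resolve_a: Callable[[str], List[str]]) -> dict:
    """Run the nslookup delegation test above over in-memory answers.

    Steps 5 and 6: ask for NS records at the failed name, climbing to the
    parent zone until a delegation point is found. Step 7: for every NS name
    without an A record in the answer, resolve it individually. Step 8: the
    delegation is broken when no listed server has at least one valid address.
    """
    zone: Optional[str] = failed_name if failed_name.endswith(".") else failed_name + "."
    while zone is not None and not _lookup(records, zone, "NS"):
        zone = _parent_of(zone)
    if zone is None:  # no NS records anywhere up the tree
        return {"zone": None, "broken": True, "servers": {}, "lame": []}
    servers: Dict[str, List[str]] = {}
    for ns in _lookup(records, zone, "NS"):
        servers[ns] = _lookup(records, ns, "A") or resolve_a(ns)
    lame = [ns for ns, addrs in servers.items() if not addrs]
    return {"zone": zone, "broken": len(lame) == len(servers),
            "servers": servers, "lame": lame}


if __name__ == "__main__":
    for name in ("host.example.microsoft.com.", "broken.microsoft.com."):
        print(name, verify_delegation(name, PARENT_ANSWERS, recursive_a_lookup))
```

A server listed in "lame" is not fatal on its own (the delegation still works through the others), but it is exactly the record that step 9 says to add or update in the parent zone.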

To configure a stub zone to use local master servers
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the stub zone, and then click Properties.
3. On the General tab, under IP address, modify the list to display the IP addresses of the local master servers that you want the DNS server to use when loading and updating the stub zone.
4. Select the Use the list above as a local list of masters check box, and then click OK.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.
• If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted. When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory. The DNS server will keep the master servers list from Active Directory stored in memory.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]

Value   Description
dnscmd   Specifies the name of the command-line tool.
ServerName   Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName   Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Local   Configures the local master list for Active Directory-integrated zones.
MasterIPaddress...   List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers hosting other secondary copies for the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetMasters /help
• If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted. When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory. The DNS server will keep the master servers list from Active Directory stored in memory.

To specify other DNS servers as authoritative for a zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When entering names, click Resolve to resolve the name to its IP address prior to adding it to the list.
• DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data. DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|DomainName}

Value / Description
dnscmd: Specifies the name of the command-line tool. Required.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd: Required. Specifies the command to add a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
NS: Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.
HostName|FQDN: Required. Specifies the host name or FQDN of the new authoritative server.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data. DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.


To update the master server for a secondary zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable secondary zone, and then click Properties.
3. On the General tab, in IP address, specify the IP address for a new master server, and then click Add to update the list.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...

Value / Description
dnscmd: Specifies the name of the command-line tool. Required.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneResetMasters: Required. Updates the master servers for a secondary zone.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone you are updating.
/Local: Specifies the local master list for Active Directory-integrated zones. This parameter is required to clear the local master list for a zone.
MasterIPaddress...: Required. Specifies the IP addresses of the master servers to be used by the DNS server when updating the specified secondary zones. If you do not specify ServerIPs, you are requesting the DNS server to reset the value to an empty list. The request may be denied because a zone must always have at least one master server.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetMasters /help

To enable DNS to use WINS resolution

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Do one of the following:
  o If the applicable zone is a forward lookup zone, on the WINS tab, select the Use WINS forward lookup check box.
  o If the applicable zone is a reverse lookup zone, on the WINS-R tab, select the Use WINS-R lookup check box.
4. In IP address, type the IP address of a WINS server to be used for resolution of names not found in DNS, and then click Add. If applicable, in Domain to append to returned name, type a name.
5. Optionally, click Advanced to adjust advanced WINS lookup parameters.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• When this option is used, the WINS servers specified in this procedure are used for final referral of names not found in the applicable zone.
• If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, select the Do not replicate this record check box for this WINS record. This prevents these records from being replicated to these other servers during zone transfers. If this zone will be used in performing zone transfers to BIND servers, this is a critical option, as BIND will not recognize WINS records.

To verify WINS as the source for answering a DNS query

1. Open Command Prompt.
2. Type: nslookup
3. At the nslookup (>) prompt, type: set debug
4. Based on whether you are verifying possible WINS sourcing for either a forward or reverse lookup, either type: set querytype=a if you are testing for a WINS forward lookup, or: set querytype=ptr if you are testing for a WINS-R reverse lookup.
5. Next, type the appropriate fully qualified domain name (FQDN). For example, if the forward lookup you are tracing is for a domain name host-a.example.microsoft.com, type: host-a.example.microsoft.com. If the reverse lookup you are tracing is for an IP address 10.0.0.1, type: 1.0.0.10.in-addr.arpa.
6. In the response, note whether the server answered authoritatively or non-authoritatively, and note the Time-To-Live (TTL) value.
7. After the previous command completes, repeat the same query you performed in step 4.
8. In the response, note whether the TTL value decreased with the second query answer or if it remained consistent with the TTL value specified in the first query answer.
9. If the TTL value decreased for an authoritatively answered query, the source of the query answer is a WINS server.

Value / Description
nslookup: The name of the command-line program.
set debug: Enables the nslookup command to operate in debug mode, providing extended information in the command output. This mode is required to view query response information about whether the source for a query answer is:
  • authoritative (from a DNS zone or WINS server database)
  • non-authoritative (cached data from previous queries made by the DNS server or loaded from root hints)
set querytype: Changes the type of information query. Respectively, these two commands can be used to set the query type to filter either by host (A) or pointer (PTR) resource records as appropriate for researching either a forward or reverse lookup. More information about query types can be found in Request For Comment (RFC) 1035.

Notes

• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To leave debug mode and return to the command prompt, type exit.
• To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter, and then type help
• Normally, when a DNS server answers a query from its authoritative zone data, it uses the set minimum or default TTL for the zone or the record-specific TTL value (if one is configured). TTLs are decreased in answers the server returns if based on non-authoritative data, such as a cached record at the server. WINS lookups present an exceptional case, where an answer received back from a WINS server is cached by the DNS server but is also considered to be authoritative data. In this case, the WINS-sourced data is returned to clients as authoritative but ages while in the DNS server names cache. In so doing, the TTL used by the server decreases over time.

Manage zones

• Allow dynamic updates
• Allow only secure dynamic updates
• Initiate a zone transfer at a secondary server
• Reload or transfer a stub zone
• Adjust the refresh interval for a zone
• Adjust the retry interval for a zone
• Adjust the expire interval for a zone
• Modify security for a directory-integrated zone

Allow dynamic updates

Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1, Windows Server 2003 R2, Windows Server 2003 with SP2

To allow dynamic updates

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. In Dynamic Updates, click Nonsecure and secure.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}

Value / Description
dnscmd: Specifies the name of the command-line program. Required.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/Config: Required. Specifies the configuration command.
ZoneName|..AllZones: Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate: Required. Specifies the allow update command.
1|0: Configures dynamic update. To allow dynamic updates, enter a value of 1. To not allow dynamic updates, enter a value of 0.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

To allow only secure dynamic updates

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is Active Directory-integrated.
4. In Dynamic Updates, click Secure only.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone prior to securing it for DNS dynamic updates.
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2

Value / Description
dnscmd: Specifies the name of the command-line program. Required.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/Config: Required. Specifies the configuration command.
ZoneName|..AllZones: Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate: Required. Specifies the allow update command.
2: Required. Configures the server to allow secure update only. If you exclude the 2, the zone will be set to perform standard dynamic updates only.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.
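The /AllowUpdate values above (0, 1, 2) are the setting a defender most wants to audit: a zone left at 1 accepts updates from any host that can reach the server, while 2 is only valid once the zone is directory-integrated. The following script is an added example, not part of the original help page, showing how to read that setting from the output of dnscmd ServerName /ZoneInfo ZoneName and emit the matching /Config remediation. It assumes the output consists of "name = value" lines and that the relevant fields are called "update" and "DS integrated" (an assumption about the tool's output format; compare against your own server). The sample output embedded below is constructed so the script runs offline.

```python
"""Audit the dynamic-update mode of DNS zones from dnscmd /ZoneInfo output.

Added example; not from the original help page. Field names in the
/ZoneInfo output ("update", "DS integrated") are an assumption.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches "  DS integrated = 1" style lines; the name may contain spaces.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<value>.+?)\s*$")

# Meaning of the /AllowUpdate values as the help text gives them.
UPDATE_MODES = {0: "none", 1: "nonsecure and secure", 2: "secure only"}


@dataclass
class ZoneSetting:
    zone: str
    update: int          # 0, 1 or 2
    ds_integrated: bool  # zone stored in Active Directory


def parse_zone_info(zone: str, text: str) -> ZoneSetting:
    """Turn the 'name = value' lines of dnscmd /ZoneInfo into a ZoneSetting."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("name").strip().lower()] = m.group("value")
    return ZoneSetting(
        zone=zone,
        update=int(fields.get("update", "0")),
        ds_integrated=fields.get("ds integrated", "0").strip() == "1",
    )


def assess(setting: ZoneSetting) -> Tuple[str, Optional[str]]:
    """Return (finding, remediation command or None) for one zone.

    Mode 1 lets any host overwrite records, so it is flagged. Secure-only (2)
    is supported only for directory-integrated zones, so a standard primary
    zone is pointed at /AllowUpdate 0 until it has been integrated.
    """
    mode = UPDATE_MODES.get(setting.update, "unknown")
    if setting.update != 1:
        return (f"{setting.zone}: dynamic update mode '{mode}'", None)
    if setting.ds_integrated:
        return (f"{setting.zone}: nonsecure dynamic updates allowed on a directory-integrated zone",
                f"dnscmd . /Config {setting.zone} /AllowUpdate 2")
    return (f"{setting.zone}: nonsecure dynamic updates allowed on a standard primary zone; "
            "integrate the zone into Active Directory before using /AllowUpdate 2",
            f"dnscmd . /Config {setting.zone} /AllowUpdate 0")


def zone_info_from_server(server: str, zone: str) -> ZoneSetting:
    """Query a live server (Windows only; the offline sample below does not call this)."""
    out = subprocess.run(["dnscmd", server, "/ZoneInfo", zone],
                         capture_output=True, text=True, check=True).stdout
    return parse_zone_info(zone, out)


# Constructed sample output in the style of dnscmd /ZoneInfo (not captured from a real server).
SAMPLE_ZONE_INFO: Dict[str, str] = {
    "corp.example.com": "Zone query result:\n\nZone info:\n  zone name = corp.example.com\n"
                        "  zone type = 1\n  update = 1\n  DS integrated = 1\n",
    "lab.example.com": "Zone info:\n  zone name = lab.example.com\n"
                       "  zone type = 1\n  update = 1\n  DS integrated = 0\n",
    "secure.example.com": "Zone info:\n  zone name = secure.example.com\n"
                          "  zone type = 1\n  update = 2\n  DS integrated = 1\n",
}


def audit(samples: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """Assess every zone whose /ZoneInfo text is given."""
    return [assess(parse_zone_info(zone, text)) for zone, text in samples.items()]


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_ZONE_INFO):
        print(finding)
        if fix:
            print("  remediate with:", fix)
```

Replace SAMPLE_ZONE_INFO with the output of zone_info_from_server for each zone listed by dnscmd /EnumZones to run the audit against a real server; the remediation commands are printed rather than executed so that a change window can be scheduled.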

To initiate a zone transfer at a secondary server

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Transfer from master.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure checks to see if the start of authority (SOA) resource record in the secondary zone is the most recent version of the SOA resource record in the primary zone. If the SOA resource records are synchronized, then there is no zone transfer. If the SOA resource records are not synchronized, then there is a zone transfer.
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneRefresh ZoneName

Value / Description
dnscmd: Specifies the name of the command-line tool. Required.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneRefresh: Required. Updates the secondary zone.
ZoneName: Required. Specifies the name of the secondary zone to update.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneRefresh /help
• This procedure checks to see if the start of authority (SOA) resource record in the secondary zone is the most recent version of the SOA resource record in the primary zone. If the SOA resource records are synchronized, then there is no zone transfer. If the SOA resource records are not synchronized, then there is a zone transfer.
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

To reload or transfer a stub zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable stub zone, and do one of the following:
  o To reload the stub zone from storage, click Reload.
  o To have the DNS server determine if the serial number in the stub zone's SOA resource record has expired and then perform a zone transfer from the stub zone's master server, click Transfer from Master.
  o To perform a zone transfer from the stub zone's master server regardless of the serial number in the stub zone's SOA resource record, click Reload from Master.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName

Value / Description
dnscmd: Specifies the name of the command-line program. Required.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneReload: Reloads the stub zone.
/ZoneUpdateFromDs: Reloads the stub zone from Active Directory.
/ZoneRefresh: Refreshes the stub zone. The DNS server will determine if the serial number in the stub zone's SOA resource record has expired. If the serial number has expired, the DNS server will perform a zone transfer from the stub zone's master server.
ZoneName: Required. Specifies the name of the stub zone you want to reload or refresh.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneReload /help or dnscmd /ZoneUpdateFromDs /help or dnscmd /ZoneRefresh /help.

• There is no dnscmd command to perform a zone transfer regardless of the SOA resource record's expiration date. To perform this operation, use the Windows interface procedure.

To adjust the refresh interval for a zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Refresh interval, click a time period in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

Value / Description
dnscmd: Specifies the name of the command-line program. Required.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
SOA: Required. Specifies the type of resource record you are modifying.
PrimSvr: Required. Specifies the FQDN of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin: Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\: Required. Specifies the version information for the zone.
Refresh: Required. Specifies the refresh interval for the zone. The standard setting is 900 (15 minutes).
Retry: Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire: Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL: Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
• By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

To adjust the retry interval for a zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Retry interval, click an interval in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
SOA: Required. Specifies the type of resource record you are modifying.
PrimSvr: Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin: Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\: Required. Specifies the version information for the zone.
Refresh: Required. Specifies the refresh interval for the zone. The Refresh standard setting is 3600 (one hour).

Retry: Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire: Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL: Required. Specifies the minimum Time-To-Live value. The standard setting is 3600 (one hour). This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
• By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

To adjust the expire interval for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.

3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Expires after, click an interval in either minutes, hours, or days, and then type a number in the text box.
6. Click OK to save the adjusted interval.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the expire interval for each zone is set to 1 day. The expire interval is used by other DNS servers configured to load and host the zone to determine when zone data expires if not renewed.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
SOA: Required. Specifies the type of resource record you are modifying.
PrimSvr: Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin: Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\: Required. Specifies the version information for the zone.
Refresh: Required. Specifies the refresh interval for the zone. The Refresh standard setting is 3600 (one hour).
Retry: Required. Specifies the retry interval for the zone. The standard Retry setting is 600 (ten minutes).
Expire: Required. Specifies the expire interval for the zone. The Expire standard setting is 86400 (one day).
MinTTL: Required. Specifies the minimum Time-To-Live value. The standard setting is 3600 (one hour). This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
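The refresh, retry and expire intervals set in the three procedures above interact, and a short model makes that interaction concrete. The following Python is an added example, not Microsoft's code and not part of this help text; it assumes a single secondary server that loaded the zone at time zero, uses the "standard" values and the console defaults quoted above, and replays a constructed outage of the primary.

```python
"""Model of how a secondary name server applies the SOA Refresh, Retry and
Expire intervals.  Added illustration, not Microsoft's code: it replays the
renewal schedule of one secondary so the effect of each interval on zone
availability can be seen in seconds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaTimers:
    refresh: int  # seconds between renewal attempts after a successful renewal
    retry: int    # seconds between renewal attempts after a failed one
    expire: int   # seconds after the last successful renewal before the zone is discarded


# The dnscmd "standard" values quoted in the SOA table.
STANDARD = SoaTimers(refresh=3600, retry=600, expire=86400)
# The DNS console defaults quoted in the interval notes (15 min, 10 min, 1 day).
CONSOLE_DEFAULT = SoaTimers(refresh=15 * 60, retry=10 * 60, expire=24 * 3600)


def check_timers(t: SoaTimers) -> list:
    """Return warnings for interval combinations that make Retry meaningless
    or let a single missed renewal expire the zone."""
    warnings = []
    if t.retry >= t.refresh:
        warnings.append("retry should be shorter than refresh")
    if t.expire <= t.refresh + t.retry:
        warnings.append("expire must exceed refresh plus retry, or one missed "
                        "renewal can expire the zone before the first retry")
    return warnings


def simulate_secondary(t: SoaTimers, primary_up, horizon: int):
    """Replay a secondary's renewal attempts from a successful load at t=0.

    primary_up(time) -> bool tells whether the primary answered at that time.
    Returns (expired_at, attempts): expired_at is the second at which the
    secondary stops answering for the zone (None if it never expires before
    the horizon); attempts lists (time, succeeded) for every renewal try."""
    last_success = 0
    next_attempt = t.refresh
    attempts = []
    while True:
        expire_at = last_success + t.expire
        if expire_at <= next_attempt:      # expiry hits before the next try
            return (expire_at if expire_at <= horizon else None), attempts
        if next_attempt > horizon:
            return None, attempts
        ok = bool(primary_up(next_attempt))
        attempts.append((next_attempt, ok))
        if ok:
            last_success = next_attempt
            next_attempt = last_success + t.refresh   # back on the refresh cadence
        else:
            next_attempt += t.retry                   # retry interval after a failure


def primary_down_forever(_time: int) -> bool:
    """Constructed scenario: the primary never answers again."""
    return False


def outage(start: int, end: int):
    """Constructed scenario: primary unreachable during [start, end), up otherwise."""
    return lambda time: not (start <= time < end)


if __name__ == "__main__":
    week = 7 * 24 * 3600
    expired, tries = simulate_secondary(STANDARD, primary_down_forever, week)
    print(f"primary lost for good: zone expires after {expired} s, {len(tries)} failed tries")
    expired, tries = simulate_secondary(STANDARD, outage(1000, 5000), 6 * 3600)
    print(f"one-hour outage: expired={expired}, first tries {tries[:4]}")
    for name, timers in (("standard", STANDARD), ("console default", CONSOLE_DEFAULT)):
        print(name, check_timers(timers) or "no warnings")
```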

To modify security for a directory-integrated zone
1. Open DNS.
2. In the console tree, click the applicable zone.
   o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.
• Secure dynamic updates are only supported for zones stored in Active Directory.
• The security settings determine who can administer the zone, but do not affect dynamic updates to the zone. To apply security settings for dynamic updates, see Related Topics.

Manage resource records

• Add a host (A) resource record to a zone
• Add a mail exchanger (MX) resource record to a zone
• Add an alias (CNAME) resource record to a zone
• Add a new domain to a zone
• Add a pointer (PTR) resource record to a reverse zone
• Add a resource record to a zone
• Modify an existing resource record in a zone
• Delete a resource record from a zone
• View unsupported resource records in a zone
• Modify security for a resource record

To add a host (A) resource record to a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone and click New Host.
3. In the Name text box, type the DNS computer name for the new host.
4. In the IP address text box, type the IP address for the new host.
5. As an option, select the Create associated pointer (PTR) record check box to create an additional pointer record in a reverse zone for this host, based on the information you entered in Name and IP address.
6. Click Add Host to add the new host record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
A: Required. Specifies the resource record type of the record you are adding.
IPAddress: Required. The IP address for the host.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a mail exchanger (MX) resource record to a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone and click New Mail Exchanger.
3. In the Host or domain text box, type the domain name for which this record is to be used to deliver mail.
4. In the Mail server text box, type the DNS host computer name of the mail exchanger or mail server host that delivers mail for the specified domain name. As an option, you can click Browse to view the DNS namespace for mail exchanger hosts in this domain that have host (A) records already defined.
5. Adjust the Mail server priority as needed for this zone.
6. Click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] MX Preference MXServerName

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live setting for the resource record.
MX: Specifies the MX resource record type for the record you are adding.
Preference: Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail exchange servers. Lower numbers are given greater preference.
MXServerName: Required. Specifies the fully qualified domain name (FQDN) for a mail exchanger. The value entered here must resolve to a corresponding host (A) resource record in this zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To add an alias (CNAME) resource record to a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Alias.
3. In the Alias name text box, type the alias name.
4. In the Fully qualified domain name (FQDN) for target host text box, type the fully qualified domain name of the DNS host computer for which this alias is to be used. As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.
5. Click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.

2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME HostName|DomainName

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Specifies the command to add a new resource record.
ZoneName: Required. Specifies the name of the zone where this CNAME resource record will be added.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
CNAME: Required. Specifies the resource record type of the record you are adding.
HostName|DomainName: Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully qualify the name.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To add a new domain to a zone
1. Open DNS.
2. In the console tree, click the applicable zone.
   o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click New Domain, and then type the name of the new domain without using periods.
4. Click OK to add the new domain to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To add a pointer (PTR) resource record to a reverse zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable reverse lookup zone.
3. On the Action menu, click New Pointer.
4. In the Host IP number text box, type the host IP address octet number.
5. In the Host name text box, type the fully qualified domain name for the DNS host computer for which this pointer record is to be used to provide reverse lookup (address-to-name resolution). As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.
6. Click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• When creating a new A resource record, there is an option to create an associated PTR resource record automatically. PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR HostName|DomainName

dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.

ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live setting for the resource record.
PTR: Required. Specifies the resource record type.
HostName|DomainName: Required. Specifies the FQDN of a resource record located in the DNS namespace. The host you specify is used as the data for answering reverse lookups based on the address information specified by this pointer (PTR) resource record.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a resource record to a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Other New Records.
3. In Select a resource record type list box, select the type of resource record you want to add.
4. Click Create Record.
5. In New Resource Record, enter the information needed to complete the resource record.
6. After you specify all of the necessary information for the resource record, click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live setting for the resource record.
RRType: Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record.
RRData: For information about each resource record type see the Resource records reference.

Resource record type: Resource record data
A: IPAddress
NS, CNAME, PTR, MB, MD, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV: Priority Weight Port HostName
SOA: PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS: Protocol IPAddress Service...
WINS: MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR: MapFlag LookupTimeout CacheTimeout RstDomainName

IPAddress: Specifies a standard IP address. For example, 255.255.255.255.
ipv6Address: Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol: Specifies the transmission protocol: UDP or TCP.
Service: Specifies a standard service. For example, domain, smtp.
HostName|DomainName: Specifies the FQDN of a resource record located in the DNS namespace.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

Between brackets ([]): Optional items
Between braces ({}), choices separated by pipe (|). Example: {even|odd}: Set of choices from which the user must choose only one
Courier font: Code or program output

To modify an existing resource record in a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable zone.

3. In the details pane, right-click the resource record you want to modify, and then click Properties.
4. In Properties, edit the properties that can be modified, such as its record-specific Time to Live (TTL).
5. Click OK when you have finished modifying the record.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• When Advanced view options are enabled, you can view and modify advanced resource record properties for the DNS console. If necessary, you can modify additional settings for an existing resource record. To display advanced properties, on the View menu, click Advanced.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Adds a new resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live setting for the resource record.
RRType: Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record.
RRData: For information about each resource record type see the Resource records reference.

Resource record type: Resource record data
A: IPAddress
NS, CNAME, PTR, MB, MD, MF, MG, MR: HostName|DomainName
MX, RT, AFSDB: Preference ServerName
SRV: Priority Weight Port HostName
SOA: PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA: Ipv6Address
TXT, X25, HINFO, ISDN: String [String]
MINFO, RP: MailboxName ErrMailboxName
WKS: Protocol IPAddress Service...
WINS: MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR: MapFlag LookupTimeout CacheTimeout RstDomainName

IPAddress: Specifies a standard IP address. For example, 255.255.255.255.
ipv6Address: Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol: Specifies the transmission protocol: UDP or TCP.
Service: Specifies a standard service. For example, domain, smtp.
HostName|DomainName: Specifies the FQDN of a resource record located in the DNS namespace.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To delete a resource record from a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record you want to delete, and then click Delete.
4. When you are asked to confirm that you want to delete the selected resource record, click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordDelete ZoneName NodeName RRType RRData [/f]

dnscmd                  Specifies the name of the command-line program.
ServerName              Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordDelete           Required. Deletes a resource record.
ZoneName                Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName                Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName, or @, which specifies the zone's root node.
RRType                  Required. Specifies the type of resource record (RR) to delete.
RRData                  Specifies the data contained in the resource record to delete. The data expected for each record type is listed in the following table.

Resource record type                    Resource record data
A                                       IPAddress
NS, CNAME, PTR, MB, MD, MF, MG, MR      HostName|DomainName
MX, RT, AFSDB                           Preference ServerName
SRV                                     Priority Weight Port HostName
SOA                                     PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                                    Ipv6Address
TXT, HINFO, ISDN, X25                   String [String]
MINFO, RP                               MailboxName ErrMailboxName
WKS                                     Protocol IPAddress Service...
WINS                                    MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                                   MapFlag LookupTimeout CacheTimeout RstDomainName

Value                   Description
IPAddress               Specifies a standard IP address. For example, 255.255.255.255.

ipv6Address             Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol                Specifies the transmission protocol: UDP or TCP.
Service                 Specifies a standard service. For example, domain, smtp.
HostName|DomainName     Specifies the FQDN of a resource record located in the DNS namespace.
/f                      Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.

For information about each resource record type, see the Resource records reference.

Important
• If RRData is not specified, all resource records of the specified type at the node are deleted. If RRType is not specified either, all resource records matching the remaining criteria are deleted. Always supply RRData when you intend to remove a single record, and be especially careful when combining an omitted RRData with /f, which removes the confirmation prompt that would otherwise catch the mistake.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• PTR resource records are deleted automatically if the corresponding A resource record is deleted.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordDelete /help
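As an added worked example (not part of the original help text), the following Windows PowerShell script wraps the dnscmd /RecordAdd and /RecordDelete procedures above. The server name dns1, the zone example.com, and the record values are assumptions chosen for illustration; dnscmd.exe is expected to be on the PATH. The wrapper refuses a delete that omits RRData unless the caller explicitly asks for a type-wide delete, because dnscmd deletes every record of that type at the node in that case, and it always passes /f so that a script is never left waiting on the confirmation prompt.

```powershell
# Added example (not from the original page). Assumed: server "dns1", zone
# "example.com", dnscmd.exe on the PATH, Windows PowerShell 3.0 or later.

$Server = 'dns1'
$Zone   = 'example.com'

function Invoke-Dnscmd {
    # One argument per array element; dnscmd reports failure through its exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $out" }
    $out
}

function Add-DnsRecord {
    # RRData is passed as separate arguments in the order the syntax table lists
    # them (MX: Preference ServerName; SRV: Priority Weight Port HostName).
    param(
        [Parameter(Mandatory)][string]$Node,
        [Parameter(Mandatory)][string]$Type,
        [Parameter(Mandatory)][string[]]$Data
    )
    $cmdArgs = @($Server, '/RecordAdd', $Zone, $Node, $Type) + $Data
    Invoke-Dnscmd -Arguments $cmdArgs | Out-Null
}

function Remove-DnsRecord {
    # Without RRData, dnscmd deletes every record of $Type at $Node. Require an
    # explicit -AllOfType before allowing that; /f suppresses the interactive
    # confirmation so the call does not block a script.
    param(
        [Parameter(Mandatory)][string]$Node,
        [Parameter(Mandatory)][string]$Type,
        [string[]]$Data,
        [switch]$AllOfType
    )
    if (-not $Data -and -not $AllOfType) {
        throw "Remove-DnsRecord: no RRData for $Type at $Node; pass -AllOfType to delete every $Type record there."
    }
    $cmdArgs = @($Server, '/RecordDelete', $Zone, $Node, $Type)
    if ($Data) { $cmdArgs += $Data }
    $cmdArgs += '/f'
    Invoke-Dnscmd -Arguments $cmdArgs | Out-Null
}

# Constructed sample usage: one record per data format named in the table.
Add-DnsRecord -Node 'host-a'     -Type 'A'   -Data '10.0.0.5'
Add-DnsRecord -Node '@'          -Type 'MX'  -Data '10', 'mail.example.com.'
Add-DnsRecord -Node '_ldap._tcp' -Type 'SRV' -Data '0', '100', '389', 'dc1.example.com.'
Add-DnsRecord -Node '@'          -Type 'TXT' -Data 'v=spf1 mx -all'

# Remove exactly one A record; any other A records at host-a survive.
Remove-DnsRecord -Node 'host-a' -Type 'A' -Data '10.0.0.5'

# Deliberately remove every TXT record at the zone root.
Remove-DnsRecord -Node '@' -Type 'TXT' -AllOfType
```

Deleting the host-a A record also removes its PTR record if one exists in a reverse lookup zone on the same server, as the note above states, so a script that manages reverse zones separately should expect that.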

To view unsupported resource records in a zone

1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, click the record you want to view.
4. On the Action menu, click Properties.
5. In Properties, view properties specific to this record. When you have finished viewing the record, click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The DNS console allows you to view unsupported resource records (RRs) in secondary zones that are obtained from other DNS server implementations, such as DNS servers running versions of BIND. These types of records include legacy records, such as mail forwarder (MF) and mail domain (MD) resource records. These records are not used by DNS servers running Windows Server 2003 and cannot be managed through the DNS console.

To modify security for a resource record

1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the record whose security you want to modify, and then click Properties.
4. On the Security tab, modify the list of users or groups that are allowed to securely update the applicable record, and reset their permissions as needed.
5. Click OK.

Notes

• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Secure dynamic updates are only supported or configurable for resource records in zones stored in Active Directory.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.
• Security settings applied to resource records only affect dynamic updates. These security settings do not affect who may administer the zone where these resource records are located. For information on the security settings that affect who may administer a zone, see Related Topics.
• Resource records with the same name share the same resource record security settings. The names of resource records are listed in the Name column of the DNS console. Because the permissions belong to the name rather than to an individual record, a principal allowed to update one record at a name can update every record of that name.

Use aging and scavenging

• Set aging/scavenging properties for the DNS server
• Set aging/scavenging properties for a zone
• Enable automatic scavenging of stale resource records
• Start immediate scavenging of stale resource records
• View when a zone can start scavenging stale records
• Reset scavenging and aging properties for a specified resource record

To set aging/scavenging properties for the DNS server

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Aging and scavenging properties configured by this procedure act as server defaults that apply only toward Active Directory-integrated zones. For standard primary zones, you must set the appropriate properties at the applicable zone.
• Once you apply changes for server aging/scavenging settings, the DNS console prompts you to confirm. You then have the option to apply your changes to new Active Directory-integrated zones only. If needed, you can also apply your changes to existing Active Directory-integrated zones.
• Regardless of whether the Scavenge stale resource records check box is selected as described in step 3, for standard primary zones this feature is disabled unless manually enabled at the applicable zone.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}

Value                       Description
dnscmd                      Specifies the name of the command-line program.
ServerName                  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server.

                            To specify the DNS server on the local computer, you can also type a period (.).
/Config                     Required. Specifies the configuration command.
/ScavengingInterval         Sets the frequency at which the server performs scavenging for all scavenging-enabled zones.
/DefaultAgingState          Sets the default aging configuration for all zones on the server.
/DefaultNoRefreshInterval   Sets the default No-refresh interval for scavenging-enabled zones.
/DefaultRefreshInterval     Sets the default Refresh interval for scavenging-enabled zones.
Value                       Required. For /ScavengingInterval, type a value in hours. The default is 168 (one week). For /DefaultAgingState, type 0 to disable aging for new zones, or type 1 to enable aging for new zones when they are created. For /DefaultNoRefreshInterval, type a value in hours. The default is 168 (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 (one week).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To set aging/scavenging properties for a zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}

Value                   Description
dnscmd                  Specifies the name of the command-line program.
ServerName              Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                 Required. Specifies the configuration command.
ZoneName|..AllZones     Required. Specifies the name of the zone for which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.
/Aging                  Required. Enables aging for zones.
/RefreshInterval        Required. Specifies the Refresh interval for a scavenging-enabled zone.

/NoRefreshInterval      Required. Specifies the No-refresh interval for a scavenging-enabled zone.
Value                   Required. For /Aging, type 1 to enable aging or 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours (one week). For /NoRefreshInterval, type a value in hours, the same unit as the server-wide /DefaultNoRefreshInterval setting. The default setting is 168 hours (one week).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To enable automatic scavenging of stale resource records

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. Select the Enable automatic scavenging of stale records check box.
5. To adjust the Scavenging period, select from the drop-down list an interval in either hours or days, and then type a number in the text box.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

• As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To start immediate scavenging of stale resource records

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Scavenge Stale Resource Records.
3. When asked to confirm that you want to scavenge all stale resource records on the server, click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /StartScavenging

Value               Description
dnscmd              Specifies the name of the command-line tool.
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server.

                    To specify the DNS server on the local computer, you can also type a period (.).
/StartScavenging    Required. Initiates resource record scavenging.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /StartScavenging /help

To view when a zone can start scavenging stale records

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. On the View menu, click Advanced.
3. Right-click the applicable zone, and then click Properties.
4. On the General tab, click Aging.
5. Under Refresh interval, view when the zone is first eligible to be scavenged for stale resource records.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The start scavenging date and time stamp are used to determine when zone scavenging starts. After the start scavenging date and time stamp are reached, scavenging can occur only if the Scavenge stale resource records check box is selected. If the check box is cleared, scavenging for the zone cannot be performed.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneInfo ZoneName RefreshInterval

Value               Description
dnscmd              Specifies the name of the command-line tool.
ServerName          Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneInfo           Required. Displays configuration information.
ZoneName            Required. Specifies the fully qualified domain name (FQDN) of the zone.
RefreshInterval     Required. Specifies the configuration property that displays when the zone is first eligible to be scavenged for stale resource records. The output value is in hours. The default setting is 168 hours (one week).

Notes
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type:
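The server-level, zone-level, start-scavenging and view-eligibility procedures above are one workflow in practice. The following Windows PowerShell script is an added example (not from the original help text) that runs that workflow with dnscmd: it sets the server defaults, enables aging on a zone with explicit intervals, reads the zone settings back, and only then starts a scavenging pass. The server name dns1 and the zone example.com are assumptions, the interval values are the page's own defaults, and it is assumed (not stated on this page) that dnscmd /ZoneInfo ZoneName Property prints the property value after an equals sign and accepts the property names Aging, NoRefreshInterval and RefreshInterval.

```powershell
# Added example (not from the original page). Assumed: server "dns1", zone
# "example.com", dnscmd.exe on the PATH, Windows PowerShell 3.0 or later.

$Server         = 'dns1'
$Zone           = 'example.com'
$NoRefreshHours = 168   # page default: one week
$RefreshHours   = 168   # page default: one week
$ScavengeHours  = 168   # page default: one week

function Invoke-Dnscmd {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $out" }
    $out
}

function Get-ZoneProperty {
    # Assumed output shape of "dnscmd Server /ZoneInfo Zone Property": a line
    # containing "Property = value". Returns the numeric value.
    param([Parameter(Mandatory)][string]$Property)
    $lines = Invoke-Dnscmd -Arguments @($Server, '/ZoneInfo', $Zone, $Property)
    foreach ($line in $lines) {
        if ($line -match '=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    throw "Could not read $Property for $Zone from dnscmd output: $lines"
}

foreach ($v in $NoRefreshHours, $RefreshHours, $ScavengeHours) {
    if ($v -lt 1) { throw 'Aging intervals are whole hours and must be at least 1.' }
}

# 1. Server defaults. These seed Active Directory-integrated zones only; a
#    standard primary zone ignores them until aging is enabled on the zone.
Invoke-Dnscmd -Arguments @($Server, '/Config', '/DefaultAgingState', '1') | Out-Null
Invoke-Dnscmd -Arguments @($Server, '/Config', '/DefaultNoRefreshInterval', "$NoRefreshHours") | Out-Null
Invoke-Dnscmd -Arguments @($Server, '/Config', '/DefaultRefreshInterval', "$RefreshHours") | Out-Null
Invoke-Dnscmd -Arguments @($Server, '/Config', '/ScavengingInterval', "$ScavengeHours") | Out-Null

# 2. The zone itself: enable aging and set both intervals explicitly rather
#    than relying on the defaults having been inherited.
Invoke-Dnscmd -Arguments @($Server, '/Config', $Zone, '/Aging', '1') | Out-Null
Invoke-Dnscmd -Arguments @($Server, '/Config', $Zone, '/NoRefreshInterval', "$NoRefreshHours") | Out-Null
Invoke-Dnscmd -Arguments @($Server, '/Config', $Zone, '/RefreshInterval', "$RefreshHours") | Out-Null

# 3. Verify before letting scavenging loose: a zone with Aging=0 is never
#    scavenged regardless of the server-level settings.
$aging     = Get-ZoneProperty 'Aging'
$noRefresh = Get-ZoneProperty 'NoRefreshInterval'
$refresh   = Get-ZoneProperty 'RefreshInterval'
if ($aging -ne 1 -or $noRefresh -ne $NoRefreshHours -or $refresh -ne $RefreshHours) {
    throw "$Zone readback mismatch: Aging=$aging NoRefresh=$noRefresh Refresh=$refresh"
}
"$Zone: aging on; a dynamic record becomes eligible $($noRefresh + $refresh) hours after its last time stamp."

# 4. Only now start an immediate pass (the same action as Scavenge Stale
#    Resource Records in the console). Remove this line for a configuration-only run.
Invoke-Dnscmd -Arguments @($Server, '/StartScavenging') | Out-Null
```

The readback step is the point of the script: the console prompts let you apply server defaults to new zones only, so a zone that existed before the change can silently keep Aging=0, and an immediate scavenging pass against such a zone does nothing while appearing to succeed.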

   dnscmd /ZoneInfo /help

To reset scavenging and aging properties for a specified resource record

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.
4. Depending on how the resource record was originally added to the zone, do one of the following:
   o If the record was added dynamically using dynamic update, you can clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the DNS server will always reset this check box so that the dynamically updated record can be deleted.
   o If you added the record statically, you can select the Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure is only necessary for resource records that are dynamically registered. For records that you manually add to a zone, a time stamp value of zero always applies to the record, excluding it from the scavenging process.
• Scavenging and aging properties for NS and SOA resource records are reset in the properties for the zone, not the properties for the resource record.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config {ZoneName|..AllZones} /ScavengingInterval Value

Value                   Description
dnscmd                  Specifies the name of the command-line program.
ServerName              Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                 Required. Specifies the configuration command.
ZoneName|..AllZones     Required. Specifies the fully qualified domain name (FQDN) of the zone. To apply the setting to all zones hosted on the specified DNS server, type ..AllZones.
/ScavengingInterval     Required. Sets the scavenging interval.
Value                   Required. The new value for the scavenging interval, specified in hours. The default is 168 (one week).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

Concepts

This section provides general background information about Domain Name System (DNS) and the DNS Server service, as well as details about
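The rules that the aging and scavenging procedures above rely on can be stated as a small decision function, which is useful when you want to predict what a scavenging pass will delete before running it. The following Windows PowerShell code is an added example (not from the original help text) and talks to no DNS server: it encodes the eligibility rule (a dynamic record is stale once the current time is past its time stamp plus the No-refresh interval plus the Refresh interval), the zone-level gates (aging enabled and the start-scavenging time reached), the static-record rule (a time stamp of zero, represented here as $null, is never scavenged) and the NS/SOA exception. The record set is constructed sample data.

```powershell
# Added example (not from the original page): pure logic, no DNS server needed.
# Windows PowerShell 3.0 or later (for [pscustomobject]).

function Test-RecordStale {
    # Stale when now >= TimeStamp + NoRefreshInterval + RefreshInterval.
    # $null stands for the zero time stamp of a statically added record,
    # which the scavenging process always skips.
    param(
        $TimeStamp,
        [Parameter(Mandatory)][int]$NoRefreshHours,
        [Parameter(Mandatory)][int]$RefreshHours,
        [datetime]$Now = (Get-Date)
    )
    if ($null -eq $TimeStamp) { return $false }
    $eligibleAt = ([datetime]$TimeStamp).AddHours($NoRefreshHours + $RefreshHours)
    return ($Now -ge $eligibleAt)
}

function Get-ScavengeCandidates {
    # Zone-level gates first (aging check box, start-scavenging time), then the
    # per-record test. NS and SOA records are governed by the zone, not by
    # their own properties, so they are never returned.
    param(
        [Parameter(Mandatory)][hashtable]$ZoneSettings,   # Aging, NoRefreshHours, RefreshHours, ScavengeStart
        [Parameter(Mandatory)][object[]]$Records,         # objects with Name, Type, TimeStamp
        [datetime]$Now = (Get-Date)
    )
    if (-not $ZoneSettings.Aging) { return @() }              # check box cleared: no scavenging
    if ($Now -lt $ZoneSettings.ScavengeStart) { return @() }  # start time not yet reached
    $candidates = @()
    foreach ($r in $Records) {
        if (@('NS', 'SOA') -contains $r.Type) { continue }
        $stale = Test-RecordStale -TimeStamp $r.TimeStamp `
                                  -NoRefreshHours $ZoneSettings.NoRefreshHours `
                                  -RefreshHours $ZoneSettings.RefreshHours -Now $Now
        if ($stale) { $candidates += $r }
    }
    return $candidates
}

# Constructed sample data using the page's default intervals (168 h + 168 h = 336 h).
$now  = Get-Date '2005-03-01T12:00:00'
$zone = @{
    Aging          = $true
    NoRefreshHours = 168
    RefreshHours   = 168
    ScavengeStart  = Get-Date '2005-02-01T00:00:00'
}
$records = @(
    [pscustomobject]@{ Name = 'host-a';  Type = 'A';   TimeStamp = $now.AddHours(-480) }  # beyond 336 h
    [pscustomobject]@{ Name = 'host-b';  Type = 'A';   TimeStamp = $now.AddHours(-120) }  # still inside the window
    [pscustomobject]@{ Name = 'printer'; Type = 'A';   TimeStamp = $null }                # static: time stamp zero
    [pscustomobject]@{ Name = '@';       Type = 'SOA'; TimeStamp = $now.AddHours(-720) }  # zone-owned, skipped
)

Get-ScavengeCandidates -ZoneSettings $zone -Records $records -Now $now |
    ForEach-Object { '{0} {1} (last refreshed {2:u}) would be scavenged' -f $_.Name, $_.Type, $_.TimeStamp }
```

With this sample data only host-a is reported: its time stamp is 480 hours old, past the 336-hour window, while host-b is still inside it, printer carries no time stamp, and the SOA record is skipped. Clearing the Aging flag or moving ScavengeStart into the future empties the result regardless of the record ages, which is the behaviour the view-eligibility procedure above describes.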

supporting software provided for DNS clients running under Microsoft operating systems.

• DNS Overview
• Understanding DNS
• Deploying DNS
• Administering DNS
• DNS Resources

DNS Overview

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DNS overview

This section covers:

• DNS defined
• DNS tools
• Server features
• Client features
• Security information for DNS
• New features for DNS

DNS defined

DNS is an abbreviation for Domain Name System, a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address.

For example, most users prefer a friendly name such as example.microsoft.com to locate a computer such as a mail or Web server

on a network. A friendly name can be easier to learn and remember. However, computers communicate over a network by using numeric addresses. To make the use of network resources easier, name systems such as DNS provide a way to map the user-friendly name for a computer or service to its numeric address.

The following figure shows a basic use of DNS, which is finding the IP address of a computer based on its name.

In this example, a client computer queries a DNS server, asking for the IP address of a computer configured to use host-a.example.microsoft.com as its DNS domain name. Because the DNS server is able to answer the query based on its local database, it replies with an answer containing the requested information, which is a host (A) resource record that contains the IP address information for host-a.example.microsoft.com.

The example shows a simple DNS query between a single client and DNS server. In practice, DNS queries can be more involved than this and include additional steps not shown here. For more information, see How DNS query works.

Note
• For additional background information about other DNS concepts, see Understanding DNS.

DNS tools

There are a number of utilities for administering, monitoring, and troubleshooting both DNS servers and clients. These utilities include:

• The DNS console, which is part of Administrative Tools.
• Command-line utilities, such as Nslookup, which can be used to troubleshoot DNS problems.

• Logging features, such as the DNS server log, which can be viewed using the DNS console or Event Viewer. File-based logs can also be used temporarily as an advanced debugging option to log and trace selected service events.
• Performance monitoring utilities, such as statistical counters to measure and monitor DNS server activity with System Monitor.
• Windows Management Instrumentation (WMI), a standard technology for accessing management information in an enterprise environment.
• Platform Software Developer Kit (SDK).

The DNS console

The primary tool that you use to manage DNS servers is the DNS console, which is located in the Administrative Tools folder in the Start menu's Programs folder. The DNS console can be used on its own or as a Microsoft Management Console (MMC) snap-in, further integrating DNS administration into your total network management. The DNS console can only be used after DNS is installed on the server.

You can use the DNS console to perform these basic administrative server tasks:

1. Performing initial configuration of a new DNS server.
2. Connecting to and managing a local DNS server on the same computer, or remote DNS servers on other computers.
3. Adding and removing forward and reverse lookup zones as needed.
4. Adding, removing, and updating resource records in zones.
5. Modifying how zones are stored and replicated between servers.
6. Modifying how servers process queries and handle dynamic updates.
7. Modifying security for specific zones or resource records.

In addition, you can also use the DNS console to perform the following tasks:

• Perform maintenance on the server. You can start, stop, pause, or resume the server, or manually update server data files.
• Monitor the contents of the server cache and, as needed, clear it.
• Tune advanced server options.

• Configure and perform aging and scavenging of stale resource records stored by the server.

Notes
• The DNS console provides new ways to perform familiar DNS administrative tasks previously performed in Microsoft® Windows® NT Server 4.0 using DNS Manager. For more information, see New ways to do familiar DNS tasks.
• To use the DNS console from another non-server computer, such as one running Microsoft® Windows® XP Professional, you must install the Windows Server 2003 Administration Tools Pack. For information on installing DNS, see Install a DNS server.

Important
• The DNS console can only be used to manage DNS servers running Microsoft® Windows® and cannot be used to manage other DNS servers, such as BIND.

Command-line utilities

There are several command-line utilities you can use to manage and troubleshoot DNS servers and clients, which can be run either by typing them at a command prompt or by entering them in batch files for scripted use. The following table describes each of these utilities.

Command     Description
Nslookup    Used to perform query testing of the DNS domain namespace. For more information, see Nslookup.
Dnscmd      A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. For more information, see Server administration using Dnscmd.
Ipconfig    This command is used to view and modify IP configuration details used by the computer. Additional command-line options are included with this utility to provide help in troubleshooting and supporting DNS clients. For more information, see Flush and reset a client resolver cache using the ipconfig command or Renew DNS client registration using the ipconfig command.

Event monitoring utilities

The Windows Server 2003 family includes two options for monitoring DNS servers:

• Default logging of DNS server event messages to the DNS server log.
  DNS server event messages are separated and kept in their own system event log, the DNS server log, which can be viewed using the DNS console or Event Viewer. The DNS server log contains events logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, such as when the server starts but cannot locate initializing data, such as zones or boot information stored in the registry or (in some cases) Active Directory. The event types logged by DNS servers can be changed using the DNS console. For more information, see DNS server log reference.
  You can use Event Viewer to view and monitor client-related DNS events. These appear in the System log and are written by the DNS Client service at any computers running Windows (all versions). For more information, see View the DNS server system event log and Windows interface administrative tool reference A-Z: Event Viewer.
• Optional debug options for trace logging to a text file on the DNS server computer.
  You can also use the DNS console to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file created and used for this feature, Dns.log, is stored in the systemroot\System32\Dns folder.

Performance monitoring utilities

Performance monitoring for DNS servers can be done using additional service-specific counters that measure DNS server performance. These counters are accessible through System Monitor, which is provided in the Performance console.

When using System Monitor, you can create charts and graphs of server performance trends over time for any of your DNS servers. These can be further studied and analyzed to determine if additional server tuning is needed.

By measuring and reviewing server metrics over a period of time, it is possible to determine performance benchmarks and decide if further adjustments can be made to optimize the system. For more information, see Monitoring DNS server performance.

Windows Management Instrumentation (WMI)

WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components in an enterprise environment.

Note
• For more information about manageability, see Management Strategies and Tools. For more information about Windows Management Instrumentation, see the Microsoft Platform SDK Web site.

Platform Software Developer Kit (SDK)

Computers running a product in the Windows Server 2003 family provide functions that enable application programmers to use DNS, such as programmatically making DNS queries, comparing records, and looking up names. Programmable DNS components are designed for use by C/C++ programmers. Familiarity with networking and with DNS is required. Programmers should be familiar with the IP protocol suite, as well as the DNS protocol and how DNS operates. For more information, see the Microsoft Platform SDK Web site.

Server features

The Domain Name System (DNS) Server service provides the following:

• An RFC-compliant DNS server
  DNS is an open protocol and is standardized by a set of Request for Comments (RFCs). Microsoft supports and complies with these standard specifications. For more information, see DNS RFCs.
• Interoperability with other DNS server implementations

  Because the DNS Server service is RFC-compliant and can use standard DNS data file and resource record formats, it can successfully work with most other DNS server implementations, such as those that use the Berkeley Internet Name Domain (BIND) software. For more information, see Interoperability issues.
• Support for Active Directory
  DNS is required for support of the Active Directory® directory service. If you install Active Directory on a server, you can automatically install and configure a DNS server if a DNS server that meets the Active Directory requirements cannot be located. In general, the use of the Windows Server 2003 DNS Server service is strongly recommended for the best possible integration and support of Active Directory and enhanced DNS server features. You can, however, use another type of DNS server to support Active Directory deployment. When using other types of DNS servers, consider additional issues related to DNS interoperability. For more information, see Interoperability issues.
  First, in the Active Directory Installation Wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller. Later in the installation process, the wizard tests for the following:
  1. Based on its TCP/IP client configuration, it checks to see whether a preferred DNS server is configured for its use.
  2. If a preferred DNS server is available, it queries to find the primary authoritative server for the DNS name of the Active Directory domain you specified earlier in the wizard.
  3. It then tests to see whether the authoritative primary server can support and accept dynamic updates as described in the dynamic update protocol (RFC 2136).
  4. If, at this point in the process, a supporting DNS server cannot be located to accept updates for the specified DNS domain name you are using with Active Directory, you are provided with the option to install the DNS Server service locally.
  5. If you choose to install the DNS Server service locally, the IP address for the current preferred DNS server is used to configure a forwarder on the local DNS server. This configuration maintains any existing resolution to an Internet Service Provider (ISP).

example. For example. Note. Web Edition. see Overview of Windows Server 2003. such as over a slow network link. operating system. A partition is a data structure within Active Directory used to distinguish data for different replication purposes. Page 157 of 165 . Note o This feature is not included on computers running the Microsoft® Windows Server® 2003. For more information. A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. see DNS zone replication in Active Directory. that this replication efficiency is at the expense of resolution efficiency because the server hosting the stub zone is not authoritative for the zone and so must refer all queries for the zone to other servers. a DNS server can be configured to forward all the queries it receives for names ending with widgets.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. For more information. however. You can specify in which Active Directory partition to store the zone and. see Overview of Windows Server 2003. Web Edition.  Stub zones DNS supports a new zone type called a stub zone. consequently. For more information. the set of domain controllers between which that zone's data will be replicated. For more information. A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for that zone. Web Edition. see Understanding forwarders.Interoperability issues.  Conditional forwarders The DNS Server service extends a standard forwarder configuration with conditional forwarders.  Enhancements to DNS zone storage in Active Directory DNS zones can be stored in the domain or application directory partitions of Active Directory. You can use a stub zone instead of a secondary zone in situations where replicating all the zone data would be undesirable. operating system. 
Note o This feature is not included on computers running the Microsoft® Windows Server® 2003. Web Edition.

For more information. and DNS data. WINS lookup integration.For more information. For more information. see Understanding zones and zone transfer. see Dynamic update. see Active Directory integration. Incremental zone transfer is used to replicate only the changed portions of a zone. WINS.  Support for incremental zone transfer between servers Zone transfers are used between DNS servers to replicate information about a portion of the DNS namespace. Dynamic update. other tools are provided to help you better manage and support DNS servers and clients on your network.  RFC-compliant dynamic update protocol support The DNS Server service allows clients to dynamically update resource records. This improves DNS administration by reducing the time needed to manually manage these records. the DNS Client service. conserving network bandwidth. see Security information for DNS. based on the dynamic update protocol (RFC 2136). see Understanding stub zones.  Support for new resource record types Page 158 of 165 . For more information.  Integration with other Microsoft networking services The DNS Server service offers integration with other services and contains features beyond those specified in the RFCs. Also. there are several configuration wizards for performing common server administration tasks.  Improved ease of administration The DNS console offers an improved graphical user interface for managing the DNS Server service. see DNS tools. Computers running the DNS Client service can dynamically register their DNS names and IP addresses. For more information. and DHCP services. These include integration with Active Directory.  Enhanced DNS security features DNS provides enhanced security administration for the DNS Server service. For more information. In addition to the DNS console.

The DNS Server service includes support for several new resource record (RR) types. If no preferred DNS servers are available. • Avoidance of unresponsive DNS servers The DNS Client service uses a server search list. The list is arranged based on the following criteria: 1. A negative response results when a resource record for the queried name does not exist. This avoids continued negative caching of stale information if the records later become available. expand the possibilities for using DNS as a names database service. then alternate DNS servers are used. which include the service location (SRV) and ATM address (ATMA) RRs. Any query information negatively cached is kept for a shorter period of time than is used for positive query responses. Preferred DNS servers are given first priority. Negative caching is a new DNS standard specification defined in RFC 2308. Negative caching prevents the repeating of additional queries for names that do not exist. Page 159 of 165 . 2. For more information on obtaining RFCs. see TCP/IP RFCs. For more information. This list includes all preferred and alternate DNS servers configured for each of the active network connections on the system. This information is then cached for a set Time to Live (TTL) and can be used again to answer subsequent queries. Client features The Domain Name System (DNS) Client service is used to resolve DNS domain names and implements the following features: • System-wide caching Resource records (RRs) from query responses are added to the client cache as applications query DNS servers. ordered by preference. by default. the DNS Client service also caches negative query responses. no more than 5 minutes. • RFC-compliant negative caching support In addition to caching positive query responses from DNS servers (which contain resource record information in the answered reply). which can adversely affect client system performance. These types. refer to this RFC.

Security information for DNS Domain Name System (DNS) was originally designed as an open protocol and is therefore vulnerable to attackers. Data modification is an attempt by an attacker (that has footprinted a network using DNS) to use valid IP addresses in IP packets the attacker has created. its CPU usage will eventually reach its maximum and the DNS Server service will become unavailable. Important • The DHCP Client service initiates dynamic registration for client DNS names. Without a fully operating DNS server on the network. For more information. As a DNS server is flooded with queries. This is Page 160 of 165 • • . you should be aware of the common threats to DNS security and the level of DNS security in your organization. a network. DNS security threats The following are the typical ways in which your DNS infrastructure can be threatened by attackers: • Footprinting is the process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names. computer names. or footprint. Before considering which of the security features to use. and IP addresses for sensitive network resources. thereby giving these packets the appearance of coming from a valid IP address in the network. Windows Server 2003 DNS has improved the ability to prevent an attack on your DNS infrastructure through the addition of security features. see Dynamic update or Using DNS servers with DHCP.3. DNS domain and computer names usually indicate the function or location of a domain or computer in order to help users remember and identify domains and computers more easily. network services that use DNS will become unavailable to network users. Denial-of-service attack is when an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. Unresponsive servers are removed temporarily from these lists. An attacker commonly begins an attack by using this DNS data to diagram. 
An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.

commonly called IP spoofing. With a valid IP address (an IP address within the IP address range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.

• Redirection is when an attacker is able to redirect queries for DNS names to servers under the control of the attacker. One method of redirection involves the attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers under the control of the attacker. For example, if a query were originally made for example.microsoft.com and a referral answer provided a record for a name outside of the microsoft.com domain, such as malicious-user.com, then the DNS server would use the cached data for malicious-user.com to resolve a query for that name. Redirection can be accomplished whenever an attacker has writable access to DNS data, such as with insecure dynamic updates.
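The referral case just described is what cache pollution prevention guards against: a resolver keeps a record from a response only when its owner name lies inside the zone the answering server was asked about. The following Python is an added example, not code from the documentation or from the DNS Server service; the record layout and the sample referral are constructed.

```python
"""Cache pollution prevention (bailiwick check), added example.

Not code from the Windows Server 2003 documentation: it illustrates the
rule behind the "cache pollution prevention" setting. A resolver should
cache a record from a response only if the record's owner name lies in
the zone the answering server was asked about (its bailiwick). The
record layout and the sample response are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceRecord:
    name: str   # owner name, e.g. "example.microsoft.com"
    rtype: str  # record type, e.g. "A" or "NS"
    data: str   # record data as text


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a subdomain of it (by label, not string suffix)."""
    owner_labels, zone_labels = _labels(owner), _labels(zone)
    if len(owner_labels) < len(zone_labels):
        return False
    return owner_labels[len(owner_labels) - len(zone_labels):] == zone_labels


def filter_response(records: list[ResourceRecord], bailiwick: str) -> tuple[list[ResourceRecord], list[ResourceRecord]]:
    """Split a response into records safe to cache and records to discard.

    With cache pollution prevention disabled every record would be
    cached; with it enabled only the first list enters the cache.
    """
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: a referral for example.microsoft.com from a
# microsoft.com server that also carries records for malicious-user.com.
SAMPLE_RESPONSE = [
    ResourceRecord("example.microsoft.com", "NS", "ns1.example.microsoft.com"),
    ResourceRecord("ns1.example.microsoft.com", "A", "192.0.2.10"),
    ResourceRecord("malicious-user.com", "A", "192.0.2.66"),
    ResourceRecord("www.malicious-user.com", "A", "192.0.2.67"),
]

if __name__ == "__main__":
    keep, drop = filter_response(SAMPLE_RESPONSE, "microsoft.com")
    for rr in keep:
        print("cache  :", rr.name, rr.rtype, rr.data)
    for rr in drop:
        print("discard:", rr.name, rr.rtype, rr.data)
```

The label-wise comparison matters: a plain string-suffix test would accept notmicrosoft.com as part of microsoft.com.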

Mitigating DNS security threats
DNS can be configured to mitigate the common DNS security issues discussed above. The following table lists five main areas on which to concentrate when determining your DNS security.

DNS namespace
Incorporate DNS security into your DNS namespace design. For more information, see Securing DNS deployment.

DNS Server service
Review the default DNS Server service security settings and apply Active Directory security features when the DNS Server service is running on a domain controller. For more information, see Securing the DNS Server service.

DNS zones
Review the default DNS zone security settings and apply secure dynamic updates and Active Directory security features when the DNS zone is hosted on a domain controller. For more information, see Securing DNS zones.

DNS resource records
Review the default DNS resource record (RR) security settings and apply Active Directory security features when the DNS resource records are hosted on a domain controller. For more information, see Securing DNS resource records.

DNS clients
Control the DNS server IP addresses used by DNS clients. For more information, see Securing DNS clients.

Three levels of DNS security

The following three levels of DNS security will help you understand your current DNS configuration and enable you to increase the DNS security of your organization.

Low-level security
Low-level security is a standard DNS deployment without any security precautions configured. Only deploy this level of DNS security in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity.

• The DNS infrastructure of your organization is fully exposed to the Internet.
• Standard DNS resolution is performed by all DNS servers in your network.
• All DNS servers are configured with root hints pointing to the root servers for the Internet.
• All DNS servers permit zone transfers to any server.
• All DNS servers are configured to listen on all of their IP addresses.
• Cache pollution prevention is disabled on all DNS servers.
• Dynamic update is allowed for all DNS zones.
• User Datagram Protocol (UDP) and Transmission Control Protocol/Internet Protocol (TCP/IP) port 53 is open on the firewall for your network for both source and destination addresses.

Medium-level security
Medium-level security uses the DNS security features available without running DNS servers on domain controllers and storing DNS zones in Active Directory.

• The DNS infrastructure of your organization has limited exposure to the Internet.
• All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
• All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Nonsecure dynamic update is not allowed for any DNS zones.
• Internal DNS servers communicate with external DNS servers through the firewall with a limited list of source and destination addresses allowed.
• External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
• All Internet name resolution is performed using proxy servers and gateways.

High-level security
High-level security uses the same configuration as medium-level security and also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required.

• The DNS infrastructure of your organization has no Internet communication by internal DNS servers.
• Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
• DNS servers that are configured with forwarders use internal DNS server IP addresses only.
• All DNS servers limit zone transfers to specified IP addresses.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
• All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to only allow specific individuals to perform administrative tasks on the DNS server.
• All DNS zones are stored in Active Directory. A DACL is configured to only allow specific individuals to create, delete, or modify DNS zones.
• DACLs are configured on DNS resource records to only allow specific individuals to create, delete, or modify DNS data.
• Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.

New features for DNS
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following new Domain Name System (DNS) features and feature enhancements are available with the Microsoft® Windows Server™ 2003 family.

• Conditional forwarders
Forward DNS queries according to the DNS domain name in the query using conditional forwarders. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. For more information, see Using forwarders.

• Stub zones
Using stub zones, keep a DNS server hosting a parent zone aware of the authoritative DNS servers for its child zone and, thereby, maintain DNS name resolution efficiency. For more information, see Understanding stub zones.

• Improved domain controller name resolution
In response to DNS name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see How DNS Support for Active Directory Works on the Microsoft Web site.

• DNS zone replication in Active Directory
Choose from four default replication options for Active Directory-integrated DNS zone data. For more information, see DNS zone replication in Active Directory.

• Round robin all resource record (RR) types
By default, the DNS Server service will perform round-robin rotation for all resource record (RR) types. For more information, see Configuring round robin.

• Enhanced debug logging
Use the enhanced DNS Server service debug logging settings to troubleshoot DNS problems. For more information, see Using server debug logging options.

• EDNS0
Enable DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets larger than 512 octets, the original DNS restriction for UDP packet size (RFC 1035). For more information, see Using Extension Mechanisms for DNS (EDNS0).

• Enhanced DNS security features
DNS provides greater precision in its security administration for the DNS Server service, the DNS Client service, and DNS data. For more information, see Security information for DNS.

• DNSSEC
DNS provides basic support of DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. For more information, see Using DNS Security Extensions (DNSSEC).

• Control automatic NS resource record registration on a server and a zone basis
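The three levels under Three levels of DNS security are effectively a checklist, and it is useful to be able to compare an exported server configuration against them mechanically. The Python below is an added example, not code from the documentation or from the DNS Server service; the settings record and its field names are this example's own constructs, not DNS Server service setting names.

```python
"""Check a DNS server's settings against the three security levels (added example).

Not code from the Windows Server 2003 documentation: the low-, medium-
and high-level checklists under "Three levels of DNS security" are
encoded as a small rules engine over a constructed settings record.
Field names are this example's own, not DNS Server service setting names.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DnsServerSettings:
    zone_transfers: str             # "any", "ns_records" or "specified_ips"
    listen_on_all_ips: bool         # True = listens on every interface
    cache_pollution_prevention: bool
    nonsecure_dynamic_update: bool  # some zone accepts nonsecure updates
    root_hints: str                 # "internet" or "internal"
    talks_to_internet_dns: bool     # server queries Internet DNS servers
    on_domain_controller: bool
    zones_in_active_directory: bool
    dacls_configured: bool          # DACLs on service, zones and records


def medium_level_findings(s: DnsServerSettings) -> list[str]:
    """Settings that fall short of the medium-level checklist."""
    findings = []
    if s.zone_transfers == "any":
        findings.append("zone transfers are permitted to any server")
    if s.listen_on_all_ips:
        findings.append("server listens on all of its IP addresses")
    if not s.cache_pollution_prevention:
        findings.append("cache pollution prevention is disabled")
    if s.nonsecure_dynamic_update:
        findings.append("nonsecure dynamic update is allowed")
    return findings


def high_level_findings(s: DnsServerSettings) -> list[str]:
    """Medium-level findings plus what high-level security also requires."""
    findings = medium_level_findings(s)
    if s.zone_transfers != "specified_ips":
        findings.append("zone transfers are not limited to specified IP addresses")
    if s.talks_to_internet_dns or s.root_hints != "internal":
        findings.append("server still uses Internet DNS servers or Internet root hints")
    if not (s.on_domain_controller and s.zones_in_active_directory):
        findings.append("server is not a domain controller with zones in Active Directory")
    if not s.dacls_configured:
        findings.append("no DACLs restrict administration of service, zones and records")
    return findings


def security_level(s: DnsServerSettings) -> str:
    """Return "low", "medium" or "high" according to the checklists."""
    if medium_level_findings(s):
        return "low"
    return "medium" if high_level_findings(s) else "high"


# Constructed samples: the out-of-the-box (low-level) server and a locked-down one.
LOW_DEFAULTS = DnsServerSettings("any", True, False, True, "internet", True, False, False, False)
LOCKED_DOWN = DnsServerSettings("specified_ips", False, True, False, "internal", False, True, True, True)

if __name__ == "__main__":
    for name, cfg in (("defaults", LOW_DEFAULTS), ("locked down", LOCKED_DOWN)):
        print(f"{name}: {security_level(cfg)}")
        for finding in high_level_findings(cfg):
            print("  -", finding)
```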
