DNS best practices

Best practices

Enter the correct e-mail address of the responsible person for each zone you add to or manage on a DNS server. This field is used by applications to notify DNS administrators for a variety of reasons. For example, query errors, incorrect data returned in a query, and security problems are a few ways in which this field can be used. While most Internet e-mail addresses contain the at sign (@) when used in e-mail applications, this symbol must be replaced with a period (.) when entering an e-mail address for this field. For example, instead of "administrator@microsoft.com", you would use "administrator.microsoft.com".
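As an added example (this code is not part of the original Help text), the following Python converts a responsible-person address into the SOA RNAME form described above and back again. It also handles one detail the paragraph does not mention: RFC 1035 requires a period that belongs to the mailbox name itself, as in john.doe@example.com, to be escaped with a backslash, because the first unescaped period in the field is what separates the mailbox from the domain. All addresses used are constructed.

```python
# Added example: SOA RNAME handling for the "responsible person" field.
# Not part of the original Help text; the addresses below are constructed.


def email_to_rname(email: str) -> str:
    """Return the SOA RNAME form of an e-mail address.

    The '@' becomes a period, as the text describes.  A period inside the
    mailbox name must be escaped with a backslash (RFC 1035), otherwise the
    first period would be read as the mailbox/domain boundary.
    """
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local.replace(".", "\\.") + "." + domain


def rname_to_email(rname: str) -> str:
    """Inverse of email_to_rname: split at the first unescaped period."""
    rname = rname.rstrip(".")          # a trailing dot is allowed in zone data
    mailbox = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            mailbox.append(rname[i + 1])  # escaped character, keep it literally
            i += 2
        elif ch == ".":
            return "".join(mailbox) + "@" + rname[i + 1:]
        else:
            mailbox.append(ch)
            i += 1
    raise ValueError(f"RNAME has no domain part: {rname!r}")


def rname_problems(rname: str) -> list:
    """Flag the common mistakes made when the field is filled in by hand."""
    problems = []
    if "@" in rname:
        problems.append("contains '@'; write the at sign as a period")
    if rname.startswith("."):
        problems.append("mailbox name is empty")
    if "." not in rname.rstrip("."):
        problems.append("no domain part")
    return problems


if __name__ == "__main__":
    for addr in ("administrator@microsoft.com", "john.doe@example.com"):
        rn = email_to_rname(addr)
        print(f"{addr} -> {rn} -> {rname_to_email(rn)}")
```

The round trip is the useful check: if rname_to_email(email_to_rname(x)) does not give back x, the field would notify the wrong mailbox.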

Be conservative in adding alias records to zones. Avoid using CNAME resource records (RRs) where they are not needed to alias a host name used in a host (A) resource record. Also, ensure that any alias names you use are not used in other RRs. DNS allows an owner name of a CNAME resource record to be used as the owner name of the other types of resource records, such as NS, MX, and TXT resource records.
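To make the CNAME rules above checkable, here is an added Python example (not from the original page) that reads zone data in the text format DNS servers use, reports any CNAME owner name that also owns other record types (the NS, MX and TXT collision the paragraph warns about), and also flags a CNAME whose target is itself a CNAME, which goes slightly beyond the paragraph as a way of keeping alias use conservative. The zone data is a constructed sample.

```python
# Added example: check alias (CNAME) use in zone data.  Not part of the
# original Help text; the zone below is a constructed sample.

ZONE_TEXT = """\
; constructed sample zone data
web1.example.com.      3600 IN A      192.0.2.10
mail.example.com.      3600 IN A      192.0.2.25
www.example.com.       3600 IN CNAME  web1.example.com.
www.example.com.       3600 IN MX     10 mail.example.com.
ftp.example.com.       3600 IN CNAME  www.example.com.
intranet.example.com.  3600 IN CNAME  web1.example.com.
"""


def parse_zone(text):
    """Return (owner, type, rdata) tuples from 'owner ttl IN type rdata' lines."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), " ".join(rdata)))
    return records


def cname_problems(records):
    """Report CNAME owner names that also own other records, and CNAME chains."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))

    problems = []
    for owner, rrs in by_owner.items():
        types = [t for t, _ in rrs]
        if "CNAME" not in types:
            continue
        # RFC 1034: a CNAME owner name may carry no other resource records.
        others = sorted({t for t in types if t != "CNAME"})
        if others:
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
        for rtype, rdata in rrs:
            if rtype == "CNAME":
                target = rdata.lower()
                if any(t == "CNAME" for t, _ in by_owner.get(target, [])):
                    problems.append(f"{owner}: CNAME chain through {target}")
    return problems


def check_zone(text):
    return cname_problems(parse_zone(text))


if __name__ == "__main__":
    for p in check_zone(ZONE_TEXT):
        print(p)
```

In the sample, www.example.com. breaks the rule because it carries both a CNAME and an MX record, and ftp.example.com. is an alias of an alias.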

When designing your DNS network use standard guidelines and, wherever possible, follow preferred practices for managing your DNS infrastructure. DNS was designed to provide a level of fault tolerance for resolving names. If possible, you should have at least two name servers hosting each zone.

If you are using Active Directory, use directory-integrated storage for your DNS zones for increased security, fault tolerance, and simplified deployment and management. By integrating zones, you can simplify network planning. For example, domain controllers for each of your Active Directory domains correspond in a direct one-to-one mapping to DNS servers. This can simplify planning and troubleshooting DNS and Active Directory replication problems because the same server computers are used in both topologies. If you are using directory-integrated storage for your zones, you may select from the different replication scopes that replicate your DNS zone data throughout the directory. If your DNS infrastructure must support Windows 2000 DNS servers, you will use the directory-integrated storage method that replicates DNS zone data to all domain controllers in a domain. If your DNS infrastructure is composed of DNS servers running Windows Server 2003 only, you may also select from replication scopes that replicate your DNS zone data to all DNS servers in the Active Directory forest, all DNS servers in a specified Active Directory domain, or all domain controllers specified in a custom replication scope. Any DNS server hosting a directory-integrated zone is a primary DNS server for that zone. This enables a multimaster model where multiple DNS servers may update the same zone data. A multimaster model eliminates the single point of failure associated with a conventional single-master DNS topology, where updates may only be made to a single DNS server for a given zone. One of the important benefits of directory integration is the support for secure dynamic update of the names within a zone. For more information, see Dynamic update.

Consider the use of secondary zones to assist in off-loading DNS query traffic wherever it makes sense. Secondary servers can be used as backups for DNS clients. This allows you to use secondary servers as a means to load balance DNS query traffic on your network and reserve your DNS-enabled primary servers for use only by those clients that need them to perform dynamic registration and updates of their A and PTR RRs.

If you are planning a large DNS design, such as for a large Internet service provider (ISP) that supports the use of DNS, review the following Request for Comments (RFC) documents published by the Internet Engineering Task Force (IETF).

RFC    Title
1912   Common DNS Operational and Configuration Errors
2182   Selection and Operation of Secondary DNS Servers
2219   Use of DNS Aliases for Network Services

You can obtain these RFCs from the RFC Editor Web site. This Web site is currently maintained by members of the Information Sciences Institute (ISI) who publish a classified listing of all RFCs. RFCs are classified as one of the following: approved Internet standards, proposed Internet standards (circulated in draft form for review), Internet best practices, or For Your Information (FYI) documents.

How to...

• Install and Configure Servers
• Install and Configure Clients
• Manage Servers
• Optimize Servers
• Monitor Servers
• Add and Remove Zones
• Configure Zone Properties
• Manage Zones
• Manage Resource Records
• Use Aging and Scavenging

Install and configure servers

• Install a DNS server
• Configure a DNS server for use with Active Directory
• Verify DNS registration for domain controllers using the nslookup command
• Configure a new DNS server
• Modify security for the DNS Server service on a domain controller
• Add a secondary server for an existing zone
• Install a caching-only DNS server
• Restrict a DNS server to listen only on selected addresses
• Configure a DNS server to use forwarders
• Create the default DNS application directory partitions
• Create a DNS application directory partition
• Enlist a DNS server in a DNS application directory partition
• Remove a DNS server from a DNS application directory partition

To install a DNS server

1. Open Windows Components Wizard.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4. If prompted, in Copy files from, type the full path to the distribution files, and then click OK. Required files are copied to your hard disk.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open the Windows Components Wizard, click Start, click Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components.
• Certain Windows components require configuration before they can be used. If you installed one or more of these components but did not configure them, when you click Add/Remove Windows Components, a list of components that need to be configured is displayed. To start the Windows Components Wizard, click Components.
• If the DNS server is configured to use DHCP-assigned dynamic addresses, when the DHCP server assigns a new IP address to the DNS server, the DNS clients configured to use that DNS server's previous IP address will be unable to resolve the previous IP address and locate the DNS server. It is recommended that you manually configure the computer to use a static IP address.
• After you install a DNS server, you can decide how to administer it and its zones. Although you can use a text editor to make changes to server boot and zone files, this method is not recommended. The DNS console and the DNS command-line tool, dnscmd, simplify maintenance of these files and should be used whenever possible. Once you begin using console-based or command-line management of these files, manually editing them is not recommended. For more information, see Related Topics.

• When writing DNS server boot and zone data to text files, DNS servers use the Berkeley Internet Name Domain (BIND) file format recognized by legacy BIND 4 servers, not the more recent BIND 8 format.
• DNS zones stored in Active Directory can be administered using the DNS console or the dnscmd command-line tool only. These zones cannot be administered using a text editor.
• If you uninstall a DNS server, the zones it hosts are saved or deleted according to their storage type. If you uninstall a DNS server hosting standard DNS zones, the zone files will remain in the systemroot\system32\Dns directory, but they will not be reloaded if the DNS server is reinstalled. If you create a new zone with the same name as an old zone, the old zone file is replaced with the new zone file. If you uninstall a DNS server hosting Active Directory-integrated zones, the zone data is stored on other domain controllers or DNS servers and will not be deleted unless the DNS server that you uninstall is the last DNS server hosting that zone.

Information about functional differences

• Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

To configure a DNS server for use with Active Directory

• When Active Directory is installed using the Active Directory Installation Wizard, the option to automatically install and configure a local DNS server for use is provided. To install Active Directory on this computer, use the Active Directory Installation Wizard. For more information, see Related Topics.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

• This procedure only applies to server computers used as domain controllers. If member servers are used as DNS servers, they are not integrated with Active Directory.
• If you choose the Active Directory Installation Wizard option to automatically install and configure a local DNS server, the DNS server is installed on the computer where you are running the wizard, and the computer's preferred DNS server setting is configured to use the new local DNS server. You will also want to configure any other computers that will join this domain to use this DNS server's IP address as their preferred DNS server.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To verify DNS registration for domain controllers using the nslookup command

1. Open Command Prompt.
2. Type: nslookup
3. After the previous command completes, at the nslookup (">") prompt type: set q=rr_type
4. After the previous command completes, type: _ldap._tcp.dc._msdcs.Active_Directory_domain_name
5. Review the output of the previous SRV query and determine if further action is needed based on whether the previous query succeeded or failed:
   o If the query succeeded, review the registered SRV RRs returned in the query to determine if all domain controllers for your Active Directory domain are included and registered using valid IP addresses.
   o If the query failed, continue troubleshooting dynamic update or DNS server related issues to determine the exact cause of the problem.

Value / Description

nslookup
    The name of the command-line program, used to verify service location (SRV) resource records that are registered by domain controllers.
set q=rr_type
    The resource record (RR) type to apply as a filter for subsequent lookups. For example, because you want to limit subsequent name queries to filter and return only service location (SRV) RRs that use a specified name, type: set q=srv
_ldap._tcp.dc._msdcs.
    The command to send the query to the root server.
Active_Directory_domain_name
    The DNS name configured for use with your Active Directory domain and any of its associated domain controllers. For example, if the DNS domain name of your Active Directory domain is example.microsoft.com, type: _ldap._tcp.dc._msdcs.example.microsoft.com

Notes

• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter and then type help
• In some cases, when performing the above procedure, you might see several time-outs reported. This happens when reverse lookup is not configured for DNS servers servicing the same DNS domain as your Active Directory domain.
• The following is an example of command-line output for an Nslookup session. In this example, the two domain controllers are dc1 and dc2 and are registered for the "example.microsoft.com" domain.

    C:\>nslookup
    Default Server: dc1.example.microsoft.com
    Address: 10.0.0.14

    > set type=srv
    > _ldap._tcp.dc._msdcs.example.microsoft.com
    Server: dc1.example.microsoft.com
    Address: 10.0.0.14

    _ldap._tcp.dc._msdcs.example.microsoft.com SRV service location:
        priority = 0
        weight = 0
        port = 389
        svr hostname = dc1.example.microsoft.com
    _ldap._tcp.dc._msdcs.example.microsoft.com SRV service location:
        priority = 0
        weight = 0
        port = 389
        svr hostname = dc2.example.microsoft.com
    dc1.example.microsoft.com internet address = 10.0.0.14
    dc2.example.microsoft.com internet address = 10.0.0.15

• The nslookup command is a standard command-line tool provided in most DNS service implementations. It offers the ability to perform query testing of DNS servers and obtain detailed responses as the command output. This information is useful in troubleshooting name resolution problems, verifying that resource records (RRs) are added or updated correctly in a zone, and debugging other server-related problems.
• In some cases, you might need to manually add or verify registration of the service location (SRV) resource records used to support Windows Server 2003 domain controllers. To add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation wizard when a server computer is promoted to a domain controller. It can be found at: systemroot\System32\Config\Netlogon.dns
• The resource records used in this file are listed in RFC-compliant text-file format. Verify that resource records used to register services and critical hosts, such as domain controllers, are correctly added to zones. When verifying these records, look for the following records:

    _ldap._tcp.Active_Directory_domain_name IN SRV 0 0 389 ldap_server_name
    _ldap._tcp.dc._msdcs.Active_Directory_domain_name IN SRV 0 0 389 domain_controller_name
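The nslookup procedure above checks the _ldap._tcp.dc._msdcs SRV records interactively, and the Netlogon.dns file lists the same records in text form. As an added example (not part of the original Help), the following Python reads a constructed Netlogon.dns-style sample and performs the check that step 5 of the procedure describes: every expected domain controller has an SRV record on port 389 under _ldap._tcp.dc._msdcs.<domain>, each SRV target has a host (A) record with a valid IPv4 address, and no unexpected host is registered as a domain controller. The domain, host names and addresses are constructed, following the page's example.microsoft.com sample.

```python
# Added example: verify domain controller SRV registration from Netlogon.dns-style
# records.  Not part of the original Help text; the sample data is constructed.
import ipaddress

NETLOGON_SAMPLE = """\
; constructed sample in the text format Netlogon.dns uses
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 0 389 dc1.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 0 389 dc2.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 0 389 dc3.example.microsoft.com.
_ldap._tcp.example.microsoft.com.           600 IN SRV 0 0 389 dc1.example.microsoft.com.
_ldap._tcp.example.microsoft.com.           600 IN SRV 0 0 389 dc2.example.microsoft.com.
dc1.example.microsoft.com.                  600 IN A   10.0.0.14
dc2.example.microsoft.com.                  600 IN A   10.0.0.15
dc3.example.microsoft.com.                  600 IN A   10.0.0.300
"""


def parse_records(text):
    """Yield (owner, type, rdata-tokens) from 'owner ttl IN type rdata...' lines."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        yield owner.lower(), rtype.upper(), rdata


def verify_dc_registration(text, domain, expected_dcs):
    """Return a list of problems; an empty list means every expected DC is registered.

    Checks, as in the verification step of the procedure: an SRV record under
    _ldap._tcp.dc._msdcs.<domain> for each expected DC, port 389, and a host (A)
    record with a valid IPv4 address for every SRV target.
    """
    srv_owner = f"_ldap._tcp.dc._msdcs.{domain}.".lower()
    expected = {f"{dc}.{domain}.".lower() for dc in expected_dcs}
    a_records, srv_targets = {}, {}
    for owner, rtype, rdata in parse_records(text):
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])
        elif rtype == "SRV" and owner == srv_owner:
            _priority, _weight, port,target = rdata
            srv_targets[target.lower()] = int(port)

    problems = []
    for fqdn in sorted(expected):
        if fqdn not in srv_targets:
            problems.append(f"{fqdn}: no SRV record under {srv_owner}")
            continue
        if srv_targets[fqdn] != 389:
            problems.append(f"{fqdn}: SRV port is {srv_targets[fqdn]}, expected 389")
        addrs = a_records.get(fqdn, [])
        if not addrs:
            problems.append(f"{fqdn}: SRV target has no host (A) record")
        for addr in addrs:
            try:
                ipaddress.IPv4Address(addr)
            except ipaddress.AddressValueError:
                problems.append(f"{fqdn}: invalid IPv4 address {addr!r}")
    # A host registered as a DC that is not on the expected list is worth a look too.
    for target in sorted(srv_targets):
        if target not in expected:
            problems.append(f"{target}: registered as a domain controller but not expected")
    return problems


if __name__ == "__main__":
    for p in verify_dc_registration(NETLOGON_SAMPLE, "example.microsoft.com", ["dc1", "dc2", "dc3"]):
        print(p)
```

Run against the sample with dc1, dc2 and dc3 expected, the only finding is dc3's malformed address; the same function also reports a missing SRV record for a DC that never registered and an SRV target that is not on the expected list.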

• In some cases, you might need to modify the Lightweight Directory Access Protocol (LDAP) server name if you are using a non-domain controller as an LDAP server for your network.
• The Net Logon service on each domain controller registers, as appropriate, a number of different DNS resource records with DNS servers. To learn more about these records and how Net Logon updates DNS, obtain additional technical information on DNS available from the Microsoft Web site.

To configure a new DNS server

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. If needed, add and connect to the applicable server in the console.
3. In the console tree, click the applicable DNS server.
   Where?
   o DNS/Applicable DNS server
4. On the Action menu, click Configure a DNS Server.
5. Follow the instructions in the Configure a DNS Server Wizard.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. For more information, see Related Topics.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If the DNS server is running locally, you do not need to perform step 2.
• As a best practice, use the checklist for installing a new DNS server. For more information, see Related Topics.
• When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} Property {1|0}

Value / Description

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config
    Specifies the configuration command.
{ZoneName|..AllZones}
    Specifies the name of the zone to be configured. To apply the configuration for all zones hosted by the specified DNS server, type ..AllZones.
Property
    Specifies the server property or zone property to be configured. There are different properties available for servers and zones. For a list of the available properties, at the command prompt, type: dnscmd /Config /help.
{1|0}
    Sets configuration options to either 1 (on) or 0 (off). Note that some server and zone properties must be reset as part of a more complex operation.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

• As a best practice, use the checklist for installing a new DNS server provided in the online Help. For more information, see Related Topics.
• When you finish configuring the server, you might need to complete additional tasks, such as enabling dynamic updates for its zones or adding resource records to its zones. For more information, see Related Topics.

To modify security for the DNS Server service on a domain controller

1. Open DNS.
2. In the console tree, right-click the applicable server, and then click Properties.
3. On the Security tab, modify the list of member users or groups that are allowed to administer the applicable server.

Notes

• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The security settings determine who can administer the server, but do not affect the ACLs for the zones and resource records hosted on the server. To apply security settings for DNS zones and resource records, see Related Topics.
• Active Directory access control lists (ACLs) are only supported for the DNS Server service when it is running on a domain controller.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To add a secondary server for an existing zone

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/Applicable DNS server
3. On the Action menu, click New Zone.
4. Follow the instructions in the New Zone Wizard. When adding the zone, select Secondary zone as the zone type.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If the DNS server is running locally, you do not need to perform step 2.
• In order to add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneAdd ZoneName /Secondary MasterIPaddress... [/file FileName]

Value / Description

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ZoneAdd
    Required. Adds a zone.
ZoneName
    Required. Specifies the fully qualified domain name (FQDN) of the secondary zone you are adding. The zone name must be the same as the primary zone from which the secondary zone is created.
/Secondary
    Required. Adds a secondary zone type.
MasterIPaddress...
    Required. Specifies one or more IP addresses for the master servers of the secondary zone, from which it copies zone data.
/file
    Specifies the command to use a file.
FileName
    Specifies the name of the file to use for creating the secondary zone.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help
• To add a secondary server for an existing zone, you need to have network access to the server acting as the master server for this server and its use of the zone. The master server acts as the source for zone data. It is contacted periodically to assist in renewing the zone and to transfer zone updates whenever they are needed.

To install a caching-only DNS server

1. To install a caching-only DNS server, install a DNS server on the server computer.
2. Do not configure the DNS server (as you might normally) to load any zones.
3. Verify server root hints are configured or updated correctly.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• Caching-only DNS servers do not host any zones and are not authoritative for a particular domain. They are DNS servers that build a local server cache of names learned while performing recursive queries on behalf of their clients. This information is then available from its cache when answering subsequent client queries.
• A caching-only DNS server can be valuable at a site where DNS functionality is needed locally but it is not administratively desirable to create a separate domain or zone for that location.
• It is strongly recommended that, when operating the computer as a DNS server, you manually configure TCP/IP and use a static IP address.

To restrict a DNS server to listen only on selected addresses

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. On the Interfaces tab, click Only the following IP addresses.
5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.
6. As needed, repeat the previous step to specify other server IP addresses to be enabled for use by this DNS server. If you need to remove an IP address from the list, click it and then click Remove.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.
• Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.
• Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.
• After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

Using a command line

1. Open Command Prompt.
2. Type: dnscmd ServerName /ResetListenAddresses [ListenAddress ...]

Value / Description

dnscmd
    Specifies the name of the command-line tool.
ServerName
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ResetListenAddresses
    Required. Resets the IP addresses of the interfaces on which the DNS server listens.
ListenAddress...
    Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd ServerName /ResetListenAddresses /help
• Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.
• Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.
• After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

To configure a DNS server to use forwarders

• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open the DNS snap-in.
2. In the console tree, click the applicable Domain Name System (DNS) server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. On the Forwarders tab, click Edit.
5. Type the IP address for the fully qualified domain name (FQDN) of a forwarder, and then click OK.

If the computer is joined to a domain. click Control Panel. Adds a zone. you can also type a period (. members of the Domain Admins group might be able to perform this procedure. you can change the number of seconds the DNS server will wait. Type: dnscmdServerName/ZoneAddZoneName/ForwarderMasterIPaddress . Problems associated with forwarders often result from inefficient configurations and overuse. select the Do not use recursion for this domain check box. click Start. Page 17 of 165 . If you disable recursion on the DNS server. • Using a command line 1. In Number of seconds before forward queries time out. As a security best practice. By default.. double-click Administrative Tools. and then double-click DNS. To open DNS. You can disable recursion for the DNS server so that it will not perform recursion on any query. you will not be able to use forwarders on the same server. 2. or you must have been delegated the appropriate authority. You can also type the IP address of the DNS server.). • • • • Do not enter a forwarder's IP address more than once in a DNS server's forwarders list because it is a more reliable or geographically closer server. consider using Run as to perform this procedure. To specify the DNS server on the local computer. Required. Required. you must be a member of the Administrators group on the local computer. it will attempt standard recursion. see Related Links.. the DNS server will wait 5 seconds for a response from one forwarder IP address before trying another forwarder IP address. Specifies the DNS host name of the DNS server. that forwarder should be ordered first in the series of forwarder IP addresses. If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail. [/TimeOut Time] [/Slave] Value Description dnscmd ServerName /ZoneAdd Specifies the name of the command-line tool. For more information about disabling recursion on the DNS server. 
Open Command Prompt.Notes • To perform this procedure. When the server has exhausted all forwarders. If one of the forwarders is preferred.

ZoneName | Required. Specifies the FQDN of the zone.
/Forwarder | Required. Specifies the command to configure a forwarder. When configuring forwarders on DNS servers running on Active Directory domain controllers, you must use /DsForwarder in place of /Forwarder. /DsForwarder will replicate the forwarder setting to all DNS servers running on domain controllers in an Active Directory domain.
MasterIPaddress... | Required. Specifies a space-separated list of one or more IP addresses of the DNS servers where queries for ZoneName are forwarded. You may specify a list of space-separated IP addresses.
/TimeOut | Specifies the timeout setting. The timeout setting is the number of seconds before unsuccessful forward queries time out. The default timeout is 5 seconds.
Time | Specifies the value for the /TimeOut parameter. The value Time is in seconds.
/Slave | Determines whether or not the DNS server uses recursion when querying for the domain name specified by ZoneName.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Links.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help
• To view a zone added for use as only a conditional forwarder, use the following command: dnscmd ServerName /ZoneInfo ZoneName
• To reset the forwarder IP addresses for a conditional forwarder domain name, type: dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [ServerIPs]
  The /Local parameter sets the local master list for Active Directory-integrated forwarders, and the ServerIPs parameter is the list of one or more IP addresses of master servers for the zone. Master servers may

include DNS servers that host primary or secondary copies of the zone, but they should not include DNS server IP addresses in such a way that two DNS servers hosting copies of a zone use each other as master servers.
• To reset the standard, nonconditional forwarder for a DNS server, type: dnscmd ServerName /ResetForwarders [IPAddress ...] [/[No]Slave] [/TimeOut Time]
  The parameter IPAddress is the IP address where the DNS server will forward unsolvable DNS queries. The /Slave parameter sets the DNS server as a subordinate server. The /NoSlave parameter (default setting) sets the DNS server as a nonsubordinate server, meaning that it will perform recursion. The /Timeout and Time parameters are described in the table above.
• You cannot use a domain name in a conditional forwarder if the DNS server hosts a primary, secondary, or stub zone for that domain name. For example, if a DNS server is authoritative for the domain name example.microsoft.com (hosts the primary zone for that domain name), you cannot configure that DNS server with a conditional forwarder for example.microsoft.com. Such a configuration would make the forwarding path cyclical.
• Problems associated with forwarders often result from inefficient configurations and overuse.

To create the default DNS application directory partitions
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. Click Create Default Application Directory Partitions.
4. Follow the instructions to create the DNS application directory partitions.

Notes
• By default, only members of the Enterprise Admins group can create a DNS application directory partition.

• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure. If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.
• Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain controller hosting the default DNS application directory partitions. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller.
• The following table describes the options available when creating the DNS default application directory partitions.

Option | Partition name | Description
DNS application directory partition for each domain in the forest | DomainDnsZones.DnsDomainName | Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.
DNS application directory partition for the entire forest | ForestDnsZones.DnsForestName | Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the forest.

• For more information about creating and deleting an application directory partition, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /CreateBuiltinDirectoryPartitions {/Domain|/Forest|/AllDomains}

Value | Description
dnscmd | Specifies the name of the command-line tool.
ServerName | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/CreateBuiltinDirectoryPartitions | Required. Creates a default application directory partition.
{/Domain|/Forest|/AllDomains} | Required. Specifies which default application directory partition to create. Do one of the following: To create a default domain-wide DNS application directory partition for the Active Directory domain where the specified DNS server is located, type /Domain. To create a default forest-wide DNS application directory partition for the Active Directory forest where the specified DNS server is located, type /Forest. To create a default domain-wide DNS application directory partition on a DNS server in each domain in the Active Directory forest where the user running this command is logged on, type /AllDomains. The ServerName parameter is ignored for /AllDomains. The computer on which this command is run must be joined to a domain in the forest where you want to create all of the default domain-wide application directory

partitions.

Notes
• To view the complete syntax for this command, at a command prompt, type: dnscmd /CreateDirectoryPartition /?
• By default, only members of the Enterprise Admins group can create a DNS application directory partition.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions using this procedure. If the default DNS application directory partitions are currently available in Active Directory, the option to create the default application directory partitions in the DNS console will not be available.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• The following table describes the options available when creating the DNS default application directory partitions.

Option | Partition name | Description
DNS application directory partition for each domain in the forest | DomainDnsZones.DnsDomainName | Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the domain. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.
DNS application directory partition for the entire forest | ForestDnsZones.DnsForestName | Create a single application directory partition that stores DNS zone data and replicates that data to all DNS servers in the forest. It contains all the DNS servers running on the domain controllers in the forest. DNS zones stored in this application directory

partition are replicated to all DNS servers running on domain controllers in the forest.
• Once the default DNS application directory partitions are created, Net Logon will register domain controller locator (Locator) DNS resource records on behalf of the domain hosting the default DNS application directory partitions. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for any application directory partitions hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for any domain hosted on a domain controller.
• For more information about creating and deleting an application directory partition, see Related Topics.

To create a DNS application directory partition
1. Open Command Prompt.
2. Type: dnscmd ServerName /CreateDirectoryPartition FQDN

Value | Description
dnscmd | Specifies the name of the command-line tool.
ServerName | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/CreateDirectoryPartition | Required. Creates a DNS application directory partition.
FQDN | Required. Specifies the name of the new DNS application directory partition. You must use a DNS fully qualified domain name (FQDN).

Notes

• By default, only members of the Enterprise Admins group can create a DNS application directory partition.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /CreateDirectoryPartition /?

To enlist a DNS server in a DNS application directory partition
1. Open Command Prompt.
2. Type: dnscmd ServerName /EnlistDirectoryPartition FQDN

Value | Description
dnscmd | Specifies the name of the command-line program.
ServerName | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/EnlistDirectoryPartition | Required. Enlists a DNS server in a DNS application directory partition.
FQDN | Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /EnlistDirectoryPartition /?
• For more information about creating and deleting an application directory partition, see Related Topics.

To remove a DNS server from a DNS application directory partition
1. Open Command Prompt.
2. Type: dnscmd ServerName /UnenlistDirectoryPartition FQDN

Value | Description
dnscmd | Specifies the name of the command-line program.
ServerName | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/UnenlistDirectoryPartition | Required. Removes a DNS server from a DNS application directory partition.
FQDN | Required. Specifies the fully qualified domain name (FQDN) of the DNS application directory partition from which you are removing the DNS server specified by ServerName.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /UnenlistDirectoryPartition /?
• For more information about creating and deleting an application directory partition, see Related Topics.

Install and configure clients
• Configure DNS for static clients
• Enable DNS for DHCP-enabled clients
• Configure the primary DNS suffix for a client computer
• Preload the client resolver cache
• Display and view a client resolver cache using the ipconfig command
• Flush and reset a client resolver cache using the ipconfig command
• Renew DNS client registration using the ipconfig command

To configure DNS for static clients
• To configure DNS for clients with statically configured IP addresses, you likely need to configure the following:
1. DNS host name (or names) for the client computer.
2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names.
3. A list of DNS suffixes to be appended for use in completing unqualified DNS names, which are used for searching and submitting DNS queries at the client for resolution.
4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server.

Notes

• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, mycompany. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry. For more information, see Related Topics.
• By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.
• For more information about how to configure DNS for static clients not running Windows XP, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for these clients.

To enable DNS for DHCP-enabled clients
• To configure DNS for clients with dynamically configured IP addresses provided by a DHCP server, you generally need to configure the following at either the DHCP server or applicable clients:
1. DNS host name (or names) for the client computer. For DHCP clients, this must be set at the client computer or assigned during unattended setup.
2. Primary and alternate DNS servers that the client uses to assist in resolving DNS domain names. For DHCP clients, this can be set by assigning the DNS server option (option 6) and providing a configured list of ordered IP addresses for the DNS servers that the client is configured to use.
3. A list of DNS suffixes to be appended for use in completing unqualified DNS names used for searching and submitting DNS queries at the client for resolution. For DHCP clients, this can be set by assigning the DNS domain name option (option 15) and providing a single DNS suffix for the client to append and use in searches. To configure additional DNS suffixes, configure TCP/IP manually for DNS configuration.

4. Connection-specific dynamic update and registration behavior, such as whether specific network adapters installed at the client dynamically register their configured IP addresses with a DNS server. For DHCP clients, the default is for client connections to register their configured IP addresses with a DNS server. To modify this behavior at the client, configure TCP/IP manually for DNS configuration.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, mycompany. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry. For more information, see Related Topics.
• By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Related Topics.
• For more information on how to configure other DNS for DHCP clients, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor.

To configure the primary DNS suffix for a client computer
1. Open System in Control Panel.
2. Click the Computer Name tab. This tab displays the computer name, the workgroup or domain to which it belongs, and a brief description of the computer.
3. Click Change, and then click More.
4. In DNS Suffix and NetBIOS Computer Name, do the following: For Primary DNS suffix of this computer, specify the DNS suffix

to be appended to the name of this computer when completing its fully qualified domain name (FQDN).
5. After applying these changes, restart the computer to initialize it with its new DNS domain name.
6. If the computer has been previously installed and configured as a DNS server, verify that zone authority records are updated, substituting the new FQDN to replace the single label name previously in use. These include the start of authority (SOA) and name server (NS) resource records.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open System, click Start, point to Settings, and then click Control Panel. In Control Panel, double-click System.
• By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined. To allow different primary DNS suffixes, a domain administrator can create a restricted list of allowed suffixes by modifying the msDS-AllowedDNSSuffixes attribute in the domain object container. This attribute is managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP). For more information, see Related Topics.
• For more information about how to configure the primary DNS suffix for other clients and servers, see the applicable TCP/IP or DNS documentation provided by the appropriate vendor for your other clients.

To preload the client resolver cache
1. At the client computer, open Command Prompt.
2. At the command prompt, type the following command: notepad %systemroot%\system32\drivers\etc\hosts
3. Using the default entry in the file (a mapping for the local host to the loopback IP address, 127.0.0.1), add additional host name-to-address mappings on separate lines to be preloaded into the resolver cache of the client. For example, you might add:

   10.0.0.1 host-a host-a.example.microsoft.com
   Every line in the Hosts file should contain an IP address followed by one or more host names. For example, you could add a line such as the following with an IP address (10.0.0.1) that maps to more than one DNS host name:
   10.0.0.1 host-a.example.microsoft.com host-b.example.microsoft.com
   Likewise, a single DNS host name can correspond to more than one IP address if each of the addresses is mapped and used in separate lines. For example, you could add lines for the following multi-homed or multi-addressable DNS host computer:
   10.0.0.1 host-a.example.microsoft.com
   10.0.0.2 host-a.example.microsoft.com
   10.0.0.3 host-a.example.microsoft.com
4. On the File menu, click Save, and then Exit.
5. As an option, you can verify that your changes have been updated in the resolver cache by viewing its contents.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To open Notepad, click Start, point to All programs, point to Accessories, and then click Notepad.
• Entries you add are always answered first from the local resolver cache and not sent to the DNS query when queries are made locally to resolve these names to host (A) resource records.
• When multiple names or IP addresses are used in the file, the DNS Client service must be running for all entries to be returned or used in answering queries. If the DNS Client service is not running, only the first entry in the file is used to resolve the query.
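As an added example that is not part of the original documentation, the following PowerShell function reads a Hosts file the way the notes above describe the resolver using it: it reports the first address listed for each name (the only answer returned when the DNS Client service is not running) next to every address mapped to that name, and flags non-loopback mappings and names on a watch list, which is how an administrator can confirm that nothing in the file silently overrides the configured DNS servers. The file path, the watch list and the sample lines are constructed assumptions for this demonstration.

```powershell
# Added example, not part of the original documentation. Parses a Hosts file in
# the standard format described above (one IP address followed by one or more
# host names per line, '#' starts a comment) and reports what the resolver
# cache would be preloaded with. Path, watch list and sample data are assumptions.
function Get-HostsPreloadReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Names that should be answered by DNS rather than by a local mapping.
        # Constructed for this example; a real list would hold your own critical names.
        [string[]]$Watch = @('intranet.example.com')
    )
    $firstAnswer = @{}   # name -> first address in file order (only answer when DNS Client is stopped)
    $allAnswers  = @{}   # name -> every address in file order (all returned when the service runs)
    $lineNo = 0
    foreach ($raw in (Get-Content -Path $Path)) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()          # drop comments and surrounding whitespace
        if ($line.Length -eq 0) { continue }
        $fields = $line -split '\s+'
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$parsed)) {
            Write-Warning "Line ${lineNo}: '$($fields[0])' is not an IP address; the line is ignored"
            continue
        }
        if ($fields.Count -lt 2) {
            Write-Warning "Line ${lineNo}: no host name follows $($fields[0]); the line is ignored"
            continue
        }
        $address = $parsed.ToString()
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $key = $name.ToLowerInvariant()
            if (-not $allAnswers.ContainsKey($key)) {
                $allAnswers[$key]  = @()
                $firstAnswer[$key] = $address          # first line wins when the service is stopped
            }
            $allAnswers[$key] += $address
        }
    }
    foreach ($key in ($allAnswers.Keys | Sort-Object)) {
        $first = [System.Net.IPAddress]::Parse($firstAnswer[$key])
        [pscustomobject]@{
            Name        = $key
            FirstAnswer = $firstAnswer[$key]
            AllAnswers  = ($allAnswers[$key] -join ' ')
            MultiHomed  = ($allAnswers[$key].Count -gt 1)
            # An unmodified Hosts file only maps the local host to loopback; anything
            # else is a local mapping that is answered before the DNS servers are asked.
            Override    = -not [System.Net.IPAddress]::IsLoopback($first)
            Watched     = ($Watch -contains $key)
        }
    }
}

# Constructed sample input echoing the entries shown in the procedure above;
# the last two lines are deliberately odd so the report has something to flag.
$sample = @'
127.0.0.1    localhost
10.0.0.1     host-a.example.microsoft.com host-b.example.microsoft.com
10.0.0.2     host-a.example.microsoft.com
10.0.0.3     host-a.example.microsoft.com
192.0.2.10   intranet.example.com   # constructed local override of a watched name
not-an-ip    broken.example
'@
$samplePath = Join-Path ([System.IO.Path]::GetTempPath()) 'hosts-sample.txt'
Set-Content -Path $samplePath -Value $sample
Get-HostsPreloadReport -Path $samplePath | Format-Table -AutoSize
```

Run against the real file with -Path "$env:SystemRoot\system32\drivers\etc\hosts" to see exactly which names ipconfig /displaydns will show as preloaded; host-a.example.microsoft.com is reported with FirstAnswer 10.0.0.1 and all three addresses, and intranet.example.com is the only row with both Override and Watched set.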

To display and view a client resolver cache using the ipconfig command
1. Open Command Prompt.
2. Type: ipconfig /displaydns

Value | Description
ipconfig | The name of the command-line program.
/displaydns | The command to display a client resolver cache.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: ipconfig /help
• To pause the display of the command output to one screen at a time, type ipconfig /displaydns|more.
• The ipconfig /displaydns command provides you with a means to view the contents of the DNS client resolver cache, which includes entries preloaded from the local Hosts file, as well as any recently obtained resource records for name queries resolved by the system. This information is used by the DNS Client service to quickly resolve frequently queried names before it queries its configured DNS servers.
• When the ipconfig /displaydns command is used to display current resolver cache contents, the resultant output generally includes the local host and loopback IP address (127.0.0.1) mappings. This is because these mappings typically exist in the default (unmodified) contents of the local Hosts file.

• After you add host mapping entries to the local Hosts file and save the file, these entries are added to the displayed output of this command. For more information, see Related Topics.
• The resolver cache can also support negative caching of unresolved or non-valid DNS names. These entries are added by the DNS Client service when it receives a negative answer from a DNS server for a queried name. The negative result is cached for a short period of time so that it is not again queried, which could cause query performance problems. During DNS troubleshooting, you can flush and reset the cache to discard negative entries from the cache and any other dynamically added entries that were not preloaded. For more information, see Related Topics.
• Although the ipconfig command is provided for earlier versions of Windows, the /displaydns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

To flush and reset a client resolver cache using the ipconfig command
1. Open Command Prompt.
2. Type: ipconfig /flushdns

Value | Description
ipconfig | The name of the command-line program.
/flushdns | The command to flush and reset a client resolver cache.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• To view the complete syntax for this command, at a command prompt, type: ipconfig /help
• The ipconfig /flushdns command provides you with a means to flush and reset the contents of the DNS client resolver cache. During DNS troubleshooting, if necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries.
• Resetting the cache does not eliminate entries that are preloaded from the local Hosts file. To eliminate those entries from the cache, remove them from this file. For more information, see Related Topics.
• Although the ipconfig command is provided for earlier versions of Windows, the /flushdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.

To renew DNS client registration using the ipconfig command
1. Open Command Prompt.
2. Type: ipconfig /registerdns

Value | Description
ipconfig | The name of the command-line program.
/registerdns | The command to renew DNS client registration.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

• To view the complete syntax for this command, at a command prompt, type: ipconfig /help
• An additional command to /registerdns is to type: ipconfig /registerdns [adapter]
  Where adapter is the name of a specific network adapter installed on the computer for which you want to renew or update registrations. To learn the names of adapters that you can optionally specify with this command, first type the ipconfig command by itself (that is, do not specify any additional parameters). The command output displays all adapters by name that are available for use at the computer.
• The ipconfig /registerdns command provides you with a means to manually initiate dynamic registration for the DNS names and IP addresses configured at a computer. This option can assist in troubleshooting a failed DNS name registration or in resolving a dynamic update problem between a client and the DNS server without restarting the client. By default, the ipconfig /registerdns command refreshes all DHCP address leases and registers all related DNS names configured and used by the client computer.
• On computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems, the DHCP Client service is used to perform dynamic registrations and updates, regardless of whether the computer uses a DHCP server or static configuration to obtain its IP address.
• Although the ipconfig command is provided for earlier versions of Windows, the /registerdns option is only available for use on computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems.
• If you are troubleshooting a failed DNS dynamic registration for a client computer and its DNS names, it might help to verify that the cause is not related to one of the following commonly known causes for such failures:
  1. The DNS servers that the client is configured to use do not support or recognize the DNS dynamic update protocol.
  2. The zone where the client requires update or registration is not able to accept dynamic updates.

  3. The primary (or directory-integrated) DNS server for the zone refused the update request. This can most likely occur because the client is not permitted under current zone or resource records security sufficient access rights to update its own name.
  4. The server or zone is not available because of other problems, such as a network or server failure.

Manage servers
• Open the DNS console
• Start or stop a DNS server
• Add a server to the DNS console
• Remove a server from the DNS console
• Manually update server data files
• Change the boot method used by the DNS server
• Change the name-checking method used by the DNS server
• Restrict NS resource record registration
• Allow NS record creation for specific domain controllers
• Restrict DNS resource records updated by Netlogon

To open the DNS console
• Open DNS.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• The DNS console is an administrative tool for managing DNS servers running Windows Server 2003 family operating systems only. For more information, see Related Topics.

To start or stop a DNS server
1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/Applicable DNS server
3. On the Action menu, point to All Tasks, and then click one of the following:
   o To start the service, click Start.
   o To stop the service, click Stop.
   o To interrupt the service, click Pause.
   o To stop and then automatically restart the service, click Restart.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• After you pause or stop the service, on the Action menu, in All Tasks, you can click Resume to immediately resume service.
• When using registry-based configuration, changes are applied to DNS servers only when the DNS Server service is re-initialized. In these cases, if a DNS value is manually changed directly in the

registry, the DNS Server service must always be restarted for the new value to be used.
• The DNS console is a Microsoft Management Console (MMC) administrative tool for managing DNS servers running Windows Server 2003 operating systems only. If you use the Windows Server 2003 DNS console to administer a Windows 2000 DNS server, any new features will not be available when viewing the Windows 2000 DNS server. For more information, see Related Topics.

To add a server to the DNS console
1. Open DNS.
2. On the Action menu, click Connect To DNS Server.
3. In Connect to DNS Server, click either:
   o This computer, if the server you want to connect to and manage is located on the same computer you are using to manage it.
   o The following computer, if the server you want to connect to and manage is located on a remote computer. If you choose to connect to a remote server, specify either its DNS computer name or its IP address.
4. Select the Connect to the specified computer now check box, and then click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To remove a server from the DNS console
1. Open DNS.

If the computer is joined to a domain. Where? o DNS/applicable DNS server 3. 4. To open DNS. consider using Run as to perform this procedure. Where? o DNS/applicable DNS server 3. As a security best practice. 2. On the Action menu. When prompted to confirm you want to delete this server from the list. click Start. If the computer is joined to a domain. On the Action menu. and then double-click DNS. Open DNS. click Update Server Data Files. click Delete. members of the Domain Admins group might be able to perform this procedure. or you must have been delegated the appropriate authority. In the console tree. and then double-click DNS. members of the Domain Admins group might be able to perform this procedure. As a security best practice. click Start. consider using Run as to perform this procedure. you must be a member of the Administrators group on the local computer. click OK. double-click Administrative Tools.2. click the applicable DNS server. click the applicable DNS server. or you must have been delegated the appropriate authority. • To manually update server data files • • Using the Windows interface Using a command line Using the Windows interface 1. you must be a member of the Administrators group on the local computer. click Control Panel. To open DNS. Notes • To perform this procedure. Notes • To perform this procedure. In the console tree. double-click Administrative Tools. Page 38 of 165 • . click Control Panel.

and then click Command prompt. If the computer is joined to a domain. members of the Domain Admins group might be able to perform this procedure. point to All programs. • Using a command line 1. Notes • To perform this procedure. you can also type a period (. You can also type the IP address of the DNS server. point to Accessories. Specifies the fully qualified domain name ZoneName (FQDN) of the zone you are updating. at a command prompt. Open Command Prompt. This procedure requires the Dnscmd Windows support tool. As a security best practice. To update Active Directory-integrated zones.• For standard primary zones. or you must have been delegated the appropriate authority. Normally these changes are only written at predefined update intervals and when the DNS server is shut down. Type: Dnscmd ServerName /ZoneUpdateFromDs ZoneName Value Description dnscmd ServerName Specifies the name of the command-line tool. To view the complete syntax for this command. type: dnscmd/ZoneUpdateFromDs/help • • • Page 39 of 165 . / Required.). consider using Run as to perform this procedure. Updates the zone file with data from Active ZoneUpdateFro Directory. To specify the DNS server on the local computer. mDs Required. Required. click Start. 2. For information about installing Windows support tools. you must be a member of the Administrators group on the local computer. this procedure does not apply. see the command-line procedure below. see Related Topics. For Active Directory-integrated zones. Specifies the DNS host name of the DNS server. this procedure causes the DNS server to immediately write its in-memory changes out to disk for storage with the zone file. To open a command prompt.

Open DNS. or From Active Directory and registry. If you use the file method. or you must have been delegated the appropriate authority. DNS servers use information stored in the registry to initialize for service and load any zone data for use at the server. Multibyte (UTF8). you must be a member of the Administrators group on the local computer. then click Properties. 2. select From registry. you can configure the DNS server to boot from a file or. Non RFC (ANSI). the file used must be a text file named Boot. click Control Panel. Page 40 of 165 . By default. Click the Advanced tab. Click the Advanced tab. members of the Domain Admins group might be able to perform this procedure. see the Windows interface procedure above. 4. For standard zones. Open DNS. in Active Directory environments. In the console tree. double-click Administrative Tools.• The command-line procedure updates Active Directory-integrated zones only. 4. consider using Run as to perform this procedure. As added options. To open DNS. In the Load zone data on startup list. 3. or All names. 2. right-click the applicable DNS server. click Start. 3. right-click the applicable DNS server. • • To change the name-checking method used by the DNS server 1. As a security best practice. From file. select Strict RFC (ANSI). In the Name checking list. you can supplement local registry data with zone data retrieved for directory-integrated zones stored in the Active Directory database. located on this computer in the systemroot\Windows\System32\Dns folder. To change the boot method used by the DNS server 1. If the computer is joined to a domain. In the console tree. Notes • To perform this procedure. and then double-click DNS. then click Properties.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the server uses Multibyte (UTF8) to check names. The DNS Server service supports different possible methods for checking the names it receives and processes during normal operations:
o Strict RFC (ANSI): This method strictly enforces RFC-compliant naming rules for all DNS names that the server processes. Names that are not RFC-compliant are treated as erred data by the server.
o Non RFC (ANSI): This method allows names that are not RFC-compliant to be used with the DNS server, such as names that use ASCII characters but are not compliant with RFC host naming requirements.
o Multibyte (UTF8): This method allows names that use the Unicode 8-bit translation encoding scheme, which is a proposed RFC draft, to be used with the DNS server.
o All names: Allows Non RFC (ANSI), Strict RFC (ANSI), and Multibyte (UTF8) naming conventions.
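The four Name checking methods described above, modelled in Python as an added example (not Microsoft's code): the rule applied for each method is an assumed reading of the descriptions, the 63-byte label and 253-byte name limits come from RFC 1035, and the sample names are constructed.

```python
"""Model of the four Name checking methods of the DNS Server service.

Added example for this page, not Microsoft code.  The server only exposes
the setting; the rules below are an assumed reading of the descriptions:
  Strict RFC (ANSI)  letters, digits and hyphen per RFC 1035, no leading or
                     trailing hyphen in a label
  Non RFC (ANSI)     any printable 7-bit ASCII label (underscores and so on)
  Multibyte (UTF8)   any printable label that encodes as UTF-8
  All names          a name accepted by any of the three methods above
"""
from __future__ import annotations

import re
from typing import Optional

STRICT_RFC = "Strict RFC (ANSI)"
NON_RFC = "Non RFC (ANSI)"
MULTIBYTE = "Multibyte (UTF8)"
ALL_NAMES = "All names"

MAX_LABEL_BYTES = 63    # RFC 1035 label limit
MAX_NAME_BYTES = 253    # RFC 1035 name limit in presentation form

# RFC 1035 host label: alphanumerics and hyphen, not starting or ending with "-"
_STRICT_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _labels(name: str) -> list[str]:
    # A trailing dot marks a fully qualified name; it is not a label.
    return (name[:-1] if name.endswith(".") else name).split(".")


def _label_ok(label: str, method: str) -> bool:
    try:
        raw = label.encode("utf-8")
    except UnicodeEncodeError:          # lone surrogate: not valid UTF-8
        return False
    if not 0 < len(raw) <= MAX_LABEL_BYTES or not label.isprintable():
        return False
    if method == STRICT_RFC:
        return _STRICT_LABEL.match(label) is not None
    if method == NON_RFC:
        return label.isascii()
    if method in (MULTIBYTE, ALL_NAMES):
        return True                     # any printable UTF-8 label
    raise ValueError(f"unknown name-checking method: {method!r}")


def check_name(name: str, method: str) -> bool:
    """True if the server would accept `name` under the given method."""
    if not name or len(name.encode("utf-8", "replace")) > MAX_NAME_BYTES:
        return False
    return all(_label_ok(label, method) for label in _labels(name))


def strictest_method(name: str) -> Optional[str]:
    """Least permissive method (Strict, then Non RFC, then Multibyte) that
    still accepts `name`; None if the name fails every method."""
    for method in (STRICT_RFC, NON_RFC, MULTIBYTE):
        if check_name(name, method):
            return method
    return None


def check_wire_name(raw: bytes, method: str) -> bool:
    """Check a name received as bytes; undecodable bytes are erred data
    under every method, including Multibyte (UTF8)."""
    try:
        return check_name(raw.decode("utf-8"), method)
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one accepted per method, one that only the
    # non-RFC methods accept, and one that fails every method.
    for sample in ("host1.example.com", "my_host.example.com",
                   "bücher.example.com", "-bad.example.com",
                   "a" * 64 + ".example.com"):
        print(f"{sample:32} -> {strictest_method(sample)}")
```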

you must be a member of the Administrators group on the local computer. This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry. As a security best practice. If the computer is joined to a domain. To open Registry Editor. and then click OK. query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are from an authoritative DNS server. Add the following REG_DWORD value: DisableNSRecordsAutoCreation 4. members of the Domain Admins group might be able to perform this procedure. Open Command Prompt. The REG_DWORD value is a local DNS server setting and applies to DNS zones for which this DNS server is authoritative. Regardless of the settings of these registry entries. 2. Assign a value of 0x1. If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones.Configuration startup option if you encounter problems after manual changes have been applied. click Start. This procedure restricts NS resource records registered for Active Directory domain controllers only. To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone. consider using Run as to perform this procedure. In Registry Editor. The registry key entry described here does not exist by default and must be created and configured according to this procedure. Caution Page 42 of 165 . Notes • To perform this procedure. or you must have been delegated the appropriate authority. any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted. • • • • • • Using a command line 1. type regedit. you may assign a value of 0x0 or enter no value (default setting). navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Paramete rs 3. click Run.

Before making changes to the registry. point to Accessories. For information about installing Windows support tools. To specify the DNS server on the local computer. click Start. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied. at a command prompt. Incorrectly editing the registry may severely damage your system. consider using Run as to perform this procedure. type a value of 0x0. you can also type a period (. You can also type the IP address of the DNS ServerName server. / Determines the local DNS server configuration DisableNSRecordsAutoC for registering NS resource records for reation authoritative zones. Notes • To perform this procedure.o In this procedure you will be editing the registry. members of the Domain Admins group might be able to perform this procedure. 2. you must be a member of the Administrators group on the local computer. see Related Topics. type: Page 43 of 165 • • • • . This procedure requires the Dnscmd Windows support tool. Type: dnscmdServerName/Config/DisableNSRecordsAutoCreation 0x1 Value Description dnscmd Specifies the name of the command-line tool. and then click Command prompt. you should back up any valued data on the computer. As a security best practice. Specifies the DNS host name of the DNS server.). To view the complete syntax for this command. or you must have been delegated the appropriate authority. If the computer is joined to a domain. To open a command prompt. This procedure restricts NS resource records registered for Active Directory domain controllers only. point to All programs. /Config Specifies the configuration command. Specifies that the DNS server specified in ServerName should not add NS resource records for authoritative zones. 0x1 To specify that the DNS server should add NS resource records for all its authoritative zones.

query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are authoritative. Regardless of the settings above. Important o This procedure applies to domain controller name server (NS) resource records in Active Directory-integrated DNS zones that are hosted on DNS servers configured to not add these resource records for their authoritative zones. For more information. To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone. Page 44 of 165 . • • • • To allow NS resource record creation for specific domain controllers 1. Type: dnscmdServerName /Config ZoneName /AllowNSRecordsAutoCreation IpAddresses. This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry. see Related Topics. Regardless of a NS resource record registration setting. If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones.. any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.dnscmd /config /? • • The DWORD value is a local DNS server setting and applies to authoritative DNS zones hosted on this DNS server. you may assign a value of 0x0 or enter no value (default setting). The registry key entries described here do not exist by default and must be created and configured using this procedure. query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.. 2. Open Command Prompt.

see Default local groups. Required. specified in ZoneName. and then click Command prompt. click Start. For more information. NS resource records that reation were previously registered for this zone are not affected. Specifies the fully qualified ZoneName domain name (FQDN) of the zone.0 192.. type: dnscmd /Config /? • • • • If any domain controllers in the specified zone are not listed for IpAddresses..0. point to All programs. their names will be deleted from the NS resource records for the zone specified in ZoneName. or to clear the list of allowed DNS server IP Page 45 of 165 .168. This procedure requires the Dnscmd Windows support tool. Specifies the configuration /Config command. To specify that all domain controllers are allowed to add their names to NS resource records for the zone. Therefore..0. To view the complete syntax for this command. To specify the DNS server on the local computer. Specifies that domain controllers entered for Value will add their names to / NS resource records for the zone specified AllowNSRecordsAutoC in ZoneName. You can also type the IP ServerName address of the DNS server. consider using Run as to perform this procedure. For information about installing Windows support tools. at a command prompt.0.0. Required.16. Default groups.. you can also type a period (. Required.. 10.0. Specifies the DNS host name of the DNS server. Type a spaceseparated list of the IP addresses of the DNS servers. see Related Topics. To open a command prompt. Required. As a security best practice. point to Accessories. you must remove them manually if you do not want them. dnscmd Additional considerations • To perform this procedure.0 172. Specifies the IP addresses of the domain controllers that will add their names in NS resource records for the zone IpAddresses.). Required. and Using Run as.Value Description Specifies the name of the command-line program. For example. you must be a member of the DnsAdmins or the Domain Admins group in Active Directory.

addresses._tcp._sites. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied. specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service._tcp. Caution o Incorrectly editing the registry may severely damage your system.. navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N etlogon\Parameters 3.<DnsDomainName> _ldap._msdcs. query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers. The list of data include: Resou rce Data Value Recor DNS Resource Record d Type LdapIpAddre A <DnsDomainName> ss Ldap SRV _ldap. In Registry Editor.pdc._sites..<SiteName>.gc.: dnscmdServerName/ConfigZoneName/AllowNSRecordsAutoCreation • Regardless of the settings above._msdcs. Add the following multi-string value (REG_MULTI_SZ) value: DnsAvoidRegisterRecords 4.<DnsForestName> GcAtSite SRV _ldap. you should back up any valued data on the computer.<DnsDomainNa LdapAtSite SRV me> Pdc SRV _ldap._tcp._tcp.<SiteName>. Open Registry Editor. Before making changes to the registry._msdcs. In this value._tcp.gc.<DnsF Page 46 of 165 . 2. type the command and omit IpAddresses.<DnsDomainName> Gc SRV _ldap. To restrict the DNS resource records updated by the Net Logon service 1.

<DnsDomain SRV tSite Name> GenericGc SRV _gc._msdcs. then appropriate DNS updates may take place with a short delay._sites. click Start._msdcs.dc._tcp.<DnsForestName> E Kdc SRV _kerberos.dc. type regedit.<DnsDomainName> Kpwd Important • orestName> _ldap._msdcs.<D nsForestName> gc.<DnsDomainName> _kerberos. Page 47 of 165 • • . As a security best practice. consider using Run as to perform this procedure.<DnsForestName> Site Rfc1510Udp SRV _kerberos.<SiteName>.dc._tcp. click Run.<DnsDomainName> Rfc1510KdcA _kerberos._sites._sites. Notes • To perform this procedure. To open Registry Editor. and then click OK. or you must have been delegated the appropriate authority.<DnsForestName> This procedure restricts DNS resource records registered by the Net Logon service for Active Directory domain controllers only.dc.<DomainGuid>._msdcs. however. If the computer is joined to a domain.<DnsDomainName> Kdc Rfc1510Kpw SRV _kpasswd._tcp._sites._tcp._tcp. members of the Domain Admins group might be able to perform this procedure._udp._tcp. you must be a member of the Administrators group on the local computer.<SiteName>.DcByGuid SRV GcIpAddress A CNAM DsaCname <DsaGuid>._msdcs. the delay is no later than 15 minutes after the Net Logon service starts.<SiteName>._msdcs. Restart of the Net Logon service is not required to make the changes to this value effective._tcp._msdcs.<DnsForestName> GenericGcAt SRV _gc._tcp._tcp.domains.<Dns DcAtSite SRV DomainName> Rfc1510Kdc SRV _kerberos.<DnsDomainName> d Rfc1510Udp SRV _kpasswd.<DnsDomainName> _ldap._udp.<SiteName>._tcp. If the DnsAvoidRegisterRecords registry key is created or modified while the Net Logon service is stopped or within the first 15 minutes after it is started.< KdcAtSite SRV DnsDomainName> Dc SRV _ldap.
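As an added example (not Microsoft's code), the following Python expands the data values from the table above into the concrete records Net Logon would stop registering, and parses the REG_MULTI_SZ payload in the form the registry stores it; the domain, forest, site and GUID values, and the sample payload, are constructed.

```python
"""Expand DnsAvoidRegisterRecords mnemonics into the DNS records a domain
controller would otherwise register, and parse the REG_MULTI_SZ value.

Added example for this page, not Microsoft code.  The mnemonic table is the
one given in the procedure above; the domain, forest, site and GUID values
below are constructed placeholders.
"""
from __future__ import annotations

# mnemonic -> (resource record type, owner-name template)
RECORD_TEMPLATES = {
    "LdapIpAddress":    ("A",     "{DnsDomainName}"),
    "Ldap":             ("SRV",   "_ldap._tcp.{DnsDomainName}"),
    "LdapAtSite":       ("SRV",   "_ldap._tcp.{SiteName}._sites.{DnsDomainName}"),
    "Pdc":              ("SRV",   "_ldap._tcp.pdc._msdcs.{DnsDomainName}"),
    "Gc":               ("SRV",   "_ldap._tcp.gc._msdcs.{DnsForestName}"),
    "GcAtSite":         ("SRV",   "_ldap._tcp.{SiteName}._sites.gc._msdcs.{DnsForestName}"),
    "DcByGuid":         ("SRV",   "_ldap._tcp.{DomainGuid}.domains._msdcs.{DnsForestName}"),
    "GcIpAddress":      ("A",     "gc._msdcs.{DnsForestName}"),
    "DsaCname":         ("CNAME", "{DsaGuid}._msdcs.{DnsForestName}"),
    "Kdc":              ("SRV",   "_kerberos._tcp.dc._msdcs.{DnsDomainName}"),
    "KdcAtSite":        ("SRV",   "_kerberos._tcp.{SiteName}._sites.dc._msdcs.{DnsDomainName}"),
    "Dc":               ("SRV",   "_ldap._tcp.dc._msdcs.{DnsDomainName}"),
    "DcAtSite":         ("SRV",   "_ldap._tcp.{SiteName}._sites.dc._msdcs.{DnsDomainName}"),
    "Rfc1510Kdc":       ("SRV",   "_kerberos._tcp.{DnsDomainName}"),
    "Rfc1510KdcAtSite": ("SRV",   "_kerberos._tcp.{SiteName}._sites.{DnsDomainName}"),
    "GenericGc":        ("SRV",   "_gc._tcp.{DnsForestName}"),
    "GenericGcAtSite":  ("SRV",   "_gc._tcp.{SiteName}._sites.{DnsForestName}"),
    "Rfc1510UdpKdc":    ("SRV",   "_kerberos._udp.{DnsDomainName}"),
    "Rfc1510Kpwd":      ("SRV",   "_kpasswd._tcp.{DnsDomainName}"),
    "Rfc1510UdpKpwd":   ("SRV",   "_kpasswd._udp.{DnsDomainName}"),
}


def parse_multi_sz(raw: bytes) -> list[str]:
    """Split a REG_MULTI_SZ payload (UTF-16LE strings, each NUL-terminated,
    the list terminated by one more NUL) into its strings."""
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\0") if s]


def expand(mnemonics, placeholders: dict[str, str]) -> list[tuple[str, str]]:
    """Return (type, owner name) for each mnemonic; unknown mnemonics are
    rejected so that a typo is caught before the value reaches the registry."""
    records = []
    for m in mnemonics:
        if m not in RECORD_TEMPLATES:
            raise ValueError(f"unknown DnsAvoidRegisterRecords mnemonic: {m!r}")
        rtype, template = RECORD_TEMPLATES[m]
        records.append((rtype, template.format(**placeholders)))
    return records


def still_registered(avoided, placeholders):
    """Records Net Logon keeps registering after `avoided` is applied."""
    remaining = [m for m in RECORD_TEMPLATES if m not in set(avoided)]
    return expand(remaining, placeholders)


# Constructed values standing in for <DnsDomainName> and the other placeholders.
SAMPLE = {
    "DnsDomainName": "corp.example.com",
    "DnsForestName": "example.com",
    "SiteName": "Default-First-Site-Name",
    "DomainGuid": "11111111-2222-3333-4444-555555555555",
    "DsaGuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}
# Constructed REG_MULTI_SZ payload: suppress the global catalog records only.
SAMPLE_VALUE = "Gc\0GcAtSite\0GcIpAddress\0GenericGc\0GenericGcAtSite\0\0".encode("utf-16-le")

if __name__ == "__main__":
    avoided = parse_multi_sz(SAMPLE_VALUE)
    for rtype, name in expand(avoided, SAMPLE):
        print(f"not registered: {rtype:5} {name}")
    print(len(still_registered(avoided, SAMPLE)), "records still registered")
```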

Optimize servers
• Enable or disable fast transfer format during zone transfers
• Prevent loading of a zone when bad data is found
• Disable round-robin rotation for multihomed names
• Disable local subnet prioritization for multihomed names
• Restore server default preferences
• Disable recursion on the DNS server
• Update root hints on the DNS server
• Secure server cache against names pollution
• Clear the server names cache
• Modify DNSSEC configuration
• Modify EDNS0 configuration
• Modify UDP message size

To enable or disable fast transfer format during zone transfers
• Using the Windows interface
• Using a command line
Using the Windows interface
You can enable or disable fast transfer format during zone transfers using the Windows interface.
1. Open DNS.
2. In the console tree, click the applicable DNS server.
Where?
o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. Do one of the following:
o To enable the fast transfer format (the default), in the Server options list, clear the BIND secondaries check box, and then click OK.
o To disable the fast transfer format, in the Server options list, select the BIND secondaries check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format. DNS servers running versions of the Berkeley Internet Name Domain (BIND) server implementation prior to version 4.9.4 do not support the fast transfer format. You should enable the Bind secondaries option if you are transferring zones to BIND servers running versions earlier than 4.9.4.
Using a command line
You can enable or disable fast transfer format during zone transfers using a command line.
1. Open Command Prompt.
2. Type:
dnscmd ServerName /Config /BindSecondaries {1|0}
Value                            Description
dnscmd                           Specifies the name of the command-line tool.
ServerName                       Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                          Specifies the configuration command.
/BindSecondaries                 Specifies use of fast transfer format used by legacy Berkeley Internet Name Domain (BIND) servers.
{1|0}                            To disable fast transfer format when transferring a zone to legacy BIND DNS servers, type 1 (on). To enable fast transfer format, type 0 (off).
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd ServerName /Config /help
• The fast transfer format optimizes zone transfers between Windows-based DNS servers and other DNS server implementations, and it is enabled by default. Zone transfers between Windows-based DNS servers always use the fast transfer format. DNS servers running versions of the BIND server implementation earlier than version 4.9.4 do not support the fast transfer format. You should set BindSecondaries to 1 if you are transferring zones to BIND servers running versions earlier than 4.9.4.

To prevent loading of a zone when bad data is found
1. Open DNS.
2. In the console tree, click the applicable DNS server.
Where?
o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Fail on load if bad zone data check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To disable round-robin rotation for multihomed names
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
Where?
o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, clear the Enable round robin check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
dnscmd ServerName /Config /RoundRobin {1|0}
Value                            Description
dnscmd                           Specifies the name of the command-line tool.
ServerName                       Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                          Specifies the configuration command.
/RoundRobin                      Configures round robin rotation.
{1|0}                            To enable round robin, type 1 (on). To disable round robin, type 0 (off).
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To disable local subnet prioritization for multihomed names
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
Where?
o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, clear the Enable netmask ordering check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
Using a command line
1. Open Command Prompt.
2. Type:
dnscmd ServerName /Config /LocalNetPriority {1|0}
Value                            Description
dnscmd                           Specifies the name of the command-line tool.
ServerName                       Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                          Specifies the configuration command.
/LocalNetPriority                Configures netmask ordering.
{1|0}                            To enable netmask ordering, type 1 (on). To disable netmask ordering, type 0 (off).
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
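The effect of the Enable round robin (RoundRobin) and Enable netmask ordering (LocalNetPriority) options on a multihomed name, as an added Python model (not Microsoft's code) of the behaviour the two procedures above configure; the one-step rotation per query and the /24 subnet match are assumptions, and the zone data is constructed.

```python
"""How a multihomed name is answered under the two server options above:
"Enable round robin" (RoundRobin) and "Enable netmask ordering"
(LocalNetPriority).

Added example for this page, not Microsoft code.  It is an assumed model of
the documented behaviour: round robin rotates the answer list one step per
query, and netmask ordering moves addresses on the client's subnet to the
front (assumed /24, configurable).  Zone data is constructed.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, List


def order_answers(records: List[str], client_ip: str, *, round_robin: bool,
                  local_net_priority: bool, rotation: int,
                  prefix_len: int = 24) -> List[str]:
    """Order the A records of one name for one query."""
    addrs = [ipaddress.ip_address(a) for a in records]
    if round_robin and addrs:
        k = rotation % len(addrs)
        addrs = addrs[k:] + addrs[:k]            # rotate by the query count
    if local_net_priority:
        client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
        local = [a for a in addrs if a in client_net]
        addrs = local + [a for a in addrs if a not in client_net]  # stable split
    return [str(a) for a in addrs]


class DnsServer:
    """Minimal authoritative server keeping a per-name rotation counter."""

    def __init__(self, zone: Dict[str, List[str]], *, round_robin: bool = True,
                 local_net_priority: bool = True, prefix_len: int = 24):
        self.zone = zone
        self.round_robin = round_robin
        self.local_net_priority = local_net_priority
        self.prefix_len = prefix_len
        self._rotation: Dict[str, int] = {}

    def answer(self, name: str, client_ip: str) -> List[str]:
        key = name.lower().rstrip(".")           # names are case-insensitive
        records = self.zone.get(key, [])
        n = self._rotation.get(key, 0)
        self._rotation[key] = n + 1
        return order_answers(records, client_ip, round_robin=self.round_robin,
                             local_net_priority=self.local_net_priority,
                             rotation=n, prefix_len=self.prefix_len)


# Constructed zone: one name with three addresses on three /24 subnets.
ZONE = {"web.example.com": ["10.1.1.10", "10.1.2.10", "10.1.3.10"]}

if __name__ == "__main__":
    for rr, lnp in ((True, True), (True, False), (False, True), (False, False)):
        srv = DnsServer(ZONE, round_robin=rr, local_net_priority=lnp)
        print(f"RoundRobin={int(rr)} LocalNetPriority={int(lnp)}:")
        for _ in range(3):   # the same client on 10.1.3.0/24 asks three times
            print("   ", srv.answer("web.example.com", "10.1.3.5"))
```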

To restore server default preferences
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Clicking Reset to Default configures the DNS server with the initial configuration it had following installation. These settings are displayed in the table below.
Property                                        Setting
Disable recursion                               Off
BIND secondaries                                On
Fail on load if bad zone data                   Off
Enable round robin                              On
Enable netmask ordering                         On
Secure cache against pollution                  On
Name checking                                   Multibyte (UTF8)
Load zone data on startup                       From Active Directory and registry
Enable automatic scavenging of stale records    Off

To disable recursion on the DNS server
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. In Server options, select the Disable recursion check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

Using a command line
1. Open Command Prompt.
2. Type:
dnscmd ServerName /Config /NoRecursion {1|0}
Value                            Description
dnscmd                           Specifies the name of the command-line tool.
ServerName                       Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                          Required. Specifies the configuration command.
/NoRecursion                     Required. Specifies the command to disable recursion.
{1|0}                            Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on).
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
• By default, recursion is enabled.
• If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

To update root hints on the DNS server
1. Open DNS.
2. In the console tree, click the applicable DNS server.
Where?
o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Root Hints tab.
5. Modify server root hints as follows:
o To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.
o To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.
o To remove a root server from the list, select it in the list, and then click Remove.
o To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To secure server cache against names pollution
1. Open DNS.
2. In the console tree, click the applicable DNS server.
Where?
o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Secure cache against pollution check box, and then click OK.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The Secure cache against pollution option is enabled by default.

To clear the server names cache
• Using the Windows interface
• Using a command line
Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable DNS server.
Where?
o DNS/applicable DNS server
3. On the Action menu, click Clear Cache.
Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type the following command and then press ENTER:
   dnscmd ServerName /clearcache

   Value        Description
   dnscmd       Specifies the name of the command-line program. Required.
   ServerName   Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). Required.
   /clearcache  Specifies the command to clear the DNS server cache. Required.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To modify DNSSEC configuration

1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. Add the following DWORD entry: EnableDnsSec
4. Do one of the following:
   o To exclude DNSSEC resource records in query responses other than responses to requests for SIG, KEY or NXT resource records, assign a value of 0x0. Appropriate resource records will be included in responses to requests for SIG, KEY, or NXT resource records only.
   o To include DNSSEC resource records only in cases where the original client query contained the OPT resource record (according to RFC 2671), assign a value of 0x1 or do not create the value at all. The DNS server behaves the same if the value is 0x1 or if the entry does not appear in the registry.
   o To include the DNSSEC resource records in all query responses (according to RFC 2535), assign a value of 0x2.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• The value of the registry entry EnableDnsSec determines whether the DNS server will include or exclude DNSSEC resource records when it receives queries.

To modify EDNS0 configuration
• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry: EDNSCacheTimeout
4. To change the cache timeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days).
5. In the same registry subkey (Parameters), add the following DWORD entry: EnableEDNSProbes
6. Type 0x1 (DWORD) to have the DNS server probe other DNS servers to determine whether they support EDNS, or 0x0 to disable probing. With 0x0 the server still uses EDNS when another server requests it, so it includes an OPT resource record only in responses to EDNS0 requests that contained one.
7. Restart the DNS Server service.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• The value of the registry entry EDNSCacheTimeout determines how long the DNS server will keep information about the EDNS versions supported by other DNS servers that have responded to a query with an OPT resource record.

Using a command line

1. Open Command Prompt.
2. Type one of the following:
   dnscmd ServerName /Config /EDNSCacheTimeout Value
   dnscmd ServerName /Config /EnableEDNSProbes Value

   Value              Description
   dnscmd             Specifies the name of the command-line program. Required.
   ServerName         Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). Required.
   /Config            Specifies the command to configure the DNS server. Required.
   /EDNSCacheTimeout  Specifies the length of time the DNS server remembers the EDNS parameters remote servers report. Required in the first form.
   /EnableEDNSProbes  Specifies whether or not the DNS server probes other DNS servers to determine if they support EDNS. Required in the second form.
   Value              For /EDNSCacheTimeout, type a value in seconds between 3600 (1 hour) and 15724800 (182 days). For /EnableEDNSProbes, type 1 to configure the DNS server to probe other DNS servers and determine if they support EDNS. Type 0 to configure the DNS server to not probe remote servers for EDNS support. If you type 0, the DNS server will continue to use EDNS if other servers request it. Required.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
• For information about the current registry setting, type one of the following:
   dnscmd /Info /EDNSCacheTimeout
   dnscmd /Info /EnableEDNSProbes

To modify UDP message size

1. Open Registry Editor.
   Caution
   o Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
2. In Registry Editor, navigate to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. Add the following DWORD entry: MaximumUdpPacketSize
4. Type a maximum UDP packet size value in bytes. The default value is 1280 bytes. The value must be between 512 and 16384 in decimal format (200 and 4000 in hexadecimal format).
5. Restart the DNS Server service.

Caution
• When configuring the UDP packet size to be larger than 512 bytes, remember that UDP packets must travel through devices other than UDP hosts, such as routers and firewalls, and these devices may not support UDP packets larger than 512 bytes; larger datagrams may be fragmented or silently dropped on the way. It is recommended that you establish the maximum UDP packet length supported by all devices, and the path's MTU if possible, and configure your UDP hosts according to this maximum.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
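As an added example, not part of the original help topic, the following PowerShell script brings the registry procedures above (EnableDnsSec, EDNSCacheTimeout, EnableEDNSProbes and MaximumUdpPacketSize) together: it rejects values outside the ranges those procedures give, exports the Parameters key with reg.exe before changing anything, writes only the entries that differ, and restarts the DNS Server service once, and only if something changed. The function names, the backup location and the desired values (a 7-day EDNS cache, probing enabled, the 1280-byte default UDP size) are this example's own choices.

```powershell
# Added example (not from the original help topic): audit and set the DNS Server
# registry entries described above, with the value ranges the topic gives, a
# registry backup before any change, and one service restart if needed.
# Function names, backup path and the $Desired values are this example's own.
#Requires -RunAsAdministrator

$DnsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Allowed values as documented above. EnableDnsSec: 0x0, 0x1, 0x2.
# EDNSCacheTimeout: 3600..15724800 seconds. EnableEDNSProbes: 0 or 1.
# MaximumUdpPacketSize: 512..16384 bytes.
$Allowed = @{
    EnableDnsSec         = { param($v) $v -in 0, 1, 2 }
    EDNSCacheTimeout     = { param($v) $v -ge 3600 -and $v -le 15724800 }
    EnableEDNSProbes     = { param($v) $v -in 0, 1 }
    MaximumUdpPacketSize = { param($v) $v -ge 512 -and $v -le 16384 }
}

function Get-DnsParameter {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the entry is absent (for EnableDnsSec the server then
    # behaves as if the value were 0x1, as the topic states).
    $item = Get-ItemProperty -Path $DnsParameters -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Backup-DnsParameters {
    param([string]$Path = (Join-Path $env:TEMP "DNS-Parameters-$(Get-Date -Format yyyyMMdd-HHmmss).reg"))
    # reg.exe export writes a .reg file that 'reg import' can restore.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (exit code $LASTEXITCODE)" }
    return $Path
}

function Set-DnsParameter {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('EnableDnsSec', 'EDNSCacheTimeout', 'EnableEDNSProbes', 'MaximumUdpPacketSize')]
        [string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (& $Allowed[$Name] $Value)) {
        throw "$Name=$Value is outside the range documented for this entry"
    }
    $current = Get-DnsParameter -Name $Name
    if ($current -eq $Value) { return $false }   # already as desired, nothing to do
    if ($null -eq $current) {
        # Entry does not exist yet: create it as a DWORD, as the procedures require.
        New-ItemProperty -Path $DnsParameters -Name $Name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $DnsParameters -Name $Name -Value $Value
    }
    return $true
}

# Desired settings for this example (assumptions; adjust to your environment).
$Desired = @{
    EnableDnsSec         = 1        # the documented default behaviour
    EDNSCacheTimeout     = 604800   # remember peers' EDNS support for 7 days
    EnableEDNSProbes     = 1        # probe peers for EDNS support
    MaximumUdpPacketSize = 1280     # the documented default
}

$backup = Backup-DnsParameters
Write-Host "Registry backed up to $backup"

$changed = $false
foreach ($name in $Desired.Keys) {
    $before = Get-DnsParameter -Name $name
    $shown  = if ($null -eq $before) { '<absent>' } else { $before }
    if (Set-DnsParameter -Name $name -Value $Desired[$name]) {
        Write-Host ("{0}: {1} -> {2}" -f $name, $shown, $Desired[$name])
        $changed = $true
    } else {
        Write-Host "$name already $($Desired[$name])"
    }
}

# Each registry procedure above ends with restarting the DNS server; do it once.
if ($changed) { Restart-Service -Name DNS -Force }
```

Run it in an elevated PowerShell session on the DNS server. To restore the previous values after a bad change, import the .reg file the script printed and restart the DNS Server service again.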

• For information on discovering the maximum transmission unit (MTU) of an arbitrary Internet path, see Request for Comment (RFC) 1191, "Path MTU Discovery."

Monitor servers
• Select and enable debug logging options on the DNS server
• Disable debug logging options on the DNS server
• Test a simple query on the DNS server
• Test a recursive query on the DNS server
• Enable automatic query testing on the DNS server
• View the DNS server system event log
• View a DNS server debug log file
• Verify DNS server responsiveness using the nslookup command

To select and enable debug logging options on the DNS server

1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Debug Logging tab.
4. Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• To set the debug logging options, you must first select Log packets for debugging.

• To get useful debug logging output you need to select a Packet direction, a Transport protocol and at least one more option.
• In addition to selecting events for the DNS debug log file, you can specify the file name, location, and maximum file size for the file.
• Using debug logging options slows DNS server performance. For this reason, all debug logging options are disabled by default.
• The debug log records the contents of the packets you select, including client addresses and the names they query. Treat the log file as sensitive data, restrict who can read its location, and remove it when troubleshooting is finished.

To disable debug logging options on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Debug Logging tab.
5. Clear the Log packets for debugging check box, and then click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To test a simple query on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server

3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the A simple query against this DNS server check box.
6. Click Test Now.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Results of the query test appear in Test results.

To test a recursive query on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the A recursive query to other DNS servers check box.
6. Click Test Now.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

• Results of the query test appear in the Test results list box.

To enable automatic query testing on the DNS server

1. Open DNS.
2. In the console tree, click the applicable DNS server.
   Where?
   o DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Monitoring tab.
5. Select the Perform automatic testing at the following interval check box.
6. Set the Test interval to be used. The default polling interval is 1 minute.
7. Select the type of testing to be used during automatic query testing. You can select one or both of the following:
   o A simple query against this DNS server
   o A recursive query to other DNS servers

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The query tests that you select are performed at regular intervals based on the value of the interval you specify. Results of automated query tests appear in Test results and are updated after each test interval.

To view the DNS server system event log

1. Open DNS.
2. In the console tree, click DNS Events.
   Where?
   o DNS/applicable DNS server/Event Viewer/DNS Events

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If the DNS server for which you want to view the log is located on another computer, in the console tree, click DNS, and then on the Action menu, click Connect to DNS Server. Click The following computer, and then specify the name or IP address of the remote computer.

To view a DNS server debug log file

1. Stop the DNS Server service.
2. Open WordPad.
3. On the File menu, click Open.
4. In Open, for File name, specify the path to the DNS server debug log file. By default, if the applicable DNS server is running locally, the file and path are as follows:
   systemroot\System32\Dns\Dns.log
5. After you specify the correct path and file, click Open to view the log file.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open WordPad, click Start, point to All programs, point to Accessories, and then click WordPad.
• To stop the DNS Server service, see Related Topics.
• The location of the Dns.log file is managed using the DNS console. To specify the name and location of the Dns.log file, see Related Topics.
• By default, the Dns.log file is empty if you have not previously enabled debug logging options.
• Debug logging slows DNS server performance and should only be enabled for temporary use. For more information, see Related Topics.

To verify DNS server responsiveness using the nslookup command

1. Open Command Prompt.
2. Type:
   nslookup 127.0.0.1 server_ip_address
   The first argument is the name to look up and the second is the server that receives the query. For example, if the IP address of your DNS server is 10.0.0.1, you would type:
   nslookup 127.0.0.1 10.0.0.1
3. If the server is responding, the name "localhost" is returned. If the server does not respond, continue troubleshooting the DNS server.

   Value              Description
   nslookup           The name of the command-line program.
   server_ip_address  The IP address of the DNS server at which you are verifying its responsiveness.

Notes
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
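The responsiveness check above, run against several servers from PowerShell, as an added example that is not part of the original topic. It sends the same query the procedure describes (the name for 127.0.0.1, asked of the server under test) and treats an answer of localhost as a healthy reply; anything else is reported with the first diagnostic line nslookup printed. The server list, the 2-second timeout and the function name are this example's own.

```powershell
# Added example (not from the original help topic): check several DNS servers
# with the nslookup test described above. Server addresses, the timeout and the
# function name are this example's own choices.

function Test-DnsServerResponsive {
    param(
        [Parameter(Mandatory)][string]$ServerIPAddress,
        [int]$TimeoutSeconds = 2
    )
    # nslookup <name> <server>: the first argument is the name to resolve
    # (127.0.0.1, which the topic says a responding server answers with
    # "localhost"), the second is the server to query. 2>&1 captures the
    # "timed-out" lines nslookup writes to stderr when nothing answers.
    $lines = & nslookup.exe "-timeout=$TimeoutSeconds" 127.0.0.1 $ServerIPAddress 2>&1 |
        ForEach-Object { $_.ToString() }
    $text = $lines -join "`n"

    # The topic's success criterion: the answer names "localhost".
    $responded = $text -match '(?m)^Name:\s+localhost'
    $detail = if ($responded) {
        'localhost returned'
    } else {
        # First diagnostic line nslookup printed, or a generic message.
        $hint = $lines |
            Where-Object { $_ -match 'timed.out|can''t find|No response|refused' } |
            Select-Object -First 1
        if ($hint) { $hint.Trim() } else { 'no localhost answer' }
    }

    [pscustomobject]@{
        Server    = $ServerIPAddress
        Responded = $responded
        Detail    = $detail
    }
}

# Server list constructed for this example; replace with the servers you monitor.
$servers = '10.0.0.1', '10.0.0.2'

$results = foreach ($s in $servers) { Test-DnsServerResponsive -ServerIPAddress $s }
$results | Format-Table -AutoSize

# Exit non-zero if any server failed, so a scheduled task or monitor can alert on it.
if ($results | Where-Object { -not $_.Responded }) { exit 1 }
```

Because the script matches on the "Name:" line of nslookup's output rather than on the exit code, a server that answers but returns something other than localhost (for example a wrong reverse zone) is reported as failed, which is what the procedure's criterion intends.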

• To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter and then type help

Add and remove zones
• Add a forward lookup zone
• Add a reverse lookup zone
• Add a stub zone
• Delete a zone
• Pause a zone
• Start a zone

To add a forward lookup zone
• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Follow the inst of the wizard to create a new primary, secondary, or stub zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:

   dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

   Value        Description
   dnscmd       Specifies the name of the command-line tool. Required.
   ServerName   Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). Required.
   /ZoneAdd     Adds a zone. Required.
   ZoneName     Specifies the fully qualified domain name (FQDN) of the zone. Required.
   /Primary|/DsPrimary|/Secondary|/Stub|/DsStub
                Specifies the type of zone. /DsPrimary and /DsStub specify an Active Directory-integrated zone type. Required.
   /file        Specifies a file for the new zone. Required for /Primary. This parameter is invalid for the /DsPrimary zone type.
   FileName     Specifies the name of the zone file. Required for /Primary. This parameter is invalid for the /DsPrimary zone type.
   /load        Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.
   /a           Adds an administrator e-mail address for the zone.
   AdminEmail   Specifies the administrator e-mail name for the zone.
   /DP          Adds the zone to an application directory partition. You may also use one of the following:
                • /DP /domain  For domain directory partition (replicates to all DNS servers in the domain).
                • /DP /forest  For forest directory partition (replicates to all DNS servers in the forest).
                • /DP /legacy  For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.
   FQDN         Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help

To add a reverse lookup zone
• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.

3. Follow the instructions to create a new reverse lookup zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneAdd ZoneName {/Primary|/DsPrimary} [/file FileName] [/load] [/a AdminEmail] [/DP FQDN]

   Value        Description
   dnscmd       Specifies the name of the command-line tool. Required.
   ServerName   Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). Required.
   /ZoneAdd     Adds a zone. Required.
   ZoneName     Specifies the fully qualified domain name (FQDN) of the in-addr.arpa domain for the zone. For example, 20.168.192.in-addr.arpa. Required.
   /Primary|/DsPrimary
                Specifies the type of zone. To specify an Active Directory-integrated zone, type /DsPrimary. Required.
   /file        Specifies a file for the new zone. Required for /Primary. This parameter is invalid for the /DsPrimary zone type.
   FileName     Specifies the name of the zone file. Required for /Primary. This parameter is invalid for the /DsPrimary zone type.
   /load        Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically. This parameter does not apply to /DsPrimary.
   /a           Adds an administrator e-mail address for the zone.
   AdminEmail   Specifies the administrator e-mail name for the zone.
   /DP          Adds the zone to an application directory partition. You may also use one of the following:
                • /DP /domain  For domain directory partition (replicates to all DNS servers in the domain).
                • /DP /forest  For forest directory partition (replicates to all DNS servers in the forest).
                • /DP /legacy  For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy Windows 2000 Server domain controllers.
   FQDN         Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help

To add a stub zone
• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, right-click a DNS server, and then click New Zone to open the New Zone Wizard.
3. Follow the instructions to create a new stub zone.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.
• If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records, rather than have the DNS server use the master servers list stored in Active Directory. If you want to use a local master servers list, you will need the IP addresses of the local master servers.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneAdd ZoneName {/Stub|/DsStub} MasterIPaddress... [/file FileName] [/load] [/DP FQDN]

   Value            Description
   dnscmd           Specifies the name of the command-line tool.
   ServerName       Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
   /ZoneAdd         Required. Adds a zone.
   ZoneName         Required. Specifies the fully qualified domain name (FQDN) of the zone.
   /Stub|/DsStub    Required. Specifies the type of zone. To specify an Active Directory-integrated stub zone, type /DsStub.
   MasterIPaddress...
                    Required. Specifies one or more IP addresses for the master servers of the stub zone, from which it copies zone data.
   /file            Adds a file for the new zone.
   FileName         Specifies the name of the zone file.
   /load            Loads an existing file for the zone. If this parameter is not specified, default zone records are created automatically.
   /DP              Adds the zone to an application directory partition. You may also use one of the following:
                    • /DP /domain  For domain directory partition (replicates to all DNS servers in the domain).
                    • /DP /forest  For forest directory partition (replicates to all DNS servers in the forest).
                    • /DP /legacy  For legacy directory partition (replicates to all domain controllers in the domain). This setting supports domains using legacy domain controllers running Windows 2000 Server.
   FQDN             Specifies the fully qualified domain name of the directory partition.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneAdd /help
• The stub zone cannot be hosted on a DNS server that is authoritative for the same zone.
• If you choose to integrate the stub zone into Active Directory (using Active Directory as the stub zone's storage method), you have the option to specify that the DNS server hosting the stub zone use a local list of master servers when updating the stub zone's resource records, rather than have the DNS server use the master servers list stored in Active Directory. If you want to use a local master servers list, you will need the IP addresses of the local master servers.
• The master servers you list are the only source of the stub zone's NS, SOA and glue records; list only servers you control or trust, since a wrong address here directs delegation lookups for the whole zone to that server.
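An added PowerShell example, not part of the original topic, that drives dnscmd /ZoneAdd for the three zone types described above: it derives the in-addr.arpa name of a reverse lookup zone from an octet-aligned network prefix, creates Active Directory-integrated primary zones with /DP /domain, and refuses to create a stub zone on a server that already hosts the zone, as the notes require. The zone names, the server and the master addresses are constructed for the example; it assumes dnscmd.exe is installed and that dnscmd ServerName /ZoneInfo ZoneName exits non-zero when that server does not host the zone.

```powershell
# Added example (not from the original help topic): create forward, reverse and
# stub zones with dnscmd /ZoneAdd as documented above. Function names, zone
# names, the server and master addresses are this example's own. Assumption:
# 'dnscmd <server> /ZoneInfo <zone>' exits non-zero for a zone the server does
# not host, which is how Test-ZoneHosted decides.

function Get-ReverseZoneName {
    param(
        [Parameter(Mandatory)][ipaddress]$Network,
        [Parameter(Mandatory)][ValidateSet(8, 16, 24)][int]$PrefixLength
    )
    # Keep the network octets covered by the prefix, reverse them and append the
    # in-addr.arpa suffix: 192.168.20.0 with /24 becomes 20.168.192.in-addr.arpa.
    $octets = $Network.GetAddressBytes()[0..(($PrefixLength / 8) - 1)]
    [array]::Reverse($octets)
    return (($octets -join '.') + '.in-addr.arpa')
}

function Invoke-Dnscmd {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Arguments are passed as an array so each name, switch and address reaches
    # dnscmd.exe as its own token; stderr is merged so failures are captured.
    $out = & dnscmd.exe @Arguments 2>&1
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        Output   = (($out | ForEach-Object { $_.ToString() }) -join "`n").Trim()
    }
}

function Test-ZoneHosted {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$ZoneName)
    # Assumption: /ZoneInfo succeeds only for zones this server hosts.
    return ((Invoke-Dnscmd -Arguments @($Server, '/ZoneInfo', $ZoneName)).ExitCode -eq 0)
}

function Add-DsPrimaryZone {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$ZoneName)
    # Active Directory-integrated primary zone, replicated to all DNS servers in
    # the domain (/DP /domain). /file and /load do not apply to /DsPrimary.
    $r = Invoke-Dnscmd -Arguments @($Server, '/ZoneAdd', $ZoneName, '/DsPrimary', '/DP', '/domain')
    if ($r.ExitCode -ne 0) { throw "dnscmd /ZoneAdd $ZoneName failed: $($r.Output)" }
    return $r
}

function Add-StubZone {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$MasterIPAddress,
        [switch]$DirectoryIntegrated
    )
    # A stub zone cannot be hosted on a server that is authoritative for the zone.
    if (Test-ZoneHosted -Server $Server -ZoneName $ZoneName) {
        throw "$Server already hosts $ZoneName; a stub zone cannot be added on a server that is authoritative for the same zone"
    }
    $type = if ($DirectoryIntegrated) { '/DsStub' } else { '/Stub' }
    $r = Invoke-Dnscmd -Arguments (@($Server, '/ZoneAdd', $ZoneName, $type) + $MasterIPAddress)
    if ($r.ExitCode -ne 0) { throw "dnscmd /ZoneAdd $ZoneName failed: $($r.Output)" }
    return $r
}

# --- example run; all names and addresses are constructed for this example ---
$server = '.'   # the DNS server on the local computer, as the topic allows

Add-DsPrimaryZone -Server $server -ZoneName 'corp.example.com'

$reverse = Get-ReverseZoneName -Network '192.168.20.0' -PrefixLength 24   # 20.168.192.in-addr.arpa
Add-DsPrimaryZone -Server $server -ZoneName $reverse

Add-StubZone -Server $server -ZoneName 'partner.example.net' -MasterIPAddress '10.1.1.53', '10.1.1.54'
```

Get-ReverseZoneName is limited to /8, /16 and /24 prefixes on purpose: the in-addr.arpa tree delegates on octet boundaries, and a classless reverse zone needs a different naming scheme that this example does not cover.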

To delete a zone
• Using the Windows interface
• Using a command line

Using the Windows interface

1. Open DNS.
2. In the console tree, click the applicable zone.
   Where?
   o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Delete.
4. When asked to confirm that you want to delete the zone, click OK.

Caution
• Deleting an Active Directory-integrated zone effectively deletes the zone and eliminates its use at all other DNS servers using the same directory store of zone data.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure is most often used to delete a secondary copy of a zone, although it can also be used to delete a primary zone. Deleting a standard primary zone is usually unnecessary, unless you are redesigning your DNS namespace and the zone is no longer needed or used. In most cases, you can change the zone type if you only want to modify the zone. For more information, see Related Topics.

Using a command line

1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneDelete ZoneName [/DsDel] [/f]

Open DNS. or you must have been delegated the appropriate authority. In the console tree. To specify the me DNS server on the local computer. Specifies the command to delete the zone specified ZoneDele by ZoneName. For information about installing Windows support tools. you must be a member of the Administrators group on the local computer. te ZoneNam Required. Performs the command without asking for confirmation. consider using Run as to perform this procedure.Value Description dnscmd Specifies the name of the command-line tool. To view the complete syntax for this command. you are prompted to confirm the deletion of the resource record. type: dnscmd /ZoneDelete /help • • • To pause a zone • • Using the Windows interface Using a command line Using the Windows interface 1. click the applicable zone. Specifies the DNS host name of the DNS server. point to All programs. 2. Notes • To perform this procedure. see Related Topics. at a command prompt. members of the Domain Admins group might be able to perform this procedure. /DsDel Deletes a the zone from Active Directory. Where? Page 78 of 165 . click Start. and then click Command prompt. Required. you can also type a period (. point to Accessories.) / Required. Specifies the fully qualified domain name (FQDN) of e the zone you are deleting. To open a command prompt. If the computer is joined to a domain. If you /f omit this parameter. As a security best practice. This procedure requires the Dnscmd Windows support tool. You ServerNa can also type the IP address of the DNS server.

Required. you must restart the zone before it is available for servicing clients or zone updates. you must be a member of the Administrators group on the local computer. Notes • To perform this procedure. members of the Domain Admins group might be able to perform this procedure. Open Command Prompt. 4. Type: dnscmdServerName/ZonePauseZoneName Value Description dnscmd Specifies the name of the command-line program. Pauses the zone. click Pause. Once you use this procedure to pause a zone. and then double-click DNS.o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone 3. click Start. By default. As a security best practice. you can also type a period (. and then click OK. se ZoneNam Required. Specifies the fully qualified domain name (FQDN) of e the zone. you must be a member of the Administrators group on the local computer. Notes • To perform this procedure. On the Action menu. members of Page 79 of 165 . To open DNS. If the computer is joined to a domain. If the computer is joined to a domain.) / ZonePau Required. click Control Panel. • • Using a command line 1. click Properties. or you must have been delegated the appropriate authority. consider using Run as to perform this procedure. Specifies the DNS host name of the DNS server. or you must have been delegated the appropriate authority. You ServerNa can also type the IP address of the DNS server. 2. To specify the me DNS server on the local computer. double-click Administrative Tools. On the General tab. zones are started when created or loaded at the server.

the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

To start a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable zone.
Where?
o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, click Start, and then click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, zones are started when created or loaded at the server. Only zones that have previously been paused need to be restarted.

Using a command line
1. Open Command Prompt.

2. Type: dnscmd ServerName /ZoneResume ZoneName
Value Description
dnscmd  Specifies the name of the command-line tool.
ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneResume  Required. Resumes the hosting of the zone by the DNS server.
ZoneName  Required. Specifies the fully qualified domain name (FQDN) of the zone resuming operation.

Notes
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• By default, zones are started when created or loaded at the server. Only zones that have previously been paused need to be restarted.

Configure zone properties
• Change the zone type
• Change a zone file name
• Change zone replication scope
• Modify the start of authority (SOA) record for a zone
• Modify zone transfer settings
• Create and manage a notify list for a zone
• Create a zone delegation
• Verify a zone delegation using the nslookup command
• Configure a stub zone for local master servers
• Specify other DNS servers as authoritative for a zone

• Update the master server for a secondary zone
• Enable DNS to use WINS resolution
• Verify WINS as the source for answering a DNS query

To change the zone type
• Using the Windows interface
• Using a command line

To change the zone type using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone type, and then click Change.
4. In Change Zone Type, select a zone type other than the current one, and then click OK.

Additional considerations
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• You can select from Primary zone, Secondary zone, or Stub zone. When selecting the secondary or stub zone types, you must specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone.
• If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database. This option is not otherwise available.

• Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers and the use of DNS notify lists to notify other servers about changes in the zone.
• Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones.
• Changing DNS zone type or storage can be time-consuming for large zones. For more information, see Related Topics.

To change the zone type using a command line
1. Open Command Prompt.
2. Type the following command, and then press ENTER:
dnscmd ServerName /ZoneResetType ZoneName Property [MasterIPaddress...] [/file FileName] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN}
Note You cannot change the zone type (primary, secondary, or stub) and the method for storing the zone at the same time. You must perform the two operations separately.
Value Description
dnscmd  Specifies the name of the command-line tool.
ServerName  Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
ZoneName  Required. Specifies the fully qualified domain name (FQDN) of zone.
Property  Required. One of the following zone types:
• /Primary Standard primary zone. The /file FileName option is required.
• /DsPrimary Active Directory Domain Services (AD DS)-integrated primary zone. If the zone is not

already a primary zone, you must convert it to a primary zone (using /Primary) before you use this option to integrate the zone with AD DS.
• /Secondary Secondary zone. You must specify at least one MasterIPaddress.
• /Stub Stub zone. You must specify at least one MasterIPaddress.
• /DsStub Active Directory-integrated stub zone. You must specify at least one MasterIPaddress. If the zone is not already a stub zone, you must convert it to a stub zone (using /Stub) before using this option to integrate the zone with AD DS. If the zone is an AD DS-integrated primary zone, you must use /DsStub to convert it to an AD DS-integrated stub zone before using this option.
MasterIPaddress...  Required for /Secondary, /Stub and /DsStub. Specifies one or more IP addresses for the master servers of the secondary or stub zone, from which it copies zone data.
/file FileName  Required for /Primary. Specifies the name of a file for the new zone. This parameter is not valid for the /DsPrimary zone type.
/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition FQDN  /OverWrite_Mem overwrites existing DNS data using the data in Active Directory. /OverWrite_Ds overwrites Active Directory data with data in DNS. /DirectoryPartition stores the new zone in the application directory partition specified by FQDN, such as DomainDnsZones.corp.example.microsoft.com.

Additional considerations
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetType /help
• You can select from primary, secondary or stub zone. When selecting the secondary or stub zone type, you need to specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone.
• If the DNS server computer is operating as a domain controller, the option to change the zone type to Active Directory-integrated is available. When this zone type is selected for use, zone data is stored and replicated as part of the Active Directory database. This option is not otherwise available.
• Changing a zone from secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers, and the use of DNS notify lists to notify other servers about changes in the zone.
• Changing a zone from stub to primary type or vice versa is not recommended due to the purpose of stub zones.

To change a zone file name
1. Open DNS.
2. In the console tree, click the applicable zone.
Where?
o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.
4. On the General tab, in the Zone file name text box, type the new file name for this zone.
5. Click OK when you have finished entering the new zone file name.

Caution
• If the zone file name is changed, be sure to update Zone file name on other DNS servers that maintain this zone. This can occur in the following situations:
o The zone type is primary on this server.
o The zone type is secondary on this server and this server acts as a source or master server for this zone to other DNS servers that host secondary copies of this zone.
Otherwise, subsequent zone transfers and updates might fail.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The name of the zone file changes, not the name of the zone. You can use Windows Explorer to view or verify the new zone file name.
• The zone file name is not used for Active Directory-integrated zones because these zones store zone data in the Active Directory database and not a text file on the DNS server computer.

To change zone replication scope
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, note the current zone replication type, and then click Change.
4. Select a replication scope for the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Only Active Directory-integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneChangeDirectoryPartition ZoneName NewPartitionName
Value Description
dnscmd  Specifies the name of the command-line program.
ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneChangeDirectoryPartition  Required. Changes a zone's replication scope.
ZoneName  Required. Specifies the fully qualified domain name (FQDN) of the zone.
NewPartitionName  Required. The FQDN of the DNS application directory partition where the zone will be stored.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneChangeDirectoryPartition /?
• Only Active Directory-integrated primary forward lookup zones and Active Directory-integrated stub zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

To modify the start of authority (SOA) record for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Start of Authority (SOA) tab.
4. As needed, modify properties for the start of authority (SOA) record.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The settings applied for the start of authority (SOA) record affect how zone transfers are made between servers. For more information, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [Ttl] SOA PrimSvr Admin Serial# Refresh Retry Expire MinTTL
Value Description
dnscmd  Specifies the name of the command-line program.
ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd  Required. Adds or modifies a resource record.
ZoneName  Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName  Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging  Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl  Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl  Specifies the Time to Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
SOA  Required. Specifies the type of resource record you are modifying.
PrimSvr  Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.microsoft.example.com.
Admin  Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.microsoft.example.com.

Serial#  Required. Specifies the version information for the zone.
Refresh  Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).
Retry  Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire  Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL  Required. Specifies the minimum Time to Live (TTL) value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial# Refresh Retry Expire MinTTL).

To modify DNS zone transfer settings
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
o To disable zone transfers, clear the Allow zone transfers check box.

o To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
o To allow zone transfers to any server, click To any server.
o To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
o To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server. To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr | /NonSecure | /SecureNs | /SecureList [SecondaryIPAddress...]}
Value Description
dnscmd  Specifies the name of the command-line tool.
ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
ZoneName  Required. Specifies the fully qualified domain name (FQDN) of zone.

/NoXfr  Disables zone transf ers for the zone.
/NonSecure  Permits zone transfers to any DNS server.
/SecureNs  Permits zone transfers only to DNS servers listed in the zone using name server (NS) resource records.
/SecureList  Permits zone transfers only to DNS servers specified by SecondaryIPAddress.
SecondaryIPAddress  Required, if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetSecondaries /?
• To improve the security of your DNS infrastructure, zone transfers should only be allowed for either the DNS servers in the NS resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

To create and manage a notify list for a zone
1. Open DNS.
2. In the console tree, click the applicable zone.
Where?
o DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. Click the Zone Transfers tab.

5. Click Notify.
6. Verify that the Automatically notify check box is checked.
7. Select the method to be used for creating a list for notifying other DNS servers when changes to the zone occur. Your options are:
o Use the default, Servers listed on the Name Servers tab, to permit only those servers that appear by IP address on the Name Servers tab to be included in the notify list.
o Select The following servers if you want to specify a different notify list to be used instead.
8. If you selected The following servers in the previous step, add or remove server IP addresses to form the notify list as needed:
o To add a server to the notify list, type its IP address in the IP address field and click Add.
o To remove a server from the notify list, click the server IP address in the list box and click Remove.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• DNS Notify is an RFC-compliant extension of the DNS standard defined in RFC 1996, "A Mechanism for Prompt Notification of Zone Changes." By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.
• Changes to the notify list properties are only available on primary zones. For secondary zones, these properties are read-only.
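As an added example (not from the original documentation), the following Python models the three settings covered above, the SOA values, the /ZoneResetSecondaries transfer policy and the notify list: it builds the dnscmd command lines in the syntax shown and refuses the settings the text warns against. The server names, addresses, serial numbers and the policy labels none/ns/list are constructed for the example.

```python
"""Added example, not part of the original documentation: build the dnscmd
commands for the SOA and zone transfer settings described above and refuse
configurations the text warns against.  All names, IPs and serials are
constructed values."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

SERIAL_MODULUS = 2 ** 32  # SOA serials use 32-bit serial-number arithmetic (RFC 1982)


@dataclass
class Soa:
    prim_svr: str        # PrimSvr: FQDN of the primary server for the zone
    admin: str           # Admin: mailbox as an FQDN, '@' written as '.'
    serial: int          # Serial#: version information for the zone
    refresh: int = 3600  # standard settings quoted in the table above
    retry: int = 600
    expire: int = 86400
    min_ttl: int = 3600


def serial_is_newer(new: int, old: int) -> bool:
    """RFC 1982 comparison: secondaries only pull a zone whose serial compares
    as greater in 32-bit wrap-around arithmetic.  A serial that merely differs
    (for example a smaller value typed by mistake) is not enough."""
    diff = (new - old) % SERIAL_MODULUS
    return 0 < diff < 2 ** 31


def soa_problems(soa: Soa) -> List[str]:
    """Timer sanity checks.  The page says all seven SOA values must be
    supplied on every /RecordAdd, so one wrong value ships silently."""
    problems = []
    if "@" in soa.admin:
        problems.append("Admin must be an FQDN; write '@' as '.'")
    if not soa.retry < soa.refresh:
        problems.append("Retry should be shorter than Refresh")
    if not soa.expire > soa.refresh + soa.retry:
        problems.append("Expire should exceed Refresh + Retry, or secondaries "
                        "discard the zone before they have retried")
    if soa.min_ttl <= 0 or not 0 <= soa.serial < SERIAL_MODULUS:
        problems.append("MinTTL must be positive and Serial# must fit in 32 bits")
    return problems


def record_add_soa(server: str, zone: str, soa: Soa) -> str:
    """dnscmd ServerName /RecordAdd ZoneName @ SOA PrimSvr Admin Serial#
    Refresh Retry Expire MinTTL, as in the table above ('@' is the zone root)."""
    problems = soa_problems(soa)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"dnscmd {server} /RecordAdd {zone} @ SOA {soa.prim_svr} {soa.admin} "
            f"{soa.serial} {soa.refresh} {soa.retry} {soa.expire} {soa.min_ttl}")


def zone_transfer_command(server: str, zone: str, policy: str,
                          secondary_ips: Sequence[str] = ()) -> str:
    """Map a transfer policy (constructed labels) to /ZoneResetSecondaries.
    Only 'none' and the two restrictive modes the page recommends are
    accepted; /NonSecure is refused because it lets any host that can reach
    the server copy the whole zone."""
    if policy == "none":
        return f"dnscmd {server} /ZoneResetSecondaries {zone} /NoXfr"
    if policy == "ns":
        return f"dnscmd {server} /ZoneResetSecondaries {zone} /SecureNs"
    if policy == "list":
        if not secondary_ips:
            raise ValueError("/SecureList needs at least one SecondaryIPAddress")
        return (f"dnscmd {server} /ZoneResetSecondaries {zone} /SecureList "
                + " ".join(secondary_ips))
    raise ValueError(f"refusing zone transfer policy {policy!r}; use none, ns or list")


def notify_list_gaps(notify_ips: Sequence[str],
                     allowed_ips: Sequence[str]) -> Dict[str, List[str]]:
    """Cross-check the notify list against the transfer allow-list: a
    secondary that is notified but not allowed to transfer never gets the
    update, and one allowed but never notified waits for its Refresh timer."""
    notify, allowed = set(notify_ips), set(allowed_ips)
    return {"notified_but_not_allowed": sorted(notify - allowed),
            "allowed_but_not_notified": sorted(allowed - notify)}
```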

To create a zone delegation
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open the DNS console.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions provided in the New Delegation Wizard to finish creating the new delegated domain.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone prior to performing delegation as described here. As necessary, use the DNS console to first add domains to the zone before completing this procedure. For more information, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}
Value Description
dnscmd  Specifies the name of the command-line tool.
ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To

specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd  Required. Specifies the command to add a resource record.
ZoneName  Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName  Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging  If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl  Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl  Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in SOA resource record).
NS  Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.
HostName|FQDN  Required. Specifies the host name or FQDN of the new authoritative server.

See the following examples:
dnscmd dnssvr1.contoso.com /recordadd test A 10.0.0.5
dnscmd /recordadd test.contoso.com test MX 10 mailserver.test.contoso.com
For more information, see Dnscmd Syntax.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To verify a zone delegation using the nslookup command
1. Open Command Prompt.
2. Type: nslookup RootServerIpAddress
3. Then type: nslookup
4. At the next prompt, type: set norecurse
5. At the next prompt, type: set q=NS
6. Type the fully qualified domain name (FQDN) for the failed name. Use the trailing period (.) when entering the name. For example, query for microsoft.com. If the response contains NS resource records, but no host (A) resource records, type set recurse and query individually for any of the A resource records of servers listed in the NS resource records.
7. If, for each NS resource record you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.
8. If the NS query response contains no names or IP addresses for delegated servers, type q=ns and query again using the FQDN for the parent zone of the failed name. For example, if the failed name you used in the previous step was example.microsoft.com, query for microsoft.com. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers should be returned in the response.

9. If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. Either fix the broken delegation or retry the delegation test described in the previous step using a different IP address.
Value Description
nslookup  The name of the command-line tool.
root_server_ip_address  The IP address of a valid root server for your network.
set norecursion  A command to instruct the root server to not perform recursion on your query.
set q=NS  The command to send the query for NS resource records to the root server.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To fix a delegation, add or update an A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.
• To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter and then type help

To configure a stub zone to use local master servers
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the stub zone, and then click Properties.
3. On the General tab, under IP address, modify the list to display the IP addresses of the local master servers that you want the DNS server to use

when loading and updating the stub zone. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.
4. Select the Use the list above as a local list of masters check box, and then click OK.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory. The DNS server will keep the master servers list from Active Directory stored in memory. If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetMasters ZoneName [/Local] [MasterIPaddress...]
Value Description
dnscmd  Specifies the name of the command-line tool.
ServerName  Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
ZoneName  Required. Specifies the fully qualified domain name (FQDN) of the zone.
/Local  Configures the local master list for Active Directory-

integrated zones.
MasterIPaddress...  List of one or more IP addresses of master servers for this zone. Master servers may include the server hosting the primary zone or servers hosting other secondary copies for the zone. To clear the local list of masters, type the command without entering any IP addresses. Ensure that the IP addresses of the local master servers are for only those authoritative DNS servers that should be queried to update the records of the stub zone on this server.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetMasters /help
• If the local list of master servers is cleared at a later date, the master servers list from Active Directory is applied and the local list of master servers is deleted. When modifications to the master servers list are made and applied on a domain controller hosting the stub zone, the list of master servers for the stub zone is updated in Active Directory. The DNS server will keep the master servers list from Active Directory stored in memory.

To specify other DNS servers as authoritative for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• To add a name server to the list of authoritative servers for the zone, you must specify both the server's IP address and its DNS name. When entering names, click Resolve to resolve the name to its IP address prior to adding it to the list.
• DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data. DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|DomainName}

dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd: Required. Specifies the command to add a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
NS: Required. Specifies that you are adding a name server (NS) resource record to the zone specified in ZoneName.
HostName|FQDN: Required. Specifies the host name or FQDN of the new authoritative server.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• DNS servers specified using this procedure are added to those server IP addresses already present for the existing name server (NS) resource record for the zone. Typically, you might only need to perform this procedure at the primary zone when adding DNS servers to act as secondary servers and also to specify that these servers are known to be authoritative when answering queries for zone data. DNS servers automatically add and perform initial configuration of the NS resource record for each new primary zone added to the server.

To update the master server for a secondary zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable secondary zone, and then click Properties.
3. On the General tab, in IP address, specify the IP address for a new master server, and then click Add to update the list.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneResetMasters ZoneName [/Local] MasterIPaddress...

dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneResetMasters: Required. Updates the master servers for a secondary zone.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone you are updating.
/Local: Specifies the local master list for Active Directory-integrated zones. /Local is required to clear the local master list for a zone.
MasterIPaddress...: Required. Specifies the IP addresses of the master servers to be used by the DNS server when updating the specified secondary zones. If you do not specify ServerIPs, you are requesting the DNS server to reset the value to an empty list. The request may be denied because a zone must always have at least one master server.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneResetMasters /help

To enable DNS to use WINS resolution
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Do one of the following:
   o If the applicable zone is a forward lookup zone, on the WINS tab, select the Use WINS forward lookup check box.
   o If the applicable zone is a reverse lookup zone, on the WINS-R tab, select the Use WINS-R lookup check box. In Domain to append to returned name, type a name, if applicable.
4. In IP address, type the IP address of a WINS server to be used for resolution of names not found in DNS, and then click Add.
5. If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, select the Do not replicate this record check box for this WINS record. This prevents these records from being replicated to these other servers during zone transfers. If this zone will be used in performing zone transfers to BIND servers, this is a critical option as BIND will not recognize WINS records.
6. Optionally, click Advanced to adjust advanced WINS lookup parameters.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• When this option is used, specified WINS servers configured in this procedure are used for final referral of names not found in the applicable zone.

To verify WINS as the source for answering a DNS query
1. Open Command Prompt.
2. Type: nslookup
3. After the previous command completes, at the nslookup ("") prompt type: set debug
4. Next, either type: set querytype=a if you are testing for a WINS forward lookup, or: set querytype=ptr if you are testing for a WINS-R reverse lookup.
5. Based on whether you are verifying possible WINS sourcing for either a forward or reverse lookup, type the appropriate fully qualified domain name (FQDN). For example, if the forward lookup you are tracing is for a domain name host-a.example.microsoft.com, type: host-a.example.microsoft.com. If the reverse lookup you are tracing is for an IP address 10.0.0.1, type: 1.0.0.10.in-addr.arpa.
6. In the response, note whether the server answered authoritatively or non-authoritatively, and note the Time-To-Live (TTL) value.
7. If the server answered authoritatively, repeat the same query you performed in step 4.
8. In the response, note whether the TTL value decreased with the second query answer or if it remained consistent with the TTL value specified in the first query answer. If the TTL value decreased for an authoritatively answered query, the source of the query answer is a WINS server.
9. To leave debug mode and return to the command prompt, type exit.

nslookup: The name of the command-line program.
set debug: Enables the nslookup command to operate in debug mode, providing extended information in the command output. This mode is required to view query response information about whether the source for a query answer is:
   • authoritative (from a DNS zone or WINS server database)
   • non-authoritative (cached data from previous queries made by the DNS server or loaded from root hints)
set querytype: Changes the type of information query. Respectively, these two commands can be used to set the query type to filter either by host (A) or pointer (PTR) resource records as appropriate for researching either a forward or reverse lookup. More information about querytype types can be found in Request For Comment (RFC) 1035.

Notes
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: nslookup, press Enter and then type help
• Normally, when a DNS server answers a query from its authoritative zone data, it uses the set minimum or default TTL for the zone or the record-specific TTL value (if one is configured). TTLs are decreased in answers the server returns if based on nonauthoritative data, such as a cached record at the server. WINS lookups present an exceptional case, where an answer received back from a WINS server is cached by the DNS server but is also considered to be authoritative data. In this case, the WINS sourced data is returned to clients as authoritative but ages while in the DNS server names cache, causing the TTL used by the server to decrease over time.

Manage zones
• Allow dynamic updates
• Allow only secure dynamic updates
• Initiate a zone transfer at a secondary server
• Reload or transfer a stub zone
• Adjust the refresh interval for a zone
• Adjust the retry interval for a zone
• Adjust the expire interval for a zone
• Modify security for a directory-integrated zone

Allow dynamic updates

Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To allow dynamic updates
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. In Dynamic Updates, click Nonsecure and secure.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/Config: Required. Specifies the configuration command.
ZoneName|..AllZones: Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate: Required. Specifies the allow update command.
1|0: Configures dynamic update. To allow dynamic updates, enter a value of 1. To not allow dynamic updates, enter a value of 0.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."

To allow only secure dynamic updates
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is Active Directory-integrated.
4. In Dynamic Updates, click Secure only.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory integrate the zone prior to securing it for DNS dynamic updates.
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone. This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate 2

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/Config: Required. Specifies the configuration command.
ZoneName|..AllZones: Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/AllowUpdate: Required. Specifies the allow update command.
2: Required. Configures the server to allow secure update only. If you exclude the 2, the zone will be set to perform standard dynamic updates only.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help
• Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone. This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.
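Added example, not from the original help text, covering both the "allow dynamic updates" and "allow only secure dynamic updates" procedures above: a PowerShell script that reports the AllowUpdate value (0, 1 or 2, as in the tables above) of every primary zone and, when run with -Enforce, applies the dnscmd /Config ZoneName /AllowUpdate 2 command to directory-integrated zones that still accept nonsecure updates. Reading the zone list through the root\MicrosoftDNS WMI provider (class MicrosoftDNS_Zone) is an assumption of this example; the help text itself uses only dnscmd, and the zone type encoding noted in the comments is assumed as well.

```powershell
# Added example: audit dynamic update settings and optionally enforce "Secure only".
# Assumptions: the root\MicrosoftDNS WMI provider is reachable on the target server
# and dnscmd.exe is in the path. "." is the local DNS server, as in the dnscmd syntax.
param(
    [string]$ServerName = ".",
    [switch]$Enforce        # without -Enforce the script only reports
)

# Meaning of the value passed to dnscmd ... /Config ZoneName /AllowUpdate
$updateMode = @{ 0 = "None"; 1 = "Nonsecure and secure"; 2 = "Secure only" }

function Get-ZoneUpdateState {
    param([string]$Server)
    # MicrosoftDNS_Zone exposes AllowUpdate (0/1/2) and DsIntegrated for each zone.
    # Assumed encoding: ZoneType 0 = directory-integrated primary, 1 = standard primary;
    # only those can accept updates, so secondaries, stubs and the cache are skipped.
    Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone -ComputerName $Server |
        Where-Object { [int]$_.ZoneType -le 1 } |
        ForEach-Object {
            $mode = [int]$_.AllowUpdate
            New-Object PSObject -Property @{
                Zone         = $_.Name
                DsIntegrated = [bool]$_.DsIntegrated
                AllowUpdate  = $mode
                Mode         = $updateMode[$mode]
                # Risk: with value 1 any host that can reach the server may add or
                # overwrite records in the zone without authenticating.
                Finding      = $(if ($mode -eq 1) { "nonsecure updates allowed" } else { "" })
            }
        }
}

function Set-ZoneSecureOnly {
    param([string]$Server, [string]$Zone)
    # Exactly the command from the help text; 2 = secure update only.
    $output = & dnscmd $Server /Config $Zone /AllowUpdate 2 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("dnscmd failed for {0}: {1}" -f $Zone, ($output -join " "))
        return $false
    }
    return $true
}

$zones = @(Get-ZoneUpdateState -Server $ServerName)
$zones | Format-Table Zone, DsIntegrated, Mode, Finding -AutoSize

foreach ($z in $zones | Where-Object { $_.AllowUpdate -eq 1 }) {
    if (-not $z.DsIntegrated) {
        # Secure dynamic update is supported only for Active Directory-integrated zones
        # (see the notes above); report it, but do not change the zone type from a script.
        Write-Warning ("{0}: nonsecure updates allowed and the zone is not directory-integrated; integrate it before setting Secure only" -f $z.Zone)
        continue
    }
    if ($Enforce) {
        if (Set-ZoneSecureOnly -Server $ServerName -Zone $z.Zone) {
            Write-Host ("{0}: set to Secure only" -f $z.Zone)
        }
    } else {
        Write-Host ("{0}: would be set to Secure only (run with -Enforce)" -f $z.Zone)
    }
}
```

Run it first without -Enforce to see the report; the Finding column is empty for zones already at 0 or 2.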

To initiate a zone transfer at a secondary server
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Transfer from master.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure checks to see if the start of authority (SOA) resource record in the secondary zone is the most recent version of the SOA resource record in the primary zone. If the SOA resource records are synchronized, then there is no zone transfer. If the SOA resource records are not synchronized, then there is a zone transfer.
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /ZoneRefresh ZoneName

dnscmd: Specifies the name of the command-line tool.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneRefresh: Required. Updates the secondary zone.
ZoneName: Required. Specifies the name of the secondary zone to update.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneRefresh /help
• This procedure checks to see if the start of authority (SOA) resource record in the secondary zone is the most recent version of the SOA resource record in the primary zone. If the SOA resource records are synchronized, then there is no zone transfer. If the SOA resource records are not synchronized, then there is a zone transfer.
• By default, the DNS server will only allow a zone transfer to authoritative DNS servers listed in the name server (NS) resource records for the zone.

To reload or transfer a stub zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable stub zone, and do one of the following:
   o To reload the stub zone from storage, click Reload.
   o To have the DNS server determine if the serial number in the stub zone's SOA resource record has expired and then perform a zone transfer from the stub zone's master server, click Transfer from Master.
   o To perform a zone transfer from the stub zone's master server regardless of the serial number in the stub zone's SOA resource record, click Reload from Master.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName {/ZoneReload|/ZoneUpdateFromDs|/ZoneRefresh} ZoneName

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/ZoneReload: Reloads the stub zone.
/ZoneUpdateFromDs: Reloads the stub zone from Active Directory.
/ZoneRefresh: Refreshes the stub zone. The DNS server will determine if the serial number in the stub zone's SOA resource record has expired. If the serial number has expired, the DNS server will perform a zone transfer from the stub zone's master server.
ZoneName: Required. Specifies the name of the stub zone you want to reload or refresh.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneReload /help or dnscmd /ZoneUpdateFromDs /help or dnscmd /ZoneRefresh /help.

• There is no dnscmd command to perform a zone transfer regardless of the SOA resource record's expiration date. To perform this operation, use the Windows interface procedure.

To adjust the refresh interval for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Refresh interval, click a time period in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
SOA: Required. Specifies the type of resource record you are modifying.
PrimSvr: Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin: Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\: Required. Specifies the version information for the zone.
Refresh: Required. Specifies the refresh interval for the zone. The standard setting is 900 (15 minutes).
Retry: Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire: Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL: Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
• By default, the refresh interval for each zone is set to 15 minutes. The refresh interval is used to determine how often other DNS servers that load and host the zone must attempt to renew the zone.

To adjust the retry interval for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Retry interval, click an interval in minutes, hours, or days, and type a number in the text box.
6. Click OK to save the adjusted interval.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl: Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
SOA: Required. Specifies the type of resource record you are modifying.
PrimSvr: Required. Specifies the FQDN name of the server that is the primary source for information about the zone. For example, nameserver.place.example.microsoft.com.
Admin: Required. Specifies the name of the DNS administrator for the zone. For example, postmaster.nameserver.place.example.microsoft.com.
Serial#\: Required. Specifies the version information for the zone.
Refresh: Required. Specifies the refresh interval for the zone. The standard setting is 3600 (one hour).
Retry: Required. Specifies the retry interval for the zone. The standard setting is 600 (ten minutes).
Expire: Required. Specifies the expire interval for the zone. The standard setting is 86400 (one day).
MinTTL: Required. Specifies the minimum Time-To-Live value. This is the length of time used by other DNS servers to determine how long to cache information for a record in the zone before expiring and discarding it. The standard setting is 3600 (one hour).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• To modify any specific SOA resource record's values using dnscmd, you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).
• By default, the retry interval for each zone is set at 10 minutes. The retry interval is used to determine how often other DNS servers that load and host the zone are to retry a request for update of the zone each time the refresh interval occurs.

To adjust the expire interval for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Expires after, click an interval in either minutes, hours, or days, and then type a number in the text box.
6. Click OK to save the adjusted interval.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• By default, the expire interval for each zone is set to 1 day. The expire interval is used by other DNS servers configured to load and host the zone to determine when zone data expires if not renewed.

Using a command line
1. Open Command Prompt.
2. Type: dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] SOA PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL

dnscmd: Specifies the name of the command-line program.
ServerName: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)
/RecordAdd: Required. Adds or modifies a resource record.
ZoneName: Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName: Required. Specifies the FQDN of the node in the DNS namespace for which the SOA record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.

members of the Domain Admins group might be able to perform this procedure. Specifies the name of the DNS administrator for the Admin zone. Required. The Refresh standard setting is 3600 (one hour). The standard Retry setting is 600 (ten minutes). This procedure requires the Dnscmd Windows support tool. click Start. Specifies the FQDN name of the server that is the PrimSvr primary source for information about the zone. Specifies the type of resource record you are SOA modifying. at a command prompt.remains in the DNS database unless it is manually updated or removed. you must specify all of the SOA values (PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL).example. nameserver. This is the length of time used by other DNS servers to determine how long MinTTL to cache information for a record in the zone before expiring and discarding it. Specifies the minimum Time-To-Live value. Specifies the retry interval for the zone. As a security best practice.com. Specifies the expire interval for the zone. Required. Specifies the refresh interval for the zone.place. /OpenAcl Without this parameter.microsoft. postmaster. see Related Topics. you must be a member of the Administrators group on the local computer. Serial#\ Required.com. Required.example. The standard setting is 3600 (one hour).nameserver. or you must have been delegated the appropriate authority. To open a command prompt. point to Accessories. Specifies the version information for the zone. point to All programs.microsoft. To view the complete syntax for this command. Ttl (The default TTL is defined in SOA resource record). Required. Page 120 of 165 . Required. type: dnscmd /RecordAdd /help • • • • To modify any specific SOA resource record's values using dnscmd. Required. Required. For information about installing Windows support tools.place. Specifies that new records are open to modification by any user. For example. The Expire standard setting is 86400 (one day). 
Specifies the Time-To-Live (TTL) setting for the resource record. For example. and then click Command prompt. Notes • To perform this procedure. only administrators may modify the new record. If the computer is joined to a domain. consider using Run as to perform this procedure.
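The three SOA procedures above all end in the same dnscmd command, and the Notes make the point that every one of the seven SOA values has to be supplied even when only one interval changes. The following script is an added example written for this page, not code from the Windows Server help text or from Microsoft: it converts a console-style interval (number plus minutes/hours/days) into the seconds dnscmd takes, assembles the full /RecordAdd SOA argument list without /OpenAcl, and runs a few timer sanity checks. The ordering checks in check_soa_timers are this example's own conservative assumptions about secondary-server behaviour, not rules stated in the help text; the server name "." and the example.com names are constructed.

```python
"""Build and sanity-check a 'dnscmd /RecordAdd ... SOA' invocation.

Added example (not code from the Windows Server help text). It assumes the
/RecordAdd SOA syntax shown in the procedures above; the server, zone and
name values in the demo are constructed.
"""
import subprocess
from typing import List, Optional

# Seconds per unit, matching the minutes/hours/days choices on the SOA tab.
UNIT_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}


def interval_seconds(value: int, unit: str) -> int:
    """Translate a console interval (number plus unit) into the seconds dnscmd expects."""
    if value <= 0:
        raise ValueError("interval must be a positive number")
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unit must be one of {sorted(UNIT_SECONDS)}")
    return value * UNIT_SECONDS[unit]


def check_soa_timers(refresh: int, retry: int, expire: int, min_ttl: int) -> List[str]:
    """Return warnings for timer combinations that dnscmd accepts but that are usually mistakes.

    These checks are an assumption of this example, not a rule from the help text.
    Secondary servers retry a failed refresh every 'retry' seconds and discard the
    zone once 'expire' seconds pass without a successful refresh, so a retry longer
    than the refresh, or an expire shorter than one refresh-plus-retry cycle, lets
    zone data vanish from secondaries while the primary is merely slow to answer.
    """
    warnings = []
    if retry > refresh:
        warnings.append("retry interval exceeds refresh interval")
    if expire < refresh + retry:
        warnings.append("expire interval is shorter than one refresh plus retry cycle")
    if min_ttl > expire:
        warnings.append("minimum TTL exceeds expire interval")
    return warnings


def build_soa_command(server: str, zone: str, prim_svr: str, admin: str, serial: int,
                      refresh: int, retry: int, expire: int, min_ttl: int,
                      ttl: Optional[int] = None) -> List[str]:
    """Build the argv list for 'dnscmd ServerName /RecordAdd ZoneName @ [Ttl] SOA ...'.

    All seven SOA values are passed every time because, as the Notes state, dnscmd
    needs every value even when only one of them changes. /OpenAcl is never emitted,
    so only administrators can modify the record afterwards.
    """
    if "@" in admin:
        # The SOA responsible-person field is a mailbox with the at sign written as a
        # period, as in the Admin example in the parameter table.
        raise ValueError("admin must use a period in place of the at sign")
    for name, value in (("serial", serial), ("refresh", refresh), ("retry", retry),
                        ("expire", expire), ("min_ttl", min_ttl)):
        if not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer")
    argv = ["dnscmd", server, "/RecordAdd", zone, "@"]   # @ selects the zone root node
    if ttl is not None:
        argv.append(str(ttl))
    argv += ["SOA", prim_svr, admin, str(serial),
             str(refresh), str(retry), str(expire), str(min_ttl)]
    return argv


def apply_soa(argv: List[str]) -> str:
    """Run the command as an argument list (no shell parsing) and return dnscmd's output."""
    done = subprocess.run(argv, check=True, capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    # Constructed demo: set the retry interval to the console's 10-minute default.
    retry = interval_seconds(10, "minutes")
    cmd = build_soa_command(".", "example.com", "ns1.example.com.",
                            "hostmaster.example.com.", 2024010101,
                            refresh=3600, retry=retry, expire=86400, min_ttl=3600)
    for warning in check_soa_timers(3600, retry, 86400, 3600):
        print("warning:", warning)
    print(" ".join(cmd))
```

Because the arguments are passed as a list rather than a single string, nothing in a zone or mailbox name is interpreted by the command interpreter, and the command can be printed for review (as in the demo) before apply_soa is ever called.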

To modify security for a directory-integrated zone
1. Open DNS.
2. In the console tree, click the applicable zone.
   Where? DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.

Notes
• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Secure dynamic updates are only supported for zones stored in Active Directory. To apply security settings for dynamic updates, see Related Topics.
• The security settings determine who can administer the zone, but do not affect dynamic updates to the zone.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

Manage resource records

• Add a host (A) resource record to a zone
• Add a mail exchanger (MX) resource record to a zone
• Add an alias (CNAME) resource record to a zone
• Add a new domain to a zone
• Add a pointer (PTR) resource record to a reverse zone
• Add a resource record to a zone
• Modify an existing resource record in a zone
• Delete a resource record from a zone
• View unsupported resource records in a zone
• Modify security for a resource record

To add a host (A) resource record to a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone and click New Host.
3. In the Name text box, type the DNS computer name for the new host.
4. In the IP address text box, type the IP address for the new host.
5. As an option, select the Create associated pointer (PTR) record check box to create an additional pointer record in a reverse zone for this host, based on the information you entered in Name and IP address.
6. Click Add Host to add the new host record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] A IPAddress

Value          Description
dnscmd         Specifies the name of the command-line program.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd     Required. Adds a new resource record.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName       Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging         Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl       Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl            Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
A              Required. Specifies the resource record type of the record you are adding.
IPAddress      Required. The IP address for the host.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a mail exchanger (MX) resource record to a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone and click New Mail Exchanger.
3. In the Host or domain text box, type the domain name for which this record is to be used to deliver mail.
4. In the Mail server text box, type the DNS host computer name of the mail exchanger or mail server host that delivers mail for the specified domain name. As an option, you can click Browse to view the DNS namespace for mail exchanger hosts in this domain that have host (A) records already defined.
5. Adjust the Mail server priority as needed for this zone.
6. Click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] MX Preference MXServerName

Value          Description
dnscmd         Specifies the name of the command-line program.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd     Required. Adds a new resource record.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone in which you will add the new MX resource record.
NodeName       Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging         Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl       Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl            Specifies the Time-To-Live setting for the resource record.
MX             Required. Specifies the MX resource record type for the record you are adding.
Preference     Required. Specifies a numeric value (between 0 and 65535) that indicates the mail exchange server's priority with respect to the other mail exchange servers. Lower numbers are given greater preference.
MXServerName   Required. Specifies the fully qualified domain name (FQDN) for a mail exchanger. The value entered here must resolve to a corresponding host (A) resource record in this zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To add an alias (CNAME) resource record to a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Alias.
3. In the Alias name text box, type the alias name.
4. In the Fully qualified domain name (FQDN) for target host text box, type the fully qualified domain name of the DNS host computer for which this alias is to be used. As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.
5. Click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] CNAME HostName|DomainName

Value                 Description
dnscmd                Specifies the name of the command-line program.
ServerName            Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd            Required. Specifies the command to add a new resource record.
ZoneName              Required. Specifies the name of the zone where this CNAME resource record will be added.
NodeName              Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging                Specifies that this resource record is aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl              Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl                   Specifies the Time-To-Live (TTL) setting for the resource record. (The default TTL is defined in the SOA resource record.)
CNAME                 Required. Specifies the resource record type of the record you are adding.
HostName|DomainName   Required. Specifies the FQDN of any valid DNS host or domain name in the namespace. For FQDNs, a trailing period (.) is used to fully qualify the name.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

To add a new domain to a zone
1. Open DNS.
2. In the console tree, click the applicable zone.
   Where? DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click New Domain, and then type the name of the new domain without using periods.
4. Click OK to add the new domain to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To add a pointer (PTR) resource record to a reverse zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable reverse lookup zone.
3. On the Action menu, click New Pointer.
4. In the Host IP number text box, type the host IP address octet number.
5. In the Host name text box, type the fully qualified domain name for the DNS host computer for which this pointer record is to be used to provide reverse lookup (address-to-name resolution). As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) records already defined.
6. Click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• When creating a new A resource record, there is an option to create an associated PTR resource record automatically. PTR resource records created automatically when adding an A resource record to a zone will be deleted automatically if the corresponding A resource record is deleted.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] PTR HostName|DomainName

Value                 Description
dnscmd                Specifies the name of the command-line tool.
ServerName            Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd            Required. Adds a new resource record.
ZoneName              Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName              Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging                Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl              Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl                   Specifies the Time-To-Live setting for the resource record.
PTR                   Required. Specifies the resource record type.
HostName|DomainName   Required. Specifies the FQDN of a resource record located in the DNS namespace. The host you specify is used as the data for answering reverse lookups based on the address information specified by this pointer (PTR) resource record.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help
• PTR resource records are deleted automatically if the corresponding A resource record is deleted.

To add a resource record to a zone
• Using the Windows interface
• Using a command line
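The A and PTR procedures above are usually performed as a pair: the console offers a "Create associated pointer (PTR) record" check box, but dnscmd needs two separate /RecordAdd commands, and the operator has to work out which reverse lookup zone and node the pointer belongs in. The script below is an added example written for this page (not code from the help text or from Microsoft) that does that bookkeeping: it derives the in-addr.arpa zone and node from the host's IPv4 address, then returns the two dnscmd argument lists. It assumes the /RecordAdd syntax for the A and PTR types shown above and the standard IPv4 reverse-zone naming (reversed network octets under in-addr.arpa), and it only handles octet-aligned reverse zones; the server ".", zone example.com and address 10.1.2.3 are constructed.

```python
"""Add a host (A) record and its matching pointer (PTR) record with dnscmd.

Added example, not code from the help text. It assumes the /RecordAdd syntax for
the A and PTR types shown above and the standard IPv4 reverse-zone naming
(reversed network octets under in-addr.arpa). Names and addresses in the demo
are constructed.
"""
import ipaddress
import subprocess
from typing import List, Optional, Tuple


def reverse_zone_and_node(ip: str, prefix_len: int = 24) -> Tuple[str, str]:
    """Split an IPv4 address into the in-addr.arpa zone it falls in and the node inside it.

    The zone name is the network part of the address with its octets reversed; the
    host part, also reversed, is the node name. Only octet-aligned prefixes are
    handled; classless reverse delegations (/25 and longer) use a different layout
    and are deliberately rejected rather than guessed at.
    """
    if prefix_len not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 reverse zones are handled")
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises ValueError on bad input
    split = prefix_len // 8
    zone = ".".join(reversed(octets[:split])) + ".in-addr.arpa"
    node = ".".join(reversed(octets[split:]))
    return zone, node


def host_and_pointer_commands(server: str, forward_zone: str, host: str, ip: str,
                              ttl: Optional[int] = None,
                              open_acl: bool = False) -> List[List[str]]:
    """Return two dnscmd argv lists: the A record and the PTR record that points back to it.

    This is the scripted equivalent of the "Create associated pointer (PTR) record"
    check box. open_acl is off by default because /OpenAcl lets any user modify the
    new record; it is emitted only when a caller asks for it explicitly.
    """
    if not host or "." in host or host == "@":
        raise ValueError("host must be a single label relative to the forward zone")
    rev_zone, rev_node = reverse_zone_and_node(ip)
    target = f"{host}.{forward_zone}."   # trailing period fully qualifies the PTR target

    def common(zone: str, node: str) -> List[str]:
        argv = ["dnscmd", server, "/RecordAdd", zone, node]
        if open_acl:
            argv.append("/OpenAcl")
        if ttl is not None:
            argv.append(str(ttl))
        return argv

    a_record = common(forward_zone, host) + ["A", ip]
    ptr_record = common(rev_zone, rev_node) + ["PTR", target]
    return [a_record, ptr_record]


def apply_commands(commands: List[List[str]]) -> None:
    """Run each command as an argument list (no shell), stopping at the first failure."""
    for argv in commands:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed demo: print both commands instead of running them.
    for argv in host_and_pointer_commands(".", "example.com", "web01", "10.1.2.3", ttl=3600):
        print(" ".join(argv))
```

The reverse zone has to exist on the server before the PTR command succeeds, so the demo prints the commands for review rather than calling apply_commands; with a real zone in place the two calls are run in the order returned, A record first.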

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone and click Other New Records.
3. In the Select a resource record type list box, select the type of resource record you want to add.
4. Click Create Record.
5. In New Resource Record, enter the information needed to complete the resource record.
6. After you specify all of the necessary information for the resource record, click OK to add the new record to the zone.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value          Description
dnscmd         Specifies the name of the command-line tool.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd     Required. Adds a new resource record.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName       Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging         Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl       Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl            Specifies the Time-To-Live setting for the resource record.
RRType RRData  Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. For information about each resource record type, see the Resource records reference.

Resource record type                  Resource record data
A                                     IPAddress
NS, CNAME, PTR, MB, MD, MF, MG, MR    HostName|DomainName
MX, RT, AFSDB                         Preference ServerName
SRV                                   Priority Weight Port HostName
SOA                                   PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA                                  Ipv6Address
TXT, X25, HINFO, ISDN                 String [String]
MINFO, RP                             MailboxName ErrMailboxName
WKS                                   Protocol IPAddress Service...
WINS                                  MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                                 MapFlag LookupTimeout CacheTimeout RstDomainName

Value                 Description
IPAddress             Specifies a standard IP address. For example, 255.255.255.255.
ipv6Address           Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol              Specifies the transmission protocol: UDP or TCP.
Service               Specifies a standard service. For example, domain, smtp.
HostName|DomainName   Specifies the FQDN of a resource record located in the DNS namespace.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordAdd /help

Formatting                                                                Meaning
Between brackets ([])                                                     Optional items
Between braces ({}), choices separated by pipe (|). Example: {even|odd}   Set of choices from which the user must choose only one
Courier font                                                              Code or program output

To modify an existing resource record in a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the resource record you want to modify, and then click Properties.
4. In Properties, edit the properties that can be modified.
5. Click OK when you have finished modifying the record.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• If necessary, you can modify additional settings for an existing resource record, such as its record-specific Time to Live (TTL). To display advanced properties, on the View menu, click Advanced. When Advanced view options are enabled, you can view and modify advanced resource record properties for the DNS console.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] RRType RRData

Value          Description
dnscmd         Specifies the name of the command-line program.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd     Required. Adds a new resource record.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName       Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging         Specifies that this resource record is able to be aged and scavenged. If this parameter is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl       Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
Ttl            Specifies the Time-To-Live setting for the resource record.
RRType RRData  Required. Specifies the type of resource record to add, followed by the data to be contained in the resource record. For information about each resource record type, see the Resource records reference.

Resource record type                  Resource record data
A                                     IPAddress
NS, CNAME, PTR, MB, MD, MF, MG, MR    HostName|DomainName
MX, RT, AFSDB                         Preference ServerName
SRV                                   Priority Weight Port HostName
SOA                                   PrimSvr Admin Serial#\ Refresh Retry Expire MinTTL
AAAA                                  Ipv6Address
TXT, X25, HINFO, ISDN                 String [String]
MINFO, RP                             MailboxName ErrMailboxName
WKS                                   Protocol IPAddress Service...
WINS                                  MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                                 MapFlag LookupTimeout CacheTimeout RstDomainName

Value                 Description
IPAddress             Specifies a standard IP address. For example, 255.255.255.255.
ipv6Address           Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol              Specifies the transmission protocol: UDP or TCP.
Service               Specifies a standard service. For example, domain, smtp.
HostName|DomainName   Specifies the FQDN of a resource record located in the DNS namespace.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

If the computer is joined to a domain. • • Using a command line 1. click Control Panel. type: dnscmd /RecordAdd /help To delete a resource record from a zone • • Using the Windows interface Using a command line Using the Windows interface 1. 3. 2. 4. click Start. and then double-click DNS. members of the Domain Admins group might be able to perform this procedure. or you must have been delegated the appropriate authority. To view the complete syntax for this command. 2. see Related Topics. at a command prompt. For information about installing Windows support tools. When you are asked to confirm that you want to delete the selected resource record. consider using Run as to perform this procedure. Notes • To perform this procedure. right-click the resource record you want to delete. Open Command Prompt. you must be a member of the Administrators group on the local computer. double-click Administrative Tools. click the applicable zone. PTR resource records are deleted automatically if the corresponding A resource record is deleted. In the details pane. To open DNS. As a security best practice. Type: dnscmdServerName/RecordDeleteZoneNameNodeNameRRTypeRRData [/f] Value Description Page 136 of 165 . and then click Delete. Open DNS.• • This procedure requires the Dnscmd Windows support tool. In the console tree. click OK.

dnscmd         Specifies the name of the command-line program.
ServerName     Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordDelete  Required. Deletes a resource record.
ZoneName       Required. Specifies the fully qualified domain name (FQDN) of the zone.
NodeName       Required. Specifies the FQDN of the node in the DNS namespace. You can also type the node name relative to the ZoneName, or @, which specifies the zone's root node.
RRType         Required. Specifies the type of resource record (RR) to delete.
RRData         Required. Specifies the data contained in the resource record. The data depends on the resource record type, as shown in the following table.

Resource record type                  Resource record data
A                                     IPAddress
NS, CNAME, MB, MD, MF, MG, MR, PTR    HostName|DomainName
MX, RT, AFSDB                         Preference ServerName
SRV                                   Priority Weight Port HostName
SOA                                   PrimSvr Admin Serial# Refresh Retry Expire MinTTL
AAAA                                  Ipv6Address
TXT, HINFO, ISDN, X25                 String [String]
MINFO, RP                             MailboxName ErrMailboxName
WKS                                   Protocol IPAddress Service...
WINS                                  MapFlag LookupTimeout CacheTimeout IPAddress...
WINSR                                 MapFlag LookupTimeout CacheTimeout RstDomainName

For information about each resource record type, see the Resource records reference.

Value                  Description
IPAddress              Specifies a standard IP address. For example, 255.255.255.255.

ipv6Address            Specifies a standard IPv6 address. For example, 1:2:3:4:5:6:7:8.
Protocol               Specifies the transmission protocol: UDP or TCP.
Service                Specifies a standard service. For example, domain, smtp.
HostName|DomainName    Specifies the FQDN of a resource record located in the DNS namespace.
/f                     Specifies that the command is executed without asking for confirmation. If you omit this parameter, you are prompted to confirm the deletion of the resource record.

Important
• If the variable RRData is not specified, all resource records of the same type are deleted.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /RecordDelete /help
• If the parameter RRData is not specified, all resource record types matching the previous criteria are deleted.
• PTR resource records are deleted automatically if the corresponding A resource record is deleted.
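The matching rules this command-line procedure describes (a node name given as an FQDN, relative to the zone, or as @; every record of the type removed when RRData is omitted; a confirmation prompt unless /f is given) can be rehearsed against a copy of the zone before anything is deleted. The following dry run is an added example written for this page; it is not Microsoft code and not part of the Dnscmd tool. The sample zone contents, the Record class and the function names are assumptions.

```python
"""Dry run of the record-matching rules described for dnscmd /RecordDelete.

Added example; not Microsoft code and not part of the original documentation.
The zone below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    node: str     # owner name: FQDN, name relative to the zone, or "@" for the root
    rrtype: str   # A, NS, CNAME, MX, ...
    rrdata: str   # the RRData column for that type


# Constructed sample zone "example.com" (not real hosts).
SAMPLE_ZONE: List[Record] = [
    Record("@", "SOA", "ns1.example.com. hostmaster.example.com. 2005012101 900 600 86400 3600"),
    Record("@", "NS", "ns1.example.com."),
    Record("@", "NS", "ns2.example.com."),
    Record("@", "MX", "10 mail.example.com."),
    Record("host-a", "A", "10.0.0.10"),
    Record("host-a.example.com.", "A", "10.0.0.11"),   # same node written as an FQDN
    Record("host-a", "AAAA", "1:2:3:4:5:6:7:8"),
    Record("www", "CNAME", "host-a.example.com."),
]


def canonical_node(node: str, zone_name: str) -> str:
    """Reduce the three spellings the procedure allows (FQDN, name relative to
    the zone, or "@") to one relative form so that they compare equal."""
    name = node.strip().rstrip(".").lower()
    zone = zone_name.strip().rstrip(".").lower()
    if name in ("@", "", zone):
        return "@"
    suffix = "." + zone
    if name.endswith(suffix):
        return name[: -len(suffix)]
    return name


def select_for_delete(zone: List[Record], zone_name: str, node: str,
                      rrtype: str, rrdata: Optional[str] = None) -> List[Record]:
    """Records that dnscmd ServerName /RecordDelete ZoneName NodeName RRType [RRData]
    would remove: every record at the node with the given type, narrowed to a single
    record only when RRData is supplied (omitting RRData deletes all of that type)."""
    want_node = canonical_node(node, zone_name)
    want_type = rrtype.strip().upper()
    hits = []
    for rec in zone:
        if canonical_node(rec.node, zone_name) != want_node or rec.rrtype.upper() != want_type:
            continue
        if rrdata is not None and rec.rrdata.strip().lower() != rrdata.strip().lower():
            continue
        hits.append(rec)
    return hits


def plan_delete(zone: List[Record], zone_name: str, node: str, rrtype: str,
                rrdata: Optional[str] = None, force: bool = False) -> Tuple[List[Record], bool]:
    """Return (records that would be deleted, whether the tool would prompt).
    The prompt is skipped only when /f (force=True) is given."""
    return select_for_delete(zone, zone_name, node, rrtype, rrdata), not force


if __name__ == "__main__":
    for node, rrtype, rrdata in (("host-a", "A", None),
                                 ("host-a", "A", "10.0.0.10"),
                                 ("example.com.", "NS", None)):
        hits, prompts = plan_delete(SAMPLE_ZONE, "example.com", node, rrtype, rrdata)
        print(node, rrtype, rrdata, "->", len(hits), "record(s)",
              "(asks for confirmation)" if prompts else "(no prompt, /f)")
```

Run the dry run with the exact arguments you intend to pass to dnscmd; the difference between the first two cases above (two A records removed versus one) is the Important note about omitting RRData made visible before the real command is typed.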

To view unsupported resource records in a zone
1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, click the record you want to view.
4. On the Action menu, click Properties.
5. In Properties, view properties specific to this record. When you have finished viewing the record, click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The DNS console allows you to view unsupported resource records (RRs) in secondary zones that are obtained from other DNS server implementations, such as DNS servers running versions of BIND. These types of records include legacy records, such as mail forwarder (MF) and mail domain (MD) resource records (RRs). These records are not used by DNS servers running Windows Server 2003 and cannot be managed through the DNS console.

To modify security for a resource record
1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, right-click the record you want to view, then click Properties.
4. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.

Notes

• To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.
• Secure dynamic updates are only supported or configurable for resource records in zones stored in Active Directory.
• Security settings applied to resource records only affect dynamic updates. These security settings do not affect who may administer the zone where these resource records are located. For information on the security settings that affect who may administer a zone, see Related Topics.
• Resource records with the same name share the same resource record security settings. The names of resource records are listed in the Name column of the DNS console.

Use aging and scavenging
• Set aging/scavenging properties for the DNS server
• Set aging/scavenging properties for a zone
• Enable automatic scavenging of stale resource records
• Start immediate scavenging of stale resource records
• View when a zone can start scavenging stale records
• Reset scavenging and aging properties for a specified resource record

To set aging/scavenging properties for the DNS server
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• Aging and scavenging properties configured by this procedure act as server defaults that apply only toward Active Directory-integrated zones. For standard primary zones, you must set the appropriate properties at the applicable zone.
• Once you apply changes for server aging/scavenging settings, the DNS console prompts you to confirm. You then have the option to apply your changes to new Active Directory-integrated zones only. If needed, you can also apply your changes to existing Active Directory-integrated zones.
• Regardless of whether the Scavenge stale resource records check box is selected as described above, for standard primary zones, this feature is disabled unless manually enabled at the applicable zone.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config {/ScavengingInterval Value|/DefaultAgingState Value|/DefaultNoRefreshInterval Value|/DefaultRefreshInterval Value}

Value                      Description
dnscmd                     Specifies the name of the command-line program.
ServerName                 Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config                    Required. Specifies the configuration command.
/ScavengingInterval        Required. Sets the frequency by which the server will perform scavenging for all scavenging-enabled zones.
/DefaultAgingState         Required. Sets the default aging configuration for all zones on the server.
/DefaultNoRefreshInterval  Required. Sets the default No-refresh interval for scavenging-enabled zones.
/DefaultRefreshInterval    Required. Sets the default Refresh interval for scavenging-enabled zones.
Value                      Required. For /ScavengingInterval, type a value in hours. The default is 168 (one week). For /DefaultAgingState, type 1 to enable aging for new zones when they are created. Type 0 to disable aging for new zones. For /DefaultNoRefreshInterval, type a value in hours. The default is 168 (one week). For /DefaultRefreshInterval, type a value in hours. The default is 168 (one week).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To set aging/scavenging properties for a zone
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable zone, then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config {ZoneName|..AllZones} {/Aging Value|/RefreshInterval Value|/NoRefreshInterval Value}

Value                Description
dnscmd               Specifies the name of the command-line program.
ServerName           Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config              Required. Specifies the configuration command.
ZoneName|..AllZones  Required. Specifies the name of the zone to which you want to set aging and scavenging. To apply the operation to all zones, use ..AllZones.
/Aging               Required. Enables aging for zones.
/RefreshInterval     Required. Specifies the Refresh interval for a scavenging-enabled zone.
/NoRefreshInterval   Required. Specifies the No-refresh interval for a scavenging-enabled zone.
Value                Required. For /Aging, type 1 to enable aging. Type 0 to disable aging. For /RefreshInterval, type a value in hours. The default setting is 168 hours (one week). For /NoRefreshInterval, type a value in seconds. The standard setting is 3600 (one hour).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

To enable automatic scavenging of stale resource records
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Properties.
3. Click the Advanced tab.
4. Select the Enable automatic scavenging of stale records check box.
5. To adjust the Scavenging period, select from the drop-down list an interval in either hours or days, and then type a number in the text box.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

To start immediate scavenging of stale resource records
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, then click Scavenge Stale Resource Records.
3. When asked to confirm that you want to scavenge all stale resource records on the server, click OK.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /StartScavenging

Value             Description
dnscmd            Specifies the name of the command-line tool.
ServerName        Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/StartScavenging  Required. Initiates resource record scavenging.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /StartScavenging /help

To view when a zone can start scavenging stale records
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. On the View menu, click Advanced.
3. Right-click the applicable zone, then click Properties.
4. On the General tab, click Aging.
5. Under Refresh interval, view when the zone is first eligible to be scavenged for stale resource records.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• The start scavenging date and time stamp are used to determine when zone scavenging starts. After the start scavenging date and time stamp are reached, scavenging can occur only if the Scavenge stale resource records check box is selected. If the check box is cleared, scavenging for the zone cannot be performed. For more information, see Related Topics.

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /ZoneInfo ZoneName RefreshInterval

Value            Description
dnscmd           Specifies the name of the command-line tool.
ServerName       Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneInfo        Required. Displays configuration information.
ZoneName         Required. Specifies the fully qualified domain name (FQDN) of the zone.
RefreshInterval  Required. Specifies the configuration property that displays when the zone is first eligible to be scavenged for stale resource records. The output value is in hours. The default setting is 168 hours (one week).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /ZoneInfo /help

To reset scavenging and aging properties for a specified resource record
• Using the Windows interface
• Using a command line

Using the Windows interface
1. Open DNS.
2. In the console tree, click the applicable zone.
3. In the details pane, double-click the resource record for which you want to reset scavenging and aging properties.
4. Depending on how the resource record was originally added to the zone, do one of the following:
   o If the record was added dynamically using dynamic update, you can clear the Delete this record when it becomes stale check box to prevent its aging or potential removal during the scavenging process. If dynamic updates to this record continue to occur, the DNS server will always reset this check box so that the dynamically updated record can be deleted.
   o If you added the record statically, you can select the Delete this record when it becomes stale check box to permit its aging or potential removal during the scavenging process.

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
• This procedure is only necessary for resource records that are dynamically registered. For records that you manually add to a zone, a time stamp value of zero always applies to the record, excluding it from the scavenging process.
• Scavenging and aging properties for NS and SOA resource records are reset in the properties for the zone, not the properties for the resource record.
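The aging and scavenging procedures above set a server-wide scavenging interval, a zone's No-refresh and Refresh intervals, the date on which a zone first becomes eligible, and a per-record "Delete this record when it becomes stale" flag. The following timeline model shows how those settings interact for a dynamically registered record and a statically added one. It is an added example written for this page, not Microsoft code and not part of the original documentation. The interval rules it implements (a time-stamp-only refresh is refused inside the No-refresh interval, accepted during the Refresh interval, and a record older than both is stale) are the standard Windows DNS aging model and are assumed rather than quoted from the procedures; the assumption that a zone becomes eligible one Refresh interval after aging is enabled is likewise labelled in the code.

```python
"""Timeline model of the aging and scavenging settings configured above.

Added example for this page; not Microsoft code and not part of the original
documentation.  Times are hours counted from an arbitrary zero.  The interval
rules are the standard Windows DNS aging model and are assumed here rather than
quoted from the procedures.
"""
from dataclasses import dataclass
from typing import List, Optional

STATIC = 0.0  # time stamp the documentation assigns to manually added records


@dataclass
class ZoneAging:
    aging_enabled: bool = False          # the Scavenge stale resource records check box
    no_refresh_hours: float = 168.0      # default 168 (one week)
    refresh_hours: float = 168.0         # default 168 (one week)
    start_scavenging_at: Optional[float] = None  # when the zone is first eligible


@dataclass
class AgedRecord:
    name: str
    timestamp: float = STATIC            # 0 = static record, never aged
    delete_when_stale: bool = True       # "Delete this record when it becomes stale"


def enable_zone_aging(zone: ZoneAging, now: float) -> float:
    """Select the check box for a zone.  Assumption: the zone becomes eligible one
    Refresh interval after aging is enabled; this is the date the console shows
    under Refresh interval.  Returns the start-scavenging time."""
    zone.aging_enabled = True
    zone.start_scavenging_at = now + zone.refresh_hours
    return zone.start_scavenging_at


def dynamic_update(rec: AgedRecord, zone: ZoneAging, now: float) -> bool:
    """A dynamic update that changes no data.  Returns True when the time stamp
    was advanced.  Static records keep a time stamp of zero, and a dynamic update
    always re-selects the delete-when-stale check box, as the procedure notes."""
    if rec.timestamp == STATIC:
        return False
    if now < rec.timestamp + zone.no_refresh_hours:
        return False                      # inside the No-refresh interval: stamp unchanged
    rec.timestamp = now
    rec.delete_when_stale = True
    return True


def is_stale(rec: AgedRecord, zone: ZoneAging, now: float) -> bool:
    """Stale = older than No-refresh + Refresh and still marked for deletion."""
    if rec.timestamp == STATIC or not rec.delete_when_stale:
        return False
    return now >= rec.timestamp + zone.no_refresh_hours + zone.refresh_hours


def scavenge(records: List[AgedRecord], zone: ZoneAging, now: float) -> List[AgedRecord]:
    """Records a scavenging pass at `now` would remove.  Nothing is removed until
    the zone's check box is selected and its start-scavenging time has passed."""
    if not zone.aging_enabled or zone.start_scavenging_at is None:
        return []
    if now < zone.start_scavenging_at:
        return []
    return [r for r in records if is_stale(r, zone, now)]


if __name__ == "__main__":
    zone = ZoneAging()
    enable_zone_aging(zone, now=0)                    # zone eligible from hour 168
    dyn = AgedRecord("host-a", timestamp=10)          # registered dynamically at hour 10
    static = AgedRecord("printer")                    # added manually, time stamp 0
    print("refresh at hour 100 accepted:", dynamic_update(dyn, zone, 100))  # False
    print("refresh at hour 200 accepted:", dynamic_update(dyn, zone, 200))  # True
    print("removed at hour 500:", [r.name for r in scavenge([dyn, static], zone, 500)])
    print("removed at hour 536:", [r.name for r in scavenge([dyn, static], zone, 536)])
```

The walk-through in the main block is the case an operator most often gets wrong: the refresh at hour 100 is silently ignored because it falls inside the No-refresh interval, so the record's clock keeps running from hour 10 until the refresh at hour 200 is accepted; the static record is never a candidate.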

Using a command line
1. Open Command Prompt.
2. Type:
   dnscmd ServerName /Config {ZoneName|..AllZones} /ScavengingInterval Value

Value                Description
dnscmd               Specifies the name of the command-line program.
ServerName           Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config              Required. Specifies the configuration command.
ZoneName|..AllZones  Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones hosted on the specified DNS server to allow dynamic updates, type ..AllZones.
/ScavengingInterval  Required. Sets the scavenging interval.
Value                Required. The new value for the scavenging interval. Value specified in hours. The default is 168 (one week).

Notes
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.
• To view the complete syntax for this command, at a command prompt, type: dnscmd /Config /help

Concepts
This section provides general background information about Domain Name System (DNS) and the DNS Server service, as well as details about supporting software provided for DNS clients running under Microsoft operating systems.
• DNS Overview
• Understanding DNS
• Deploying DNS
• Administering DNS
• DNS Resources

DNS Overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DNS overview
This section covers:
• DNS defined
• DNS tools
• Server features
• Client features
• Security information for DNS
• New features for DNS

DNS defined
DNS is an abbreviation for Domain Name System, a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address.

For example, most users prefer a friendly name such as example.microsoft.com to locate a computer such as a mail or Web server on a network. A friendly name can be easier to learn and remember. However, computers communicate over a network by using numeric addresses. To make the use of network resources easier, name systems such as DNS provide a way to map the user-friendly name for a computer or service to its numeric address.

The following figure shows a basic use of DNS, which is finding the IP address of a computer based on its name.

In this example, a client computer queries a DNS server, asking for the IP address of a computer configured to use host-a.example.microsoft.com as its DNS domain name. Because the DNS server is able to answer the query based on its local database, it replies with an answer containing the requested information, which is a host (A) resource record that contains the IP address information for host-a.example.microsoft.com.

The example shows a simple DNS query between a single client and DNS server. In practice, DNS queries can be more involved than this and include additional steps not shown here. For more information, see How DNS query works.

Note
• For additional background information about other DNS concepts, see Understanding DNS.

DNS tools
There are a number of utilities for administering, monitoring, and troubleshooting both DNS servers and clients. These utilities include:
• The DNS console, which is part of Administrative Tools.
• Command-line utilities, such as Nslookup, which can be used to troubleshoot DNS problems.

• Logging features, such as the DNS server log, which can be viewed using the DNS console or Event Viewer. File-based logs can also be used temporarily as an advanced debugging option to log and trace selected service events.
• Performance monitoring utilities, such as statistical counters to measure and monitor DNS server activity with System Monitor.
• Windows Management Instrumentation (WMI), a standard technology for accessing management information in an enterprise environment.
• Platform Software Developer Kit (SDK).

The DNS console
The primary tool that you use to manage DNS servers is the DNS console, which is located in the Administrative Tools folder in the Start menu's Programs folder. The DNS console can be used on its own or as a Microsoft Management Console (MMC) snap-in, further integrating DNS administration into your total network management. The DNS console can only be used after DNS is installed on the server.

You can use the DNS console to perform these basic administrative server tasks:
1. Performing initial configuration of a new DNS server.
2. Connecting to and managing a local DNS server on the same computer, or remote DNS servers on other computers.
3. Adding and removing forward and reverse lookup zones as needed.
4. Adding, removing, and updating resource records in zones.
5. Modifying how zones are stored and replicated between servers.
6. Modifying how servers process queries and handle dynamic updates.
7. Modifying security for specific zones or resource records.

In addition, you can also use the DNS console to perform the following tasks:
• Perform maintenance on the server. You can start, stop, pause, or resume the server, or manually update server data files.
• Monitor the contents of the server cache and, as needed, clear it.
• Tune advanced server options.
• Configure and perform aging and scavenging of stale resource records stored by the server.

Notes
• The DNS console provides new ways to perform familiar DNS administrative tasks previously performed in Microsoft® Windows® NT Server 4.0 using DNS Manager. For more information, see New ways to do familiar DNS tasks.
• To use the DNS console from another non-server computer, such as one running Microsoft® Windows® XP Professional, you must install the Windows Server 2003 Administration Tools Pack.
• For information on installing DNS, see Install a DNS server.

Important
• The DNS console can only be used to manage DNS servers running Microsoft® Windows® and cannot be used to manage other DNS servers, such as BIND.

Command-line utilities
There are several command-line utilities you can use to manage and troubleshoot DNS servers and clients, which can be run either by typing them at a command prompt or by entering them in batch files for scripted use. The following table describes each of these utilities.

Command   Description
Nslookup  Used to perform query testing of the DNS domain namespace. For more information, see Nslookup.
Dnscmd    A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. For more information, see Server administration using Dnscmd.
Ipconfig  This command is used to view and modify IP configuration details used by the computer. Additional command-line options are included with this utility to provide help in troubleshooting and supporting DNS clients. For more information, see Flush and reset a client resolver cache using the ipconfig command or Renew DNS client registration using the ipconfig command.

Event monitoring utilities
The Windows Server 2003 family includes two options for monitoring DNS servers:
• Default logging of DNS server event messages to the DNS server log. DNS server event messages are separated and kept in their own system event log, the DNS server log, which can be viewed using the DNS console or Event Viewer. The DNS server log contains events logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, such as when the server starts but cannot locate initializing data, such as zones or boot information stored in the registry or (in some cases) Active Directory. The event types logged by DNS servers can be changed using the DNS console. For more information, see DNS server log reference.
  You can use Event Viewer to view and monitor client-related DNS events. These appear in the System log and are written by the DNS Client service at any computers running Windows (all versions). For more information, see Windows interface administrative tool reference A-Z: Event Viewer.
• Optional debug options for trace logging to a text file on the DNS server computer. You can also use the DNS console to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file created and used for this feature, Dns.log, is stored in the systemroot\System32\Dns folder. For more information, see View the DNS server system event log.

Performance monitoring utilities
Performance monitoring for DNS servers can be done using additional service-specific counters that measure DNS server performance. These counters are accessible through System Monitor, which is provided in the Performance console. When using System Monitor, you can create charts and graphs of server performance trends over time for any of your DNS servers. These can be further studied and analyzed to determine if additional server tuning is needed.

For more information. and other managed components in an enterprise environment. Programmable DNS components are designed for use by C/C++ programmers. it is possible to determine performance benchmarks and decide if further adjustments can be made to optimize the system. • Interoperability with other DNS server implementations Page 155 of 165 . Server features The Domain Name System (DNS) Server service provides the following: • An RFC-compliant DNS server DNS is an open protocol and is standardized by a set of Request for Comments (RFCs). Note • For more information about manageability. such as programmatically making DNS queries. as well as the DNS protocol and how DNS operates. Microsoft supports and complies with these standard specifications. Platform Software Developer Kit (SDK) Computers running a product in the Windows Server 2003 family provide functions that enable application programmers to use DNS. For more information about Windows Management Instrumentation. devices. networks. Familiarity with networking and with DNS is required. For more information. comparing records. Windows Management Instrumentation (WMI) WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM). which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. see Management Strategies and Tools. see DNS RFCs. WMI uses the Common Information Model (CIM) industry standard to represent systems. applications. see Monitoring DNS server performance. and looking up names. see the Microsoft Platform SDK Web site. Programmers should be familiar with the IP protocol suite.By measuring and reviewing server metrics over a period of time.

Because the DNS Server service is RFC-compliant and can use standard DNS data file and resource record formats, it can successfully work with most other DNS server implementations, such as those that use the Berkeley Internet Name Domain (BIND) software. For more information, see Interoperability issues.
• Support for Active Directory
DNS is required for support of the Active Directory® directory service. If you install Active Directory on a server, you can automatically install and configure a DNS server if a DNS server that meets the Active Directory requirements cannot be located. In general, the use of the Windows Server 2003 DNS Server service is strongly recommended for the best possible integration and support of Active Directory and enhanced DNS server features. You can, however, use another type of DNS server to support Active Directory deployment. When using other types of DNS servers, consider additional issues related to DNS interoperability. For more information, see Interoperability issues.
If you choose to install the DNS Server service locally, the wizard tests for the following:
1. First, in the Active Directory Installation Wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller.
2. Based on its TCP/IP client configuration, it checks to see whether a preferred DNS server is configured for its use.
3. If a preferred DNS server is available, it queries to find the primary authoritative server for the DNS name of the Active Directory domain you specified earlier in the wizard.
4. It then tests to see whether the authoritative primary server can support and accept dynamic updates as described in the dynamic update protocol (RFC 2136).
5. If, at this point in the process, a supporting DNS server cannot be located to accept updates for the specified DNS domain name you are using with Active Directory, you are provided with the option to install the DNS Server service locally.
Later in the installation process, the IP address for the current preferred DNS server is used to configure a forwarder on the local DNS server. This configuration maintains any existing resolution to an Internet Service Provider (ISP). For more information, see

Interoperability issues.
• Stub zones
DNS supports a new zone type called a stub zone. A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for that zone. You can use a stub zone instead of a secondary zone in situations where replicating all the zone data would be undesirable, such as over a slow network link. Note, however, that this replication efficiency is at the expense of resolution efficiency, because the server hosting the stub zone is not authoritative for the zone and so must refer all queries for the zone to other servers. For more information, see Understanding stub zones.
Note
o This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.
• Conditional forwarders
The DNS Server service extends a standard forwarder configuration with conditional forwarders. A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. For more information, see Understanding forwarders.
• Enhancements to DNS zone storage in Active Directory
DNS zones can be stored in the domain or application directory partitions of Active Directory. A partition is a data structure within Active Directory used to distinguish data for different replication purposes. You can specify in which Active Directory partition to store the zone and, consequently, the set of domain controllers between which that zone's data will be replicated. For more information, see DNS zone replication in Active Directory.
Note
o This feature is not included on computers running the Microsoft® Windows Server® 2003, Web Edition, operating system. For more information, see Overview of Windows Server 2003, Web Edition.

• Enhanced DNS security features
DNS provides enhanced security administration for the DNS Server service, the DNS Client service, and DNS data. For more information, see Security information for DNS.
• Support for incremental zone transfer between servers
Zone transfers are used between DNS servers to replicate information about a portion of the DNS namespace. Incremental zone transfer is used to replicate only the changed portions of a zone, conserving network bandwidth. For more information, see Understanding zones and zone transfer.
• RFC-compliant dynamic update protocol support
The DNS Server service allows clients to dynamically update resource records, based on the dynamic update protocol (RFC 2136). This improves DNS administration by reducing the time needed to manually manage these records. Computers running the DNS Client service can dynamically register their DNS names and IP addresses. For more information, see Dynamic update.
• Integration with other Microsoft networking services
The DNS Server service offers integration with other services and contains features beyond those specified in the RFCs. These include integration with Active Directory, WINS, and DHCP services. For more information, see Active Directory integration, WINS lookup integration, and Dynamic update.
• Improved ease of administration
The DNS console offers an improved graphical user interface for managing the DNS Server service. Also, there are several configuration wizards for performing common server administration tasks. In addition to the DNS console, other tools are provided to help you better manage and support DNS servers and clients on your network. For more information, see DNS tools.
• Support for new resource record types

The DNS Server service includes support for several new resource record (RR) types, which include the service location (SRV) and ATM address (ATMA) RRs. These types expand the possibilities for using DNS as a names database service. For more information on obtaining RFCs, see TCP/IP RFCs.

Client features
The Domain Name System (DNS) Client service is used to resolve DNS domain names and implements the following features:
• System-wide caching
Resource records (RRs) from query responses are added to the client cache as applications query DNS servers. This information is then cached for a set Time to Live (TTL) and can be used again to answer subsequent queries.
• RFC-compliant negative caching support
In addition to caching positive query responses from DNS servers (which contain resource record information in the answered reply), the DNS Client service also caches negative query responses. A negative response results when a resource record for the queried name does not exist. Negative caching prevents the repeating of additional queries for names that do not exist, which can adversely affect client system performance. Any query information negatively cached is kept for a shorter period of time than is used for positive query responses, by default no more than 5 minutes. This avoids continued negative caching of stale information if the records later become available. Negative caching is a new DNS standard specification defined in RFC 2308. For more information, refer to this RFC.
• Avoidance of unresponsive DNS servers
The DNS Client service uses a server search list, ordered by preference. This list includes all preferred and alternate DNS servers configured for each of the active network connections on the system. The list is arranged based on the following criteria:
1. Preferred DNS servers are given first priority.
2. If no preferred DNS servers are available, then alternate DNS servers are used.
3. Unresponsive servers are removed temporarily from these lists.
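The three client behaviours just listed (TTL-bound positive caching, capped negative caching, and a preferred-then-alternate search list that temporarily drops unresponsive servers) interact in ways that are easier to see in code than in prose. The following is an added example written for this page, not Microsoft's DNS Client service code: a small simulation with an injected clock and an injected query function so it runs offline. The 30-second penalty for an unresponsive server, the server addresses, and the answers in run_scenario() are constructed sample values; the 5-minute negative cap is the default the text states.

```python
"""DNS Client service caching and server search list (added example).

This is not Microsoft's code; it is a small simulation of the client behaviours
described above: positive answers are cached for their TTL, negative answers
(name does not exist) are cached for at most 5 minutes (the default cap the
text gives), preferred servers are tried before alternates, and a server that
does not respond is skipped for a while. The 30-second penalty, the server
addresses and the answers in run_scenario() are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NEGATIVE_TTL_CAP = 300          # seconds: negative answers kept "no more than 5 minutes"
UNRESPONSIVE_PENALTY = 30       # seconds an unresponsive server is skipped (assumed value)

# A query function returns ("ok", [addresses], ttl), ("nxdomain", [], ttl), or None on no response.
Answer = Optional[Tuple[str, List[str], int]]


@dataclass
class CacheEntry:
    status: str             # "ok" or "nxdomain"
    addresses: List[str]
    expires: float          # absolute time after which the entry is stale


class DnsClient:
    def __init__(self, preferred: List[str], alternate: List[str],
                 query: Callable[[str, str], Answer], now: Callable[[], float]):
        self.search_list = preferred + alternate   # preferred servers get first priority
        self._query = query
        self._now = now
        self._cache: Dict[str, CacheEntry] = {}
        self._retry_after: Dict[str, float] = {}   # unresponsive server -> time it may be retried

    def _usable_servers(self) -> List[str]:
        t = self._now()
        return [s for s in self.search_list if self._retry_after.get(s, 0.0) <= t]

    def resolve(self, name: str) -> Tuple[str, List[str], str]:
        """Return (status, addresses, source); source is "cache", the answering server, or "none"."""
        key = name.lower().rstrip(".")
        t = self._now()
        entry = self._cache.get(key)
        if entry is not None and entry.expires > t:
            return entry.status, list(entry.addresses), "cache"
        for server in self._usable_servers():
            answer = self._query(server, key)
            if answer is None:                      # no response: remove the server temporarily
                self._retry_after[server] = t + UNRESPONSIVE_PENALTY
                continue
            status, addresses, ttl = answer
            if status == "nxdomain":
                ttl = min(ttl, NEGATIVE_TTL_CAP)    # negative data lives shorter than positive data
            self._cache[key] = CacheEntry(status, list(addresses), t + ttl)
            return status, list(addresses), server
        return "servfail", [], "none"


def run_scenario() -> Dict[str, object]:
    """Drive the client with a constructed preferred server that never answers."""
    clock = {"t": 0.0}
    calls = {"10.0.0.1": 0, "10.0.0.2": 0}

    def fake_query(server: str, name: str) -> Answer:
        calls[server] += 1
        if server == "10.0.0.1":                    # preferred server is down
            return None
        if name == "www.example.com":
            return ("ok", ["192.0.2.10"], 3600)
        return ("nxdomain", [], 86400)              # server offers a day-long negative TTL

    client = DnsClient(["10.0.0.1"], ["10.0.0.2"], fake_query, lambda: clock["t"])
    first = client.resolve("www.example.com")        # falls through to the alternate server
    second = client.resolve("WWW.example.com.")      # served from cache, no query sent
    missing = client.resolve("missing.example.com")  # alternate answers NXDOMAIN; preferred still skipped
    clock["t"] = 301.0                               # past the 5-minute negative cap
    missing_again = client.resolve("missing.example.com")
    positive_later = client.resolve("www.example.com")
    return {"first": first, "second": second, "missing": missing,
            "missing_again": missing_again, "positive_later": positive_later,
            "calls": dict(calls)}
```

Two details worth noticing in the scenario: the second lookup for missing.example.com goes back to the network after 301 seconds even though the server offered a 24-hour negative TTL, which is exactly the "stale negative data" problem the cap avoids, and the down preferred server is retried once its penalty has expired, so it is removed from the list temporarily rather than permanently.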

Important
• The DHCP Client service initiates dynamic registration for client DNS names. For more information, see Dynamic update or Using DNS servers with DHCP.

Security information for DNS
Domain Name System (DNS) was originally designed as an open protocol and is therefore vulnerable to attackers. Windows Server 2003 DNS has improved the ability to prevent an attack on your DNS infrastructure through the addition of security features. Before considering which of the security features to use, you should be aware of the common threats to DNS security and the level of DNS security in your organization.

DNS security threats
The following are the typical ways in which your DNS infrastructure can be threatened by attackers:
• Footprinting is the process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources. An attacker commonly begins an attack by using this DNS data to diagram, or footprint, a network. DNS domain and computer names usually indicate the function or location of a domain or computer in order to help users remember and identify domains and computers more easily. An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.
• Denial-of-service attack is when an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. As a DNS server is flooded with queries, its CPU usage will eventually reach its maximum and the DNS Server service will become unavailable. Without a fully operating DNS server on the network, network services that use DNS will become unavailable to network users.
• Data modification is an attempt by an attacker (that has footprinted a network using DNS) to use valid IP addresses in IP packets the attacker has created, thereby giving these packets the appearance of coming from a valid IP address in the network. This is commonly called IP spoofing. With a valid IP address (an IP address within the IP address range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.

• Redirection is when an attacker is able to redirect queries for DNS names to servers under the control of the attacker. One method of redirection involves the attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers under the control of the attacker. For example, if a query were originally made for example.microsoft.com and a referral answer provided a record for a name outside of the microsoft.com domain, such as malicious-user.com, then the DNS server would use the cached data for malicious-user.com to resolve a query for that name. Redirection can be accomplished whenever an attacker has writable access to DNS data, such as with insecure dynamic updates.
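The cache pollution example in the redirection bullet comes down to one missing check: whether a record in a response belongs to the zone the answering server was asked about. The following added example (not Microsoft's server code) shows the trusting behaviour the text describes next to the check that the "cache pollution prevention" setting in the security levels below stands for, applied to a constructed referral. The names example.microsoft.com and malicious-user.com are the page's own; the record contents and addresses are constructed.

```python
"""Cache pollution prevention (added example, not Microsoft code).

The redirection scenario above relies on a resolver that caches whatever a
response carries: a referral for a name under microsoft.com that also includes
a record for malicious-user.com would leave that record in the cache and steer
later queries for it to the attacker's address. The hardened path below keeps
only records whose owner name lies within the zone the answering server is
responsible for (its bailiwick). All record contents and addresses are constructed.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]          # (owner name, record type, rdata), simplified
Cache = Dict[Tuple[str, str], str]     # (owner name, record type) -> rdata


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a name below it (whole-label suffix match)."""
    o = _norm(owner).split(".")
    z = _norm(zone).split(".")
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def cache_everything(cache: Cache, records: List[Record]) -> None:
    """Cache pollution prevention disabled: every record in the response is stored."""
    for owner, rtype, rdata in records:
        cache[(_norm(owner), rtype)] = rdata


def cache_in_bailiwick(cache: Cache, records: List[Record], bailiwick: str) -> List[Record]:
    """Cache pollution prevention enabled: store in-bailiwick records, return the rest."""
    dropped: List[Record] = []
    for owner, rtype, rdata in records:
        if in_bailiwick(owner, bailiwick):
            cache[(_norm(owner), rtype)] = rdata
        else:
            dropped.append((owner, rtype, rdata))
    return dropped


def lookup(cache: Cache, name: str, rtype: str):
    return cache.get((_norm(name), rtype))


# Constructed referral from a server responsible for microsoft.com, answering a query
# for example.microsoft.com. The last record has nothing to do with that zone.
REFERRAL: List[Record] = [
    ("example.microsoft.com.", "NS", "ns1.example.microsoft.com."),
    ("ns1.example.microsoft.com.", "A", "192.0.2.53"),      # legitimate glue
    ("malicious-user.com.", "A", "198.51.100.7"),           # out of bailiwick
]


def compare() -> Tuple[object, object, List[Record]]:
    """Return what each cache says about malicious-user.com and what the check dropped."""
    trusting: Cache = {}
    cache_everything(trusting, REFERRAL)
    hardened: Cache = {}
    dropped = cache_in_bailiwick(hardened, REFERRAL, "microsoft.com")
    return (lookup(trusting, "malicious-user.com", "A"),
            lookup(hardened, "malicious-user.com", "A"),
            dropped)
```

The suffix comparison works on whole labels, so notmicrosoft.com is correctly rejected for the microsoft.com bailiwick; a plain string `endswith` check would accept it. The legitimate glue record for ns1.example.microsoft.com is still cached, which is what keeps the referral usable.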

Mitigating DNS security threats
DNS can be configured to mitigate the common DNS security issues discussed above. The following table lists five main areas on which to concentrate when determining your DNS security.

DNS security area: Description

DNS namespace: Incorporate DNS security into your DNS namespace design. For more information, see Securing DNS deployment.

DNS Server service: Review the default DNS Server service security settings and apply Active Directory security features when the DNS Server service is running on a domain controller. For more information, see Securing the DNS Server service.

DNS zones: Review the default DNS zone security settings and apply secure dynamic updates and Active Directory security features when the DNS zone is hosted on a domain controller. For more information, see Securing DNS zones.

DNS resource records: Review the default DNS resource record (RR) security settings and apply Active Directory security features when the DNS resource records are hosted on a domain controller. For more information, see Securing DNS resource records.

DNS clients: Control the DNS server IP addresses used by DNS clients. For more information, see Securing DNS clients.

Three levels of DNS security

The following three levels of DNS security will help you understand your current DNS configuration and enable you to increase the DNS security of your organization.

Low-level security
Low-level security is a standard DNS deployment without any security precautions configured. Only deploy this level of DNS security in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity.

• The DNS infrastructure of your organization is fully exposed to the Internet.
• Standard DNS resolution is performed by all DNS servers in your network.
• All DNS servers are configured with root hints pointing to the root servers for the Internet.
• All DNS servers permit zone transfers to any server.
• All DNS servers are configured to listen on all of their IP addresses.
• Cache pollution prevention is disabled on all DNS servers.
• Dynamic update is allowed for all DNS zones.
• User Datagram Protocol (UDP) and Transmission Control Protocol/Internet Protocol (TCP/IP) port 53 is open on the firewall for your network for both source and destination addresses.

Medium-level security
Medium-level security uses the DNS security features available without running DNS servers on domain controllers and storing DNS zones in Active Directory.

• The DNS infrastructure of your organization has limited exposure to the Internet.
• All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
• All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Nonsecure dynamic update is not allowed for any DNS zones.
• Internal DNS servers communicate with external DNS servers through the firewall with a limited list of source and destination addresses allowed.
• External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
• All Internet name resolution is performed using proxy servers and gateways.
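The low- and medium-level lists are checklists, and the useful thing to do with a checklist is run it against an inventory. The following is an added example written for this page, not a Microsoft tool: it takes a per-server inventory record and reports which items of the medium-level list above (and of the high-level list in the next section, for the items that depend on domain-controller hosting, Active Directory storage and an internal root) the server fails, then names the highest level whose checklist it fully meets. The field names on DnsServerPosture are hypothetical labels for the settings the lists describe, not registry values or dnscmd parameters, and the three sample servers are constructed.

```python
"""Checking a DNS server against the medium- and high-level checklists (added example).

Not Microsoft code: a small audit helper that takes an inventory record for one
DNS server and reports which items of the security-level lists it fails. The
field names on DnsServerPosture are hypothetical labels for the settings the
checklists name; the high-level items that depend on domain-controller hosting
come from the high-level list that follows this section. Sample records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DnsServerPosture:
    name: str
    forwarders: str                 # "none" | "internal" | "external"
    zone_transfers: str             # "any" | "ns_records" | "ip_list"
    listen_addresses: str           # "all" | "specified"
    cache_pollution_prevention: bool
    dynamic_update: str             # "nonsecure" | "secure_only" | "none"
    root_hints: str                 # "internet" | "internal"
    on_domain_controller: bool
    zones_in_active_directory: bool
    dacls_configured: bool          # DACLs on the service, its zones and its resource records


def medium_level_findings(p: DnsServerPosture) -> List[str]:
    """Items of the medium-level list this server does not meet."""
    f: List[str] = []
    if p.forwarders != "internal":
        f.append("forwarders must point to a specific list of internal DNS servers")
    if p.zone_transfers == "any":
        f.append("zone transfers must be limited to servers in the zone's NS records")
    if p.listen_addresses != "specified":
        f.append("server must listen on specified IP addresses only")
    if not p.cache_pollution_prevention:
        f.append("cache pollution prevention must be enabled")
    if p.dynamic_update == "nonsecure":
        f.append("nonsecure dynamic update must not be allowed")
    return f


def high_level_findings(p: DnsServerPosture) -> List[str]:
    """Medium-level items plus the Active Directory and internal-root requirements."""
    f = medium_level_findings(p)
    if p.zone_transfers != "ip_list":
        f.append("zone transfers must be limited to specified IP addresses")
    if p.root_hints != "internal":
        f.append("root hints must point to the internal root servers")
    if not p.on_domain_controller:
        f.append("DNS Server service must run on a domain controller")
    if not p.zones_in_active_directory:
        f.append("zones must be stored in Active Directory")
    if not p.dacls_configured:
        f.append("DACLs must restrict who may administer the service, zones and records")
    if p.dynamic_update not in ("secure_only", "none"):   # root/top-level zones allow none
        f.append("zones must use secure dynamic update")
    return f


def classify(p: DnsServerPosture) -> str:
    """Highest of the three levels whose checklist the server satisfies."""
    if not high_level_findings(p):
        return "high"
    if not medium_level_findings(p):
        return "medium"
    return "low"


# Constructed inventory records for three servers.
SAMPLE_SERVERS = [
    DnsServerPosture("dns-lab", "external", "any", "all", False, "nonsecure", "internet", False, False, False),
    DnsServerPosture("dns-dmz", "internal", "ns_records", "specified", True, "none", "internet", False, False, False),
    DnsServerPosture("dc01", "internal", "ip_list", "specified", True, "secure_only", "internal", True, True, True),
]


def audit(servers: List[DnsServerPosture]) -> Dict[str, str]:
    """Map each server name to the security level it currently meets."""
    return {s.name: classify(s) for s in servers}
```

Note that high_level_findings reuses the medium checks and adds only what the high level tightens (for example zone transfers move from "NS records" to "explicit IP list"), mirroring the text's statement that high-level security uses the same configuration as medium level plus the domain-controller features.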

High-level security
High-level security uses the same configuration as medium-level security and also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required.

• The DNS infrastructure of your organization has no Internet communication by internal DNS servers.
• Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
• DNS servers that are configured with forwarders use internal DNS server IP addresses only.
• All DNS servers limit zone transfers to specified IP addresses.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
• All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to only allow specific individuals to perform administrative tasks on the DNS server.
• All DNS zones are stored in Active Directory. A DACL is configured to only allow specific individuals to create, delete, or modify DNS zones.
• DACLs are configured on DNS resource records to only allow specific individuals to create, delete, or modify DNS data.
• Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.

New features for DNS
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

New features for DNS
The following new Domain Name System (DNS) features and feature enhancements are available with the Microsoft® Windows Server™ 2003 family.
• Conditional forwarders
Forward DNS queries according to the DNS domain name in the query using conditional forwarders. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. For more information, see Using forwarders.
• Stub zones
Using stub zones, keep a DNS server hosting a parent zone aware of the authoritative DNS servers for its child zone and, thereby, maintain DNS name resolution efficiency. For more information, see Understanding stub zones.
• Improved domain controller name resolution
In response to DNS name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see How DNS Support for Active Directory Works on the Microsoft Web site.
• DNS zone replication in Active Directory

Choose from four default replication options for Active Directory-integrated DNS zone data. For more information, see DNS zone replication in Active Directory.
• Enhanced DNS security features
DNS provides greater precision in its security administration for the DNS Server service, the DNS Client service, and DNS data. For more information, see Security information for DNS.
• Round robin all resource record (RR) types
By default, the DNS Server service will perform round-robin rotation for all resource record (RR) types. For more information, see Configuring round robin.
• Enhanced debug logging
Use the enhanced DNS Server service debug logging settings to troubleshoot DNS problems. For more information, see Using server debug logging options.
• EDNS0
Enable DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets larger than 512 octets, the original DNS restriction for UDP packet size (RFC 1035). For more information, see Using Extension Mechanisms for DNS (EDNS0).
• DNSSEC
DNS provides basic support of DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. For more information, see Using DNS Security Extensions (DNSSEC).
• Control automatic NS resource record registration on a server and a zone basis
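Conditional forwarders appear in both the server features list and the new features list above, each time with the same one-line description: queries for names ending in a configured domain (widgets.example.com in the text) go to the servers configured for that domain. The following added example, written for this page and not taken from Microsoft's DNS Server service, implements the per-query decision a server makes with such a configuration: the longest matching configured domain wins, names matching no conditional entry go to the standard (default) forwarders, and with no default forwarders the server falls back to resolving via root hints. The sample domains and server addresses are constructed.

```python
"""Forwarder selection by query name (added example, not Microsoft code).

Implements the selection rule behind conditional forwarders as the text
describes them: the longest matching configured domain wins, names matching no
conditional entry go to the default forwarders, and with no default forwarders
the server resolves via root hints. The domains and server addresses in the
sample configuration are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    # "Widgets.Example.COM." -> ["widgets", "example", "com"]; DNS names compare case-insensitively
    return [label for label in name.lower().rstrip(".").split(".") if label]


@dataclass
class ForwarderConfig:
    conditional: Dict[str, List[str]] = field(default_factory=dict)  # domain -> forwarder IPs
    default: List[str] = field(default_factory=list)                  # standard forwarders

    def select(self, qname: str) -> Optional[List[str]]:
        """Forwarders for qname; None means no forwarder applies, resolve via root hints."""
        q = _labels(qname)
        best_domain: Optional[str] = None
        best_len = -1
        for domain in self.conditional:
            d = _labels(domain)
            # Match whole labels from the right, so "example.com" does not match "notexample.com".
            if len(d) <= len(q) and q[len(q) - len(d):] == d and len(d) > best_len:
                best_domain, best_len = domain, len(d)
        if best_domain is not None:
            return list(self.conditional[best_domain])
        return list(self.default) if self.default else None

    def explain(self, qname: str) -> str:
        """Human-readable routing decision, handy when reviewing a server's configuration."""
        targets = self.select(qname)
        if targets is None:
            return f"{qname}: no forwarder, use root hints"
        return f"{qname}: forward to {', '.join(targets)}"


# Constructed sample configuration: a partner zone, its parent, and one default forwarder.
SAMPLE = ForwarderConfig(
    conditional={
        "widgets.example.com": ["10.0.0.5", "10.0.0.6"],
        "example.com": ["10.0.1.1"],
    },
    default=["192.0.2.53"],
)
```

The longest-match rule matters when a child domain and its parent are both configured: www.widgets.example.com goes to the widgets.example.com forwarders even though it also ends in example.com. Matching on whole labels rather than raw string suffixes is the same care needed for the bailiwick check earlier on this page.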
