How to Configure DNS Server on Windows Server 2019

Domain Name System (DNS) is the backbone of both internet connectivity and Active Directory. Windows Server 2019 includes a full-featured DNS server role that supports forward and reverse lookup zones, dynamic DNS updates, DNS Security Extensions (DNSSEC), DNS policies, Response Rate Limiting (RRL), and DNS over HTTPS. This guide covers installing and configuring DNS on Windows Server 2019 for both Active Directory-integrated zones and standalone DNS scenarios.

Installing the DNS Server Role

If DNS was not installed during AD DS promotion, install it separately using PowerShell or Server Manager:

Install-WindowsFeature -Name DNS -IncludeManagementTools

# Verify the installation
Get-WindowsFeature -Name DNS

# Start and enable the DNS service
Start-Service DNS
Set-Service DNS -StartupType Automatic

# Check DNS server status
Get-Service DNS

Understanding DNS Zone Types

Windows Server DNS supports several zone types. Primary zones are the authoritative, writable copies of zone data. Secondary zones are read-only copies transferred from a primary zone for redundancy and load distribution. Stub zones contain only the NS records for a zone and are used to maintain resolution for delegated zones. Active Directory-Integrated zones store zone data in the AD database rather than flat files, enabling secure dynamic updates, automatic replication to all domain controllers, and multi-master DNS updates.

Creating Forward Lookup Zones

A forward lookup zone resolves hostnames to IP addresses. When AD DS is installed, an AD-integrated forward lookup zone is created automatically for the domain. To create additional zones:

# Create an AD-integrated primary forward lookup zone
Add-DnsServerPrimaryZone `
    -Name "example.com" `
    -ReplicationScope "Forest" `
    -DynamicUpdate "Secure"

# Create a standard (file-backed) primary zone
Add-DnsServerPrimaryZone `
    -Name "external.example.com" `
    -ZoneFile "external.example.com.dns" `
    -DynamicUpdate "None"

# Create a secondary zone (read-only replica)
Add-DnsServerSecondaryZone `
    -Name "partner.example.com" `
    -ZoneFile "partner.example.com.dns" `
    -MasterServers 192.168.50.10

# List all zones
Get-DnsServerZone

Creating Reverse Lookup Zones

Reverse lookup zones resolve IP addresses back to hostnames (PTR records). These are essential for many network services, security tools, and log analysis. Create a reverse lookup zone for your network:

# Create a reverse lookup zone for the 192.168.1.x subnet
Add-DnsServerPrimaryZone `
    -NetworkId "192.168.1.0/24" `
    -ReplicationScope "Forest" `
    -DynamicUpdate "Secure"

# Create a reverse zone for a /16 network
Add-DnsServerPrimaryZone `
    -NetworkId "10.0.0.0/16" `
    -ReplicationScope "Forest" `
    -DynamicUpdate "Secure"

# Verify reverse zones
Get-DnsServerZone | Where-Object {$_.IsReverseLookupZone -eq $true}

Managing DNS Resource Records

DNS resource records map names to data. The most common types are A (IPv4 address), AAAA (IPv6 address), CNAME (alias), MX (mail exchanger), NS (name server), PTR (reverse pointer), SRV (service location), and TXT (text data).

# Add an A record (hostname to IP)
Add-DnsServerResourceRecordA `
    -ZoneName "corp.example.com" `
    -Name "webserver01" `
    -IPv4Address "192.168.1.20" `
    -TimeToLive (New-TimeSpan -Hours 1)

# Add an AAAA record (IPv6)
Add-DnsServerResourceRecordAAAA `
    -ZoneName "corp.example.com" `
    -Name "webserver01" `
    -IPv6Address "2001:db8::1:20"

# Add a CNAME record (alias)
Add-DnsServerResourceRecordCName `
    -ZoneName "corp.example.com" `
    -Name "www" `
    -HostNameAlias "webserver01.corp.example.com."

# Add an MX record
Add-DnsServerResourceRecordMX `
    -ZoneName "corp.example.com" `
    -Name "@" `
    -MailExchange "mail.corp.example.com" `
    -Preference 10

# Add a PTR record manually
Add-DnsServerResourceRecordPtr `
    -ZoneName "1.168.192.in-addr.arpa" `
    -Name "20" `
    -PtrDomainName "webserver01.corp.example.com."

# Add a TXT record (e.g., SPF)
Add-DnsServerResourceRecord `
    -ZoneName "corp.example.com" `
    -Txt `
    -Name "@" `
    -DescriptiveText "v=spf1 mx a ip4:192.168.1.0/24 ~all"

# List all records in a zone
Get-DnsServerResourceRecord -ZoneName "corp.example.com"
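Changing the address behind an existing A record is a common follow-up to the commands above, and it is where forward and reverse data tend to drift apart. The following is an added example, not code from the original guide, using the Get / Clone / Set-DnsServerResourceRecord pattern to update the record in place, re-point the matching PTR, and confirm both directions agree. The zone, host name, new address and reverse zone are assumed values chosen to match the records created earlier.

```powershell
# Added example, not from the original guide: change the address behind an existing
# A record, keep its PTR in step, then confirm forward and reverse lookups agree.
# Assumed values: zone corp.example.com, host webserver01, reverse zone 1.168.192.in-addr.arpa.
$ZoneName    = "corp.example.com"
$HostName    = "webserver01"
$Fqdn        = "$HostName.$ZoneName"
$NewAddress  = "192.168.1.25"
$ReverseZone = "1.168.192.in-addr.arpa"

# Set-DnsServerResourceRecord replaces one record object with another, so fetch the
# current record, clone it, and edit only the address on the clone.
$old = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A -ErrorAction Stop)
if ($old.Count -ne 1) { throw "Expected exactly one A record for $Fqdn, found $($old.Count)" }
$old = $old[0]
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($NewAddress)
Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new

# The PTR does not follow automatically: drop the one for the old address, add one for the new.
$oldOctet = $old.RecordData.IPv4Address.ToString().Split('.')[-1]
$newOctet = $NewAddress.Split('.')[-1]
Remove-DnsServerResourceRecord -ZoneName $ReverseZone -Name $oldOctet -RRType Ptr -Force -ErrorAction SilentlyContinue
Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $newOctet -PtrDomainName "$Fqdn."

# Check against the local server: the A record and the PTR must point at each other
$fwd = (Resolve-DnsName $Fqdn -Type A -Server 127.0.0.1 -ErrorAction Stop).IPAddress
$rev = (Resolve-DnsName $NewAddress -Type PTR -Server 127.0.0.1 -ErrorAction Stop).NameHost
if ($fwd -eq $NewAddress -and $rev -eq $Fqdn) {
    Write-Output "OK: $Fqdn -> $fwd and $NewAddress -> $rev"
} else {
    Write-Warning "Mismatch: A=$fwd PTR=$rev"
}
```

The script refuses to continue if the name has more than one A record, because cloning a single object would silently pick the wrong one; handle round-robin names record by record instead.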

Configuring DNS Forwarders

DNS forwarders send queries for names outside the server’s authoritative zones to upstream resolvers. Configure forwarders to use your ISP’s DNS, internal resolvers, or public DNS services:

# Add forwarders
Add-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4

# View current forwarders
Get-DnsServerForwarder

# Remove a forwarder
Remove-DnsServerForwarder -IPAddress 8.8.8.8

# Configure a conditional forwarder (for specific domains)
# Routes queries for partner.com to their DNS server
Add-DnsServerConditionalForwarderZone `
    -Name "partner.com" `
    -MasterServers 203.0.113.10 `
    -ReplicationScope "Forest"

Configuring DNS Scavenging

Scavenging automatically removes stale DNS records left behind by computers that were decommissioned without proper DNS cleanup. Without scavenging, the DNS database grows with outdated entries. Enable scavenging carefully: a record becomes eligible for deletion only after both the No-Refresh interval (during which clients cannot update its timestamp) and the Refresh interval (during which they can) have elapsed, so set both to match how often your clients re-register:

# Enable scavenging on the DNS server
Set-DnsServerScavenging `
    -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# Enable aging/scavenging on a specific zone
Set-DnsServerZoneAging `
    -ZoneName "corp.example.com" `
    -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 7) `
    -RefreshInterval (New-TimeSpan -Days 7)

# Check scavenging configuration
Get-DnsServerScavenging
Get-DnsServerZoneAging -ZoneName "corp.example.com"
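Before the first scavenging pass runs it is worth seeing exactly which records it would delete. The following is an added example, not code from the original guide: it reads the zone's own aging intervals, computes the cutoff timestamp (No-Refresh plus Refresh), and reports every timestamped record older than that. The zone name and the CSV output path are assumed values.

```powershell
# Added example, not from the original guide: report the dynamic records a scavenging
# pass would delete under the zone's current aging settings, before turning scavenging on.
# Assumes the zone corp.example.com with aging configured as above.
$ZoneName = "corp.example.com"

$aging  = Get-DnsServerZoneAging -ZoneName $ZoneName
# A record is eligible only after No-Refresh + Refresh have both elapsed since its timestamp
$cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

$stale = @(Get-DnsServerResourceRecord -ZoneName $ZoneName | Where-Object {
    ($null -ne $_.Timestamp) -and          # static records carry no timestamp and are never scavenged
    ($_.Timestamp -lt $cutoff) -and
    ($_.RecordType -in @('A', 'AAAA', 'PTR', 'SRV'))   # the types dynamic clients register
})

$report = $stale | Sort-Object Timestamp | Select-Object HostName, RecordType, Timestamp, @{
    Name       = 'Data'
    Expression = {
        switch ($_.RecordType) {
            'A'    { $_.RecordData.IPv4Address }
            'AAAA' { $_.RecordData.IPv6Address }
            'PTR'  { $_.RecordData.PtrDomainName }
            'SRV'  { $_.RecordData.DomainName }
        }
    }
}

$report | Format-Table -AutoSize
Write-Output ("{0} record(s) in {1} are older than {2:d} and would be scavenged" -f $stale.Count, $ZoneName, $cutoff)
# Keep a copy for review; a constructed path under the user's temp directory
$report | Export-Csv -Path "$env:TEMP\stale-dns-$ZoneName.csv" -NoTypeInformation
```

If the list contains hosts that are still in service, their clients are not re-registering within the Refresh window and the intervals (or the clients' registration behaviour) need adjusting before scavenging is enabled.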

Configuring DNSSEC

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that validating resolvers can detect cache poisoning and spoofed responses. Signing a zone only takes effect once resolvers can validate it, which requires a DS record in the parent zone or a trust anchor distributed to your internal resolvers. Sign a zone with DNSSEC:

# Sign a zone with DNSSEC (online signing)
Invoke-DnsServerZoneSign `
    -ZoneName "corp.example.com" `
    -SignWithDefault `
    -Force

# Verify DNSSEC signing
Get-DnsServerDnsSecZoneSetting -ZoneName "corp.example.com"

# Test DNSSEC validation
Resolve-DnsName corp.example.com -DnssecOk -Server 127.0.0.1

Configuring DNS Policies

DNS policies allow you to control DNS query resolution based on criteria such as client subnet, time of day, or transport protocol. Use cases include geo-location-based DNS, split-brain DNS, and load balancing:

# Create a client subnet definition for internal clients
Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "192.168.0.0/16"

# Create zone scopes for split-brain DNS
Add-DnsServerZoneScope -ZoneName "corp.example.com" -Name "InternalScope"

# Add a record to the internal scope
Add-DnsServerResourceRecord `
    -ZoneName "corp.example.com" `
    -ZoneScope "InternalScope" `
    -A `
    -Name "intranet" `
    -IPv4Address "192.168.1.100"

# Create a policy: internal clients get the internal scope
Add-DnsServerQueryResolutionPolicy `
    -Name "InternalPolicy" `
    -Action ALLOW `
    -ClientSubnet "eq,InternalSubnet" `
    -ZoneScope "InternalScope,1" `
    -ZoneName "corp.example.com"
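The policy above chooses which answers internal clients receive; the same policy engine can also decide who is allowed recursion at all, which is how you stop the server from acting as an open resolver for clients outside your network while it keeps answering authoritatively for its own zones. The following is an added example, not code from the original guide: it creates a recursion scope with recursion disabled and a server-level policy that places every client not in the "InternalSubnet" definition (assumed to exist from the step above) into that scope.

```powershell
# Added example, not from the original guide: deny recursion to clients outside
# InternalSubnet so the server only answers authoritatively for them.
# Assumes the "InternalSubnet" client subnet created above already exists.

# 1. A recursion scope with recursion turned off (the default scope "." keeps recursion on)
Add-DnsServerRecursionScope -Name "NoRecursion" -EnableRecursion $false

# 2. Server-level recursion policy: clients NOT in InternalSubnet land in the NoRecursion scope
Add-DnsServerQueryResolutionPolicy `
    -Name "ExternalNoRecursion" `
    -Action ALLOW `
    -ApplyOnRecursion `
    -RecursionScope "NoRecursion" `
    -ClientSubnet "ne,InternalSubnet" `
    -ProcessingOrder 1

# 3. Review what is now in force: server-level policies, then the zone-level split-brain policy
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy
Get-DnsServerQueryResolutionPolicy -ZoneName "corp.example.com"
```

To confirm the effect, query the server from a host outside 192.168.0.0/16 for a name it is not authoritative for: the query is no longer resolved recursively, while names in corp.example.com are still answered.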

Monitoring and Troubleshooting DNS

Use the following commands to monitor DNS performance and troubleshoot resolution issues:

# Test DNS resolution from the server
Resolve-DnsName www.example.com -Server 127.0.0.1
Resolve-DnsName 192.168.1.10 -Server 127.0.0.1

# Check DNS server statistics
Get-DnsServerStatistics

# Enable DNS debug logging (captures every packet; disable again with -All $false when done)
Set-DnsServerDiagnostics -All $true

# View DNS event log
Get-WinEvent -LogName "DNS Server" | Select-Object -First 20

# Clear the DNS resolver cache
Clear-DnsClientCache
Clear-DnsServerCache

# List zone transfer policies (policy-based control over which clients may request zone transfers)
Get-DnsServerZoneTransferPolicy

# View DNS diagnostic log location
Get-DnsServerDiagnostics | Select-Object LogFilePath

A well-configured DNS server is essential for Active Directory functionality and network connectivity. Monitor DNS regularly, review scavenging logs, and make sure zone transfers are limited to authorized secondary name servers: on each primary zone, set -SecureSecondaries to TransferToSecureServers and list the permitted servers with -SecondaryServers (both parameters of Set-DnsServerPrimaryZone).
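Two of the hardening points this guide raises, restricted zone transfers and Response Rate Limiting, are easy to leave half-done on a server with many zones. The following is an added example, not code from the original guide: it audits every primary zone for the "transfer to any server" setting, restricts the offenders to a named list of secondaries, and then enables RRL in log-only mode so its effect can be observed before it drops any responses. The secondary server address and the RRL thresholds are assumed values.

```powershell
# Added example, not from the original guide: audit zone transfer settings on all primary
# zones, restrict any that allow transfers to anyone, and stage Response Rate Limiting.
# Assumed values: authorized secondary 192.168.50.10; RRL thresholds of 5/sec.
$AllowedSecondaries = @("192.168.50.10")

# Skip the auto-created zones (0.in-addr.arpa, 127.in-addr.arpa, 255.in-addr.arpa)
$primaries = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $primaries) {
    # SecureSecondaries is one of NoTransfer, TransferAnyServer,
    # TransferToZoneNameServer or TransferToSecureServers
    if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
        Write-Warning "$($zone.ZoneName): zone transfers allowed to ANY server; restricting"
        Set-DnsServerPrimaryZone -Name $zone.ZoneName `
            -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $AllowedSecondaries
    }
}

# Report the end state for every primary zone
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize

# RRL: LogOnly records what would have been limited without changing responses.
# Switch to -Mode Enable once the DNS Server event log shows only the traffic you expect to limit.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -Force
Get-DnsServerResponseRateLimiting
```

Run the audit again after adding zones or promoting domain controllers; a zone created through the GUI with defaults you did not intend is the usual way the "any server" setting reappears.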