How to Configure DNS Server on Windows Server 2016
The DNS Server role on Windows Server 2016 resolves hostnames to IP addresses, enabling network resources to be located by name rather than by number. DNS is a fundamental requirement for Active Directory to function, and it is also used for general network name resolution. This guide covers installing the DNS Server role, creating forward and reverse lookup zones, adding DNS records, and configuring forwarders.
Step 1: Install the DNS Server Role
Install the DNS Server role using PowerShell or Server Manager. If you installed Active Directory Domain Services earlier, DNS was likely installed automatically. Verify first before proceeding:
# Check if DNS Server is already installed
Get-WindowsFeature -Name DNS
# Install DNS Server role with management tools
Install-WindowsFeature -Name DNS -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name DNS | Select-Object Name, InstallState
Step 2: Start and Verify the DNS Service
# Start the DNS server service
Start-Service -Name DNS
# Set DNS service to start automatically
Set-Service -Name DNS -StartupType Automatic
# Check DNS service status
Get-Service -Name DNS | Select-Object Status, StartType
Step 3: Create a Forward Lookup Zone
A forward lookup zone maps hostnames to IP addresses. Create a primary zone for your domain:
# Create a primary, file-backed forward lookup zone. DynamicUpdate None means only an
# administrator changes records; NonsecureAndSecure would let any host on the network
# register or overwrite names, so avoid it on file-backed zones.
Add-DnsServerPrimaryZone -Name "corp.example.com" -ZoneFile "corp.example.com.dns" -DynamicUpdate None
# Alternatively, create an Active Directory-integrated zone (requires AD DS). Use one form or
# the other, not both, since a zone name must be unique on the server. Secure dynamic updates
# let only authenticated domain computers register and update their own records.
Add-DnsServerPrimaryZone -Name "corp.example.com" -ReplicationScope "Forest" -DynamicUpdate Secure
# List all DNS zones
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
Step 4: Create a Reverse Lookup Zone
Reverse lookup zones map IP addresses back to hostnames. Create one for your subnet:
# Create a file-backed reverse lookup zone for the 192.168.1.0/24 subnet
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ZoneFile "1.168.192.in-addr.arpa.dns"
# Or an Active Directory-integrated reverse zone with secure dynamic updates (use one form, not both)
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Forest" -DynamicUpdate Secure
# Verify the reverse zone was created
Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone -eq $true }
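Once the zones exist, it is worth auditing how they accept changes. The following script is an added example, not part of the original guide: it reports every primary zone on the server that still allows unauthenticated dynamic updates or unrestricted zone transfers, and prints the remediation cmdlet without running it. It assumes the DnsServer module is available and the caller is a DNS administrator.

```powershell
# Added example: audit primary zones for two weak settings and report them.
# Assumes the DnsServer module is loaded and the caller is a DNS administrator.
function Get-DnsZonePostureReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_
            $findings = @()
            $fix = @()
            $name = $zone.ZoneName

            # NonsecureAndSecure lets any host that can reach the server register or
            # overwrite a record, including a name that belongs to another machine.
            if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
                $findings += 'Unauthenticated dynamic updates allowed'
                # Secure dynamic update is only available on AD-integrated zones; a
                # file-backed zone should use None and be maintained by an administrator.
                $target = if ($zone.IsDsIntegrated) { 'Secure' } else { 'None' }
                $fix += "Set-DnsServerPrimaryZone -Name '$name' -DynamicUpdate $target"
            }

            # TransferAnyServer hands the whole zone (an inventory of hosts) to any
            # client that asks for it with an AXFR request.
            if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
                $findings += 'Zone transfer allowed to any host'
                $fix += "Set-DnsServerPrimaryZone -Name '$name' -SecureSecondaries TransferToZoneNameServer"
            }

            [pscustomobject]@{
                ZoneName      = $name
                DsIntegrated  = $zone.IsDsIntegrated
                DynamicUpdate = $zone.DynamicUpdate
                ZoneTransfer  = $zone.SecureSecondaries
                Findings      = ($findings -join '; ')
                Remediation   = ($fix -join '; ')
            }
        }
}

# Zones with an empty Findings column need no action.
Get-DnsZonePostureReport | Format-Table -AutoSize
```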
Step 5: Add DNS Resource Records
Manually add DNS records for static hosts such as servers and printers that do not register themselves dynamically:
# Add an A record (host to IP)
Add-DnsServerResourceRecordA -ZoneName "corp.example.com" -Name "webserver" -IPv4Address "192.168.1.20"
# Add a PTR record (IP to host) in the reverse zone
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "20" -PtrDomainName "webserver.corp.example.com."
# Add a CNAME record (alias)
Add-DnsServerResourceRecordCName -ZoneName "corp.example.com" -Name "www" -HostNameAlias "webserver.corp.example.com."
# Add an MX record for mail
Add-DnsServerResourceRecordMX -ZoneName "corp.example.com" -Name "@" -MailExchange "mail.corp.example.com." -Preference 10
# Add a TXT record (e.g., SPF)
Add-DnsServerResourceRecord -ZoneName "corp.example.com" -Txt -Name "@" -DescriptiveText "v=spf1 ip4:192.168.1.0/24 -all"
Step 6: View and Delete DNS Records
# List all records in a zone
Get-DnsServerResourceRecord -ZoneName "corp.example.com"
# List only A records
Get-DnsServerResourceRecord -ZoneName "corp.example.com" -RRType A
# Find a specific record
Get-DnsServerResourceRecord -ZoneName "corp.example.com" -Name "webserver"
# Remove a DNS record
Remove-DnsServerResourceRecord -ZoneName "corp.example.com" -RRType A -Name "webserver" -Force
Step 7: Configure DNS Forwarders
DNS forwarders send queries for external domains to an upstream DNS server (such as your ISP’s DNS or a public resolver like Google DNS or Cloudflare) when the local server cannot resolve them:
# Add DNS forwarders (queries sent to these hosts leave the network unencrypted, so use resolvers your policy allows)
Add-DnsServerForwarder -IPAddress 8.8.8.8
Add-DnsServerForwarder -IPAddress 1.1.1.1
# View current forwarders
Get-DnsServerForwarder
# Remove a forwarder
Remove-DnsServerForwarder -IPAddress 8.8.8.8
# Configure conditional forwarder (forward specific domain to specific DNS)
Add-DnsServerConditionalForwarderZone -Name "partner.com" -MasterServers 10.0.0.1
Step 8: Configure DNS Root Hints
If you are not using forwarders, DNS root hints allow your server to query root DNS servers to resolve external names:
# View current root hints
Get-DnsServerRootHint
# The default root hints are loaded from the cache.dns file in the DNS server's directory.
# To refresh the list by copying it from another DNS server (placeholder name, replace it):
Import-DnsServerRootHint -NameServer "dns1.corp.example.com"
Step 9: Enable DNS Debug Logging
Enable DNS debug logging to troubleshoot resolution issues:
# Enable DNS debug logging for all packet types. This writes every packet to the debug log
# file shown by Get-DnsServerDiagnostics (LogFilePath), which is costly on a busy server,
# so turn it off again with -All $false once troubleshooting is done.
Set-DnsServerDiagnostics -All $true
# View DNS server log
Get-EventLog -LogName "DNS Server" -Newest 50
# Test DNS resolution from the server
Resolve-DnsName "google.com" -Server 127.0.0.1
Resolve-DnsName "webserver.corp.example.com" -Server 127.0.0.1 -Type A
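The debug log written by Set-DnsServerDiagnostics is plain text, one packet per line, and can be summarised rather than read by hand. This script is an added example, not from the original guide: it parses the packet lines, counts received queries per client and lists query types that ordinary clients rarely send. The log lines are constructed for the example and follow the Windows DNS debug log layout as I understand it; for a real log, feed it the output of Get-Content on the LogFilePath.

```powershell
# Added example: summarise DNS debug log packets. The sample lines are constructed
# and approximate the Windows DNS debug log layout (date, time, thread, PACKET,
# packet id, protocol, Snd/Rcv, remote IP, xid, R for responses, opcode, flags, type, name).
$sampleLog = @'
3/15/2024 10:05:12 AM 0A2C PACKET  0000018A2B3C4D50 UDP Rcv 192.168.1.55    8f21   Q [0001   D   NOERROR] A      (9)webserver(4)corp(7)example(3)com(0)
3/15/2024 10:05:12 AM 0A2C PACKET  0000018A2B3C4D50 UDP Snd 192.168.1.55    8f21 R Q [8085 A DR  NOERROR] A      (9)webserver(4)corp(7)example(3)com(0)
3/15/2024 10:05:13 AM 0A2C PACKET  0000018A2B3C4E10 UDP Rcv 192.168.1.77    11c0   Q [0001   D   NOERROR] ANY    (4)corp(7)example(3)com(0)
3/15/2024 10:05:13 AM 0A2C PACKET  0000018A2B3C4F20 TCP Rcv 192.168.1.77    11c1   Q [0000       NOERROR] AXFR   (4)corp(7)example(3)com(0)
3/15/2024 10:05:14 AM 0A2C PACKET  0000018A2B3C5030 UDP Rcv 192.168.1.77    11c2   Q [0001   D   NOERROR] A      (4)mail(4)corp(7)example(3)com(0)
'@

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    # Named groups pick the fields apart; the flags block is bracketed so it is matched as a unit.
    $pattern = '^(?<date>\S+)\s+(?<time>\S+(?:\s[AP]M)?)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+' +
               '(?<dir>Snd|Rcv)\s+(?<client>\S+)\s+(?<xid>\S+)\s+(?<qr>R?)\s*(?<op>\S)\s+' +
               '\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time       = "$($Matches.date) $($Matches.time)"
                Client     = $Matches.client
                Direction  = $Matches.dir
                Protocol   = $Matches.proto
                IsResponse = ($Matches.qr -eq 'R')
                QType      = $Matches.qtype
                # "(9)webserver(4)corp(7)example(3)com(0)" becomes "webserver.corp.example.com"
                QName      = (($Matches.qname -replace '\(\d+\)', '.').Trim('.'))
            }
        }
    }
}

$packets = ConvertFrom-DnsDebugLog -Lines ($sampleLog -split "`r?`n")
# Only queries received from clients; responses the server sent are excluded.
$queries = $packets | Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse }

# Queries per client: one client far above its peers is worth a closer look.
$queries | Group-Object Client | Sort-Object Count -Descending |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count | Format-Table -AutoSize

# ANY and AXFR are rarely sent by normal clients; expect them only from known hosts.
$queries | Where-Object { $_.QType -in 'ANY', 'AXFR' } |
    Select-Object Time, Client, Protocol, QType, QName | Format-Table -AutoSize
```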
Step 10: Verify DNS Configuration
# Run DNS diagnostic tests (dcdiag is available on a domain controller)
dcdiag /test:DNS /v
# Check DNS server statistics
Get-DnsServerStatistics
# Flush the DNS server cache
Clear-DnsServerCache -Force
# Flush the DNS client resolver cache on the server
Clear-DnsClientCache
ipconfig /flushdns
# Test forward and reverse lookups
nslookup webserver.corp.example.com
nslookup 192.168.1.20
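Checking one host with nslookup does not tell you whether the forward and reverse zones agree as a whole. The script below is an added example, not part of the original guide: for every A record in a forward zone it works out the matching PTR owner name, finds the reverse zone hosted on this server that covers the address, and reports missing or mismatched PTRs. It assumes the DnsServer module and uses the guide's zone name.

```powershell
# Added example: report A records whose PTR is missing or points at a different name.
# Assumes the DnsServer module; the zone name below is the guide's example zone.
function Test-DnsReverseConsistency {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Reverse zones on this server, longest name first so that 1.168.192.in-addr.arpa
    # is preferred over 168.192.in-addr.arpa when both exist.
    $reverseZones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.IsReverseLookupZone } |
        Sort-Object { $_.ZoneName.Length } -Descending

    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |   # apex records are skipped
        ForEach-Object {
            $rec    = $_
            $ip     = $rec.RecordData.IPv4Address.IPAddressToString
            $fqdn   = "$($rec.HostName).$ZoneName."
            $octets = $ip.Split('.')
            [array]::Reverse($octets)
            $ptrFqdn = ($octets -join '.') + '.in-addr.arpa'

            # The reverse zone whose name is a suffix of the PTR FQDN covers this address;
            # the owner name is whatever precedes that suffix.
            $zone = $reverseZones | Where-Object { $ptrFqdn.EndsWith('.' + $_.ZoneName) } | Select-Object -First 1
            $status = 'NoReverseZone'
            $ptrTarget = $null
            if ($zone) {
                $owner = $ptrFqdn.Substring(0, $ptrFqdn.Length - $zone.ZoneName.Length - 1)
                $ptr = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName `
                           -Name $owner -RRType Ptr -ErrorAction SilentlyContinue | Select-Object -First 1
                if (-not $ptr) {
                    $status = 'MissingPtr'
                } else {
                    $ptrTarget = $ptr.RecordData.PtrDomainName
                    $status = if ($ptrTarget -eq $fqdn) { 'OK' } else { 'PtrMismatch' }
                }
            }
            [pscustomobject]@{ Host = $fqdn; IPAddress = $ip; ReverseZone = $zone.ZoneName; PtrTarget = $ptrTarget; Status = $status }
        }
}

# Show only the records that need attention.
Test-DnsReverseConsistency -ZoneName 'corp.example.com' | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```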
The DNS Server role is now configured on Windows Server 2016. Forward and reverse lookup zones are in place, resource records have been added for key hosts, and forwarders are configured to resolve external names. DNS is the foundation of network name resolution — keeping it accurate and well-maintained is essential for all network services to function reliably.