
Configure Windows DNS Server Role

By Admin · Mar 15, 2026 · Updated Apr 24, 2026 · 362 views · 3 min read

The Windows DNS Server role is a core infrastructure component that resolves domain names for your Active Directory environment and internal network. This guide covers configuring DNS zones, records, forwarders, and conditional forwarding for a production Windows DNS deployment on your VPS.

Install DNS Server Role

# Install the DNS Server role (promoting a DC with AD DS normally installs it already)
Install-WindowsFeature -Name 'DNS' -IncludeManagementTools

# Confirm the feature is present and the service exists
Get-WindowsFeature -Name 'DNS'
Get-Service -Name 'DNS'

Configure Forward Lookup Zones

# AD DS creates the AD-integrated zones for the forest/domain itself; the
# zones below are additional ones.

# Primary, AD-integrated zone. "Secure" dynamic updates accept registrations
# only from authenticated AD clients, so anonymous hosts cannot overwrite records.
$appsZone = @{
    Name             = 'apps.corp.example.com'
    ReplicationScope = 'Forest'
    DynamicUpdate    = 'Secure'
}
Add-DnsServerPrimaryZone @appsZone

# Secondary zone: a read-only copy pulled from the listed master by zone
# transfer, so the master must permit transfers to this server.
# NOTE: the "Configure Forwarders" section also creates a conditional forwarder
# named partner.com; one server cannot hold a zone and a conditional forwarder
# with the same name, so keep only one of the two for that domain.
$partnerZone = @{
    Name          = 'partner.com'
    MasterServers = '10.0.0.50'
    ZoneFile      = 'partner.com.dns'
}
Add-DnsServerSecondaryZone @partnerZone

# Stub zone: keeps only the delegated zone's name-server records so this server
# knows whom to ask for it.
$branchZone = @{
    Name             = 'branch.example.com'
    MasterServers    = '192.168.1.10'
    ReplicationScope = 'Forest'
}
Add-DnsServerStubZone @branchZone

Configure Reverse Lookup Zones

# Reverse lookup zone for 10.0.0.0/24; -NetworkId derives the zone name
# (0.0.10.in-addr.arpa) for you.
$reverseZone = @{
    NetworkId        = '10.0.0.0/24'
    ReplicationScope = 'Forest'
    DynamicUpdate    = 'Secure'   # only authenticated AD clients may register PTRs
}
Add-DnsServerPrimaryZone @reverseZone

# PTR for 10.0.0.10 -> dc1; the record name is the host octet inside the zone
$dc1Ptr = @{
    ZoneName      = '0.0.10.in-addr.arpa'
    Name          = '10'
    PtrDomainName = 'dc1.corp.example.com'
}
Add-DnsServerResourceRecordPtr @dc1Ptr

Manage DNS Records

$zone = 'corp.example.com'

# A records — one per host ([ordered] keeps the creation order of the original)
$hostRecords = [ordered]@{
    webserver  = '10.0.0.50'
    mailserver = '10.0.0.60'
}
foreach ($entry in $hostRecords.GetEnumerator()) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $entry.Key -IPv4Address $entry.Value
}

# AAAA record (IPv6) for the same web host
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'webserver' -IPv6Address '2001:db8::50'

# CNAME records — alias name -> canonical host
$aliases = [ordered]@{
    intranet = 'webserver.corp.example.com'
    mail     = 'mailserver.corp.example.com'
}
foreach ($alias in $aliases.GetEnumerator()) {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias.Key -HostNameAlias $alias.Value
}

# MX record at the zone apex ("." stands for the zone name itself)
$mx = @{
    ZoneName     = $zone
    Name         = '.'
    MailExchange = 'mailserver.corp.example.com'
    Preference   = 10
}
Add-DnsServerResourceRecordMX @mx

# TXT record at the apex, here an SPF policy (also used for DKIM, verification tokens, ...).
# NOTE: a private (RFC 1918) address in SPF only describes internal mail flow;
# the public zone needs the public sender addresses for SPF to stop spoofing.
Add-DnsServerResourceRecord -ZoneName $zone -Name '.' -Txt -DescriptiveText 'v=spf1 ip4:10.0.0.60 -all'

# SRV record: service _sip over _tcp on port 5060
$sipSrv = @{
    ZoneName   = $zone
    Name       = '_sip._tcp'
    Srv        = $true
    DomainName = 'sipserver.corp.example.com'
    Priority   = 0
    Weight     = 0
    Port       = 5060
}
Add-DnsServerResourceRecord @sipSrv

# List the zone's records grouped by type (a trailing "|" already continues
# the line, no backtick needed)
Get-DnsServerResourceRecord -ZoneName $zone |
    Sort-Object -Property RecordType |
    Format-Table -AutoSize

Configure Forwarders

# Forwarders receive every query this server is not authoritative for and
# cannot answer from cache. Forwarding here is plain DNS over UDP/TCP, so
# choose resolvers you trust. -UseRootHint $false stops the server from
# falling back to root hints when all forwarders are unreachable.
$forwarders = @{
    IPAddress   = '1.1.1.1', '8.8.8.8'
    UseRootHint = $false
}
Set-DnsServerForwarder @forwarders

# Conditional forwarders route queries for one domain to specific servers.
# NOTE: the "Configure Forward Lookup Zones" section also creates a secondary
# zone named partner.com; a server cannot host a zone and a conditional
# forwarder of the same name, so keep only one of them for that domain.
$partnerForwarder = @{
    Name             = 'partner.com'
    MasterServers    = '203.0.113.10', '203.0.113.11'
    ReplicationScope = 'Forest'
}
Add-DnsServerConditionalForwarderZone @partnerForwarder

$cloudForwarder = @{
    Name             = 'cloud.internal'
    MasterServers    = '10.100.0.2'
    ReplicationScope = 'Forest'
}
Add-DnsServerConditionalForwarderZone @cloudForwarder

# Show the forwarders currently configured
Get-DnsServerForwarder

DNS Policies and Split-Brain DNS

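# DNS policies return different answers depending on where a query comes from
# (split-brain DNS). The first matching policy wins, and 0.0.0.0/0 also matches
# internal clients, so the internal policy MUST be evaluated first: the
# original relied on creation order for this; -ProcessingOrder makes it explicit.
# Security note: serving an external view from an AD-integrated DNS server means
# that server is reachable from the internet; a separate, non-AD server for the
# external view keeps directory data off the exposed host.

# Client subnets identify the query source
Add-DnsServerClientSubnet -Name 'InternalNetwork' -IPv4Subnet '10.0.0.0/8'
Add-DnsServerClientSubnet -Name 'ExternalNetwork' -IPv4Subnet '0.0.0.0/0'

# One zone scope per view of the zone
$zone = 'corp.example.com'
Add-DnsServerZoneScope -ZoneName $zone -Name 'InternalScope'
Add-DnsServerZoneScope -ZoneName $zone -Name 'ExternalScope'

# Same record name, a different answer in each scope
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'webapp' -IPv4Address '10.0.0.50' -ZoneScope 'InternalScope'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'webapp' -IPv4Address '203.0.113.50' -ZoneScope 'ExternalScope'

# Resolution policies: match a client subnet and answer from a zone scope.
# "<scope>,1" is the scope name and its weight. ProcessingOrder 1 is evaluated
# before 2, so internal clients never fall through to the external view.
$internalPolicy = @{
    Name            = 'InternalPolicy'
    Action          = 'ALLOW'
    ClientSubnet    = 'eq,InternalNetwork'
    ZoneScope       = 'InternalScope,1'
    ZoneName        = $zone
    ProcessingOrder = 1
}
Add-DnsServerQueryResolutionPolicy @internalPolicy

$externalPolicy = @{
    Name            = 'ExternalPolicy'
    Action          = 'ALLOW'
    ClientSubnet    = 'eq,ExternalNetwork'
    ZoneScope       = 'ExternalScope,1'
    ZoneName        = $zone
    ProcessingOrder = 2
}
Add-DnsServerQueryResolutionPolicy @externalPolicy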

DNS Security

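# --- DNSSEC ---------------------------------------------------------------
# Sign the zone with the default key settings so validating resolvers can
# detect tampered answers. For an AD-integrated zone run this on the zone's
# key master.
Invoke-DnsServerZoneSign -ZoneName 'corp.example.com' -SignWithDefault

# --- Logging --------------------------------------------------------------
# Create the log directory first so the log file can actually be written
# (-Force makes this a no-op when it already exists).
New-Item -ItemType Directory -Path 'C:\DNS' -Force | Out-Null

# -All $true enables every debug-log category, which is heavy on a busy
# server; keep it for troubleshooting windows and cap the file size.
$diagnostics = @{
    All                 = $true
    EnableLoggingToFile = $true
    LogFilePath         = 'C:\DNS\dns-debug.log'
    MaxMBFileSize       = 100
}
Set-DnsServerDiagnostics @diagnostics
# For continuous security auditing the analytic event channel is lighter than
# debug logging and can be collected by a SIEM like any other event log:
#   wevtutil sl "Microsoft-Windows-DNSServer/Analytical" /e:true

# --- Zone transfers -------------------------------------------------------
# Only the listed secondaries may pull the zone; every other transfer request
# is refused. An unrestricted transfer exposes a full inventory of internal hosts.
$transferPolicy = @{
    Name              = 'corp.example.com'
    SecureSecondaries = 'TransferToSecureServers'
    SecondaryServers  = '10.0.0.12'
}
Set-DnsServerPrimaryZone @transferPolicy

# --- Cache hardening ------------------------------------------------------
# Cache locking (100 = fully locked) keeps cached records from being overwritten
# before their TTL expires; pollution protection drops records in a response
# that belong to a domain other than the one queried. Both reduce exposure to
# cache poisoning.
Set-DnsServerCache -LockingPercent 100 -PollutionProtection $true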

Monitoring and Troubleshooting

# Resolve through the local resolver, then ask one specific server directly
Resolve-DnsName -Name 'webserver.corp.example.com'
Resolve-DnsName -Name 'corp.example.com' -Type MX
Resolve-DnsName -Name 'corp.example.com' -Type SOA -Server 'dc1.corp.example.com'

# Query counters only
(Get-DnsServerStatistics).QueryStatistics

# Flush the server-side cache (the client cache is a separate Clear-DnsClientCache)
Clear-DnsServerCache -Force

# Check that the given server answers for the zone
Test-DnsServer -IPAddress '10.0.0.10' -ZoneName 'corp.example.com'

Best Practices

  • Use AD-integrated zones for automatic replication and secure dynamic updates
  • Configure at least two DNS servers for redundancy
  • Set appropriate forwarders: use reliable, trusted public DNS resolvers as forwarders
  • Enable DNS logging for troubleshooting and security auditing
  • Use conditional forwarders for partner networks and cloud services
  • Enable scavenging so stale DNS records are cleaned up regularly
  • Secure zone transfers — only allow transfers to authorized servers
