Networking Dns Windows Dns

Core Architecture

AD-Integrated Zones

When DNS runs on a Domain Controller, zones stored in AD provide:

• Multi-master updates (any DC can accept dynamic updates)
• Automatic replication via AD replication topology
• Secure-only dynamic updates (only authenticated domain computers register)
• Encrypted storage as AD DS objects

Replication Scopes

Zone Types

• Primary: Read/write authoritative copy (file-based or AD-integrated)
• Secondary: Read-only copy via AXFR/IXFR (file-based only)
• Stub: SOA + NS + glue records only (delegation discovery)
• Conditional Forwarder: Forwards specific domain queries to designated servers
• Reverse Lookup: PTR records for IP-to-name resolution

DNS Policies (Server 2016+)

DNS Policies allow behavior customization based on client subnet, query type, FQDN, time of day, transport protocol. PowerShell only -- no GUI.

Key objects: Client Subnets, Zone Scopes, Recursion Scopes, Query Resolution Policies, Zone Transfer Policies.

Use cases: geo-location routing, split-brain DNS, DNS sinkholing, recursion control.

DNSSEC

Windows supports DNSSEC on primary zones (file-backed and AD-integrated):

• Key Master: authoritative server generating/distributing signing keys
• KSK rollover: double-signature method; DS record at parent updated manually
• ZSK rollover: prepublish method; fully automatic
• Recommended algorithm: ECDSAP256/SHA-256 with NSEC3

Aging and Scavenging

Removes stale dynamically-registered records:

• No-refresh interval (default 7 days): suppress refresh writes to AD
• Refresh interval (default 7 days): window for record refresh
• Total record lifetime before scavenging = no-refresh + refresh = 14 days
• Must be enabled at BOTH server level AND zone level
• Only dynamic records (non-zero timestamp) are eligible

Set-DnsServerScavenging -ScavengingState $True -ScavengingInterval 7.00:00:00
Set-DnsServerZoneAging -ZoneName "contoso.com" -Aging $True

Key PowerShell Cmdlets

# Zone management
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Forest"
Add-DnsServerSecondaryZone -Name "partner.com" -ZoneFile "partner.com.dns" -MasterServers 10.1.1.53
Add-DnsServerConditionalForwarderZone -Name "cloud.com" -MasterServers "10.1.1.53" -ReplicationScope "Domain"

# Records
Add-DnsServerResourceRecord -ZoneName "example.com" -A -Name "www" -IPv4Address "10.0.0.10"
Get-DnsServerResourceRecord -ZoneName "example.com" -RRType "A"

# Forwarders
Set-DnsServerForwarder -IPAddress "8.8.8.8","8.8.4.4" -UseRootHint $True

# DNSSEC
Invoke-DnsServerZoneSign -ZoneName "example.com" -SignWithDefault -Force
Get-DnsServerDnsSecZoneSetting -ZoneName "example.com"

# Policies
Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "10.0.0.0/8"
Add-DnsServerZoneScope -ZoneName "example.com" -Name "InternalScope"
Add-DnsServerQueryResolutionPolicy -Name "InternalPolicy" -Action ALLOW -ClientSubnet "eq,InternalSubnet" -ZoneScope "InternalScope,1" -ZoneName "example.com"

# Diagnostics
Get-DnsServerStatistics
Set-DnsServerDiagnostics -Queries $True -Answers $True

Troubleshooting Event IDs

Common Pitfalls

1. Scavenging not enabled at both levels -- Scavenging requires enablement at server level AND zone level. Missing either means no cleanup.
2. Scavenging too aggressive -- Setting scavenging interval shorter than DHCP lease duration deletes records for active clients. Rule: scavenging period = DHCP lease + 1 day.
3. Static records aged out -- Manually created records have timestamp 0 (exempt). But dnscmd /ageallrecords makes ALL records eligible -- use with caution.
4. DNS Policies invisible in GUI -- DNS Policies are PowerShell-only. Admins using only DNS Manager will not see configured policies.
5. Conditional forwarder not AD-replicated -- If not using -ReplicationScope, conditional forwarders must be configured on each DNS server manually.
6. DNSSEC DS record not updated at parent -- After KSK rollover, the DS record at the parent zone must be updated manually. Failure causes validation failures.

Version Agents

• 2022/SKILL.md -- Client-side DoH, DNSSEC improvements, Azure Arc integration
• 2025/SKILL.md -- Server-side DoH (preview), continued DNS Policy support

Reference Files

• references/architecture.md -- AD-integrated zones, replication, DNS policies, zone scopes, DNSSEC key management
• references/best-practices.md -- Aging/scavenging, forwarder design, split-brain, PowerShell management, secure dynamic updates