DNS is the phonebook every other Windows Server service depends on. Nine stops, one foundation block of the WSA Lego kit.
DNS (Domain Name System) translates human-readable names to IP addresses. The right-side diagram shows recursive resolution walking from your client all the way to the authoritative server.
DNS uses a tree structure with the root at the top:
. (Root)
│
┌───────────┼───────────┐
│ │ │
com org local
│ │
google hexworth
│ │
www dc01
| Level | Example | Description |
|---|---|---|
| Root | . (dot) | Top of hierarchy, 13 root server clusters worldwide |
| TLD | .com, .org, .local | Top-Level Domain, managed by registries |
| Second-Level | hexworth.local | Your organization's domain |
| Subdomain | dc01.hexworth.local | Hosts and child domains |
Zone data lives in AD: multi-master, replicates with AD, secure dynamic updates. Default choice for AD environments.
Name → IP Address
IP Address → Name
Each record maps a name (or address) to data. The right panel lists every common type with examples.
| Type | Example | |
|---|---|---|
| A IPv4 | dc01 → 192.168.1.10 | |
| AAAA IPv6 | dc01 → 2001:db8::1 | |
| CNAME alias | mail → exchange01.hexworth.local | |
| MX | Mail exchanger for domain | hexworth.local → mail.hexworth.local (priority 10) |
| Type | Purpose | Example |
|---|---|---|
| PTR | Reverse lookup (IP to name) | 10.1.168.192 → dc01.hexworth.local |
| SRV | Service location | _ldap._tcp → dc01.hexworth.local:389 |
| NS | Name server for zone | hexworth.local → dc01.hexworth.local |
| SOA | Start of Authority (zone info) | Serial, refresh, retry, expire, TTL |
AD uses SRV records for service discovery — clients query _service._protocol.domain, get host+port back.
nslookup -type=srv _ldap._tcp.dc._msdcs.hexworth.local.
Forwarders send queries upstream instead of using root hints.
Dynamic updates allow clients to automatically register their DNS records:
| Setting | Description | When to Use |
|---|---|---|
| None | No dynamic updates allowed | Static-only environments |
| Nonsecure and Secure | Any client can register | Non-AD environments only |
| Secure Only | Only authenticated clients | Recommended for AD |
Lock down the zone so only authenticated AD clients can register records.
Three command-line tools cover most DNS triage. The right-side terminal walks through the typical sequence.
Resolve-DnsName — PowerShell-native query with object outputResolve-DnsName -Server <ip> — force a specific resolver (bypass local)Clear-DnsClientCache · ipconfig /flushdns — wipe the local cache when answers go staleResolve a hostname to its IP address using the default DNS server.
Flush + inspect DNS caches.
Issues: stale records (enable scavenging) · missing SRV (nltest /dsregdns) · wrong DNS server · forwarder timeout.
Scavenging automatically removes stale (old) DNS records that are no longer valid.
Turn on automatic scavenging at the server level with a 7-day interval.
Enable aging on the specific zone so stale records get timestamped.
List every DNS zone hosted on the server to see what is configured.
View all DNS records within a specific zone to audit its contents.