DNS, DHCP & Networking

Forward and reverse lookup zones, conditional forwarders, DNSSEC, scope creation and reservations, DHCP failover, IPAM, and the Windows-side networking that makes the rest of the domain reachable.

13 articles • follow them in order

  1.
  2.
    Systems Admin

    Configure DNS Forwarding: Regular and Conditional Forwarders

    Learn how to configure DNS forwarding in Windows Server DNS Manager. This step-by-step guide covers regular forwarding (offloading all external queries to public DNS servers like 8.8.8.8) and conditional forwarding (routing domain-specific queries to designated DNS servers), including the DNS resolution order and Active Directory replication for conditional forwarders.

  3.
    Systems Admin

    Implement Domain Name System Security Extension (DNSSEC)

    Learn how to implement DNSSEC on Windows Server to protect against man-in-the-middle DNS attacks. This step-by-step guide covers the Zone Signing Wizard, configuring Key Signing Keys (KSK) and Zone Signing Keys (ZSK) with RSA-SHA-256, enabling NSEC3 and Trust Anchor distribution, verifying the padlock icon, and best practices for key rotation and monitoring.

  4.
    Systems Admin

    Implement and Manage IPAM (IP Address Management)

    Learn how to implement and manage IPAM (IP Address Management) on Windows Server. This step-by-step guide covers installing the IPAM feature, provisioning with Group Policy-based provisioning, configuring server discovery, setting servers to Managed status, applying IPAM GPOs with Invoke-IpamGpoProvisioning, retrieving data, and using the IP address space, DHCP scope, and DNS zone management capabilities.

  5.
    Systems Admin

    Implement and Configure the DHCP Server Role (On-Premise)

    Learn how to implement and configure the DHCP Server role on Windows Server. This step-by-step guide covers installing the DHCP role, setting a static IP address, completing the Post-Installation Configuration Wizard, authorizing the server in Active Directory (including DHCP Administrators and DHCP Users security groups), verifying authorization with green arrows, and creating a scope to begin issuing IP addresses.

  6.
    Systems Admin

    Create and Manage DHCP Scope

    Learn how to create and manage DHCP scopes on Windows Server. This step-by-step guide covers launching the New Scope Wizard, configuring the IP address range, setting exclusion ranges and lease duration, configuring scope options (gateway and DNS), activating the scope, viewing active leases, modifying scope properties post-creation, creating superscopes for multinet environments, and monitoring scope utilization statistics.

  7.
    Systems Admin

    DHCP – Create and Manage IP Reservation

    Learn how to create and manage DHCP IP reservations on Windows Server. This guide covers opening the DHCP console, locating the target scope, creating a new reservation with a descriptive name, entering the device MAC address, selecting supported protocols (DHCP, BOOTP, or Both), verifying the reservation, and avoiding common pitfalls including exclusion conflicts, duplicate MAC addresses, and stale reservations after hardware changes.

  8.
    Systems Admin

    Implement DHCP High Availability

    Learn how to implement DHCP high availability on Windows Server using DHCP failover. This guide covers Load Balance and Hot Standby failover modes, preparing and authorizing the secondary DHCP server, running the Configure Failover Wizard to set relationship name, MCLT, mode, and shared secret, verifying scope synchronization on the secondary server, testing failover behavior, managing Replicate Scope and Replicate Relationship operations, and configuring firewall rules for TCP port 647.

  9.
    Systems Admin

    Standalone DHCP Server Configuration (Without Domain Joined)

    Learn how to install and configure a standalone DHCP server on Windows Server without Active Directory. This step-by-step guide covers verifying the static IP, installing the DHCP Server role via Server Manager, skipping AD authorization in the post-install wizard, creating a scope with IP range exclusions and lease duration, configuring scope options (gateway and DNS), activating the scope, verifying client IP assignment with ipconfig, viewing address leases, and creating reservations from the console.

  10.
    Systems Admin

    Clean Up Stale DNS Records with PowerShell

    One PowerShell script that walks every Primary forward zone on a DNS server and removes every record (A, NS, SRV, CNAME, PTR) that names or points at a demoted host - in one pass. Covers why scavenging alone doesn't catch them, the manual DNS Manager review (zone Properties Name Servers, DomainDnsZones host records, _msdcs SRV records under sites), the full Remove-DNSRecords.ps1 with -WhatIf-first usage, the trailing-dot trap on SRV/NS data, verification with Resolve-DnsName + dcdiag /test:dns, and 7 common pitfalls (skipped -WhatIf, missed trailing dot, non-Primary zones, reverse zones, scavenging assumptions, downstream-DNS confusion, client caches).

  11.
    Systems Admin

    Troubleshoot On-Premise Active Directory (DNS Edition)

    The three most common AD-DNS failure modes and how to fix each: clients pointing at the wrong DNS server (point at a peer DC + loopback, never the DC's own external IP); the AD-integrated zone gone missing (recreate as Primary AD-integrated, restart Netlogon to re-register SRV records, verify with dcdiag /test:dns); and inter-DC replication broken (repadmin /replsummary, /showrepl, /syncall /A /e /P, plus time skew and firewall checks). Includes the four-tool diagnostic kit (nslookup SRV / dcdiag / repadmin / Event Viewer Directory Service) and 7 common pitfalls.

  12.
    Systems Admin

    Troubleshoot Active Directory Domain Join Error 0x232A (DNS / NetBIOS)

    Domain join error 0x232A (An Active Directory Domain Controller for the domain could not be contacted) is a name-resolution failure, not a network outage. The fix is almost always one of three things: type the DNS FQDN instead of the NetBIOS short name, point the workstation's DNS at servers that host the AD zones, or disable NetBIOS over TCP/IP entirely. This article walks the seven-step diagnostic path: confirm the name typed, fix client DNS, kill NetBIOS, verify SRV record resolution with nslookup, prove TCP 53 / 389 connectivity, check both host firewalls, and read NetSetup.log for the exact failure point. Includes the difference between 0x232A and 0x3a and the common pitfalls (public DNS in the DHCP scope, split-tunnel VPN DNS, unreplicated SRV records on a newly promoted DC).

  13.
    Systems Admin

    Backup and Restore AD-Integrated DNS Zones

    AD-integrated DNS zones live in the directory database, not in flat .dns files - which means a Windows Server system-state backup catches them but only restores via a full authoritative restore in DSRM. For per-zone recovery (accidental delete, single-zone corruption), the right tool is dnscmd /zoneexport (or Export-DnsServerZone) for backup and the New Zone Wizard + zone-type conversion for restore. This article walks the full round trip: export fortesting.local and _msdcs.fortesting.local to .dns.backup files, simulate the disaster by deleting both zones, restore each as a standard Primary zone via the New Zone Wizard (with the rename-the-backup-file trick the wizard requires), then convert back to AD-integrated and tighten dynamic updates to Secure only. Includes the forest-wide replication-scope gotcha for _msdcs (default is domain-wide after conversion - has to be manually widened to forest), the off-server-copy requirement (the export drops files on the DC's own disk), and the verification commands.