DNS zone transfer is the standards-based way to keep a read-only copy of a zone’s record set on a separate server. The primary holds the authoritative copy and accepts updates;…
Networking from Scratch (lesson 8) — the DNS hierarchy from root to authoritative, the recursive resolver path, TTL propagation, the records you will actually edit (A, AAAA, CNAME, MX, TXT, SRV), DNSSEC and DoH/DoT in plain English, and the dig and nslookup commands that turn DNS into something you can debug.
Networking from Scratch (lesson 1) — an end-to-end walkthrough of the eight things that happen between clicking a link and seeing the page on your screen. DNS, ARP, routing, TCP, TLS, HTTP, render, and where to look when each one breaks. No prior experience required.
How to install the DNS extension in Windows Admin Center and use it to manage a Windows DNS server — create forward and reverse lookup zones, add Host (A) and PTR records, and verify resolution from PowerShell.
A reference for the five essential ports (88, 389, 445, 53, RPC) that must traverse a firewall for Active Directory clients to authenticate, fetch Group Policy, and replicate — plus how to pin RPC to a fixed port.
AD-integrated DNS zones live in the directory database, not in flat .dns files - which means a Windows Server system-state backup catches them but only restores via a full authoritative restore in DSRM. For per-zone recovery (accidental delete, single-zone corruption), the right tool is dnscmd /zoneexport (or Export-DnsServerZone) for backup and the New Zone Wizard + zone-type conversion for restore. This article walks the full round trip: export fortesting.local and _msdcs.fortesting.local to .dns.backup files, simulate the disaster by deleting both zones, restore each as a standard Primary zone via the New Zone Wizard (with the rename-the-backup-file trick the wizard requires), then convert back to AD-integrated and tighten dynamic updates to Secure only. Includes the forest-wide replication-scope gotcha for _msdcs (default is domain-wide after conversion - has to be manually widened to forest), the off-server-copy requirement (the export drops files on the DC's own disk), and the verification commands.
Domain join error 0x232A (An Active Directory Domain Controller for the domain could not be contacted) is a name-resolution failure, not a network outage. The fix is almost always one of three things: type the DNS FQDN instead of the NetBIOS short name, point the workstation's DNS at servers that host the AD zones, or disable NetBIOS over TCP/IP entirely. This article walks the seven-step diagnostic path: confirm the name typed, fix client DNS, kill NetBIOS, verify SRV record resolution with nslookup, prove TCP 53 / 389 connectivity, check both host firewalls, and read NetSetup.log for the exact failure point. Includes the difference between 0x232A and 0x3a and the common pitfalls (public DNS in the DHCP scope, split-tunnel VPN DNS, unreplicated SRV records on a newly promoted DC).
Domain join error 0x3a (The specified server cannot perform the requested operation) is almost always a TCP 389 LDAP connectivity problem dressed up in directory-layer language. This article walks the diagnostic path: confirm DNS and basic reachability, prove TCP 389 with Test-NetConnection, then narrow the block to the workstation host firewall, the DC host firewall, or the network ACL between them. Includes the multi-port sweep (53/88/135/389/445/464/3268), the residual-causes list when port 389 is open (AD DS service, time skew, stale computer object), and the common pitfalls (disabled firewall left off, public DNS resolver, 389-vs-636 confusion).
The three most common AD-DNS failure modes and how to fix each: clients pointing at the wrong DNS server (point at a peer DC + loopback, never the DC's own external IP); the AD-integrated zone gone missing (recreate as Primary AD-integrated, restart Netlogon to re-register SRV records, verify with dcdiag /test:dns); and inter-DC replication broken (repadmin /replsummary, /showrepl, /syncall /A /e /P, plus time skew and firewall checks). Includes the four-tool diagnostic kit (nslookup SRV / dcdiag / repadmin / Event Viewer Directory Service) and 7 common pitfalls.
One PowerShell script that walks every Primary forward zone on a DNS server and removes every record (A, NS, SRV, CNAME, PTR) that names or points at a demoted host - in one pass. Covers why scavenging alone doesn't catch them, the manual DNS Manager review (zone Properties Name Servers, DomainDnsZones host records, _msdcs SRV records under sites), the full Remove-DNSRecords.ps1 with -WhatIf-first usage, the trailing-dot trap on SRV/NS data, verification with Resolve-DnsName + dcdiag /test:dns, and 7 common pitfalls (skipped -WhatIf, missed trailing dot, non-Primary zones, reverse zones, scavenging assumptions, downstream-DNS confusion, client caches).
Three GUI clicks to set a new IP, four CLI commands (ipconfig /flushdns, /registerdns, nltest /dsregdns, dcdiag /fix) to re-register with DNS, and one downstream-consumer audit afterwards. Walks the pre-flight (second DC, console access not RDP, replication health, downstream-consumers list), the GUI procedure with screenshots, the PowerShell-only equivalent (Remove-NetIPAddress / New-NetIPAddress / Set-DnsClientServerAddress), DNS-pointer trap (don't point at the DC's old IP), the SRV-records-need-nltest /dsregdns trap, and 7 common pitfalls (RDP'd into it, peer DCs caching old IP, stale scavenger window, FSMO concerns).
Two paths to remove a Domain Controller from Active Directory - graceful demotion via Server Manager (Remove Roles and Features wizard) for an online DC, and manual / forced removal via ADUC delete-from-Domain-Controllers-OU for an offline one. Walks both paths end to end with the actual screenshots. Includes the FSMO transfer pre-flight, the Test-ADDSDomainControllerUninstallation cmdlet, the post-demote AD Sites and Services cleanup, and a one-shot DNS scrub script that removes A/NS/SRV/CNAME records for the demoted DC across every Primary forward zone in one pass.
