A large share of all network problems is caused by errors on the DNS server, which makes the correct installation and configuration of this server role all the more important. In this article you will learn what to look for during the installation and how to set up a DNS server.
The Domain Name System (DNS) is needed to resolve server names into IP addresses. This is true on the Internet as well as in smaller computer networks. A functioning DNS server is essential for an Active Directory. Before an Active Directory can be installed at all you have to set up a DNS server.
The following steps work on a Windows Server 2019* or 2016 as well as on Windows Server 2012 (R2). First you have to install the server role “DNS” on the future DNS server. You can do this either via the Server Manager, or – like me – via PowerShell. For the further configuration it does not matter which of the two options you choose. However, in my opinion, it is much faster and easier to use PowerShell.
Important: If your DNS server will be used in an Active Directory later on, you should specify the future domain DNS suffix (e.g. domain.local) in the DNS settings of the network adapter beforehand.
Set up DNS server
Before installing a DNS server, you should enter the future DNS suffix in the network connection. This is important if you want to make the DNS server the domain controller later.
Install DNS Server via PowerShell
- Installing the DNS server role via PowerShell. The exit code “Success” shows that the installation succeeded.
After the installation: Configure DNS Server
- You can configure the server role directly after the installation. A restart is not necessary. To do this, open the “DNS” entry in the Server Manager under Tools. The Management Console of the DNS server is then displayed.
- To set up the DNS server, right-click on the server name and select “Configure DNS server”. This will start the wizard, which will guide you through all the important sections.
The easiest way to set up the DNS server is to use the DNS Server Configuration Wizard. In the first step, I recommend creating a forward and a reverse lookup zone. The forward lookup zone resolves server names to IP addresses; the reverse lookup zone does the same in the other direction and resolves IP addresses to server names.
Since we don’t have another DNS server on the network yet, we create the forward lookup zone as a primary zone. The name of the zone must match the DNS suffix entered on the server earlier, which is also the DNS name of the future domain.
In the next step you should select the option “Allow non-secure and secure dynamic updates”. This selection is important because the Active Directory installation wizard needs to create multiple entries in the lookup zones. After installing the domain services you can and should change this selection to “Allow only secure dynamic updates”.
You should create the reverse lookup zone as a primary zone, just like the forward lookup zone. In my example it is an IPv4 reverse lookup zone (it works the same with IPv6). In the “Network ID” field you enter the first three octets of the IPv4 addresses of the network in question (the network part of a /24 network). The name of the reverse lookup zone is then generated automatically.
Configuring the DNS server
In the reverse lookup zone, too, first allow “non-secure and secure dynamic updates” and change the setting later. Switching to “Allow only secure dynamic updates” afterwards matters because from then on only computers that are members of the Active Directory can register records in the lookup zones of the DNS server.
Under Forwarders you can specify servers to which DNS requests are forwarded if the configured DNS server cannot answer them itself. This can be the IP address of the default gateway, e.g. a Sophos UTM. Alternatively, these queries can be resolved via the root name servers, which are listed under the “Root Hints” tab after installation. If they are missing, you can find instructions on how to restore them here.
- After configuring the forwarders, you can finish the configuration of the DNS server. With the previous steps you have installed and configured a working DNS server, but there are still a few fine-tuning options.
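The steps so far (DNS suffix on the adapter, role installation, both zones, dynamic-update mode and forwarders) as one PowerShell script. This is an added example, not the article's own commands; the adapter name, the addresses and the domain.local suffix are assumed values. One caveat the wizard hides: “secure only” dynamic updates exist only for AD-integrated zones, so that switch can only happen after the domain controller promotion.

```powershell
# Added example, not the article's own commands. Assumed values (adjust):
$Adapter   = 'Ethernet'            # network connection that gets the DNS suffix
$Suffix    = 'domain.local'        # future AD domain name = forward zone name
$NetworkId = '192.168.10.0/24'     # subnet for the reverse lookup zone
$Forwarder = '192.168.10.1'        # default gateway (e.g. the UTM) as forwarder

# 1. Enter the future DNS suffix on the network connection before anything else.
Set-DnsClient -InterfaceAlias $Adapter -ConnectionSpecificSuffix $Suffix

# 2. Install the role; the result shows "Success" and whether a restart is needed.
Install-WindowsFeature -Name DNS -IncludeManagementTools
Import-Module DnsServer

# 3. Forward lookup zone as a file-backed primary zone (no AD yet). "Secure"
#    dynamic updates exist only for AD-integrated zones, so NonsecureAndSecure
#    is the setting that lets the AD DS wizard register its records later.
Add-DnsServerPrimaryZone -Name $Suffix -ZoneFile "$Suffix.dns" `
    -DynamicUpdate NonsecureAndSecure

# 4. Reverse lookup zone; the in-addr.arpa name is derived from -NetworkId.
Add-DnsServerPrimaryZone -NetworkId $NetworkId -ZoneFile '10.168.192.in-addr.arpa.dns' `
    -DynamicUpdate NonsecureAndSecure

# 5. Forwarder for every name this server is not authoritative for. Without a
#    forwarder the server falls back to the root hints.
Add-DnsServerForwarder -IPAddress $Forwarder

# 6. Check: both zones, their update mode, and that root hints are present.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
(Get-DnsServerRootHint | Measure-Object).Count

# 7. Run this part only AFTER the server has been promoted to a domain controller:
#    integrate the zones into AD (if the promotion left them file-backed) and
#    then restrict dynamic updates to domain members.
foreach ($zone in $Suffix, '10.168.192.in-addr.arpa') {
    if (-not (Get-DnsServerZone -Name $zone).IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force
    }
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}
```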
- The first is aging and scavenging. A Windows network grows over time and devices are replaced now and then. To avoid ending up with two computers with the same IP address in the forward or reverse lookup zone, the DNS server can scavenge obsolete entries, which removes stale records automatically.
- Unfortunately, I often find configurations at customers where automatic scavenging has not been activated. Normally this does not necessarily lead to major problems, but it does cause confusion, for example when querying IP addresses. To enable this feature, right-click the DNS server name and select “Set Aging/Scavenging for All Zones”. The default value for aging is seven days. If needed, this can be adjusted to your own guidelines.
Furthermore, in IPv4-only networks you should restrict the DNS server to listening on its IPv4 address. All queries to the DNS server are then processed and answered only via the IPv4 interface, and when you ping a computer in the domain you will see its IPv4 address instead of its IPv6 address.
To configure the interfaces of the DNS server, right-click the name of the DNS server again and open its properties. In the “Interfaces” tab you can then select the IP addresses. When configuring the DNS server, pay attention to which interface should process the requests.
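The two fine-tuning steps (scavenging for all zones with the seven-day default, and listening on the IPv4 address only) in PowerShell. Added example, not from the article; the server address is an assumed value.

```powershell
# Added example, not the article's own commands. Assumed value (adjust):
$ServerIP = '192.168.10.5'   # the DNS server's own IPv4 address

# Aging/scavenging for all zones. With the seven-day defaults a record can be
# removed only after NoRefresh + Refresh (14 days) have passed and the server's
# next scavenging run (every 7 days) finds it still stale.
Set-DnsServerScavenging -ScavengingState $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 `
    -ScavengingInterval 7.00:00:00 -ApplyOnAllZones

# Listen on the IPv4 address only (IPv4-only networks); an empty list would mean
# "all addresses", which is the default the article warns about.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([System.Net.IPAddress]$ServerIP)
Set-DnsServerSetting -InputObject $settings
Restart-Service -Name DNS    # listener changes take effect after a service restart

# Verify both settings.
Get-DnsServerScavenging
(Get-DnsServerSetting -All).ListeningIPAddress
```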
Test the DNS server configuration
- Finally, test that the DNS server works. To do this, open the command prompt (or PowerShell) and enter the command nslookup. The default server (DNS server) should be the server you just set up, shown with its name and its IPv4 address.
- The check with nslookup now returns the correct hostname after you enter the IP address. Tip: It can happen that localhost with the IP 127.0.0.1 is displayed as the default server. In this case you have to change the DNS server of the network connection to the IPv4 address of the server.
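The same check done with the DnsClient cmdlets instead of nslookup, including the fix for the “localhost as default server” case. Added example, not the article's own commands; the server address, adapter name and suffix are assumed values.

```powershell
# Added example, not the article's own commands. Assumed values (adjust):
$ServerIP = '192.168.10.5'
$Adapter  = 'Ethernet'
$Suffix   = 'domain.local'

# If the network connection still points at 127.0.0.1 (or any other address),
# point it at the new server, otherwise nslookup shows localhost as default server.
$current = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
if ($current -notcontains $ServerIP) {
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ServerIP
}

# Register this host's A and PTR records via dynamic update so there is
# something to look up in both zones.
Register-DnsClient

# Does the server answer and is it authoritative for the zone?
Test-DnsServer -IPAddress $ServerIP -ZoneName $Suffix

# Forward (A) and reverse (PTR) lookups, explicitly against the new server.
Resolve-DnsName -Name "$env:COMPUTERNAME.$Suffix" -Type A -Server $ServerIP
Resolve-DnsName -Name $ServerIP -Type PTR -Server $ServerIP

# Forwarders / root hints: a public name must resolve through this server too.
Resolve-DnsName -Name example.com -Type A -Server $ServerIP
```

If the PTR query fails while the A query succeeds, the reverse zone's network ID does not cover the server's address.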
Setting up a DNS server should not be too difficult as long as you take the points above into account. Especially when preparing an Active Directory installation, the DNS configuration should be well planned and carried out as accurately as possible. This way you avoid mistakes that can cause you a lot of trouble later on. It is better to invest a little more time in planning than to spend hours later struggling with problems.