Configuring DNS to Support Active Directory

Aside from the details listed above, it is important to understand how to create an initial DNS zone to support Active Directory. This should be done in advance of installing Active Directory, in order to ensure that things are configured as you wish them to be. If you do not configure the zone in advance, the installation wizard will automatically do it for you, and the installation may not meet your needs.

Configuring a zone first involves installing the DNS service via the Add/Remove Windows components wizard. After doing this, open the DNS tool and you should see the default configuration.

By default the server will act as a caching-only server, simply forwarding queries to root servers when an answer cannot be found in cache. However, in order to support AD, a zone must be created that will be authoritative for the Active Directory domain that is to be installed. A wizard does exist to walk you through the process (right click and choose Configure the Server) if you choose that method. However, right-clicking the forward lookup zone and choosing New Zone will open the New Zone wizard, which I will cover here. By default, three options exist for zone types to be created.

Note that the option for an Active Directory-integrated zone is unavailable since Active Directory has not yet been set up. Choosing a standard primary would be our only real option, since a secondary requires a primary to exist. This primary zone can later be changed to AD-integrated as we’ll see in a bit. The zone must be named, so I have chosen, which will create a zone file called

After creating a zone, ensure that the TCP/IP properties of the server you wish to promote to a domain controller point to this newly created DNS server (it may be the same system). Also note that the properties on the zone can be accessed to change settings such as the zone type (which can be changed once we install AD), support for dynamic updates (disabled by default), SOA, Name Server, WINS, and Zone Transfer information.

The properties configured for a zone are different than those configured for a DNS server, which may support many zones. Properties for a DNS server are shown below, allowing you to control elements including the configuration of interfaces, forwarders, advanced properties, root hints, logging, and monitoring.

Note that dynamic updates are not allowed by default. You’ll need to change this in order for domain controllers to automatically register their service records.

Also remember that a zone can only be comprised of domains in a contiguous namespace. As such, if you wanted to support domains called and from the same DNS server, you would be required to create separate zones. However, a single zone could handle the domains and without issue.

Although not required for Active Directory support, it is also good practice to create reverse lookup zones for all forward lookup zones created, since these provide IP address to hostname resolution services. A reverse zone name will be in a format that reverses the network portion of the IP address range in use, and appends the reverse-lookup domain name. For example, the domain name for a reverse zone that supports network would be You should also enable dynamic updates for this zone in order for reverse records to be added automatically.
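The reverse zone naming rule described above, worked through as an added example (not code from the original article). It goes slightly beyond the single case in the text by covering /8, /16 and /24 networks and by deriving the PTR owner name for a host; the networks and addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Only these prefix lengths fall on an octet boundary, which is what the
# "reverse the network portion" rule assumes. Value = number of network octets.
_OCTET_PREFIXES = {8: 1, 16: 2, 24: 3}


def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa zone name for an octet-aligned IPv4 network."""
    net = ipaddress.ip_network(network, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("IPv6 reverse zones use ip6.arpa, not in-addr.arpa")
    if net.prefixlen not in _OCTET_PREFIXES:
        raise ValueError(
            f"/{net.prefixlen} is not on an octet boundary; "
            "the simple reversal rule does not apply"
        )
    count = _OCTET_PREFIXES[net.prefixlen]
    octets = str(net.network_address).split(".")[:count]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(host: str, network: str) -> str:
    """Return the full PTR owner name for host, checking it is in the zone."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(host)
    if addr not in net:
        raise ValueError(f"{host} is outside {network}; wrong reverse zone")
    zone = reverse_zone_name(network)
    host_octets = 4 - _OCTET_PREFIXES[net.prefixlen]
    labels = str(addr).split(".")[-host_octets:]
    return ".".join(reversed(labels)) + "." + zone


if __name__ == "__main__":
    # Constructed sample networks and hosts, not values from the article.
    for net, host in [("192.168.10.0/24", "192.168.10.25"),
                      ("172.16.0.0/16", "172.16.4.7")]:
        print(net, "->", reverse_zone_name(net))
        print(" ", host, "->", ptr_owner_name(host, net))
```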

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.