Active Directory doesn’t work without DNS. Full stop. And while you can run AD without DHCP, you probably shouldn’t in any environment larger than a home lab.
These two services are foundational. If DNS breaks, AD breaks. If DHCP fails, nothing gets an IP. Understanding how they integrate with Active Directory will save you countless troubleshooting hours.
What you’ll learn:
- How DNS integrates with Active Directory
- Setting up AD-integrated DNS zones
- DHCP server configuration and scopes
- DNS and DHCP best practices
- Troubleshooting common issues
Career Value: DNS and DHCP troubleshooting is the #1 daily activity for Windows sysadmins. “If it’s not DNS, it’s always DNS” is a meme because it’s true. Demonstrating deep knowledge of AD-integrated DNS and DHCP failover shows production experience that commands GBP 50-70k+ salaries.
*DNS Manager: The critical foundation of Active Directory*

## Quick Reference
| Concept | What It Is | Remember |
|---|---|---|
| AD-Integrated DNS | DNS zones stored in AD | Replicates with AD, more secure |
| Forward Lookup | Name to IP | “What’s the IP for server01?” |
| Reverse Lookup | IP to Name | “What’s the name for 192.168.1.10?” |
| DHCP Scope | Range of IPs to assign | Define start, end, exclusions |
| DHCP Reservation | Fixed IP for specific MAC | Servers, printers get same IP always |
| DNS Forwarder | Where to ask for external names | Usually your ISP or 8.8.8.8 |
## DNS and Active Directory: The Critical Relationship

### Why AD Needs DNS
Active Directory requires DNS. Here’s why:
- Domain controller location – Clients find DCs via DNS SRV records
- Kerberos authentication – Service tickets require name resolution
- Replication – DCs find each other through DNS
- Group Policy – GPO application requires DC discovery
When you promote a server to a DC, you almost always install DNS. They’re a package deal.
### How Clients Find Domain Controllers

1. Client needs to log in
2. Client queries DNS for: `_ldap._tcp.dc._msdcs.yourdomain.local`
3. DNS returns list of DCs
4. Client contacts nearest DC
5. Authentication happens
If DNS fails at step 2, nothing else works. This is why DNS is so critical.
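The lookup chain above, as an added PowerShell check that is not part of the original article: it queries the same `_ldap._tcp.dc._msdcs` SRV record a client does, resolves each returned DC to an address, and tests the ports a logon depends on. The domain name and the port list are assumptions; run it from any domain-joined machine.

```powershell
# Added example (not from the original article): reproduce the DC-locator lookup
# a client performs, then check each returned DC is reachable on the logon ports.
function Test-DcLocator {
    param(
        [string]$Domain = "yourdomain.local",   # assumption: replace with your AD domain
        [int[]]$Ports   = @(88, 389, 445)       # Kerberos, LDAP, SMB (SYSVOL for Group Policy)
    )

    # Step 2 in the article: the SRV record clients query to find DCs
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }

    if (-not $srv) {
        Write-Warning "No SRV records for $srvName. Check the zone, then run 'nltest /dsregdns' on a DC."
        return
    }

    # Step 3/4: lower Priority is preferred; Weight splits load among equals
    foreach ($record in ($srv | Sort-Object Priority, Weight)) {
        $dc = $record.NameTarget
        # SRV gives a host name; the client still needs the A record for it
        $ip = (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress

        $result = [ordered]@{ DC = $dc; IP = $ip; Priority = $record.Priority }
        foreach ($port in $Ports) {
            $open = $false
            if ($ip) {
                $open = (Test-NetConnection -ComputerName $ip -Port $port `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
            }
            $result["Port$port"] = $open
        }
        [pscustomobject]$result
    }
}

# A DC that resolves but shows a closed port 389 or 88 explains a failed logon
# even though "DNS works"; a missing A record shows up as an empty IP column.
Test-DcLocator | Format-Table -AutoSize
```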
## Setting Up DNS for Active Directory

### AD-Integrated vs Standard Zones

**Standard Primary Zone:**
- Stored in a text file
- Single point of failure
- Manual replication needed
**AD-Integrated Zone:**
- Stored in Active Directory database
- Replicates with AD automatically
- Secure dynamic updates
- Multi-master (any DC can update)
Always use AD-Integrated for your AD domain zones.
### Creating an AD-Integrated Zone

When you promote your first DC with DNS, the zone is created automatically. For additional zones:

**GUI:** DNS Manager → Forward Lookup Zones → Right-click → New Zone → Primary zone → Store in Active Directory

**PowerShell:**

```powershell
# Create AD-integrated forward lookup zone
Add-DnsServerPrimaryZone -Name "newdomain.local" -ReplicationScope "Domain"

# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Domain"
```
### Zone Replication Scopes
| Scope | Replicates To | Use When |
|---|---|---|
| Domain | All DCs in domain | Default, most common |
| Forest | All DCs in forest | Multi-domain environments |
| DomainDnsZones | All DNS servers in domain | Domain-specific zones |
| ForestDnsZones | All DNS servers in forest | Forest-wide zones |
## Essential DNS Records

### Records Created Automatically

When computers join the domain, they register:

```text
A Record:   workstation01.yourdomain.local → 192.168.1.50
PTR Record: 50.1.168.192.in-addr.arpa → workstation01.yourdomain.local
```

DCs create additional SRV records:

```text
_ldap._tcp.yourdomain.local     → DC01.yourdomain.local
_kerberos._tcp.yourdomain.local → DC01.yourdomain.local
_gc._tcp.yourdomain.local       → DC01.yourdomain.local
```
### Manual Records You’ll Create

**A Records (Host to IP):**

```powershell
Add-DnsServerResourceRecordA -Name "fileserver" -ZoneName "yourdomain.local" -IPv4Address "192.168.1.20"
```

**CNAME Records (Alias):**

```powershell
Add-DnsServerResourceRecordCName -Name "files" -ZoneName "yourdomain.local" -HostNameAlias "fileserver.yourdomain.local"
```

**MX Records (Mail):**

```powershell
Add-DnsServerResourceRecordMX -Name "." -ZoneName "yourdomain.local" -MailExchange "mail.yourdomain.local" -Preference 10
```
## DNS Forwarders and Root Hints

### Forwarders

When your DNS server can’t resolve a name (external websites), it needs to ask someone else:

```powershell
# View current forwarders
Get-DnsServerForwarder

# Set forwarders
Set-DnsServerForwarder -IPAddress "8.8.8.8","8.8.4.4"
```
Common forwarder choices:
- ISP DNS servers (often fastest)
- Google: 8.8.8.8, 8.8.4.4
- Cloudflare: 1.1.1.1, 1.0.0.1
- Quad9: 9.9.9.9
### Root Hints vs Forwarders

**Root Hints:** Your server queries the root DNS servers directly and walks the hierarchy.

**Forwarders:** Your server asks another DNS server to resolve the name for it.
For most environments, use forwarders – they’re faster and reduce external queries.
## DHCP Server Setup

### Installing DHCP Role

**PowerShell:**

```powershell
Install-WindowsFeature -Name DHCP -IncludeManagementTools
```
### Authorizing DHCP in Active Directory

DHCP servers must be authorized in AD to prevent rogue DHCP:

```powershell
# Authorize DHCP server
Add-DhcpServerInDC -DnsName "DC01.yourdomain.local" -IPAddress 192.168.1.10

# Verify authorization
Get-DhcpServerInDC
```
### Creating a Scope

A scope defines a range of IP addresses to hand out:

**GUI:** DHCP Manager → IPv4 → Right-click → New Scope

**PowerShell:**

```powershell
# Create scope
Add-DhcpServerv4Scope -Name "Main Office" `
    -StartRange 192.168.1.100 `
    -EndRange 192.168.1.200 `
    -SubnetMask 255.255.255.0 `
    -State Active

# Set scope options
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 `
    -DnsServer 192.168.1.10,192.168.1.11 `
    -DnsDomain "yourdomain.local" `
    -Router 192.168.1.1
```

### Scope Options Explained
| Option | Code | Purpose |
|---|---|---|
| Router | 003 | Default gateway |
| DNS Servers | 006 | DNS server IPs |
| DNS Domain | 015 | Domain suffix for clients |
| WINS Server | 044 | Legacy NetBIOS resolution |
| Lease Duration | – | How long clients keep IP |
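Here is an added example (not from the original article) that builds the scope the way the best-practice list later in this guide recommends: an exclusion range for static servers and printers, a lease time chosen for the media type, and a read-back of what the server will actually hand out. Every address, name and lease value is an assumption for illustration.

```powershell
# Added example (not from the original article). Builds a scope with an exclusion
# range for static servers/printers, a media-appropriate lease, and then reads back
# the server's own view of the pool. All addresses and names are assumptions.
function New-OfficeScope {
    param(
        [string]$Name           = "Main Office",
        [ipaddress]$ScopeId     = "192.168.1.0",
        [ipaddress]$SubnetMask  = "255.255.255.0",
        [ipaddress]$StartRange  = "192.168.1.20",    # .1-.19 left outside the scope for network gear
        [ipaddress]$EndRange    = "192.168.1.250",   # .251-.254 left outside as a buffer
        [ipaddress]$ExcludeFrom = "192.168.1.20",    # static servers and printers live here...
        [ipaddress]$ExcludeTo   = "192.168.1.99",    # ...so DHCP must never hand these out
        [ipaddress]$Router      = "192.168.1.1",
        [ipaddress[]]$DnsServer = @("192.168.1.10", "192.168.1.11"),
        [string]$DnsDomain      = "yourdomain.local",
        [timespan]$Lease        = (New-TimeSpan -Hours 8)   # WiFi-style lease; use 8 days for wired
    )

    Add-DhcpServerv4Scope -Name $Name -StartRange $StartRange -EndRange $EndRange `
        -SubnetMask $SubnetMask -LeaseDuration $Lease -State Active

    # An exclusion carves static space out of an active scope without shrinking it,
    # so the scope can later grow into that space by simply removing the exclusion
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $ExcludeFrom -EndRange $ExcludeTo

    # Options 003 (router), 006 (DNS servers) and 015 (DNS domain) from the table above
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router `
        -DnsServer $DnsServer -DnsDomain $DnsDomain

    # Read back: exclusions in force and the pool size the server reports
    Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId
    Get-DhcpServerv4ScopeStatistics -ScopeId $ScopeId |
        Select-Object ScopeId, Free, InUse, Reserved, PercentageInUse
}

New-OfficeScope
```

`Free` should equal the scope size minus the excluded block; if it does not, an exclusion or the range boundaries are wrong.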
## DHCP Reservations

### When to Use Reservations
Reservations guarantee a specific IP for a specific MAC address:
- Servers – Need consistent IPs for firewall rules
- Printers – Users bookmark by IP
- Network devices – Switches, APs, cameras
- Specific workstations – For access control
### Creating Reservations

```powershell
# Get MAC address from existing lease
Get-DhcpServerv4Lease -ScopeId 192.168.1.0

# Create reservation
Add-DhcpServerv4Reservation -ScopeId 192.168.1.0 `
    -IPAddress 192.168.1.50 `
    -ClientId "AA-BB-CC-DD-EE-FF" `
    -Name "Printer-Reception"
```
### Reservation vs Static IP

**Reservation (DHCP):**
- Managed centrally
- Easy to audit and document
- Client still uses DHCP
- Can include all scope options
**Static IP (Manual):**
- Configured on device
- Works without DHCP server
- Harder to track
- Must manually set DNS, gateway
**Best Practice:** Use reservations for most fixed-IP needs. Use static only for infrastructure that must work before DHCP is available (DCs, DHCP servers themselves).
## DNS and DHCP Integration

### Dynamic DNS Updates

When DHCP assigns an IP, it can automatically update DNS:

```powershell
# Enable dynamic DNS updates for scope
Set-DhcpServerv4DnsSetting -ScopeId 192.168.1.0 `
    -DynamicUpdates "Always" `
    -DeleteDnsRROnLeaseExpiry $true
```

**Settings:**
- Always – Update both A and PTR records
- OnClientRequest – Only if client requests
- Never – No dynamic updates
### Scavenging: Cleaning Up Stale Records

Old DNS records from departed devices clutter your DNS:

```powershell
# Enable aging on the zone. -ScavengeServers takes IP addresses, not host names;
# 192.168.1.10 is DC01 in this guide.
Set-DnsServerZoneAging -Name "yourdomain.local" -Aging $true -ScavengeServers 192.168.1.10

# Set scavenging intervals (runs every 7 days)
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
```

**Warning:** Test scavenging in a lab first. Aggressive settings can delete records you need.
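Before enabling aging on a production zone, see what scavenging would remove. This added example (not from the original article) reads the zone's aging intervals and reports every dynamic A record whose timestamp is older than the no-refresh plus refresh window; the zone name and the 7-day defaults are assumptions, and it runs on a DNS server that hosts the zone.

```powershell
# Added example (not from the original article): dry-run report of the dynamic A
# records scavenging would delete, so stale-but-needed entries can be made static
# or re-registered first. Zone name and default intervals are assumptions.
function Get-ScavengingCandidates {
    param(
        [string]$ZoneName    = "yourdomain.local",
        # Windows defaults are 7 days each; a record becomes eligible once its
        # timestamp is older than NoRefresh + Refresh.
        [timespan]$NoRefresh = (New-TimeSpan -Days 7),
        [timespan]$Refresh   = (New-TimeSpan -Days 7)
    )

    # If aging is already configured on the zone, use its real intervals
    $aging = Get-DnsServerZoneAging -Name $ZoneName
    if ($aging.AgingEnabled) {
        $NoRefresh = $aging.NoRefreshInterval
        $Refresh   = $aging.RefreshInterval
    }
    $cutoff = (Get-Date) - ($NoRefresh + $Refresh)

    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        # Static records carry no timestamp and are never scavenged
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.HostName
                IP        = $_.RecordData.IPv4Address
                Timestamp = $_.Timestamp
                AgeDays   = [int]((Get-Date) - $_.Timestamp).TotalDays
            }
        } | Sort-Object Timestamp
}

# Anything listed here that is still in use needs fixing (re-register the client,
# or convert the record to static) before Set-DnsServerZoneAging -Aging $true.
Get-ScavengingCandidates | Format-Table -AutoSize
```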
## High Availability

### DNS High Availability
With AD-integrated DNS, every DC is a DNS server. Built-in HA.
**Client configuration:**
- Primary DNS: First DC
- Secondary DNS: Second DC
- Tertiary: Third DC (if available)
### DHCP High Availability

**Option 1: DHCP Failover (Windows Server 2012+)**

```powershell
# Create failover relationship
Add-DhcpServerv4Failover -Name "DHCP-Failover" `
    -PartnerServer "DC02.yourdomain.local" `
    -ScopeId 192.168.1.0 `
    -SharedSecret "SecurePassword123" `   # placeholder: use a long, random secret known only to the two servers
    -Mode LoadBalance `
    -LoadBalancePercent 50
```

**Option 2: Split Scope (Legacy)**
- 80% of addresses on primary DHCP
- 20% on secondary DHCP
- Both servers active, non-overlapping ranges
**Option 3: DHCP on Multiple DCs**
- Different scopes per subnet
- Each DC serves its local subnet
## Troubleshooting DNS

### DNS Not Resolving Internal Names

```powershell
# Clear DNS cache
Clear-DnsClientCache

# Test resolution
Resolve-DnsName yourdomain.local
Resolve-DnsName dc01.yourdomain.local

# Check DNS server being used
Get-DnsClientServerAddress

# Query specific DNS server
Resolve-DnsName dc01.yourdomain.local -Server 192.168.1.10
```
### SRV Records Missing

```powershell
# Check for required SRV records
Resolve-DnsName -Name "_ldap._tcp.yourdomain.local" -Type SRV

# Force DC to re-register DNS records
nltest /dsregdns
```
If SRV records are missing, AD authentication fails.
### Common DNS Issues

| Symptom | Likely Cause | Fix |
|---|---|---|
| Can’t find DC | SRV records missing | Run `nltest /dsregdns` |
| Slow resolution | Forwarders unreachable | Check/change forwarders |
| Can’t reach internet | Forwarders not set | Add forwarders |
| Stale records | Scavenging disabled | Enable scavenging |
| Dynamic updates fail | Zone not AD-integrated | Convert zone |
## Troubleshooting DHCP

### Client Not Getting IP

```powershell
# Release and renew (on the client)
ipconfig /release
ipconfig /renew

# Check DHCP server
Get-DhcpServerv4Scope
Get-DhcpServerv4ScopeStatistics

# Check for IP conflicts (addresses clients refused because another host already had them)
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Where-Object {$_.AddressState -eq "Declined"}
```
### DHCP Server Not Responding

```powershell
# Check service
Get-Service DHCPServer

# Check authorization
Get-DhcpServerInDC

# Check scope is active
Get-DhcpServerv4Scope | Select-Object ScopeId, State
```

### Common DHCP Issues
| Symptom | Likely Cause | Fix |
|---|---|---|
| 169.254.x.x address | DHCP unreachable | Check server/network |
| IP conflicts | Duplicate reservations | Audit reservations |
| Wrong DNS given | Scope options wrong | Update scope options |
| Pool exhausted | Too many devices | Expand scope or reduce lease |
## Best Practices

### DNS Best Practices
- AD-integrated zones – Always for AD domains
- Multiple DNS servers – Every DC should be DNS
- Reverse lookup zones – Create them, applications need them
- Scavenging – Enable it, but test first
- Forwarder redundancy – At least two forwarders
- Document manual records – Track what you create
### DHCP Best Practices
- Authorize in AD – Prevents rogue DHCP
- Appropriate lease times – 8 hours for WiFi, 8 days for wired
- Leave buffer space – Don’t use 100% of subnet in scope
- Exclusions for static – Exclude ranges for servers, printers
- Reservations over static – Easier management
- Failover – Always have DHCP redundancy
- Enable dynamic DNS – Keep DNS current
## Interview Questions

**Q1: “A user can’t log into their domain-joined laptop. Where do you start?”**

Good Answer: “First, I’d check if it’s a network issue or AD issue. Can the laptop ping the DC by IP? If not, it’s network/DHCP. If yes, can it resolve the DC name? If not, it’s DNS. I’d check ipconfig /all to see what DNS servers are assigned. If DNS is correct, I’d run nslookup _ldap._tcp.dc._msdcs.yourdomain.local to verify the DC SRV records exist. Nine times out of ten, login issues trace back to DNS.”

**Q2: “Explain how you’d set up DHCP for a new office with 200 users.”**

Good Answer: “I’d create a scope slightly larger than needed – maybe 192.168.1.100 to 192.168.2.50 for growth. I’d set exclusions for infrastructure: first 20 IPs for network gear, another block for servers. Scope options would include our two DCs as DNS servers, the domain suffix, and default gateway. I’d create reservations for printers and any fixed devices. For redundancy, I’d set up DHCP failover with our secondary DC in load-balance mode. Finally, I’d enable dynamic DNS updates so client records stay current.”

**Q3: “What happens if all DNS servers go down in an AD environment?”**

Good Answer: “Everything breaks. Clients can’t find DCs, so no one can log in with domain credentials. Cached credentials might work briefly for already-logged-in users. Services can’t authenticate. Email stops. Applications that use AD authentication fail. This is why you want DNS on every DC and you never take down all DCs simultaneously. Even planned maintenance should leave at least one DC online.”
## Career Application

**On your resume:**
- “Managed AD-integrated DNS for 50+ zones across multiple sites”
- “Implemented DHCP failover for high availability across 2000+ client environment”
- “Reduced DNS-related tickets by 60% through proper scavenging and monitoring”
**Demonstrate:**
- Understanding of DNS criticality for AD
- Ability to troubleshoot name resolution
- Knowledge of DHCP redundancy options
- Practical experience with both GUI and PowerShell
## Next Steps
- Next in series: Windows Security Hardening – Secure your environment
- Related: Active Directory Essentials – DNS prerequisite for AD
- Practice: Build a second DC, set up DHCP failover, break DNS and fix it
DNS is the nervous system of Active Directory. If it’s healthy, everything works. If it’s broken, nothing does. Next: hardening all of this.
*Windows Fundamentals Series, Part 5 of 6. Previous: Group Policy Deep Dive | Next: Windows Security Hardening*

ReadTheManual is run, written and curated by Eric Lonsdale.
Eric has over 20 years of professional experience in IT infrastructure, cloud architecture, and cybersecurity, but started with PCs long before that.
He built his first machine from parts bought off tables at the local college campus, hoping they worked. He learned on BBC Micros and Atari units in the early 90s, and has built almost every PC he’s used between 1995 and now.
From helpdesk to infrastructure architect, Eric has worked across enterprise datacentres, Azure environments, and security operations. He’s managed teams, trained engineers, and spent two decades solving the problems this site teaches you to solve.
ReadTheManual exists because Eric believes the best way to learn IT is to build things, break things, and actually read the manual. Every guide on this site runs on infrastructure he owns and maintains.