# DNS and DHCP on Windows Server
DNS and DHCP are the two background services almost every Windows network depends on: DNS resolves names to IP addresses, and DHCP hands clients a working IP configuration automatically. This page covers installing and operating both as Windows Server roles.
**Tested on**
Windows Server 2022 (Datacenter, GUI). DNS examples use the DnsServer PowerShell module; DHCP examples use the DhcpServer module. Both ship with the respective role.
**Protocol fundamentals live elsewhere**
This page is about the Windows implementation. For how DNS resolution and the DHCP DORA exchange actually work at the protocol level (record types, recursion, TTL, relay), read DNS and DHCP first.
## The DNS Server role
DNS on Windows is most important because it underpins Active Directory: domain controllers register their location in DNS using SRV records, and clients find DCs by querying DNS. A broken DNS server breaks logons, Group Policy, and replication.
### Installing the role

```powershell
# Install the DNS Server role plus its management tools
Install-WindowsFeature -Name DNS -IncludeManagementTools
```
Or via the GUI: Server Manager > Add Roles and Features > DNS Server. Manage it afterwards from Server Manager > Tools > DNS (the DNS Manager console, dnsmgmt.msc).
**Installing AD usually installs DNS for you**
If you promote a server to a domain controller and let it install DNS, the AD-integrated zone for your domain is created automatically. You only install DNS by hand on a standalone resolver or a secondary DNS server.
### Forward and reverse lookup zones
A zone is the portion of the DNS namespace a server is authoritative for.
- A **forward lookup zone** answers name-to-IP queries (e.g. `corp.example.com` to `10.0.0.10`). It holds your `A`, `AAAA`, `CNAME`, `MX`, and other records.
- A **reverse lookup zone** answers IP-to-name queries using the special `in-addr.arpa` domain. It holds `PTR` records and is what makes `nslookup 10.0.0.10` return a name.

```powershell
# Forward lookup zone
Add-DnsServerPrimaryZone -Name "corp.example.com" -ZoneFile "corp.example.com.dns"

# Reverse lookup zone for the 10.0.0.0/24 network
Add-DnsServerPrimaryZone -NetworkID "10.0.0.0/24" -ZoneFile "0.0.10.in-addr.arpa.dns"
```
In DNS Manager you do the same with: right-click Forward Lookup Zones (or Reverse Lookup Zones) > New Zone > follow the wizard.
### Common record types

| Record | Purpose |
|---|---|
| `A` | Maps a name to an IPv4 address |
| `AAAA` | Maps a name to an IPv6 address |
| `CNAME` | Alias of one name to another name |
| `PTR` | Reverse mapping: IP to name (lives in the reverse zone) |
| `MX` | Mail server for a domain |
| `NS` | The authoritative name servers for the zone |
| `SOA` | Start of Authority: zone serial, refresh, and primary server |
| `SRV` | Locates a service; this is how clients find AD domain controllers |
Add records from PowerShell:

```powershell
# Add an A record (and create the matching PTR if a reverse zone exists)
Add-DnsServerResourceRecordA -ZoneName "corp.example.com" -Name "web01" `
    -IPv4Address "10.0.0.20" -CreatePtr

# Add a CNAME alias
Add-DnsServerResourceRecordCName -ZoneName "corp.example.com" -Name "intranet" `
    -HostNameAlias "web01.corp.example.com"
```
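`-CreatePtr` only helps for records you add by hand; records that arrived via dynamic update or were created before the reverse zone existed can drift. The following script is an added example (not part of the original page) that walks every `A` record in the forward zone, checks for a matching `PTR` in the reverse zone, and creates the missing ones when run with `-Fix`. It assumes the zone names used on this page and /24 reverse zones; the `-Fix` switch and the script itself are constructed here.

```powershell
# Audit (and optionally repair) A -> PTR consistency for one forward zone.
param(
    [string]$ZoneName = "corp.example.com",   # zone from this page
    [switch]$Fix                              # create missing PTRs instead of only reporting them
)

Import-Module DnsServer

$aRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A

foreach ($rec in $aRecords) {
    $ip = $rec.RecordData.IPv4Address.IPAddressToString
    $o  = $ip.Split('.')

    # Assumption: /24 reverse zones, so 10.0.0.20 lives in 0.0.10.in-addr.arpa as PTR name "20".
    $revZone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
    $ptrName = $o[3]

    # "@" is the zone apex; its PTR should point at the zone name itself. PTR targets are FQDNs with a trailing dot.
    $fqdn = if ($rec.HostName -eq '@') { "$ZoneName." } else { "$($rec.HostName).$ZoneName." }

    if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
        Write-Warning "$fqdn ($ip): reverse zone $revZone does not exist on this server"
        continue
    }

    $ptr = Get-DnsServerResourceRecord -ZoneName $revZone -RRType Ptr -Name $ptrName -ErrorAction SilentlyContinue
    if ($ptr -and ($ptr.RecordData.PtrDomainName -contains $fqdn)) {
        continue   # forward and reverse agree; nothing to do
    }

    if ($Fix) {
        Add-DnsServerResourceRecordPtr -ZoneName $revZone -Name $ptrName -PtrDomainName $fqdn
        Write-Output "Created PTR $ptrName.$revZone -> $fqdn"
    } else {
        Write-Output "Missing PTR for $fqdn ($ip) in $revZone (run with -Fix to create it)"
    }
}
```

Run it without `-Fix` first; a host whose PTR points at a different name is reported as missing rather than overwritten, which is the safer default when several A records share one address.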
### AD-integrated zones
When a zone is Active Directory-integrated, the records are stored in AD rather than in a flat text file. The advantages:
- Multi-master replication: any DC running DNS can accept updates, and they replicate through normal AD replication.
- Secure dynamic updates: only authenticated domain members can register/update their own records, blocking spoofed registrations.
- No separate zone-transfer setup: replication is handled by AD.
You choose AD integration in the New Zone wizard (the "Store the zone in Active Directory" checkbox), or convert an existing primary zone:
```powershell
ConvertTo-DnsServerPrimaryZone -Name "corp.example.com" `
    -ReplicationScope "Domain" -PassThru -Force
```

**AD-integrated zones need DNS on a domain controller**
Storing a zone in AD requires the DNS role to run on a writable domain controller. A standalone DNS server can only host standard primary/secondary (file-based) zones.
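Secure dynamic updates are a zone setting, not a side effect of AD integration: a converted zone can still be left at "Nonsecure and secure", which lets any host on the network overwrite records. The script below is an added example (not from the original page) that lists every primary zone on the server with its storage and update mode, and with `-Fix` switches AD-integrated zones to secure-only updates. The `-Fix` switch is constructed here; the cmdlets and property names are the DnsServer module's own.

```powershell
# Report each primary zone's update policy; with -Fix, enforce Secure on AD-integrated zones.
param([switch]$Fix)

Import-Module DnsServer

# Only zones this server is primary for, skipping the built-in ones (TrustAnchors, 0.in-addr.arpa, ...)
$zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($z in $zones) {
    $where = if ($z.IsDsIntegrated) { "AD/$($z.ReplicationScope)" } else { "file" }

    switch ($z.DynamicUpdate) {
        'Secure' { "OK     $($z.ZoneName) [$where]: secure dynamic updates" }
        'None'   { "OK     $($z.ZoneName) [$where]: dynamic updates disabled" }
        'NonsecureAndSecure' {
            if ($z.IsDsIntegrated -and $Fix) {
                # Secure-only is available because the zone lives in AD.
                Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
                "FIXED  $($z.ZoneName) [$where]: NonsecureAndSecure -> Secure"
            } elseif ($z.IsDsIntegrated) {
                "REVIEW $($z.ZoneName) [$where]: accepts unauthenticated updates; rerun with -Fix"
            } else {
                # Secure updates need an AD-integrated zone. A file-based zone must either be
                # converted (ConvertTo-DnsServerPrimaryZone -ReplicationScope Domain) or set to None.
                "REVIEW $($z.ZoneName) [$where]: file-based zone accepts unauthenticated updates"
            }
        }
    }
}
```

Reverse zones are included in the listing, which matters because a reverse zone left open lets a client rewrite the `PTR` records that logging and access-control lists may rely on.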
### Forwarders
Your DNS server is not authoritative for the public internet. A forwarder tells it where to send queries it cannot answer locally - typically your ISP's resolver or a public resolver like 1.1.1.1. Without one (and with no root hints), external name resolution fails.
In DNS Manager: right-click the server > Properties > Forwarders tab > Edit. Conditional forwarders let you send a specific domain to a specific server (handy for resolving a partner's internal domain).
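The same configuration from PowerShell, as an added example that is not part of the original page. It sets a fixed forwarder list, disables the fall-back to root hints so that resolution only ever leaves the network through the resolvers you chose, adds a conditional forwarder, and then probes each forwarder directly so a dead one shows up before users notice. `1.0.0.1`, `partner.example` and `192.0.2.53` are constructed placeholders; `1.1.1.1` is the address mentioned on this page.

```powershell
Import-Module DnsServer

# Replace the forwarder list outright and stop the server from trying root hints if the forwarders fail.
Set-DnsServerForwarder -IPAddress 1.1.1.1, 1.0.0.1 -UseRootHint $false -Timeout 3

# Conditional forwarder: queries for the partner's namespace go straight to their server.
Add-DnsServerConditionalForwarderZone -Name "partner.example" -MasterServers 192.0.2.53

# Ask each configured forwarder directly (-DnsOnly bypasses hosts file and local cache) and report who answers.
function Test-DnsServerForwarders {
    param([string]$ProbeName = "example.com")

    foreach ($fwd in (Get-DnsServerForwarder).IPAddress) {
        $addr = $fwd.IPAddressToString
        try {
            $null = Resolve-DnsName -Name $ProbeName -Type A -Server $addr -DnsOnly -ErrorAction Stop
            [pscustomobject]@{ Forwarder = $addr; Responds = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Forwarder = $addr; Responds = $false; Error = $_.Exception.Message }
        }
    }
}

Test-DnsServerForwarders | Format-Table -AutoSize
Get-DnsServerZone -Name "partner.example"
```

`-UseRootHint $false` is the deliberate choice here: with it set to `$true` (the default) a misconfigured or blocked forwarder silently turns the server into a full recursive resolver talking to the root servers, which firewall rules written for "DNS goes only to the forwarders" will not allow.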
## The DHCP Server role
DHCP automatically leases IP configuration (address, subnet mask, gateway, DNS servers) to clients via the DORA exchange - Discover, Offer, Request, Acknowledge - covered in DNS and DHCP.
### Installing the role

```powershell
# Install the DHCP Server role plus its management tools
Install-WindowsFeature -Name DHCP -IncludeManagementTools
```

Or Server Manager > Add Roles and Features > DHCP Server. Manage it from Server Manager > Tools > DHCP (the DHCP console, dhcpmgmt.msc).
### Authorizing the server in Active Directory
In an AD domain, a DHCP server will not hand out leases until it is authorized in AD. This is a safety feature that stops rogue DHCP servers from corrupting a network. After installing the role, Server Manager shows a post-deployment task to "Complete DHCP configuration"; you can also authorize from PowerShell:
```powershell
# Authorize this DHCP server in Active Directory
Add-DhcpServerInDC -DnsName "dhcp01.corp.example.com" -IPAddress 10.0.0.5

# Confirm it is authorized
Get-DhcpServerInDC
```

**Unauthorized = silent**
An unauthorized Windows DHCP server in a domain simply refuses to service requests - clients fall back to APIPA (169.254.x.x) addresses. If clients are not getting leases, check authorization first.
### Creating a scope
A scope is the pool of addresses and options a DHCP server hands out for one subnet. You define the address range, the subnet mask, the gateway (router), and DNS options.
```powershell
# 1. Create the scope (range + mask)
Add-DhcpServerv4Scope -Name "LAN-10.0.0" -StartRange 10.0.0.100 `
    -EndRange 10.0.0.200 -SubnetMask 255.255.255.0 -State Active

# 2. Set the default gateway (option 003) for that scope
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -Router 10.0.0.1

# 3. Set DNS servers (option 006) and DNS domain (option 015)
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 `
    -DnsServer 10.0.0.10 -DnsDomain "corp.example.com"
```
In the GUI: right-click IPv4 > New Scope and the wizard walks you through range, exclusions, lease duration, gateway, and DNS.
**Exclusions vs the range**
Static devices (servers, the gateway, printers) should sit outside the scope range, or be carved out with Add-DhcpServerv4ExclusionRange, so DHCP never offers an address that is already in use.
### Reservations
A reservation ties a specific IP to a device's MAC address, so that device always leases the same address while still receiving the scope's options centrally. Use it for printers, servers, and anything that needs a predictable address.
```powershell
Add-DhcpServerv4Reservation -ScopeId 10.0.0.0 -IPAddress 10.0.0.150 `
    -ClientId "00-15-5D-AB-CD-EF" -Name "office-printer"
```
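Whether a static address is actually safe from being offered twice depends on three things together: is it inside the pool, and if so, is it covered by an exclusion or a reservation? The script below is an added example (not from the original page) that carves an exclusion out of the scope created above and then answers that question for a list of static hosts, serving both the exclusion note and the reservation section. `Test-DhcpStaticHosts`, `ConvertTo-IPv4UInt32` and the exclusion range `10.0.0.100`-`10.0.0.110` are constructed here; the scope, gateway, DNS server and printer addresses are the ones used on this page.

```powershell
Import-Module DhcpServer

# Convert a dotted-quad (string or IPAddress) to an unsigned integer so ranges can be compared numerically.
function ConvertTo-IPv4UInt32 {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes() is network order; BitConverter wants host (little-endian) order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# For each static address report whether it is in the pool and, if so, whether an exclusion
# or a reservation keeps the server from offering it to some other client.
function Test-DhcpStaticHosts {
    param(
        [Parameter(Mandatory)][string]$ScopeId,
        [Parameter(Mandatory)][string[]]$StaticHosts
    )
    $scope        = Get-DhcpServerv4Scope -ScopeId $ScopeId
    $exclusions   = @(Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId)
    $reservations = @(Get-DhcpServerv4Reservation -ScopeId $ScopeId)
    $poolStart    = ConvertTo-IPv4UInt32 $scope.StartRange
    $poolEnd      = ConvertTo-IPv4UInt32 $scope.EndRange

    foreach ($h in $StaticHosts) {
        $n        = ConvertTo-IPv4UInt32 $h
        $inPool   = ($n -ge $poolStart) -and ($n -le $poolEnd)
        $excluded = [bool]($exclusions | Where-Object {
            $n -ge (ConvertTo-IPv4UInt32 $_.StartRange) -and $n -le (ConvertTo-IPv4UInt32 $_.EndRange)
        })
        $reserved = [bool]($reservations | Where-Object { $_.IPAddress.IPAddressToString -eq $h })

        [pscustomobject]@{
            Host     = $h
            InPool   = $inPool
            Excluded = $excluded
            Reserved = $reserved
            Safe     = (-not $inPool) -or $excluded -or $reserved
        }
    }
}

# Carve the block kept for static hosts out of the pool (constructed range).
Add-DhcpServerv4ExclusionRange -ScopeId 10.0.0.0 -StartRange 10.0.0.100 -EndRange 10.0.0.110

# Gateway, DNS server, a host inside the exclusion, and the reserved printer from this page.
Test-DhcpStaticHosts -ScopeId 10.0.0.0 -StaticHosts 10.0.0.1, 10.0.0.10, 10.0.0.105, 10.0.0.150 |
    Format-Table -AutoSize
```

With the scope from this page, `10.0.0.1` and `10.0.0.10` are outside the pool, `10.0.0.105` is excluded and `10.0.0.150` is reserved, so all four come back `Safe = True`; a static server placed at, say, `10.0.0.180` without a reservation would be the one row to act on.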
### The lease and DORA

When a client connects:

1. **DISCOVER**: client broadcasts "is there a DHCP server?"
2. **OFFER**: server offers an address from the scope
3. **REQUEST**: client broadcasts "I'll take that one"
4. **ACK**: server confirms and records the lease
The address is leased for the lease duration (8 days by default). The client tries to renew at 50% of the lease (T1) directly with the server, and again at ~87.5% (T2) via broadcast if needed. For clients on a different subnet from the DHCP server, a DHCP relay agent (IP helper) forwards the broadcasts - see the networking page for that detail.
**DHCP and DNS together**
Windows DHCP can register/update clients' A and PTR records in DNS on their behalf (the DNS tab on a scope or server). Combined with secure dynamic updates on an AD-integrated zone, this keeps DNS accurate as leases change.
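The scope's DNS tab from PowerShell, as an added example that is not part of the original page. It turns on registration for all clients, removes records when a lease expires, and enables name protection so that a client cannot register a hostname that another client already owns in DNS. It also gives the DHCP server a dedicated account for those updates, which matters on a domain controller: otherwise records are registered under the DC's computer account and ownership in the zone becomes ambiguous. `CORP\svc-dhcp-dns` is a constructed placeholder; the scope ID is the one from this page.

```powershell
Import-Module DhcpServer

# Scope-level DNS registration policy for the scope created on this page.
#   -DynamicUpdates Always            register A and PTR even for clients that do not request it (option 81)
#   -DeleteDnsRROnLeaseExpiry $true   remove the records when the lease ends
#   -UpdateDnsRRForOlderClients $true cover clients that never send option 81 at all
#   -NameProtection $true             refuse to overwrite a name another client registered
Set-DhcpServerv4DnsSetting -ScopeId 10.0.0.0 `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $true

# Dedicated low-privilege domain account used for the dynamic updates (placeholder name).
Set-DhcpServerv4DnsCredential -Credential (Get-Credential -UserName "CORP\svc-dhcp-dns" -Message "DHCP DNS update account")

# Read back both settings to confirm.
Get-DhcpServerv4DnsSetting -ScopeId 10.0.0.0
Get-DhcpServerv4DnsCredential
```

Name protection relies on the zone accepting secure dynamic updates; on a zone still set to "Nonsecure and secure" a client can bypass it by writing the record itself, which is one more reason to tighten the zone setting first.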
## Verify your work

DNS:

```powershell
# List zones and confirm yours exist
Get-DnsServerZone

# Resolve a record you created (against this server)
Resolve-DnsName web01.corp.example.com -Server 10.0.0.10
nslookup web01.corp.example.com 10.0.0.10
```

DHCP:

```powershell
# Confirm authorization, scope, and that leases are being issued
Get-DhcpServerInDC
Get-DhcpServerv4Scope
Get-DhcpServerv4Lease -ScopeId 10.0.0.0
```

On a client, `ipconfig /all` should show an address from the scope range, the correct gateway, and your DNS server, not a 169.254.x.x APIPA address.
## Summary

- Install with `Install-WindowsFeature DNS -IncludeManagementTools` and `Install-WindowsFeature DHCP -IncludeManagementTools`; manage in DNS Manager and the DHCP console.
- DNS needs forward (name to IP) and reverse (IP to name, `in-addr.arpa`) zones; create records with `Add-DnsServerResourceRecordA`. Key types: `A`, `AAAA`, `CNAME`, `PTR`, `MX`, `NS`, `SOA`, `SRV`.
- AD-integrated zones replicate via AD and support secure dynamic updates; forwarders handle queries the server is not authoritative for.
- A DHCP server in a domain must be authorized in AD (`Add-DhcpServerInDC`) before it leases anything.
- A scope defines the range, mask, gateway (option 003), and DNS (options 006/015); reservations pin an IP to a MAC; addressing is handed out via the DORA lease process.
- AD-integrated DNS underpins Active Directory; see also Group Policy and the protocol-level DNS and DHCP.