Export (0) Print
Expand All

Concepts about DNS

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Server 2003 DNS is based on Requests For Comments (RFCs) standards developed by the Internet Engineering Task Force (IETF) and is therefore interoperable with other standards-compliant DNS implementations. DNS uses a distributed database that implements a hierarchical naming system. This naming system enables an organization to expand its presence on the Internet and enables the creation of names that are unique both on the Internet and on private TCP/IP-based intranets.

By using DNS, any computer on the Internet can look up the name of any other computer in the Internet namespace. Computers running Windows Server 2003 and Microsoft® Windows® 2000 also use DNS to locate domain controllers and other servers running Active Directory.

DNS Roles

Deploying a DNS infrastructure involves design, implementation, and maintenance tasks. The individuals who are responsible for these tasks include DNS designers and the DNS administrators. Before you begin designing your DNS deployment, it is helpful to identify the individuals in your organization who are responsible for these roles. Table 3.1 lists the responsibilities of the DNS designer and DNS administrator roles.

Table 3.1   DNS Roles


Role Responsibility

DNS designer

  • Designing the DNS namespace

  • Placing DNS servers and zones within the DNS namespace

  • Creating a secure DNS infrastructure

  • Designing DNS integration with Active Directory

DNS administrator

  • Deploying, configuring, and managing the DNS infrastructure

  • Managing Active Directory integration

DNS designer role

If you are deploying DNS to support Active Directory in an environment that does not already have a DNS infrastructure, the DNS designer is responsible for the DNS integration with the entire Active Directory forest. The DNS designer works closely with the DNS administrator for Active Directory.

If you are deploying DNS to support Active Directory in an environment that has an existing DNS infrastructure, the DNS designer works with the DNS administrator for Active Directory to delegate the forest root DNS name to Active Directory. The Active Directory forest administrator delegates management of DNS to a DNS administrator.

DNS administrator role

DNS administrators manage and maintain the DNS namespace, DNS servers, DNS clients, DNS zones, and zone propagation. DNS administrators are also responsible for maintaining network security by anticipating and mitigating new security threats. In addition, DNS administrators are responsible for DNS integration with other Windows Server 2003 services.

New in Windows Server 2003

Windows Server 2003 DNS includes several new features, including:

  • Conditional forwarding. Conditional forwarding enables a DNS server to forward DNS queries based on the DNS domain name in the query. For more information about conditional forwarding, see Help and Support Center for Windows Server 2003.

  • DNS application directory partitions. DNS application directory partitions enable you to set the replication scope for Active Directory–integrated DNS data. By limiting the scope of replication traffic to a subset of the servers running Active Directory in your forest, you can reduce replication traffic.

  • DNSSEC. DNS provides basic support for the DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535: Domain Name System Security Extensions. For more information about DNSSEC, see Help and Support Center for Windows Server 2003.

  • EDNS0. Extension Mechanisms for DNS (EDNS0) enable DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets larger than 512 octets, the original DNS limit for UDP packet size. For more information about EDNS0, see Help and Support Center for Windows Server 2003.

Tools for Deploying DNS

Windows Server 2003 includes a number of tools to assist you in deploying a DNS infrastructure.


The Netdiag.exe tool assists you in isolating networking and connectivity problems. Netdiag.exe performs a series of tests that you can use to determine the state of your network client. For more information about Netdiag.exe, in Help and Support Center for Windows Server 2003, click Tools, and then click Windows Support Tools.


You can use the Nslookup.exe command-line tool to perform query testing of the DNS domain namespace and to diagnose problems with DNS servers.


You can use the Dnscmd.exe command-line tool to perform administrative tasks on the DNS server the same as you can by using the DNS Microsoft Management Console (MMC) snap-in.


DNSLint is a command-line tool that you can use to address some common DNS name resolution issues, such as lame delegation and DNS record verification. DNSLint is in the file in the \Support\Tools folder on the Windows Server 2003 operating system CD. You can install DNSLint by running Suptools.msi.

Terms and Definitions

The following are some important DNS-related terms.

Authoritative DNS server   A DNS server that hosts a primary or secondary copy of zone data. Each zone has at least one authoritative DNS server.

Conditional forwarding   A DNS query setting that enables a DNS server to route a request for a particular name to another DNS server by specifying a name and IP address. For example, a DNS server in can be configured to forward queries for names in to a DNS server hosting the zone.

Delegation   The process of using resource records to provide pointers from parent zones to child zones in a namespace hierarchy. This enable DNS servers in a parent zone to route queries to DNS servers in a child zone for names within their branch of the DNS namespace. Each delegation corresponds to at least one zone.

DNS client resolver   A service that runs on client computers and sends DNS queries to a DNS server. Some resolvers use a cache to improve name resolution performance.

DNS namespace   The hierarchical naming structure of the domain tree. Each domain label that is used in a fully qualified domain name (FQDN) indicates a node or branch in the domain tree. For example, is an FQDN that represents the node host1, under the node Contoso, under the node com, under the DNS root.

DNS server   A computer that hosts DNS zone data, resolves DNS queries, and caches the query responses.

Domain tree   In DNS, the inverted hierarchical tree structure that is used to index domain names within a namespace. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage.

Public namespace   A namespace on the Internet, such as, that can be accessed by any connected device. Beneath the top-level domains, the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Assigned Numbers Authority (IANA), and other Internet naming authorities delegate domains to organizations such as Internet Service Providers (ISPs), which in turn delegate subdomains to their customers or host zones for their customers. For more information about public namespaces, see the Internet Assigned Numbers Authority (IANA) link on the Web Resources page at

Forward lookup zone   An authoritative DNS zone that is primarily used to resolve network resource names to IP addresses.

Fully qualified domain name (FQDN)   A DNS name that uniquely identifies a node in a DNS namespace. The FQDN of a computer is a concatenation of the computer name (for example, client1) and the primary DNS suffix of the computer (for example,, and a terminating dot (for example,

Internal namespace   A namespace internal to an organization to which it can control access. Organizations can use the internal namespace to shield the names and IP addresses of its internal computers from the Internet. A single organization might have multiple internal namespaces. Organizations can create their own root servers and any subdomains as needed. The internal namespace can coexist with an external namespace.

Iterative query   A query made by a client to a DNS server for an authoritative answer that can be provided by the server without generating additional server-side queries to other DNS servers.

Primary DNS server   A DNS server that hosts read-write copies of zone data, has a DNS database of resource records, and resolves DNS queries.

Secondary DNS server   A DNS server that hosts a read-only copy of zone data. A secondary DNS server periodically checks for changes made to the zone on its configured primary DNS server, and performs full or incremental zone transfers, as needed.

Recursive query   A query made by either a client or a DNS server on behalf of a client, the response to which can be an authoritative answer or a referral to another server. Recursive queries continue until the DNS server receives an authoritative answer for the queried name. By default, recursion is enabled for Windows Server 2003 DNS.

Resource record (RR)   A DNS database structure containing name information for a particular zone. For example, an address (A) resource record can map the IP address to the name or a namespace (NS) resource record can map the name to the server name Most of the basic RR types are defined in RFC 1035: Domain Names — Implementation and Specification, but additional RR types are defined in other RFCs.

Reverse lookup zone   An authoritative DNS zone that is primarily used to resolve IP addresses to network resource names.

Stub zone   A partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone’s authoritative servers, and the glue address (A) resource records that are required for contacting the zone’s authoritative servers. Stub zones are used to reduce the number of DNS queries on a network, and to decrease the network load on the primary DNS servers hosting a particular name.

Zone   In a DNS database, a contiguous portion of the domain tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all of the names within the zone.

Zone file   A file that consists of the DNS database resource records that define the zone. DNS data that is Active Directory–integrated is not stored in zone files because the data is stored in Active Directory. However, DNS data that is not Active Directory–integrated is stored in zone files.

Zone transfer   The process of copying the contents of the zone file located on a primary DNS server to a secondary DNS server. Using zone transfer provides fault tolerance by synchronizing the zone file in a primary DNS server with the zone file in a secondary DNS server. The secondary DNS server can continue performing name resolution if the primary DNS server fails.

Community Additions

© 2016 Microsoft