DNS and DHCP are the backbone of every Active Directory environment. Without functioning DNS, domain join fails, Kerberos authentication breaks, and Group Policy cannot be applied. This lab builds and validates the full DNS/DHCP stack: forward and reverse zones, SRV records that AD clients rely on, DHCP scopes with exclusions and reservations, and systematic troubleshooting using native Windows tools.
Installed DNS Server and DHCP Server roles via Server Manager on the Windows Server 2019 domain controller. Post-install, authorized the DHCP server in Active Directory to prevent rogue DHCP servers from operating on the network.
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {DNS Server, DHCP Server}
# Authorize DHCP server in AD
PS> Add-DhcpServerInDC -DnsName "DC01.corp.local" -IPAddress 192.168.10.10
PS> Get-DhcpServerInDC
IPAddress     DnsName
---------     -------
192.168.10.10 DC01.corp.local
Verified the forward lookup zone (corp.local) was auto-created during AD DS promotion. Created a reverse lookup zone for the 192.168.10.0/24 subnet. AD DS automatically registers critical SRV records during promotion — verified these are present and resolving correctly using nslookup.
SRV records are essential: Windows clients query _ldap._tcp.corp.local to locate the domain controller and _kerberos._tcp.corp.local to locate the KDC for authentication.
Server: DC01.corp.local
Address: 192.168.10.10
_ldap._tcp.corp.local SRV service location:
    priority     = 0
    weight       = 100
    port         = 389
    svr hostname = DC01.corp.local
C:\> nslookup -type=SRV _kerberos._tcp.corp.local
_kerberos._tcp.corp.local SRV service location:
    port         = 88
    svr hostname = DC01.corp.local
REM Verify reverse lookup (PTR record)
C:\> nslookup 192.168.10.10
Name: DC01.corp.local
Address: 192.168.10.10
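The same SRV checks can be scripted so that a missing record, a wrong port, or a record pointing at an unexpected host is flagged rather than read by eye. This is an added example, not part of the original lab; the domain, DNS server IP and expected target are this lab's values, and port 3268 for the `_gc` record (listed in the summary) is the standard Global Catalog port.

```powershell
# Added example, not from the original lab. Assumed values: domain corp.local,
# DNS server 192.168.10.10, and DC01.corp.local as the only legitimate target.
$Domain         = 'corp.local'
$DnsServer      = '192.168.10.10'
$ExpectedTarget = 'DC01.corp.local'

# SRV record name -> port the service is expected to advertise
$Expected = [ordered]@{
    "_ldap._tcp.$Domain"     = 389
    "_kerberos._tcp.$Domain" = 88
    "_gc._tcp.$Domain"       = 3268
}

$results = foreach ($name in $Expected.Keys) {
    try {
        # Keep only SRV answers; the response may also carry A records for the target
        $answers = @(Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'SRV' })
    } catch {
        $answers = @()   # NXDOMAIN, timeout, or server unreachable
    }

    if ($answers.Count -eq 0) {
        [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Status = 'MISSING' }
        continue
    }

    foreach ($a in $answers) {
        $target = $a.NameTarget.TrimEnd('.')
        $status = 'OK'
        if ($a.Port -ne $Expected[$name]) { $status = 'WRONG PORT' }
        elseif ($target -ne $ExpectedTarget) { $status = 'UNEXPECTED TARGET' }
        [pscustomobject]@{ Record = $name; Target = $target; Port = $a.Port; Status = $status }
    }
}

$results | Format-Table -AutoSize

# Surface any drift so a scheduled run can be alerted on
$failed = @($results | Where-Object { $_.Status -ne 'OK' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) SRV check(s) failed against $DnsServer"
}
```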
Created a DHCP scope for the 192.168.10.0/24 subnet with a lease duration of 8 hours. Configured an exclusion range for static infrastructure devices (10–20) and created reservations for the domain controller, file server, and printer based on MAC address. Set scope options for DNS server, router, and domain name.
PS> Add-DhcpServerv4Scope -Name "Corp LAN" -StartRange 192.168.10.1 -EndRange 192.168.10.254 -SubnetMask 255.255.255.0 -LeaseDuration 0.08:00:00 -State Active
# Exclude static device range
PS> Add-DhcpServerv4ExclusionRange -ScopeId 192.168.10.0 -StartRange 192.168.10.1 -EndRange 192.168.10.20
# Set scope options (router, DNS, domain)
PS> Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -Router 192.168.10.1 -DnsServer 192.168.10.10 -DnsDomain "corp.local"
# Create reservation for printer
PS> Add-DhcpServerv4Reservation -ScopeId 192.168.10.0 -IPAddress 192.168.10.15 -ClientId "AA-BB-CC-DD-EE-FF" -Description "Office Printer"
PS> Get-DhcpServerv4Reservation -ScopeId 192.168.10.0
IPAddress     ClientId          Description
---------     --------          -----------
192.168.10.15 AA-BB-CC-DD-EE-FF Office Printer
Enabled DNS scavenging on the corp.local zone to automatically clean up stale DNS records left by decommissioned machines. Set the No-Refresh interval to 7 days and Refresh interval to 7 days, giving records a 14-day window before they become eligible for scavenging.
PS> Set-DnsServerZoneAging -Name "corp.local" -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
# Enable scavenging on the server level
PS> Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
PS> Get-DnsServerZoneAging -Name "corp.local"
ZoneName : corp.local
AgingEnabled : True
NoRefreshInterval : 7.00:00:00
RefreshInterval : 7.00:00:00
AvailForScavengeTime : 3/17/2026 3:00:00 AM
Simulated a DNS resolution failure on a domain-joined client by misconfiguring the DNS server IP in the NIC settings. Documented the systematic troubleshooting workflow: network connectivity check → DNS server reachability → cache flush → zone record verification → NIC configuration correction.
C:\> ipconfig /all
DNS Servers . . . : 192.168.10.99 <-- wrong DNS IP
REM Step 2: Verify connectivity to DC
C:\> ping 192.168.10.10
Reply from 192.168.10.10: bytes=32 time<1ms TTL=128
REM Step 3: Test DNS resolution manually
C:\> nslookup corp.local 192.168.10.10
Name: corp.local
Address: 192.168.10.10 <-- resolves when pointed at correct DC
REM Step 4: Flush and re-register
C:\> ipconfig /flushdns && ipconfig /registerdns
Successfully flushed the DNS Resolver Cache.
Registration of the DNS resource records for all adapters of this computer has been initiated.
REM Root cause: NIC manually set to wrong DNS IP — corrected to 192.168.10.10
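The workflow above can also be run as one PowerShell script that stops at the first step that fails, so a server-side fault is not mistaken for a client misconfiguration. This is an added example, not part of the original lab; the adapter name `Ethernet` is an assumption, and the script uses a TCP port 53 probe where the transcript uses ping.

```powershell
# Added example, not from the original lab. Assumed values: the client NIC is named
# "Ethernet" and the correct DNS server is the lab DC at 192.168.10.10. Run elevated.
$NicAlias    = 'Ethernet'
$ExpectedDns = '192.168.10.10'
$Domain      = 'corp.local'

# Step 1: read the DNS servers configured on the NIC (ipconfig /all equivalent)
$current = (Get-DnsClientServerAddress -InterfaceAlias $NicAlias -AddressFamily IPv4).ServerAddresses
"Configured DNS on ${NicAlias}: $($current -join ', ')"

# Step 2: confirm the DC is reachable and listening on the DNS port
$probe = Test-NetConnection -ComputerName $ExpectedDns -Port 53 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $ExpectedDns on TCP 53. Fix connectivity before touching DNS settings."
}

# Step 3: query the DC directly, bypassing the NIC's configured resolver
try {
    Resolve-DnsName -Name $Domain -Type A -Server $ExpectedDns -DnsOnly -ErrorAction Stop | Out-Null
} catch {
    throw "DC is reachable but does not resolve $Domain. The fault is server-side, not the client NIC."
}

# Step 4: the DC answers, so correct the NIC only if it points anywhere else
if (($current -join ',') -ne $ExpectedDns) {
    Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses $ExpectedDns
    "Replaced DNS servers [$($current -join ', ')] with $ExpectedDns"
}

# Step 5: flush the resolver cache and re-register (ipconfig /flushdns, /registerdns)
Clear-DnsClientCache
Register-DnsClient

# Step 6: verify through the NIC's own resolver that the DC locator record resolves
Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -DnsOnly |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port
```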
- Installed and authorized DNS and DHCP Server roles on Windows Server 2019 DC
- Verified all AD-critical SRV records (_ldap, _kerberos, _gc) are registered and resolving
- Created forward and reverse DNS zones; PTR records resolve correctly for all static hosts
- Configured DHCP scope with exclusions, reservations, and full scope options (DNS, router, domain)
- Enabled DNS aging and scavenging to auto-clean stale records on a 14-day window
- Practiced and documented a structured DNS troubleshooting workflow end-to-end