
Add DNS Forward Lookup Zone in Windows Server 2025

A forward lookup zone is the most common DNS zone type – it resolves hostnames to IP addresses. When a client queries server1.example.com, the DNS server checks its forward lookup zone and returns the corresponding IP address. Windows Server 2025 supports creating forward lookup zones through both DNS Manager (GUI) and PowerShell.

Original content from computingforgeeks.com - post 38730

This guide covers creating primary, secondary, and stub forward lookup zones on Windows Server 2025. We also walk through zone delegation, zone transfers, dynamic updates, and verification with nslookup. For the full DNS architecture reference, see the Microsoft DNS documentation.

Prerequisites

Before creating a forward lookup zone, confirm these are in place:

  • Windows Server 2025 with the DNS Server role installed. If you have not installed it yet, follow our guide on installing and configuring DNS Server on Windows Server
  • Administrator or Domain Admin privileges on the server
  • A static IP address configured on the DNS server
  • TCP/UDP port 53 open in Windows Firewall for DNS traffic
  • For secondary zones – network connectivity to the primary DNS server

Step 1: Create a Forward Lookup Zone Using DNS Manager

The DNS Manager GUI is the quickest way to create a forward lookup zone on a standalone or domain-joined server.

Open Server Manager, click Tools, and select DNS. This opens the DNS Manager console.

In the left pane, expand your server name, right-click Forward Lookup Zones, and select New Zone. The New Zone Wizard opens.

Follow these wizard steps:

  1. Click Next on the welcome screen
  2. Select Primary zone and click Next. If the server is a domain controller with Active Directory, you also get the option to store the zone in AD
  3. Enter the zone name – this is the DNS domain you want to host (for example, example.com) – and click Next
  4. Accept the default zone file name (or specify a custom one) and click Next
  5. Choose your dynamic update preference. For standalone servers, select Do not allow dynamic updates. For Active Directory-integrated zones, select Allow only secure dynamic updates
  6. Click Finish to create the zone

The new zone appears under Forward Lookup Zones in the DNS Manager tree. Right-click the zone and select Properties to confirm the zone type, file name, and dynamic update settings.

Step 2: Create a Forward Lookup Zone Using PowerShell

PowerShell gives you repeatable, scriptable zone creation – useful for provisioning multiple zones or automating DNS setup. The Add-DnsServerPrimaryZone cmdlet handles this.

Open an elevated PowerShell session and run the following command to create a file-backed primary zone:

Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns" -DynamicUpdate None

For an Active Directory-integrated zone, use the -ReplicationScope parameter instead of -ZoneFile:

Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope Domain -DynamicUpdate Secure

Verify the zone was created by listing all forward lookup zones:

Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone -eq $false } | Format-Table ZoneName, ZoneType, DynamicUpdate

The output shows every forward lookup zone on the server along with its type and dynamic update setting:

ZoneName          ZoneType      DynamicUpdate
--------          --------      -------------
example.com       Primary       None
TrustAnchors      Primary       None

To add a host record (A record) to the new zone:

Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "server1" -IPv4Address "10.0.1.10"
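Because the point of the PowerShell route is repeatability, the following added example (not code from the original article) wraps the same cmdlets in an idempotent provisioning script: it creates the zone only if it is missing and makes each name resolve to exactly the intended address. The zone name and record values are constructed sample data.

```powershell
# Added example (not from the original article): idempotently provision a
# file-backed primary zone and a set of A records from a hashtable.
# Zone name, file name and record values below are constructed sample data.
$ZoneName = "example.com"
$Records  = @{
    "server1" = "10.0.1.10"
    "server2" = "10.0.1.11"
    "www"     = "10.0.1.20"
}

# Create the zone only if it does not already exist (safe to re-run).
$zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -DynamicUpdate None
    Write-Host "Created zone $ZoneName"
} else {
    Write-Host "Zone $ZoneName already exists (type: $($zone.ZoneType))"
}

# Ensure each name has exactly one A record with the desired address:
# skip names that already match, replace stale records, add missing ones.
foreach ($name in $Records.Keys) {
    $wanted   = $Records[$name]
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing -and ($existing.RecordData.IPv4Address.IPAddressToString -contains $wanted) -and @($existing).Count -eq 1) {
        Write-Host "$name.$ZoneName already resolves to $wanted"
        continue
    }
    if ($existing) {
        # Remove stale or duplicate records so the zone holds one A record for this name.
        $existing | Remove-DnsServerResourceRecord -ZoneName $ZoneName -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $wanted
    Write-Host "$name.$ZoneName -> $wanted"
}
```

Run it from an elevated session on the DNS server; re-running it after the hashtable changes converges the zone to the new values without touching records that already match.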

Step 3: Create a Secondary Forward Lookup Zone

A secondary zone holds a read-only copy of a primary zone. It provides redundancy and load distribution for DNS queries. The secondary server pulls zone data from the primary through zone transfers. If you want a deeper walkthrough on secondary DNS, check our guide on configuring Windows Server as a secondary DNS server.

Using DNS Manager

Right-click Forward Lookup Zones and select New Zone. In the wizard, select Secondary zone instead of Primary. Enter the zone name (must match the primary zone exactly), then enter the IP address of the primary DNS server that holds the master copy of the zone. Click Add, then Finish.

Using PowerShell

Create a secondary zone pointing to the primary server at 10.0.1.5:

Add-DnsServerSecondaryZone -Name "example.com" -ZoneFile "example.com.dns" -MasterServers 10.0.1.5

The secondary server initiates a zone transfer from the primary immediately. Confirm the zone data replicated by checking the record count:

Get-DnsServerResourceRecord -ZoneName "example.com" | Measure-Object

Step 4: Create a Stub Zone

A stub zone contains only the SOA record, NS records, and glue A records for a zone. It helps a DNS server locate authoritative servers for a domain without hosting a full copy of the zone data. Stub zones are lighter than secondary zones and reduce zone transfer traffic.

Using DNS Manager

Right-click Forward Lookup Zones, select New Zone, and choose Stub zone in the zone type step. Enter the zone name and the IP address of the primary server. The wizard creates the stub zone with minimal records.

Using PowerShell

Create a stub zone for partner.com with the master server at 10.0.2.10:

Add-DnsServerStubZone -Name "partner.com" -MasterServers 10.0.2.10 -ZoneFile "partner.com.dns"

Verify the stub zone was created and check which records it holds:

Get-DnsServerResourceRecord -ZoneName "partner.com"

You should see only the SOA record, the NS records, and the glue A records for those name servers – stub zones do not replicate the zone's other host (A/AAAA) records.

Step 5: Configure Zone Delegation

Zone delegation lets you split a DNS namespace by assigning a subdomain to a different DNS server. For example, if example.com is hosted on your server but dev.example.com is managed by a different team, you delegate that subdomain to their DNS server.

Using DNS Manager

Right-click the parent zone (example.com) and select New Delegation. Enter the delegated domain name (for example, dev for dev.example.com). Add the name server that is authoritative for the delegated zone along with its IP address. Click Finish.

Using PowerShell

Create a delegation for dev.example.com pointing to ns1.dev.example.com at 10.0.3.5:

Add-DnsServerZoneDelegation -Name "example.com" -ChildZoneName "dev" -NameServer "ns1.dev.example.com" -IPAddress 10.0.3.5

Verify the delegation exists in the parent zone:

Get-DnsServerZoneDelegation -Name "example.com" -ChildZoneName "dev"

Step 6: Configure Zone Transfers

Zone transfers replicate DNS data from a primary server to secondary servers. By default, zone transfers are disabled for security. You need to explicitly allow them for your secondary servers.

Using DNS Manager

Right-click the zone, select Properties, and go to the Zone Transfers tab. Check Allow zone transfers and select one of these options:

  • To any server – least secure, only use in isolated lab environments
  • Only to servers listed on the Name Servers tab – transfers allowed only to servers with NS records in the zone
  • Only to the following servers – most restrictive, specify exact IP addresses

For production, use Only to the following servers and enter the IP addresses of your secondary DNS servers.

Using PowerShell

Allow zone transfers only to specific secondary servers at 10.0.1.20 and 10.0.1.21:

Set-DnsServerPrimaryZone -Name "example.com" -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.1.20,10.0.1.21

Verify the zone transfer settings:

Get-DnsServerZone -Name "example.com" | Select-Object ZoneName, SecureSecondaries, SecondaryServers

The output confirms the allowed secondary server IPs:

ZoneName      SecureSecondaries         SecondaryServers
--------      -----------------         ----------------
example.com   TransferToSecureServers   {10.0.1.20, 10.0.1.21}

To send notifications to secondary servers when zone data changes (so they pull updates immediately instead of waiting for the SOA refresh interval):

Set-DnsServerPrimaryZone -Name "example.com" -Notify NotifyServers -NotifyServers 10.0.1.20,10.0.1.21

Step 7: Configure Dynamic Updates

Dynamic updates allow DNS clients and DHCP servers to register and update resource records automatically. This keeps DNS records current without manual intervention – critical in environments where DHCP assigns addresses to domain-joined machines.

Three dynamic update modes are available:

  • None – dynamic updates disabled (most secure for internet-facing zones)
  • NonsecureAndSecure – any client can register records (use only in isolated networks)
  • Secure – only authenticated clients can register (requires Active Directory-integrated zone)

Using DNS Manager

Right-click the zone, select Properties, and on the General tab, change the Dynamic updates dropdown to your preferred option. For AD-integrated zones in a domain environment, Secure only is the recommended setting.

Using PowerShell

Enable secure dynamic updates on an AD-integrated zone:

Set-DnsServerPrimaryZone -Name "example.com" -DynamicUpdate Secure

For a standalone (file-backed) zone where you need dynamic updates from DHCP:

Set-DnsServerPrimaryZone -Name "example.com" -DynamicUpdate NonsecureAndSecure

Confirm the dynamic update setting:

Get-DnsServerZone -Name "example.com" | Select-Object ZoneName, DynamicUpdate
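The settings from Step 6 and Step 7 are easy to drift on a server with many zones, so the following added example (not code from the original article) audits every primary forward lookup zone against the recommendations in those two steps and reports any zone that allows transfers to any server, restricts transfers to an empty list, leaves secondaries un-notified, or accepts nonsecure dynamic updates. The server name is an assumed placeholder.

```powershell
# Added example (not from the original article): report primary forward lookup
# zones whose transfer or dynamic-update settings are weaker than recommended.
# $Server is a placeholder; run against the local DNS server by default.
$Server = "localhost"

$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq "Primary" -and -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated }

$findings = foreach ($zone in $zones) {
    $issues = @()

    # TransferAnyServer lets any host pull the whole zone (a full hostname inventory).
    if ($zone.SecureSecondaries -eq "TransferAnyServer") {
        $issues += "zone transfers allowed to any server"
    }
    # TransferToSecureServers with no addresses means no secondary can replicate at all.
    if ($zone.SecureSecondaries -eq "TransferToSecureServers" -and -not $zone.SecondaryServers) {
        $issues += "transfers restricted to an empty server list"
    }
    # Secondaries that are never notified wait for the SOA refresh interval to pick up changes.
    if ($zone.SecondaryServers -and $zone.Notify -eq "NoNotify") {
        $issues += "secondaries are not notified of changes"
    }
    # NonsecureAndSecure lets unauthenticated hosts create or overwrite records.
    if ($zone.DynamicUpdate -eq "NonsecureAndSecure") {
        $issues += "nonsecure dynamic updates enabled"
    }

    if ($issues) {
        [pscustomobject]@{
            ZoneName          = $zone.ZoneName
            SecureSecondaries = $zone.SecureSecondaries
            DynamicUpdate     = $zone.DynamicUpdate
            Issues            = $issues -join "; "
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "All primary forward lookup zones match the recommended transfer and update settings." }
```

Each flagged zone can be corrected with the Set-DnsServerPrimaryZone commands shown in Steps 6 and 7.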

Step 8: Verify DNS Resolution with nslookup

After creating the zone and adding records, verify that name resolution works correctly. The nslookup tool queries the DNS server directly.

Query a host record in your new zone:

nslookup server1.example.com

If the record exists and the zone is working, you get the resolved IP address:

Server:  dns1.example.com
Address:  10.0.1.5

Name:    server1.example.com
Address:  10.0.1.10

To query a specific DNS server (useful when testing secondary servers), specify the server address:

nslookup server1.example.com 10.0.1.20

For more detailed lookups, use PowerShell’s Resolve-DnsName cmdlet:

Resolve-DnsName -Name "server1.example.com" -Server 10.0.1.5 -Type A

The output includes the record type, TTL, and IP address:

Name                           Type   TTL   Section    IPAddress
----                           ----   ---   -------    ---------
server1.example.com            A      3600  Answer     10.0.1.10

To verify both forward (A) and reverse (PTR) resolution, run nslookup against the hostname and against its IP address. If the reverse lookup fails, you need to create a reverse lookup zone as well.
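Resolving a single record confirms the zone answers, but it does not show whether secondaries are current. The following added example (not code from the original article) queries the SOA record on the primary and on each secondary with Resolve-DnsName and compares serial numbers, which is the check for the stalled zone transfers mentioned in the conclusion. The zone name and server addresses are the article's sample values.

```powershell
# Added example (not from the original article): compare the SOA serial of a
# zone on the primary and on each secondary to detect stalled zone transfers.
# Zone name and addresses are the article's sample values.
$ZoneName    = "example.com"
$Primary     = "10.0.1.5"
$Secondaries = @("10.0.1.20", "10.0.1.21")

function Get-ZoneSerial {
    param([string]$Zone, [string]$Server)
    # Ask the named server directly and bypass the local resolver cache so the
    # serial reflects what that server currently holds.
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq "SOA" }
    return [uint32]$soa.SerialNumber
}

$expected = Get-ZoneSerial -Zone $ZoneName -Server $Primary

$report = foreach ($s in $Secondaries) {
    try {
        $serial = Get-ZoneSerial -Zone $ZoneName -Server $s
        $status = if ($serial -eq $expected) { "in sync" }
                  elseif ($serial -lt $expected) { "BEHIND - transfer not completed" }
                  else { "AHEAD - secondary is loading the zone from a different master" }
    } catch {
        # An unreachable server or a missing zone on the secondary is itself a finding.
        $serial = $null
        $status = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server        = $s
        Serial        = $serial
        PrimarySerial = $expected
        Status        = $status
    }
}

$report | Format-Table -AutoSize
```

For AD-integrated zones hosted on several domain controllers, each DC increments its own serial, so compare serials only between a true primary and its file-backed secondaries.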

Step 9: DNS Zone Types Comparison

Choosing the right zone type depends on your infrastructure needs. The key differences between each forward lookup zone type available in Windows Server 2025, listed as zone type, read/write behaviour, and use case:

  • Primary (read-write): Main authoritative zone where records are created and managed. Every domain needs at least one primary zone.
  • Secondary (read-only): Redundant copy of a primary zone for fault tolerance and load distribution. Receives data through zone transfers.
  • Stub (read-only, NS/SOA only): Lightweight pointer to authoritative servers. Reduces zone transfer traffic when you only need to know where to refer queries.
  • AD-Integrated (read-write, multi-master): Stored in Active Directory instead of a file. Supports multi-master updates and secure dynamic updates. Recommended for domain environments.
  • Conditional Forwarder (N/A, forwarding rule): Forwards queries for a specific domain to designated DNS servers. Not a zone in the traditional sense – no records are stored locally.

Conclusion

You now have a working forward lookup zone on Windows Server 2025 – whether created through DNS Manager or PowerShell. The zone is set up with your chosen type (primary, secondary, or stub), zone transfers are locked down to authorized servers, and dynamic updates are configured for your environment.

For production DNS, enable zone transfer encryption with DNS over HTTPS where supported, monitor zone serial numbers to catch replication failures, and always maintain at least two DNS servers per zone for high availability.
