Reliability Workbook for Windows Server DNS Server

Overview

Service health is the state in which a service and all the components it depends on are behaving as desired within acceptable limits. This task list provides a schedule of proactive health monitoring and maintenance tasks to review and adapt to your individual requirements. For further instructions about the configuration and use of this task list, see the Administrator's Guide for Reliability Workbooks at www.microsoft.com/mof.

Task List Columns

  • Health Attribute: A group of requirements for a healthy system.
  • Health Area: A category of health action.
  • Health Requirement: A requirement in a particular health control area that drives monitoring activity, which ensures continued component health.
  • Monitoring Task: An action that involves observing trends and paying attention to warning levels and error alerts. These alerts will trigger maintenance tasks.
  • Maintenance Task: Regularly scheduled or trend-driven work that ensures the continued health of the component.
  • Monitoring Parameter: The picture of health for a component. These conditions are determined by your organization's requirements and may vary according to factors such as the component's importance to the business, the size of the organization, or staffing constraints.
  • Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegate it and confirm that the work has been done.
  • Notes: Additional information relating to this item.

Monitoring Activities

Check the total amount of memory used by the User Datagram Protocol (UDP) message memory.

Health attribute

Security

Health area

DNS Server

Health requirement

The DNS server is able to process DNS queries in a timely manner.

Monitoring task

Check the total amount of memory used by the User Datagram Protocol (UDP) message memory.

Monitoring parameter

The amount of User Datagram Protocol (UDP) message memory does not dramatically increase, indicating an unexpected increase in UDP messages and a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: UDP Message Memory

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12973

Check the total amount of memory used by the DNS Server service.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to process DNS queries in a timely manner.

Monitoring task

Check the total amount of memory used by the DNS Server service.

Monitoring parameter

The amount of memory that the DNS Server service uses does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: Process

Counter: Private bytes

Instance: dns

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12974

Check the total number of successful zone transfers of a master DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS zones are transferred to other DNS servers.

Monitoring task

Check the total number of successful zone transfers of the master DNS server.

Monitoring parameter

The total number of successful zone transfers continues to increase at a consistent rate, which indicates that the regularly scheduled zone transfers are occurring successfully.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Zone Transfer Success

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12975

Check the number of Windows Internet Naming Service (WINS) lookups performed per second.

Health attribute

Performance

Health area

WINS Integration

Health requirement

The DNS server is able to perform name resolution using Windows Internet Naming Service (WINS).

Monitoring task

Check the total number of Windows Internet Naming Service (WINS) lookups performed per second.

Monitoring parameter

The number of Windows Internet Naming Service (WINS) lookups does not dramatically increase, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: WINS Lookup Received/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12976

Check the total number of successful full zone transfers of a master DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS zones are transferred to other DNS servers.

Monitoring task

Check the total number of successful full zone transfers of a master DNS server.

Monitoring parameter

The total number of full zone transfers successfully sent by the DNS Server service continues to increase at a consistent rate, which indicates that the regularly scheduled zone transfers are occurring successfully.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: AXFR Success Sent

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12977

Check the amount of virtual memory used by the DNS Server service.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to process DNS queries in a timely manner.

Monitoring task

Check the amount of virtual memory used by the DNS Server service.

Monitoring parameter

The amount of virtual memory that the DNS Server service uses does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: Process

Counter: Virtual Bytes

Instance: dns

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12978

Check the rate of dynamic updates being written to a DNS zone.

Health attribute

Performance

Health area

DNS Zone

Health requirement

The dynamic updates are performed on the DNS zones.

Monitoring task

Check the rate of dynamic updates being written to a DNS zone.

Monitoring parameter

The rate of dynamic updates to the DNS zone does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Dynamic Update Written to Database/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12979

Check the amount of memory used for DNS caching.

Health attribute

Performance

Health area

DNS Server

Health requirement

The amount of memory used for caching is sufficient to improve response times to DNS queries.

Monitoring task

Check the amount of memory used for DNS caching.

Monitoring parameter

The amount of memory used for DNS caching of requests does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: Process

Counter: Caching Memory

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12980

Check the average number of TCP queries that the DNS server receives each second.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the average number of TCP queries that the DNS server receives each second.

Monitoring parameter

The average number of TCP queries does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: TCP Queries Received/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12981

Check the average number of Windows Internet Naming Service (WINS) reverse lookup responses that the DNS server sends each second.

Health attribute

Performance

Health area

WINS Integration

Health requirement

The DNS server is able to perform name resolution using Windows Internet Naming Service (WINS).

Monitoring task

Check the average number of Windows Internet Naming Service (WINS) reverse lookup responses that the DNS server sends each second.

Monitoring parameter

The average number of Windows Internet Naming Service (WINS) reverse lookup responses sent by the server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: WINS Reverse Response Sent/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12982

Check the total number of failed zone transfers of the master DNS server.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The DNS zones are transferred to other DNS servers.

Monitoring task

Check the total number of failed zone transfers of the master DNS server.

Monitoring parameter

The total number of failed zone transfers of the master DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Zone Transfer Failure

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12983

Check the average number of recursive DNS query failures in each second.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the average number of recursive DNS query failures in each second.

Monitoring parameter

The average number of recursive DNS query failures does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Recursive Query Failure/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12984

Notes

Microsoft recommends monitoring for over 500 recursive query failures per second over a 75-minute period of time as a baseline.

Check the average number of responses that the DNS server sends each second.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the average number of responses that the DNS server sends each second.

Monitoring parameter

The average number of responses sent by the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Total Response Sent/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12985

Check the total number of successful incremental zone transfers that a secondary DNS server receives.

Health attribute

Performance

Health area

DNS Zone

Health requirement

The zones are properly replicated to other DNS servers.

Monitoring task

Check the total number of successful incremental zone transfers that a secondary DNS server receives.

Monitoring parameter

The total number of successful incremental zone transfers continues to increase at a consistent rate, which indicates the regularly scheduled zone transfers are occurring successfully.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: IXFR Success Received

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12986

Check the average number of dynamic update requests that the DNS server receives each second.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to successfully perform dynamic updates on DNS zones.

Monitoring task

Check the average number of dynamic update requests that the DNS server receives each second.

Monitoring parameter

The average number of dynamic update requests received by the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Dynamic Update Received/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12987

Check the total number of full zone transfers that the DNS Server service receives when operating as a secondary server for a zone.

Health attribute

Performance

Health area

DNS Zone

Health requirement

The zones are properly replicated to other DNS servers.

Monitoring task

Check the total number of full zone transfers that the DNS Server service receives when operating as a secondary server for a zone.

Monitoring parameter

The total number of full zone transfers received by the DNS Server service continues to increase at a consistent rate, which indicates the regularly scheduled zone transfers are occurring successfully.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: AXFR Success Received

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12988

Check the working set of the DNS Server service process.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the working set of the DNS Server service process.

Monitoring parameter

The working set of the DNS Server service does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: Process

Counter: Working set

Instance: dns

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12989

Check the average number of recursive DNS query sending time-outs in each second.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the average number of recursive DNS query sending time-outs in each second.

Monitoring parameter

The average number of recursive DNS query sending time-outs does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Recursive Timeout/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12990

Notes

Microsoft recommends monitoring for over 500 recursive query time-outs per second over a 75-minute period of time as a baseline.

Check the average number of recursive queries that a DNS server receives each second.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the average number of recursive queries that a DNS server receives each second.

Monitoring parameter

The average number of recursive queries received by the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Recursive Queries/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12991

Notes

Microsoft recommends monitoring for over 8,000 recursive queries per second over a 75-minute period of time as a baseline.
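The three baseline Notes for the recursive query counters (failures, time-outs, and queries per second) can be evaluated with one windowed check. The following PowerShell is an added example, not part of the workbook or the Management Pack. It assumes one sample per minute, reads "over a 75-minute period" as the average across the window, and reports a short burst separately from a sustained condition; the function names and the sample values are constructed for illustration.

```powershell
# Counter paths combine the Object and Counter names listed in the workbook;
# the thresholds are the values given in its Notes.
$DnsBaselines = [ordered]@{
    '\DNS\Recursive Query Failure/sec' = 500
    '\DNS\Recursive Timeout/sec'       = 500
    '\DNS\Recursive Queries/sec'       = 8000
}

function Test-SustainedRate {
    # Classifies the most recent window of per-minute samples against a threshold.
    param(
        [Parameter(Mandatory)][double[]]$Samples,
        [Parameter(Mandatory)][double]$Threshold,
        [int]$WindowSamples = 75          # 75 one-minute samples (assumed sampling rate)
    )
    if ($Samples.Count -lt $WindowSamples) {
        # Refuse to judge a partial window; a restart or a collection gap lands here.
        return [pscustomobject]@{
            Verdict = 'InsufficientData'; Average = $null; Peak = $null; SamplesOver = $null
        }
    }
    $window = @($Samples | Select-Object -Last $WindowSamples)
    $stats  = $window | Measure-Object -Average -Maximum
    $over   = @($window | Where-Object { $_ -gt $Threshold }).Count

    # Sustained: the window average is over the baseline.
    # Spike: individual samples exceeded it but the window average did not.
    $verdict = if ($stats.Average -gt $Threshold) { 'Sustained' } elseif ($over -gt 0) { 'Spike' } else { 'Normal' }

    [pscustomobject]@{
        Verdict     = $verdict
        Average     = [math]::Round($stats.Average, 1)
        Peak        = $stats.Maximum
        SamplesOver = $over
    }
}

function Get-DnsRateSamples {
    # Live collection on a DNS server. Blocks for $Minutes minutes while sampling.
    param(
        [Parameter(Mandatory)][string]$CounterPath,
        [int]$Minutes = 75
    )
    Get-Counter -Counter $CounterPath -SampleInterval 60 -MaxSamples $Minutes |
        ForEach-Object { $_.CounterSamples[0].CookedValue }
}

# Constructed samples (not real measurements):
# 72 quiet minutes followed by a 3-minute burst, then a full window above the baseline.
$burst     = @(120) * 72 + @(900, 950, 910)
$sustained = @(650) * 75

Test-SustainedRate -Samples $burst     -Threshold 500
Test-SustainedRate -Samples $sustained -Threshold 500
Test-SustainedRate -Samples @(650) * 10 -Threshold 500

# On a DNS server, evaluate each baseline from the Notes against live counters:
# foreach ($path in $DnsBaselines.Keys) {
#     $samples = Get-DnsRateSamples -CounterPath $path
#     Test-SustainedRate -Samples $samples -Threshold $DnsBaselines[$path] |
#         Select-Object @{ n = 'Counter'; e = { $path } }, *
# }
```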

Check the total number of secure updates that have failed on the DNS server.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the total number of secure updates that have failed on the DNS server.

Monitoring parameter

The total number of secure updates that have failed on the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: AXFR Success Received

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12992

Check the total amount of system memory that the DNS Server service uses for database nodes.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the total amount of system memory that the DNS Server service uses for database nodes.

Monitoring parameter

The total amount of system memory in use by the DNS Server service for database nodes does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Secure Update Failure

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12993

Check the total number of successful incremental zone transfers of the master DNS server.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The zones are properly replicated to other DNS servers.

Monitoring task

Check the total number of successful incremental zone transfers of the master DNS server.

Monitoring parameter

The total number of successful incremental zone transfers of the master DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: IXFR Success Sent

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12994

Check the total number of full zone transfer requests that the DNS Server service receives when operating as a master server for a zone.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The zones are properly replicated to other DNS servers.

Monitoring task

Check the total number of full zone transfer requests that the DNS Server service receives when operating as a master server for a zone.

Monitoring parameter

The total number of full zone transfer requests received by the DNS Server service when operating as a master server for a zone does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: AXFR Request Received

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12995

Check the total number of incremental zone transfer requests that the master DNS server receives.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The zones are properly replicated to other DNS servers.

Monitoring task

Check the total number of incremental zone transfer requests that the master DNS server receives.

Monitoring parameter

The total number of incremental zone transfer requests received by the master DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: IXFR Request Received

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12996

Check the average number of queries that the DNS server receives each second.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the average number of queries that the DNS server receives each second.

Monitoring parameter

The average number of queries received by the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Total Query Received/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12997

Check the average number of Windows Internet Naming Service (WINS) reverse lookup requests that the DNS server receives each second.

Health attribute

Performance

Health area

WINS Integration

Health requirement

The DNS server is able to perform name resolution using Windows Internet Naming Service (WINS).

Monitoring task

Check the average number of Windows Internet Naming Service (WINS) reverse lookup requests that the DNS server receives each second.

Monitoring parameter

The average number of Windows Internet Naming Service (WINS) reverse lookup requests received by the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: WINS Reverse Lookup Received/sec

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12998

Check the total number of dynamic updates the DNS server has queued.

Health attribute

Performance

Health area

DNS Zone

Health requirement

The resource records in the DNS zones can be dynamically updated.

Monitoring task

Check the total number of dynamic updates that the DNS server has queued.

Monitoring parameter

The total number of dynamic updates queued by the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: Dynamic Update Queued

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=12999

Check the total TCP message memory used by the DNS server.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check the total TCP message memory that the DNS server uses.

Monitoring parameter

The total TCP message memory used by the DNS server does not increase dramatically, which might indicate a potential denial of service (DoS) attack.

Frequency

Hourly

Owner

Operator

Manual

Check the following performance counter using Reliability and Performance Monitor:

Object: DNS

Counter: TCP Message Memory

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13000

Check for valid DNS configuration updates.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check for DNS configuration updates.

Monitoring parameter

The DNS configuration after updates is valid.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 409, 412, or 413 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13001

Check for problems with DNS resource records.

Health attribute

Availability

Health area

Resource Records

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check for problems with DNS resource records.

Monitoring parameter

The DNS resource records are valid.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1600, 1601, 1610, 1611, 1612, 1613, 1614, 1616, 1617, 1618, 1619, 1620, or 1621 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13002

Check for an excessive number of DNS events occurring.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check for an excessive number of DNS events occurring.

Monitoring parameter

The DNS server generates an excessive number of events, which may indicate a potential denial of service (DoS) attack or that the DNS Server service is configured for overly verbose logging.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 3000 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13003

Notes

This warning indicates that the DNS service has temporarily suspended logging more events to the DNS server event log because too many messages were logged in a short time period.

Whether this is a problem depends on the events that were logged prior to event ID 3000 being logged. For example, if all the previous events were information events, then this event can be ignored. Otherwise, investigate the previous messages.

Also, consider reducing the number of events that the DNS service is logging.
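The triage rule in these Notes (ignore event ID 3000 when everything logged before it was informational, otherwise investigate) can be applied mechanically. The following PowerShell is an added example, not part of the workbook. The 10-minute lookback window, the function names and the sample events are assumptions made for illustration; the log name is the classic DNS Server event log.

```powershell
function Get-Event3000Triage {
    # For each event ID 3000, summarizes what the DNS Server service logged just before it.
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with Id, Level, TimeCreated
        [int]$LookbackMinutes = 10                 # assumed window; the Notes give no figure
    )
    $sorted = @($Events | Sort-Object TimeCreated)
    foreach ($marker in ($sorted | Where-Object { $_.Id -eq 3000 })) {
        $from  = $marker.TimeCreated.AddMinutes(-$LookbackMinutes)
        $prior = @($sorted | Where-Object {
            $_.Id -ne 3000 -and $_.TimeCreated -ge $from -and $_.TimeCreated -le $marker.TimeCreated
        })
        # Event levels: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
        $serious = @($prior | Where-Object { $_.Level -in 1, 2, 3 })

        $verdict = if ($prior.Count -eq 0) { 'NoContext' } elseif ($serious.Count -eq 0) { 'Ignore' } else { 'Investigate' }

        [pscustomobject]@{
            SuppressedAt = $marker.TimeCreated
            PriorEvents  = $prior.Count
            NonInfo      = $serious.Count
            Verdict      = $verdict
            # Most frequent non-informational event IDs, to show where to start looking.
            TopEventIds  = ($serious | Group-Object Id | Sort-Object Count -Descending |
                            Select-Object -First 5 |
                            ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }) -join ', '
        }
    }
}

function Get-DnsServerEvents {
    # Live collection on a DNS server, using the event source named in the workbook.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'DNS Server'
        ProviderName = 'Microsoft-Windows-DNS-Server-Service'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue   # no matching events is not an error here
}

# Constructed events (not taken from a real log). Levels are assigned for the demonstration;
# 9001 is a placeholder, not a real DNS Server event ID.
$t0 = [datetime]'2024-01-01T10:00:00'
$constructed = @(
    # Burst of warnings followed by a suppression marker.
    1..20 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_); Id = 5504; Level = 3 } }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(30); Id = 3000; Level = 3 }

    # One hour later: only informational events before the marker.
    1..20 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddHours(1).AddSeconds($_); Id = 9001; Level = 4 } }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(1).AddSeconds(30); Id = 3000; Level = 3 }
)

Get-Event3000Triage -Events $constructed | Format-Table -AutoSize

# On a DNS server:
# Get-Event3000Triage -Events (Get-DnsServerEvents -Hours 1)
```

A `NoContext` verdict means the events before the marker fall outside the collected range; widen `-Hours` or the lookback before drawing a conclusion.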

Check for deletion of a DNS zone.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The DNS server is able to respond to DNS queries for a specific zone.

Monitoring task

Check for deletion of a DNS zone.

Monitoring parameter

The DNS zone is deleted, which may or may not be an expected event.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4005 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13004

Check for a network adapter's failure to open for Windows Internet Naming Service (WINS) lookup.

Health attribute

Availability

Health area

WINS Integration

Health requirement

The DNS server is able to perform name resolution using Windows Internet Naming Service (WINS).

Monitoring task

Check for a network adapter's failure to open for Windows Internet Naming Service (WINS) lookup.

Monitoring parameter

The DNS server is unable to bind the network adapter for Windows Internet Naming Service (WINS)/NetBIOS over TCP/IP (NetBT) usage.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 132 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13005

Check for proper operation with Active Directory Domain Services (AD DS).

Health attribute

Availability

Health area

AD DS Integration

Health requirement

The DNS server is able to communicate with Active Directory Domain Services (AD DS) and to store AD DS–integrated zones in AD DS.

Monitoring task

Check for proper operation with Active Directory Domain Services (AD DS).

Monitoring parameter

No Active Directory Domain Services (AD DS) integration events appear in the event log on the DNS server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4001, 4002, 4003, 4004, 4006, 4010, 4011, 4012, 4013, 4014, 4015, or 4016 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13006

Check for proper operation with Windows Internet Naming Service (WINS).

Health attribute

Availability

Health area

WINS Integration

Health requirement

The DNS server is able to perform name resolution using Windows Internet Naming Service (WINS).

Monitoring task

Check for proper operation with Windows Internet Naming Service (WINS).

Monitoring parameter

The DNS server is able to resolve names using integration with Windows Internet Naming Service (WINS).

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 130, 131, 1650, 1651, 1654, or 1656 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13007

Check for potential problems in zone transfers.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The zones are properly replicated to other DNS servers.

Monitoring task

Check for potential problems in zone transfers.

Monitoring parameter

All zones are replicated correctly.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1520, 1521, 1522, 1523, 6001, 6002, 6003, 6004, 6520, 6421, 6522, 6523, 6524, 6530, 6531, or 6532 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13008

Check for potential problems in DNS caching.

Health attribute

Performance

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check for potential problems in DNS caching.

Monitoring parameter

No DNS caching events appear in the event log on the DNS server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 5105, 5106, 5107, or 5108 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13009

Check for malformed or invalid DNS query packets.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is able to respond to DNS queries.

Monitoring task

Check for malformed or invalid DNS query packets.

Monitoring parameter

No malformed or invalid events appear in the event log on the DNS server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 5500, 5501, 5502, 5503, 5504, 5505, 5506, 5507, 5508, 5509, or 5510 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13010

Check for potential problems in writing resource records to DNS zones.

Health attribute

Availability

Health area

DNS Zone

Health requirement

DNS zones are properly updated.

Monitoring task

Check for potential problems in writing resource records to DNS zones.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with writing resource records to DNS zones.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 3151, 3152, 3153, 3160, 3162, or 3163 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13011

Verify whether the DNS Server service is starting.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service is running, and the server is able to respond to DNS queries.

Monitoring task

Verify that the DNS Server service is starting.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with starting the DNS Server service.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13012

Verify that the DNS Server service has shut down.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service is running, and the server is able to respond to DNS queries.

Monitoring task

Verify that the DNS Server service has shut down.

Monitoring parameter

No events appear in the event log on the DNS server that relate to the DNS Server service being shut down.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 3 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13013

Verify whether the DNS Server service has started.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service is running, and the server is able to respond to DNS queries.

Monitoring task

Verify whether the DNS Server service has started.

Monitoring parameter

No events appear in the event log on the DNS server that relate to the DNS Server service not being started.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 2 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13014

Check DNS queries for host names on the block list.

Health attribute

Security

Health area

DNS Server

Health requirement

Resource records for host names on the block list will fail.

Monitoring task

Check DNS queries for host names on the block list.

Monitoring parameter

No events appear in the event log on the DNS server that relate to host names on the block list.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 7600 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13015

Check for problems relating to free disk space for the DNS zones.

Health attribute

Availability

Health area

DNS Zone

Health requirement

Disk volumes where the DNS zones are stored have adequate free disk space.

Monitoring task

Check for problems relating to free disk space for the DNS zones.

Monitoring parameter

No events appear in the event log on the DNS server that relate to lack of free disk space on the disk volumes where the DNS zones are stored.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 3151 or 3153 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13016

Check for insufficient system resources on the DNS server.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server has sufficient system resources.

Monitoring task

Check for insufficient system resources on the DNS server.

Monitoring parameter

No events appear in the event log on the DNS server that relate to insufficient system resources.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 111, 403, 404, 405, 407, 1001, 6433, 7502, 7503, or 7504 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13017

Check for the inability to write to a DNS zone file.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The DNS server is able to write to a zone file.

Monitoring task

Check for the inability to write to a DNS zone file.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with writing to DNS zone files.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 3152 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13018

Check for the inability to start the remote procedure call (RPC) service.

Health attribute

Availability

Health area

DNS Server

Health requirement

The remote procedure call (RPC) service starts successfully.

Monitoring task

Check for the inability to start the remote procedure call (RPC) service.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with starting the remote procedure call (RPC) service.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 140 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13019

Check for the inability to contact Active Directory Domain Services (AD DS) to load one or more AD DS–integrated zones.

Health attribute

Availability

Health area

AD DS Integration

Health requirement

Active Directory Domain Services (AD DS) is running and available for use by DNS.

Monitoring task

Check for the inability to contact Active Directory Domain Services (AD DS) to load one or more AD DS–integrated zones.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems contacting Active Directory Domain Services (AD DS).

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 10 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13020

Check for the inability to create a path name for a DNS zone file because the path is too long.

Health attribute

Availability

Health area

DNS Server

Health requirement

DNS is able to successfully create DNS zone files.

Monitoring task

Check for the inability to create a path name for a DNS zone file because the path is too long.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with creating DNS zone files as a result of the length of the path.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1008 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13021

Check for the inability to contact a required DNS server.

Health attribute

Availability

Health area

DNS Server

Health requirement

DNS is able to contact any required DNS servers.

Monitoring task

Check for the inability to contact a required DNS server.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with connecting to required DNS servers.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 7600 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13022

Check the health state of the DNS Server service.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service is running.

Monitoring task

Check the health state of the DNS Server service.

Monitoring parameter

The DNS Server service is running.

Frequency

Hourly

Owner

Operator

Manual

Check the health state using DNS Manager, the Services console, or the net start command.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13023

Check the health state of the remote procedure call (RPC) service.

Health attribute

Availability

Health area

DNS Server

Health requirement

The remote procedure call (RPC) service is running.

Monitoring task

Check the health state of the remote procedure call (RPC) service.

Monitoring parameter

The remote procedure call (RPC) service is running.

Frequency

Hourly

Owner

Operator

Manual

Check the health state using the Services console or the net start command.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13024

Check for a secondary zone that has no master IP address.

Health attribute

Availability

Health area

DNS Zone

Health requirement

DNS is able to successfully replicate DNS zones.

Monitoring task

Check for a secondary zone that has no master IP address.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with secondary zones that have no master IP address.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 503 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13025

Determine whether Active Directory Domain Services (AD DS) responds to requests from the DNS Server service.

Health attribute

Availability

Health area

AD DS Integration

Health requirement

Active Directory Domain Services (AD DS) responds to requests from the DNS Server service.

Monitoring task

Determine whether Active Directory Domain Services (AD DS) responds to requests from the DNS Server service.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with Active Directory Domain Services (AD DS) responding to the DNS Server service.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4010, 4011, or 4012 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13026

Determine whether the DNS Server service is able to load zone data from Active Directory Domain Services (AD DS).

Health attribute

Availability

Health area

AD DS Integration

Health requirement

The DNS Server service is able to load zone data from Active Directory Domain Services (AD DS).

Monitoring task

Determine whether the DNS Server service is able to load zone data from Active Directory Domain Services (AD DS).

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the DNS Server service loading zone data from Active Directory Domain Services (AD DS).

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4001 or 4019 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13027

Determine whether the DNS Server service is able to delete a zone from Active Directory Domain Services (AD DS).

Health attribute

Availability

Health area

AD DS Integration

Health requirement

The DNS Server service is able to delete a zone from Active Directory Domain Services (AD DS).

Monitoring task

Determine whether the DNS Server service is able to delete a zone from Active Directory Domain Services (AD DS).

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the DNS Server service deleting a zone from Active Directory Domain Services (AD DS).

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4003 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13028

Determine whether the DNS Server service is able to add a zone to Active Directory Domain Services (AD DS).

Health attribute

Availability

Health area

AD DS Integration

Health requirement

The DNS Server service is able to add a zone to Active Directory Domain Services (AD DS).

Monitoring task

Determine whether the DNS Server service is able to add a zone to Active Directory Domain Services (AD DS).

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the DNS Server service adding a zone to Active Directory Domain Services (AD DS).

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4002 or 4016 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13029

Determine whether the DNS Server service is in an inconsistent state.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service is running.

Monitoring task

Determine whether the DNS Server service is in an inconsistent state.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the DNS Server service being in an inconsistent state.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 140 or 1540 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13030

Determine whether the DNS Server service is able to read the DNS boot file.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service is able to read the DNS boot file.

Monitoring task

Determine whether the DNS Server service is able to read the DNS boot file.

Monitoring parameter

No events appear in the event log on the DNS server that relate to the DNS Server service's inability to read the DNS boot file.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1200 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13031

Determine whether the DNS Server service is able to read a required registry key.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service is able to read a required registry key.

Monitoring task

Determine whether the DNS Server service is able to read a required registry key.

Monitoring parameter

No events appear in the event log on the DNS server that relate to the DNS Server service's inability to read a required registry key.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 2200 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13032

Check for a DNS server being configured with a fully qualified domain name (FQDN).

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is configured with a fully qualified domain name (FQDN).

Monitoring task

Check for a DNS server configured with a fully qualified domain name (FQDN).

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the DNS Server service not being configured with a fully qualified domain name (FQDN).

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 414 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13033

Determine whether the DNS Server service has adequate memory or other system resources.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service has adequate memory and other system resources.

Monitoring task

Determine whether the DNS Server service has inadequate memory or other system resources.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the DNS Server service having inadequate memory or other system resources.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4018 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13034

Check for a DNS server event logging level being configured at too low a value.

Health attribute

Configuration

Health area

DNS Server

Health requirement

DNS server event logging is configured at the appropriate level.

Monitoring task

Check for a DNS server event logging level being configured at too low a value.

Monitoring parameter

DNS server event logging is configured at the appropriate level.

Frequency

Hourly

Owner

Operator

Manual

Check for the level of event logging using DNS Manager or Windows PowerShell scripts.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13035

Notes

Microsoft recommends that the logging level be set to 4 or 7 for monitoring of DNS.

Check for corruption of DNS zone information in the registry.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The DNS zone information stored in the registry is valid.

Monitoring task

Check for corruption of DNS zone information in the registry.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the corruption of DNS zone information in the registry.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 500, 502, 504, or 505 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13036

Check for multiple copies of an Active Directory Domain Services (AD DS)–integrated zone in different directory partitions.

Health attribute

Availability

Health area

AD DS Integration

Health requirement

Only one copy of an Active Directory Domain Services (AD DS)–integrated zone appears in AD DS.

Monitoring task

Check for multiple copies of an Active Directory Domain Services (AD DS)–integrated zone in different directory partitions.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with multiple copies of an Active Directory Domain Services (AD DS)–integrated zone in different directory partitions.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4511 or 4515 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13037

Check for an improperly configured default application directory partition for DNS to store Active Directory Domain Services (AD DS)–integrated zones.

Health attribute

Availability

Health area

AD DS Integration

Health requirement

The default application directory partition is configured correctly.

Monitoring task

Check for an improperly configured default application directory partition for DNS to store Active Directory Domain Services (AD DS)–integrated zones.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with an improperly configured default application directory partition for DNS to store Active Directory Domain Services (AD DS)–integrated zones.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4512, 4513, or 4514 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13039

Check for DNS zone start of authority configuration issues.

Health attribute

Availability

Health area

DNS Zone

Health requirement

The DNS zone start of authority configuration is valid.

Monitoring task

Check for DNS zone start of authority configuration issues.

Monitoring parameter

No events appear in the event log on the DNS server that relate to DNS zone start of authority configuration issues.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 800 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13040

Check for corruption of DNS Server service information in the registry.

Health attribute

Availability

Health area

DNS Server

Health requirement

DNS Server service information in the registry is valid.

Monitoring task

Check for corruption of DNS Server service information in the registry.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the corruption of DNS Server service information in the registry.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 2202 or 2203 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13041

Check for corruption of DNS Server service parameters in the registry.

Health attribute

Availability

Health area

DNS Server

Health requirement

DNS Server service parameters in the registry are valid.

Monitoring task

Check for corruption of DNS Server service parameters in the registry.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the corruption of DNS Server service parameters in the registry.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 2204 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13042

Check for failure to update peer DNS servers with a DNS server's new IP address.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server is able to update peers with a new IP address.

Monitoring task

Check for failure to update peer DNS servers with a DNS server's new IP address.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with updating peer DNS servers with a DNS server's new IP address.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 6702 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13043

Check for corruption of DNS server registry data.

Health attribute

Availability

Health area

DNS Server

Health requirement

DNS server data in the registry is valid.

Monitoring task

Check for corruption of DNS server registry data.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with the corruption of DNS server registry data.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 506 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13044

Check for problems with plug-in dynamic link libraries (DLLs).

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS Server service and all plug-in dynamic link libraries (DLLs) start correctly.

Monitoring task

Check for problems with plug-in dynamic link libraries (DLLs).

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with plug-in dynamic link libraries (DLLs).

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 150 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13045

Check for renaming of the DnsAdmins group.

Health attribute

Security

Health area

DNS Server

Health requirement

The DnsAdmins group is named correctly.

Monitoring task

Check for renaming of the DnsAdmins group.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with renaming of the DnsAdmins group.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4017 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13046

Check for forwarding of DNS queries to a DNS server that does not support recursive queries.

Health attribute

Availability

Health area

DNS Server

Health requirement

DNS servers in the forwarders list support recursive queries.

Monitoring task

Check for forwarding of DNS queries to a DNS server that does not support recursive queries.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with forwarding of DNS queries to a DNS server that does not support recursive queries.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 7063 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13047

Check for missing required files for the DNS Server service.

Health attribute

Availability

Health area

DNS Server

Health requirement

All required files exist for the DNS Server service.

Monitoring task

Check for missing required files for the DNS Server service.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with missing required files for the DNS Server service.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1000 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13048

Check for invalid data in a DNS configuration file.

Health attribute

Availability

Health area

DNS Server

Health requirement

All DNS configuration files contain valid data.

Monitoring task

Check for invalid data in a DNS configuration file.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with invalid data in a DNS configuration file.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1202, 1502, 1503, 1504, 1506, 1507, 1508, 1520, 1521, 1522, 1523, 1541, 1542, 1543, 1544, 1545, 1546, 1547, 1600, 1601, 1602, 1610, 1611, 1612, 1613, 1614, 1616, 1617, 1618, 1619, 1620, 1621, 1650, 1651, 1654, 1656, 3160, 3162, 3163, 5105, 5106, 5107, 5108, 6530, 6531, or 6532 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13049

Check for an invalid network adapter address.

Health attribute

Availability

Health area

DNS Server

Health requirement

All network adapters that are bound to DNS have valid addresses.

Monitoring task

Check for an invalid network adapter address.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with an invalid network adapter address.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 408 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13050

Check for an invalid configuration-identifying master server.

Health attribute

Availability

Health area

DNS Server

Health requirement

A valid configuration-identifying master server exists.

Monitoring task

Check for an invalid configuration-identifying master server.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with an invalid configuration-identifying master server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 6527 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13051

Check for problems connecting to a domain naming master.

Health attribute

Availability

Health area

AD DS Integration

Health requirement

The DNS server is able to connect to the domain naming master in Active Directory Domain Services (AD DS).

Monitoring task

Check for problems connecting to a domain naming master.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with connecting to a domain naming master.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4510 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13052

Check for a DNS server not configured to use itself as a preferred DNS server.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is configured to use itself as a preferred DNS server.

Monitoring task

Check for a DNS server not configured to use itself as a preferred DNS server.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with a DNS server not being configured to use itself as a preferred DNS server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 2630 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13053

Check for improper configuration of root hints on the DNS server.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server is properly configured for root hints.

Monitoring task

Check for improper configuration of root hints on the DNS server.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with improper configuration of root hints on the DNS server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 707 or 1003 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13054

Check for configuration of an incorrect forwarder on the DNS server.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS server has properly configured forwarders.

Monitoring task

Check for configuration of an incorrect forwarder on the DNS server.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with configuration of an incorrect forwarder on the DNS server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 507 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13055

Check for an invalid or missing DNS zone file.

Health attribute

Availability

Health area

DNS Server

Health requirement

All DNS zone files are present and valid.

Monitoring task

Check for an invalid or missing DNS zone file.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with an invalid or missing DNS zone file.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 1004 or 1201 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13056

Check for invalid configuration of the master server.

Health attribute

Availability

Health area

DNS Server

Health requirement

The DNS master server configuration is valid.

Monitoring task

Check for invalid configuration of the master server.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with invalid configuration of the master server.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 6523 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13057

Check for invalid characters in resource records in a DNS zone.

Health attribute

Availability

Health area

DNS Zone

Health requirement

All resource records in all DNS zones contain valid characters.

Monitoring task

Check for invalid characters in resource records in a DNS zone.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with invalid characters in resource records in a DNS zone.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4006 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13058

Check for latency in performing DNS query resolution.

Health attribute

Performance

Health area

DNS Server

Health requirement

DNS queries are resolved within established baselines.

Monitoring task

Check for latency in performing DNS query resolution.

Monitoring parameter

DNS queries are resolved within established baselines.

Frequency

Hourly

Owner

Operator

Manual

Check by using nslookup.exe.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13059

Notes

Establish baseline measurements, and then compare the current DNS query resolution time against those baseline measurements.

Check for slow performance in loading Active Directory Domain Services (AD DS)–integrated zones from AD DS.

Health attribute

Performance

Health area

DNS Server

Health requirement

Active Directory Domain Services (AD DS)–integrated zones load with no delays.

Monitoring task

Check for slow performance in loading Active Directory Domain Services (AD DS)–integrated zones from AD DS.

Monitoring parameter

No events appear in the event log on the DNS server that relate to problems with slow performance in loading Active Directory Domain Services (AD DS)–integrated zones from AD DS.

Frequency

Hourly

Owner

Operator

Manual

Check for event ID 4520 or 4521 for the source Microsoft-Windows-DNS-Server-Service using Event Viewer.

Automation

Check using Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. https://www.microsoft.com/en-us/download/details.aspx?id=13060

Notes

Establish baseline measurements, and then compare the current DNS query resolution time against those baseline measurements.

Maintenance Activities

Prepare target computer hardware for DNS server role installation.

Health attribute

Configuration

Health area

DNS Server

Health requirement

Target computer hardware is configured to support installation of the DNS server role.

Maintenance task

Prepare target computer hardware for DNS server role installation.

Frequency

As required

Owner

Operator

Manual

Configure target computer hardware using vendor-provided hardware configuration utilities and other software.

Automation

Notes

Create a new account, or identify an existing account used to install the DNS server role.

Health attribute

Security

Health area

DNS Server

Health requirement

The account used to install the DNS server role is a member of the local Administrators group on the target computer.

Maintenance task

Create a new account, or identify an existing account used to install the DNS server role.

Frequency

As required

Owner

Operator

Manual

Create an account using Active Directory Users and Computers, and make this account a member of the local Administrators group using Server Manager.

Automation

Create an account, and assign local Administrators group membership using Windows PowerShell scripts.

Install the DNS server role on a computer running Windows Server 2008 or Windows Server 2008 R2.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server role is installed in preparation for creating a new DNS server.

Maintenance task

Install the DNS server role on a computer running Windows Server 2008 or Windows Server 2008 R2.

Frequency

As required

Owner

Operator

Manual

Install the DNS server role using Server Manager or servermanager.exe.

Automation

Install the DNS server role using unattended answer files.

Notes

See Install a DNS Server.

Remove the DNS server role from a computer running Windows Server 2008 or Windows Server 2008 R2.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server role is removed from an existing DNS server.

Maintenance task

Remove the DNS server role from a computer running Windows Server 2008 or Windows Server 2008 R2.

Frequency

As required

Owner

Operator

Manual

Remove the DNS server role using Server Manager or servermanager.exe.

Automation

Remove the DNS server role using unattended answer files.

Configure the DNS server for use with Active Directory Domain Services (AD DS).

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server can be used with Active Directory Domain Services (AD DS) to support AD DS–integrated DNS zones.

Maintenance task

Configure the DNS server for use with Active Directory Domain Services (AD DS).

Frequency

As required

Owner

Operator

Manual

Configure the DNS server for use with AD DS using Server Manager or servermanager.exe.

Automation

Configure the DNS server for use with Active Directory Domain Services (AD DS) using unattended answer files.

Notes

See Configure a DNS Server for Use with Active Directory Domain Services.

Configure a newly installed DNS server.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The newly installed DNS server is prepared to use root hints and is configured with a forward and reverse lookup zone.

Maintenance task

Configure a newly installed DNS server.

Frequency

As required

Owner

Operator

Manual

Configure a new DNS server using DNS Manager or dnscmd.exe.

Automation

Configure a new DNS server using dnscmd.exe or Windows PowerShell scripts.

Notes

See Configure a New DNS Server.

Configure a DNS server to use forwarders.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server is configured to forward unresolved DNS queries to other DNS servers.

Maintenance task

Configure a DNS server to use forwarders.

Frequency

As required

Owner

Operator

Manual

Configure a DNS server to use forwarders using DNS Manager or dnscmd.exe.

Automation

Configure a DNS server to use forwarders using dnscmd.exe or Windows PowerShell scripts.

Notes

See Configure a DNS Server to Use Forwarders.

Create a DNS application directory partition in Active Directory Domain Services (AD DS).

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server is configured to store Active Directory Domain Services (AD DS)–integrated DNS zones in a specific partition so that the scope of replication for the zone stored in that partition can be better controlled.

Maintenance task

Create a DNS application directory partition in Active Directory Domain Services (AD DS).

Frequency

As required

Owner

Operator

Manual

Create a DNS application directory partition in Active Directory Domain Services (AD DS) using dnscmd.exe.

Automation

Create a DNS application directory partition in Active Directory Domain Services (AD DS) using dnscmd.exe or Windows PowerShell scripts.

Notes

See Create a DNS Application Directory Partition.

Enlist a DNS server in a DNS application directory partition in Active Directory Domain Services (AD DS).

Health attribute

Configuration

Health area

DNS Server

Health requirement

A DNS server is configured to store Active Directory Domain Services (AD DS)–integrated DNS zones in an existing application directory partition so that the scope of replication for the zone stored in that partition can be better controlled.

Maintenance task

Enlist a DNS server in a DNS application directory partition in Active Directory Domain Services (AD DS).

Frequency

As required

Owner

Operator

Manual

Enlist a DNS server in a DNS application directory partition in Active Directory Domain Services (AD DS) using dnscmd.exe.

Automation

Enlist a DNS server in a DNS application directory partition in Active Directory Domain Services (AD DS) using dnscmd.exe or Windows PowerShell scripts.

Notes

See Enlist a DNS Server in a DNS Application Directory Partition.

Remove a DNS server from a DNS application directory partition in Active Directory Domain Services (AD DS).

Health attribute

Configuration

Health area

DNS Server

Health requirement

A DNS server is configured to no longer store Active Directory Domain Services (AD DS)–integrated DNS zones in an existing application directory partition.

Maintenance task

Remove a DNS server from a DNS application directory partition in Active Directory Domain Services (AD DS).

Frequency

As required

Owner

Operator

Manual

Remove a DNS server from a DNS application directory partition in Active Directory Domain Services (AD DS) using dnscmd.exe.

Automation

Remove a DNS server from a DNS application directory partition in Active Directory Domain Services (AD DS) using dnscmd.exe or Windows PowerShell scripts.

Notes

See Remove a DNS Server from a DNS Application Directory Partition.

Configure a method for obtaining startup information for a DNS server.

Health attribute

Configuration

Health area

DNS Server

Health requirement

A DNS server is configured to obtain its startup information from the registry, from a boot file, or from Active Directory Domain Services (AD DS).

Maintenance task

Configure a method for obtaining startup information for a DNS server.

Frequency

As required

Owner

Operator

Manual

Configure a method for obtaining startup information for a DNS server using DNS Manager.

Automation

Configure a method for obtaining startup information for a DNS server using Windows PowerShell scripts.

Notes

See Change the Boot Method Used by the DNS Server.

Configure the DNS Server service to listen to specific IP addresses.

Health attribute

Configuration

Health area

DNS Server

Health requirement

A DNS server is configured to listen to specific IP addresses on a multihomed computer.

Maintenance task

Configure the DNS Server service to listen to specific IP addresses.

Frequency

As required

Owner

Operator

Manual

Configure the DNS Server service to listen to specific IP addresses using DNS Manager.

Automation

Configure the DNS Server service to listen to specific IP addresses using Windows PowerShell scripts.

Notes

See Configuring Multihomed Servers.

See Restrict a DNS server to listen only on selected addresses.

Configure the DNS server to prevent pollution of the DNS cache.

Health attribute

Security

Health area

DNS Server

Health requirement

A DNS server is configured to prevent pollution of the DNS cache, which occurs when an attacker sends DNS query responses that contain nonauthoritative or malicious data.

Maintenance task

Configure the DNS server to prevent pollution of the DNS cache.

Frequency

As required

Owner

Operator

Manual

Configure the DNS server to prevent pollution of the DNS cache using DNS Manager.

Automation

Configure the DNS server to prevent pollution of the DNS cache using Windows PowerShell scripts.

Notes

See Secure the Server Cache Against Names Pollution.

Configure the users who can administer the DNS Server service when it is running on a domain controller.

Health attribute

Security

Health area

DNS Server

Health requirement

The appropriate users are able to administer the DNS Server service when it is running on a domain controller.

Maintenance task

Configure the users who can administer the DNS Server service when it is running on a domain controller.

Frequency

As required

Owner

Operator

Manual

Configure the users who can administer the DNS Server service when it is running on a domain controller using DNS Manager.

Automation

Configure the users who can administer the DNS Server service when it is running on a domain controller using Windows PowerShell scripts.

Notes

See Modify Security for the DNS Server Service on a Domain Controller.

Disable recursive queries on a DNS server.

Health attribute

Security

Health area

DNS Server

Health requirement

Recursive queries are disabled to prevent denial of service (DoS) attacks on the DNS server.

Maintenance task

Disable recursive queries on a DNS server.

Frequency

As required

Owner

Operator

Manual

Disable recursive queries on a DNS server using DNS Manager.

Automation

Disable recursive queries on a DNS server using Windows PowerShell scripts.

Notes

See Disable Recursion on the DNS Server.

Update root hints on a DNS server.

Health attribute

Configuration

Health area

DNS Server

Health requirement

DNS queries are sent to servers that are authoritative for zones other than the zones for which the DNS server is authoritative.

Maintenance task

Update root hints on a DNS server.

Frequency

As required

Owner

Operator

Manual

Update root hints on a DNS server using DNS Manager.

Automation

Update root hints on a DNS server using Windows PowerShell scripts.

Notes

See Update Root Hints on the DNS Server.

Add a DNS server to DNS Manager.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server can be managed in DNS Manager.

Maintenance task

Add a DNS server to DNS Manager.

Frequency

As required

Owner

Operator

Manual

Add a server to DNS Manager using DNS Manager.

Automation

Notes

See Add a Server to DNS Manager.

Remove a DNS server from DNS Manager.

Health attribute

Configuration

Health area

DNS Server

Health requirement

Remove an unnecessary DNS server from DNS Manager to help minimize the attack surface and reduce operations effort.

Maintenance task

Remove a DNS server from DNS Manager.

Frequency

As required

Owner

Operator

Manual

Remove a DNS server from DNS Manager using DNS Manager.

Automation

Notes

See Remove a Server from DNS Manager.

Start the DNS Server service.

Health attribute

Configuration

Health area

DNS Server

Health requirement

Start the DNS Server service after it was stopped, to restore services.

Maintenance task

Start the DNS Server service.

Frequency

As required

Owner

Operator

Manual

Start the DNS Server service using DNS Manager, the Service console, or the net.exe command.

Automation

Start the DNS Server service using the net.exe command or Windows PowerShell scripts.

Notes

See Start or Stop a DNS Server.

Stop the DNS Server service.

Health attribute

Configuration

Health area

DNS Server

Health requirement

Stop the DNS Server service to perform maintenance.

Maintenance task

Stop the DNS Server service.

Frequency

As required

Owner

Operator

Manual

Stop the DNS Server service using DNS Manager, the Service console, or the net.exe command.

Automation

Stop the DNS Server service using the net.exe command or Windows PowerShell scripts.

Notes

See Start or Stop a DNS Server.

Resume a paused zone on a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Resume a zone after it was paused, to restore services.

Maintenance task

Resume a paused zone on a DNS server.

Frequency

As required

Owner

Operator

Manual

Resume a paused zone on a DNS server using DNS Manager or Windows PowerShell scripts.

Automation

Resume a paused zone on a DNS server using Windows PowerShell scripts.

Notes

See Pause or Resume a Zone.

Pause an active zone on a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Pause an active zone so that the zone no longer responds to queries or transfer requests, typically to perform maintenance.

Maintenance task

Pause an active zone on a DNS server.

Frequency

As required

Owner

Operator

Manual

Pause an active zone on a DNS server using DNS Manager or Windows PowerShell scripts.

Automation

Pause an active zone on a DNS server using Windows PowerShell scripts.

Notes

See Pause or Resume a Zone.

Add a forward lookup zone on a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Add a forward lookup zone to configure a DNS server to be an authority for a DNS domain name.

Maintenance task

Add a forward lookup zone on a DNS server.

Frequency

As required

Owner

Operator

Manual

Add a forward lookup zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Add a forward lookup zone using dnscmd.exe or Windows PowerShell scripts.

Notes

See Add a Forward Lookup Zone.

Remove a forward lookup zone from a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Remove an unnecessary forward lookup zone to help minimize the attack surface and reduce the operations effort.

Maintenance task

Remove a forward lookup zone from a DNS server.

Frequency

As required

Owner

Operator

Manual

Remove a forward lookup zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Remove a forward lookup zone using dnscmd.exe or Windows PowerShell scripts.

Add a reverse lookup zone on a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Add a reverse lookup zone to configure a DNS server to be an authority for a range of IP addresses from which to perform reverse lookup of IP addresses.

Maintenance task

Add a reverse lookup zone on a DNS server.

Frequency

As required

Owner

Operator

Manual

Add a reverse lookup zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Add a reverse lookup zone using dnscmd.exe or Windows PowerShell scripts.

Notes

See Add a Reverse Lookup Zone.

Remove a reverse lookup zone from a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Remove an unnecessary reverse lookup zone to help minimize the attack surface and reduce operations effort.

Maintenance task

Remove a reverse lookup zone from a DNS server.

Frequency

As required

Owner

Operator

Manual

Remove a reverse lookup zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Remove a reverse lookup zone using dnscmd.exe or Windows PowerShell scripts.

Add a stub zone on a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Add a stub zone to configure a DNS server to identify the authoritative DNS servers for that zone.

Maintenance task

Add a stub zone on a DNS server.

Frequency

As required

Owner

Operator

Manual

Add a stub zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Add a stub zone using dnscmd.exe or Windows PowerShell scripts.

Notes

See Add a Stub Zone.

Remove a stub zone from a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Remove an unnecessary stub zone to help minimize the attack surface and reduce operations effort.

Maintenance task

Remove a stub zone from a DNS server.

Frequency

As required

Owner

Operator

Manual

Remove a stub zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Remove a stub zone using dnscmd.exe or Windows PowerShell scripts.

Deploy a GlobalNames zone on a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Deploy a GlobalNames zone to help migrations from Windows Internet Naming Service (WINS) to DNS for all name resolution.

Maintenance task

Deploy a GlobalNames zone on a DNS server.

Frequency

As required

Owner

Operator

Manual

Deploy a GlobalNames zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Deploy a GlobalNames zone using dnscmd.exe or Windows PowerShell scripts.

Notes

See Deploying a GlobalNames Zone.

Remove a GlobalNames zone from a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Remove an unnecessary GlobalNames zone to help minimize the attack surface and reduce operations effort.

Maintenance task

Remove a GlobalNames zone from a DNS server.

Frequency

As required

Owner

Operator

Manual

Remove a GlobalNames zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Remove a GlobalNames zone using dnscmd.exe or Windows PowerShell scripts.

Create a zone delegation on a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Create a zone delegation to allow a portion of a DNS namespace to be serviced by another DNS server.

Maintenance task

Create a zone delegation on a DNS server.

Frequency

As required

Owner

Operator

Manual

Create a zone delegation on a DNS server using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Create a zone delegation on a DNS server using dnscmd.exe or Windows PowerShell scripts.

Notes

See Create a Zone Delegation.

Remove a zone delegation from a DNS server.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Remove an unnecessary zone delegation to help minimize the attack surface and reduce operations effort.

Maintenance task

Remove a zone delegation from a DNS server.

Frequency

As required

Owner

Operator

Manual

Remove a zone delegation using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Remove a zone delegation using dnscmd.exe or Windows PowerShell scripts.

Configure a DNS server to use Windows Internet Naming Service (WINS) resolution.

Health attribute

Configuration

Health area

DNS Server

Health requirement

Configure a DNS server to use Windows Internet Naming Service (WINS) to look up names that are not found in DNS.

Maintenance task

Configure a DNS server to use Windows Internet Naming Service (WINS) resolution.

Frequency

As required

Owner

Operator

Manual

Configure a DNS server to use Windows Internet Naming Service (WINS) resolution using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure a DNS server to use Windows Internet Naming Service (WINS) resolution using dnscmd.exe or Windows PowerShell scripts.

Notes

See Enable DNS to Use WINS Resolution.

Change the replication scope for a DNS zone.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Change the scope for replication of an Active Directory Domain Services (AD DS)–integrated primary or stub lookup zone.

Maintenance task

Change the replication scope for a DNS zone.

Frequency

As required

Owner

Operator

Manual

Change the replication scope for a DNS zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Change the replication scope for a DNS zone using dnscmd.exe or Windows PowerShell scripts.

Notes

See Change the Zone Replication Scope.

Change the permissions on an Active Directory Domain Services (AD DS)–integrated zone.

Health attribute

Security

Health area

DNS Zone

Health requirement

Change the permissions on an Active Directory Domain Services (AD DS)–integrated zone.

Maintenance task

Change the permissions on an Active Directory Domain Services (AD DS)–integrated zone.

Frequency

As required

Owner

Operator

Manual

Change the permissions on an Active Directory Domain Services (AD DS)–integrated zone using DNS Manager or Windows PowerShell scripts.

Automation

Change the permissions on an Active Directory Domain Services (AD DS)–integrated zone using Windows PowerShell scripts.

Notes

See Modify Security for a Directory-Integrated Zone.

Configure the DNS zone transfer settings.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS zone transfers occur at the appropriate frequency to the appropriate servers.

Maintenance task

Configure the DNS zone transfer settings.

Frequency

As required

Owner

Operator

Manual

Configure the DNS zone transfer settings using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure the DNS zone transfer settings using dnscmd.exe or Windows PowerShell scripts.

Notes

See Modify Zone Transfer Settings.

Add resource records to a DNS zone.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS zone contains the appropriate resource records to resolve all names.

Maintenance task

Add resource records to a DNS zone.

Frequency

As required

Owner

Operator

Manual

Add resource records to a DNS zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Add resource records to a DNS zone using dnscmd.exe or Windows PowerShell scripts.

Notes

See Adding Resource Records.

Remove resource records from a DNS zone.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS zone contains the appropriate resource records to resolve all names.

Maintenance task

Remove resource records from a DNS zone.

Frequency

As required

Owner

Operator

Manual

Remove resource records from a DNS zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Remove resource records from a DNS zone using dnscmd.exe or Windows PowerShell scripts.

Modify resource records in a DNS zone.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS zone contains the appropriate resource records to resolve all names.

Maintenance task

Modify resource records in a DNS zone.

Frequency

As required

Owner

Operator

Manual

Modify resource records in a DNS zone using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Modify resource records in a DNS zone using dnscmd.exe or Windows PowerShell scripts.

Configure a DNS zone to allow dynamic updates of resource records.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS zone allows the computers that own the resource records to update them.

Maintenance task

Configure a DNS zone to allow dynamic updates of resource records.

Frequency

As required

Owner

Operator

Manual

Configure a DNS zone to allow dynamic updates of resource records using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure a DNS zone to allow dynamic updates of resource records using dnscmd.exe or Windows PowerShell scripts.

Notes

See Allow Dynamic Updates.

Configure a DNS zone to allow only secure dynamic updates of resource records.

Health attribute

Security

Health area

DNS Zone

Health requirement

The DNS zone allows only the computers that own the resource records to securely update them.

Maintenance task

Configure a DNS zone to allow only secure dynamic updates of resource records.

Frequency

As required

Owner

Operator

Manual

Configure a DNS zone to allow only secure dynamic updates of resource records using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure a DNS zone to allow only secure dynamic updates of resource records using dnscmd.exe or Windows PowerShell scripts.

Notes

See Allow Only Secure Dynamic Updates.

Configure the security for a resource record in a DNS zone.

Health attribute

Security

Health area

DNS Zone

Health requirement

The DNS zone allows only authorized accounts to modify resource records.

Maintenance task

Configure the security for a resource record in a DNS zone.

Frequency

As required

Owner

Operator

Manual

Configure the security for a resource record using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure the security for a resource record using dnscmd.exe or Windows PowerShell scripts.

Notes

See Modify Security for a Resource Record.

Configure the aging and scavenging properties for a DNS zone.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The aging and scavenging properties for a DNS zone allow automatic removal of unnecessary resource records from the zone.

Maintenance task

Configure the aging and scavenging properties for a DNS zone.

Frequency

As required

Owner

Operator

Manual

Configure the aging and scavenging properties using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure the aging and scavenging properties using dnscmd.exe or Windows PowerShell scripts.

Notes

See Set Aging and Scavenging Properties for a Zone.

Configure the default aging and scavenging properties for a DNS server.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The default aging and scavenging properties for a DNS server allow automatic removal of unnecessary resource records from zones.

Maintenance task

Configure the default aging and scavenging properties for a DNS server.

Frequency

As required

Owner

Operator

Manual

Configure the default aging and scavenging properties for a DNS server using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure the default aging and scavenging properties for a DNS server using dnscmd.exe or Windows PowerShell scripts.

Notes

See Set Aging and Scavenging Properties for the DNS Server.

Enable automatic scheduled scavenging of stale resource records.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The automatic scheduled scavenging feature of a DNS server allows automatic removal of unnecessary resource records from zones.

Maintenance task

Enable automatic scheduled scavenging of stale resource records.

Frequency

As required

Owner

Operator

Manual

Enable automatic scheduled scavenging of stale resource records using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Enable automatic scheduled scavenging of stale resource records using dnscmd.exe or Windows PowerShell scripts.

Notes

See Enable Automatic Scavenging of Stale Resource Records.

Start the immediate scavenging of stale resource records.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Unnecessary resource records are removed from zones on an as-needed basis.

Maintenance task

Start the immediate scavenging of stale resource records.

Frequency

As required

Owner

Operator

Manual

Start the immediate scavenging of stale resource records using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Notes

See Start Immediate Scavenging of Stale Resource Records.

Determine when a zone will scavenge stale resource records.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The automatic scheduled scavenging feature of a DNS server allows automatic removal of unnecessary resource records from zones.

Maintenance task

Determine when a zone will scavenge stale resource records.

Frequency

As required

Owner

Operator

Manual

Determine when a zone will start scavenging stale resource records using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Determine when a zone will start scavenging stale resource records using dnscmd.exe or Windows PowerShell scripts.

Notes

See View When a Zone Can Start Scavenging Stale Records.

Reset the aging and scavenging properties for a resource record.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

Unnecessary resource records are removed from zones.

Maintenance task

Reset the aging and scavenging properties for a resource record.

Frequency

As required

Owner

Operator

Manual

Reset the aging and scavenging properties for a resource record using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Reset the aging and scavenging properties for a resource record using dnscmd.exe or Windows PowerShell scripts.

Notes

See Reset Aging and Scavenging Properties for a Specified Resource Record.

Secure DNS server role deployments.

Health attribute

Security

Health area

DNS Server

Health requirement

The DNS server role is configured to prevent unauthorized access to the computer running the role and to the zones on the server.

Maintenance task

Secure DNS server role deployments.

Frequency

As required

Owner

Operator

Manual

Secure DNS server role deployments using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Secure DNS server role deployments using dnscmd.exe or Windows PowerShell scripts.

Notes

See Securing DNS Deployment.

Secure the DNS Server service on a DNS server.

Health attribute

Security

Health area

DNS Server

Health requirement

The DNS Server service is configured to prevent unauthorized access to resources that the service manages.

Maintenance task

Secure the DNS Server service on a DNS server.

Frequency

As required

Owner

Operator

Manual

Secure the DNS Server service on a DNS server using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Secure the DNS Server service on a DNS server using dnscmd.exe or Windows PowerShell scripts.

Notes

See Securing the DNS Server Service.

Secure the DNS zones on a DNS server.

Health attribute

Security

Health area

DNS Zone

Health requirement

The DNS Server zones are configured to prevent unauthorized access to the zones.

Maintenance task

Secure the DNS zones on a DNS server.

Frequency

As required

Owner

Operator

Manual

Secure DNS zones using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Secure DNS zones using dnscmd.exe or Windows PowerShell scripts.

Notes

See Securing DNS zones.

Secure the resource records in the DNS zones on a DNS server.

Health attribute

Security

Health area

DNS Zone

Health requirement

The resource records in the DNS zones are configured to prevent unauthorized access to the resource records.

Maintenance task

Secure the resource records in the DNS zones on a DNS server.

Frequency

As required

Owner

Operator

Manual

Secure the resource records in the DNS zones on a DNS server using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Secure the resource records in the DNS zones on a DNS server using dnscmd.exe or Windows PowerShell scripts.

Notes

See Securing DNS Resource Records.

Clear the DNS cache.

Health attribute

Configuration

Health area

DNS Zone

Health requirement

The DNS cache is cleared to remove cached resource records.

Maintenance task

Clear the DNS cache.

Frequency

As required

Owner

Operator

Manual

Clear the DNS cache using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Clear the DNS cache using dnscmd.exe or Windows PowerShell scripts.

Configure the DNS event log logging level.

Health attribute

Configuration

Health area

DNS Server

Health requirement

The DNS server is configured to use the appropriate event log logging level.

Maintenance task

Configure the DNS event log logging level.

Frequency

As required

Owner

Operator

Manual

Configure the DNS event log logging level using DNS Manager, dnscmd.exe, or Windows PowerShell scripts.

Automation

Configure the DNS event log logging level using dnscmd.exe or Windows PowerShell scripts.

Back up the DNS boot file.

Health attribute

Continuity

Health area

DNS Server

Health requirement

The DNS boot file is archived so that it can be used for recovery if the existing boot file becomes corrupted.

Maintenance task

Back up the DNS boot file.

Frequency

As required

Owner

Operator

Manual

Back up the DNS boot file using Windows PowerShell scripts, Windows Server Backup, or other backup software.

Automation

Back up the DNS boot file using Windows PowerShell scripts, Windows Server Backup, or other backup software.

Back up the DNS zone files.

Health attribute

Continuity

Health area

DNS Server

Health requirement

The DNS zone files are archived so that they can be used for recovery if the existing zone files become corrupted.

Maintenance task

Back up the DNS zone files.

Frequency

As required

Owner

Operator

Manual

Back up the DNS zone files using Windows PowerShell scripts, Windows Server Backup, or other backup software.

Automation

Back up the DNS zone files using Windows PowerShell scripts, Windows Server Backup, or other backup software.

Recover from corrupt registry data for a zone.

Health attribute

Continuity

Health area

DNS Server

Health requirement

The DNS server is able to read the registry data for a zone.

Maintenance task

Recover from corrupt registry data for a zone.

Frequency

As required

Owner

Operator

Manual

Delete the existing zone data in the registry, and then re-create the zone using regedit.exe and DNS Manager.

Health Risks

| ID | Description | Probability (1–100%) | Impact (1–5) | Exposure (1–5) | Mitigation strategy | Risk owner |
|---|---|---|---|---|---|---|
| 1 | A DNS server fails. | 10% | 5 | 5 | Add DNS servers to provide DNS services in the event of a DNS server failure. | |
| 2 | A DNS server is performing slowly. | 60% | 3 | 2 | Verify that the DNS server performance is adequate by using automated methods such as Windows PowerShell scripts or Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. Add system resources to the DNS server, or add DNS servers. | |
| 3 | The DNS Server service is not bound to the correct network adapter in multihomed computers. | 25% | 5 | 5 | Verify that the DNS Server service is bound to the correct network adapter by using automated methods such as Windows PowerShell scripts or Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. | |
| 4 | DNS resource records are not valid. | 60% | 2 | 5 | Verify that the DNS resource records are valid by using automated methods such as Windows PowerShell scripts or Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. | |
| 5 | The DNS server is unable to start. | 25% | 5 | 5 | Verify that the DNS server is healthy by using automated methods such as Windows PowerShell scripts or Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. | |
| 6 | The DNS server is unable to read DNS zone information. | 20% | 3 | 2 | Verify that the DNS zone information is healthy by using automated methods such as Windows PowerShell scripts or Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. | |
| 7 | The DNS server is unable to transfer zone information from one server to another. | 70% | 4 | 4 | Verify that DNS zone transfers are occurring on a scheduled basis and are healthy by using automated methods such as Windows PowerShell scripts or Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. | |
| 8 | The DNS server is unable to communicate with Active Directory Domain Services (AD DS). | 60% | 5 | 5 | Verify that Active Directory Domain Services (AD DS) is healthy and that DNS servers are able to communicate with AD DS by using automated methods such as Windows PowerShell scripts or Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007. | |

Standard Changes

Proposed standard change

Category verified?

Approved by

Date for change development complete

Date for change release

Create a DNS application directory partition in Active Directory Domain Services (AD DS).

Enlist a DNS server in a DNS application directory partition in Active Directory Domain Services (AD DS).

Configure a method for obtaining startup information for a DNS server.

Configure the DNS Server service to listen to specific IP addresses.

Configure the DNS server to prevent pollution of the DNS cache.

Configure the users who can administer the DNS Server service when it is running on a domain controller.

Disable recursive queries on a DNS server.

Update root hints on a DNS server.

Add a DNS server to DNS Manager.

Start the DNS Server service.

Stop the DNS Server service.

Resume a paused zone on a DNS server.

Pause an active zone on a DNS server.

Add a forward lookup zone on a DNS server.

Remove a forward lookup zone from a DNS server.

Add a reverse lookup zone on a DNS server.

Remove a reverse lookup zone from a DNS server.

Add a stub zone on a DNS server.

Remove a stub zone from a DNS server.

Deploy a GlobalNames zone on a DNS server.

Remove a GlobalNames zone from a DNS server.

Create a zone delegation on a DNS server.

Remove a zone delegation from a DNS server.

Configure a DNS server to use Windows Internet Naming Service (WINS) resolution.

Change the zone type of a DNS zone.

Change the replication scope for a DNS zone.

Change the permissions on an Active Directory Domain Services (AD DS)–integrated zone.

Configure the DNS zone transfer settings.

Add resource records to a DNS zone.

Remove resource records from a DNS zone.

Modify resource records in a DNS zone.

Configure a DNS zone to allow dynamic updates of resource records.

Configure a DNS zone to allow only secure dynamic updates of resource records.

Configure the security for a resource record in a DNS zone.

Configure the aging and scavenging properties for a DNS zone.

Configure the default aging and scavenging properties for a DNS server.

Enable automatic scheduled scavenging of stale resource records.

Start the immediate scavenging of stale resource records.

Determine when a zone will scavenge stale resource records.

Reset the aging and scavenging properties for a resource record.

Secure DNS server role deployments.

Secure the DNS Server service on a DNS server.

Secure the DNS zones on a DNS server.

Secure the resource records in the DNS zones on a DNS server.

Clear the DNS cache.

Configure the DNS event log logging level.

Back up the DNS boot file.

Back up the DNS zone files.

Acknowledgments

The Microsoft Operations Framework team acknowledges and thanks the people who produced Reliability Workbook for Windows Server 2008 DNS Server. The following people were either directly responsible for or made a substantial contribution to the writing and development of this guide.