Create DNS records for Microsoft using Windows-based DNS

Check the Domains FAQ if you don’t find what you’re looking for.

If you host your own DNS records using Windows-based DNS, follow the steps in this article to set up your records for email, Skype for Business Online, and so on.

To get started, you need to find your DNS records in Windows-based DNS so you can update them. Also, if you’re planning to synchronize your on-premises Active Directory with Microsoft, see Non-routable email address used as a UPN in your on-prem Active Directory.

Trouble with mail flow or other issues after adding DNS records, see Troubleshoot issues after changing your domain name or DNS records.

Find your DNS records in Windows-based DNS

Go to the page that has the DNS records for your domain. If you’re working in Windows Server 2008, go to Start > Run. If you’re working in Windows Server 2012, press the Windows key and r. Type dnsmgmnt.msc, and then select OK. In DNS Manager, expand > Forward Lookup Zones. Select your domain. You’re now ready to create the DNS records.

Add MX record

Add an MX record so email for your domain will come to Microsoft.

• The MX record you’ll add includes a value (the Points to address value) that looks something like this: .mail.protection.outlook.com, where is a value like MSxxxxxxx.
• From the MX row in the Exchange Online section of the Add DNS records page in Microsoft, copy the value listed under Points to address. You’ll use this value in the record you’re creating in this task.
• On the DNS Manager page for the domain, go to Action >Mail Exchanger (MX). To find this page for the domain, see Find your DNS records in Windows-based DNS.
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
  • Host Name:
  • @Address: Paste the Points to address value that you just copied from Microsoft here.
  • Pref:
• Select Save Changes.
• Remove any obsolete MX records. If you have any old MX records for this domain that route email somewhere else, select the check box next to each old record, and then select Delete >OK.

Add CNAME records

Add the CNAME records that are required for Microsoft. If additional CNAME records are listed in Microsoft, add those following the same general steps shown here.

If you have Mobile Device Management (MDM) for Microsoft, then you must create two additional CNAME records. Follow the procedure that you used for the other four CNAME records, but supply the values from the following table. (If you do not have MDM, you can skip this step.)

• On the DNS Manager page for the domain, go to Action >CNAME (CNAME).
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
  • Host Name: autodiscover
  • Type:
  • CNAMEAddress: autodiscover.outlook.com
• Select OK.

Add the SIP CNAME record.

• On the DNS Manager page for the domain, go to Action >CNAME (CNAME).
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
  • Host Name: sip
  • Type: CNAME
  • Address: sipdir.online.lync.com
• Select OK.

Add the Skype for Business Online Autodiscover CNAME record.

• On the DNS Manager page for the domain, go to Action >CNAME (CNAME). In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
  • Host Name: lyncdiscover
  • Type: CNAME
  • Address: webdir.online.lync.com
• Select OK.

Add two CNAME records for Mobile Device Management (MDM) for Microsoft

If you have Mobile Device Management (MDM) for Microsoft, then you must create two additional CNAME records. Follow the procedure that you used for the other four CNAME records, but supply the values from the following table. >(If you do not have MDM, you can skip this step.)

Add the MDM Enterpriseregistration CNAME record.

• On the DNS Manager page for the domain, go to Action >CNAME (CNAME).
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
• Host Name: enterpriseregistration
• Type: CNAME
• Address: enterpriseregistration.windows.net
• Select OK.

Add the MDM Enterpriseenrollment CNAME record.

• On the DNS Manager page for the domain, go to Action >CNAME (CNAME).
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
  • Host Name: enterpriseenrollment
  • Type: CNAME
  • Address: enterpriseenrollment-s.manage.microsoft.com
• Select OK.

Add a TXT record for SPF to help prevent email spam

You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you’ll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don’t create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a single SPF record that includes both sets of values.

Add the SPF TXT record for your domain to help prevent email spam.

• You might already have other strings in the TXT value for this record (such as strings for marketing email), which is fine. Leave those strings in place and add this one, placing double-quotes around each string to separate them.
• On the DNS Manager page for your domain, go to Action >Text (TXT).
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values.

In some versions of Windows DNS Manager, the domain may have been set up so that when you create a txt record, the home name defaults to the parent domain. In this situation, when adding a TXT record, set the host name to blank (no value) instead of setting it to @ or the domain name.

Record Type: TXT

Address: v=spf1 include:spf.protection.outlook.com -all

Select OK.

Add SRV records

Add the two SRV records that are required for Microsoft.

Add the SIP SRV record for Skype for Business Online web conferencing.

• On the DNS Manager page for your domain, go to Action >Other New Records.
• In the Resource Record Type window, select Service Location (SRV), and then select Create Record.
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
  • Service: _sip
  • Protocol: _tls
  • Priority: 100
  • Weight: 1
  • Port: 443
  • Target (Hostname): sipdir.online.lync.com
• Select OK.

Add the SIP SRV record for Skype for Business Online federation.

• On the DNS Manager page for your domain, go to Action >Other New Records.
• In the Resource Record Type window, select Service Location (SRV), and then select Create Record.
• In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
  • Service: _sipfederationtls
  • Protocol: _tcp
  • Priority: 100
  • Weight: 1
  • Port: 5061
  • Target (Hostname): sipfed.online.lync.com
• Select OK.

Add a record to verify that you own the domain, if you haven’t already

Before you add the DNS records to set up your Microsoft services, Microsoft has to confirm that you own the domain you’re adding. To do this, you add a record, following the steps below.

This record is used only to verify that you own your domain; it doesn’t affect anything else.

1. Gather information from Microsoft.
2. In the admin center, go to the Settings >Domains page.
3. On the Domains page, in the Actions column for the domain that you are verifying, select Start setup.
4. On the Add a domain to Microsoft page, select Start step 1.
5. On the Confirm that you own your domain page, in the See instructions for performing this step with drop-down list, choose General instructions.
6. From the table, copy the Destination or Points to Address value. You’ll need it for the next step. We recommend copying and pasting this value, so that all of the spacing stays correct.

Add a TXT record.

• On the DNS Manager page for your domain, go to Action >Text (TXT).
• In the New Resource Record dialog box, select Edit.
• In the Custom Host Names area of the New Resource Record dialog box, make sure that the fields are set to precisely the following values.

In some versions of Windows DNS Manager, the domain may have been set up so that when you create a txt record, the home name defaults to the parent domain. In this situation, when adding a TXT record, set the host name to blank (no value) instead of setting it to @ or the domain name.

• Host Name: @
• Type: TXT
• Address: Paste the Destination or Points to Address value that you just copied from Microsoft here.
• Select OK >Done.

Verify your domain in Microsoft.

Wait about 15 minutes before you do this, so the record you just created can update across the Internet.

• Go back to Microsoft and follow the steps below to request a verification check. The check looks for the TXT record you added in the previous step. When it finds the correct TXT record, the domain is verified.

1. In the admin center, go to the Setup >Domains page.
2. On the Domains page, in the Action column for the domain you are verifying, select Start setup.
3. On the Confirm that you own your domain page, select done, verify now, and then in the confirmation dialog box, select Finish.

Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you’ve made to update across the Internet’s DNS system. If you’re having trouble with mail flow or other issues after adding DNS records, see Troubleshoot issues after changing your domain name or DNS records.

Non-routable email address used as a UPN in your on-prem Active Directory

If you’re planning to synchronize your on-premises Active Directory with Microsoft, you’ll want to make sure that the Active Directory user principal name (UPN) suffix is a valid domain suffix, and not an unsupported domain suffix such as @contoso.local. If you need to change your UPN suffix, see How to prepare a non-routable domain for directory synchronization.

Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you’ve made to update across the Internet’s DNS system. If you’re having trouble with mail flow or other issues after adding DNS records, see Troubleshoot issues after changing your domain name or DNS records.

How To Set Up And Configure DNS On Windows Server 2016

Domain Name System (DNS), defined in several Request for Comments (RFC) documents, performs a single task: translating user-friendly hostnames to IPv4 or IPv6 addresses. The DNS server in Windows Server 2016 works the same basic way as it does in Windows Server 2012 R2. However, the Windows Server engineering team added some worthwhile enhancements, including DNS policies and Response Rate Limiting (RRL).

Read on to learn how to get a Windows Server 2016-based DNS server up and running.

Installing the DNS Server Role

To install the DNS Server role, we can open an elevated Windows PowerShell console (right-click the PowerShell icon and select Run as Administrator from the shortcut menu) and run a single command:

Install-WindowsFeature -Name DNS -IncludeAllSubFeature -IncludeManagementTools

If you’re more of a GUI-minded administrator, you can use Server Manager to install DNS Server.

Using Server Manager to install DNS Server in Windows Server 2016

As shown in the preceding screen capture, I already have DNS Server installed on my Windows Server 2016 domain controller.

Setting DNS Server Preferences

We can manage the Windows Server DNS Server in a variety of ways:

Windows Server 2016 also includes the traditional Nslookup.exe and IPConfig.exe command-line tools as well.

If you install the Remote Server Administration Tools (RSAT) tools on your administrative workstation, you’ll get all the aforementioned DNS Server management utilities.

Open the DNS Manager by typing dnsmgmt.msc from your elevated PowerShell console. Right-click your server and you’ll see a number of configuration options directly on the shortcut menu. For instance, you can:

Create a new forward or reverse lookup zone

Scour your DNS zone files for outdated and/or inaccurate records

Purge the server’s resolver cache

Pause, stop, start, or restart the server

Configuring a Windows Server 2016 DNS server

In the previous screenshot you see the Advanced page from my DNS servers’ Properties sheet.

Run the following command to retrieve a list of all 130-odd PowerShell DNS functions:

Get-Command -Module DNSServer | Select-Object -Property Name

Use Get-DNSServer to retrieve the local server’s configuration data. In the following example, I use Set-DNSServer to migrate configuration data from server01 to server02:

Get-DnsServer -CimSession ‘server01’ | Set-DnsServer -ComputerName ‘server02’

Of course, we use the native PowerShell *-Service cmdlets to operate on the server directly. For instance, to restart the local DNS server we can run:

Restart-Service -Name DNS -Force

Creating a Forward Lookup Zone

Although you can configure a DNS server to do nothing but fulfill name resolution requests and cache the results, the primary work of a Windows DNS server is to host one or more lookup zones.

Let’s create a simple forward (that is, hostname-to-IP address) lookup zone for a domain called toms.local.

In DNS Manager, right-click Forward Lookup Zones and select New Zone from the shortcut menu. This launches the New Zone Wizard, which will ask us to specify the following information:

Zone type. Options are primary, secondary, stub, and Active Directory-integrated. Let’s choose primary here, and deselect the AD integration option (the AD integraded option is available only on AD DS domain controllers, by the way)

Zone name. In our case, we’ll specify toms.local.

Zone file name. We’ll accept the default name, which is toms.local.dns. This is a simple plain text file, actually.

Dynamic updates. Accept the default, which is to disallow dynamic updates. In production business networks, you’ll want to enable this option so DNS clients can update their DNS records on their own.

By default, your new zone will have two DNS records:

Start of Authority (SOA): This record identifies which server is authoritative for the zone

Name Server (NS): This record identifies the servers that host records for this zone

Right-click the new zone and you’ll see various resource record creation options directly in the shortcut menu; these include:

Host (A): This is your «bread and butter» record that identifies a single host

Alias (CNAME): This record allows you to map more than one hostname to a single IP address

Mail Exchanger (MX): This record identifies your company’s e-mail server(s) that are attached to the current DNS domain

We’ll finish today’s tutorial by using PowerShell to define a new A record for a host named ‘client1’ and verify its existence. To create the record, we use Add-DnsServerResourceRecordA (yes, that’s a long command name.)

Add-DnsServerResourceRecordA -Name ‘client1’ -ZoneName ‘toms.local’ -IPv4Address 172.16.1.100

We finally run the equally awkward command Get-DnsServerResourceRecord to retrieve client1’s A record:

Get-DnsServerResourceRecord -ZoneName ‘toms.local’ -Name ‘client1’ | Format-Table -AutoSize

Reviewing our new DNS zone contents.

In the previous screen capture we can see our new client1 A record both in DNS Manager as well as in the Windows PowerShell console