Microsoft AD DNS – How to force Google Safe Search

Forcing safe-search for Google is very simple, and pretty hard to turn off. Couple it together with filtering DNS queries and you’ve got yourself a pretty robust content filter.

First I’m going to show you the powershell way (run powershell as admin), then I will show you the GUI way.


add-dnsserverprimaryzone -ReplicationScope Forest -Name -Verbose
Add-DnsServerResourceRecord -DName -ZoneName -name "@" -DomainNameAlias -Verbose
Add-DnsServerResourceRecordA -IPv4Address -name "@" -ZoneName -Verbose

As you can see the powershell way is the preferred method.

Here’s how to do it the GUI way:

Open up AD DNS or just type dnsmgmt.msc in a RUN box.

img 5750ca805ac91

Add a new primary zone, replicated to the whole forest for “”

img 5750ca957c48b

img 5750ca9ebc67e

img 5750caaa47b22

img 5750cab753444

img 5750cac896ff9

img 5750cacfacb23

Now go to the zone, and create a A record pointing to “”.

img 5750cae962b1c

img 5750caf38905f

img 5750cb06606ae

Now right click and create ” other new records…” we’ll select DNAME.

img 5750cb1c7cb37

img 5750cb2bbc305

Now add “” as the FQDN, leave alias name blank.

img 5750cb41b43b7

Now flush your DNS and test it out!


img 5750cb6f97eae


if we try to turn safesearch off via the settings, it does not work!!!

img 5750cb843a71d

Same result.


img 5750cb8fc03fc


I also recommend setting your DNS forwarders to OpenDNS Family Shield (It’s FREE!) it blocks porn and malicious DNS queries.

Powershell command (needs to be run as admin)

Set-DnsServerForwarder -IPAddress "",""

Close and reopen DNS to make sure you got the new forwarders.












Leave a comment