Re: Overlapping Reverse Zone Files



Will wrote:
> "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in
> message news:u50N45aTHHA.5016@xxxxxxxxxxxxxxxxxxxxxxx
>> When you say you have multiple subnets using 192.168.0.0, does that
>> mean these are on two separate networks?
>> If this is the case, it really makes no difference because you won't
>> be able to route between the two networks anyway.
>
> Forest 1 contains these subnets:
>
> 192.168.11.0 / 24
> 192.168.15.0 / 24
> 192.168.16.0 / 24
>
> Forest 2 contains this subnet:
>
> 192.168.21.0 / 24
>
> All of these subnets are connected together by a firewall. They do
> route between each other.
>
>> Or is it two forests sharing the same network?
>
> No.
>
> So the proposal was that Forest 1 would have a reverse primary zone
> that is AD integrated, defined to be:
>
> 192.168.0.0 / 16
>
> Forest 2 would have a reverse primary zone that is AD integrated,
> defined to be:
>
> 192.168.21.0 / 24
>
> Forest 1 would have a secondary of the 192.168.21.0 zone that pulls from
> Forest 2's DNS.
>
> The above appears to work but leaves me a little uncomfortable, only
> because the two reverse zones have overlapping addresses in theory
> (not in practice).

This post is a lot clearer about your actual network than your original
post.
But it still leaves big questions. Having a zone named 168.192.in-addr.arpa.
is easier to overcome than having an actual 192.168/16 network; the bigger
question is whether the network is a /16 network or a 192.168.0/24 network
with a 192.168.x zone.
It is simple to add delegations to the 192.168.x zone for the 192.168.11.x,
192.168.15.x and 192.168.16.x zones. But you would have to create a
secondary of the 192.168.x zone on all DNS servers in the enterprise to make
it seamless.
In fact, to make reverse lookups seamless across the enterprise this would be
the way to go, with one exception: even on the DNS server where the primary
192.168.x zone is, if it is a /24 network, you should add a zone for the
192.168.0.x network, and a delegation for that zone.

So in clarification, all DNS servers should have:
192.168.x with delegations named 0, 11, 15 and 16 to the respective servers
with these zones:
192.168.0.x
192.168.11.x
192.168.15.x
192.168.16.x
The reasoning is that if each subnet is properly delegated, any one DNS
server can find any other reverse lookup, and it allows each DNS server to
have proper authority over the zones whose security they are responsible for.
Oh, and dynamic updates should be disallowed in the 192.168.x zone.
Also, reverse lookups are mostly irrelevant in Active Directory, but if
you're going to have them, make them seamless.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
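How the delegated reverse layout Kevin describes could be built on Windows DNS, as an added example that is not part of the thread. It uses the DnsServer PowerShell module (Windows Server 2012 and later); every server name and IP address in it is a hypothetical placeholder.

```powershell
# Added example, not from the thread: a /16 parent reverse zone with one
# delegation per real /24, dynamic updates off in the parent, and the Forest 2
# /24 carried as a secondary, as proposed in the thread.
# Server names and IPs are hypothetical placeholders.
$Parent = '168.192.in-addr.arpa'

# Child /24 labels under the parent -> hypothetical authoritative server
$Children = @{
    '0'  = @{ Ns = 'dns1.forest1.example'; Ip = '192.168.0.10'  }
    '11' = @{ Ns = 'dns1.forest1.example'; Ip = '192.168.0.10'  }
    '15' = @{ Ns = 'dns2.forest1.example'; Ip = '192.168.15.10' }
    '16' = @{ Ns = 'dns2.forest1.example'; Ip = '192.168.16.10' }
}

# 1. Parent /16 zone, AD integrated. Dynamic updates are disallowed so that a
#    host cannot register its PTR in the parent instead of its delegated /24.
if (-not (Get-DnsServerZone -Name $Parent -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '192.168.0.0/16' -ReplicationScope Forest -DynamicUpdate None
}
Set-DnsServerPrimaryZone -Name $Parent -DynamicUpdate None

# 2. One NS delegation per /24, including 0 because 192.168.0.x is a real network.
foreach ($label in $Children.Keys) {
    $c = $Children[$label]
    Add-DnsServerZoneDelegation -Name $Parent -ChildZoneName $label `
        -NameServer $c.Ns -IPAddress $c.Ip
}

# 3. On the server that owns a /24, host that child zone as a primary that
#    accepts only secure dynamic updates (run for the labels delegated to it).
foreach ($net in '192.168.0.0/24', '192.168.11.0/24') {
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Forest -DynamicUpdate Secure
}

# 4. Forest 2's 192.168.21.0/24 zone stays primary in Forest 2; Forest 1 DNS
#    servers carry it as a secondary pulled from Forest 2 (hypothetical master).
Add-DnsServerSecondaryZone -Name '21.168.192.in-addr.arpa' `
    -ZoneFile '21.168.192.in-addr.arpa.dns' -MasterServers 192.168.21.10

# 5. Check: a PTR query for an address in any subnet must be answered by the
#    delegated child zone or the secondary, not fall through to the parent.
foreach ($ip in '192.168.0.5', '192.168.11.5', '192.168.15.5', '192.168.16.5', '192.168.21.5') {
    Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
        Select-Object Name, NameHost
}
```

If step 5 returns no NameHost for an address in a delegated /24, the matching NS delegation or child zone is missing and the parent zone is silently answering NXDOMAIN for that network.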