Re: Overlapping Reverse Zone Files




"Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in message
news:uKQvq4gTHHA.4844@xxxxxxxxxxxxxxxxxxxxxxx
But it still leaves big questions, having a zone named 168.192.in-addr.arpa is easier to overcome than having an actual 192.168/16 Network, the bigger question is the Network a /16 network or a 192.168.0/24 network with a 192.168.x zone?

The forest I am calling F1 is comprised of many non-overlapping
192.168.x.0 / 24 subnets. The reverse zone file for F1 is AD integrated
and is a 192.168.x.zone. I realize that is a hack, but it is a really
convenient thing as opposed to having to create many separate reverse zone
files that are at the proper size for the subnets they map.


It is simple to add delegations to the 192.168.x zone for the 192.168.11.x, 192.168.15.x and 192.168.16.x zones. But you would have to create a secondary of the 192.168.x zone on all DNS servers in the enterprise to make it seamless.

Not sure what you mean by adding delegations. So far I have just created
the large /16 zone file and AD is automatically placing into it any matching
IP on its own. I never configured it for specific subnets. Should I?

Don't worry about secondaries for now. I'm trying to focus in and understand
the situation on the AD integrated DNS servers for the F1 forest. And the
thing that is causing some discomfort is that the Forest 2 contains this
subnet 192.168.21.0 / 24 which is implemented as a secondary reverse zone in
F1 forest. So in theory some machine in F1 could accidentally be given a
192.168.21.x address and then you would have a weird situation where two
reverse zone files might contain the same /24 subnet. How does AD resolve
that conflict? Will it raise an error, or will one of the zones silently
"win"?


In fact to make reverse lookups seamless across the enterprise this would be the way to go with one exception, even on the DNS where the Primary 192.168.x zone is, if it is a /24 network, you should add zone for the 192.168.0.x network, and a delegation for that zone.

So in clarification, all DNS servers should have:
192.168.x with delegations named 0, 11, 15 and 16 to the respective servers with these zones:
192.168.0.x
192.168.11.x
192.168.15.x
192.168.16.x
The reasoning is that if each subnet is properly delegated, any one DNS server can find any other reverse lookup, and allows each DNS server to have proper authority over the zones they are responsible for the security of.
Oh, and Dynamic updates should be disallowed in the 192.168.x zone.
Also, reverse lookups are mostly irrelevant in Active Directory, but if you're going to have them, make them seamless.

I think you are describing a huge environment, one where each subnet might
be in a different building or a different city, each of which might have
their own domain or domain controller. That's not our case at all. We
are small and I simply like to use lots of subnets off a firewall as a way
to isolate traffic flows and allow tighter control of security. So in many
ways our environment is highly trivial, and I'm simply trying to understand
how to deal with the overlap of a single /24 subnet that is not owned by the
F1 forest.

Are you suggesting to have the F2 /24 subnet exist within the F1 forest
reverse zone, and use delegation as a way to pull it as a secondary from the
F2 forest? If yes, how do I actually do that? I have no experience with
delegation of that sort.

--
Will
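The question of which reverse zone "wins" when a /16 zone and a /24 zone on the same server both cover an address comes up repeatedly in this thread. Standard DNS behaviour (RFC 1034, section 4.3.2) is that a server answers a query from the nearest enclosing zone it hosts, so a more specific zone silently shadows any PTR that was registered into the broader one; no error is raised. The script below is an added example, not code from either poster: it models that nearest-zone selection, flags shadowed PTR records, and derives the label under which the parent zone must carry the NS delegation for a child zone. All zone names, host names and records in it are constructed for illustration.

```python
"""Audit helper for overlapping reverse (in-addr.arpa) zones.

Added example, not from the newsgroup thread. Models how a DNS server
picks the zone that answers a PTR query (nearest enclosing zone it hosts,
per RFC 1034 s.4.3.2) and flags PTR records that become unreachable when a
more specific zone shadows them. All zone names and records are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_for_network(cidr: str) -> str:
    """Classful reverse zone name for an octet-aligned /8, /16 or /24 network."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 networks map to a single zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def nearest_zone(name: str, hosted: List[str]) -> Optional[str]:
    """Zone a server would answer from: the hosted zone with the most labels
    that is an ancestor of (or equal to) the queried name."""
    best = None
    for zone in hosted:
        if name == zone or name.endswith("." + zone):
            if best is None or zone.count(".") > best.count("."):
                best = zone
    return best


def delegation_label(parent: str, child: str) -> str:
    """Label under which the parent must hold NS records for the child,
    e.g. parent 168.192.in-addr.arpa, child 21.168.192.in-addr.arpa -> '21'."""
    suffix = "." + parent
    if not child.endswith(suffix):
        raise ValueError(f"{child} is not below {parent}")
    return child[: -len(suffix)]


def shadowed_ptrs(zones: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """PTR records stored in one zone but answered from a more specific zone
    on the same server: (owner, zone holding the record, zone that answers)."""
    hosted = list(zones)
    found = []
    for zone, records in zones.items():
        for owner in records:
            answering = nearest_zone(owner, hosted)
            if answering != zone:
                found.append((owner, zone, answering))
    return found


# Constructed data: an F1 DNS server holding the AD-integrated /16 reverse
# zone plus a secondary copy of F2's /24 reverse zone.
F1_SERVER_ZONES = {
    "168.192.in-addr.arpa": {
        ptr_name("192.168.11.5"): "ws11-5.f1.example.",
        # registered dynamically into the /16 zone by a host that was
        # (mis)configured with an address from F2's subnet
        ptr_name("192.168.21.7"): "stray-host.f1.example.",
    },
    "21.168.192.in-addr.arpa": {
        ptr_name("192.168.21.7"): "srv21-7.f2.example.",
    },
}


def main() -> None:
    hosted = list(F1_SERVER_ZONES)
    for ip in ("192.168.11.5", "192.168.21.7"):
        name = ptr_name(ip)
        print(ip, "->", name, "answered from", nearest_zone(name, hosted))
    for owner, holder, answering in shadowed_ptrs(F1_SERVER_ZONES):
        print(f"shadowed: {owner} in {holder} is never served; {answering} wins")
    label = delegation_label("168.192.in-addr.arpa", "21.168.192.in-addr.arpa")
    # the NS target below is a placeholder, not a name from the thread
    print(f"parent zone needs: {label}  IN NS  <F2 DNS server name>")


if __name__ == "__main__":
    main()
```

Running it shows the stray PTR in the /16 zone being reported as shadowed by the /24 secondary, which is the silent "win" the thread asks about; the same check is a cheap way to spot hosts that registered into the wrong subnet before the overlap causes confusing reverse lookups.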




