DNS and Subnet Prioritization & DNS Round Robin

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Publication Date: 5/28/2010

Edited 6/4/2010 – Included information that Subnet Prioritization in Windows 2003 and newer defaults to Class C subnets only. If you have any subnets other than a Class C in the environment, Subnet Prioritization may not work as expected for this reason. I included a separate section explaining this in further detail, and how to set a DNS server to take this into account, which of course must be set on all DNS servers in the environment.
Edited 8/9/2010 – Added information about Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 and their differences with XP and 2000 regarding Subnet Prioritization, which they handle a bit differently, and how to make it work.

DNS and Subnet Prioritization & DNS Round Robin – Which one Supersedes?

This has been a question that arises from time to time. I thought to provide some information on how it works to understand what is at play with these two DNS features.

Preface on Subnet Prioritization and Round Robin:

Subnet prioritization works by default. No other action is required. If you have multiple identical A records, then Round Robin will supersede.
If Round Robin is not needed, it can be disabled in order to take full advantage of Subnet Prioritization; otherwise, Round Robin will supersede.

In scenarios involving ISA Enterprise, because ISA Enterprise is AD enabled, you can publish the ISA records in AD, and if AD Sites are configured, the client site will be used first by the AD client side extension, disregarding Round Robin and Subnet Prioritization, unless there are multiple records in each AD Site.

Some have asked whether an ISA Array will work. It is possible to configure an ISA Array with multiple ISA Enterprise servers which will share their web cache; however, this will not help Subnet Prioritization or Round Robin, since the Array is considered a single logical entity and is published as such.

Nslookup is a good tool to test Round Robin, and will give you a general response purely based on DNS, but the results are as expected in a non-AD Site scenario, since it can’t test AD Sites responses.
You can also create an IE GPO for each Site. In the GPO, you would state the Proxy address for them to use.

Subnet Prioritization and Round Robin Logic:

Keep in mind, Subnet Prioritization and Round Robin work hand in hand, however, not necessarily so if an AD Site aware service is querying (such as the client side GetDcList function). If there is more than one in the same subnet, Round Robin will kick in, which DNS performs.
If there is more than one record, DNS will re-order the response with an IP that is in the same client subnet.
However, if Round Robin and Subnet Prioritization are enabled, Round Robin wins.

If you do not want this default action to occur, that is, you want to use Subnet Prioritization, and AD Sites are not involved, you will need to disable Round Robin; otherwise, if both Round Robin and Subnet Prioritization are enabled, the server rotates among the A resource records. You may wish to check how it works if you disable round robin when you have multiple separate subnets and you want a client to respond to a subnet closest to its own subnet.

The following passage on the specific logic was quoted from:
Configuring Subnet Prioritization
[Begin Quote]

  • If Enable round robin is selected (the default) and the value of LocalNetPriority is 1:
    • The server rotates among the A resource records that it returns in the order of their similarity to the IP address of the querying client.
  • If Enable round robin is deselected and the value of LocalNetPriority is 1:
    • The server returns the records in local net priority order. It does not rotate among available addresses.
  • If Enable round robin is selected and the value of LocalNetPriority is 0 (the default):
    • The server rotates among the available records in the order in which the records were added to the database.
  • If Enable round robin is deselected and the value of LocalNetPriority is 0 (the default):
    • The server returns the records in the order in which they were added to the database. The server does not attempt to sort them or rotate the records it returns.

[/End Quote]

Subnet Prioritization and Round Robin Example:

The following example was quoted from:
Configuring IP Addressing and Name Resolution

[Begin Quote]
For example, suppose there are three Web servers that all host the Web
page for www.reskit.com and they are all located on different subnets.
The DNS name server for the network contains the following resource records:
www.reskit.com.    IN A    172.16.64.11
www.reskit.com.    IN A    172.17.64.22
www.reskit.com.    IN A    172.18.64.33

When a Windows XP Professional–based
computer’s DNS resolver (client) receives a response to the query for
the A record of www.reskit.com, it returns A records in order,
starting with the IP addresses from subnets to which the computer is
directly connected.

For example, if a computer with the IP address is queried for www.reskit.com, the resolver returns the
resource records in the following order:
www.reskit.com.    IN A    172.17.64.22
www.reskit.com.    IN A    172.16.64.11
www.reskit.com.    IN A    172.18.64.33

Subnet prioritization prevents the
resolver from choosing the first IP address returned in the DNS query
and using the DNS server’s round robin feature (defined in RFC 1794.)
With round robin enabled, the server rotates the order of resource
records returned when multiple A resource records exist for a queried
DNS domain name.

Thus, in the example described earlier, if a user
queried for www.reskit.com, the name server replies to the first
client request by ordering the addresses as follows:

It replies to the second client request by ordering the addresses as follows:

It replies to the third client request by ordering the addresses as follows:
With round robin enabled, if clients are configured to use the first
IP address in the list that they receive, different clients will use
different IP addresses, thus balancing the load among multiple network
resources with the same name. However, if the resolvers are configured
for subnet prioritization, the resolvers reorder the list to favor IP
addresses from networks to which they are directly connected, reducing
the effectiveness of the round robin feature.
Although subnet prioritization does reduce network traffic across
subnets, in some cases you might prefer to have the round robin
feature work as described in RFC 1794. If so, you can disable the
subnet prioritization feature on your clients by adding the registry
entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in
the following registry subkey:
DnsCache\ Parameters
[/End Quote]


Windows 2003 and newer Operating Systems Subnet Prioritization Feature Defaults to a Class C Subnet

Yep, that’s correct! We need to note and keep in mind that Windows 2003 and newer will automatically assume it’s a Class C subnet; well, more accurately, it’s set by default to look for a Class C subnet. If the environment is anything other than a Class C, all DNS servers must be configured with the correct mask.

The process involves understanding a little binary math. We need to define the Hosts part of the mask that netmask ordering should use for the subnet in the environment; otherwise DNS will not reorder the records correctly, and the results will not be as expected when testing the feature.

This can be accomplished with the DNSCMD command.

For example, using DNSCMD to set the default settings for a subnet, is:
Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF

For anything other than a Class C, we need to alter the “/LocalNetPriorityNetMask” value to the environment’s subnet.

The last two characters in the value used for a Class C subnet (“0x000000FF”) are “FF.” The value is written in hex, and it indicates the number of host bits (the opposite of what some may think when looking at a mask in binary). Hex FF, converted to binary, is equal to 1111 1111, that is, eight host bits.

Taking that into account, we can view a simple table with the base Class subnets:

For the base Classes, the values are:

Netmask            LocalPriorityNet
Class C (/24)      0x000000ff
Class B (/16)      0x0000ffff
Class A (/8)       0x00ffffff

To set it for something other than the default classes, for example a /22 (or 11111111.11111111.11111100.00000000), we see there are 10 bits for the hosts. Now change only the 0’s to 1’s and you get 1111111111. Convert that to hex, and you get 3FF. Therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF

Another example: if you have a /27 (or 11111111.11111111.11111111.11100000), convert the 0’s to 1’s to get 11111, convert that binary number to hex, and we get 1F. Therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x0000001F

Keep in mind, whatever the setting is, it MUST be set on ALL DNS servers in the environment.
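
The mask arithmetic above and its effect on record ordering, as an added example in Python (not code from the original article or from Microsoft). The ordering function is a simplified model of the "round robin deselected, LocalNetPriority 1" case; the client address, the A records and the server names are constructed for illustration.

```python
import ipaddress


def local_net_priority_mask(prefix_len):
    """Host-bit mask for a prefix length, e.g. /24 -> 0xFF, /22 -> 0x3FF."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (1 << (32 - prefix_len)) - 1


def dnscmd_line(prefix_len):
    """The article's dnscmd command, filled in for this prefix length."""
    return "Dnscmd /Config /LocalNetPriorityNetMask 0x%08X" % local_net_priority_mask(prefix_len)


def same_subnet(client, record, mask):
    """True when both addresses agree on every bit outside the host mask."""
    network_bits = ~mask & 0xFFFFFFFF
    c = int(ipaddress.IPv4Address(client))
    r = int(ipaddress.IPv4Address(record))
    return (c & network_bits) == (r & network_bits)


def netmask_order(client, records, mask):
    """Simplified model (assumption): round robin off, LocalNetPriority on.
    Records in the client's subnet move to the front; the rest keep the
    order in which they were stored."""
    local = [r for r in records if same_subnet(client, r, mask)]
    remote = [r for r in records if not same_subnet(client, r, mask)]
    return local + remote


def servers_out_of_step(configured, prefix_len):
    """Names of DNS servers whose configured mask differs from the expected one."""
    expected = local_net_priority_mask(prefix_len)
    return sorted(name for name, mask in configured.items() if mask != expected)


# Constructed sample data: one client and three A records for the same name.
CLIENT = "10.10.5.20"                                  # lives in 10.10.4.0/22
RECORDS = ["10.20.0.11", "10.10.6.11", "10.30.0.11"]   # 10.10.6.11 is in the same /22
# Hypothetical server names with the mask each one currently has configured.
CONFIGURED = {"dns01": 0x000003FF, "dns02": 0x000000FF, "dns03": 0x000003FF}

if __name__ == "__main__":
    print(dnscmd_line(22))
    # With the default Class C mask the /22 neighbour is not recognised as local.
    print("default mask:", netmask_order(CLIENT, RECORDS, 0x000000FF))
    print("/22 mask:    ", netmask_order(CLIENT, RECORDS, local_net_priority_mask(22)))
    # Servers still on a different mask would answer in a different order.
    print("fix these:   ", servers_out_of_step(CONFIGURED, 22))
```
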

Table: NetMasks broken down by CIDR to the necessary LocalPriorityNet Value
Note: Of course, some of the values can’t be used in the table, but I created the table to show all possible binary values.

NetMask (Binary)                       CIDR   Comments                  LocalPriorityNet Value
11111111.11111111.11111111.11111111    /32    Host (single addr)        0x00000000
11111111.11111111.11111111.11111110    /31    Unusable                  0x00000001
11111111.11111111.11111111.11111100    /30    2 usable                  0x00000003
11111111.11111111.11111111.11111000    /29    6 usable                  0x00000007
11111111.11111111.11111111.11110000    /28    14 usable                 0x0000000F
11111111.11111111.11111111.11100000    /27    30 usable                 0x0000001F
11111111.11111111.11111111.11000000    /26    62 usable                 0x0000003F
11111111.11111111.11111111.10000000    /25    126 usable                0x0000007F
11111111.11111111.11111111.00000000    /24    “Class C” 254 usable      0x000000ff
11111111.11111111.11111110.00000000    /23    2 Class C’s               0x000001FF
11111111.11111111.11111100.00000000    /22    4 Class C’s               0x000003FF
11111111.11111111.11111000.00000000    /21    8 Class C’s               0x000007FF
11111111.11111111.11110000.00000000    /20    16 Class C’s              0x00000FFF
11111111.11111111.11100000.00000000    /19    32 Class C’s              0x00001FFF
11111111.11111111.11000000.00000000    /18    64 Class C’s              0x00003FFF
11111111.11111111.10000000.00000000    /17    128 Class C’s             0x00007FFF
11111111.11111111.00000000.00000000    /16    “Class B”                 0x0000ffff
11111111.11111110.00000000.00000000    /15    2 Class B’s               0x0001FFFF
11111111.11111100.00000000.00000000    /14    4 Class B’s               0x0003FFFF
11111111.11111000.00000000.00000000    /13    8 Class B’s               0x0007FFFF
11111111.11110000.00000000.00000000    /12    16 Class B’s              0x000FFFFF
11111111.11100000.00000000.00000000    /11    32 Class B’s              0x001FFFFF
11111111.11000000.00000000.00000000    /10    64 Class B’s              0x003FFFFF
11111111.10000000.00000000.00000000    /9     128 Class B’s             0x007FFFFF
11111111.00000000.00000000.00000000    /8     “Class A”                 0x00ffffff
11111110.00000000.00000000.00000000    /7                               0x01FFFFFF
11111100.00000000.00000000.00000000    /6                               0x03FFFFFF
11111000.00000000.00000000.00000000    /5                               0x07FFFFFF
11110000.00000000.00000000.00000000    /4                               0x0FFFFFFF
11100000.00000000.00000000.00000000    /3                               0x1FFFFFFF
11000000.00000000.00000000.00000000    /2                               0x3FFFFFFF
10000000.00000000.00000000.00000000    /1                               0x7FFFFFFF
00000000.00000000.00000000.00000000    /0     IP subnet definition      0xFFFFFFFF

You can use the Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF Dnscmd.exe command to restore Windows Server 2003 settings to the default settings.

More info on this value and setting:

Description of the netmask ordering feature and the round robin feature in Windows Server 2003 DNS


Windows Vista, Windows 7 and Windows 2008 Behave Differently Compared to Older Operating Systems

Windows Vista, Windows 7 and Windows 2008 behave a bit differently than XP or 2000. Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 change the way Subnet Prioritization is handled a bit. Here’s more info, and keep in mind it doesn’t mention Windows 7 or Windows 2008 R2 directly, unless Microsoft updates the KB, but it applies to Windows 7 and Windows 2008 R2 and future operating systems:

Windows Vista and Windows Server 2008 DNS clients do not honor DNS round robin by default

Please check the following registry entry. This key with a value of 1, will disable NetMaskOrdering. Is it enabled?
DWORD = OverrideDefaultAddressSelection
Value data: = 1

DNS Round Robin and Destination IP address selection (talks about differences with Vista and 2008 non R2)

However, AD Sites should prevail in an AD environment. An AD client’s GetDcList functions will use Sites to determine which DC or GC to communicate with.

Therefore, basically:

Set the registry entry to 0 and the newer operating systems will behave like the older operating systems. If you leave the entry blank, such as the default with no entry, it results in the same effect as an entry equal to 1, that means no subnet mask preference.

To see the subnet mask ordering work on a Windows 7 client, you need to set up the following entry :

DWORD = OverrideDefaultAddressSelection 
Value data: = 0


If Active Directory Sites Are Involved with AD Aware Services:

AD Sites provide two basic things: logon and authentication control, to limit the auth request to only a GC/DC in its own site, and replication traffic control between Sites. Replication is compressed in Site to Site communications, which is good for the WAN link. AD enabled apps also use AD Sites.

You would first create a new Site, giving it a unique Site Name. Then create an IP Subnet Object that represents the subnet or subnets of the location (you can create multiple IP Subnet Objects if needed), then associate the IP Subnet with the Site Name.

In the Site link, you will notice the default replication period is 3 hours. You can chop that down to as low as 15 minutes. You can’t go lower, because that is the max time allotted for all DCs within a site to be able to replicate changes between each other. If DCs are added, the KCC jumps in and re-evaluates the intra site connection objects between DCs to optimize and keep within the 15 minute allotment.

A standalone would rely simply on DNS’ ability to provide responses either as Subnet prioritized, or Round Robin.

However, AD Sites work for AD enabled services and entities (such as Exchange, client machines, etc). So AD aware apps and services add an extra twist and can be used to your advantage. That was why I was asking if you are using ISA. ISA can be published into AD, and set by GPO. This way a client in SiteA will always use the ISA in SiteA.

However, if standalone servers are in use, you can disable Round Robin.



Optimizing DNS – This article shows a brief description of and numerous How-To’s regarding DNS parameter configuration settings and how to change them.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, as well as Windows 2008 and Windows 2008 R2.

Ace Fekay

Should I Disable IPv6? No…

12/11/2014 – Ace here again. I’ve revamped this blog bringing it up to date, but you know what, there was nothing really to change, because guess what? It’s not recommended to disable IPv6. Period.

I hope you find this helpful.


This topic has been discussed numerous times. Previously in this article I wrote:

There are known issues regarding IPv6 affecting communications in certain scenarios, such as with errors when using Outlook Anywhere such as to fix an Exchange 2007 running on Windows 2008 when there is a DC NSPI port 6004 communication issue.

Read the link in the “Related Links” section below for more information on this issue. Therefore, to eliminate communications issues regarding whether this is a factor or not, it is recommended to disable IPv6 in registry on the Exchange server, as well as on the domain controllers, or any server for that matter, especially if there are no plans in using IPv6. For the same reasons, it is also recommended to disable the RSS TCP Chimney Offload feature on the same servers.

IPv6 provides a robust means for IP addressing that offers additional information in the IP address. However, if the current network does not have the necessary supporting hardware to support it, such as a router, nor if IPv6 is currently in use, some say it’s additional overhead on the machine, which many have claimed, including myself in the past, to recommend disabling it. There is also an incompatibility with using IPv6 with UNC paths, such as mapping a drive using an IPv6 address, but I don’t think that’s relevant to the context of this article.

However, things have changed

The only time to disable IPv6 is with the above scenario using Exchange 2007 on a Windows 2008 server. At no other time should you disable IPv6. It must be kept enabled, or it will break many features in Windows. Read the next section…


Should I Disable IPv6? Nope


When I originally wrote this article, my original recommendations to disable IPv6 were based on a problem I found back in 2008 with an Exchange 2007 installation on Windows 2008 and DSAccess communications to a Windows 2008 DC/GC. I couldn’t figure out what was causing it. I finally called Microsoft PSS. After some digging around, the support engineer recommended disabling IPv6, which he said was causing the issue. It actually fixed the communications problem. He referenced an article explaining the issue:

The installation of the Exchange Server 2007 Hub Transport role may be unsuccessful on a Windows Server 2008-based computer

However, that article has been retired and is no longer available. Microsoft is now recommending to keep IPv6 enabled. You can read more about it in this article, which I highly suggest reading:

The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.

Basically, Joseph Davies in the above article, said (quoted directly from the article):

The Argument against Disabling IPv6

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.


Ipconfig /all shows IPv6 “::1” Loopback address as the First DNS Entry

In some cases, there may be some issues with IPv6 because it is the default protocol. When you run an ipconfig /all, you may find that the IPv6 “::1” Loopback address shows up as a DNS address. Because it’s at the top of the DNS addresses, some say it slows down resolution because the resolver is trying to use an IPv6 address to resolve it first before attempting to resolve the IPv4 address.

Who cares. Leave it alone. What harm is it doing? Just because it doesn’t look right?

Well, if you really want to remove the ::1, you can, although to me, it’s really a cosmetic thing when running nslookup. If it will make you feel warm and fuzzy not to see it, and rather see the IPv4 address, you can remove it using the following steps.


You can delete the “::1” IPv6 loopback address by the following method.

Run an ipconfig /all. Determine the “Local Area Connection” name. In the example below, I used “Local Area Connection” for the interface name:

netsh interface ipv6 delete dnsserver "Local Area Connection" ::1

You can add it back in, if you like: 

netsh interface ipv6 add dnsserver "Local Area Connection" ::1


For more info on the netsh command reference for Windows 2008 & 2008 R2, see the following. For command info on IPv6, click on “Netsh Command for Interface IPv4 and IPv6,” then click on “Netsh commands for Interface IPv6”:

Netsh Command Reference
(Comprehensive Command Reference) – Updated: July 2, 2009 – Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista


Originally, I illustrated in this blog to do it in the following fashion from a previous post (provided below), however this appears to not work for some. I suggest running the method above.

You can eliminate that from showing up on that specific interface. One way to do that is to find the IDX# of the interface by running:

netsh interface ipv6 show interfaces

Once you’ve identified the IDX# for that interface, you can delete it on that specific interface by running:

netsh interface ipv6 delete dnsserver name="IDX#" address=::1

You’ll find resolution will be quicker, as well as not getting that familiar nslookup initialization error message saying it “can’t find server…”

Originally posted in:

Windows 2008 R2 with AD integerated DNS



Windows 2008 R2, and Windows 7 will use IPv6 as the first preferred protocol.

In my opinion, if you just leave things as default, things will work fine.

However, for whatever reason you want to alter these settings, whether real or imagined, that is your choice.

That disclaimer out of the way, if you still need to force the TCP stack to use IPv4 first instead of IPv6, you can do so in the registry. The following procedure in this section was quoted from the following Microsoft KB article:

How to disable IP version 6 (IPv6) or its specific components in Windows 7, in Windows Vista, in Windows Server 2008 R2, and in Windows Server 2008


To force the system to use IPv4 first, before IPv6

The key you are looking for is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents. If it doesn’t exist, you have to create it.

Or if you do not want to do this manual procedure, you can now use the Microsoft “Mr Fix It” script to automatically do it for you. The scripts are in the KB929852 article above.

  1. In Registry Editor, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

  2. Double-click DisabledComponents to modify the DisabledComponents entry.
    Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:
    1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
    2. Type DisabledComponents, and then press ENTER.
    3. Double-click DisabledComponents.
  3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.



Again, do not disable IPv6

However, if you still need to disable IPv6, the following steps show how To Disable IPv6 on 2008 (non-SBS 2008), Vista or Windows 7.

Note: You can now use the Microsoft “Mr Fix It” script to automatically disable it, see:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008

You can also do it manually: The following steps are from:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008

The installation of the Exchange Server 2007 Hub Transport role is unsuccessful on a Windows Server 2008-based computer
(This article is no longer available. It originally recommended to disable IPv6 to overcome Exchange 2007 installed on Windows 2008 (not 2008 R2) that have DSAccess NSPI to GC Communications issues.)

Paul Berg also has a good article on disabling IPv6, too:
Disabling IPv6 on Windows 2008 or Vista


  1. Uncheck IPv6 in NIC properties
  2. Uncheck the two LinkLayer Topology Discovery components
  3. Then Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
    • In the details pane, click New, and then click DWORD (32-bit) Value.
    • Type in DisabledComponents, and then press ENTER.
    • Double-click DisabledComponents,
    • Type 0xffffffff in Hexadecimal.
    • It should look like this if you’ve entered it correctly:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
      • “DisabledComponents”=dword:ffffffff


Or more specifically, and with a complete list of values this key supports:


In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

  1. Double-click DisabledComponents to modify the DisabledComponents entry.

    Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:

    1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
    2. Type DisabledComponents, and then press ENTER.
    3. Double-click DisabledComponents.
  2. Type any one of the following values in the Value data: field to configure the IPv6 protocol to the desired state, and then click OK:
    1. Type 0 to enable all IPv6 components. (Windows default setting)
    2. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface.
    3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.
    4. Type 0x10 to disable IPv6 on all nontunnel interfaces (on both LAN and Point-to-Point Protocol [PPP] interfaces).
    5. Type 0x01 to disable IPv6 on all tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo.
    6. Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface.
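
Since the recommendation is to leave IPv6 enabled, a check that finds machines where DisabledComponents was changed is useful. The following added example in Python (not from the original article or the Microsoft KB) reads `reg query` output for the Tcpip6\Parameters key and interprets the value using the list above. It treats the listed values as combinable bits, which the 0x01/0x10/0x11 entries suggest but which is an assumption here; the host names and outputs are constructed.

```python
import re

# Bit meanings as given in the article's value list.
FLAGS = {
    0x01: "IPv6 disabled on all tunnel interfaces (ISATAP, 6to4, Teredo)",
    0x10: "IPv6 disabled on all nontunnel interfaces (LAN and PPP)",
    0x20: "IPv4 preferred over IPv6 in the prefix policy table",
}
ALL_DISABLED = 0xFFFFFFFF
KNOWN_BITS = 0x01 | 0x10 | 0x20

# Matches the value line printed by `reg query <key> /v DisabledComponents`.
VALUE_LINE = re.compile(
    r"^\s*DisabledComponents\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_reg_query(output):
    """Return the DisabledComponents value as an int, or None if the entry is absent."""
    match = VALUE_LINE.search(output)
    return int(match.group(1), 16) if match else None


def describe(value):
    """Human-readable findings for one value (a missing entry is treated as the default)."""
    if value is None or value == 0:
        return ["all IPv6 components enabled (Windows default)"]
    if value == ALL_DISABLED:
        return ["all IPv6 components disabled, except the loopback interface"]
    findings = [text for bit, text in sorted(FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        findings.append("bits not in the article's list: 0x%X" % unknown)
    return findings


def disables_ipv6(value):
    """True when IPv6 is switched off on some interface class; 0x20 alone only changes preference."""
    return value is not None and bool(value & 0x11)


def audit(outputs):
    """Map of host -> findings for every host where IPv6 has been disabled."""
    report = {}
    for host, text in sorted(outputs.items()):
        value = parse_reg_query(text)
        if disables_ipv6(value):
            report[host] = describe(value)
    return report


# Constructed `reg query` outputs keyed by hypothetical host names.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
SAMPLE = {
    "ex01": KEY + "\n    DisabledComponents    REG_DWORD    0xffffffff\n",
    "dc01": KEY + "\n    DisabledComponents    REG_DWORD    0x20\n",
    "fs01": KEY + "\n",   # entry not present: Windows default
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "->", "; ".join(findings))
```
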


Disabling IPv6 on SBS 2008 & 2011

Don’t do it. But if you must, disabling IPv6 on SBS 2008 is slightly different.

Read the reasons why, and the instructions in the following link, but as noted above, it’s no longer recommended to disable IPv6.

Issues After Disabling IPv6 on Your NIC on SBS 2008



Related Links

TCP Chimney and RSS Features May Cause Slow File Transfers or Cause Connectivity Problems:





I hope this helps!

Original Publication Date: 11/1/2011
Updated 12/11/2014

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services


Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

How to Subnet

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original publication: 3/2002, Updated 5/2010



Background – Why I Published This Blog

There are many tutorials on the internet providing subnetting guidelines. I tried to provide a simple, 15 minute tutorial that I use teaching a class on how to subnet. At the requests of some of my students, I created a blog with the steps involved. This is a simple tutorial providing a quick and easy way to understand how to subnet.


What is subnetting?

Subnetting is the process of dividing up a network ID into more or less IP addresses based on what’s needed for a network solution.

In the early 1990’s, it was realized that the number of public IPs in the 32 bit address space was finite, and dwindling as companies snatched them up. Some companies have huge blocks (Class A or /8 ranges) that provide over 16 million IP addresses. That was wasteful, especially if a company doesn’t have a need for that many. Private IP addressing wasn’t as prevalent as it is today. Public IPs were used, but because the number of public IPs was finite, we had to find a way to break down a range in order to offer less than a whole range for what a customer may need. Why give them 254 IP addresses when they need say, 20 IP addresses? That was sure wasteful as well.

In Feb, 1996, RFC1918 was introduced to address the wastefulness, and provide a means to break down a network using a private IP range, instead of wasting public IPs in a private network.

RFC1918 – Address Allocation for Private Internets

RFC 1918 is in wide use today. It’s so widely used, that even with the advent of IPv6 to provide a logarithmically larger number of IPs for the public ranges, it has not been widely adopted. This is because the private ranges provide more than enough for an internal private range. However, there are numerous advantages of using IPv6: besides many more IPs than IPv4 can handle, there is also routing information in the IP. However, as mentioned, it has not been widely adopted, up to the date of this publication.

Quick overview:

When I worked for a VAR (Value Added Reseller) in the mid 1990’s, I learned how to subnet with the method below from a tech that worked at UUNet. UUNet at that time, was our primary go-to company to resell an Internet solution for our customers. Since we were VARs, we offered a complete soup to nuts solution for our customers selling the Pick MDBMS solution. Pick Systems is no longer around, and there are other companies selling and supporting the basic Pick solution. The point is, at that time, only public IP addresses were offered for internal use. Therefore we needed to make sure we didn’t give out more than what was necessary in order to not waste the dwindling number of IPs on the internet. Once we’ve come up with an MDBMS solution for the customer, we then addressed their internet requirements. Once a solution is in place, we needed to figure out how many hosts (computers, servers, the internal router address, etc) will be connected to the internet or their internal network. Once we have the total, then we figured out what subnet mask was required to support the number of hosts on the internal network.

Quick Example: Customer needs only 20 IP addresses

Let’s start off with a quick example before getting into how to break it down. For example, if you have a customer that needs 20 IP addresses, you only really want to give them 20 IP addresses and no more.

Achieving this requires a basic understanding of the process. If you provide an IP range a subnet mask, you are telling the computer that its IP address is one of 254 IP addresses on the network. Why is that? Because the “.0” on the end of the mask is the number of hosts the mask supports, or basically says there are 254 usable IPs in that mask. The “255” portions of a mask are the number of networks. If you break down a mask of into its corresponding bits, it would look like this:


There are eight zeros to the right of the 1’s. If you take 2^8 (2x2x2x2x2x2x2x2), it equals 256. That’s how many IPs it will handle. The more zeros, the more IPs it will handle; the fewer zeros, the fewer IPs. Using the inverse, the more “1’s” in the mask, the more networks, and the fewer “1’s” in the mask, the fewer networks.

You can look at it as using a slide rule. If you put the focus on the slide in between the zero and the one, you can move it left to right. If you move the ruler to the right, it gives you more networks, but less IPs, and move it to the left, it gives you more IPs but less networks.

So the case in point, if the customer only needs 20 IPs, we don’t need a mask with eight “0’s” in it. We need less.

How many less? Good question. Convert the number 20 into binary. You will get 10100. You are not really concerned with what the actual result is, but the number of digits in the binary answer. In this answer, there are 5 digits. Therefore, that is how many “0’s” you need in the right portion of the mask. That will support the 20 IP addresses the customer needs. You say it will support more? Yes, that’s correct. Actually, five “0’s” will support 32 IP addresses. If we tried to give it four “0’s” it will only support 16 IP addresses (14 usable).


Scenario: A customer needs 50 IP Addresses

Put 50 into the calculator and find its binary equivalent.

50 is equal to 110010
All we really need of this answer is the # of bits,
which in this case is 6 bits.

So now we can put together a mask
Remember that the network bits are on the left and the host bits are to the right.

So we’ll take the 6 bits, since they represent the hosts, and put them to the right.
For the remainder of the byte (or the octet), we’ll buffer it with 1’s to the left.

Which comes out to be in this case:

We’ll now convert 11000000 to decimal (calculator or manual, whatever you

11000000 = 192

So now we have a working mask:

Which is equal to:

Now we need to determine the IP ranges.

We’ll go back to the mask:

Now we need to find the Delta.

To do that we’ll look at the binary column of the first significant bit (1)
to the left of the zeros. Which in our mask, it winds up being in the 64 column.

128  64  32  16   8   4   2   1
  1   1   0   0   0   0   0   0
The second bit above is the first significant bit (a “1”) to the left of the zeroes. It’s in the 64 column.
So we now have our Delta, which is equal to 64.

Then we’ll map out a series using the Delta, starting with 0.


We’ll now determine an IP range that is not being used, and we’ll apply that
IP range to this map.

From inventory, we look for a range that has not yet been assigned to a customer. We found this one below to assign for this customer:

Applying the IP range to the series, we find that we now have 4 IP subnets. Notice that the 64 and subsequent multiples, are actually the starting point of the next range. So the end IP address based on the Delta, is the Delta minus 1. So the first range is 0 to 63, the second range is 64 to 127, etc. Here they are laid out below. You can do this with ANY range, it doesn’t matter what range you use.  to to to to

So now we choose one of the ranges to give to our customers.
We’ll choose the first range:  to

And we’ll tell our customers that their actual usable IP range will be from: to, which winds up being 62 IP addresses. Always keep in mind, the router needs an IP, after all, how would they get off the network if they didn’t have a router?

Will this take care of the customer’s requirements?
Yes, with plenty of leftover.
Now, just to test whether a machine on one range can communicate with another, we’ll use
the “Anding” process.

We’ll choose a source host of to communicate to on these two networks..
We’ll “AND” the source IP and the source mask of then we’ll
compare the result to the “ANDING” of the destination IP and source mask

10001110.10011011.00110101.00001100 Source
11111111.11111111.11111111.11000000 Source MASK
10001110.10011011.00110101.00000000 = Result of Anding the above two.

10001110.10011011.00110101.01011010 Destination
11111111.11111111.11111111.11000000 Source Mask
10001110.10011011.00110101.01000000 = Results of Anding the above two.
Are the results equal???
No, they are not, so therefore, we can state in order for the source machine IP to communicate with the destination IP in this case, we need a router between them.
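The "Anding" comparison above, as an added Python example (not code from the original article). The dotted-decimal source, destination and mask are decoded from the binary rows shown above; the function names and the 142.155.53.40 address used in the test are hypothetical, and the mask validity check is an addition.

```python
import ipaddress

def to_int(dotted):
    """Dotted-decimal IPv4 address or mask as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_bits(value):
    """Dotted binary octets, the notation the article uses."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def is_contiguous_mask(mask):
    """A valid mask is a run of 1s followed only by 0s."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def anded(ip, mask):
    """Bitwise AND of an address and a mask: the network the address is on."""
    return to_int(ip) & to_int(mask)

def needs_router(source_ip, source_mask, dest_ip):
    """The sending host's decision: AND both addresses with the SOURCE mask."""
    if not is_contiguous_mask(source_mask):
        raise ValueError(f"{source_mask} is not a valid subnet mask")
    return anded(source_ip, source_mask) != anded(dest_ip, source_mask)

# Values decoded from the binary rows in the article.
SOURCE, DEST, MASK = "142.155.53.12", "142.155.53.90", "255.255.255.192"

if __name__ == "__main__":
    print(to_bits(anded(SOURCE, MASK)), "source network")
    print(to_bits(anded(DEST, MASK)), "destination network")
    print("router needed:", needs_router(SOURCE, MASK, DEST))
```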

Determine the # of Networks Required in a Scenario

The above was done based on the number of IPs the customer needed. Now let’s turn it around in a different scenario and determine the # of networks required in a scenario.

If a customer has 800 machines per location and they have about 30
locations, and they will be adding about 20 more locations in the next year
or so, what IP range can I give them and what mask will handle this?
Also state how many IP address that this mask will handle.

In this case, the # of networks (locations) is important and will be the
basis of this problem.

Now add 20 + 30 = 50 networks.

We’ll take the 50 and convert to binary:

Convert this to all 1’s = 111111
this is the # of network bits, so we’ll need to put this on the left in the


This will not work because the two “0’s” cannot handle 800 hosts.

So we’ll move the mask in by one octet into the third octet so it becomes a class B mask.

Which equals to:

Now we will select an IP range out of inventory:, and break it down into its corresponding subnets: to to to to to to to
ETC, up to 64 ranges

In this list, the total number of IPs per range = 10 bits, which is 1024 IPs (1022 usable).
And the total number of networks = 6 bits, which is 64 subnets.
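The network-count scenario above (30 + 20 locations, 800 machines each), as an added Python example that is not code from the original article. The 172.16.0.0 blocks are constructed samples from the RFC 1918 private space, and the function names are hypothetical.

```python
import ipaddress

def bits_for_networks(count):
    """Smallest n with 2**n >= count (50 -> 6 bits -> 64 subnets)."""
    return max(count - 1, 0).bit_length()

def bits_for_hosts(count):
    """Smallest h with 2**h - 2 >= count (800 -> 10 bits -> 1022 usable)."""
    return (count + 1).bit_length()

def plan_by_networks(base_block, networks, hosts_per_network):
    """Carve base_block into enough subnets, each big enough for the hosts."""
    base = ipaddress.ip_network(base_block)
    net_bits = bits_for_networks(networks)
    host_bits = bits_for_hosts(hosts_per_network)
    spare = (32 - base.prefixlen) - (net_bits + host_bits)
    if spare < 0:
        # The article's first attempt: 6 network bits leave only two 0s in a
        # Class C last octet, which cannot hold 800 hosts.
        raise ValueError(f"{base} is {-spare} bit(s) too small for "
                         f"{networks} networks of {hosts_per_network} hosts")
    # Any spare bits stay on the host side, so each location has room to grow.
    subnets = list(base.subnets(new_prefix=base.prefixlen + net_bits))
    first = subnets[0]
    return {
        "mask": str(first.netmask),
        "subnet_count": len(subnets),
        "addresses_per_subnet": first.num_addresses,
        "usable_per_subnet": first.num_addresses - 2,
        "ranges": [(str(n.network_address), str(n.broadcast_address))
                   for n in subnets],
    }

if __name__ == "__main__":
    plan = plan_by_networks("172.16.0.0/16", 30 + 20, 800)  # constructed block
    print(plan["mask"], plan["subnet_count"], plan["addresses_per_subnet"])
    for start, end in plan["ranges"][:4]:
        print(start, "to", end)
```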

Another example with a different number of IPs required:

Classful is easy to understand because it directly relates to the IP
address. Classless is solely based on the bits. As a matter of fact, the bits
directly relate to a classful IP anyway. It’s easy to learn once you
understand what the bits are all about. Like this:

Example of Class C Mask:
Change that to bits:

So you can see there are 24 bits in the mask, (which takes up the left 3
octets) which is the network side. The host side is always 0’s.

In that case, the 8 0’s say this mask can handle 254 hosts or IPs. That’s
a lot if someone doesn’t need that many, and is wasteful.

So say a customer only needs 20 IP addresses for their network

We’ll take the 20 and translate that to binary, which equals 10100. Not
concerned with the results, but rather how many bits are in the results,
which in this case is 5 bits.

So we’ll change the mask to handle 5 bits (which is called subnetting:), so
then it looks like this:
Which equals to (use your calculator to plug in 11100000 and change it to

So now there are 27 bits in the network side, and only 5 in the hosts side.

So the 3 octets of the network are still 24, but the last octet is chopped,
which we call subnetted. So the subnet portion is 3 bits. Make sense so far?

The 5 bits on the hosts side in binary (if all were 1’s), translates to a
maximum of 32 in decimal, so it means this mask can only handle 32 hosts,
but you can’t use the first or the last, so it really handles 30, but then
the router takes up one, so it really will handle 29 machines.

Now look at the subnetted bits, the 3 bits. That tells you how many little
networks of 30 hosts there are. 2 bits translates to 8 in decimal, so now
you just created 8 mini networks of 30 IPs each.

What are the IP address start and stop points you ask? Good question.

Look at the first significant bit in the last octet: It’s the “1” left of
the zeroes, and is in the 32 spot in binary.

The bits are as such:
128 64 32 16 8 4 2 1

So that first “1” is in the 32 spot. That is what we call our “Delta” in
this case.

So we’ll chart it out:

So let’s plug in an IP range, say
The first range will be: to to to to to to to to
So there are 8 usable ranges.

Make sense?
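The host-count method used in both the 50-address scenario and the 20-address example above, as an added Python example (not code from the original article). The 192.0.2.0/24 block is a constructed sample range and the function names are hypothetical; the extra check covers requests such as 31 hosts, where counting binary digits alone gives a subnet one address short.

```python
import ipaddress

def host_bits_for(hosts_needed):
    """Host bits by the digit-counting method, plus a usable-address check."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    bits = hosts_needed.bit_length()      # 20 -> 10100 -> 5, 50 -> 110010 -> 6
    # The first and last address of a subnet are not assignable, so
    # 2**bits - 2 must cover the request. Counts such as 31 or 63 need one more bit.
    if (1 << bits) - 2 < hosts_needed:
        bits += 1
    return bits

def plan_last_octet(base_block, hosts_needed):
    """Split a /24 in its last octet; return the mask, Delta and ranges."""
    base = ipaddress.ip_network(base_block)
    bits = host_bits_for(hosts_needed)
    if base.prefixlen != 24 or bits > 8:
        raise ValueError("this sketch only subnets a /24 within its last octet")
    delta = 1 << bits                     # column of the lowest 1 bit in the mask
    subnets = list(base.subnets(new_prefix=32 - bits))
    return {
        "mask": f"255.255.255.{256 - delta}",
        "delta": delta,
        "usable_per_subnet": delta - 2,
        "ranges": [(str(n.network_address), str(n.broadcast_address))
                   for n in subnets],
    }

if __name__ == "__main__":
    for needed in (50, 20, 31):           # constructed requests
        plan = plan_last_octet("192.0.2.0/24", needed)  # constructed sample block
        print(needed, plan["mask"], plan["delta"], plan["ranges"][:2])
```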

Keep in mind, with this mask, if a machine, or tries to communicate with a machine, or, you’ll need a router because they are on different
networks. That is because the mask defines the network it’s on and how many IPs it can

This was a simple example. This can be used too for the third octet. If you
want to have say 900 hosts, it will be equal to 1110000100, which is 10
bits, and the mask would look like this:

Which is equal to:

See what I mean? The rest is up to you!

Just apply this to what that article is talking about.


Related Links


Google Search: “IP subnetting history”

Request for Comments: RFC 1918 – Address Allocation for Private Internets, Network Working Group, 1996
Describes address allocation for private internets. The allocation permits full network layer connectivity among all hosts inside an enterprise as well as among all public hosts of different enterprises

IP Subnetting, A Graphical Approach – Part 1

IP Subnetting, A Graphical Approach – Part 2

Subnetting Part 1