What DNS Zone type should I use, a Stub, Conditional Forwarder, a Forwarder, or a Secondary Zone?? What’s the Difference??

By Ace Fekay
Originally Published 2012
Updated 3/20/2018

Intro

Ace again. DNS is a basic, yet important requirement that many still having problems wrapping their head around it.

Besides design, a huge part of DNS is understanding the differences between the zone types. Many have asked, when do I use a Stub zone, a Conditional Forwarder, or a Forwarder? Or better, what’s the difference?

I thought to put this simple comparison together compiled from past posts in the TechNet Forum.

Partner Organization DNS Resolution: What should I use, a Stub, Conditional Forwarder or Forwarder?

Secondary Zone

Secondary zones are read only copies “copied,” or “zone transferred” from a Master zone. This makes the zone data available locally (as read only, of course), instead of querying a DNS server across a WAN link. However, in many cases Secondaries are not used due to many limitations and security concerns, such as exposing all DNS zone data that a partner may not want to divulge.

In addition, Secondaries can’t be AD integrated, and the zone data is stored in a text file. So you would have to manually create a copy on all of your DNS servers.

Stub Zone

Organizations own their own AD zones. When business partners need to resolve data at a partner’s organization, there are a few options to support this requirement. Years ago, prior to Stub or Conditional Forwarders, there weren’t many options to handle this other than to use Secondary Zones and keep copies of each others zones via zone transfers.  While the solution worked well in regards to name resolution, it was not the best security-wise, due to trust level between partners, because zone data is fully exposed at the partner. This became a security concern because the partner is able to see all of their business partner’s records. When the zone was transferred to partners, who knows what they were doing with the information. If the information was made public, attackers would have a field day with all of the IPs for the networked devices.

When stub zones were made available, it became a solution to overcome this security issue. What is also beneficial about Stubs, is you can AD integrate them instead of manually creating a Stub on each individual DC. This way the zone will be available domain or forest-wide, depending on replication scope.

However, some may say due to the fact that the SOA records are included in the zone file, it may be a concern that the SOA and NS data is exposed. In such high security concerns, the better solution would be to use a Conditional forwarder.

Conditional Forwarder

This option is heavily used, and many look at them as the best regarding security concerns with zone data exposure, because no data is exposed. This option has worked very well in many environments.

With Conditional Forwarders, no information is being transerred and shared. The only thing you would need to know is one or more of your business partner’s DNS server IPs to configure it, and they don’t have to be the SOA, rather any DNS server that hosts the zone or that has a reference to the zone.

However, it does require open communication and let each other know when their DNS server IPs may change, because you must manually set them.

Windows 2003 introduced Conditional Forwarders, but it did not have the option to make it AD Integrated. If you have 10 DNS servers, you must create the Conditional Forwarder on each server manually. The AD integrated option was added to Windows 2008 or newer DNS servers, so you don’t have to manually create them on each DNS server. THis way the Conditional Forwarder will be available domain or forest-wide.

Parent-Child DNS Zone Delegation

Delegation can be used in a situation where a child domain host their own DNS zone.  Therefore in the forest root domain, you would create a delegation zone with the IPs of the DNS servers in the child domain.  This is normally performed when the child zone have their own administrators. It’s also useful they do not have access to “see” all of the forest root DNS records.

Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Active Directory DNS Single Label Names

Intro

Hey everyone, Ace again. Let’s discuss this issue. I hardly see this issue any more, because it was a previously prevalent when Active Directory was introduced, since there were some confusion about AD domain naming, and many IT admins used NT4’s domain naming guidelines. Man of us are now familiar with AD’s naming convention, and have more than likely renamed or rebuilt their AD domains. However, there are still some installations with this issue. 

How did it happen? Many reasons, such as lack of research on AD’s DNS requirements, assumptions, or a simple typo when originally upgrading from NT4 or promoting your new AD domain. It doesn’t matter now, because you were brought here to find out what to do with it.

I hope you find this blog informative on this issue and what to do about it.

First, let’s discuss a little background on the necessary components at play…

FQDN

First, let’s discuss the FQDN. What is an FQDN? It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchal, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?
The name is reminiscent of the legacy style NT4 domain NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

Unfortunately, since this does not work with DNS, and Active Directory relies on DNS, therefore, it does not work with Active Directory. Stay with me. I’ll explain…

DNS

DNS is a hierarchal database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc, name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc). The Root domain name, such as com, edu, net, etc, is also known as the TLD (Tope Level Domain name).

Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirment for an FQDN domain name, such as microsoft.com, is two levels. Then of course are your resource names, such as www, servername, or even child domain names under it.

Notice with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name, that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 wasn’t reliant nor did it use DNS for NT4 domains. However, AD is reliant, therefore it must follow DNS naming rules.

Unfortunately the old NT4 style names are not hierarchal because there is only one level.
 
Since AD requires and relies on DNS, and DNS is a hierarchal database, a single label name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because it does not follow the proper format for a DNS domain name, such as domain.com, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Woods. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.

How did it happen? As I said earlier, it doesn’t matter now, because you were brought here to find out what to do with it.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/kb/555040

Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ, it’s using NetBIOS to join, however remotely, it’s relying on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.

Period. Why? good question. It’s based on the fact DNS is hierarchal. Hierarchal meaning it must have multi levels, a minimum of two levels.

The TLD (top level domain) is the root name, such as the com, net, etc., names. The client side resolver service algorithm (which is governed by the DHCP Client service which must be running on all machines, static or not),
relies on that name for the basis to find the second level name (the name “domain” in domain.com, etc.). If the name is a single label name, it thinks THAT name is the TLD.

Therefore it then hits the Internet Root servers to find how owns and is authoritative for that TLD.Such as when looking up Microsoft.com. It queries for the COM portion, which the roots return the nameservers responsible for the COM servers, then it queries for the servers responsible for Microsoft.com zone.

If it’s a single label, the query ends there, and it won’t go further. However what is funny (sic) is that even though the single label name is being hosted locally in DNS, it will NOT query locally first, because it believes it is a TLD, therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the internet Root servers.

How to fix it? Good question. Glad you’ve asked.

  1. The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.
  2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).
  3. As a temporary resort, you can use the patch or band aid registry fix to force resolution and registration that is mentioned in the following link. This must be applied to every machine. Unfortunately it must be done on every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684

Single Label Names and being a better Internet Neighbor

The following was posted by Microsoft’s Alan Woods in 2004:

Single label names, from Alan Woods, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over Single labled. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this.  We will support you but
it the end results could be limiting as an end results depending on the
services you are using.

Thank you,

Alan Wood[MSFT]

 

Related Articles – Even though they seem old, they STILL APPLY!!!

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

============================================================

Summary

I hope this helps!

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Active Directory’s Reliance on DNS – Why not to use your ISP’s DNS

Intro

Ace again. Time to re-hash why DNS is important, or actually, NEEDED for Active Directory, and Azure AD .

Consider this….

You wake up and get ready for work. You sit down and have a bowl of cereal. You crack open a full gallon of milk. Now there’s a little less in the gallon, but you know you have plenty of milk for the next couple of days. You walk out of your house and drive off to work. Upon returning, you find the milk is missing. You know you had some milk left over when you left for work in morning. You walk out front and see your neighbor just happens to be outside. You walk over to him and ask him, “Do you know what happen to my milk?” He just stares at you not knowing what you’re talking about.

Can your neighbor, an outside entity to your internal household, respond to that? The same thing is occurring when you use an outside DNS server in your NIC properties (whether on the DC, member servers and/or client machines). If  the machines are set to use an outside DNS address, then your machines are literally asking an outside entity, “What’s the IP address of my domain controller?” The outside DNS servers do NOT have that answer.

Using an ISP’s DNS

What will happen if you use an ISP’s DNS address, or a router as a DNS address on a DC or client machine, is the machine (whether a DC or client), will ask the ISP’s DNS, “What is my DC’s IP address? I need to know because I would like to send a logon request.” The ISP’s DNS doesn’t have that answer. Their DNS servers do not host the your internal AD zone name therefore, they have no information about your internal AD network. It’s like me asking that guy down the street that I’ve never met, “Hey you, where did all the beer or milk go in my refrigerator?” He won’t have that answer either. 🙂

I’ve read and responded to numerous newsgroup and forums posts requesting assistance, as well as new customers I’ve been called upon to fix issues, with such complaints as taking a long time to login, can’t access printers or mapped drives, Outlook fails to find the Exchange servers, among other issues.

I’ve also seen other errors such as GPOs not working, can’t find the domain, RPC issues, Exchange profusely failing and its services not wanting to start, users complaining they can’t get their emails, etc, when the ISP’s DNS servers are listed on a client, DCs and/or member servers, or with  DCs.

After a short investigation, I’ve come to find that the domain controllers network properties have included either an ISP’s DNS address, the ISP’s router’s IP address, or some other external DNS server as an IP address in the NIC’s properties. I’ve also observed that using a non-internal DNS addresses were also found on internal company desktops and laptops, whether the IP configuration was set by a static entry, or from DHCP (DHCP Option 006).

This type of configuration can and will lead to numerous issues with a Active Directory, from authentication issues, replication issues, to much more.

I hope this explanation provides a greater understanding on how it all works and exemplifies to not ONLY use the internal DNS server for all internal machines, but as well as in the VPN’s DHCP service for VPN clients. Keep in mind, a client machine plugged in at home, using an air card, or say sitting at Starbucks, will probably be configured with an ISP’s anyway if outside the network. That is fine. If using a VPN connected to the office, the VPN client will use that DNS to find the VPN server for your network. But once the VPN authenticates and connects, the VPN will be configured with your company’s internal DNS servers on its interface, and because the VPN interface by default is the first in the binding order, therefore the first interface it will use, will be able to logon to the domain and authenticate to the domain in order to access internal resources, which is what you want it to do.

The Usual Suspects That Can Cause Issues with AD Communications, long logon times, etc

Here is a summarized list of possible causes, but NOT limited to:

  1. Single label name Active Directory DNS domain name (extremely problematic).
  2. SRV records missing. This can be due to DNS or network interface card (NIC) mis-configuration.
  3. Disjointed namespace.- AD domain name doesn’t match the Primary DNS Suffix and/or the zone name.
  4. Using an ISP’s or some other DNS server that is not hosting the AD zone or that doesn’t have a reference to it, in IP properties of the DCs and clients.
  5. DHCP Client service disabled on the DCs (a required service even if statically configured)
  6. DCs are possibly multihomed. A multihomed DC has more than one unteamed NIC, more than one IP and/or RRAS installed such as for VPN purposes, which makes it problematic if not configured properly (more info on this below).
  7. A third party firewall or security application is installed blocking traffic.
  8. Antivirus software blocking functionality
  9. Antispyware blocking functionality

AD & DNS Configuration

When I’ve visited a customer site to fix issues and noticing the DNS entries are incorrect on the DC(s), upon interviewing the parties involved that had configured the machines, simply stated they were not aware of this requirement.

Usually it simply comes down to a simple misunderstanding of AD and how DNS works, as well as the Client Side Resolver Service.  Some ISPs will tell their customers that they need to use the router as a DNS address, or that they need to use their DNS servers out on the internet, or they warn them that they will not resolve internet names. The ISP customer service reps are not well versed with how AD and DNS works, and frankly provide misguided advise.

Keep in mind, if a DC goes down for whatever reason, or simply not be available because the clients can’t “find” the DC,, so will your Exchange server, AD domain functions, mapped drive access, printer access, etc. If the DC actually went down, such as hardware failure, this is a worst case scenario and wouldn’t matter to config your machines with the ISP’s DNS. If you need, you can configure your own workstation to the ISP’s during such a crisis in case you need outside communication to research the problem, but you must change it back to your internal DNS once you’re done researching the issue and/or you’ve fixed the problem.

FYI about AD, DNS, authentication, finding the domain, GPOs, RPC issues,ISP’s DNS servers, etc

Active Directory stores it’s resources and service locations in DNS in the form of SRV records (those folder names with the underscores in them). These records are used for a multitude of things, such as finding the domain when a client logons, domain replication from one DC to another, authentication, and more.

If the ISP’s DNS is configured in the any of the internal AD member machines’ IP properties, (including all client machines and DCs), the machines will be asking the ISP’s DNS ‘where is the domain controller for my domain?”, whenever it needs to perform a function, (such as a logon request, replication request, querying and applying GPOs, etc). Unfortunately, the ISP’s DNS does not have that info and they reply with an “I dunno know”, and things just fail. Unfortunately, the ISP’s DNS doesn’t have information or records about your internal private AD domain, and they shouldn’t have that sort of information.

Therefore, with an AD infrastructure, all domain members (DCs, clients and servers), must only use the internal DNS server(s).

If for instance a user wanted to log on, part of the logon process involves the machine to find where the DCs are. The machine will ask DNS, “Where is my domain controller?” If the machine is properly set to use only the internal DNS servers, it will be able to respond with an answer, thus the user can logon.

If the machine asks the 4.2.2.2 DNS server, “Where is my domain controller?”, will it have that answer? No, unfortunately not.

Also, it is highly recommended to not use your firewall or router as a DNS or DHCP server. If you are using your NT4 as a DNS server in your AD domain, change it over to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD’s SRV requirements and dynamic updates. Windows DHCP service supports additional features for DNS Dynamic updates, as well as other features, that a router or firewall’s DHCP server does not support.

 

Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider’s (ISP’s) DNS servers or any other DNS other than the DNS hosting the AD zone, otherwise…
http://smtp25.blogspot.com/2007/05/do-not-configure-dns-client-settings-on_818.html

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (whether it was upgraded or not, this is full of useful information relating to AD and DNS, among other info):
http://support.microsoft.com/?id=555040

The DNS Client Side Resolver Service

Another question that has come up is, “Why can’t I use the ISP’s address as the second entry?” This will cause problems as well, due to the way the client side resolver works, which is the resolver service that runs on all machines – DC or workstation – that queries DNS and what to do with the answer. Yes, the domain controller, too, after all the domain controlleris also a DNS client, because it will query DNS to “find” itself.

The Client Side Resolver will query the first DNS server listed in the NIC’s properties. If that server doesn’t respond, it will remove it from the ‘eligible resolver list” for 15 “minutes and go on to the next one in the list. So say if the client happens to try to authenticate to AD in order to access a printer, and it’s stuck on the ISP’s, it will fail to connect until the 15 minute time out period expires and the list resets.

To summarize, if there are multiple DNS entries on a machine (whether a DC, member server or client), it will ask the first entry first. If it doesn’t have the answer, it will go to the second entry after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the eligible resolvers list, and won’t go back to it for another 15 minutes at which time the list is reset back to the original order. This can cause issues within AD when accessing a resource such as a printer, folder, getting GPOs to function, etc. Now if the ISP’s is the first one, obviously it will be knocked out when a client is trying to login. This can be noticed by a really really logon time period the client will experience before it goes to the second one, your internal DNS. Therefore, the first one is knocked out for 15 minutes. Then let’s say the client decides to go to an internet site. It will be querying the internal DNS at this point. As long as the internal DNS is configured with forwarders to an outside DNS, or using it’s Root Hints, it will resolve both internal and external internet addresses.

In summary, based on the way the client side resolver service algorithm works, you simply can’t mix an ISP or some other DNS server that doesn’t host the AD zone name or have some sort of reference to it, whether using a conditional forwarder, stub, secondary or general forwarder, or expect problems. Read the following for more detail and understanding of the client side resolver service algorithm.

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

Then if I don’t use the ISP’s DNS address in my machines, how will it resolve internet names?

For Internet resolution, the Root Hints will be used by default, unless a root zone exists. The root zone actually looks like a period that you normally type at the end of a sentence, such as a  dot “.” zone. If a root zone exists, delete it, and restart the DNS server service.

Therefore, the recommended “best practice” to insure full AD and client functionality is to point all machines ONLY to the internal server(s), and configure a forwarder to your ISP’s DNS server properties (rt-click DNS servername, properties, Forwarders tab). This way all machines query your DNS and if it doesn’t have the answer, it asks outside. If the forwarding option is grayed out, delete the Root zone (that dot zone). If not sure how to perform these two tasks, please follow one of the articles listed below, depending on your operating system, for step by step.

300202 – HOW TO Configure DNS for Internet Access in Windows Server 2000 (Configure Forwarding) :
http://support.microsoft.com/?id=300202

323380 – HOW TO Configure DNS for Internet Access in Windows Server 2003 (Configure Forwarding) :
http://support.microsoft.com/?id=323380

How to Configure Conditional Forwarders in Windows Server 2008
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2
http://technet.microsoft.com/en-us/library/cc754941.aspx

DNS Conditional Forwarding in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

825036 – Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?id=825036

 

Multihomed Domain Controllers

Another issue I’ve encountered is when a non-SBS domain controller has been configured with mutiple NICs, IP addresses, and/or RRAS. This is another problematic configuration that is dubbed as a “multihomed domain controller.” Multihomed DCs are extremely problematic if not configured correctly, however to configure one correctly involves a multitude of steps including registry changes to alter DNS registration. However, this blog is not intended to discuss multihomed DCs, rather to discuss using an ISP’s DNS address in your network. For more information on multihomed DCs, please read the following link to my blog on it, and how to configure it.

Multihomed DCs with DNS, RRAS, and/or PPPoE adapters:
http://blogs.dirteam.com/blogs/acefekay/archive/2009/08/03/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

 

Summary

If you have your ISP’s DNS addresses in your IP configuration (all DCs, member servers and clients), they need to be REMOVED and ONLY use the internal DNS server(s). This will cause numerous problems with AD.

 

Related Links

291382 – Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?id=291382

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (whether it was upgraded or not, this is full of useful information relating to AD and DNS, among other info):
http://support.microsoft.com/?id=555040

Domain Controller’s Domain Name System Suffix Does Not Match Domain Name:
http://support.microsoft.com/?id=257623

Clients cannot dynamically register DNS records in a single-label forward lookup zone:
http://support.microsoft.com/?id=826743

300684 – Information About Configuring Windows 2000 for Domains with Single-Label DNS Names
http://support.microsoft.com/?id=300684

828263 – DNS query responses do not travel through a firewall in Windows Server 2003:
http://support.microsoft.com/?id=828263

============================================================

Summary

I hope this provided a good understanding of DNS!!!

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2] clip_image0043[2] clip_image0063[2] clip_image0083[2] clip_image0103[2] clip_image0123[2] clip_image0143[2] clip_image0163[2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

How to Create a Delegated Subnet Reverse Zone

You really, really want to host your public DNS records? If you do, you may also want to host your public IP range, instead of having to call your ISP every time you need a reverse (PTR) entry created or updated.

The key thing is setting the NS records in your zone file to the nameservers that are authorative for the zone based on ARIN and remove all iterations of your own nameservers.

Follow the syntax to create the delegated subnetted zone by using the syntax for “Child subnetted reverse lookup zone file” in the following article. But you must keep in mind, this MUST be done using a Standard Primary zone, so if it’s an AD Integrated zone, you must revert it to a Standard Primary zone so you can work on the zone files. Once you’re done you can change it back to AD Integrated, if you so desire.

How to configure a subnetted reverse lookup zone on Windows NT, Windows 2000, or Windows Server 2003
http://support.microsoft.com/kb/174419

Let’s try this example:

IP Subnet example: 192.168.10.160/27 (or 255.255.255.224)
IP Subnet Range:   192.168.10.160 to 192.168.10.191

If you take a look at that KB article I posted, it shows the exact steps needed to create it. That’s how I did it!

Let’s see if I can do it for your subnet range. I am not guaranteeing it will work, because it’s also reliant on how your ISP has it delegated.

Your IP subnet,  192.168.10.173 /255.255.255.224, indicates it is part of a range starting with 192.168.10.160 to 192.168.10.191, which give you 32 addresses in the range, 30 usable, assuming one is of course the router (gateway), which makes it 29 usable IPs.

Therefore, if this range was delegated to you, then the key IP to look at, which actually “Describes” the network block, as 192.168.10.160/27 or 192.168.10.160/255.255.255.224.

Based on the above:

Let’s run through the steps…

  1. Ask the ISP to delegate the subnetted zone, 192.168.10.160/27 to your hostname servers (you need two of them).
  2. Then to create the zone name, we must base it on your subnet starting IP and the subnet bit count.
  3. The IP subnet is  192.168.10.160/27
              The starting IP of this subnet = 192.168.10.160
              The bit count of this subnet = 27
    Therefore the syntax will be:
              <SubnetStartIP>-<SubnetBits>.10.168.192-in-addr.arpa
               OR
              160-27.10.168.192.in-addr.arpa.dns zone
  4. Based on that, create an ARPA (reverse) zone called 160-27.10.168.192.in-addr.arpa.dns zone.
  5. Then save it as a Standard Primary Zone (not an AD Integrated zone).
  6. Stop the DNS Server Service – In the DNS console, right click the server name, choose Stop.
  7. Then go into the file (system32\dns folder), and change all NS iterations from your server.InternalDomainName.com to the ISP’s. such as ns.ISP’sAuthorativeServer.com.
    (Please read the KB article for more information on how the zone file should be configured.)
  8. Save the file.
  9. Then Start the DNS Service – In the DNS console, right click the server name, choose Start.
  10. Then right-click the zone, choose Reload.
  11. Then right-click the zone, properties, Nameserver tab, remove your own server as an NS record only keeping the authorative server.
  12. Create a PTR record, such as for 192.168.10.173, under the zone, and call it whatever you want, such as ace.WhateveYourZoneNameIs.com.

Test it

Run nslookup or DIG to test a query to 192.168.10.173 internally and trying it using an external public nameserver.

If it doesn’t work, go through the above steps again. Follow the syntax EXACTLY.
If it does work, pour yourself a cold one.

 

References:

Technet Thread: “How to setup a Reverse lookup zone on windows 2008 server with IP address 65.19.134.173 and subnetmask 255.255.255.224.”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/7c81a129-efa2-4b88-80bb-591c4119beb4/

Thread title: “Reverse DNS smaller than /24 (v4)”
 http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/4147e8fe-43d8-4eff-a890-a0e1e31a96ea/#bd664835-05b3-4d53-9b08-d845b177d9d2

 

By Ace Fekay

Comments are welcomed.

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor
   www.delcocomputerconsulting.com

DNS Dynamic Updates in a Workgroup

==================================================================
==================================================================
Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor

www.delcocomputerconsulting.com

Prelude

So the machines and devices you want to register into DNS are not in an Active Directory. Therefore, that means none of your Windows computers have been configured with a Primary DNS Suffix. When you join a computer to a domain, one of the many things that occur on the computer is that the Primary DNS Suffix is automatically configured, which matches the name of the AD DNS domain name, which should also be identical to the DNS zone name.

And further, as we already know, that’s what a computer needs to register into a zone with the same name. If you weren’t aware of this basic requirement, you can catch up on how Dynamic DNS registration works by reading my other blog:

AD & Dynamic DNS Updates Registration Rules of engagement
https://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement

Primary DNS Suffix

However, workgroup computers normally do not have a Primary DNS Suffix, unless you’ve already manually configured all of them. Neither do other devices, such as mobile phones, tablets and other non-Microsoft products.

No fret. We can make this work without a Primary DNS Suffix. After all, non-Windows devices, such as phones and tables, do not have such a setting to configure.

There are actually a number of ways to get this to work. One way is to force the Primary DNS Suffix on your Windows workgroup computers by using a registry script (outlined later below). However, that will only be good for your Windows computers. What about those non-Windows devices?

To register your Windows computers and non-Windows devices, an easier way to go about it is to use Windows Server DHCP to register all leases into the DNS zone. We can do this by using the DHCP service on a non-AD joined Windows Server configured with DHCP credentials, DHCP Option 015, and configured to force all leases to register into the zone whether the device has the ability to register on its own or not.

The credentials allows DHCP to own the record, so in case the device leaves and returns at a later date and gets a new IP, the DHCP service can update the old host record in DNS with the new IP. Without credentials, the device will update, but it may not be able to update its old record, which then you may wind up with duplicate host entries in the zone. Of course, we wouldn’t want that.

Use Windows DHCP to Force Register All Leases

The first thing we need is a Windows Server with the DHCP and DNS services installed and running. To provide a 30,000’ view of what’s involved, we start by creating a regular, non-Administrator, local user account on the server that will be used to configure the DHCP scope to use as credentials for registration. And to stress what I just said, it does NOT have to, nor should it be, an Administrator account. It should just be a plain-Jane user account, but give it a really strong password. In an AD domain environment, the credentials would be a plain-old AD Domain User account. But in this case, it’s a local User account. Then configure DHCP to force update all records, whether the entity can register or not.

Zone’s NS & SOA Entries

For the DNS service to properly work, the DNS server itself must have its own host (A) record reregistered into the zone, as well as registered its record as an NS record in the zone’s properties. This means that the Windows server DNS is installed on, must be configured with a Primary DNS Suffix matching one of the zones that DNS will be authoritative for (meaning that DNS is hosting the zone). We usually pick the main zone for the company environment. Once configured, then this part will automatically occur. If it doesn’t have a Primary DNS Suffix, then this automatic part will not happen.

You can easily tell if any Windows computer has a Primary DNS Suffix by a simple ipconfig /all, however I’m sure you already know if your server has one configured one or not, since this must be manually done on a workgroup computer. As stated, an AD joined computer (server or workstations) will automatically configure itself with a Primary DNS Suffix that matches the AD DNS domain name,

Detailed Steps:

  1. First, assuming you haven’t already installed DNS and created a zone in DNS, let’s go ahead and install and create your zone.
  1. You can install the DNS service Role (yes, it’s a Role, not a Feature), using Server Manager in Windows Server 2008, 2008 R2, 2012, and newer.
    Install a DNS Server
    http://technet.microsoft.com/en-us/library/cc725925.aspx
  2. Once installed, create your zone, such as adatum.com. Also in the zone properties, make sure you allow Updates. And note, with DNS on a non-DC, the only option you have is either “None,” or “Nonsecure and secure.” You have no choice other than “Nonsecure and secure.”
    (Click image to see a larger version of the image in a new window)
  • Obviously it’s important that the DNS & DHCP server is set to a static IP configuration. Pick an IP, and stick to it. Then make sure that the server itself is ONLY using its own IP for DNS entry in its NIC. No others must be in here, otherwise you’ll get unexpected and possibly undesired results.
    (Click image to see a larger version of the image in a new window)
    1. I need to stress that this is extremely important.
    2. If you have any computers in the environment that have a static IP address configured (not getting an IP from DHCP), you must also make sure they are configured with only your own Windows DNS server’s IP.
    3. If you’ve configured it with your ISP’s DNS, because you thought that’s what you need for internet resolution, then that’s wrong, and more importantly, that computer will not register nor be able to resolve internal hosts. 
    4. Same thing using your router (either ISP provided, or something you bought from a retail store such as a Linksys, Dlink, etc). Do not use your router as a DNS address. They are not DNS servers, and they only proxy to an external DNS, which is useless if you are running DNS internally.
    5. And no, you CAN’T mix internal and external DNS entries. It doesn’t work that way. It’s not a DNS server thing, rather it’s based on a DNS client, specifically it’s based on how the client side resolver algorithm works. For a technical explanation for the technically curious, please read my blog explaining it:
    6. http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

    7. The DNS server can use Root Hints to resolve internet names. Or you can configure a Forwarder:
    8. Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2 (Includes info on how to create a forwarder)
      http://technet.microsoft.com/en-us/library/cc754941.aspx
      (Click image to see a larger version of the image in a new window)

  • Configure a Primary DNS Suffix on your Windows Servers that’s hosting DNS. To do that:
    Go to Start
    Right-click Computer, properties
    In the computer name tab click change settings
    Then click change
    Then click More
    Type your domain name here.
    Click Ok a few of times, and restart the server.
    (Click image to see a larger version of the image in a new window)

  • After the restart, make sure it registered into the your zone, for example, contoso.com. You can simple check by running an ipconfig /all. Look for the Primary DNS Suffix name.
    (Click image to see a larger version of the image in a new window)

    For more information on all the info that an ipconfig /all provides, please read the following:
  • Why do we ask for an ipconfig /all, when we try to help diagnose AD issues and other issues?
    https://blogs.msmvps.com/acefekay/2013/03/02/why-do-we-ask-for-an-ipconfig-all-when-we-try-to-help-diagnose-ad-issues/

  • In the contoso.com zone properties, Nameserver tab. Make sure it registered itself. If not, manually add it by clicking Add, then type in the server’s FQDN, and click Resolve. If all things are configured correctly, then it should resolve it. Click OK.
    (Click image to see a larger version of the image in a new window)
  • On the “Start of Authority (SOA)” tab click “Browse…” next to the Primary server field and browse for the server’s A record in the contoso.com zone. Click OK.
    (Click image to see a larger version of the image in a new window)
  • Repeat step 4 for the reverse zone, and any other zones you’ve created in DNS.
  • DHCP Options
    1. DHCP Option 015 must be set to your zone, such as adatum.com. This provides a way to work for the interface to use that zone for registration, as well as for the DHCP server to use it to register into the zone.
    2. DHCP Option 006 must be set to only your internal DNS servers. Do not use your router as a DNS address (it’s really not a DNS server anyway), or your ISP’s DNS servers.
      (Click image to see a larger version of the image in a new window)
  • Configure scavenging. The scavenging NoRefresh and Refresh values combined should add up to or greater than the lease length. For example, if the DHCP lease length is 8 days, then the NoRefresh value should be 4, and the Refresh value should be 4.
    More info:
  • Good article by Sean Ivey, MSFT:
    How DNS Scavenging and the DHCP Lease Duration Relate
    (Make the NoRefresh and Refresh each half the lease, so combined, they are equal or greater than the lease).
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

  • In DHCP properties, DNS tab (note -this tab is actually DHCP Option 081, even though it doesn’t say it), choose to force DHCP to update all records whether a DHCP client asks or not. And configure it to register records for machines that can’t.
    (Click image to see a larger version of the image in a new window)
  • Configure a user account to be used for DHCP Credentials (as I said above), then go into DHCP, IPv4, properties, Advanced, Credentials, and enter the credentials.
    (Click image to see a larger version of the image in a new window)
  • Restart the DHCP service.
  • It should now work.
  •  

    Example of what you should see after it’s configured and working:

    (Click image to see a larger version of the image in a new window)

    Other notes and references:

    There are a number of ways to get this to work. Read the following discussion for more info:

    Technet thread: “Server 2008 R2: DNS records not dynamically registering in workgroup situation” 12/31/2010
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2380872f-2e71-49eb-8fbb-87f980920fc7/

    Registry summarized:

    Not that this will work for your non-Windows devices, but I’m providing this information if you want to only configure your Windows computers.

    You can create and remotely run a registry script for the interface on the workgroup machines using a tool called PSEXEC (free download from Microsoft). Of course you must have the local admin account credentials on all your computers to run this remotely, and the remote Registry service started, and possibly antivirus software and Windows firewall configured to allow this.

    You’ll want to target and populate the following two registry entries with your zone name, such as adatum.com:

    • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain
    • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain

    Using the above two keys, try this VB script:
    SET WSHShell = CreateObject(“WScript.Shell”)
    WSHShell.RegWrite “HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain”, “adatum.com“, “REG_SZ”
    WSHShell.RegWrite “HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain”, “adatum.com“, “REG_SZ”

    If you are in an AD Environment

    Oh, and if you’re curious how DHCP should be configured in an AD environment to force updates, etc, read my blog on it, please:

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a “pen” icon, and more…
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM  3758  2 
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

    Summary

    I hope you’ve found this helpful. Any suggestions, errors, comments, etc., are all welcomed!

    Ace Fekay