DNS and Reverse Lookup PTR Records - Server 2003

    Question

  • This network was set up before I came on board about a month ago, and I am trying to get a handle on some things like the DNS Reverse Lookup.

    The company uses Spiceworks, which is a free web-based program to gather information on each device on the network, and it has a helpdesk ticket app in it that they use.  I am not getting all the devices on the inventory list in Spiceworks, and one of the reasons is because Reverse Lookup was not configured.  So I configured it to the best of my knowledge; I have not done it in the past, so with the help of KBs I have it set up.

    Configuration of the DC01 server that has DNS on it (DC02 also has DNS on it and is configured the same way):

    General: 

    Status: Running,

    Type: Active Directory-integrated, 

    Replication:  All domain controllers in the AD domain,  

    Dynamic updates: Secure only

    Start of Authority(SOA):

    Serial number 10,

    Primary server: HS-DC01.HSC.local for dc01 (name changed to protect the company :) ), HS-DC02-HSC.local for dc02

    Responsible person: hostmaster.HSC.local,

    Refresh interval 15 minutes,

    Retry interval 10 minutes,

    Expires after 1 day,

    Minimum (default) TTL 1 hour, TTL for this record: 0:1:0:0

    Name Servers:

    HS-DC02.HSC.local              (10.10.1.14*)

    HS-DC01.HSC.local              (10.10.1.13*)

    Wins-R:

    Nothing checked (not using WINS)

    Zone Transfers:

    Nothing checked off. Not sure if I need to Allow Zone Transfers, and if I do, do I add the 10.10.1.14 to the DNS on DC01 and 10.10.1.13 to the DNS on DC02?

    Security: local admin, authenticated users, domain admins, enterprise admins, enterprise domain controllers, Everyone (read only for everyone), Pre-Windows 2000 compatible access and system. 

    When I first set Reverse Lookup up, the following appeared in the DNSMGMT console on both DCs' DNS screens:

    Reverse Lookup Zones with 10.10.1.X subnet underneath it.

    10.10.1.X Subnet had

    (same as parent folder)            Start of Authority (SOA)  and Data info

    (same as parent folder)            Name Server (NS)   and data info

    10.10.1.103                             Pointer (PTR)          and data info (I did not add this one and am not sure why it showed up)

    I went in and added 10.10.1.13 Pointer (PTR) for the first DC. 

    Then I went into the second DC and added 10.10.1.14 Pointer (PTR).

    Both of those pointers showed up in DNS on both DCs, so I have 5 items in DNSMGMT on both DCs' DNS screens, so it looks like they are syncing.

    About an hour later, after I had to do some other things, I went into DNSMGMT and noticed that another PTR showed up.  

    I was thinking that since I have "Dynamic updates: Secure only" it would add all the other computers to the list; however, it has been over an hour and no other PTRs have appeared in the Reverse Lookup Zone.  Do I have to manually go in and add each device?   I sure hope not.

    When I do an NSLOOKUP hs30 I get:

    Server: HS-DC01.HSC.local

    Address: 10.10.1.73

    However, when I do NSLOOKUP 10.10.1.73 I get:

    Server:HS-DC01.HSC.local 

    address: 10.10.1.13

    ****HS-DC01.HSC.local can't find 10.10.1.73: Non-existent domain

    Why is that if I configured the reverse lookup zone?  Or could it be related to what is happening in the next paragraph?

    In reading another post from someone who had a similar problem, one of the replies to this person's post mentioned " On the DHCP server properties there is an option to configure user credentials.  If that is set to a user account make of the following......"   

    For some strange reason (again, I was not here when the network was set up), the SonicWall firewall has the DHCP configuration on it.  DHCP is NOT configured on either of the DCs.  Could this be the reason Reverse Lookup is not working properly?  The problem I have is that no one here knows the password to get into the SonicWall web-based program to do any configuration changes. The consulting company that set up the SonicWall tells me that the password is one thing, and it is not, and they are not cooperating with me.  As far as we know there is no backdoor entry to the SonicWall like there is if you had a Cisco unit; you have to reset the unit and start all over again, and I am not willing to do that at this point since I don't know what settings are there (VPN, DHCP, and I do not want to mess anything up; this is a 24/7/365 operation and it cannot afford to be down one minute).

    If anyone can help me out I would greatly appreciate it.

    My questions once again:

    1) In the configuration of Zone Transfers: not sure if I need to Allow Zone Transfers, and if I do, do I add the 10.10.1.14 to the DNS on DC01 and 10.10.1.13 to the DNS on DC02?

    2) In the Dynamic Updates: Secure only setting, do I have to manually go in and add each device?

    3) NSLOOKUP issue: why is that if I configured the reverse lookup zone?  Or could it be related to what is happening in the next paragraph?

    4) SonicWall having DHCP configured: could this be the reason Reverse Lookup is not working properly?

    Thank you in advance

    Robin



    Saturday, February 02, 2013 10:05 PM
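    An offline audit of the symptom in this post (hs30 resolves forward to 10.10.1.73, but the reverse lookup returns "Non-existent domain"), as an added example that is not part of the original thread. The zone data inside is constructed to mirror the poster's layout; every host name other than the two DCs and hs30 is assumed.

```python
# Added example (not from the thread): audit A vs PTR consistency offline.
# Zone data is constructed to mirror the poster's layout (HSC.local,
# 10.10.1.0/24); host names other than the two DCs and hs30 are assumed.
from ipaddress import IPv4Address


def ptr_owner(ip: str) -> str:
    """Return the in-addr.arpa owner name a PTR record for `ip` must have."""
    # reverse_pointer gives '73.1.10.10.in-addr.arpa' for 10.10.1.73
    return IPv4Address(ip).reverse_pointer + "."


def audit(a_records: dict, ptr_records: dict) -> dict:
    """Compare A records (name -> ip) with PTR records (owner -> name).

    missing_ptr: forward name resolves but no PTR exists, which is what
                 nslookup reports as 'Non-existent domain' on reverse lookup
    mismatched:  a PTR exists but names a different host than the A record
    stale_ptr:   a PTR whose target has no A record (left behind by a client
                 that re-registered under another address)
    """
    report = {"missing_ptr": [], "mismatched": [], "stale_ptr": []}
    for name, ip in a_records.items():
        target = ptr_records.get(ptr_owner(ip))
        if target is None:
            report["missing_ptr"].append((name, ip))
        elif target.lower() != name.lower():
            report["mismatched"].append((name, ip, target))
    forward_names = {n.lower() for n in a_records}
    for owner, target in ptr_records.items():
        if target.lower() not in forward_names:
            report["stale_ptr"].append((owner, target))
    return report


# Constructed sample zone data, not an export from the thread's DNS servers.
A_RECORDS = {
    "hs-dc01.hsc.local.": "10.10.1.13",
    "hs-dc02.hsc.local.": "10.10.1.14",
    "hs30.hsc.local.": "10.10.1.73",
}
PTR_RECORDS = {
    "13.1.10.10.in-addr.arpa.": "hs-dc01.hsc.local.",
    "14.1.10.10.in-addr.arpa.": "hs-dc02.hsc.local.",
    "103.1.10.10.in-addr.arpa.": "old-laptop.hsc.local.",  # assumed name
}

if __name__ == "__main__":
    for kind, entries in audit(A_RECORDS, PTR_RECORDS).items():
        print(kind, entries)
```

    Feeding it the real zone contents (for example, dumped from the DNS console on each DC) shows at a glance which hosts registered an A record without a PTR and which PTRs no longer match a live host.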

All replies

  • Hi,

    Thank you for the post.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards,


    Nick Gu - MSFT

    Friday, February 08, 2013 2:36 AM
  • Hi Robin,

    1. Based on my knowledge, zone transfer needs the same zone configured on the destination DNS server. However, as I know, if your server is a domain controller, then you should replicate the DNS zone with AD replication and not with zone transfer. Zone transfer is used for member servers which are not able to use AD replication.

    2. Dynamic Update Secure only means only the registering owner has the privilege to remove/update the records. For example, if you have the workstation Win7-01 register one record 15.0.0.100 to the DNS server, and this record exists in a zone with Secure only enabled, then other devices such as DHCP or other clients cannot update/remove this record unless Win7-01 updates it itself.

    3. Nslookup is used for resolving the DNS record. If you have added the record and this client was configured with that DNS, then nslookup should resolve it from the DNS.

    4. I'm not sure if SonicWall will cause this issue or not. But Windows DHCP itself won't cause any trouble with the PTR record.

    For more information, I suggest you read the references below:

    How to configure DNS dynamic updates in Windows Server 2003

    http://support.microsoft.com/kb/816592

    Using DNS servers with DHCP

    http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx

    Best Regards,

    Annie Gu

    Friday, February 08, 2013 8:23 AM
  • Just to add, I suggest disabling the SonicWall DHCP service, since it doesn't support Secure Updates in DNS. This is because Secure Updates uses AD Kerberos authentication.

    Further, configure DHCP to force updates for all clients using credentials, and add the DHCP server to the DnsUpdateProxy group.

    This is all outlined in my blog with specific step-by-steps. It's also discussed in the thread link below.

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, February 09, 2013 2:37 AM
  • Thank you Annie and Ace for your suggestions. :)

    I will review the links you both provided and do what I can. 

    I do know that DHCP is configured on the SonicWall, and we cannot get into it since we do not have the password, so I cannot disable it.  :(

    After a while most of the IP addresses appeared in the Reverse Lookup Zone.  There are about 7 IP addresses that have not shown up as of yet, and one of them is my Windows 7 computer and the rest are XP computers.

    NSLOOKUP is working now since the Reverse Lookup was set up.

    Thanks again :)  I will post back if I have any other questions or issues.

    Robin 

    Saturday, February 09, 2013 2:57 AM
  • Looking forward to your update.

    Just an FYI, if you don't know the SonicWall password and are not able to get it from the person that set it up, inventory the port translations configured for services such as mail, ftp, web, etc., and reset the device and start anew. Like I said, just a suggestion. I've had to do that at more than one place in the past for customers in similar scenarios.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, February 10, 2013 5:26 AM