AD- DNS - Reverse Lookup Zone

  • Question

  • Hi Team,

    Our infra: Windows 2k8R2 with 5 DCs with AD-DNS.

    DCDIAG successfully passed DNS. In NSLOOKUP, we didn't see the name resolution is not perfect.

    In our DNS console, we didn't have reverse lookup zones. In AD-DNS also, is a reverse lookup zone required? Isn't it created automatically like the forward lookup zones?

    Else we need to create it manually.

    Thanks, SUBBURAJ.T

    Tuesday, September 4, 2012 7:26 AM

Answers

  • Reverse lookup zone is not created automatically; you need to create the same. Reverse lookup zones and PTR resource records are not necessary for Active Directory to work, but you need them if you want clients to be able to resolve FQDNs from IP addresses. Also, PTR resource records are commonly used by some applications to verify the identities of clients. See below link on how to add a reverse lookup zone.

    Adding a Reverse Lookup Zone
    http://technet.microsoft.com/en-us/library/cc961414.aspx

    Ensure the following DNS settings on each DC:
    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and a single network adapter is enabled.
    3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC. Do not put private DNS IP addresses in the forwarder list.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS and NETLOGON services on each DC.
    5. Also make sure IPv6 is configured to dynamic (Automatically).

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by VenkatSP Wednesday, September 5, 2012 12:25 AM
    • Marked as answer by Miya Yao Monday, September 10, 2012 8:17 AM
    Tuesday, September 4, 2012 7:38 AM
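The checklist above can be turned into an automated check. The following is an added example, not code from the thread or from Microsoft: a small validator for items 1 to 3 (own private IP first in TCP/IP properties, one IP per DC, public resolvers only in the forwarder list, private ones only in TCP/IP properties); the DC addresses and the public resolvers are constructed sample values.

```python
import ipaddress

# Added checker (not from the thread): validates one DC's settings against
# items 1-3 of the checklist above. Inputs are the DC's adapter IP addresses,
# its DNS server list from TCP/IP properties (in order) and the DNS server's
# forwarder list. Returns a list of findings; an empty list means all clear.
def check_dc_dns(adapter_ips, dns_servers, forwarders):
    findings = []
    own = [ipaddress.ip_address(a) for a in adapter_ips]
    servers = [ipaddress.ip_address(s) for s in dns_servers]
    fwd = [ipaddress.ip_address(f) for f in forwarders]

    # Item 2: exactly one IP address on the DC.
    if len(own) != 1:
        findings.append(f"DC has {len(own)} IP addresses, expected exactly 1")

    # Item 1: the DC's own private IP is the primary DNS server; the other
    # DCs come after it.
    if not servers or servers[0] not in own:
        findings.append("primary DNS server is not the DC's own IP address")

    # Item 3: no public resolver in TCP/IP properties ...
    for s in servers:
        if s.is_global:
            findings.append(f"public DNS server {s} in TCP/IP properties")

    # ... and only the ISP's public resolvers in the forwarder list, never
    # private DNS addresses.
    if not fwd:
        findings.append("no forwarders configured")
    for f in fwd:
        if f.is_private:
            findings.append(f"private address {f} in forwarder list")
    return findings


# Constructed sample: DC1 at 10.0.0.10, DC2 at 10.0.0.11, and two well-known
# public resolvers standing in for the ISP's DNS servers.
GOOD = check_dc_dns(["10.0.0.10"], ["10.0.0.10", "10.0.0.11"], ["8.8.8.8", "8.8.4.4"])
BAD = check_dc_dns(["10.0.0.10", "192.168.1.10"], ["8.8.8.8", "10.0.0.10"], ["10.0.0.11"])

if __name__ == "__main__":
    print("good config:", GOOD or "no findings")
    print("bad config:", *BAD, sep="\n  ")
```

Feed it the values from "ipconfig /all" and the DNS server's forwarder tab for each of the five DCs; any DC that returns findings is the one to fix before re-running the flushdns/registerdns step.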
  • correction

    Hi Team,

    Our infra: Windows 2k8R2 with 5 DCs with AD-DNS.

    DCDIAG successfully passed DNS. In NSLOOKUP, we see the name resolution is not perfect.

    In our DNS console, we didn't have reverse lookup zones. In AD-DNS also, is a reverse lookup zone required? Isn't it created automatically like the forward lookup zones?

    Else we need to create it manually.

    Thanks, SUBBURAJ.T

    Hi,

    Agree with Sandesh, the reverse lookup zone is not created automatically; you need to create it manually.

    For NSLOOKUP, is this issue only with nslookup name resolution?

    Are you facing any name resolution problem with internet browsing, etc.?

    If the issue is with NSLOOKUP only, then it seems that your firewall does not support EDNS0 traffic; please try to disable this feature.

    To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0

    EDNS0 (Extension mechanisms for DNS)
    http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

    DNS Forwarders Problems in Windows 2008 R2 DNS Services
    http://blogs.technet.com/b/hishamb_msft/archive/2010/09/02/dns-forwarders-problems-in-windows-2008-r2-dns-services.aspx



    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Proposed as answer by VenkatSP Wednesday, September 5, 2012 12:25 AM
    • Marked as answer by Miya Yao Monday, September 10, 2012 8:17 AM
    Tuesday, September 4, 2012 8:46 AM

All replies

  • correction

    Hi Team,

    Our infra: Windows 2k8R2 with 5 DCs with AD-DNS.

    DCDIAG successfully passed DNS. In NSLOOKUP, we see the name resolution is not perfect.

    In our DNS console, we didn't have reverse lookup zones. In AD-DNS also, is a reverse lookup zone required? Isn't it created automatically like the forward lookup zones?

    Else we need to create it manually.

    Thanks, SUBBURAJ.T

    Tuesday, September 4, 2012 7:29 AM
  • Hi Team,

    Our infra: Windows 2k8R2 with 5 DCs with AD-DNS.

    DCDIAG successfully passed DNS. In NSLOOKUP, we didn't see the name resolution is not perfect.

    In our DNS console, we didn't have reverse lookup zones. In AD-DNS also, is a reverse lookup zone required? Isn't it created automatically like the forward lookup zones?

    Else we need to create it manually.

    Thanks, SUBBURAJ.T

    You are correct here, you need to create the reverse lookup zones manually. By default, when a new forest is created, forward lookup zones are created automatically, whereas the same is not true for the reverse lookup zone. You have to create it manually irrespective of whether it's an AD-integrated or non-AD-integrated DNS zone.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, September 4, 2012 9:10 AM
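Since the reverse zone has to be created by hand either way, the naming is the part people get wrong: the zone is the subnet's octets (or, for IPv6, nibbles) in reverse order under in-addr.arpa / ip6.arpa, and each PTR node is the remaining part of the host address. The following is an added example, not code from the thread: it derives those names and emits the dnscmd lines for an AD-integrated (/DsPrimary) or file-backed (/Primary) zone; the subnet, host addresses and domain name are constructed sample values.

```python
import ipaddress

# Added example (not from the thread): derive the reverse lookup zone name for
# a subnet and the PTR node for a host, then build the dnscmd lines that would
# create them on a 2008 R2 DNS server. Subnets, hosts and names are constructed.
def reverse_zone_name(network):
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24 prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ptr_node(ip, network):
    """Node name of ip's PTR record relative to the zone for network."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(network, strict=True)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    zone = reverse_zone_name(network)
    # reverse_pointer gives the full owner name, e.g. 5.1.0.10.in-addr.arpa;
    # strip the zone suffix to get the relative node, e.g. "5".
    return addr.reverse_pointer[: -len(zone) - 1]

def dnscmd_commands(network, hosts, ad_integrated=True):
    """One dnscmd line to create the zone, then one PTR record per host.
    AD-integrated zones (/DsPrimary) replicate to the other DCs through AD."""
    zone = reverse_zone_name(network)
    zone_type = "/DsPrimary" if ad_integrated else f"/Primary /file {zone}.dns"
    cmds = [f"dnscmd /ZoneAdd {zone} {zone_type}"]
    for ip, fqdn in hosts.items():
        # Trailing dot: the PTR target must be an absolute FQDN.
        cmds.append(f"dnscmd /RecordAdd {zone} {ptr_node(ip, network)} PTR {fqdn}.")
    return cmds

if __name__ == "__main__":
    # Constructed sample: two DCs in 10.0.1.0/24 under the domain corp.example.
    for line in dnscmd_commands("10.0.1.0/24", {"10.0.1.5": "dc1.corp.example",
                                                "10.0.1.6": "dc2.corp.example"}):
        print(line)
```

Run the generated lines on one DC; with /DsPrimary the zone then appears on the other DCs through AD replication, and once the DCs re-register (ipconfig /registerdns) with PTR updates allowed, further PTR records are maintained dynamically.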
  • AFAIK AD does not use reverse DNS.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, September 4, 2012 1:39 PM
  • AD needs the forward lookup zone and it's created automatically. If you need a reverse lookup too, then you have to manually create it.

    Refer below if you want to create one

    http://technet.microsoft.com/en-us/library/cc844043(v=ws.10)


    Hope it helps
    __________________________
    Best regards
    Sarang Tinguria
    MCP, MCSA, MCTS
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Tuesday, September 4, 2012 7:03 PM