No reverse zones in a W2K AD forest.

Bill

A year ago I built a new W2K forest (root domain) and
then "upgraded" an NT4.0 domain into a second domain in
the forest. Prior to that we had a standard public DNS
structure for mostly non-MS (i.e. Unix) devices and a few
Windows OS hosted services.

At the time of the migration (upgrade) to W2K we created
new internal-only forward zones for the W2K-AD on a couple
of the W2K DCs (we tied these to the traditional DNS
structure via glue records and forwards).

Because I didn't want to break the existing in-addr.arpa
reverse zones at that time I elected not to change my
reverse zones to dynamic zones. Thus, my AD zones have
been running for a year without being able to do any
reverse lookups, but nothing appears to be broken. All
services (servers/clients) appear to work fine.

Do any MS OSs use/do reverse zone lookups?

What are the consequences of not having any in-addr.arpa
entries (no dynamic in-addr.arpa zones) for my AD forest,
domains, DCs, clients? I'm even running E2K successfully
(having recently migrated from Exch5.5), at least as far
as I can tell.

Does AD (or the MS operating systems themselves) require
or use reverse DNS lookups for any critical network
functionality?

If I had the reverse zones set dynamic (instead of the
current/original static zones) what AD records would be
populated into them, thus what am I missing (or breaking)
by not having reverse dynamic zones for my AD
infrastructure?
Herb Martin

Bill said:
A year ago I built a new W2K forest (root domain) and
then "upgraded" an NT4.0 domain into a second domain in
the forest. Prior to that we had a standard public DNS
structure for mostly non-MS (i.e. Unix) devices and a few
Windows OS hosted services.

At the time of the migration (upgrade) to W2K we created
new internal-only forward zones for the W2K-AD on a couple
of the W2K DCs (we tied these to the traditional DNS
structure via glue records and forwards).

Because I didn't want to break the existing in-addr.arpa
reverse zones at that time I elected not to change my
reverse zones to dynamic zones. Thus, my AD zones have
been running for a year without being able to do any
reverse lookups, but nothing appears to be broken. All
services (servers/clients) appear to work fine.

Do any MS OSs use/do reverse zone lookups?

Not for anything critical. The reverse zones actually have
no direct relationship to a domain.

What are the consequences of not having any in-addr.arpa
entries (no dynamic in-addr.arpa zones) for my AD forest,
domains, DCs, clients? I'm even running E2K successfully
(having recently migrated from Exch5.5), at least as far
as I can tell.

It is just a mental fiction that a reverse zone would ever
correspond to either a DNS forward zone or to an AD
domain.

Such obvious correspondence is in the mind of us humans
and never explicit in DNS.

Of course as you mention, services could be dependent on
such -- only SMTP is likely to run into such on a regular
basis.

Does AD (or the MS operating systems themselves) require
or use reverse DNS lookups for any critical network
functionality?

Not to my knowledge -- I usually set up reverse zones but I
don't worry about it if they aren't there.

If I had the reverse zones set dynamic (instead of the
current/original static zones) what AD records would be
populated into them, thus what am I missing (or breaking)
by not having reverse dynamic zones for my AD
infrastructure?

Just the reverse records for machines that can register themselves
OR for machines which might be registered by your DHCP
server (a setting you get to choose.)

Also note, the "registrant" must be able to locate the reverse
zone and find the dynamic Master(s).
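The last two points (which PTR records a dynamic reverse zone would receive, and the registrant having to locate the zone and its dynamic master) can be shown as a small model of what a dynamic-update client does. This is an added example, not code from the thread; the zone apexes, master names and the "dynamic" flag are a constructed sample.

```python
import ipaddress

# Constructed sample of the zones a DNS server hosts:
# apex -> (SOA primary master, zone accepts dynamic updates). Hypothetical names.
ZONES = {
    "ad.example.internal.": ("dc1.ad.example.internal.", True),
    "1.10.in-addr.arpa.": ("dc1.ad.example.internal.", True),   # dynamic reverse zone for 10.1.0.0/16
    "20.172.in-addr.arpa.": ("ns1.example.com.", False),         # legacy static reverse zone
}


def ptr_name(ip):
    """Owner name the PTR record for this IPv4 address would have (with trailing dot)."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def find_reverse_zone(ip, soa_lookup=ZONES.get):
    """Mimic a dynamic-update registrant: ask for an SOA at the PTR name itself, then
    strip one leading label at a time until some zone apex answers.
    Returns (apex, master, dynamic) or None when no reverse zone covers the address."""
    labels = ptr_name(ip).rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never climb up to the bare "arpa." label
        apex = ".".join(labels[i:]) + "."
        soa = soa_lookup(apex)
        if soa is not None:
            master, dynamic = soa
            return apex, master, dynamic
    return None


def ptr_registration_status(ip):
    """Explain why a machine's PTR would or would not get registered."""
    found = find_reverse_zone(ip)
    if found is None:
        return f"no reverse zone found: PTR for {ip} cannot be registered"
    apex, master, dynamic = found
    if not dynamic:
        return f"zone {apex} is static: update to {master} would be refused"
    return f"zone {apex} is dynamic: send PTR {ptr_name(ip)} to {master}"


if __name__ == "__main__":
    for addr in ("10.1.2.3", "172.20.5.6", "192.168.1.1"):
        print(ptr_registration_status(addr))
```

The static case is the thread's situation: the registrant finds the zone but the master refuses the update, so forward records exist while PTRs stay missing.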
bill

Herb, thanks for your answers.

One more item...

I have a remote site connected to us via a (45MB)
microwave connection which contains a single DC from
the "user" domain - for fail-over purposes.

I'm thinking of adding an additional site within the
forest using ADSS because I see that particular DC
answering a lot for the main site (for example, it's
always selected as the site license server).

I understand you need to configure the IP-subnet(s) for
each site when you have more than one site. So my follow-on
question is:

Will not having reverse zones cause any problems if I add
an additional site to the existing forest?

thanks again for the answers above, they were very
informative. - bill
Herb Martin

bill said:
Herb, thanks for your answers.

One more item...

I have a remote site connected to us via a (45MB)
microwave connection which contains a single DC from
the "user" domain - for fail-over purposes.

I'm thinking of adding an additional site within the
forest using ADSS because I see that particular DC
answering a lot for the main site (for example, it's
always selected as the site license server).

Yes, a site is a "group of subnets separated from others
by a WAN line" *

Don't follow any 'bandwidth threshold' rules -- if it looks
like a separate "location" then it's a Site.

*Occasionally there might be very specific reasons to
extend this rule, but almost always that is to MORE sites,
not less. For instance, you just want people to use a
certain DC set even though they are connected to other DCs
by a high speed LAN. (You might wish to use DCs in the
same building or department even if you have LAN lines
connecting them but that is a SPECIAL case.)

I understand you need to configure the IP-subnet(s) for
each site when you have more than one site. So my follow-on
question is:

Will not having reverse zones cause any problems if I add
an additional site to the existing forest?

No. They really aren't related (in any technical sense.)

What concerns you?

You really should add that Site though -- and a separate
Site license server for each site (doesn't have to be a DC.)

thanks again for the answers above, they were very
informative. - bill

You are very welcome.
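The site/subnet point above (a client is placed in a site by the subnet its address falls in, and a site whose subnets are missing or which has no DC of its own sends clients elsewhere) can be checked offline with a small model. This is an added example, not code from the thread; the site names, subnets and DC names are a constructed sample.

```python
import ipaddress

# Constructed sample configuration (hypothetical names and addresses): subnets as
# entered in AD Sites and Services, and the site each DC has been placed in.
SITE_SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.200.0/24": "HQ-Lab",          # more specific subnet carved out of HQ
    "10.9.0.0/24": "Remote-Microwave",  # the single-DC site behind the WAN link
}
DC_SITES = {"dc1": "HQ", "dc2": "HQ", "dc-remote": "Remote-Microwave"}


def site_for(ip):
    """Longest-prefix match of a client address against the configured subnets;
    None means the client belongs to no site and may pick any DC, remote ones included."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SITE_SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def audit_sites(client_ips):
    """Report clients outside every configured subnet and sites that have subnets
    but no DC of their own (their clients must be served from another site)."""
    unmapped = [ip for ip in client_ips if site_for(ip) is None]
    sites_without_dc = sorted(set(SITE_SUBNETS.values()) - set(DC_SITES.values()))
    return {"unmapped": unmapped, "sites_without_dc": sites_without_dc}


if __name__ == "__main__":
    # Constructed client addresses: one HQ host, one on a subnet nobody entered, one remote host.
    print(audit_sites(["10.1.5.5", "10.50.1.1", "10.9.0.20"]))
```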