Reverse Lookup Zones With Multiple Active Directory Domains On The Same Subnets

active-directorydomain-name-systemwindows-server-2008-r2

I have 3 subnets, lets call them 10.10.10.1/24, 10.10.10.2/24, and 10.10.10.3/24. I also have an Active Directory Forest (all DCs/FFL/DFL @ Server 2008 R2) with 2 subdomains, we will call them contoso.com, a.contoso.com, and b.contoso.com.

Organizing forward lookup zones is easy, contoso.com zon on the contoso.com domain controllers, a.contoso.com zone on the a.contoso.com domain controller, etc.

Reverse lookup zones are becoming an issue. For instance, the reverse lookup zone for 10.10.10.1 is on the DNS servers in contoso.com, but some servers in the a.contoso.com and b.contoso.com domains are also on the 10.10.10.1 subnet. As a result, when a server on the 10.10.1 subnet is a member of the a.contoso.com subdomain, there is no reverse lookup zone for the 10.10.10.1 subnet.

AFAIK, if I create the reverse lookup zone for 10.10.10.1 in the b.contoso.com domain, it will create the recors, but DNS servers in the contoso.com domain will be unaware of it. What is the proper procesure to get correct reverse lookup information across the board automatically?

Best Answer

Create the rDNS zone(s) in the parent domain. Configure the rDNS zone to be Active Directory integrated, configure the zone replication to "To all DNS servers running on domain controllers in this forest".

Related Solutions

How to manually create the _msdcs DNS zone for a domain that was created pre S2K3

If the "folder" you see under the domain zone is grey, and not looking like the others, then its not a separate instance of the _msdcs zone. It is a zone delegation, meaning that "everything under this sub domain is managed as a zone itself".

Don't delete anything.

Everything is just as its supposed to be if you've followed the How-to article up until this step, given that "_msdcs.contoso.com" did not previously exist.

Be sure to restart the Netlogon services on all DC's when the zone has been replicated to them. This forces the DC's to register their SRV records in the _msdcs zone

SCOM 2012 DNS Forwarder Availability Monitor

Answer found, and it's a bit unpleasant (at least if you were expecting the people creating management packs to actually know what they are doing).

Extracted from the monitor's description:

This monitor verifies forwarder availability by performing an NSLOOKUP on the targeted forwarder.

The script executes nslookup -timeout=<value> -querytype=<type> <name> <server>

<type> is A, NS, SOA.

<name> is target DNS name to resolve. If unconditional forwarder, the override value is used else the forwarder domain name is used.

<server> is the name of the server where the NSLOOKUP query occurs.
The value is $Target/Property[Type="DNS!Microsoft.Windows.DNSServer.Library.Server"]/ListeningIP$ which provides a listing of all IP addresses that the current DNS server is listening on.

<value> is timeout seconds/3 because timeout seconds is used to set the maximum time the script can run.

Unconditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.microsoft.com 10.0.0.5 would query server 10.0.0.5 for the DNS name for www.microsoft.com. In this case, you would set the actual timeout seconds to 90 monitor override.

Conditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.msn.com 10.0.0.5 would query server 10.0.0.5 for the actual name of the conditional forwarder targeted by this monitor.

What this means is that the SCOM agent will try to perform queries like these ones:

nslookup -timeout=30 -querytype=a domainB.dom <server>
nslookup -timeout=30 -querytype=a someotherzone.local <server>
nslookup -timeout=30 -querytype=a 0.0.10.in-addr.arpa <server>

This would work for the main AD domain's DNS zone (because DCs automatically register themselves as empty A records for that zone), but would fail for "someotherzone.local", which didn't have any empty A record (I can confirm that, after manually creating one, the alert disappeared and the monitor returned to green).

The third query, of course, would always fail, because it just doesn't make any sense at all to look for an A record in a reverse lookup zone.

Resolution: override the DNS Forwarder Availability Monitor to perform a NS or SOA query for the forwarded zone instead of an A query.
Which is what it should have been doing from the very beginning.

Best Answer

Related Solutions

How to manually create the _msdcs DNS zone for a domain that was created pre S2K3

SCOM 2012 DNS Forwarder Availability Monitor

Related Topic