Adding a Reverse Lookup Zone

The Active Directory Installation wizard does not automatically add a reverse lookup zone and PTR resource records, because it is possible that another server, such as the parent server, controls the reverse lookup zone. You might want to add a reverse lookup zone to your server if no other server controls the reverse lookup zone for the hosts listed in your forward lookup zone. Reverse lookup zones and PTR resource records are not necessary for Active Directory to work, but you need them if you want clients to be able to resolve FQDNs from IP addresses. Also, PTR resource records are commonly used by some applications to verify the identities of clients.

The following sections explain where to put reverse lookup zones and how to create, configure, and delegate them. For information about any of the IP addressing concepts discussed in the following sections, see "Introduction to TCP/IP" in this book.

Planning for Reverse Lookup Zones

To determine where to place your reverse lookup zones, first gather a list of all the subnets in your network, and then examine the class (A, B, or C) and type (class-based or subnetted) of each subnet.

To simplify administration, create as few reverse lookup zones as possible. For example, if you have only one class C network identifier (even if you have subnetted your network), it is simplest to organize your reverse lookup zones along class C boundaries. You can add the reverse lookup zone and all the PTR resource records on an existing DNS server on your network.

Subdomains do not need to have their own reverse lookup zones. If you have multiple class C network identifiers, for each one you can configure a reverse lookup zone and PTR resource records on the primary name server closest to the subnet with that network identifier.

However, organizing your reverse lookup zones along class C boundaries might not always be possible. For example, if your organization has a small network, you might have received only a portion of a class C address from your ISP. Table 6.3 shows how to configure your network with each type of subnet.

Table 6.3 Planning Reverse Lookup Zones

Configuring a Standard Reverse Lookup Zone

The following procedures describe how to add a reverse lookup for a class C network ID.

To add a reverse lookup zone

1. In Control Panel, double-click Administrative Tools and then double-click DNS.
2. Optionally, if the server to which you want to add a reverse lookup zone does not appear in the list, right-click DNS, click Connect to Computer, and then follow the instructions to add the desired server.
3. To display the zones, click the server name.
4. Right-click the Reverse Lookup Zones folder, and click New Zone. A zone configuration wizard appears.

Windows 2000-based clients and Windows 2000 DHCP servers can automatically add PTR resource records, or you can configure PTR resource records at the same time as when you create A resource records; otherwise, you might want to add PTR resource records manually.

To add PTR resource records

1. In Control Panel, double-click Administrative Tools and then double-click DNS.
2. To display the zones, click the server name.
3. Right-click the zone in the Reverse Lookup Zones folder, point to New, and then point to Pointer.
4. To create the PTR resource record, follow the instructions in the dialog box.

Note

If you can't select the Pointer field because it is shaded, double-click the zone.

Configuring and Delegating a Classless In-addr.arpa Reverse Lookup Zone

Many organizations divide class C networks into smaller portions. This process is referred to as "subnetting a network." If you have subnetted a network, you can create corresponding subnetted reverse lookup zones, as specified in RFC 2317. Although your network has been subnetted, you do not need to create corresponding subnetted reverse lookup zones. It is an administrative choice. DNS servers and zones are independent of the underlying subnetted infrastructure.

However, in certain situations, you might want to create and delegate classless reverse lookup zones. If you own one class C address, and you want to distribute the addresses in the range to several different groups (for example, branch offices), but you do not want to manage the reverse lookup zones for those addresses, you would create classless reverse lookup zones and delegate them to those groups. For example, suppose that an ISP has a class C address and has given the first 62 addresses to Reskit. The ISP can include records in its zone indicating that the name server on Reskit has information about that portion of the namespace. Reskit can then manage that portion of the namespace by including resource records with the IP address–to–host mappings, also known as a classless in-addr.arpa reverse lookup zone.

The following sections, explain the syntax of classless reverse lookup zones and describe how to delegate and configure reverse lookup zones by using the preceding example. For more information about delegating reverse lookup zones, see the Request for Comments link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Search for RFC 2317, "Classless in-addr.arpa delegation."

Note

Dynamic update does not work with classless in-addr.arpa zones. If you need to dynamically update PTR resource records, do not use classless zones.

Syntax of a Classless In-addr.arpa Reverse Lookup Zone

You can use the following notation to specify the name of the classless in-addr.arpa reverse lookup zone:

<subnet-specific label>.<octet>.<octet>.<octet>.in-addr.arpa

where octet specifies an octet of the IP address range. The octets are specified in reverse order of the order in which they appear in the IP address.

Although subnet-specific label could be comprised of any characters allowed by the authoritative DNS server, the most commonly used formats include the following:

• <minimum value of the subnet range>-<maximum value of the subnet range>
• <subnet>/<subnet mask bit count>
• <subnet ID>

Subnet specifies which segment of the class C IP address this network is using. Subnet mask bit count specifies how many bits the network is using for its subnet mask. Subnet ID specifies a name the administrator has chosen for the subnet.

For example, suppose that an ISP has a class C address 192.168.100.0 and has divided that address into four subnets of 62 hosts per network, with a subnet mask of 255.255.255.192, and given the first 62 host addresses to a company with the DNS name Reskit.com. The name of the classless reverse lookup zone can use any of the following syntax lines:

• 0-26.100.168.192.in-addr.arpa
• 0/26.100.168.192.in-addr.arpa
• Subnet1.100.168.192.in-addr.arpa

You can use any of this syntax in Windows 2000 DNS by entering the zones into a text file. For more information about creating and delegating subnetted reverse lookup zones through text files, see the Microsoft TechNet link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Search Microsoft TechNet using the phrases "subnetted reverse lookup zone" and "Windows NT."

Delegating a Classless Reverse Lookup Zone

You never need to delegate a classless reverse lookup zone, even if your network is subnetted. However, there are a few cases in which you might want to delegate a classless reverse lookup zone. For example, you might want to do so if you gave a merged organization a portion of your class C address, or if you had a remote subnetted network and wanted to avoid sending replication or zone transfer traffic across a wide area link.

Figure 6.10 shows how an administrator for a class C reverse lookup zone would then configure its DNS server.

Enlarge figure

Figure 6.10 Reverse Lookup Delegations

You can delegate and create classless reverse lookup zones from within the DNS console.

To delegate a classless reverse lookup zone

1. On the DNS server for your domain, create a reverse lookup zone.

   For the preceding example, create the reverse lookup zone 100.168.192.in-addr.arpa. The reverse lookup zone is added on the server for ISP.com, not Reskit.com.

2. Right-click the reverse lookup zone that you created, point to New Delegation.
3. In the New Delegation wizard, enter the name of the delegated domain and the name and IP address of the delegated name server. In the preceding example, the delegated domain is 0-26.
4. Right-click the reverse lookup zone and click New alias.
5. Add CNAME records for all the delegated addresses.

   For example, for the IP address 192.168.100.5, create a CNAME record of 5 that points to 5.0-26.100.168.192.in-addr.arpa.

6. Create the classless reverse lookup zone in the subdomain, by following the procedure in the following section.

Configuring a Classless In-addr.arpa Reverse Lookup Zone

You must configure a classless reverse lookup zone if one has been delegated to you. In the preceding example, an administrator for an ISP delegated a reverse lookup zone to Reskit.com, and an administrator for Reskit.com must therefore configure a classless reverse lookup zone. Figure 6.11 shows how Reskit.com would configure its classless reverse lookup zone.

Enlarge figure

Figure 6.11 Classless Reverse Lookup Zone

To create a classless reverse lookup zone

1. In the DNS console, click the server name to display configuration detail it, right-click the Reverse Lookup Zones folder, and then click Create a New Zone. The Add New Zone wizard appears.
2. When you reach the Network ID page, in the field named Enter the name of the zone directly, enter the name of the classless reverse lookup zone.

   For example, type 0-26.100.168.192.in-addr.arpa.

Then add any necessary PTR resource records in that zone.

© 1985-2000 Microsoft Corporation. All rights reserved.