> Read inline please.
>
> In news:A965CBE3-8713-45EC-A1AE-21C754E7793A[ at ]microsoft.com,
> Fred Berestoff <FredBerestoff[ at ]discussions.microsoft.com> typed:
> > Hi, I have a single dns namespace called corp.com that is distributed
> > across 50+ sites around the country. Is there a preferred way to
> > implement the reverse lookup zones? We use the private class C
> > network addressing scheme of 192.168.x.x and we also have 50+
> > networks as part of our dns namespace.
> >
> > My questions are:
> > 1. Should our reverse lookup zones be active directory integrated?
> > (we have 10 DCs) My initial sense is that we should have these AD
> > integrated so they are replicated throughout our network, but I am
> > concerned about how much additional traffic this would generate.
> 10 DCs for 50+ sites sounds like you're short on DCs. Zone replication is a
> minor part of network traffic, especially since you have way less than one
> DC per site. Authentication traffic is going to make up the bulk of your
> network traffic between sites.
>
> >
> > 2. Is there a security risk in allowing unsecured updates to these
> > zones?
> Any time you allow unsecured updates to any zone it increases the likelihood
> that there are going to be unauthorized updates to the zone.
>
> > If we only allow secured updates then non domain members like
> > printers etc will not get a ptr record in the reverse lookup zone.
> > (can a dhcp server update reverse lookup zones on behalf of their
> > clients as well as forward lookup zones?)
> A Win2k3 DHCP server will be able to update secure zones for you.
>
> >
> > 3. I have seen other reverse lookup zones that aggregate the various
> > networks from one for every network, to a single reverse lookup zone
> > that includes all the networks.
> >
> > for example: instead of having 50+ reverse lookup zones for
> > 192.168.1.x, 192.168.2.x, 192.168.3.x etc, there is a single reverse
> > lookup zone for 192.168.x.x (which essentially includes all of the
> > individual networks in its scope)
> >
> > Is there a preferred method to do this? Are there any issues with
> > using a single reverse lookup zone that gets replicated via active
> > directory to all of our dns servers?
> There are really no issues one way or the other. However, while reverse lookup
> zones are not required for Active Directory functionality, some applications
> do require them. For instance, nslookup will perform a PTR
> lookup for the DNS server it is using. If there is no PTR for the DNS server
> it uses, you get the "Can't find server name for address <IPAddressofDNS>"
> message when starting nslookup, and you will get "unknown" as the server in the
> nslookup response.
>
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
>
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
>
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> http://message.wftx.us/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
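The following is an added example, not code from the thread or from either poster, that makes the three questions above concrete. It derives the in-addr.arpa zone names for both layouts discussed in question 3 (one zone per 192.168.x.0/24 versus a single 168.192.in-addr.arpa zone covering all of 192.168.0.0/16), shows that the PTR owner names differ only in how much of the address sits in the zone name, and then runs the coverage check a DNS admin would want after switching a zone to secure-only updates: which A records have no matching PTR (the printer case from question 2, where a non-domain device never registers) and what nslookup reports when its own server's PTR is missing. Host names and addresses are constructed for the example; the zone-file fragment uses standard RFC 1035 syntax and is only an illustration of the records, since an AD-integrated zone stores them in the directory rather than in a text file.

```python
"""Reverse-lookup zone planning and PTR coverage checks for a 192.168.0.0/16 network.

All host names and addresses below are constructed for this example.
"""
import ipaddress
from collections import defaultdict


def reverse_zone_for(network: str) -> str:
    """in-addr.arpa zone name for a network cut on an octet boundary (/8, /16 or /24)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("in-addr.arpa zones are cut on octet boundaries: use /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address: str, zone: str) -> str:
    """Owner name of the PTR record for `address`, relative to `zone`."""
    full = ipaddress.ip_address(address).reverse_pointer  # e.g. 10.1.168.192.in-addr.arpa
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{address} does not fall inside {zone}")
    return full[: -len(suffix)]


def plan_zones(hosts: dict, aggregate: bool) -> dict:
    """Group PTR records by zone.

    aggregate=False: one zone per /24 (x.168.192.in-addr.arpa), 50+ zones for 50+ networks.
    aggregate=True:  a single /16 zone (168.192.in-addr.arpa) holding every PTR.
    """
    zones = defaultdict(list)
    for fqdn, ip in hosts.items():
        prefix = 16 if aggregate else 24
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        zone = reverse_zone_for(str(net))
        zones[zone].append((ptr_owner(ip, zone), fqdn))
    return {zone: sorted(records) for zone, records in zones.items()}


def render_zone(zone: str, records) -> str:
    """Zone-file fragment (RFC 1035 syntax) for the PTR records of one zone."""
    lines = [f"$ORIGIN {zone}."]
    for owner, fqdn in records:
        lines.append(f"{owner:<8} IN PTR {fqdn}.")
    return "\n".join(lines)


def missing_ptrs(forward: dict, reverse: dict) -> list:
    """Addresses that have an A record but no PTR, or a PTR naming a different host.

    With secure-only dynamic updates, non-domain devices (printers, appliances)
    show up here unless the DHCP server registers PTRs on their behalf.
    """
    problems = []
    for fqdn, ip in sorted(forward.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        ptr = reverse.get(ip)
        if ptr is None:
            problems.append((ip, fqdn, "no PTR"))
        elif ptr.lower() != fqdn.lower():
            problems.append((ip, fqdn, f"PTR points to {ptr}"))
    return problems


def nslookup_banner(server_ip: str, reverse: dict) -> str:
    """Mimic nslookup's start-up check: it reverse-resolves the server it is about to use."""
    name = reverse.get(server_ip)
    if name is None:
        return f"Can't find server name for address {server_ip}; default server: unknown"
    return f"Default server: {name}"


# Constructed sample data: A records in corp.com ...
FORWARD = {
    "dc1.corp.com": "192.168.1.10",
    "dc2.corp.com": "192.168.2.10",
    "ws42.corp.com": "192.168.1.42",
    "printer7.corp.com": "192.168.3.7",
}
# ... and the PTRs actually present. The printer never registered (not a domain
# member, zone is secure-only); ws42's address was reused and its PTR is stale.
REVERSE = {
    "192.168.1.10": "dc1.corp.com",
    "192.168.2.10": "dc2.corp.com",
    "192.168.1.42": "ws41.corp.com",
}

if __name__ == "__main__":
    for aggregate in (False, True):
        print(f"--- aggregate={aggregate} ---")
        for zone, records in plan_zones(FORWARD, aggregate).items():
            print(render_zone(zone, records), end="\n\n")
    for ip, fqdn, why in missing_ptrs(FORWARD, REVERSE):
        print(f"{ip:<15} {fqdn:<20} {why}")
    print(nslookup_banner("192.168.1.10", REVERSE))
    print(nslookup_banner("192.168.9.1", REVERSE))
```

Run the script to see both layouts side by side: the per-/24 plan yields three zones with one-label owners such as `10`, while the aggregated plan yields one `168.192.in-addr.arpa` zone with two-label owners such as `10.1`; the records are the same either way, which is why the thread says there are no issues one way or the other. The `missing_ptrs` report is the check to run after tightening a zone to secure updates, and `nslookup_banner` reproduces the symptom the reply describes for a DNS server without a PTR.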