
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Reverse Lookup setup

Reverse Lookup setup
D 4/16/2007 10:08:01 PM
Hi,

We have 26 sites worldwide and in each site there are 2 domain controllers
running Windows 2003 STD SP1. These DCs are also DNS servers for each site.
There are about 20,000 computer objects in Active Directory for the entire
firm. We are in the process of creating reverse lookup zones for all of the
client subnets. I understand Active Directory integrated DNS to be more
secure, but is the amount of IPs that's going to be added to AD of any
concern, as it'll grow the AD database size? Or are Primary/Secondary zones
a better solution for the amount of IPs that will be dynamically updated? We
have a minimum 10MB pipe in our domestic offices and a 2MB pipe for each EU
and Asia office. I'm not very concerned about the bandwidth. I'm more
concerned about the size increase in AD. Thanks for any input.

Re: Reverse Lookup setup
"Herb Martin" <news[ at ]learnquick.com> 4/17/2007 9:40:44 AM

"D" <D[ at ]discussions.microsoft.com> wrote in message
news:A944BDB3-C984-4746-BB22-85389EAE39DD[ at ]microsoft.com...
> Hi,
>
> We have 26 sites worldwide and in each site there are 2 domain controllers
> running Windows 2003 STD SP1. These DCs are also DNS servers for each site.
> There are about 20,000 computer objects in Active Directory for the entire
> firm. We are in the process of creating reverse lookup zones for all of the
> client subnets. I understand Active Directory integrated DNS to be more
> secure, but is the amount of IPs that's going to be added to AD of any
> concern, as it'll grow the AD database size?

Well sure it will grow the database some, about double the DNS info you have
now if you are registering all the stations' Forward resource records.

You can do some experimenting for the exact numbers but let's assume that
each DNS reverse record is about 100 bytes. 20,000 x 100 = 2 Meg.
There will be some overhead and we might be wrong a bit so let's double that
and call it: 4 Meg for increased database size. Even if I have missed it by
a lot, almost certainly under 10 Meg increase.

But before we assume that this "doesn't matter" let's ask WHY you will
be creating the reverse zone(s)?

Reverse zones are practically unimportant for internal machines except for
admin convenience. So perhaps you are going to use this so you can look
up an IP and find the name of the machine.

Do you have another reason? Are the reasons important to you?
(See below we'll pick up here.)

> Or are Primary/Secondary zones a better solution for the amount of IPs
> that will be dynamically updated? We have a minimum 10MB pipe in our
> domestic offices and a 2MB pipe for each EU and Asia office. I'm not very
> concerned about the bandwidth. I'm more concerned about the size increase
> in AD. Thanks for any input.

I don't believe the size is going to be a big problem for you (see above)
but replicating all of that data for NO PURPOSE seems like an issue worth
considering, and if you will do that, then replicating it EFFICIENTLY
(compression, incremental, multi-mastered) using AD Integration would seem
to be worth the effort -- remember the DCs are the DNS servers so they will
be doing (most of) the storage in any case (excluding AD overhead.)

What about putting each zone in a single site, in each DC and never
replicating the data offsite? This would be a primary/secondary but would
only keep a small portion (1/26 on average but likely varying in large vs.
small sites) on each pair of DCs.

Since subnets are the natural division of Reverse zones, each local DC set
would have the records ONLY for the machines locally there.

Then you could delegate or Conditionally forward these zones from your main
or central site DCs with all of the other DCs conditionally forwarding to
that set of DCs OR to the other sites' DCs if you really want to increase
the efficiency and don't mind the extra work of creating those forwards
(You can script this if you have to do it 26 times -- using DNSCmd.exe)


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
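
The per-site layout suggested in the reply above, as an added example that is not from the original posts: a Python script that derives the in-addr.arpa zone names for each site's client subnets and builds the `dnscmd /ZoneAdd ... /Forwarder` lines that point every other site's DCs at the owning site's DC pair. The site names, DC addresses and subnets are constructed; mapping a subnet smaller than /24 to its enclosing /24 zone is an assumption of this example.

```python
import ipaddress

# Constructed sample inventory (hypothetical site names, RFC 1918 addresses).
SITES = {
    "NYC": {"dcs": ["10.1.0.10", "10.1.0.11"], "subnets": ["10.1.0.0/23"]},
    "LON": {"dcs": ["10.2.0.10", "10.2.0.11"],
            "subnets": ["10.2.4.0/24", "10.2.8.0/26"]},
    "TYO": {"dcs": ["10.3.0.10", "10.3.0.11"], "subnets": ["172.16.0.0/16"]},
}

def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that cover an IPv4 subnet."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    # Reverse zones sit on octet boundaries. A subnet smaller than /24 is
    # served by its enclosing /24 zone (assumption); anything else is split
    # into zones at the next boundary, so a /23 becomes two /24 zones.
    if net.prefixlen > 24:
        parts = [net.supernet(new_prefix=24)]
    else:
        boundary = next(p for p in (8, 16, 24) if p >= net.prefixlen)
        parts = net.subnets(new_prefix=boundary)
    zones = []
    for part in parts:
        octets = str(part.network_address).split(".")[: part.prefixlen // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def forwarder_commands(sites):
    """Build dnscmd lines so each DC forwards other sites' reverse zones."""
    owner = {}
    for site, info in sites.items():
        for cidr in info["subnets"]:
            for zone in reverse_zones(cidr):
                # One zone can live at only one site in this design.
                if owner.setdefault(zone, site) != site:
                    raise ValueError(f"{zone}: {owner[zone]} and {site}")
    cmds = []
    for site, info in sites.items():
        for dc in info["dcs"]:
            for zone, home in sorted(owner.items()):
                if home != site:
                    masters = " ".join(sites[home]["dcs"])
                    cmds.append(f"dnscmd {dc} /ZoneAdd {zone} /Forwarder {masters}")
    return cmds

if __name__ == "__main__":
    print("\n".join(forwarder_commands(SITES)))
```

The script only prints the command lines for review; it does not create the site-local zones or contact any server. File-backed primary zones cannot be set to secure-only dynamic updates, which require an Active Directory-integrated zone.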


Re: Reverse Lookup setup
D 4/17/2007 3:12:02 PM
Thanks for the detailed reply. I, personally, don't have any use for the
reverse lookup on the client subnet and am against the idea of creating it
because of its nonimportance. The reason we need it now is that we've
purchased a device that's going to monitor end point devices on our network
and to properly resolve names, a reverse lookup is required.

Re: Reverse Lookup setup
"Herb Martin" <news[ at ]learnquick.com> 4/17/2007 8:18:07 PM

"D" <D[ at ]discussions.microsoft.com> wrote in message
news:886EDF23-87CF-43C3-8C1F-FF7748F65B38[ at ]microsoft.com...
> Thanks for the detailed reply. I, personally, don't have any use for the
> reverse lookup on the client subnet and am against the idea of creating it
> because of its nonimportance. The reason we need it now is that we've
> purchased a device that's going to monitor end point devices on our
> network and to properly resolve names, a reverse lookup is required.

That pretty much falls under the scope of "admin convenience" since
presumably some admin wants that monitoring software.

If you have any more questions let us know. We're happy to help.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)


