Windows 2000 Troubleshooting TCP/IP, part 6

344 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
But it does solve the problem. When an internal user connects to
news.tacteam.net, a DNS query is sent to the internal DNS server, and is
resolved to the IP address of the internal news server. A user connecting
to news.tacteam.net via the Internet contacts the DNS server outside the
firewall, and receives the IP address of the Internet-located news server.
Internet users never learn the internal addresses: the external server holds
only records for the Internet-facing hosts, so nothing outside resolves to an
internal machine.
Figure 7.10 displays a simplified network layout of this configuration.
Note the two DNS servers, one internal and one external. Each DNS server
has its own zone database, and the two must never perform zone transfers
with each other; restrict transfers on both servers to the Secondaries you
name, so the internal zone cannot be pulled from outside.
This is the most common scenario you’ll encounter because most
organizations already have a domain name and are wary of change.
However, if you are blessed enough to be working with a new network
installation, or an unusually flexible company, the second approach is a
lot easier, and more flexible.
Figure 7.10 Network layout with same internal and external domain name.
(Diagram: the Internal Web, Mail and News servers and the Proxy/DNS host sit
in a DMZ internal to the firewall; the 'Net Web, 'Net Mail and 'Net News/DNS
servers sit outside the firewall and are directly exposed to the Internet;
both sides use the name TACTEAM.NET.)
91_tcpip_07.qx 2/25/00 11:08 AM Page 344
Different Intranet and Internet Domain Names
The best way to go is with different domain names representing your
intranet and Internet resources. In this case, we could have two domain
names, taccorp.net and tacteam.net. The former is used for internal
resources, and the latter for Internet resources. The internal servers
would be www.taccorp.net, mail.taccorp.net, and news.taccorp.net. The
Internet servers would be www.tacteam.net, news.tacteam.net, and
mail.tacteam.net.
The DNS server on the intranet is authoritative for the taccorp.net
zone so that all DNS requests for internal resources can be answered by
the intranet DNS server. All DNS queries for Internet resources are
answered by the external DNS server, which is authoritative for the
tacteam.net zone.
Advantages of Using Different Internal and External Domain Names
While each zone still has to be maintained separately, with this solution
you don't have to keep track of two different IP addresses for servers with
the same name. You also won't have to duplicate external resources on
internal servers, since the internal clients can access the Internet servers
via the proxy through the firewall, as they would contact any other server
on the Internet (see Figure 7.11).
Proxy Configuration
The proxy server should be configured to use an internal DNS server that
is configured as a slave (forward-only) server. The slave answers from its
own zones and sends every other query to its forwarder, the external DNS
server, for Internet host name resolution; it never recurses to the Internet
itself. The firewall should be configured to allow DNS queries and responses
between those two servers on UDP and TCP port 53.
Normally, DNS queries and responses use UDP port 53, but when a response
does not fit in a single 512-byte UDP datagram the server sets the truncated
(TC) flag in its reply, and the client repeats the same query over TCP port
53 to obtain the whole message. A firewall that passes only UDP 53 will
therefore break resolution of large answers (long MX or NS sets, for
example) in a way that looks like an intermittent DNS failure. Since zone
transfers also run over TCP 53, allow it only between the forwarder and its
slave, not from the Internet at large to your internal server.
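The UDP-to-TCP fallback described above, as an added example that is not part of the original chapter. It builds a real DNS query packet, checks the TC flag in the reply and repeats the query over TCP with the 2-byte length prefix. The server and the firewall are constructed stand-ins (FakeExternalDns, firewall_drops_tcp53) and the 203.0.113.x answer addresses are assumptions, so nothing touches the network.

```python
import struct

UDP_MAX = 512  # classic DNS/UDP payload limit without EDNS0 (RFC 1035 2.3.4)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qid, qtype=1):
    """Standard query, QCLASS IN. Flags 0x0100 = QR 0 (query), RD 1 (recursion desired)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("short DNS/TCP frame")
    return data[2:2 + length]


class FakeExternalDns:
    """Constructed stand-in for the external DNS server: answers every A query with
    n_answers addresses in 203.0.113.0/24 (assumed), so the reply size is controllable."""

    def __init__(self, n_answers):
        self.n = n_answers

    def _response(self, query, truncate):
        h = parse_header(query)
        question = query[12:]                           # echo the single question section
        flags = 0x8180 | (0x0200 if truncate else 0)    # QR, RD, RA (+TC when truncating)
        if truncate:
            # A truncating server keeps the header and question and drops the answers.
            return struct.pack("!HHHHHH", h["id"], flags, 1, 0, 0, 0) + question
        answers = b"".join(
            # owner = pointer to offset 12 (the question name), type A, class IN, TTL, rdlen 4, IP
            struct.pack("!HHHIH4B", 0xC00C, 1, 1, 3600, 4, 203, 0, 113, i)
            for i in range(1, self.n + 1))
        return struct.pack("!HHHHHH", h["id"], flags, 1, self.n, 0, 0) + question + answers

    def udp(self, query):
        full = self._response(query, truncate=False)
        return full if len(full) <= UDP_MAX else self._response(query, truncate=True)

    def tcp(self, framed_query):
        return tcp_frame(self._response(tcp_unframe(framed_query), truncate=False))


def firewall_drops_tcp53(framed_query):
    """Models a firewall that permits UDP/53 but silently refuses TCP/53."""
    raise ConnectionRefusedError("tcp/53 blocked")


def resolve(name, qid, udp_send, tcp_send):
    """Query over UDP; if the reply carries TC, repeat the identical query over TCP.
    Returns (transport that produced the usable answer, answer count)."""
    query = build_query(name, qid)
    reply = parse_header(udp_send(query))
    if reply["id"] != qid:
        raise ValueError("reply ID does not match the query; discard it")
    if not reply["tc"]:
        return "udp", reply["ancount"]
    reply = parse_header(tcp_unframe(tcp_send(tcp_frame(query))))
    if reply["id"] != qid:
        raise ValueError("reply ID does not match the query; discard it")
    return "tcp", reply["ancount"]


def try_resolve(name, qid, udp_send, tcp_send):
    """Same as resolve(), but reports a blocked TCP fallback instead of raising."""
    try:
        return resolve(name, qid, udp_send, tcp_send)
    except ConnectionRefusedError as exc:
        return "failed", str(exc)


if __name__ == "__main__":
    small, big = FakeExternalDns(4), FakeExternalDns(40)
    print(try_resolve("news.tacteam.net", 1, small.udp, small.tcp))
    print(try_resolve("news.tacteam.net", 2, big.udp, big.tcp))
    print(try_resolve("news.tacteam.net", 3, big.udp, firewall_drops_tcp53))
```

Forty 16-byte A records plus header and question come to 674 bytes, over the 512-byte limit, so the UDP reply comes back with TC set and the answer is only obtained over TCP; with TCP 53 filtered the lookup fails outright even though UDP 53 is open.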
Corporate Mergers and Domain Management
If you read the business section of your local newspaper regularly, you
are aware that corporate mergers are a frequent phenomenon. The merging
companies are each likely to have their own network, and someone has the
job of making them work together as a new integrated intranet.
Let’s look at an example that builds on what we’ve done so far to see
how we handle the integration of two networks that have both an Internet
presence and corporate intranets.
The Problem: Corporate Merger
The first company is TACteam, the one that we’ve been working with in
the previous sections. TACteam uses different domain names to identify
its intranet versus Internet resources. TACteam’s intranet resources use
private IP addresses and access Internet resources via a proxy server. The
internal domain is taccorp.net, and the Internet domain is tacteam.net.

TACteam has merged with Shinder, Inc. Shinder, Inc. maintains a single
domain name for both internal and Internet resources. They mirror their
Internet resources on their intranet, and maintain separate and distinct
shinder.net zones for their intranet and Internet DNS servers. The
shinder.net DNS administrators keep track of the different IP addresses
for machines with the same name between the intranet and the Internet.
Shinder.net is an old company and has been connected to the Internet for
several years; therefore, they are using public IP addresses for their
internal network. They do not use a proxy server, but do use a firewall to
protect the intranet from Internet intruders.
Figure 7.11 Different internal and external domain names.
(Diagram: the Internal Web, Mail and News servers and the Proxy/DNS host sit
in a DMZ internal to the firewall; the Proxy/DNS resolves internal names and
forwards external requests; the external DNS server outside the firewall
resolves Internet resources and acts as forwarder for the internal DNS; the
'Net Web, 'Net Mail and 'Net News/DNS servers sit outside the firewall;
TACCORP.NET is used inside, TACTEAM.NET outside.)
Your job is to redesign the network so that all users from both
domains will be able to access both the internal and Internet resources of
both companies. The long-term goal is to migrate the shinder.net
resources over to tacteam.net and taccorp.net, but long experience
dictates that this is going to take a long time. You need to get the two
networks interacting as soon as possible.
Proposed Solution
Starting at TACteam, you would configure the proxy server to include the
public network IDs that are in use at shinder.net so that they are
recognized as internal resources. By configuring them as internal
addresses, you ensure that requests for these resources are resolved by
the internal DNS servers at taccorp.net and routed directly, and not sent
to the proxy server for resolution.
On the taccorp.net internal DNS server, create a delegation for
shinder.net and include a host A resource record for the internal DNS
server at shinder.net (the "glue" record; without it the referral names a
server the resolver has no address for).
NOTE: DNS zone delegation is a way of distributing the responsibility of
name resolution to other servers. Strictly, a delegation hands off a child
domain of a zone you host; shinder.net is not a child of taccorp.net, and
Windows 2000 DNS has neither conditional forwarders nor stub zones (both
arrived with Windows Server 2003). In practice you would host a Secondary
copy of the internal shinder.net zone on the taccorp.net server, which has
the same effect: queries for shinder.net names are answered from
shinder.net's internal zone data rather than from the Internet.
When a DNS query arrives at the taccorp.net DNS server for a
resource at shinder.net, it will now be referred to the intranet DNS server
at shinder.net based on the information included in the delegation record.
Since shinder.net is an internal resource, it won't be going through
the proxy server. We do have a problem: How are we going to get the
taccorp.net machines, which use private IP addresses, to communicate
with the shinder.net machines that are using public IP addresses? We can
completely wall off the intercompany link from the Internet using
dedicated leased lines, but that is a very expensive proposition. A much
more cost-effective solution is to create a Virtual Private Network (VPN)
over the Internet to connect the two companies.
We would then install a VPN server at the taccorp.net site and configure
the VPN server to use Network Address Translation (NAT), so that traffic
from taccorp.net's private addresses reaches shinder.net from a routable
address. We then configure our routers to direct all traffic destined for
the shinder.net network IDs to our VPN server, which will itself route
traffic to shinder.net over the VPN connection. The VPN connection will
terminate at the VPN server at shinder.net. Since both taccorp.net and
shinder.net lie behind firewalls, the firewalls will be configured to pass
VPN traffic (and only VPN traffic) between the two companies.
Over on the shinder.net side, we configure their intranet DNS server
with a delegation for taccorp.net and the IP address of the taccorp.net
DNS server. Then, we configure the routers at shinder.net to direct traffic
destined for the taccorp.net network IDs to the VPN server on the
shinder.net side. NAT is not required on the shinder.net side, since the
translation is done by the VPN server at taccorp.net (see Figure 7.12).
Testing the Solution
Let’s see what happens when some DNS queries are issued.
Scenario 1
A client in the taccorp.net domain wants to access the Web server for the
shinder.net domain. A DNS query is issued to the taccorp.net internal
DNS server, which contains a referral for the shinder.net domain. The
taccorp.net DNS server queries the shinder.net internal DNS server through
the VPN for the IP address of www.shinder.net and receives a reply, which
is sent to the DNS client in taccorp.net. The taccorp.net client then
connects to the shinder.net internal Web server at www.shinder.net via the
VPN, because the returned address falls within the ranges configured as
internal.
Scenario 2
A DNS client on the shinder.net side wishes to connect to the Internet
Web server for tacteam.net. A DNS query is sent to the shinder.net internal
DNS server. The shinder.net internal DNS server is not authoritative
for the tacteam.net domain, and forwards the request to the external
shinder.net DNS server. The external shinder.net DNS server is not
authoritative either, and therefore completes recursion by issuing
iterative requests until the host name is resolved. Once the IP address is
received, the external DNS server returns it to the internal DNS server,
which in turn returns it to the DNS client on the shinder.net side. The
shinder.net DNS client then connects to tacteam.net over its ordinary
Internet connection rather than the VPN, since tacteam.net is dedicated to
Internet resources only.
This is only one possible way you could solve this problem, but it does
give you the general idea of what the potential problems are, and some
ways you can address them.
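The split-DNS decisions from Scenarios 1 and 2, as an added example that is not code from the chapter: a simulation of the choices the taccorp.net internal DNS server and proxy make for a given name. The zone contents, the LOCAL_ADDRESS_TABLE and every IP address (10.1.0.x, 198.51.100.x, 203.0.113.x) are assumptions; the book names the hosts but gives no addresses.

```python
import ipaddress

# Constructed data: the book names the hosts, all addresses below are assumed.
AUTHORITATIVE = {                      # zones the taccorp.net internal server owns
    "taccorp.net": {"www": "10.1.0.10", "mail": "10.1.0.11", "news": "10.1.0.12"},
}
DELEGATED = {                          # zones referred to another internal server (over the VPN)
    "shinder.net": {"server": "198.51.100.53",
                    "data": {"www": "198.51.100.80", "mail": "198.51.100.25"}},
}
FORWARDER = {"server": "203.0.113.53", # external DNS outside the firewall
             "data": {"www.tacteam.net": "203.0.113.80",
                      "www.shinder.net": "203.0.113.90"}}   # the *Internet* copy of shinder.net

# Proxy "local address table": private ranges plus shinder.net's public network ID,
# which the merged network must treat as internal (reached over the VPN, not the proxy).
LOCAL_ADDRESS_TABLE = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
VPN_NETWORK = ipaddress.ip_network("198.51.100.0/24")


def _in_zone(name, zone):
    """Label-boundary suffix test: www.shinder.net is in shinder.net, notshinder.net is not."""
    return name == zone or name.endswith("." + zone)


def _best_zone(name, zones):
    matches = [z for z in zones if _in_zone(name, z)]
    return max(matches, key=len) if matches else None   # longest (most specific) match wins


def route_query(name):
    """Which server the taccorp.net internal DNS uses for `name`: itself, the delegated
    internal server, or the external forwarder."""
    name = name.rstrip(".").lower()
    if _best_zone(name, AUTHORITATIVE):
        return "authoritative", "local"
    zone = _best_zone(name, DELEGATED)
    if zone:
        return "delegation", DELEGATED[zone]["server"]
    return "forwarder", FORWARDER["server"]


def client_path(addr):
    """Internal addresses go direct (over the VPN for shinder.net); anything else via the proxy."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LOCAL_ADDRESS_TABLE):
        return "vpn" if ip in VPN_NETWORK else "direct"
    return "proxy"


def lookup(name):
    """Simulated resolution from a taccorp.net client, plus the path its traffic will take."""
    name = name.rstrip(".").lower()
    role, server = route_query(name)
    if role == "forwarder":
        addr = FORWARDER["data"].get(name)
    else:
        table = AUTHORITATIVE if role == "authoritative" else DELEGATED
        zone = _best_zone(name, table)
        host = "@" if name == zone else name[: -len(zone) - 1]
        data = table[zone] if role == "authoritative" else table[zone]["data"]
        addr = data.get(host)
    return {"name": name, "answered_by": role, "server": server, "address": addr,
            "path": client_path(addr) if addr else None}


if __name__ == "__main__":
    for n in ("www.shinder.net", "www.tacteam.net", "mail.taccorp.net", "www.notshinder.net"):
        print(lookup(n))
```

The same name www.shinder.net has two answers in this simulation, 198.51.100.80 from shinder.net's internal server and 203.0.113.90 from the Internet; the internal client gets the former only because the delegation is consulted before the forwarder, which is exactly the ordering the merged design depends on. The suffix test in `_in_zone` matters too: matching on a bare string suffix would send www.notshinder.net down the VPN.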
Figure 7.12 The joys of corporate mergers.
(Diagram: each company's site has a Web server, News server and Mail
server behind a Proxy/DNS host and a VPN server, with 'Net Web, 'Net Mail
and 'Net News/DNS servers facing the Internet; the two VPN servers are
linked across the Internet.)
DNS Zone Design and Troubleshooting
DNS domains are conceptual entities. They exist in a conceptual frame-
work we know as the Domain Name System, but the actual resource
records, such as the IP address to host name mappings, are contained
within a “physical” file known as a zone file. A single zone can contain
multiple contiguous domains. For example, a single zone can contain
microsoft.com, dev.microsoft.com, and west.dev.microsoft.com. These
domains are contiguous, meaning they lie next to each other. You could
not include msn.com in the same zone, because it is not contiguous with
the other domains. Figure 7.13 shows this domain arrangement.
Figure 7.13 Example of contiguous and noncontiguous domains.
(Diagram: under the Root DNS sit .net and .com; under .com sit microsoft
and msn; microsoft.com, dev.microsoft.com and west.dev.microsoft.com form
one microsoft.com zone, while msn.com, with its mail host, forms a separate
msn.com zone. The Microsoft domains are not contiguous with the MSN domains.)
Zone planning and configuration are especially important when we
work with standard DNS zones rather than Active Directory integrated
zones. We will talk more about Active Directory integrated zones later, but
be aware that the situation we discuss here is a little different with the
introduction of the Active Directory integration.
The actual management of domain resources is done via adding and
updating records in a DNS zone database. This database is created when
you make a new zone in the Windows 2000 DNS server. Creating a new
zone is easy with the Windows 2000 DNS server because a wizard guides
you through the process. There’s not much of a chance of making a mis-
take when you use the wizard.
The zone database file is a text file that is located at:
%systemroot%\system32\dns\<zone_name>.dns
An example of the contents of the zone file appears in Figure 7.14.
Figure 7.14 Example zone database file for blah.com.
The zone database file is compatible with BIND (Berkeley Internet
Name Domain) zone database files used by many UNIX-based DNS
servers. In fact, you can use the DNS management console or directly edit
the zone file to manage your DNS zones.
TIP: We highly recommend that you use the DNS management console to avoid
problems related to "clumsy fingers." If you do edit a zone file by hand,
stop the DNS service first; the running service writes its in-memory copy
of the zone back to the file and can overwrite your edits.
A zone is named by the topmost domain represented in a particular
zone file. For example, if our zone contains the microsoft.com and the
dev.microsoft.com domains, then the name of the zone is the
microsoft.com zone, since microsoft.com is the topmost member of the
zone. If we had another zone that consisted of marketing.microsoft.com
and west.marketing.microsoft.com, the name of the zone would be the
marketing.microsoft.com zone, because marketing.microsoft.com is the
topmost member of the zone.
Standard Zones
Standard zones are categorized as either Primary or Secondary. When you
first create a new zone in the Windows 2000 DNS management console,
you will be configuring a Primary zone.
NOTE: A Primary zone is the only read/write copy of the zone database.
Because there is only one read/write copy of the zone database file, the
Primary zone DNS server becomes a single point of failure for updates:
while it is down, Secondaries keep answering queries from their copies,
but no change to the zone can be made.
DNS was designed to have at least two DNS servers configured for
each zone. This is for fault tolerance reasons. When a copy of a zone is
maintained on another DNS server, that server is known as a Secondary
DNS server. The Secondary DNS server houses a read-only copy of the
zone database file. You cannot directly edit the copy of the zone database
file on a Secondary DNS server.
You can easily create a new zone by using the New Zone Wizard
included with the Windows 2000 DNS server. After installing the DNS
service on your computer, open the DNS management console. Right-click
on the name of your server, and select New Zone, as seen in Figure 7.15.
Just answer the wizard's questions, and you've got yourself a new zone.
Zones are populated with resource records. There are a number of dif-
ferent resource record types. The most common resource record is the
host, or A, record. This host record supplies the host name and IP
address mapping for a computer within the zone. To add a new host,
right-click on your new zone, select New Host, and then enter the host
name and the IP address as shown in Figure 7.16.
Other common resource record types you will encounter include the
NS (name server), MX (Mail Exchanger), and CNAME (canonical name)
records.
The NS record is used to define the host names of the servers that are
authoritative for a zone. This can be a Primary or Secondary DNS server
for the zone. The NS record informs machines that send DNS queries to
the DNS server that "I know what is true regarding this zone, and the
buck stops here." Figure 7.17 shows the Name Servers tab that appears
in the domain's Properties sheet. You can find this by right-clicking the
name of one of your domains, selecting Properties, and then clicking the
Name Servers tab.
You can add the name and IP address of another DNS server that will
be authoritative for the domain by clicking Add. Be sure that you've
configured the machine that you're adding here as a Secondary DNS server
for the zone, so that it can act as an authority for the zone; an NS
record that names a server which does not actually hold the zone produces
a lame delegation, and every resolver that happens to pick that server
gets a failed lookup.
Did you notice that Add is grayed out in Figure 7.17? That is because
we took this screen shot from a machine that is a Secondary for the
tacteam.net zone.

Figure 7.15 Creating a new zone in the DNS management console.
TIP: You can only define NS records for Secondary name servers on the
Primary DNS server for the zone.
The MX record is used to identify the name of the server that is the
intended destination for e-mail for a given zone. For example, mail
addressed to anyone at tacteam.net would be sent to the server identified
in DNS with an MX record. Figure 7.18 shows the New Resource Record MX
dialog box.
Note that the "Host or domain" text box is empty. This record defines
a Mail Exchanger for the tacteam.net domain, and this record is being
created in the tacteam.net domain. By leaving this text box empty, it will
identify this record as applying to the parent domain, which is listed at
the top of the dialog box.
Figure 7.16 Adding a New Host Address record in the newly created domain.
Figure 7.17 The Name Servers tab in the domain Properties sheet.
Enter the name of the mail server that will handle the mail, and then
the "Mail server priority." This is a number from 0 to 65535 that is used
to determine an order of "priority" if there are multiple MX records for the
domain.
TIP: Lower numbers have priority over higher numbers. If two MX records
for the same domain have the same priority number, one will be chosen at
random. Mail is routed to the machine with the highest priority (lowest
priority number). If the machine doesn't respond, the next highest priority
machine is sent the mail.
Notice that we enter the FQDN in the "Mail server" text box. There
must be a host (A) record for that machine in order for the MX record to
properly route the mail to the destination Mail Exchanger, and the target
should be the host's real name rather than a CNAME alias, which the DNS
standards do not permit as an MX target.
The CNAME record allows you to create aliases for computers that
already have host records in the DNS database. The most common use of
the CNAME record is to allow you to use "standard" names for servers
offering services on the Internet or intranet. Servers are often named
based on the services they provide, such as "ftp," "www," and "mail" for
an FTP server, Web server, and Mail server, respectively.
Figure 7.18 The New Resource Record MX dialog box.
Figure 7.19 shows the add CNAME record Properties sheet.
In this example, EXETER is a machine on the tacteam.net network.
We really don't want our users to have to remember the host names of all
the machines on the network, so we can create a CNAME record for each
machine based on the type of service it provides. When a DNS client
issues a query for mail.tacteam.net, it will be connected to EXETER. An
nslookup reveals the following:
C:\>nslookup -ds mail.tacteam.net.
——————
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
185.1.168.192.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 185.1.168.192.in-addr.arpa
name = constellation.tacteam.net
ttl = 3600 (1 hour)
——————
Server: constellation.tacteam.net
Address: 192.168.1.185
——————
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0
QUESTIONS:
mail.tacteam.net, type = A, class = IN
ANSWERS:
-> mail.tacteam.net
canonical name = exeter.tacteam.net
ttl = 3600 (1 hour)
-> exeter.tacteam.net
internet address = 192.168.1.186
ttl = 1200 (20 mins)
——————
Name: exeter.tacteam.net
Address: 192.168.1.186
Aliases: mail.tacteam.net
The nslookup confirms that mail.tacteam.net is indeed EXETER (the first
exchange in the output is nslookup's own reverse lookup of the server it is
talking to; the second is the query we asked for). You can confirm that the
alias is functional by pinging the host by its CNAME alias. Be very careful
when you enter the "Fully qualified name for target host" in the provided
text box. If you include a period at the end of the FQDN to truly fully
qualify the record, it will not work. Try it both ways to confirm that this
is true.
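The alias chasing and MX ordering just discussed, as an added example rather than code from the book. The ZONE table is constructed: EXETER, CONSTELLATION and the mail.tacteam.net alias come from the nslookup output above; the MX records, backup.tacteam.net and the two loop-* names are assumptions added to exercise the checks (an MX target with no host record, a CNAME loop).

```python
import random

# Constructed in-memory copy of the tacteam.net zone. EXETER, CONSTELLATION and the
# mail.tacteam.net alias are from the page; the MX set, backup.tacteam.net and the
# loop-* names are assumptions added to exercise the checks below.
ZONE = {
    "exeter.tacteam.net.":        [("A", "192.168.1.186")],
    "constellation.tacteam.net.": [("A", "192.168.1.185")],
    "mail.tacteam.net.":          [("CNAME", "exeter.tacteam.net.")],
    "www.tacteam.net.":           [("CNAME", "constellation.tacteam.net.")],
    "tacteam.net.": [("MX", (10, "exeter.tacteam.net.")),
                     ("MX", (20, "constellation.tacteam.net.")),
                     ("MX", (20, "backup.tacteam.net."))],   # no A record: a broken MX
    "loop-a.tacteam.net.":        [("CNAME", "loop-b.tacteam.net.")],
    "loop-b.tacteam.net.":        [("CNAME", "loop-a.tacteam.net.")],
}


def records(name, rtype):
    return [rdata for t, rdata in ZONE.get(name, []) if t == rtype]


def resolve_a(name, max_chain=8):
    """Follow CNAMEs to the A record(s). Returns (canonical name, addresses, aliases followed)."""
    chain, seen = [], set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        seen.add(name)
        addrs = records(name, "A")
        if addrs:
            return name, addrs, chain
        cnames = records(name, "CNAME")
        if not cnames:
            return name, [], chain           # name has no A (or does not exist)
        if len(cnames) > 1:
            raise ValueError(f"{name}: more than one CNAME at the same owner")
        chain.append(name)
        if len(chain) > max_chain:
            raise ValueError("CNAME chain too long")
        name = cnames[0]


def cname_loop_detected(name):
    try:
        resolve_a(name)
        return False
    except ValueError as exc:
        return "loop" in str(exc)


def mx_order(domain, rng=random):
    """MX targets sorted by preference; equal preferences are shuffled (random choice)."""
    by_pref = {}
    for pref, target in records(domain, "MX"):
        by_pref.setdefault(pref, []).append(target)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend((pref, t) for t in group)
    return ordered


def check_mx(domain):
    """Every MX target needs an A record, and an MX must not point at a CNAME (RFC 2181 10.3)."""
    problems = []
    for _pref, target in records(domain, "MX"):
        if records(target, "CNAME"):
            problems.append(f"{target}: MX target is a CNAME")
        elif not records(target, "A"):
            problems.append(f"{target}: no host (A) record for MX target")
    return problems


def deliver(domain, reachable, rng=random):
    """Walk the MX list in order; `reachable` is the set of addresses that accept a connection."""
    for _pref, target in mx_order(domain, rng):
        _canon, addrs, _aliases = resolve_a(target)
        for addr in addrs:
            if addr in reachable:
                return target, addr
    return None


if __name__ == "__main__":
    print(resolve_a("mail.tacteam.net."))
    print(check_mx("tacteam.net."))
    print(deliver("tacteam.net.", {"192.168.1.185"}))
```

`deliver` reproduces the failover the chapter describes: with EXETER (preference 10) unreachable, mail lands on CONSTELLATION at preference 20, and the broken backup MX is simply skipped because it never yields an address.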
TIP: Ever wonder why they call it a canonical record? Here are some
definitions that will explain things: Canonical: Music. Having the form of
a canon. Canon: Music. A composition or passage in which the same melody is
repeated by one or more voices, overlapping in time in the same or a
related key. So, a CNAME record allows multiple host names to "sing" for
the same computer!
Zone Transfer
How does the information contained in the zone database file on the
Primary DNS server find its way to its Secondary DNS servers? This sharing
of information is done via a mechanism known as a zone transfer (see
Figure 7.20). For standard zones, this is merely copying the zone database
resource records from the Primary DNS server to its designated
Secondaries.
A vocabulary lesson is in order here. The Primary DNS server that is
transferring the zone database to its Secondary is typically referred to as
a "Master" server. The other side of the Master, that is, the machine
receiving the zone database entries, is sometimes referred to as a "slave"
server, a Secondary, or simply the DNS server receiving a copy of the zone
entries.
NOTE: We prefer to stay away from using the term slave, since "slave DNS
server" has a very specific meaning (a server that forwards everything it
cannot answer locally), and it's not related to zone transfer. Just keep
this in mind when you're reading various references about zone transfers.
Figure 7.19 The add CNAME record Properties sheet.
Be aware that a Secondary DNS server can be a Master DNS server to
another Secondary DNS server. Confusing, huh? Here's how it works: A
Secondary DNS server has a copy of a zone database that it received from
a Primary DNS server. This Secondary DNS server can transfer the read-only
copy that it has to another Secondary DNS server, in which case it becomes
a Secondary Master. Also, a Primary DNS server for one zone, such as
shinder.net, can be a Secondary DNS server for another zone, such as
microsoft.com. Try this: Configure your DNS server at home as a Primary DNS
server for your local domain. Then connect to your ISP in the usual way,
and see if you can become a Secondary to your ISP's DNS server (of course,
you won't really be a Secondary because there is no NS record for your
computer, although you could make one on your server if you wish). Expect
most servers to refuse: a zone transfer hands out a complete list of a
zone's hosts, so well-run servers restrict transfers to their own
Secondaries, and you should do the same on the Zone Transfers tab of your
own zones rather than leave them open to any requester.
If the transfer succeeds, you now have a read-only copy of your ISP's
publicly available DNS records, and your DNS server is both a Primary and
a Secondary DNS server.
Figure 7.20 Zone transfers between Primary and Secondary DNS servers.
(Diagram: dns.shinder.net is Primary for shinder.net; a zone transfer takes
place between the shinder.net Primary (master) and dns1.shinder.net, which
is Secondary for the shinder.net zone; dns1.shinder.net in turn becomes a
master DNS server as it transfers the shinder.net zone to dns.tacteam.net,
the Primary DNS server for the tacteam.net zone.)
In this example, the shinder.net zone Primary DNS server is the master
server during a zone transfer to its Secondary, dns1.shinder.net. When
the shinder.net zone is transferred on to the tacteam.net Primary,
dns1.shinder.net becomes a master server. This shows how Secondary DNS
servers become master servers, and how Primaries can become "slaves" for
zones they do not own.
Several things can trigger a zone transfer from a Primary DNS to a
Secondary, including:
- The refresh interval has expired.
- The Secondary server has booted up.
- The Primary DNS server is configured to notify Secondaries when changes
take place.
Refresh Interval
The refresh interval is the period the Secondary DNS server waits between
requests for a zone transfer from the Primary. This value is part of the
Start of Authority (SOA) resource record, which is the first record created
for a new domain. You can view the values contained in the SOA record
for a domain by double-clicking the SOA record in the domain. You will
see a dialog box similar to the one in Figure 7.21.
Figure 7.21 The Start of Authority record for the tacteam.net domain.
By default, the refresh interval is 15 minutes. If the Primary server
does not respond when the Secondary tries to contact it, it will try again
based on the value in the "Retry interval" text box. If the Secondary is not
able to contact the Primary at all for the period of time defined in the
"Expires after" text box, the Secondary will no longer respond to queries
for that domain.
Once the Secondary is able to contact the Primary again, it will start
to answer queries again for the domain. This is to ensure that invalid and
outdated information isn’t passed to DNS clients making queries for that
zone.
DNS Notify
A Windows 2000 DNS server supports DNS Notify, which allows the
Primary DNS server to initiate the zone transfer, rather than the
Secondary. In a sense, this is a “push” mechanism for zone transfer. This
is a very handy feature to ensure that your servers have an up-to-date
copy of the zone information contained on the Primary DNS server. Each
time a change is made to the zone database, the Primary will either con-
tact all its Secondary DNS servers, as they are defined on the Name
Servers tab, or you can create a customized list of servers to which the
updates will be sent. Figure 7.22 shows the Zone Transfers tab on the
taccorp.net domain Properties sheet. The Notify dialog box appears after
you click Notify on the Zone Transfers tab.
Figure 7.22 The Zone Transfers tab and the Notify dialog box.
Request for Information Query
When a Secondary DNS server requests a zone transfer, either from
initiating the request itself, or after having been "reminded" to make the
request after a notify message, it will issue a query for the SOA record on
the Primary DNS server. The Secondary DNS server will examine the "serial
number" on the Primary DNS server's SOA record. If the serial number on the
Primary is newer than the one on its own SOA record for the zone, it will
request, via another query, transfer of zone database information.
("Newer" is decided with serial-number arithmetic, which lets the 32-bit
serial wrap around; a Primary whose serial has been set lower than the
Secondary's, for instance after a restore from backup, will never trigger a
transfer, which is a classic cause of Secondaries that silently go stale.)
This request for information query can be either a request for the
entire zone database file, or for just those records that have changed
since the last time it received a zone transfer. The AXFR query transfers
the entire zone database file, and is the only type of transfer mechanism
available to downlevel DNS servers, such as Windows NT 4.0. Windows
2000 DNS servers support the IXFR query (incremental transfer, RFC 1995),
where only the records that have changed are sent to the Secondary DNS
server; if the Primary cannot supply the history from the Secondary's
serial onward, it answers the IXFR request with a full transfer instead.
The IXFR query is clearly less bandwidth intensive than the AXFR query.
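The Secondary's refresh, retry and expire behaviour, the serial comparison and the IXFR-versus-AXFR choice, as one added example (not the book's code) that uses the SOA timers from the reverse zone file later in this chapter (refresh 900, retry 600, expire 86400). Primary and Secondary are constructed simulations driven by a time counter rather than real servers; the serial values, the record names and the "downlevel Primary without IXFR" scenario are assumptions.

```python
SERIAL_MOD = 1 << 32


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if serial a is 'after' b, even across a wrap past
    2^32-1. A plain integer comparison gives the wrong answer once a serial wraps."""
    if a == b:
        return False
    return ((a - b) % SERIAL_MOD) < (1 << 31)


class Primary:
    """Constructed Primary: holds the zone, bumps the serial per change, keeps history for IXFR."""

    def __init__(self, serial, records, supports_ixfr=True):
        self.serial = self.base_serial = serial
        self.records = dict(records)
        self.history = []               # (serial, name, value) for each change
        self.supports_ixfr = supports_ixfr
        self.reachable = True
        self.secondaries = []

    def update(self, name, value):
        self.serial = (self.serial + 1) % SERIAL_MOD
        self.records[name] = value
        self.history.append((self.serial, name, value))

    def notify(self, now):
        """DNS NOTIFY: tell Secondaries to check the SOA now instead of at the refresh interval."""
        for s in self.secondaries:
            s.notify(now)

    def soa_serial(self):
        if not self.reachable:
            raise ConnectionError("primary unreachable")
        return self.serial

    def transfer(self, have_serial):
        """IXFR if this server can replay changes since have_serial, otherwise a full AXFR."""
        if not self.reachable:
            raise ConnectionError("primary unreachable")
        known = {s for s, _, _ in self.history}
        if self.supports_ixfr and (have_serial == self.base_serial or have_serial in known):
            return "IXFR", [(n, v) for s, n, v in self.history if serial_newer(s, have_serial)]
        return "AXFR", dict(self.records)


class Secondary:
    def __init__(self, soa, serial, records, now=0):
        self.refresh, self.retry, self.expire = soa["refresh"], soa["retry"], soa["expire"]
        self.serial, self.records = serial, dict(records)
        self.last_ok = now               # last successful contact with the Primary
        self.next_check = now + self.refresh
        self.serving = True

    def notify(self, now):
        self.next_check = now            # a NOTIFY just pulls the next SOA check forward

    def poll(self, now, primary):
        """One refresh attempt at time `now`; returns what happened."""
        if now < self.next_check:
            return "idle"
        try:
            remote = primary.soa_serial()
            if serial_newer(remote, self.serial):
                kind, payload = primary.transfer(self.serial)
                if kind == "AXFR":
                    self.records = payload
                else:
                    for name, value in payload:
                        self.records[name] = value
                self.serial = remote
                outcome = kind
            else:
                outcome = "up-to-date"
        except ConnectionError:
            self.next_check = now + self.retry
            if now - self.last_ok >= self.expire:
                self.serving = False     # stop answering rather than serve stale data
                return "expired"
            return "retry"
        self.last_ok = now
        self.serving = True              # contact restored: answer again
        self.next_check = now + self.refresh
        return outcome


SOA = {"refresh": 900, "retry": 600, "expire": 86400}   # timers from the page's zone file


def run_scenario():
    log = {}
    primary = Primary(20, {"185": "constellation.tacteam.net."})
    secondary = Secondary(SOA, 20, primary.records, now=0)
    primary.secondaries.append(secondary)
    # t=100: a change on the Primary plus NOTIFY -> immediate IXFR instead of waiting 900 s
    primary.update("186", "exeter.tacteam.net.")
    primary.notify(100)
    log["after_notify"] = secondary.poll(100, primary)
    log["serial_after_notify"] = secondary.serial
    # t=1000: the scheduled refresh finds nothing new
    log["scheduled"] = secondary.poll(secondary.next_check, primary)
    # Primary goes down; the Secondary retries every 600 s until the expire time passes
    primary.reachable = False
    attempts = 0
    while secondary.serving:
        secondary.poll(secondary.next_check, primary)
        attempts += 1
    log["retries_before_expire"] = attempts - 1
    log["expired_at"] = secondary.next_check - SOA["retry"]
    # Primary returns as a downlevel server without IXFR (say, NT 4.0): full AXFR, serving resumes
    primary.reachable = True
    primary.supports_ixfr = False
    primary.update("1", "starfleet.tacteam.net.")
    log["after_recovery"] = secondary.poll(secondary.next_check, primary)
    log["serving_again"] = secondary.serving
    log["record_count"] = len(secondary.records)
    return log


if __name__ == "__main__":
    print(run_scenario())
```

The run shows the whole cycle: NOTIFY turns a 15-minute wait into an immediate incremental transfer, an unreachable Primary produces retries every 10 minutes for a day before the Secondary stops answering, and the first successful contact afterwards brings it back with a full transfer when the Primary cannot do IXFR.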
Fast Transfer
Another mechanism that Windows 2000 uses to lessen bandwidth
requirements of zone transfers is to use a "compressed" form of resource
record transfer sometimes known as a fast transfer, in which several
records are packed into each transfer message.
WARNING: If you use BIND DNS servers older than version 4.9.4, they will
not be able to accept fast transfers, and the zone transfer will fail. If
you have problems with zone transfers to BIND Secondaries, you can disable
fast transfers by checking "BIND secondaries" on the Advanced tab.
Be aware that this is a feature that applies to all zones configured on
a single server, and suppression of fast transfers cannot be done on a
granular basis. Figure 7.23 sh​ows the Advanced tab on the DNS server's
Properties sheet. You can get there by right-clicking the server name itself
in the DNS management console, and clicking Properties.
Your primary problems related to zone transfers when you implement
your Windows 2000 DNS solution will usually be related to compatibility
issues with downlevel (all other) DNS servers. Keep this in mind when
troubleshooting zone transfer difficulties.
Reverse Lookup Zones
The type of queries we've been dealing with up to this point are often
referred to as forward lookups. A forward lookup is when you send the
name of the destination host in order to obtain the IP address associated
with that name. The opposite is known as a reverse lookup. When you do
a reverse lookup, you already know the IP address, and you want to
obtain the host name associated with that IP address.
Reverse lookups are not something that can be easily accomplished
using forward lookup zones. Think of forward lookup zones as something
similar to a phone book. A phone book is indexed using people’s last
names. If you want to find a telephone number quickly, you just go to the
letter of the alphabet for the last name, and then go down the alphabeti-
cal list until you find the name. The phone number is right next to the
person’s name. What if we already knew the phone number, and wanted
to find out whose name goes with that phone number? Since the phone
book is indexed using names, our only alternative would be to look at
every phone number in the book and hope to be lucky and find that it’s
one in the front of the book (assuming that we start looking in the front
first).
Figure 7.23 The Advanced tab on the DNS server’s Properties sheet.
This clearly isn't an efficient way to search the IP address namespace.
At one time, inverse queries (the IQUERY opcode, long since obsolete) were
used to trawl the IP address namespace, but these were very limited
because they could only search the data a server already held in its
forward lookup zones. As we have seen, that is very time consuming and
inefficient.
The in-addr.arpa Domain
To solve the problem, a new domain was created, the in-addr.arpa
domain. The in-addr.arpa domain indexes host names based on IP
addresses, and makes reverse lookups much more efficient and speedy.
You can create reverse lookup zones easily using the Windows 2000
DNS management console. Just right-click your computer name in the
console, and select New Zone. That will start the New Zone Wizard that
walks you through the process of creating new zones, either forward or
reverse lookup. The wizard will ask what type of zone you want to create,
and you will select Reverse Lookup Zone rather than forward. The wizard
will ask for the network ID and automatically create a zone database file
based on your answers.
Note the construction of the reverse lookup zone. Its name is the
network ID with the octets in reverse order, followed by in-addr.arpa: if
you create a reverse lookup zone for 192.168.1.0, the zone is named
1.168.192.in-addr.arpa, and its file is 1.168.192.in-addr.arpa.dns. The
reversal is needed because names are resolved from right to left, from the
root toward the host, just as with forward lookup zones, so the most
significant octet of the address has to sit closest to the root.
Pointer Records
A pointer (PTR) record maps an IP address back to a host name, and one is created for each computer included in the reverse lookup zone. The pointer record can be created at the same time as the host (A) record, by selecting Create associated pointer (PTR) record in the New Host dialog box, or you can create it separately.
Our experience is that the PTR records are not always created when entering a new host address, so you will want to check the PTR records for all hosts you create on the DNS server. One problem that we've run into is that the dynamic update information sent to the DNS server doesn't always update the PTR record reliably, so an address can keep pointing at a name the host no longer has. Therefore, if you are having problems with reverse lookups, check that the PTR record exists and is correct; running nslookup against the IP address is a quick way to see what the server currently returns for it.
The following is an example of the contents of a reverse lookup zone database file:
;
; Database file 1.168.192.in-addr.arpa.dns for 1.168.192.in-addr.arpa zone.
; Zone version: 20
;
@ IN SOA constellation.tacteam.net. tshinder.tacteam.net. (
20 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; minimum TTL
;
; Zone NS records
;
@ NS constellation.tacteam.net.
;
; WINSR (NBSTAT) lookup record
;
@ WINSR L2 C900 (tacteam.net. )
;
; Zone records
;
1 PTR starfleet.tacteam.net.
9 PTR falcon-nx.tacteam.net.
16 PTR stablazer.tacteam.net.
185 PTR constellation.tacteam.net.
186 PTR exeter.tacteam.net.
19216813 PTR daedalus.tacteam.net.
2 PTR defiant.tacteam.net.
203 PTR NOSTROMO.blah.com.
254 PTR neuro.tacteam.net.
3 PTR daedalus.tacteam.net.
2 PTR defiant.tacteam.net.
55 PTR neuro.blah.com.
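As an added example (it is not code from the book), the following Python script derives the in-addr.arpa zone name from a network ID, the way the wizard does, and then runs the PTR checks suggested above over a reverse zone file. The zone text and the forward A records it is checked against are constructed here, modelled on the file shown above; the host addresses are assumptions, and the "16" entry was given a deliberately mismatched forward record. The checker flags record names that cannot be a host octet (such as the 19216813 entry in the file above), duplicate PTR entries for one address, and PTR targets whose forward A record is missing or points at a different address, which is exactly the kind of stale pointer an unreliable dynamic update leaves behind.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample zone text (not read from a server), modelled on the file
# shown above.  The 19216813 label, the duplicate "2" entries and the 203 entry
# for an outside domain are kept so the checker has something to flag; the
# "16" entry was added with a deliberately mismatched forward record.
REVERSE_ZONE_TEXT = """\
; Database file 1.168.192.in-addr.arpa.dns for 1.168.192.in-addr.arpa zone.
@ IN SOA constellation.tacteam.net. tshinder.tacteam.net. (
    20    ; serial number
    900   ; refresh
    600   ; retry
    86400 ; expire
    3600 ) ; minimum TTL
@ NS constellation.tacteam.net.
1 PTR starfleet.tacteam.net.
9 PTR falcon-nx.tacteam.net.
16 PTR stablazer.tacteam.net.
185 PTR constellation.tacteam.net.
19216813 PTR daedalus.tacteam.net.
2 PTR defiant.tacteam.net.
203 PTR NOSTROMO.blah.com.
3 PTR daedalus.tacteam.net.
2 PTR defiant.tacteam.net.
"""

# Constructed forward (A) records for the same hosts; the addresses are assumed.
FORWARD_A = {
    "starfleet.tacteam.net.": "192.168.1.1",
    "falcon-nx.tacteam.net.": "192.168.1.9",
    "stablazer.tacteam.net.": "192.168.1.61",   # deliberately does not match PTR 16
    "constellation.tacteam.net.": "192.168.1.185",
    "daedalus.tacteam.net.": "192.168.1.3",
    "defiant.tacteam.net.": "192.168.1.2",
}


def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa zone name for a network ID, either in prefix
    form (192.168.1.0/24) or as the bare ID the wizard accepts (192.168.1.0)."""
    if "/" in network:
        net = ipaddress.ip_network(network, strict=True)
        if net.version != 4 or net.prefixlen not in (8, 16, 24):
            raise ValueError("expected an IPv4 network with a /8, /16 or /24 prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    else:
        ipaddress.IPv4Address(network)          # validates the dotted quad
        octets = network.split(".")
        while len(octets) > 1 and octets[-1] == "0":   # drop trailing zero octets
            octets.pop()
        if len(octets) == 4:
            raise ValueError("a network ID must end in at least one zero octet")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def network_prefix(zone_name: str) -> str:
    """Inverse of reverse_zone_name: 1.168.192.in-addr.arpa -> 192.168.1."""
    suffix = ".in-addr.arpa"
    if not zone_name.endswith(suffix):
        raise ValueError("not an in-addr.arpa zone name")
    return ".".join(reversed(zone_name[: -len(suffix)].split(".")))


def parse_ptr_records(zone_text: str):
    """Yield (label, target) for each PTR line; comments, SOA and NS are skipped."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        fields = line.split()
        if "PTR" in fields and fields.index("PTR") + 1 < len(fields):
            yield fields[0], fields[fields.index("PTR") + 1]


def check_reverse_zone(zone_name: str, zone_text: str, forward_a: dict) -> list:
    """Return a list of problems found in a /24 reverse lookup zone."""
    prefix = network_prefix(zone_name)
    problems = []
    targets_by_label = defaultdict(list)
    for label, target in parse_ptr_records(zone_text):
        # In a /24 zone the record name must be a single host octet (0-255).
        if not re.fullmatch(r"\d{1,3}", label) or int(label) > 255:
            problems.append(f"{label}: not a valid host octet in {zone_name}")
            continue
        address = f"{prefix}.{label}"
        targets_by_label[label].append(target)
        # The PTR target should have an A record that points back at this address.
        forward = forward_a.get(target)
        if forward is None:
            problems.append(f"{address} -> {target}: no forward A record")
        elif forward != address:
            problems.append(f"{address} -> {target}: forward A record is {forward}")
    for label, targets in targets_by_label.items():
        if len(targets) > 1:
            problems.append(f"{prefix}.{label}: {len(targets)} PTR entries {targets}")
    return problems


if __name__ == "__main__":
    zone = reverse_zone_name("192.168.1.0")
    for problem in check_reverse_zone(zone, REVERSE_ZONE_TEXT, FORWARD_A):
        print(problem)
```

Run against a real zone by pasting the contents of the .dns file into REVERSE_ZONE_TEXT and the A records of the matching forward zone into FORWARD_A; anything the script prints is a record worth looking at in the console before you blame the resolver.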

Here’s a very handy tip that will save you a lot of time and grief when
you create a new forward lookup zone. You may have noticed that after
having created a new forward lookup zone, your nslookup DNS queries
either fail or give you timeout error messages. You can fix this quickly by
creating a reverse lookup zone for the network ID on which the DNS serv-
er is located, and then creating a PTR record for the DNS server itself.
91_tcpip_07.qx 2/25/00 11:08 AM Page 365
366 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
Although you are not required to create reverse lookup zones, you might
find queries execute faster once you’ve put one in place. If you are running
any type of security or IP diagnostic software, reverse lookup zones are a
must.
Active Directory Integrated Zones
A standard zone is stored in a dedicated text file (in %SystemRoot%\system32\dns) on the DNS server. Windows 2000 DNS servers give you the option of "integrating" your zone database into the Active Directory, where each name in the zone becomes an object in the directory. There are several advantages to integrating your DNS zones into the Active Directory, including:
• Replication through the Active Directory replication engine instead of DNS zone transfers
• Per-property replication: only the attributes of a record that changed are sent, not the whole zone
• Secure zone replication and secure dynamic updates
• A multimaster DNS topology
One of the major design issues you have to deal with is where to place your DNS servers. When working with standard DNS zones, you have to plan the placement of your domain controllers and of your DNS servers separately. When you integrate your DNS zones into the Active Directory, they are stored on domain controllers, and you no longer have to plan separate placement and replication topologies for DNS and domain controllers.
All DNS servers that host a directory-integrated zone are primary servers for it. This solves the problem of the standard primary zone, where the single primary server for the zone is a single point of failure. This is especially important when working with dynamic DNS update: if the primary server for a standard zone fails, dynamic updates for that zone cannot complete, and the zone data goes stale while clients keep changing addresses. Directory-integrated zones are therefore multimaster. Each DNS server for a directory-integrated zone is a master that accepts updates, and it replicates its DNS data to the other domain controllers based on your Active Directory replication design.
Common Problems with Integrated DNS Zones
You may encounter some problems when working with Active Directory integrated DNS zones.
“Loose Consistency”
Because every DNS server is a primary, two different administrators could change the same record on different servers at the same time. The same machine could have address records pointing to two different IP addresses, or a CNAME record for www could point to two different address records. The zone is then in what Microsoft calls a "loosely consistent" state.
The conflict resolves itself once replication completes: the copy of the resource record with the most recent timestamp wins. Until then, you will have some incongruities in your name resolution scheme, and different servers may answer the same query differently. The best protection is to limit manual updates to the zone to a single administrator. That administrator can be located anywhere, because any zone can be opened from any location using the DNS management console.
Advantages of Active Directory Integration
There are several advantages to integrating the DNS zones with Active
Directory.
Reduction of Network Traffic
Zone transfer traffic decreases with Active Directory integrated zones because the entire zone is not replicated; only the attributes that changed on a record's directory object are sent to the other domain controllers that hold the zone. If you have large zones, and zone transfer traffic is eating up a significant amount of your bandwidth, consider integrating them with the Active Directory.
You do not need to configure DNS Notify for Active Directory integrated zones. The DNS server polls the Active Directory for changes to the zone at a fixed interval; in Windows 2000 the default (the DsPollingInterval server setting) is 300 seconds, so a change made on one domain controller can take up to that long, plus directory replication latency, to appear on another DNS server.
Enhanced Security
Another major advantage of Active Directory enabled zones is improved security. Standard zones allow you to set up a modicum of security by configuring the IP addresses of machines that are allowed to request a zone transfer. Typically, this list is the servers on the Name Servers tab of the zone's Properties sheet, although you can add other IP addresses if you wish. If you enable a standard zone to accept dynamic updates, however, any machine that can reach the server is allowed to update a host or pointer record in the zone, whether or not it is the machine the record describes.
Only an Active Directory enabled zone can be set to accept secure dynamic updates only. Windows 2000 DNS clients can update their own address and pointer records on either a standard Windows 2000 zone or a Directory integrated zone, but only the Directory integrated zone can verify who is sending the update.
NOTE
The resource records are not secured in a standard zone, and any computer claiming a name can update the resource record for that name. Active Directory enabled zones use Kerberos authentication (the GSS-TSIG transaction signature on the update request) together with the access control list on each record object to prevent "outlaw" DNS clients from overwriting a legitimate resource record.
Ownership Disputes
With secure DNS zone updates, only the “owner” of the record can update
a resource record. This improves overall security, but it can cause some
problems you might have to deal with.
For example, let’s say that you are using a DHCP server to assign IP
addresses to Windows 2000 clients. The default behavior for Windows
2000 DNS clients is to update their own address records and to allow the
DHCP server to update the pointer record. The DNS client therefore
“owns” the address record, and the DHCP server “owns” the pointer
record.
Now let’s suppose the DHCP server that you have been using crashes.
You have a backup DHCP server, so you might not worry about it too
much. However, when the backup DHCP server tries to update the pointer
record for the DNS client, it won’t be able to—because it doesn’t own that
pointer record!
Another situation where you might run into problems is when you are
working with downlevel clients. Suppose that you have a Windows NT 4.0
computer that has been receiving its IP addressing information from a
Windows 2000 DHCP server. The Windows 2000 DHCP server has been
acting as a “proxy” for the downlevel client and has been registering the
downlevel DNS client’s address record and pointer record for it.
What happens after you upgrade the downlevel client to Windows
2000? The Windows 2000 DNS client is now capable of updating its own
DNS information. Unfortunately, when the upgraded client tries to do
this, it will not be able to, since the DHCP server that originally registered
its address and pointer records owns them.
The solution to these problems is to place the DHCP servers into a special group known as the DnsUpdateProxy group. When a DHCP server that is a member of this group creates an entry for a machine in DNS, no security information is attached to the record: it has no owner, so another DHCP server, or the client itself once it is able to register, can update it. The trade-off is that such records are unprotected until some principal that is not in the group updates them and becomes their owner, so any authenticated computer can claim them in the meantime. For the same reason, do not add a DHCP server that is also a domain controller to DnsUpdateProxy, because the records that domain controller registers for itself would then be created without protection as well. For example, let's say a DHCP server creates an address record and a pointer record for a
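As an added example (not code from the book or from Microsoft), the following Python model encodes the ownership rules described above and runs the two failure cases and the DnsUpdateProxy fix through them: the creator of a record owns it, only the owner may change it, a member of DnsUpdateProxy creates records with no security information, and the first non-member that updates such a record becomes its owner (that last rule is how Microsoft documents the group's behavior, and it is what lets an upgraded client reclaim its own records). The principal names DEFIANT$, DHCP1$, DHCP2$ and OUTLAW$ are assumed. The last scenario shows the trade-off the text warns about: while a record is unowned, any authenticated computer can claim it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Hypothetical principal names used throughout; a real deployment has its own.
CLIENT = "DEFIANT$"          # the Windows 2000 client's computer account
DHCP_PRIMARY = "DHCP1$"      # DHCP server that first registered the records
DHCP_BACKUP = "DHCP2$"       # DHCP server that takes over after DHCP1 fails
ROGUE = "OUTLAW$"            # some other authenticated computer on the network


@dataclass
class Record:
    data: str
    owner: Optional[str]     # None: record was created with no security information


class SecureZone:
    """Simplified model of the ownership checks on an AD-integrated zone with
    secure dynamic update enabled.  It is not the DNS server's code; it only
    encodes the rules the text describes."""

    def __init__(self, proxy_members: Set[str]):
        self.proxy_members = proxy_members        # members of DnsUpdateProxy
        self.records: Dict[Tuple[str, str], Record] = {}

    def update(self, principal: str, name: str, rtype: str, data: str) -> str:
        """Apply one dynamic update and report what happened to it."""
        key = (name, rtype)
        is_proxy = principal in self.proxy_members
        existing = self.records.get(key)
        if existing is None:
            # Creator owns the record, unless the creator is a proxy member.
            self.records[key] = Record(data, None if is_proxy else principal)
            return "created"
        if existing.owner is None:
            # Unowned record: a proxy member leaves it unowned, anyone else
            # takes ownership with this update.
            existing.data = data
            if not is_proxy:
                existing.owner = principal
                return "took ownership"
            return "updated (still unsecured)"
        if existing.owner == principal:
            existing.data = data
            return "updated"
        return "refused"


def run_scenarios() -> Dict[str, str]:
    """Replay the situations from the text and return the outcome of each."""
    ptr = ("2.1.168.192.in-addr.arpa", "PTR")
    name = "defiant.tacteam.net."
    results = {}

    # Without DnsUpdateProxy: the first DHCP server owns the PTR, so both the
    # backup DHCP server and the client (after its upgrade) are locked out.
    zone = SecureZone(proxy_members=set())
    zone.update(DHCP_PRIMARY, *ptr, name)
    results["backup dhcp, no proxy group"] = zone.update(DHCP_BACKUP, *ptr, name)
    results["upgraded client, no proxy group"] = zone.update(CLIENT, *ptr, name)

    # With both DHCP servers in DnsUpdateProxy: the record has no owner, so the
    # backup server can update it and the client takes it over once upgraded.
    zone = SecureZone(proxy_members={DHCP_PRIMARY, DHCP_BACKUP})
    zone.update(DHCP_PRIMARY, *ptr, name)
    results["backup dhcp, proxy group"] = zone.update(DHCP_BACKUP, *ptr, name)
    results["upgraded client, proxy group"] = zone.update(CLIENT, *ptr, name)
    # From then on the record is secured: DHCP and everyone else are refused.
    results["dhcp after client takeover"] = zone.update(DHCP_BACKUP, *ptr, name)
    results["rogue after client takeover"] = zone.update(ROGUE, *ptr, "outlaw.tacteam.net.")

    # The trade-off: while the record is still unowned, any authenticated
    # computer can claim it, and the legitimate client is then locked out.
    zone = SecureZone(proxy_members={DHCP_PRIMARY, DHCP_BACKUP})
    zone.update(DHCP_PRIMARY, *ptr, name)
    results["rogue on unowned record"] = zone.update(ROGUE, *ptr, "outlaw.tacteam.net.")
    results["client after rogue takeover"] = zone.update(CLIENT, *ptr, name)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:36s} {outcome}")
```

The model deliberately has no administrator override; on a real server a DNS administrator can always take ownership of a record through its ACL, which is the manual way out of an ownership dispute when you cannot wait for a client to re-register.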