<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>How I learned to love DNS : DNS</title><link>http://msmvps.com/blogs/dns/archive/tags/DNS/default.aspx</link><description>Tags: DNS</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>Do you use reverse lookup zones?</title><link>http://msmvps.com/blogs/dns/archive/2005/03/05/37681.aspx</link><pubDate>Sat, 05 Mar 2005 22:18:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:37681</guid><dc:creator>james</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/dns/rsscomments.aspx?PostID=37681</wfw:commentRss><comments>http://msmvps.com/blogs/dns/archive/2005/03/05/37681.aspx#comments</comments><description>By default, Active Directory does not require the use of reverse lookup zones to validate clients. The primary function of AD DNS is to permit the lookup of clients, services, and the all-valuable DC GUIDs for inter-DC communication. 
&lt;P&gt;&lt;/P&gt;Spiffy. 
&lt;P&gt;&lt;/P&gt;However, it appears that not everybody likes this. Now, I will be the first to admit that I don't read all of the RFCs for a given protocol or spec. OK, I will also admit that I like to lie about reading anything regarding RFCs, and in fact have better luck reading nutrition information from KFC. 
&lt;P&gt;&lt;/P&gt;The problem appears to be that certain protocols and connection methodologies just love reverse lookups. The most commonly seen implementation is with email servers. You can perform a reverse lookup on the incoming mail server connection to see if it is what it claims to be. But there are other uses for this. If you try connecting Apple OS X clients to your AD you might be greeted with various issues if you don't have a reverse lookup zone configured. In addition, I have seen some implementations of IPSec using this (although my implementations haven't needed this, that I can tell, but I always create reverse lookup zones in forests I own). 
&lt;P&gt;&lt;/P&gt;Swell. 
&lt;P&gt;&lt;/P&gt;So, why does this matter? I mean, it's easy to create one of these and manage it, right? Well, yes and no. If you have a typical network of less than 200 machines, then you are probably running a single Class C and therefore no problem. However, when you get up to 2,000 or 3,000 systems it begins to be problematic. Stretch this to the level that I design for (about 400,000 or so in one country), and there is a real problem. If you manage just the backbone of AD, then you own the root and all child domain DCs, and you at least know what networks they are on. Yet, you &lt;B&gt;know&lt;/B&gt; that a directory of this size means you will have several subnets per site, and you have to keep on top of them. The first step is, obviously, creating subnet objects and putting them into your sites definitions. While that's great, you would still need to manage a great deal of reverse lookup zones for every forward lookup zone. This would be classified as "not fun." I just figured I would bounce this off all my fans out there (that's right, both of you, when you sober up that is) to see what you guys do.</description><category domain="http://msmvps.com/blogs/dns/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://msmvps.com/blogs/dns/archive/tags/DNS/default.aspx">DNS</category></item></channel></rss>