A Reverse Lookup Zone is necessary?


George Hester

Sometime ago I asked about setting up the DNS Server in Windows 2000
correctly. I had an article on it:

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

and was given suggestions here. I recall that it was not necessary to make
a new Reverse Lookup zone for my situation so I didn't touch it.

In one of my domain clients Windows XP SP2 I have this warning in the Event
Viewer:

In the Event Viewer | System I have a LSASRV Warning Category SPNEGO
(Negotiator) Event 40961 and this is its Description:

The Security System could not establish a secured connection with the server
DNS/prisoner.iana.org. No authentication protocol was available

So I wrote to a Windows XP newsgroup and this was the response:

This usually means your DNS server is misconfigured and does not have a
reverse lookup zone. - Kerry Brown

So now I am a little confused. Do I have to set up a Reverse Lookup zone in
my DNS Server and if so how do I do it? It wants a Network ID. Which I
haven't the slightest idea what that is. Or it wants a Reverse lookup zone
name and again I haven't the slightest idea what that is or if it is even
necessary. My DNS Server has been configured EXACTLY the way the articles
said to do it. And so far I have had no issues with the DNS server in my
Windows 2000 clients. It is only the Windows XP client where this issue has
cropped up. How do I fix the warning above? Thanks.
 
In
George Hester said:
Sometime ago I asked about setting up the DNS Server in Windows 2000
correctly. I had an article on it:

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

and was given suggestions here. I recall that it was not necessary
to make a new Reverse Lookup zone for my situation so I didn't touch
it.

In one of my domain clients Windows XP SP2 I have this warning in the
Event Viewer:

In the Event Viewer | System I have a LSASRV Warning Category SPNEGO
(Negotiator) Event 40961 and this is its Description:

The Security System could not establish a secured connection with the
server DNS/prisoner.iana.org. No authentication protocol was
available

So I wrote to a Windows XP newsgroup and this was the response:

This usually means your DNS server is misconfigured and does not have
a reverse lookup zone. - Kerry Brown

So now I am a little confused. Do I have to set up a Reverse Lookup
zone in my DNS Server and if so how do I do it? It wants a Network
ID. Which I haven't the slightest idea what that is. Or it wants a
Reverse lookup zone name and again I haven't the slightest idea what
that is or if it is even necessary. My DNS Server has been
configured EXACTLY the way the articles said to do it. And so far I
have had no issues with the DNS server in my Windows 2000 clients.
It is only the Windows XP client where this issue has cropped up. How
do I fix the warning above? Thanks.

Some applications require a reverse zone, but they are few. Win2003 uses a
reverse zone for the SPNEGO function, a way to ID itself with Kerberos. To
eliminate the 40961 errors, create a reverse zone and make sure the DCs have
PTR entries.

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Well Ace thanks. Unfortunately I do not know what I should add as a Reverse
Lookup zone. What is my Network ID? I know my Domain Name and that is it.
The Server is Windows 2000 not Windows 2003. I don't have any PTR entries.
What should they be? P(oin)T(e)R(s) to what? The Router uses 192.168.2.1
that is the Gateway and my DNS Server is 192.168.2.34. DHCP is NOT
installed. The machines get the DHCP automatically.
 
In
George Hester said:
Well Ace thanks. Unfortunately I do not know what I should add as a
Reverse Lookup zone. What is my Network ID? I know my Domain Name
and that is it. The Server is Windows 2000 not Windows 2003. I don't
have any PTR entries. What should they be? P(oin)T(e)R(s) to what?
The Router uses 192.168.2.1 that is the Gateway and my DNS Server is
192.168.2.34. DHCP is NOT installed. The machines get the DHCP
automatically.

This is pretty simple. Since your subnet appears to be 192.168.2.0/24, I
would rt-click Reverse Lookup Zones, and select new, choose AD Integrated
zones (logical choice assuming this is your DC/DNS server), for the zone,
type in 192.168.2, and next next next finish (maybe too many next's.) :-)
Go into the zone's properties, General tab, and ensure updates are set to
either Secure and Unsecure, or Secure Only.

How are the machines getting DHCP automatically if you do not have DHCP
installed? Do you mean your router is handling it? If so, I suggest and
highly recommend to disable it on the router and use Microsoft DHCP, since
Microsoft DHCP supports Option 081, which is DNS Dynamic Updates that works
flawlessly with Microsoft DNS. The router doesn't.

Ace
 
OK thanks Ace. Yes it obtains the DHCP through the router. I have had no
issue so far except what I see in the client Windows XP Event Log. Why did
you say /24? As far as I can tell I have the full range from 192.168.2.2 to
192.168.2.254 available. The router now determines what IP addresses are
assigned to all the machines on the Network in the Domain. And they never
change. Just let me know how you arrived at /24 and what that means
exactly and I think I can take it from there. Thanks.
 
In
George Hester said:
OK thanks Ace. Yes it obtains the DHCP through the router. I have
had no issue so far except what I see in the client Windows XP Event
Log. Why did you say /24?
As far as I can tell I have the full range from 192.168.2.2 to
192.168.2.254 available.
The router now
determines what IP addresses are assigned to all the machines on the
Network in the Domain. And they never change. Just let me know how
you arrived at /24 and what that means exactly and I think I can take
it from there. Thanks.

A /24 is CIDR (Classless Inter-Domain Routing) notation; it means there are 24 bits
in the subnet mask, leaving 8 bits for the hosts. In this case, the mask is
255.255.255.0. The '255's in the mask signify the 24 "1s" (ones), and the 0
on the end signifies 8 "0s" (zeros.) The 8 zeros give you a usable range of
254 hosts (2 ^ 8), which are .1 to .254.

I would honestly suggest to use Microsoft's DHCP and support Option 081,
which is DNS Dynamic Updates. The router does not support Option 081. It
works flawlessly with Microsoft's DNS server for dynamic updates. Another is
Option 015, which is the Connection Specific Suffix for your machines, which
you configure to be your AD DNS domain name. There a host of other
configurable options as well. Most of all, they're designed to work
together.

Curious, 192.168.2.34 is your DNS server for your network, correct? Is this
the only one set in all your machines or are there any others, such as the
ISP?

Also, do you have forwarding configured in DNS properties?

Ace
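Ace's explanation above (the /24 mask, the "192.168.2" the zone wizard asks for as the Network ID, and the PTR entries the DCs need) worked out in code. This is an added example, not code from the thread or from Microsoft; it uses only Python's standard ipaddress module. The subnet 192.168.2.0/24 and the server address 192.168.2.34 are taken from the thread; the FQDN dc1.example.com used for the sample PTR line is an assumption. The host count subtracts the network and broadcast addresses from the 256 addresses in the block. It also goes one step beyond the thread: a prefix longer than /24 cannot be expressed as a single in-addr.arpa zone and needs the classless delegation scheme of RFC 2317, which is what a delegation-based "subnetted reverse zone" procedure is for; a plain /24 does not need it.

```python
"""Reverse-lookup zone naming for a subnet, worked out with ipaddress.

Added example, not part of the original newsgroup thread. The subnet
192.168.2.0/24 and the DNS server 192.168.2.34 come from the thread;
the hostname dc1.example.com is an assumption.
"""
import ipaddress


def describe_prefix(cidr: str) -> dict:
    """Explain a CIDR prefix: mask, network/host bits, usable host count."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    # The network and broadcast addresses are never assigned to hosts.
    usable = net.num_addresses - 2 if host_bits >= 2 else 0
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix_bits": net.prefixlen,
        "host_bits": host_bits,
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
    }


def reverse_zone_name(cidr: str) -> str:
    """Name of the in-addr.arpa zone holding the PTR records for a subnet.

    Only octet-aligned IPv4 prefixes (/8, /16, /24) map to one in-addr.arpa
    zone. Anything longer (e.g. /26) needs RFC 2317 classless delegation,
    so this function refuses it rather than inventing a zone name.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    if net.prefixlen % 8 != 0 or net.prefixlen == 0:
        raise ValueError(
            f"/{net.prefixlen} is not octet-aligned; use RFC 2317 delegation"
        )
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip: str) -> str:
    """Fully qualified owner name of the PTR record for one address."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_relative_name(ip: str, cidr: str) -> str:
    """The short 'node name' the DNS console shows inside the reverse zone."""
    zone = reverse_zone_name(cidr)
    full = ptr_owner_name(ip)
    if not full.endswith("." + zone):
        raise ValueError(f"{ip} is not inside {cidr}")
    return full[: -len(zone) - 1]


if __name__ == "__main__":
    info = describe_prefix("192.168.2.0/24")
    print(f"{info['netmask']} = {info['prefix_bits']} one-bits, "
          f"{info['host_bits']} host bits, {info['usable_hosts']} usable hosts "
          f"({info['first_host']} .. {info['last_host']})")
    print("reverse zone:", reverse_zone_name("192.168.2.0/24"))
    # Assumed FQDN for the DNS server at 192.168.2.34 (not from the thread).
    print(ptr_relative_name("192.168.2.34", "192.168.2.0/24"),
          "PTR", "dc1.example.com.")
```

The relative name is what you type as the node name when adding a PTR by hand in the console; the fully qualified form is what the server actually answers for and what a `nslookup 192.168.2.34` query asks about.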
 
In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
made this post, which I then commented about below:

Typo...

This:
I would honestly suggest to use Microsoft's DHCP and support Option
081, which is DNS Dynamic Updates.

Should read as this:
I would honestly suggest to use Microsoft's DHCP *WHICH* support Option
081, which is DNS Dynamic Updates.

Ace
 
Hi Ace. I will try to answer your three questions.

1) "Curious, 192.168.2.34 is your DNS server for your network, correct? " -
Yes

2) "Is this the only one set in all your machines or are there any others,
such as the
ISP?" - The router has its ISP set by the ISP using DHCP. All my machines
on the network are in 192.168.2.# where # is 34 on the Server, # is 57 on
the Windows XP client and so on. The Router is not set to obtain DNS from
the ISP. It is set to obtain DNS from my Server. All the machines on the
Network receive their DNS from my server. But not the DHCP. Hence the IP
addresses of all the machines on the Network obtain their address from the
Router. But they never change.

3) "Also, do you have forwarding configured in DNS properties?" - Yes.

I haven't seen the need for putting the DHCP in the server as I do not have
any issues the way it is now. Except for this Warning in the XP Client.
This occurs nowhere else and my understanding to fix it is to enable a
Reverse Lookup Zone. But I really do not see how this is going to matter.
I was provided this link:

http://support.microsoft.com/kb/174419/

and as far as I can tell this is if I have subdomains. I do NOT have
subdomains. But that's what I hear. The XP warning is a direct result of
not having configured a Reverse Lookup Zone.

But as for the DHCP I'll be testing that out soon. And thanks for the
explanation of the /24.
 
In
George Hester said:
Hi Ace. I will try to answer your three questions.

1) "Curious, 192.168.2.34 is your DNS server for your network,
correct? " - Yes

2) "Is this the only one set in all your machines or are there any
others, such as the
ISP?" - The router has its ISP set by the ISP using DHCP. All my
machines on the network are in 192.168.2.# where # is 34 on the
Server, # is 57 on the Windows XP client and so on. The Router is
not set to obtain DNS from the ISP. It is set to obtain DNS from my
Server.

You mean your router is set to use YOUR DNS server, not "obtain" DNS. DNS is
a service to "give" answers to queries. Clients "find" the Active Directory
domain by querying DNS.
All the machines on the Network receive their DNS from my
server. But not the DHCP.

I'm sorry, I don't understand the above statement. You mean your machines
are using your DNS server for name resolution? DHCP can hand out DNS
addresses for a client machine's IP configuration.
Hence the IP addresses of all the
machines on the Network obtain their address from the Router. But
they never change.

I suggest to disable DHCP on the router and use your Windows server for DHCP
based on the technical reasons I previously posted. Using a router for DHCP
is fine and dandy for home users, but not for an AD infrastructure.
3) "Also, do you have forwarding configured in DNS properties?" - Yes.
Good

I haven't seen the need for putting the DHCP in the server as I do
not have any issues the way it is now. Except for this Warning in
the XP Client. This occurs nowhere else and my understanding to fix
it is to enable a Reverse Lookup Zone. But I really do not see how
this is going to matter. I was provided this link:

http://support.microsoft.com/kb/174419/
and as far as I can tell this is if I have subdomains. I do NOT have
subdomains. But that's what I hear. The XP warning is a direct
result of not having configured a Reverse Lookup Zone.

Good article on how to configure a reverse zone. Yes, the SPNEGO error will
disappear once a reverse zone is configured.
But as for the DHCP I'll be testing that out soon. And thanks for the
explanation of the /24.

It's YOUR call George. I'm just suggesting and recommending to configure
your infrastructure (no matter how small or large) the correct way in the
way it was intended. I can understand if this is a home network to rely on a
router's DHCP service, however, in a business environment, I wouldn't touch
a router's service other than routing, NAT or firewalling.

Good luck!

Ace
 
I think I have no alternative other than putting the DHCP in. I have no
subdomains; doesn't that make Reverse Lookup Zones null and void?
 
In
George Hester said:
I think I have no alternative other than putting the DHCP in. I have
no subdomains; doesn't that make Reverse Lookup Zones null and void?

George,

I don't understand what you mean by null and void? You want to eliminate
your current errors, correct? The reverse zone will eliminate that error. It
will also give you the ability to look up names if you know the IP. It
will also eliminate the unsightly 'can't find server' message when you
initialize nslookup.

Ace
 
OK Ace. I did as you suggested. Microsoft has a little different way of
doing it in this article:

http://support.microsoft.com/kb/174419/ using Advanced View and then
delegating. I was trying to set up the Primary Parent Zone and it didn't
seem to be going right. So I went to your suggestion.

The result of which was a new Reverse Lookup zone, 192.168.2.x Subnet. When
that is selected I have 2 entries there:

Name                      Type                  Data
(same as parent folder)   Start of Authority    [4] MyMachineName.MyDomainName.com., admin.MyDomainName.com.
(same as parent folder)   Name Server           MyMachineName.MyDomainName.com.

I then tried nslookup but I still get the cannot find server. Seems to me
this worked once before but now it doesn't.

What did I do wrong?
 
In
George Hester said:
OK Ace. I did as you suggested. Microsoft has a little different
way of doing it in this article:

http://support.microsoft.com/kb/174419/ using Advanced View and then
delegating. I was trying to set up the Primary Parent Zone and it
didn't seem to be going right. So I went to your suggestion.

The result of which was a new Reverse Lookup zone, 192.168.2.x Subnet.
When that is selected I have 2 entries there:

Name                      Type                  Data
(same as parent folder)   Start of Authority    [4] MyMachineName.MyDomainName.com., admin.MyDomainName.com.
(same as parent folder)   Name Server           MyMachineName.MyDomainName.com.

I then tried nslookup but I still get the cannot find server. Seems
to me this worked once before but now it doesn't.

What did I do wrong?


I don't see a PTR entry for your DNS server name. Isn't the IP 192.168.2.34?
What's the name of the machine?

Is your DNS server the only one in the machine's IP properties?

Can you post an unedited ipconfig /all please?

Ace
 
George Hester said:
OK Ace. I did as you suggested. Microsoft has a little different
way of doing it in this article:

http://support.microsoft.com/kb/174419/ using Advanced View and then
delegating. I was trying to set up the Primary Parent Zone and it
didn't seem to be going right. So I went to your suggestion.

The result of which was a new Reverse Lookup zone, 192.168.2.x Subnet.
When that is selected I have 2 entries there:

Name                      Type                  Data
(same as parent folder)   Start of Authority    [4] MyMachineName.MyDomainName.com., admin.MyDomainName.com.
(same as parent folder)   Name Server           MyMachineName.MyDomainName.com.

I then tried nslookup but I still get the cannot find server.
Are you sure it doesn't say "Can't find server name for address
<IPAddressofDNSserver>"?

You need to create a PTR record for the IP of the server, or turn dynamic
updates on in the zone and run ipconfig /registerdns
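Ace's question about the missing PTR entry and Kevin's advice above (create the PTR for the server's own address, or turn on dynamic updates and run ipconfig /registerdns) are the whole fix for the nslookup complaint. The following is an added example, not part of the thread: it audits a forward zone against its reverse zone, lists exactly the PTR records that are missing or wrong, and reproduces the check nslookup performs at startup, a reverse lookup of its own server address. The zone text is constructed for the demo and assumes one record per line: the addresses 192.168.2.34 and 192.168.2.57 come from the thread, the names dc1.example.com, pc57.example.com, printer.example.com and oldprinter.example.com and the domain example.com are assumptions, and the nslookup message is only approximated. A practitioner would feed it the contents of exported zone files instead of the inline strings.

```python
"""Audit a reverse zone against the forward zone and list missing PTRs.

Added example, not part of the original thread. Zone contents below are
constructed: the two addresses come from the thread, every hostname and
the domain example.com are assumptions.
"""
import ipaddress

# Constructed forward zone: owner, class, type, data (one record per line).
FORWARD_ZONE = """\
@        IN  SOA  dc1.example.com. admin.example.com. (4 900 600 86400 3600)
@        IN  NS   dc1.example.com.
dc1      IN  A    192.168.2.34
pc57     IN  A    192.168.2.57
printer  IN  A    192.168.2.90
"""

# Constructed reverse zone as it looks right after the zone wizard: only
# SOA and NS, no PTR for the DNS server. One stale PTR is included so the
# audit also shows a forward/reverse mismatch, not only missing records.
REVERSE_ZONE = """\
@        IN  SOA  dc1.example.com. admin.example.com. (1 900 600 86400 3600)
@        IN  NS   dc1.example.com.
90       IN  PTR  oldprinter.example.com.
"""


def parse_zone(text: str, origin: str) -> list:
    """Return (owner_fqdn, type, data) tuples; '@' and relative owners
    are expanded with the zone origin, absolute owners kept as-is."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments / blank lines
        if not line:
            continue
        owner, _cls, rtype, data = line.split(None, 3)
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn, rtype.upper(), data.strip()))
    return records


def audit_reverse_zone(fwd_text: str, fwd_origin: str,
                       rev_text: str, rev_origin: str) -> dict:
    """Compare every A record with the PTR record for its address.

    missing:    (node name, target) PTRs to add to the reverse zone
    mismatched: (node name, current target, expected target)
    ok:         addresses whose forward and reverse records agree
    """
    a_records = {data: owner for owner, rtype, data in
                 parse_zone(fwd_text, fwd_origin) if rtype == "A"}
    ptrs = {owner: data for owner, rtype, data in
            parse_zone(rev_text, rev_origin) if rtype == "PTR"}
    missing, mismatched, ok = [], [], []
    for ip, host in sorted(a_records.items(),
                           key=lambda kv: ipaddress.ip_address(kv[0])):
        ptr_owner = ipaddress.ip_address(ip).reverse_pointer
        if not ptr_owner.endswith("." + rev_origin):
            continue  # address belongs to some other reverse zone
        node = ptr_owner[: -len(rev_origin) - 1]
        expected = host + "."
        actual = ptrs.get(ptr_owner)
        if actual is None:
            missing.append((node, expected))
        elif actual != expected:
            mismatched.append((node, actual, expected))
        else:
            ok.append(ip)
    return {"missing": missing, "mismatched": mismatched, "ok": ok}


def nslookup_startup_check(server_ip: str, rev_text: str, rev_origin: str) -> str:
    """What nslookup does first: reverse-resolve the server it will query.
    Without a PTR for that address it reports that it can't find the
    server name (message approximated here, not copied from Windows)."""
    ptrs = {owner: data for owner, rtype, data in
            parse_zone(rev_text, rev_origin) if rtype == "PTR"}
    name = ptrs.get(ipaddress.ip_address(server_ip).reverse_pointer)
    if name is None:
        return f"*** Can't find server name for address {server_ip}"
    return f"Default Server:  {name.rstrip('.')}"


if __name__ == "__main__":
    fwd, rev = "example.com", "2.168.192.in-addr.arpa"
    print(nslookup_startup_check("192.168.2.34", REVERSE_ZONE, rev))
    report = audit_reverse_zone(FORWARD_ZONE, fwd, REVERSE_ZONE, rev)
    for node, target in report["missing"]:
        print(f"add to {rev}: {node} PTR {target}")
    for node, actual, expected in report["mismatched"]:
        print(f"fix in {rev}: {node} PTR {actual} -> {expected}")
```

Run as-is it reports that the server at 192.168.2.34 has no PTR (which is what the nslookup startup message is telling you), lists node 34 and node 57 as the PTRs to add, and flags node 90 as pointing at a stale name. Each "add" line is exactly the node name and target you would enter in the reverse zone by hand; with dynamic updates enabled on the zone, ipconfig /registerdns on each machine registers the same records for you.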
 
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : hester
Primary DNS Suffix  . . . . . . . : hesterloli.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hesterloli.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : F5D5000, PCI Card/Desktop Network PCI Card
Physical Address. . . . . . . . . : 00-30-BD-6D-F1-ED
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.32


--

George Hester
_________________________________
"Ace Fekay [MVP]"
In
George Hester said:
OK Ace. I did as you suggested. Microsoft has a little different
way of doing it in this article:

http://support.microsoft.com/kb/174419/ using Advanced View and then
delegating. I was trying to set up the Primary Parent Zone and it
didn't seem to be going right. So I went to your suggestion.

The result of which was a new Reverse Lookup zone, 192.168.2.x Subnet.
When that is selected I have 2 entries there:

Name                      Type                  Data
(same as parent folder)   Start of Authority    [4] MyMachineName.MyDomainName.com., admin.MyDomainName.com.
(same as parent folder)   Name Server           MyMachineName.MyDomainName.com.

I then tried nslookup but I still get the cannot find server. Seems
to me this worked once before but now it doesn't.

What did I do wrong?


I don't see a PTR entry for your DNS server name. Isn't the IP 192.168.2.34?
What's the name of the machine?

Is your DNS server the only one in the machine's IP properties?

Can you post an unedited ipconfig /all please?

Ace
 
OK I just did that. Thanks. Hopefully this will remove the warning on the
Windows XP client.

--

George Hester
_________________________________
Kevin D. Goodknecht Sr. said:
George Hester said:
OK Ace. I did as you suggested. Microsoft has a little different
way of doing it in this article:

http://support.microsoft.com/kb/174419/ using Advanced View and then
delegating. I was trying to set up the Primary Parent Zone and it
didn't seem to be going right. So I went to your suggestion.

The result of which was a new Reverse Lookup zone, 192.168.2.x Subnet.
When that is selected I have 2 entries there:

Name                      Type                  Data
(same as parent folder)   Start of Authority    [4] MyMachineName.MyDomainName.com., admin.MyDomainName.com.
(same as parent folder)   Name Server           MyMachineName.MyDomainName.com.

I then tried nslookup but I still get the cannot find server.
Are you sure it doesn't say "Can't find server name for address
<IPAddressofDNSserver>"?

You need to create a PTR record for the IP of the server, or turn dynamic
updates on in the zone and run ipconfig /registerdns
 