DNS & DHCP Questions

I will start out by saying that my knowledge of DNS is pretty limited but I understand the basics. Looking at our Windows Small Business Server 2003 system I see quite a few directories in our DNS and I was wondering if someone would take a look at the screenshot of our current DNS structure and see if it appears normal to them. See the attached screenshot. This is a small network of about 20 PCs and this is the only server which runs Active Directory, DNS and is mostly used for file & printer sharing. Since this is Small Business Server I have realized that everything with the setup is heavily based on wizards so maybe some of these things are just normal to SBS but I have been working with a Server 2008 Standard server and notice quite a few differences in the DNS structures for environments that are pretty similar. Maybe it is just the newer server OS though.

1. Our domain is NEA.local and I am not sure what the "standard" directories are in DNS but I thought it was kind of strange that we had two Forward Lookup Zones; one for our actual domain "NEA.local" and then another named "_msdcs.NEA.local". What is this Forward Lookup Zone used for?

2. Another thing I notice is all the entries for "Default-First-Site-Name". Where did this name come from, what is it referring to, and why is it such a generic name?

3. Finally, the server is not running DHCP at this time; our RV042 router is handling that. About 6 months ago we changed all of our IP addressing on the network from 192.168.1.X to 192.168.5.X but looking around in the DNS I see that there is a Reverse Lookup Zone still in there for the 192.168.1.X subnet and not the 192.168.5.X subnet. What is the best way to correct this? Is it safe to just delete the 192.168.1.X subnet and run through the "New Zone" wizard to set up a new one for the 192.168.5.X subnet? We aren't really experiencing any issues traversing the network but I do notice as an admin that I cannot ping hardly any of the workstations except 3 of them and I can only connect to the admin shares (\\SYSTEM\C$) on those 3 as well. The rest, as far as pings go, don't exist on the network. Whether this has anything to do with DNS or DHCP I don't know but I would tend to think so. Would it be more beneficial to configure the server to manage DHCP as well?

I apologize for the rather vague questions on the DNS directories but I just haven't been able to find too much information through searching for what the purposes of all these directories are. They all seem to contain for the most part the same records. If anyone has any links they could share that explain the directories within DNS it would be greatly appreciated. Thanks in advance for any help.

Chris Dent (PowerShell Developer) commented:

1. It's a common way of setting up the zones. It must have been automatically configured which is fine. As KCTS says, the _msdcs zone contains the service records. They allow your network clients to find things, where AD is, where to change passwords, where to log on, etc, etc.

2. If you open up AD Sites and Services you'll see Default-First-Site-Name. Feel free to change it if you wish (right click, Rename).  But don't delete it, it only really comes into play when you have more than one site.

3. Yes, it's safe to delete the old zone for the old subnet.

The name resolution problems you're having suggest that you don't have many entries in your Forward Lookup Zone. If you select the zone and browse the Host (A) records, do you see any of your PCs?

Brian Pierce (Photographer) commented:
A forward lookup zone is used to find a machine's IP address from the name - it's done automatically, so when you want to contact SERVER1, a DNS lookup is used to find the IP address of SERVER1 so that you can communicate with it.

The _msdcs zone and everything under it is used by Active Directory - it mainly contains SRV records so that machines can find domain controllers and other such stuff.

It makes a lot of sense to use Windows DHCP - it integrates fully with DNS and provides all of the options, some of which are generally missing from router-based DNS.

BTW - all clients (and servers - including your DC) should point at the Windows DNS server ONLY as their preferred DNS server.


another note about forward lookup zones -- think of it as "WHERE TO LOOK WHEN YOU DON'T KNOW"
if the system cannot resolve an address request, it will go to the forward lookup zone.

As for DHCP -- many admins today still feel the need to maintain granular management of everything.  Some (not many) still resist DHCP and they statically control everything.  DHCP is the most efficient way to manage your environment.  With the exception of routers, servers and printers, and a few other enterprise hosts, DHCP simplifies the entire address management process by providing a centralized management console for all DHCP activities.

J-Reese (Author) commented:
@ KCTS & halejr
Thanks for the info. And after some more reading I think I will probably be moving DHCP over to the server. As far as the DHCP configuration for network printers & scanners; what is the proper way to set them up? Should I set up reservations for them or do I just leave them set at their static addresses that they are at now outside of the pool?

@ Chris-Dent
In regards to the Host (A) records; each client has a record in the NEA.local FLZ and all of the IP addresses match what is in the current DHCP table in the router. This is why I thought it was a little strange.
halejr1 commented:
I recommend that you put a strategy in place, i.e. on paper say something like this:

routers and switches address .1 -10 and .254
Servers .20 through .39
Printers .40 through .69
Workstations .100-.250
open for future
.11 through .19
.70 through .99
.251through .253

This example is for smaller networks with class-C subnets and fewer servers.  In a large enterprise you would likely have a subnet or multiple subnets dedicated for servers and resource hosts.  So in this example, all I need to do is set my DHCP scope for .100 through .250 giving me 150 hosts and I've isolated a segment for printers, etc.  Why this strategy and not just open it up for random chaos?  Well from a management perspective, I have a good handle on what my space allocation is, and if I am growing beyond that allocation, it's time for me to open up additional subnets, etc. with the same standard address allocation.  Therefore when I see a host that is x.y.z.107 I know it's a workstation, and x.y.z.44 I know it's a printer -- you get the idea.  I call this managing with a PLAN.

Good Luck and feedback or criticism is always welcome and most times appreciated.

One last thing, the open blocks, for future -- there is not a logical reason, other than space for those things not accounted for -- or technology that has evolved and maybe needs special attention.  You never know... the minute you make a plan that seems bulletproof, something changes....  but this does not mean that planning is a waste of time.  Manage for progress, manage for success, manage for simplicity as best you can.  -ok.. so I am long winded, but you get the picture.
J-Reese (Author) commented:
I do already have a plan in place that I am using with our current setup on the router. Granted this is only a network of 20 clients, 1 server, 6 printers and 1 copier/scanner, but I figured this out rather quickly after I came on board here and made up a plan when I changed our whole IP addressing scheme over, because when I walked into the network there were printers all over the network mixed in with the DHCP pool and plenty of other issues.

Right now I use the following:
5.1 - Router
5.2 - WAP
5.3 - WAP
5.5 - Server
5.10 - 5.19 - Network Printers & Scanners
5.50 - 5.99 - DHCP

I just wasn't sure if the proper method was to assign static IP address to the printers or leave them on DHCP but set up reservations for them.
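
An added example (not code from the thread or from any of its participants) that turns the written address plan halejr1 recommends, using the 192.168.5.x block layout J-Reese posted, into a check: it verifies the plan's blocks do not overlap, classifies any address into its planned role, and audits a DHCP lease table and the forward zone's A records against the plan, which is the comparison J-Reese described doing by hand. The lease table, A records and the list of devices that should be static are all constructed for illustration.

```python
"""Audit a small-office IPv4 address plan against DHCP leases and DNS A records.

Added example, not from the thread. The PLAN numbers follow J-Reese's post;
LEASES, A_RECORDS and STATIC_DEVICES below are constructed sample data.
"""
from ipaddress import IPv4Address, IPv4Network

SUBNET = IPv4Network("192.168.5.0/24")

# role -> (first, last) inclusive; everything else is an "open for future" block
PLAN = {
    "router":  ("192.168.5.1", "192.168.5.1"),
    "wap":     ("192.168.5.2", "192.168.5.3"),
    "server":  ("192.168.5.5", "192.168.5.5"),
    "printer": ("192.168.5.10", "192.168.5.19"),
    "dhcp":    ("192.168.5.50", "192.168.5.99"),
}

# Constructed sample data: what the DHCP server/router reports, what the
# NEA.local forward zone holds, and which hosts are meant to be static.
LEASES = {"ws01": "192.168.5.51", "ws02": "192.168.5.52",
          "laptop": "192.168.5.15", "copier": "192.168.5.60"}
A_RECORDS = {"ws01": "192.168.5.51", "ws02": "192.168.1.52",
             "ws03": "192.168.5.70", "prn01": "192.168.5.11"}
STATIC_DEVICES = {"copier", "prn01"}


def classify(ip, plan=PLAN):
    """Return the planned role of an address: a PLAN key, 'unallocated' or 'foreign'."""
    addr = IPv4Address(ip)
    if addr not in SUBNET:
        return "foreign"
    for role, (lo, hi) in plan.items():
        if IPv4Address(lo) <= addr <= IPv4Address(hi):
            return role
    return "unallocated"


def plan_overlaps(plan=PLAN):
    """Return pairs of roles whose blocks overlap; empty means the plan is consistent."""
    spans = {r: (IPv4Address(lo), IPv4Address(hi)) for r, (lo, hi) in plan.items()}
    roles = sorted(spans)
    overlapping = []
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = spans[a], spans[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                overlapping.append((a, b))
    return overlapping


def audit(leases, a_records, static_devices=STATIC_DEVICES, plan=PLAN):
    """Compare leases and A records with the plan; return (host, finding) tuples."""
    findings = []
    for host, ip in leases.items():
        role = classify(ip, plan)
        if role != "dhcp":
            findings.append((host, f"lease {ip} sits in the '{role}' block, outside the DHCP scope"))
        if host in static_devices:
            findings.append((host, f"should be static but holds a dynamic lease {ip}; "
                                   "give it a reservation or a fixed address in its block"))
        if host in a_records and a_records[host] != ip:
            findings.append((host, f"A record {a_records[host]} disagrees with lease {ip}"))
    for host, ip in a_records.items():
        if host not in leases and classify(ip, plan) == "dhcp":
            findings.append((host, f"A record {ip} is inside the DHCP scope but has no lease (stale?)"))
    return findings


if __name__ == "__main__":
    print("plan overlaps:", plan_overlaps() or "none")
    for host, finding in audit(LEASES, A_RECORDS):
        print(f"{host:8} {finding}")
```

Running it against the constructed data reports the stale 192.168.1.x A record for ws02, a laptop leased into the printer block, a copier that picked up a dynamic lease, and an A record for ws03 with no lease behind it; a clean run prints nothing but "plan overlaps: none".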
J-Reese (Author) commented:
Also, I forgot to add that I am planning to setup DHCP and make some DNS changes over this coming weekend so I am going to leave the thread open just in case I have some other questions with the DHCP configuration or still need some help figuring out why I can't access the clients or ping them over the network.
J-Reese (Author) commented:
Well I installed DHCP this weekend and made a few configuration changes to DNS to work with DHCP and it appears that everything is functioning normally and I haven't had any new issues resulting from the changes.

However, I still have the issue of only being able to ping and connect to admin shares on 4 of the workstations on the network out of 18 workstations that are currently up and running. I can't ping by host name or IP address and everything seems to match from DHCP to DNS to looking at the actual workstation's IP address so I don't know what is causing this. Every system in the office is on the domain and by looking at the Event Viewer logs on many of the systems I can't contact over the weekend everything appears to be fine with no errors of any type reported.

What could be the problem that I am unable to ping or connect to the admin shares of these workstations?
Chris Dent (PowerShell Developer) commented:

Windows Firewall?

I take it the name resolves to the correct IP if you run "nslookup <pcname>"?

J -- chris is probably right ... it may be a local client windows firewall issue.  Best way to t-shoot is disable WFW for one of the problem clients, wait a few seconds, then test.  If it works, then you need to look at improvising the policy to include netbios traffic and windows stuff.
J-Reese (Author) commented:
Yep, the workstations were resolving okay using NSLOOKUP and it sure was Windows Firewall being the culprit. Strange though how a few obviously have the exceptions enabled yet I didn't do it. I will have to look into what all they have opened up to compare to the majority of others that are not accessible.

As far as accessing the admin shares I noticed on one system I am looking at (over Remote Desktop) that in Windows Firewall | Exceptions tab that File and Printer Sharing was not allowed in the firewall so I allowed that exception and now I have access to admin shares. Which makes total sense since it is a share but I would think that setting would somehow get enabled by default when joining a system to the domain.

It turns out that enabling File and Printer Sharing also opens up TCP port 445 which will then allow ping acknowledgments; but just for reference it can also be enabled individually within Windows Firewall | Advanced tab and then Settings under the ICMP section. Check the box next to "Allow incoming echo request".

Are there any other benefits to enabling the other ICMP options in there? I notice there are quite a few other options that sound like they could be beneficial to network communication but I don't know if they are needed or not. I guess it is my choice but I just wonder if not having these as an allowed exception would ever come up as an issue like the ping acknowledgement being disabled.
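
An added example (not code from the thread or its participants) that automates the diagnosis the thread arrived at: check that a workstation name resolves (what "nslookup <pcname>" shows), cross-check the answer against the DHCP lease, and then see whether the host completes a TCP handshake on port 445. A name that resolves correctly but a port that never answers is the signature of a client-side Windows Firewall missing the File and Printer Sharing exception, not a DNS or DHCP fault. The resolver and port prober are passed in as functions so the logic runs offline against constructed results; the defaults use the real socket library when you point it at your own hosts.

```python
"""Separate DNS problems from host-firewall problems for a list of workstations.

Added example, not from the thread. The stub DNS table and open-port set in
demo() are constructed; the default resolver/prober use the real network.
"""
import socket

SMB_PORT = 445  # File and Printer Sharing / admin shares (\\host\C$)


def resolve(name):
    """Forward lookup like 'nslookup <pcname>'; returns the IP or None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_open(ip, port=SMB_PORT, timeout=2.0):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(name, expected_ip=None, resolver=resolve, prober=tcp_open):
    """Return (verdict, detail) for one host.

    expected_ip is the address the DHCP lease table shows for the host, so DNS
    can be cross-checked against DHCP the way the thread's author did by hand.
    """
    ip = resolver(name)
    if ip is None:
        return ("dns", f"{name} does not resolve; check the forward zone and the client's DNS server")
    if expected_ip and ip != expected_ip:
        return ("dns-stale", f"{name} resolves to {ip} but the DHCP lease says {expected_ip}")
    if prober(ip, SMB_PORT):
        return ("ok", f"{name} ({ip}) answers on TCP {SMB_PORT}")
    return ("host-firewall", f"{name} resolves to {ip} but TCP {SMB_PORT} is closed or filtered; "
            "likely Windows Firewall without the File and Printer Sharing exception")


def diagnose_all(hosts, resolver=resolve, prober=tcp_open):
    """hosts: {name: expected_ip_or_None}. Returns {name: verdict}."""
    return {n: diagnose(n, ip, resolver, prober)[0] for n, ip in hosts.items()}


def demo():
    """Run the logic against constructed DNS answers and a constructed open-port set."""
    fake_dns = {"ws01": "192.168.5.51", "ws02": "192.168.5.52", "ws03": "192.168.1.53"}
    fake_open = {"192.168.5.51"}  # only ws01 has the firewall exception enabled

    def fake_resolver(name):
        return fake_dns.get(name)

    def fake_prober(ip, port):
        return ip in fake_open

    # expected addresses as a DHCP lease table would list them (constructed)
    leases = {"ws01": "192.168.5.51", "ws02": "192.168.5.52",
              "ws03": "192.168.5.53", "ws04": "192.168.5.54"}
    return diagnose_all(leases, fake_resolver, fake_prober)


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host}: {verdict}")
```

In the constructed run ws01 is fine, ws02 resolves but is firewalled, ws03 still carries an A record from the old 192.168.1.x subnet, and ws04 has no A record at all; each verdict points at a different fix (firewall exception or GPO, scavenging the stale record, or registering the missing one).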

Chris Dent (PowerShell Developer) commented:

> Are there any other benefits to enabling the other ICMP options in there?

Not for simple networking, no.

You might consider setting up a few Group Policies to manage the firewall settings for you, saves messing around with it in future :)

J-Reese (Author) commented:
I actually just did that thinking that I don't want to go around to all these systems and it worked on the workstation I was connected to using Remote Desktop by me physically running gpupdate but is there a way I can force a gpupdate from the server to all the workstations?

It's not a necessity but I would like to see if my results work sooner than tomorrow morning :)
Chris Dent (PowerShell Developer) commented:

Only if you were to use something like PSExec wrapped up in a bit of scripting. Of course, to do that you'd need to be able to get onto the machines in the first place which might not be easy if the Firewall is still preventing access.

Might be worth a shot though, PSExec is here:


J - thanks for the recognition... I always appreciate points!