Windows dns reverse lookup zone not updating

PFE Tim Beasley here coming to you live from the warm, cozy sands of Bora Bora…Pfft, yeah. But I digress. I am writing this post to hopefully shed some light on a bizarre issue I recently faced at one of my dedicated (DSE) customer sites. Watch how the simplest action can either save or wreck an environment.

Imagine finding yourself as an IT administrator faced with over 50,000 reverse DNS records that are placed comfortably in one single, large, super zone. For example’s sake, let’s say it’s 10.in-addr.arpa, which happens to be an AD-integrated zone.

When you have reverse DNS zones that are smaller, aka more specific to a smaller subnet, like a /24 vs. … Normally this is totally fine and actually recommended to do from our standpoint, as it’s easier to manage.

There’s a maintenance window coming up, and you’re probably thinking…”Okay, let’s create some smaller AD-integrated zones of the larger one.” But being a safe IT admin, you want to make sure you have a rollback plan in the event something unexpected happens, as there are a lot of applications/devices out there that rely on reverse DNS. You want to take a backup of the existing super zone before you start. Also, you think to yourself…”I’ll just create the smaller zones and leave the big one too…that way I can simply delete the zones I create if something goes wrong and I need to revert my changes.”

Now it comes time for the actual work to be performed. New zones are created to match existing network blocks (let’s say 50 of them or so), and the original 10.in-addr.arpa super zone is left intact. But quick research shows those can be safely ignored, according to some online posts.

“Well, let’s undo what we did and go back to the original 10.in-addr.arpa zone that’s still there!” You then begin to remove all the reverse DNS zones that were created, and a sigh of relief is had by all.

The reverse zones were deleted from the environment; looking at the DNS management console you can see they are gone, AND you can see that the original zone is there. You even have other machines working fine and able to do reverse lookups without a problem. So why are those certain devices and apps not working as expected? You go look in the original reverse DNS zone of 10.in-addr.arpa…and the STATIC reverse DNS entries that correspond to the same devices/apps…are…gone.

“Let’s just restore the original zone file, cycle services, and the records will come back.” Believing you know the correct method of restoring an AD-integrated zone, you then stop the DNS server service on one of the DCs, copy the backup file to C:\Windows\System32\DNS of a DC, rename it accordingly to 10.…DNS and then start up the DNS server service again. Panic temporarily ensues, judgement is clouded, and you cycle DNS services again a few more times. (My customer ended up calling into support at this point and opening up a SEV A case, as multiple services were impacted.) After many hours on the phone, CSS was finally able to get the records that were stored in AD, along with the backup file, to repopulate the original zone file across the DNS servers. From what I gathered, some static entries were also tombstoned at some point in time as well.

Needless to say, I had them walk me through every step they took from beginning to end…and not one mention of someone deleting static records. Yet they swore up and down (literally) that they bloody well vanished, which is why they had to restore the original reverse zone from backup.

Notice that there was only one NS record in the subfolder above?

This means that when those new reverse zones were created to break up the larger one, the DNS server would process lookup requests by following the referral from the delegated subzone record to the NS server listed there, then on to those newer, more specific zones. Once it got to the newer zones, as the static records weren’t there…the reverse lookup fails. Feel free to lab it up on your own and test various scenarios.

Point is, if you have a large super zone for reverse DNS records…leave it alone!

And if you have tons of reverse zones, look to consolidating them following this.
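If you do decide to lab this up, the thing to capture before touching the super zone is exactly what the story above turned on: which PTR records are static (no aging timestamp) and which delegation subfolders exist with how many NS records. The script below is an added example, not code from the original post or from Microsoft; it assumes the DnsServer PowerShell module (RSAT) is installed, that you have rights on the DNS server named in $Server (a placeholder name), and it uses the post's 10.in-addr.arpa zone as the default.

```powershell
# Added example (not from the original post): pre-change inventory of an
# AD-integrated reverse super zone. $Server is a placeholder; $ZoneName is the
# zone from the post. Requires the DnsServer module (RSAT) and DNS admin rights.
param(
    [string]$ZoneName = '10.in-addr.arpa',
    [string]$Server   = 'dc01.corp.example'   # placeholder DNS server name
)

Import-Module DnsServer

# 1. Confirm the zone exists and note whether it is AD-integrated and where it replicates,
#    so the rollback plan matches the zone type (file-based restore is not enough for AD zones).
$zone = Get-DnsServerZone -ComputerName $Server -Name $ZoneName
"{0}: IsDsIntegrated={1} ReplicationScope={2}" -f $zone.ZoneName, $zone.IsDsIntegrated, $zone.ReplicationScope

# 2. Export a file copy of the zone. Export-DnsServerZone writes the file into
#    %systemroot%\System32\dns on the target server.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Export-DnsServerZone -ComputerName $Server -Name $ZoneName -FileName "$ZoneName.$stamp.bak"

# 3. Inventory every PTR, separating static entries (Timestamp empty, never aged or
#    scavenged) from dynamic ones. The static list is what must survive any rollback.
$ptr     = @(Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType Ptr)
$static  = @($ptr | Where-Object { -not $_.Timestamp })
$dynamic = @($ptr | Where-Object { $_.Timestamp })
"PTR records: {0} total, {1} static, {2} dynamic" -f $ptr.Count, $static.Count, $dynamic.Count
$static |
    Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.PtrDomainName } } |
    Export-Csv -NoTypeInformation -Path ".\$ZoneName-static-ptr-$stamp.csv"

# 4. List delegations: NS records whose owner name is not the zone apex ('@').
#    These are the grey subfolders in the console. A delegation that carries a single
#    NS record means every lookup referred into that child zone depends on one server.
$deleg = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType Ns |
    Where-Object { $_.HostName -ne '@' } |
    Group-Object HostName
foreach ($d in $deleg) {
    $ns = ($d.Group | ForEach-Object { $_.RecordData.NameServer }) -join ', '
    "Delegation {0}.{1} -> {2} NS record(s): {3}" -f $d.Name, $ZoneName, $d.Count, $ns
    if ($d.Count -lt 2) { "  WARNING: single NS in delegation {0}" -f $d.Name }
}
```

Run it once before the maintenance window and again after any rollback; diffing the two static-PTR CSVs tells you in seconds whether records "bloody well vanished", instead of having to discover it one broken application at a time.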
