If you have any subnets other than a Class C in the environment, Subnet Priortization may not work as expected due to this reason. I included a separate section explaining this in further detail, and how to set a DNS server to take this into acccount, which of course must be set on all DNS servers in the environment.
DNS and Subnet Priortization & DNS Round Robin – Which one Supercedes?
This has been a question that arises from time to time. I thought to provide some information on how it works to understand what is at play with these two DNS features.
Preface on Subnet Priortization and Round Robin:
Subnet priortization works by default. No other action is required. If you have multiple identical A records, then Round Robin will supercede.
If Round Robin is not needed, it can be disabled in order to take full advantage of Subnet Priortization, otherwise, Round Robin will superceded.
In scenarios involving ISA Enterprise, because ISA Enterprise is AD enabled, you can either publish the ISA records in AD, and if AD SItes are configured, the client site will be used first by the AD client side extension disregarding Round Robin and Subnet Priortization, unless there were multiple records in each AD Site.
Some have asked regarding if an ISA Array will work. It is possible to configure an ISA Array with multiple ISA Enterprise servers which will share their web cache, however this will nothelp Subnet Priortization or Round Robin, since the Array is considered as a single logical entity and published as such.
Nslookup is a good tool to test Round Robin, and will give you a general response purely based on DNS, but the results are as expected in a non-AD Site scenario, since it can’t test AD Sites responses.
You can also create an IE GPO for each Site. In the GPO, you would state the Proxy address for them to use.
Subnet Priortization and Round Robin Logic:
Keep in mind, Subnet Priortization and Round Robin work hand in hand, however, not necessarily so if an AD Site aware service is querying (such as the client side GetDcList function). If there are more than on in the same subnet, Round Robin will kick in, which DNS performs.
If there are more than one record, DNS will re-order the response with an IP that is in the same client subnet.
However, if Round Robin and Subnet Priortization is enabled, Round Robin wins.
If you do not want this default action to occur, that is you want to use Subnet Priortization, and AD Sites are not involved, you will need to disable Round Robin, otherwise, if both Round Robin and Subnet Prioritization are enabled, the server rotates among the A resource records. You may wish to check how it works if you disable the round robin if you have multiple separate subnets and you want a client to respond to a subnet closest to it’s own subnet.
The following passage on the specific logic was quoted from:
Configuring Subnet Prioritization
- If Enable round robin is selected (the default) and the value of LocalNetPriority is 1:
- The server rotates among the A resource records that it returns in the order of their similarity to the IP address of the querying client.
- If Enable round robin is deselected and the value of LocalNetPriority is 1:
- The server returns the records in local net priority order. It does not rotate among available addresses.
- If Enable round robin is selected and the value of LocalNetPriority is 0 (the default):
- The server rotates among the available records in the order in which the records were added to the database.
- If Enable round robin is deselected and the value of LocalNetPriority is 0 (the default):
- The server returns the records in the order in which they were added to the database. The server does not attempt to sort them or rotate the records it returns.
Subnet Priortization and Round Robin Example:
The following example was quoted from:
Configuring IP Addressing and Name Resolution
For example, suppose there are three Web servers that all host the Web
page for www.reskit.com and they are all located on different subnets.
The DNS name server for the network contains the following resource records:
When a Windows XP Professional–based
computer’s DNS resolver (client) receives a response to the query for
the A record of www.reskit.com, it returns A records in order,
starting with the IP addresses from subnets to which the computer is
For example, if a computer with the IP address
172.17.64.93 is queried for www.reskit.com, the resolver returns the
resource records in the following order:
Subnet prioritization prevents the
resolver from choosing the first IP address returned in the DNS query
and using the DNS server’s round robin feature (defined in RFC 1794.)
With round robin enabled, the server rotates the order of resource
records returned when multiple A resource records exist for a queried
DNS domain name.
Thus, in the example described earlier, if a user
queried for www.reskit.com, the name server replies to the first
client request by ordering the addresses as follows:
It replies to the second client request by ordering the addresses as follows:
It replies to the third client request by ordering the addresses as follows:
With round robin enabled, if clients are configured to use the first
IP address in the list that they receive, different clients will use
different IP addresses, thus balancing the load among multiple network
resources with the same name. However, if the resolvers are configured
for subnet prioritization, the resolvers reorder the list to favor IP
addresses from networks to which they are directly connected, reducing
the effectiveness of the round robin feature.
Although subnet prioritization does reduce network traffic across
subnets, in some cases you might prefer to have the round robin
feature work as described in RFC 1794. If so, you can disable the
subnet prioritization feature on your clients by adding the registry
entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in
the following registry subkey:
Windows 2003 and newer Operating Systems Subnet Priortization Feature Defaults to a Class C Subnet
Yep, that’s correct! We need to note and keep in mind, Windows 2003 and newer, will automatically assume it’s a Class C subnet, well more accurately, it’s set by default to look for a Class C subnet. If the environment is anything other than a Class C, all DNS servers must be configured with the correct mask used.
The process involves understanding a little binary math. We need to take into account by defining the Hosts part of the mask that is relative for netmask ordering for the subnet in the environment, otherwise DNS will not reorder it correctly and expected results will be incorrect when testing the feature.
This can be accomplished with the DNSCMD command.
For example, using DNSCMD to set the default settings for a 255.255.255.0 subnet, is:
Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF
For anything other than a Class C, we need to alter the “/LocalNetPriorityNetMask” value to the environment’s subnet.
The last two characters in the value used for a Class C subnet (“0x000000FF”) is “FF.” This indicates the number of hosts bits (opposite of what some may think when looking at a mask in binary). Therefore the last two digits in the value is actually Hex. Hex FF, converted to Binary, is actually equal to 1111 1111, which is equal to “FF” in Hex.
Taking that into account, we can view a simple table with the base Class subnets:
For the base Classes, the values are:
To set it for something other than the default classes, such as for example a /22 (255.255.252.0 or 11111111.11111111.11111100.00000000), we see there are 10 bits for the hosts. Now change only the 0’s to 1’s and you get 1111111111. Convert that to hex, and you get 3FF. Therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF
Another example, if you have a /27 (255.255.255.224 or 11111111.11111111.11111111.11100000), convert the 0’s to 1’s –> 11111, convert that as a binary number to Hex, and we get 1F, therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x0000001F
Keep in mind, whatever the setting is, it MUST be set on ALL DNS servers in the environment.
Table: NetMasks broken down by CIDR to the necessary LocalPriorityNet Value
Note: Of course, some of the values can’t be used in the table, but I created the table to show all possible binary values.
NetMask Binary CIDR Comments LocalPriorityNet Value
255.255.255.255 11111111.11111111.11111111.11111111 /32 Host (single addr) 0x00000000
255.255.255.254 11111111.11111111.11111111.11111110 /31 Unuseable 0x00000001
255.255.255.252 11111111.11111111.11111111.11111100 /30 2 useable 0x00000003
255.255.255.248 11111111.11111111.11111111.11111000 /29 6 useable 0x00000007
255.255.255.240 11111111.11111111.11111111.11110000 /28 14 useable 0x0000000F
255.255.255.224 11111111.11111111.11111111.11100000 /27 30 useable 0x0000001F
255.255.255.192 11111111.11111111.11111111.11000000 /26 62 useable 0x0000003F
255.255.255.128 11111111.11111111.11111111.10000000 /25 126 useable 0x0000007F
255.255.255.0 11111111.11111111.11111111.00000000 /24 “Class C” 254 useable 0x000000ff
255.255.254.0 11111111.11111111.11111110.00000000 /23 2 Class C’s 0x000001FF
255.255.252.0 11111111.11111111.11111100.00000000 /22 4 Class C’s 0x000003FF
255.255.248.0 11111111.11111111.11111000.00000000 /21 8 Class C’s 0x000007FF
255.255.240.0 11111111.11111111.11110000.00000000 /20 16 Class C’s 0x00000FFF
255.255.224.0 11111111.11111111.11100000.00000000 /19 32 Class C’s 0x00001FFF
255.255.192.0 11111111.11111111.11000000.00000000 /18 64 Class C’s 0x00003FFF
255.255.128.0 11111111.11111111.10000000.00000000 /17 128 Class C’s 0x00007FFF
255.255.0.0 11111111.11111111.00000000.00000000 /16 “Class B” 0x0000ffff
255.254.0.0 11111111.11111110.00000000.00000000 /15 2 Class B’s 0x0001FFFF
255.252.0.0 11111111.11111100.00000000.00000000 /14 4 Class B’s 0x0003FFFF
255.248.0.0 11111111.11111000.00000000.00000000 /13 8 Class B’s 0x0007FFFF
255.240.0.0 11111111.11110000.00000000.00000000 /12 16 Class B’s 0x000FFFFF
255.224.0.0 11111111.11100000.00000000.00000000 /11 32 Class B’s 0x001FFFFF
255.192.0.0 11111111.11000000.00000000.00000000 /10 64 Class B’s 0x003FFFFF
255.128.0.0 11111111.10000000.00000000.00000000 /9 128 Class B’s 0x007FFFFF
255.0.0.0 11111111.00000000.00000000.00000000 /8 “Class A” 0x00ffffff
254.0.0.0 11111110.00000000.00000000.00000000 /7 0x01FFFFFF
252.0.0.0 11111100.00000000.00000000.00000000 /6 0x03FFFFFF
248.0.0.0 11111000.00000000.00000000.00000000 /5 0x07FFFFFF
240.0.0.0 11110000.00000000.00000000.00000000 /4 0x0FFFFFFF
126.96.36.199 11100000.00000000.00000000.00000000 /3 0x1FFFFFFF
192.0.0.0 11000000.00000000.00000000.00000000 /2 0x3FFFFFFF
188.8.131.52 10000000.00000000.00000000.00000000 /1 0x7FFFFFFF
0.0.0.0 00000000.00000000.00000000.00000000 /0 IP subnet definition 0xFFFFFFFF
You can use the Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF Dnscmd.exe command to restore Windows Server 2003 settings to the default settings.
More info on this value and setting:
Description of the netmask ordering feature and the round robin feature in Windows Server 2003 DNS
Windows Vista, Windows 7 and Windows 2008 Behave Differently Compared to Older Operating Systems
Windows Vista, Windows 7 and Windows 2008 behaves a bit differently, than XP or 2000. With Windows Vista, Windows 7 and Windows 2008 and Windows 2008 R2, it changes the way it handles Subnet Priortization a bit. Here’s more info, and keep in mind in mind it doesn’t mention Windows 7 or WIndows 2008 R2 directly, unless Microsoft updates the KB, but it applies to Windows 7 and WIndows 2008 R2 and future operating systems:
Windows Vista and Windows Server 2008 DNS clients do not honor DNS round robin by default
Please check the following registry entry. This key with a value of 1, will disable NetMaskOrdering. Is it enabled?
DWORD = OverrideDefaultAddressSelection
Value data: = 1
DNS Round Robin and Destination IP address selection (talks about differences with Vista and 2008 non R2)
However, AD Sites should prevail in an AD environment. An AD client’s GetDcList functions will use Sites to determine which DC or GC to communicate with.
Set the registry entry to 0 and the newer operating systems will behave like the older operating systems. If you leave the entry blank, such as the default with no entry, it results in the same effect as an entry equal to 1, that means no subnet mask preference.
To see the subnet mask ordering work on a Windows 7 client, you need to set up the following entry :
DWORD = OverrideDefaultAddressSelection
Value data: = 0
If Active Directory Sites Are Involved with AD Aware Services:
AD Sites provide two basic things: Logon & Authentication control to
limit the auth request to only a GC/DC in it’s own site, and
replication traffic control between Sites. Replication is compressed
in Site to Site communications. Good for the WAN link. AD enabled apps
also use AD Sites.
You would first create a new Site giving it a unique Site Name. Then
create an IP Subnet Object that represents the subnet or subnets of
the location (you may and can create multiple IP SUbnet Objects if
needed), then associate the IP Subnet to the Site Name.
In the Site link, you will notice the default replication period is 3
hours. You can chop that down to as low as 15 minutes. You can’t go
lower, because that is the max time allotted for all DCs within a site
to be able to replicate changes between each other. If DCs are added,
the KCC jumps in and re-evaluates the intra site connection objects
between DCs to optimize and keep within the 15 minute alotment.
A standalone would rely simply on DNS’ ability to provide responses
either as Subnet prioritized, or Round Robin.
However, with AD Sites, and this works for AD enabled services and
entities (such as Exchange, client machines, etc). So AD aware apps
and services adds an extra twist and can be used to your advantage.
That was why I was asking if you are using ISA. ISA can be published
into AD, and set by GPO. This way a client in SiteA will always use
the ISA in SiteA.
However, if standalone servers are in use, and you can disable Round Robin.
Thank you!!! Source: http://msmvps.com/blogs/acefekay/archive/2010/05/29/dns-and-subnet-priortization-amp-dns-round-robin.aspx
You need to enable this individually on each domain controller. This setting is not replicated. I pushed this setting via GPO using the corresponding registry entries:
^ DWORD; Value: 0×00000001 (decimal 1)
^ DWORD; Value: 0x0000ffff (decimal 65535) — for /16 subnet; use 0x00ffffff for /8 or 0x000000ff for /24, etc.