"Tom Linger" <tlinger_at_fuse.net> wrote in message news:E98F7CB-BC97-4FFE-A1DD-...
>I was able to create the subdomain by right-clicking on the dns zone and
>selecting "New Delegation". Unfortunately, I am not able to set
>permissions on the "delegation". The second part of what I need to do is
>to set permissions for the subdomain and allow administrators from another
>office to manage records. How do I do this?
>
>
> Tom
>
The Domain Admins of the child domain have the ability to create the child
zone.
Matter of fact, prior to creating the delegation at the parent site, there
are a couple of things that should have been done. First, if it is, make
sure the parent zone is no longer in the ForestDnsZones partition
(replicated forest wide). If that was just changed, you have to wait for
replication. Then the child zone needs to be created on the child DC/DNS
servers. Then you delegate.
Remember, a delegation is saying the parent zone will ask the child DNS
servers to resolve any queries for the child zone.
But basically the domain admins of the child can already perform the tasks
because the zone exists on THEIR DNS server. Are you asking that you want a
non-child domain admin to perform the task?
Don't forget to configure a forwarder from the child to the parent, and then
the parent to the ISP's DNS server(s) as well as making sure the child DCs,
member servers and clients ONLY use the child DNS servers, not the parent
domain DNS servers.
Here are my notes on delegation. I hope they help.
==================================================================
How to delegate a child domain from the parent
When creating a child domain, you have two DNS design choices regarding
which DNS servers you want to use for the new child domain.
By default, the parent.com zone's Replication scope is set to Domain DNS
Servers. This means it is only available to the parent.com's DC/DNS servers,
and not to any of the child domain's DC/DNS servers. So if you were to set
the child domain DCs to use themselves as DNS, they will not find their own
zone.
To overcome that, you have two parent-child design choices:
1. If you want the parent and child domains to use themselves for DNS,
and to simplify it, you can change the parent.com zone's Replication scope
to Forest DNS Servers. This way the zone will be available to all DC/DNS
servers in the whole forest. The following link shows how to check and/or
change replication scopes, that is if this is the desired design based on
your company's requirements.
How to change replication scopes:
http://technet.microsoft.com/en-us/l.../cc784148.aspx
2. If you want the child domain's admins to have control of their own
resources, including DNS for their own domain, you can delegate the child
zone to the child domain's DC/DNS servers. To do this, you would first
create a child zone on the child domain's DC/DNS servers called
child.parent.com. Then in the parent domain's DNS server, right click
parent.com, choose New Delegation, type in 'child' (without the quotes), and
provide the child domain's DC/DNS servers names and IP addresses. Do not
change the parent zone's Replication scope. Then in the child domain's
DC/DNS servers, configure a forwarder to the parent domain's DC/DNS servers.
The following link has info for you to read up on concerning these steps.
How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain:
http://support.microsoft.com/kb/255248
More specific information regarding how to configure Child domain delegation
and DNS configuration:
Assuming you have the parent AD domain (the forest root) and zone already
created and functional, and you've already run dcpromo on a machine to make
it a child domain DC: when you run dcpromo, you want it to use the forest
root domain's DNS server to simplify things so it will register into a
subfolder (the child zone) under the parent zone.
Make sure the parent DCs are only using their own DNS servers in their IP
properties. If they show the local loopback, 127.0.0.1, which is what
dcpromo puts in there, change it to the actual IP addresses. Do the same
with the child DCs for now, meaning they are using the forest root domain
DCs for DNS for the time being.
Make sure the replication scope on the parent domain's zone, which we'll call
domain.com, is set to Domain wide (the middle button). This puts it in the
DomainDnsZones application partition for the parent domain. If set to Forest
wide (the top button), it will cause a major issue with delegation. This is
because of the delegation design. You don't want the zone forest wide in a
parent-child delegation.
Create a zone on the child domain DC, which we'll call child.domain.com. The
replication scope should be set the same, to its own domain's DomainDnsZones
app partition.
Create reverse zones on the parent for each subnet in the parent domain's
location, and set the replication scope to DomainWide (the middle button).
DO NOT create a delegation for this zone.
Create a reverse zone on the parent for the child domain's location, and set
the replication scope to DomainWide (the middle button). Create a delegation
for this zone to the child.
Make sure the zones all allow updates.
Follow the steps in the following article to create the delegation:
How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain:
http://support.microsoft.com/kb/255248
Make sure you configure a forwarder from the child DNS servers to the parent
DNS, and then from the parent to your ISP's DNS.
Change the DNS IPs on the child DCs to use their own DC's as their DNS
servers.
Since there is more than one domain, it is HIGHLY recommended to have a
minimum of two DCs for each domain. The reason is twofold: one because of
redundancy, the other because of the IM role conflict on a GC in a
multidomain forest. If you are going to have a GC at the child domain,
especially if it is in a remote location, just keep this required rule in
mind. In each domain you will make one of the DCs a GC, and move the
Infrastructure Master role from the GC to the non-GC. This is the functional
basics of domain design and FSMO role placement and the way this specific
role works, or rather doesn't work, when it is on a GC.
==========================
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
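
The delegation procedure in Ace's notes above (replication scope check, child zone, delegation, forwarders, DNS client addresses, Infrastructure Master placement), scripted as an added example. This is not code from the post or from Microsoft's articles; it uses the DnsServer, DnsClient and ActiveDirectory PowerShell modules that ship with RSAT on Windows Server 2012 and later, which postdate the GUI steps the post describes. Every name and address in it is an assumption for illustration: parent zone domain.com on parentdc1/parentdc2 (10.10.0.10/.11), child zone child.domain.com on childdc1/childdc2 (10.20.0.10/.11), child subnet 10.20.0.0/16, and ISP resolvers 203.0.113.53/.54. It assumes dcpromo has already made the child DCs, that the admin host has RSAT DNS and AD DS tools, and that the account has rights in both domains.

```powershell
# Added example, not from the original post. All host names, zone names and IPs are
# assumptions for illustration (see the lead-in); replace them with your own.
$ErrorActionPreference = 'Stop'

$ParentZone   = 'domain.com'
$ChildLabel   = 'child'
$ChildZone    = "$ChildLabel.$ParentZone"
$ParentDns    = [ordered]@{ parentdc1 = '10.10.0.10'; parentdc2 = '10.10.0.11' }
$ChildDns     = [ordered]@{ childdc1  = '10.20.0.10'; childdc2  = '10.20.0.11' }
$ChildSubnet  = '10.20.0.0/16'
$IspResolvers = @('203.0.113.53', '203.0.113.54')   # assumed upstream resolvers
$ParentAdmin  = 'parentdc1'   # parent DC/DNS server that receives the changes
$ChildAdmin   = 'childdc1'    # child DC/DNS server that receives the changes
$ChildIps     = [string[]]@($ChildDns.Values)
$ParentIps    = [string[]]@($ParentDns.Values)

# 1. The parent zone must live in DomainDnsZones ("Domain wide"), not ForestDnsZones.
#    A forest-wide copy would already sit on the child DCs, so they would answer for
#    child.domain.com from the parent's data instead of their own delegated zone.
$pz = Get-DnsServerZone -Name $ParentZone -ComputerName $ParentAdmin
if ($pz.ReplicationScope -ne 'Domain') {
    Write-Warning "$ParentZone scope is '$($pz.ReplicationScope)'; setting it to Domain."
    Set-DnsServerPrimaryZone -Name $ParentZone -ReplicationScope Domain -ComputerName $ParentAdmin
    # Let AD replication converge before delegating, as the post says.
}

# 2. Create the child zone on the child DCs first: domain-wide scope, secure dynamic
#    updates only, so only authenticated domain members can register or overwrite records.
if (-not (Get-DnsServerZone -Name $ChildZone -ComputerName $ChildAdmin -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ChildZone -ReplicationScope Domain -DynamicUpdate Secure `
        -ComputerName $ChildAdmin
}
# Reverse zone for the child's subnet, owned by the child domain (no-op if it exists).
Add-DnsServerPrimaryZone -NetworkId $ChildSubnet -ReplicationScope Domain -DynamicUpdate Secure `
    -ComputerName $ChildAdmin -ErrorAction SilentlyContinue

# 3. Delegate: NS and glue A records in domain.com that tell the parent to send anything
#    under child.domain.com to the child's servers. The first server creates the
#    delegation; additional servers are added as extra NS records plus their glue.
$first = $true
foreach ($ns in $ChildDns.GetEnumerator()) {
    $fqdn = "$($ns.Key).$ChildZone"
    if ($first) {
        Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
            -NameServer $fqdn -IPAddress $ns.Value -ComputerName $ParentAdmin
        $first = $false
    } else {
        Add-DnsServerResourceRecord -ZoneName $ParentZone -Name $ChildLabel -NS `
            -NameServer $fqdn -ComputerName $ParentAdmin
        Add-DnsServerResourceRecord -ZoneName $ParentZone -Name "$($ns.Key).$ChildLabel" -A `
            -IPv4Address $ns.Value -ComputerName $ParentAdmin
    }
}

# 4. Forwarders go up the tree only: child -> parent, parent -> ISP.
#    The parent reaches the child through the delegation, not through a forwarder.
foreach ($srv in $ChildDns.Keys)  { Add-DnsServerForwarder -IPAddress $ParentIps    -ComputerName $srv }
foreach ($srv in $ParentDns.Keys) { Add-DnsServerForwarder -IPAddress $IspResolvers -ComputerName $srv }

# 5. Child DCs use ONLY the child DNS servers, by real IP (dcpromo leaves 127.0.0.1).
Invoke-Command -ComputerName @($ChildDns.Keys) -ArgumentList (,$ChildIps) -ScriptBlock {
    param([string[]]$Servers)
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $Servers
    }
}

# 6. Two DCs per domain, with the Infrastructure Master on a DC that is NOT a GC
#    (if no DC is a GC, or every DC is, the role placement does not matter).
$dcs   = @(Get-ADDomainController -Filter * -Server $ChildAdmin)
$nonGc = $dcs | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -First 1
if ($nonGc -and @($dcs | Where-Object IsGlobalCatalog).Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $nonGc `
        -OperationMasterRole InfrastructureMaster -Confirm:$false
}

# 7. Check from the parent side: the delegation should return the child's NS records,
#    and a child host name should resolve by following the referral.
Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentAdmin -DnsOnly |
    Format-Table Name, Type, NameHost
Resolve-DnsName -Name "childdc1.$ChildZone" -Server $ParentAdmin -DnsOnly |
    Format-Table Name, Type, IPAddress
```

Two points worth checking before running it for real: the scope change in step 1 has to replicate to every DC/DNS server in the forest before the delegation is useful, so in practice you run step 1, wait, then run the rest; and the parent's reverse zones for its own subnets (not shown) are created the same way as step 2 but on the parent, with no delegation, exactly as the notes say. Step 7 is the test that matters: if the parent answers for childdc1 with an A record but the NS query returns nothing, the parent is still authoritative for the child's names (usually a leftover forest-wide copy) and the delegation is being ignored.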