Sub-domain in Active Directory Integrated Zone

Discussion in 'DNS Server' started by Tom Linger, Nov 23, 2009.

  1. Tom Linger

    Tom Linger Guest

    I am looking to create a sub-domain in our Active Directory Integrated zone
    and to delegate management of the dns zone records. How do I create the
    sub-domain dns zone? If I right-click on the existing zone, I do not get
    the ability to create a zone under this zone. The only option that I have
    found so far is to right-click on the server and create a zone there.
     
    Tom Linger, Nov 23, 2009
    #1

  2. Chris Dent

    Chris Dent Guest

    Right click and create a Delegation. If the same server is hosting the
    zone you can also add it as a Primary zone on that server. Otherwise
    point the delegation at the server you want to host the zone.

    Chris
     
    Chris Dent, Nov 23, 2009
    #2

  3. Tom Linger

    Tom Linger Guest

    I was able to create the subdomain by right-clicking on the dns zone and
    selecting "New Delegation". Unfortunately, I am not able to set permissions
    on the "delegation". The second part of what I need to do is to set
    permissions for the subdomain and allow administrators from another office
    to manage records. How do I do this?


    Tom
     
    Tom Linger, Nov 25, 2009
    #3
  4. Ace Fekay [MCT]

    The Domain Admins of the child domain have the ability to create the child
    zone.

    Matter of fact, prior to creating the delegation at the parent site, there
    are a couple of things that should have been done. First, if it is, make
    sure the parent zone is no longer in the ForestDnsZones partition
    (replicated forest wide). If that was just changed, you have to wait for
    replication. Then the child zone needs to be created on the child DC/DNS
    servers. Then you delegate.

    Remember, a delegation is saying the parent zone will ask the child DNS
    servers to resolve any queries for the child zone.

    But basically the domain admins of the child can already perform the tasks
    because the zone exists on THEIR DNS server. Are you asking that you want a
    non-child domain admin to perform the task?

    Don't forget to configure a forwarder from the child to the parent, and then
    the parent to the ISP's DNS server(s) as well as making sure the child DCs,
    member servers and clients ONLY use the child DNS servers, not the parent
    domain DNS servers.

    Here are my notes on delegation. I hope they help.


    ==================================================================
    How to delegate a child domain from the parent

    When creating a child domain, you have two DNS design choices regarding
    which DNS servers you want to use for the new child domain.

    By default, the parent.com zone's Replication scope is set to Domain DNS
    Servers. This means it is only available to the parent.com's DC/DNS servers,
    and not to any of the child domain's DC/DNS servers. So if you were to set
    the child domain DCs to use themselves as DNS, they will not find their own
    zone.

    To overcome that, you have two parent-child design choices:

    1. If you want the DCs in the parent and child domains to use themselves for
    DNS, and to simplify it, you can change the parent.com zone's Replication scope
    to Forest DNS Servers. This way the zone will be available to all DC/DNS
    servers in the whole forest. The following link shows how to check and/or
    change replication scopes, that is if this is the desired design based on
    your company's requirements.

    How to change replication scopes:
    http://technet.microsoft.com/en-us/library/cc784148.aspx

    2. If you want the child domain's admins to have control of their own
    resources, including DNS for their own domain, you can delegate the child
    zone to the child domain's DC/DNS servers. To do this, you would first
    create a child zone under the child zone's DC/DNS servers called
    child.parent.com. Then in the parent domain's DNS server, right click
    parent.com, choose New Delegation, type in 'child' (without the quotes), and
    provide the child domain's DC/DNS servers names and IP addresses. Do not
    change the parent zone's Replication scope. Then in the child domain's
    DC/DNS servers, configure a forwarder to the parent domain's DC/DNS servers.
    The following link has info for you to read up on concerning these steps.

    How To Create a Child Domain in Active Directory and Delegate the DNS
    Namespace to the Child Domain:
    http://support.microsoft.com/kb/255248

    More specific information regarding how to configure Child domain delegation
    and DNS configuration:

    Assuming you have the parent AD domain (the forest root) and zone already
    created and functional, and you've already run dcpromo on a machine to make
    it a child domain DC. When you run dcpromo, you want it to use the forest
    root domain's DNS server to simplify things so it will register into a
    subfolder (the child zone) under the parent zone.

    Make sure the parent DCs are only using their own DNS servers in their IP
    properties. If they show the local loopback, 127.0.0.1, which is what
    dcpromo puts in there, change it to the actual IP addresses. Do the same
    with the child DCs for now, meaning they are using the forest root domain
    DCs for DNS for the time being.

    Make sure the replication scope on the parent domain's zone, which we'll call
    domain.com, is set to Domain wide (the middle button). This puts it in the
    DomainDnsZones application partition for the parent domain. If set to Forest
    wide (the top button), it will cause a major issue with delegation. This is
    because of the delegation design. You don't want the zone forest wide in a
    parent-child delegation.

    Create a zone on the child domain DC, which we'll call child.domain.com. The
    replication scope should be set the same, to its own domain's DomainDnsZones
    app partition.

    Create a reverse zone on the parent for each subnet in the parent domain's
    location, and set the replication scope to DomainWide (the middle button).
    DO NOT create a delegation for this zone.

    Create a reverse zone on the parent for the child domain's location, and set
    the replication scope to DomainWide (the middle button). Create a delegation
    for this zone to the child.

    Make sure the zones all allow updates.

    Follow the steps in the following article to create the delegation:
    How To Create a Child Domain in Active Directory and Delegate the DNS
    Namespace to the Child Domain:
    http://support.microsoft.com/kb/255248

    Make sure you configure a forwarder from the child DNS servers to the parent
    DNS, and then from the parent to your ISP's DNS.

    Change the DNS IPs on the child DCs to use their own DCs as their DNS
    servers.

    Since there is more than one domain, it is HIGHLY recommended to have a
    minimum of two DCs for each domain. The reason is twofold: one because of
    redundancy, the other because of the IM role conflict on a GC in a
    multidomain forest. If you are going to have a GC at the child domain,
    especially if it is in a remote location, just keep this required rule in
    mind. In each domain you will make one of the DCs a GC, and move the
    Infrastructure Master role from the GC to the non-GC. These are the
    functional basics of domain design and FSMO role placement, and the way this
    specific role works, or rather doesn't work, when it is a GC.
    ==========================

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
    2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Nov 25, 2009
    #4
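The procedure in Ace's notes above (design choice 2: a domain-wide parent zone, a child zone hosted on the child's own DC/DNS servers, a delegation in the parent, forwarders chained child to parent to ISP, and child DCs pointing only at child DNS) as a script. This is an added example, not code from the thread or from any poster; it assumes Windows Server 2012 or later with the DnsServer and DnsClient PowerShell modules (RSAT) on the workstation that runs it, which did not exist when the thread was written, when the same steps were done in dnsmgmt.msc or with dnscmd.exe. All host names, addresses and the adapter alias are constructed placeholders.

```powershell
# Added example (not from the thread). Scripts the parent-child delegation that
# Ace describes, using the DnsServer/DnsClient modules against both sides from
# one admin workstation. Every name and address below is a constructed placeholder.

$ParentZone = 'domain.com'
$ChildLabel = 'child'
$ChildZone  = "$ChildLabel.$ParentZone"
$ParentDc   = [ordered]@{ 'dc1.domain.com' = '10.0.0.10'; 'dc2.domain.com' = '10.0.0.11' }
$ChildDc    = [ordered]@{ 'dc1.child.domain.com' = '10.1.0.10'; 'dc2.child.domain.com' = '10.1.0.11' }
$IspDns     = @('198.51.100.53')   # ISP resolver; RFC 5737 documentation address

$ParentHost = @($ParentDc.Keys)[0]
$ChildHost  = @($ChildDc.Keys)[0]

# Step 1 (parent): the parent zone must replicate domain-wide (DomainDnsZones),
# not forest-wide; otherwise the child DCs hold a copy of domain.com that hides
# the delegation. A scope change must replicate before anything else is done.
$zone = Get-DnsServerZone -ComputerName $ParentHost -Name $ParentZone
if ($zone.ReplicationScope -eq 'Forest') {
    Set-DnsServerPrimaryZone -ComputerName $ParentHost -Name $ParentZone -ReplicationScope Domain
    Write-Warning "Scope of $ParentZone changed to Domain; wait for AD replication, then rerun."
    return
}

# Step 2 (child): create child.domain.com as an AD-integrated zone in the child
# domain's own DomainDnsZones partition. Secure dynamic updates only, so that
# domain-joined DCs and clients can register but unauthenticated hosts cannot
# overwrite records. The zone must exist here before the parent delegates to it.
if (-not (Get-DnsServerZone -ComputerName $ChildHost -Name $ChildZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $ChildHost -Name $ChildZone `
        -ReplicationScope Domain -DynamicUpdate Secure
}

# Step 3 (parent): delegate 'child' to the child DNS servers. The NS names and
# glue addresses are paired by position, so both arrays are built from one order.
$nsNames = @($ChildDc.Keys)
$nsAddrs = @($nsNames | ForEach-Object { $ChildDc[$_] })
Add-DnsServerZoneDelegation -ComputerName $ParentHost -Name $ParentZone `
    -ChildZoneName $ChildLabel -NameServer $nsNames -IPAddress $nsAddrs

# Step 4: forwarders chain child -> parent -> ISP, as the notes describe.
Set-DnsServerForwarder -ComputerName $ChildHost  -IPAddress @($ParentDc.Values)
Set-DnsServerForwarder -ComputerName $ParentHost -IPAddress $IspDns

# Step 5: every child DC uses only the child DNS servers, never the parent's.
# 'Ethernet' is an assumed adapter alias; confirm it with Get-NetAdapter first.
foreach ($dc in $ChildDc.Keys) {
    $cim = New-CimSession -ComputerName $dc
    Set-DnsClientServerAddress -CimSession $cim -InterfaceAlias 'Ethernet' `
        -ServerAddresses @($ChildDc.Values)
    Remove-CimSession $cim
}

# Step 6: verify from the parent's DNS that the delegation hands the child zone
# to the child servers, and that a record registered there resolves through it.
Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentDc[$ParentHost]
Resolve-DnsName -Name $ChildHost -Type A  -Server $ParentDc[$ParentHost]
```

After this runs, the only records for the child that live in the parent zone are the NS and glue A records of the delegation, which is why Tom could not set permissions on the "delegation" object itself. The records the other office needs to manage are in child.domain.com on the child's own DNS servers, where, as Ace points out, the child domain's administrators already have the rights to manage them.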