
how-to on DNS delegation?


Per-Torben

Apr 16, 2007, 8:38:01 AM
Hello.

We have a network infrastructure. Multiple domains, multiple sites and
multiple DCs in every domain. All DCs are GCs.

Our main forest, company.local, hosts the DNS for the entire forest as one
big AD-integrated zone. The domains are
company.local
one.company.local
two.company.local
three.company.local

I'm thinking about delegating the dns zones to their respective domain as it
seems to me to be more logical and easier to manage. What I haven't found yet
is a how-to on this so I do this in the correct order.

1.
Afaik I can't delegate a domain that's already hosted, so if I try to make a
delegation of "one.company.local", I will get a message saying that I can't
delegate it since it exists already. How do I work around that?


2.
If I delegate those subdomains as so. Will clients in another forest be able
to forward queries to company.local and still resolve hosts in
one.company.local? Without having forwarders from company.local to
one.company.local

3.
After we bought some other companies and merged them to us we have a few
other forests that we still need some access to. Would conditional forwarding
be the best way to solve this?

4.
What's the best practice regarding break-out points? I thought about having
all domains forward queries to company.local and let company.local forward
to external DNS. Any comments to that?

This involves several hundred users so I wanna be 100% sure before I change
anything.


Thank you all in advance
--
regards
Per-Torben Sørensen

Ace Fekay [MVP]

Apr 17, 2007, 5:29:50 PM
In news:5C6E9A24-6394-4C9C...@microsoft.com,
Per-Torben <PerT...@discussions.microsoft.com> typed:


Basically:
To create a delegation, you rt-click your parent domain name in
the parent DNS server. If it's called domain.com, then rt-click on it and
choose new delegation. Then type in the child domain's name, such as child1.
Then in the bottom of the wizard it will show it prefixing the name, such as
child1.domain.com. Then in the next screen type in the IP address of the DNS
server that will host the child zone in the child domain. Make absolutely
sure that the child1.domain.com DOES NOT EXIST as a separate zone in the
parent DNS. If done properly, it will show up as a grayed out folder UNDER
the domain.com zone. If you click on it, the only thing that will show up is
the nameserver name and IP of the child DNS server.

Then in the child DNS server, configure a forwarder to the parent DNS
server.

That's it!

You can take this a step further and configure a forwarder from the parent
DNS to your ISP's DNS for internet resolution.

If you have another child, such as child2.domain.com, and configured in the
same fashion as above, then you will have forest wide resolution. If a
client in child1.domain.com needs to access something by FQDN in
child2.domain.com, the query is sent to its respective DNS, it won't have
the answer, so then it's forwarded to the parent, but the parent doesn't
have the answer either, but it does have a reference to who does (due to the
delegation), then the request is sent to the child2.domain.com's DNS server.

To access the resource by a computer's NetBIOS name, then we'll need to
configure multiple search suffixes on each client so it will append the
proper suffix for the query. There are scripts to help do this.

Delegation is outlined right here:

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248

(Delegation and Forwarding) - Directing queries through forwarders and
delegation:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_DirectingQueriesThroughForwarders.asp

If you are trying to delegate one that already exists, yes it will argue
with you. I would create the zone on the child DNS server, transfer the zone
using the old-fashioned method of zone transfer, then delete it from the
parent, then delegate again. Remember, when delegating, it is saying GO
ELSEWHERE to get the zone, so it cannot exist on the delegating server
anyway.

Clients in other forests will only need their DNS to have a conditional
forward to your forest root DNS, nothing else. Let the forest root DNS
handle the recursion and devolution by the delegation you had already
created.

I don't know what you mean by Break-Out point (other than rack em up and
I'll give you the 6 ball). But if you are concerned on how to allow internet
resolution, use the current forwarding I showed above in my "basically"
section. Let the forest root handle the ISP forwarding by setting an "All
Others" forwarding to the ISP.

I hope that makes sense. This is a proven method that we have working in
multiple client sites. You can also use Stub zones, but we like the
delegation/forwarding method for ease of administration and explaining it to
current IT admins at our client sites.


--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations



Per-Torben

Apr 18, 2007, 2:16:01 AM
Thank you very much for the reply. However:
"Make absolutely sure that the child1.domain.com DOES NOT EXIST as a
separate zone in the
parent DNS"

That's part of the problem. child1, child2 and child3 all exist as
subdomains in the parent DNS zone. I can't delegate since it already exists,
and I don't dare delete it and reconstruct it. It looks a little something
like this:

Forward lookup zones
|
_msdcs.domain.local
|
(some stub zones)
|
domain.local
|
_sites
|
_tcp
|
_ForestDnsZones
|
_child1
|
_child2
|
_child3

--
regards
Per-Torben Sørensen

Ace Fekay [MVP]

Apr 18, 2007, 10:16:20 PM
In news:EABB4B4B-400A-4F9C...@microsoft.com,
Per-Torben <PerT...@discussions.microsoft.com> typed:

> thank you very much for the reply. However
> "Make absolutely sure that the child1.domain.com DOES NOT EXIST as a
> separate zone in the
> parent DNS"
>
> That's part of the problem. child1,child2 and child 3 all exists as
> subdomains in the parent DNS zone. I can't delegate since it already
> exists, and I don't dare delete it and reconstruct it. It looks a
> little something like this:
>
> Forward lookup zones
> |
> _msdcs.domain.local
> |
> (some stub zones)
> |
> domain.local
> |
> _sites
> |
> _tcp
> |
> _ForestDnsZones
> |
> _child1
> |
> _child2
> |
> _child3

Of course delegation won't work, they exist on the server and you are
telling the server to go elsewhere to recurse that zone. As I mentioned, you
must delete them.

Before you delete them, make sure you do a zone transfer (a good old-fashioned
zone transfer) to the child domain DNS. Once there, make it AD integrated
but set the replication scope to ONLY that domain, and NOT the forest. Once
that is done, then DELETE THE ZONE FROM THE PARENT.

That is a MUST. Once you've checked that the zone now exists only in the
parent DNS, then you MUST delete that zone in the parent.

Then do the delegation.

Ace
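Ace's two replies together give one order of operations: get the zone onto the child DNS first, then delete it from the parent, then delegate, then forward from child to parent and from the parent alone to the ISP. The script below is an added example that walks that order with the DnsServer PowerShell module (Windows Server 2012 and later, which this 2007 thread predates); it is not code from the thread or from Microsoft. The server names, IP addresses and the one.company.local zone are constructed, and because the poster's child domains are subdomain nodes inside company.local rather than separate zones, it copies the records instead of using the zone transfer Ace mentions.

```powershell
# Added example, not code from the thread: the order Ace gives (zone on the child
# DNS first, then delete from the parent, then delegate, then forward), scripted
# with the DnsServer module of Windows Server 2012+, which this 2007 thread predates.
# Constructed/assumed: parent zone company.local on dc1.company.local (10.0.0.10);
# child DC dc1.one.company.local (10.0.1.10) will own one.company.local, which
# today exists only as the subdomain node "one" inside company.local, as in the
# poster's tree. A subdomain node cannot be zone-transferred on its own, so the A
# records are copied one by one; the child DCs' SRV records come back via Netlogon.
$Parent   = 'dc1.company.local';     $ParentIp = '10.0.0.10'
$ChildDns = 'dc1.one.company.local'; $ChildIp  = '10.0.1.10'
$Zone = 'company.local'; $Child = 'one'; $ChildZone = "$Child.$Zone"

# 1. New zone on the child DC: AD-integrated, replication scope = this domain only.
Add-DnsServerPrimaryZone -ComputerName $ChildDns -Name $ChildZone `
    -ReplicationScope Domain -DynamicUpdate Secure

# 2. Copy the A records under the "one" node (without -Node the cmdlet returns the
#    node and all its children), re-rooting "host.one" to "host" in the new zone.
$oldRecords = Get-DnsServerResourceRecord -ComputerName $Parent -ZoneName $Zone -Name $Child
foreach ($rr in ($oldRecords | Where-Object RecordType -eq 'A')) {
    $name = $rr.HostName -replace "\.?$Child`$", ''
    if (-not $name) { $name = '@' }
    Add-DnsServerResourceRecordA -ComputerName $ChildDns -ZoneName $ChildZone `
        -Name $name -IPv4Address $rr.RecordData.IPv4Address
}

# 3. The child must answer for its own hosts before the parent loses the data.
Resolve-DnsName -Name "dc1.$ChildZone" -Server $ChildIp -Type A -ErrorAction Stop | Out-Null

# 4. Only now delete the node from the parent: a delegation means "go elsewhere",
#    so the same names cannot remain inside company.local.
$oldRecords | Remove-DnsServerResourceRecord -ComputerName $Parent -ZoneName $Zone -Force

# 5. Delegate one.company.local to the child DC (the grayed-out folder in the GUI).
Add-DnsServerZoneDelegation -ComputerName $Parent -Name $Zone -ChildZoneName $Child `
    -NameServer $ChildDns -IPAddress $ChildIp

# 6. Child forwards everything it is not authoritative for to the parent; only the
#    forest root forwards to the ISP, so a single server talks to the outside.
Add-DnsServerForwarder -ComputerName $ChildDns -IPAddress $ParentIp
Add-DnsServerForwarder -ComputerName $Parent   -IPAddress '198.51.100.53'   # ISP resolver (placeholder)

# 7. Check the path the thread describes: the parent answers for a child host only
#    through the delegation; the "one" node should now hold just the NS and glue records.
Resolve-DnsName -Name "dc1.$ChildZone" -Server $ParentIp -Type A
Get-DnsServerResourceRecord -ComputerName $Parent -ZoneName $Zone -Name $Child
# On each child DC, re-register its SRV/A records into the new zone: nltest /dsregdns
```

Run step 3 against every host you care about, not just one, before step 4: once the node is deleted from the parent, the child zone is the only copy of that data.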
