Delegate DNS subdomain administration to an Active Directory user

    Question

  • Hi,

       Is it possible to set an Active Directory user as administrator of a DNS subdomain, but without permissions in the father domain?

    Regards,

    Moses.

    Wednesday, September 25, 2013 3:09 PM

Answers

  • Hi,

    Looks like I was wrong about DNS resolution because, recreating the environment, I can resolve DNS names in both zones. Maybe I accidentally created each zone in a different DNS server or missed something.

    Right now I am testing again with a final environment. The issue can be set as solved. If I find any problems I will write again with the information that Marcin asked for.

    Thank you for your time and patience.

    Moses.

    Tuesday, October 01, 2013 6:41 AM
  • As long as all zones are hosted on the same group of DNS servers, this means that these servers are authoritative for their resolution - so what you are seeing now is expected

    hth
    Marcin

    Tuesday, October 01, 2013 10:57 AM
  • Thank you Ace, but I think it is not so complicated; besides, when delegating subdomains I cannot change the admin user of the subdomain, which is needed, and all DNS servers should have all subdomains.

    As I wrote to Amy, I missed something or made something wrong, so the DNS resolution between zones in the same DNS server works; with separate zones I can change the administrator for that zone.

    Thank you again,

    Moses.

    I'm not sure what you mean by, "...resolution between zones in the same DNS server works," because I would expect that a DNS server would respond to queries for whatever zones a specific DNS server is authoritative for (that it hosts). If a delegation, you're simply telling DNS that it does not host the zone, but another DNS server is and to send the query to that one to resolve it.

    If you have access and admin rights on the delegated server, and if the zone is AD integrated, then you can adjust permissions on it.

    Standard Primary zones do not have security settings other than protecting the zone file in the system32\dns folder.

    But as Marcin said and that I agree with, what you're seeing is expected and default behavior.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, October 02, 2013 2:41 PM

All replies

  • Are you referring to permissions of DNS zones? If so, this is possible under two conditions:

    - the DNS subdomain is implemented as a separate DNS zone

    - the DNS zone is AD integrated

    hth
    Marcin

    Wednesday, September 25, 2013 3:20 PM
  • This is what I mean:

    test.domain

         '----> first.test.domain

         '----> second.test.domain

     test.domain is AD integrated. I want to set the user "test1" (for example) to have permissions in first.test.domain but not in test.domain or second.test.domain. Is this possible? In that case, how?

    Thanks,

    Moses.

    Wednesday, September 25, 2013 4:28 PM
  • No - as long as this is a single zone.

    You would need to create a separate zone for first.test.domain

    hth
    Marcin


    Wednesday, September 25, 2013 5:27 PM
  • Ok, I created a separate zone for first.test.domain, but machines in test.domain can resolve DNS entries from first.test.domain. Is that normal? Can I solve it?

    Regards,

    Moses.

    Wednesday, September 25, 2013 5:44 PM
  • Yes - that is expected. This will be the case as long as the DNS server the computers are pointing to is authoritative for both zones.

    What exactly do you want to accomplish? It does not look like what you stated in your original question is your only objective

    hth
    Marcin

    Wednesday, September 25, 2013 5:51 PM
  • Let's see... I have a domain test.domain with several subdomains like first.test.domain, etc. Each subdomain is a separate organization in the whole picture. Each organization has an administrator. Then, I want to delegate the subdomain administration to each organization administrator, but everybody needs to resolve machine names for the entire configuration.

    Problem? If I create a subdomain inside test.domain I can't change the admin user for that subdomain. On the other hand, if I create a separate zone for first.test.domain the machines in test.domain "can't" (I missed the 't in my previous post) resolve machines in first.test.domain.

    Conclusion: I want to delegate separate domains (different zones or subdomains, I don't care) to different administrators, and everybody has to be able to resolve machines in all of them. Is this possible???

    Thank you for your involvement.

    Moses.

    Thursday, September 26, 2013 11:21 AM
  • Then follow the approach I described earlier. Create a separate zone for each subdomain. Delegate permissions on per zone basis

    hth
    Marcin

    Thursday, September 26, 2013 11:27 AM
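Marcin's approach (one AD-integrated zone per subdomain, permissions granted per zone) as a worked PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes a DC/DNS server with the DnsServer and ActiveDirectory modules, an AD domain test.domain (DN DC=test,DC=domain), a user TEST\test1 as the subdomain administrator, and that the zone is stored in the DomainDnsZones partition (where -ReplicationScope Domain puts it; a "Legacy" scope zone would sit under CN=System,CN=MicrosoftDNS in the domain partition instead).

```powershell
# Added example (not from the thread): create first.test.domain as its own
# AD-integrated zone and grant one user rights on that zone object only.
# Assumed environment: DC/DNS server in domain test.domain, user TEST\test1.
Import-Module DnsServer
Import-Module ActiveDirectory

$childZone  = 'first.test.domain'
$parentZone = 'test.domain'
$delegate   = 'TEST\test1'

# 1. Separate zone in the DomainDnsZones application partition, so every
#    DC/DNS server in the domain hosts it and stays authoritative for it.
#    Secure dynamic update keeps record registration to authenticated accounts.
if (-not (Get-DnsServerZone -Name $childZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $childZone -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. An AD-integrated zone's permissions are the ACL of its dnsZone object.
#    With -ReplicationScope Domain the object is under CN=MicrosoftDNS in
#    DC=DomainDnsZones,<domain DN> (assumption stated in the lead-in).
$domainDN = (Get-ADDomain).DistinguishedName
$zoneDN   = "CN=$childZone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"

$acl  = Get-Acl -Path "AD:\$zoneDN"
$sid  = (Get-ADUser -Identity 'test1').SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # inherit to the dnsNode records
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$zoneDN" -AclObject $acl

# 3. Verify least privilege: the delegate shows up on the child zone's ACL
#    and has no explicit entry on the parent zone's ACL.
function Get-ZoneAcesFor {
    param([string]$ZoneName, [string]$Identity)
    $dn = "CN=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}
"--- $childZone ---";  Get-ZoneAcesFor -ZoneName $childZone  -Identity $delegate
"--- $parentZone ---"; Get-ZoneAcesFor -ZoneName $parentZone -Identity $delegate   # expected: no rows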
  • I have created a separate zone for test.domain and first.test.domain. Hosts in test.domain cannot resolve DNS entries in first.test.domain. I would like a host in test.domain to be able to resolve host names in other zones, and the same for hosts in first.test.domain. I couldn't find the way to perform this. Any idea?

    With separated zones I can set the permissions that I have been looking for, but then lose the DNS resolution for hosts in different zones.

    Thank you.

    Moses.

    Friday, September 27, 2013 7:15 AM
  • Did you create both zones on the same DNS server? Are they both AD integrated with the same replication scope? Does the host in test.domain that cannot resolve DNS entries in first.test.domain point to the domain controller where you made the changes as its primary DNS server?

    Post the output of:

    dnscmd /enumzones from the domain controller where you created the zones

    IPCONFIG /ALL from the domain controller where you created the zones

    IPCONFIG /ALL from the host in test.domain that cannot resolve dns entries in first.test.domain

    hth
    Marcin

    Friday, September 27, 2013 11:10 AM
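The three checks Marcin asks for, as an added PowerShell script that is not part of the thread. It is meant to be run from the client that cannot resolve first.test.domain, and it assumes constructed values: the DC/DNS server where the zones were created is dc1.test.domain, and the DnsServer module is available so the zone list can be read remotely (the equivalent of dnscmd /enumzones).

```powershell
# Added example (not from the thread): reproduce Marcin's diagnostics from
# the failing client. Assumed/constructed: DC/DNS server dc1.test.domain.
$dnsServer  = 'dc1.test.domain'
$zones      = 'test.domain', 'first.test.domain'
$probeHosts = 'host1.test.domain', 'host1.first.test.domain'   # constructed names

# 1. Which DNS servers is this client really using? (Marcin's third question.)
#    If it points at a server other than the DC where the zone was created,
#    the new zone may simply not have replicated there yet.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Does that server host both zones, are both AD integrated, and do they
#    share a replication scope? (Marcin's first two questions; same data as
#    dnscmd /enumzones, with the partition name made explicit.)
Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.ZoneName -in $zones } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DirectoryPartitionName

# 3. Query the server directly for a record in each zone. -DnsOnly skips the
#    local cache, LLMNR and NetBIOS, and a fully qualified name avoids the
#    suffix search list, so the answer reflects what the server itself holds.
foreach ($name in $probeHosts) {
    try {
        $r = Resolve-DnsName -Name $name -Type A -Server $dnsServer -DnsOnly -ErrorAction Stop
        '{0,-28} -> {1}' -f $name, (($r | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', ')
    } catch {
        '{0,-28} -> FAILED: {1}' -f $name, $_.Exception.Message
    }
}
```

If step 2 shows both zones with IsDsIntegrated true and the same ReplicationScope but step 3 still fails for the child zone, the server list from step 1 is the usual culprit: the client is asking a server that does not yet host the zone.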
  • Hi Moses,

    In order to solve this issue efficiently, would you please provide the information as Marcin mentioned?

    In addition, are there any records in the new zone which point to the parent DNS zone?

    Here are some links below that might be helpful to you:

    Diagnosing Name Resolution Problems

    http://technet.microsoft.com/en-us/library/cc959340.aspx

    Create a Zone Delegation

    http://technet.microsoft.com/en-us/library/cc753500.aspx

    Best Regards,

    Amy Wang
    Monday, September 30, 2013 2:36 AM
    Moderator
  • In an AD environment there are different methods to design DNS to support a forest.

    For example, if you have a company with headquarters located in NYC with a forest root domain called company.local, and a division in France, due to legal and administrative reasons, you may want to create a child AD domain for the France location, install DNS on those DCs, and then manually create the child zone on those DC/DNS servers (such as ParisDC1.france.company.local). Then in the NYC office DCs, create a delegation for france.company.local, and point the delegation to the DCs in that domain.

    So basically, when you delegate a child zone to another DNS server, it is assumed that that "other" DNS server will host that zone and will NOT host the parent zone (which you previously referred to as the "father" zone).

    Therefore, since it does not host the parent zone, how are the child domain DNS servers able to resolve the parent zone? Easy. Configure a conditional or general forwarder from the child domain DC/DNS servers to the parent domain DC/DNS servers.

    If you have multiple child delegated zones, you need to perform one more step by configuring search suffixes. For example, in first.test.domain.com, you create a search suffix for second.test.domain.com, and in second.test.domain.com's machines, create a search suffix for first.test.domain.com.

    This way a query for something in the parent zone from a machine in first.test.domain.com will ask its DNS server, which doesn't have the answer but sees that you've configured a conditional forwarder for the parent zone, therefore the request is passed on.

    I have the steps outlined and explained in my blog. This is based on AD. If your intentions are non-AD, the rules still apply. It's basically just designing DNS to support an infrastructure.

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, September 30, 2013 4:04 AM
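The delegation design Ace describes (delegation in the parent, forwarder on the child servers, suffix search list on the clients), as an added PowerShell example that is not from the thread or from Ace's blog. All names and addresses are constructed: test.domain on dc1 (10.0.0.10), first.test.domain on its own server dc-first.first.test.domain (10.0.1.10), and second.test.domain on a third server. Each section runs on a different machine, as the comments indicate.

```powershell
# Added example (not from the thread): the three pieces of Ace's
# parent/child delegation design. Constructed values throughout:
#   parent zone test.domain        -> dc1.test.domain (10.0.0.10)
#   child zone  first.test.domain  -> dc-first.first.test.domain (10.0.1.10)

# ---- Run on the parent DC/DNS server (hosts test.domain) -------------------
# Delegation: the parent stops hosting 'first' and records which server does.
Add-DnsServerZoneDelegation -Name 'test.domain' -ChildZoneName 'first' `
    -NameServer 'dc-first.first.test.domain' -IPAddress 10.0.1.10

# ---- Run on the child DC/DNS server (hosts first.test.domain only) ---------
# It is not authoritative for the parent, so parent-zone queries must be
# forwarded. Conditional forwarder (Ace's first option), stored in AD so every
# DC/DNS server in the child domain gets the same setting.
Add-DnsServerConditionalForwarderZone -Name 'test.domain' `
    -MasterServers 10.0.0.10 -ReplicationScope 'Domain'

# Ace's alternative, a general forwarder: everything the child server is not
# authoritative for goes to the parent servers instead of root hints.
# Set-DnsServerForwarder -IPAddress 10.0.0.10 -UseRootHint $false

# ---- Run on client machines in first.test.domain (search-suffix step) ------
# Lets an unqualified name such as 'srv2' be tried in the sibling and parent
# zones too. In practice this is pushed by Group Policy; set locally here.
Set-DnsClientGlobalSetting -SuffixSearchList @(
    'first.test.domain', 'second.test.domain', 'test.domain')

# ---- Check: can a client of the child server reach the parent zone? -------
# The child server answers first.test.domain itself and forwards the rest.
Resolve-DnsName -Name 'dc1.test.domain'       -Type A -Server 10.0.1.10 -DnsOnly
Resolve-DnsName -Name 'dc-first.first.test.domain' -Type A -Server 10.0.1.10 -DnsOnly
```

Note the difference from Marcin's design: here each organisation runs its own DNS servers and the zone-level ACL question goes away because the child servers never hold the parent zone, at the cost of the forwarder and suffix configuration on every child server and client.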
  • Thank you Ace, but I think it is not so complicated; besides, when delegating subdomains I cannot change the admin user of the subdomain, which is needed, and all DNS servers should have all subdomains.

    As I wrote to Amy, I missed something or made something wrong, so the DNS resolution between zones in the same DNS server works; with separate zones I can change the administrator for that zone.

    Thank you again,

    Moses.

    Tuesday, October 01, 2013 6:54 AM