Child Domain Delegation Question

  • Question

  • I actually have two DNS related questions:

    #1 We have an Active Directory Forest with a Forest Root Domain and a Child Domain. We recently ran a DR test and found some issues with DNS. In particular, systems in the Forest Root domain were unable to resolve systems in the Child Domain. After some research I found that the Delegation in the Forest Root for the Child domain only had one DC/DNS Name Server. Unfortunately, our DR test included cutting off communication to that server. I am assuming I just need to add additional NS to the Child Zone's delegation, ideally all of our available DNS servers in the Child Domain. I am wondering, however: why would there be only one NS in the zone?

    We recently finished a migration from 2008 R2 domain controllers to 2012 R2. I know when running DCPROMO a Delegation Warning is displayed. I am wondering if, when we demoted the '08 boxes, it removed them, and when we promoted the others the account used didn't have the rights to re-add them (hence the warning). Does it sound like I am on the right track?

    #2 During troubleshooting I found another interesting DNS configuration. It involves the Replication scope for the Root and Child zones. Both of the Zones are AD Integrated and set for Secure Dynamic Updates. However, the Child Zone is set to: "All domain controllers in this domain (for Windows 2000 compatibility)". The Root Zone is set to: "All DNS Servers in this domain". I am sure the Child setting is a holdover from when the AD was '03. I am unsure why the root is configured that way. I have done some research and found a few suggestions to change both to: "To all DNS servers running on domain controllers in this forest: domain.com". Our AD is centrally managed, so segmenting DNS for security is not needed. FYI, all DCs are DNS servers.

    Any input on either question would be welcome!

    Wednesday, April 27, 2016 7:58 PM

Answers

  • Hi BigSkyTech,

    >> I can do that. I guess I was wondering if I changed both the child and root zones to: "To all DNS servers running on domain controllers in this forest: domain.com". If I did that, would I still want to add all of the child zone(s) DNS servers as name servers for its delegated zone in the root?

    For alternate, yes you could.

    Best Regards,

    Cartman

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by BigSkyTech Wednesday, May 4, 2016 1:26 PM
    Wednesday, May 4, 2016 6:42 AM

All replies

  • >> I am assuming I just need to add additional NS to the Child Zone's delegation, ideally all of our available DNS servers in the Child Domain. I am wondering, however: why would there be only one NS in the zone?

    As it is okay for you to make the zones replicate to all DCs in your forest, you can add all your DCs' NS records in the zone.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Thursday, April 28, 2016 12:23 AM
  • Hi BigSkyTech,

    >> The Root Zone is set to: "All DNS Servers in this domain".  I am sure the Child setting is a holdover from when the AD was '03.  I am unsure why the root is configured that way.

    Do you mean the root zone's replication scope changed itself after delegation?

    You can set all the zones as AD-integrated and replicate them to all the DCs by setting replication to "All Domain Controllers in the domain".

    How to configure DNS in parent/child domain.

    http://awinish.wordpress.com/2011/04/09/configuring-dns-in-child-domain/

    Best Regards,

    Cartman


    Thursday, April 28, 2016 2:41 AM
  • Thanks for the response!

    So you are saying that it is OK to set the Root and Child Zone(s) to: "To all DNS servers running on domain controllers in this forest: domain.com"? And to add all of the child domain DNS servers as NS in the child domain's delegation in the root domain?

    Thursday, April 28, 2016 1:34 PM
  • Cartman, Thanks for the reply

    >> Do you mean the root zone's replication scope changed itself after delegation?

    No, I am sure it has always been set that way. 

    >> You can set all the zones as AD-integrated and replicate them to all the DCs by setting replication to "All Domain Controllers in the domain".

    I can do that. I guess I was wondering if I changed both the child and root zones to: "To all DNS servers running on domain controllers in this forest: domain.com". If I did that, would I still want to add all of the child zone(s) DNS servers as name servers for its delegated zone in the root?

    Thursday, April 28, 2016 1:39 PM
  • Cartman,

    Thanks again for the information, it was helpful! I ended up finding the root cause of the missing Delegation Records. We are in the process of replacing our '08 R2 DCs with '12 R2. As my colleague demoted the existing domain controllers they were removed as Name Servers of the zone. However, as he was promoting the child domain DCs he didn't supply alternate credentials (with rights) to add the new server to the delegation. We manually added them all and all is good! Just thought I would pass that along.

    Thanks again.

    Wednesday, May 4, 2016 1:26 PM
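The two checks discussed in this thread, the child-domain delegation in the forest-root zone and the replication scope of both zones, can be audited from PowerShell before anything is changed. The script below is an added example, not code from the thread or from Microsoft. It assumes a forest root named domain.com and a child named child.domain.com, that every DC is also a DNS server (as the poster states), and that dc1.domain.com and dc1.child.domain.com are DCs in the respective domains; adjust the names for your forest. It uses only the DnsServer and ActiveDirectory RSAT modules.

```powershell
# Added example (not from the thread or from Microsoft): compare the NS records that the
# forest-root zone holds in its delegation for the child domain against the DCs actually
# present in the child domain, then report the replication scope of both zones.
Import-Module DnsServer
Import-Module ActiveDirectory

# Returns the child-domain DCs that are NOT yet listed as name servers in the root zone's delegation.
function Get-MissingDelegationNs {
    param(
        [string]$RootZone,       # e.g. 'domain.com'          (assumed name)
        [string]$ChildZone,      # e.g. 'child.domain.com'    (assumed name)
        [string]$RootDnsServer   # a DNS server hosting the root zone (assumed name)
    )
    # The delegation is keyed by the child's leftmost label ("child"), the same form the
    # Add-DnsServerZoneDelegation documentation uses for -ChildZoneName.
    $childLabel = ($ChildZone -split '\.')[0]

    # One object per NS record currently advertised for the child; normalise the FQDNs.
    $delegated = Get-DnsServerZoneDelegation -ComputerName $RootDnsServer -Name $RootZone -ChildZoneName $childLabel |
        ForEach-Object { $_.NameServer.RecordData.NameServer.TrimEnd('.').ToLower() }

    # Every DC in the child domain; the thread states all DCs run DNS, so each should be an NS.
    $childDcs = Get-ADDomainController -Filter * -Server $ChildZone
    foreach ($dc in $childDcs) {
        if ($dc.HostName.ToLower() -notin $delegated) {
            [pscustomobject]@{ HostName = $dc.HostName; IPv4Address = $dc.IPv4Address }
        }
    }
}

# Reports replication scope and dynamic-update setting for each zone; the hashtable maps a zone
# to a DNS server that hosts it, because a root DC holds the child zone only once it is forest-replicated.
function Get-ZoneScopeReport {
    param([hashtable]$ZoneServers)
    foreach ($zone in $ZoneServers.Keys) {
        $z = Get-DnsServerZone -ComputerName $ZoneServers[$zone] -Name $zone
        [pscustomobject]@{
            Zone             = $z.ZoneName
            # Legacy = "all domain controllers in this domain (Windows 2000 compatibility)",
            # Domain = "all DNS servers in this domain", Forest = "all DNS servers ... in this forest"
            ReplicationScope = $z.ReplicationScope
            DynamicUpdate    = $z.DynamicUpdate      # expect 'Secure' for both zones, as in the thread
        }
    }
}

# --- Audit (read-only) ---
$missing = Get-MissingDelegationNs -RootZone 'domain.com' -ChildZone 'child.domain.com' -RootDnsServer 'dc1.domain.com'
$missing | Format-Table -AutoSize

Get-ZoneScopeReport @{ 'domain.com' = 'dc1.domain.com'; 'child.domain.com' = 'dc1.child.domain.com' } | Format-Table -AutoSize

# --- Remediation, shown with -WhatIf so nothing is written until you remove it ---
# This is the write into the root zone that the promotion wizard skips (with its delegation
# warning) when the promoting account has no rights there; run it with an account that does.
foreach ($m in $missing) {
    Add-DnsServerZoneDelegation -ComputerName 'dc1.domain.com' -Name 'domain.com' -ChildZoneName 'child' `
        -NameServer $m.HostName -IPAddress $m.IPv4Address -WhatIf
}

# Moving both zones to forest-wide replication, if that is the decision reached:
# Set-DnsServerPrimaryZone -ComputerName 'dc1.domain.com'       -Name 'domain.com'       -ReplicationScope Forest
# Set-DnsServerPrimaryZone -ComputerName 'dc1.child.domain.com' -Name 'child.domain.com' -ReplicationScope Forest
```

Run the audit on a schedule after any DC promotion or demotion: demoting a DC removes its NS records, and a promotion done without rights on the parent zone never adds them, which is exactly how the delegation in this thread ended up with a single name server. Note that once both zones replicate forest-wide, a root DC answers child names from its own copy of the child zone rather than by following the delegation, but the delegation still matters for any DNS server that holds only the root zone, so keeping all child DNS servers listed in it (as the accepted answer suggests) remains worthwhile.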