parent/child domain, DNS question "Jay" <jay[ at ]nospam.com> 5/15/2007 8:12:44 PM I have one domain, DOMAIN.EDU, as my 'production' domain. I have created a child domain, AC.DOMAIN.EDU, which student workstations will be able to authenticate against. They need to be able to log onto a workstation using credentials stored in the parent domain but I am trying to remove their ability to 'touch' my DOMAIN.EDU DCs directly. DOMAIN.EDU is AD integrated on my production DCs. I need the clients on AC.DOMAIN.EDU to be able to see the SRV records for AC.DOMAIN.EDU, but NOT DOMAIN.EDU. I have tried using a delegated zone per MS KB 255248, but that doesn't work. I need the clients on AC.DOMAIN.EDU to be able to perform DDNS updates against the AC.DOMAIN.EDU DCs. I am hoping to use the DC on AC.DOMAIN.EDU as my DNS servers for those clients, and use AD integrated zones. Does this make sense? Any ideas? Blake

Re: parent/child domain, DNS question "Jay" <jay[ at ]nospam.com> 5/15/2007 8:15:13 PM Actually, that KB article may have worked. I'll update shortly. "Jay" <jay[ at ]nospam.com> wrote in message news:%23$kKn1ylHHA.3996[ at ]TK2MSFTNGP06.phx.gbl... [Quoted Text] >I have one domain, DOMAIN.EDU, as my 'production' domain. I have created a >child domain, AC.DOMAIN.EDU, which student workstations will be able to >authenticate against. They need to be able to log onto a workstation using >credentials stored in the parent domain but I am trying to remove their >ability to 'touch' my DOMAIN.EDU DCs directly. > > DOMAIN.EDU is AD integrated on my production DCs. I need the clients on > AC.DOMAIN.EDU to be able to see the SRV records for AC.DOMAIN.EDU, but NOT > DOMAIN.EDU. > > I have tried using a delegated zone per MS KB 255248, but that doesn't > work. I need the clients on AC.DOMAIN.EDU to be able to perform DDNS > updates against the AC.DOMAIN.EDU DCs. I am hoping to use the DC on > AC.DOMAIN.EDU as my DNS servers for those clients, and use AD integrated > zones. > > Does this make sense? Any ideas? > > Blake

Re: parent/child domain, DNS question "Herb Martin" <news[ at ]learnquick.com> 5/15/2007 10:08:22 PM "Jay" <jay[ at ]nospam.com> wrote in message news:%23$kKn1ylHHA.3996[ at ]TK2MSFTNGP06.phx.gbl... [Quoted Text] >I have one domain, DOMAIN.EDU, as my 'production' domain. I have created a >child domain, AC.DOMAIN.EDU, which student workstations will be able to >authenticate against. They need to be able to log onto a workstation using >credentials stored in the parent domain but I am trying to remove their >ability to 'touch' my DOMAIN.EDU DCs directly. > > DOMAIN.EDU is AD integrated on my production DCs. I need the clients on > AC.DOMAIN.EDU to be able to see the SRV records for AC.DOMAIN.EDU, but NOT > DOMAIN.EDU. > > I have tried using a delegated zone per MS KB 255248, but that doesn't > work. I need the clients on AC.DOMAIN.EDU to be able to perform DDNS > updates against the AC.DOMAIN.EDU DCs. I am hoping to use the DC on > AC.DOMAIN.EDU as my DNS servers for those clients, and use AD integrated > zones. > > Does this make sense? Any ideas? Separate issues (and components to the solution): 1) Parent DNS resolves child DNS delegate to child (or parent holds child DNS zone or conditionally forwards) 2) Child DNS resolves parent child conditionally forwards, holds secondary for parent etc 3) Child DNS accepts Dynamic updates. child has either a Primary with dynamic updates or better is an AD Integrated DNS server with (secure only) dynamic updates When holding a zone it can be: 1) Secondary (works for all DNS servers) 2) Stub (only Win2003) 3) Conditional forwarding (only Win2003) 4) Forest DNS-DC scope AD Integrated (only Win2003 & same forest) -- Herb Martin, MCSE, MVP http://www.LearnQuick.Com (phone on web site)