how-to on DNS delegation? Per-Torben 4/16/2007 12:38:01 PM Hello. We have a network infrastucture. Multiple domain, multiple sites and multiple dc's in every domain. All DC are GC. Our main forest, company.local, hosts the DNS for the entire forest as one big ad-intergrated zone. The domains are company.local one.company.local two.company.local three.company.local I'm thinking about delegating the dns zones to their respective domain as it seems to me to be more logical and easier to manage. What I haven't found yet is a how-to on this so I do this in the correct order. 1. Afaik I can't delegate a domain that's already hosted, so if I try to make a delegation of "one.company.local", I will get a message saying that I can't delegate it since it exists already. How do I work around that? 2. If I delegate those subdomains as so. Will clients in another forest be able to forward queries to company.local and still resolve hosts in one.company.local? Without having forwarders from company.local to one.company.local 3. After we bought some other companies and merged them to us we have a few other forests that we still need some access to. Would conditional forwarding be the best way to solve this? 4. What's the best practise regarding break-out points? I thought about having all domains forward quesries to company.local and let company.local forward to extarnal DNS. Any comments to that? This involves several hundred users so I wanna be 100% sure before I change anything. Thank you all in advance -- regards Per-Torben Sørensen

Re: how-to on DNS delegation? "Ace Fekay [MVP]" <PleaseAskMe[ at ]SomeDomain.com> 4/17/2007 9:29:50 PM In news:5C6E9A24-6394-4C9C-A0E4-B199C9F5ADFF[ at ]microsoft.com, Per-Torben <PerTorben[ at ]discussions.microsoft.com> typed: [Quoted Text] > Hello. > > We have a network infrastucture. Multiple domain, multiple sites and > multiple dc's in every domain. All DC are GC. > > Our main forest, company.local, hosts the DNS for the entire forest > as one big ad-intergrated zone. The domains are > company.local > one.company.local > two.company.local > three.company.local > > I'm thinking about delegating the dns zones to their respective > domain as it seems to me to be more logical and easier to manage. > What I haven't found yet is a how-to on this so I do this in the > correct order. > > 1. > Afaik I can't delegate a domain that's already hosted, so if I try to > make a delegation of "one.company.local", I will get a message saying > that I can't delegate it since it exists already. How do I work > around that? > > > 2. > If I delegate those subdomains as so. Will clients in another forest > be able to forward queries to company.local and still resolve hosts in > one.company.local? Without having forwarders from company.local to > one.company.local > > 3. > After we bought some other companies and merged them to us we have a > few other forests that we still need some access to. Would > conditional forwarding be the best way to solve this? > > 4. > What's the best practise regarding break-out points? I thought about > having all domains forward quesries to company.local and let > company.local forward to extarnal DNS. Any comments to that? > > This involves several hundred users so I wanna be 100% sure before I > change anything. > > > Thank you all in advance Basically: Basically to create a delegation, you rt-click your parent domain name in the parent DNS server. If it's called domain.com, then rt-click on it and choose new delegation. Then type in the child domain;s name, such as child1. Then in the bottom of the wizard it will show it prefixing the name, such as child1.domain.com. Then in the next screen type in the IP address of the DNS server that will host the child zone in the child domain. Make absolutely sure that the child1.domain.com DOES NOT EXIST as a separate zone in the parent DNS. If done properly, it will show up as a grayed out folder UNDER the domain.com zone. If you click on it, the only thing that will show up is the nameserver name and IP of the child DNS server. Then in the child DNS server, configure a forwarder to the parent DNS server. That's it! You can take this a step further and configure a forwarder from the parent DNS to your ISP's DNS for internet resolution. If you have another child, such as child2.domain.com, and configured in the same fashion as above, then you will have forest wide resolution. If a client in child1.doman.com needs to access something by FQDN in child2.domain.com, the query is sent to it's respective DNS, it won;t have the answer, so then it's forwarded to the parent, but the parent doesn't have the answer either, but it does have a reference to who does (due to the delegation), then the request is sent to the child2.domain.com's DNS server. To access the resource by a computer's NetBIOS name, then we'll need to configure mutliple search suffixes on each client so it will append the proper suffix for the query. There are scripts to help do this. Delegation is outlined right here: 255248 - HOW TO Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain: http://support.microsoft.com/?id=255248 (Delegation and Forwarding) - Directing queries through forwarders and delegation: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_DirectingQueriesThroughForwarders.asp If you are trying to delegate one that already exists, yes it will argue with you. I would create the zone on the child DNS server, transfer the zone using the old fahsioned method of zone transfer, then delete it from teh parent, then delegate again. Remember, when delegating, it is saying GO ELSEWHERE to get the zone, so it cannot exist on the delegating server anyway. Clients in other forests will only need their DNS to have a conditional forward to your forest root DNS, nothing else. Let the forest root DNS handle the recursion and devolution by the delegation you had already created. I don't know what you mean by Break-Out point (other than rack em up and I'll give you the 6 ball). But if you are concerned on how to allow internet resolution, use the current forwarding I shows above in my "basically" section. Let the forest root handle the ISP forwarding by setting an "All Others" forwarding to the ISP. I hope that makes sense. This is a proven method that we have working in multiple client sites. You can also use Stub zones, but we like the delegation/forwarding method for ease of administration and explaining it to current IT admins at our client sites. -- Ace Innovative IT Concepts, Inc (IITCI) Willow Grove, PA This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP Microsoft MVP - Directory Services Microsoft Certified Trainer Infinite Diversities in Infinite Combinations Having difficulty reading or finding responses to your post? Instead of the website you're using, try using OEx (Outlook Express or any other newsreader), and configure a news account, pointing to news.microsoft.com. Anonymous access. It's free - no username or password required nor do you need a Newsgroup Usenet account with your ISP. It connects directly to the Microsoft Public Newsgroups. OEx allows you o easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject. It's easy: How to Configure OEx for Internet News http://support.microsoft.com/?id=171164 "Quitting smoking is easy. I've done it a thousand times." - Mark Twain

Re: how-to on DNS delegation? Per-Torben 4/18/2007 6:16:01 AM thank you very much for the reply. However "Make absolutely sure that the child1.domain.com DOES NOT EXIST as a separate zone in the parent DNS" That's part of the problem. child1,child2 and child 3 all exists as subdomains in the parent DNS zone. I can't delegate since it already exists, and I don't dare delete it and reconstruct it. It looks a little something like this: Foward lookup zones | _msdcs.domain.local | (some stub zones) | domain.local | _sites | _tcp | _ForestDnsZones | _child1 | _child2 | _child3 -- regards Per-Torben Sørensen "Ace Fekay [MVP]" wrote: [Quoted Text] > In news:5C6E9A24-6394-4C9C-A0E4-B199C9F5ADFF[ at ]microsoft.com, > Per-Torben <PerTorben[ at ]discussions.microsoft.com> typed: > > Hello. > > > > We have a network infrastucture. Multiple domain, multiple sites and > > multiple dc's in every domain. All DC are GC. > > > > Our main forest, company.local, hosts the DNS for the entire forest > > as one big ad-intergrated zone. The domains are > > company.local > > one.company.local > > two.company.local > > three.company.local > > > > I'm thinking about delegating the dns zones to their respective > > domain as it seems to me to be more logical and easier to manage. > > What I haven't found yet is a how-to on this so I do this in the > > correct order. > > > > 1. > > Afaik I can't delegate a domain that's already hosted, so if I try to > > make a delegation of "one.company.local", I will get a message saying > > that I can't delegate it since it exists already. How do I work > > around that? > > > > > > 2. > > If I delegate those subdomains as so. Will clients in another forest > > be able to forward queries to company.local and still resolve hosts in > > one.company.local? Without having forwarders from company.local to > > one.company.local > > > > 3. > > After we bought some other companies and merged them to us we have a > > few other forests that we still need some access to. Would > > conditional forwarding be the best way to solve this? > > > > 4. > > What's the best practise regarding break-out points? I thought about > > having all domains forward quesries to company.local and let > > company.local forward to extarnal DNS. Any comments to that? > > > > This involves several hundred users so I wanna be 100% sure before I > > change anything. > > > > > > Thank you all in advance > > > Basically: > Basically to create a delegation, you rt-click your parent domain name in > the parent DNS server. If it's called domain.com, then rt-click on it and > choose new delegation. Then type in the child domain;s name, such as child1. > Then in the bottom of the wizard it will show it prefixing the name, such as > child1.domain.com. Then in the next screen type in the IP address of the DNS > server that will host the child zone in the child domain. Make absolutely > sure that the child1.domain.com DOES NOT EXIST as a separate zone in the > parent DNS. If done properly, it will show up as a grayed out folder UNDER > the domain.com zone. If you click on it, the only thing that will show up is > the nameserver name and IP of the child DNS server. > > Then in the child DNS server, configure a forwarder to the parent DNS > server. > > That's it! > > You can take this a step further and configure a forwarder from the parent > DNS to your ISP's DNS for internet resolution. > > If you have another child, such as child2.domain.com, and configured in the > same fashion as above, then you will have forest wide resolution. If a > client in child1.doman.com needs to access something by FQDN in > child2.domain.com, the query is sent to it's respective DNS, it won;t have > the answer, so then it's forwarded to the parent, but the parent doesn't > have the answer either, but it does have a reference to who does (due to the > delegation), then the request is sent to the child2.domain.com's DNS server. > > To access the resource by a computer's NetBIOS name, then we'll need to > configure mutliple search suffixes on each client so it will append the > proper suffix for the query. There are scripts to help do this. > > Delegation is outlined right here: > > 255248 - HOW TO Create a Child Domain in Active Directory and Delegate the > DNS Namespace to the Child Domain: > http://support.microsoft.com/?id=255248 > > (Delegation and Forwarding) - Directing queries through forwarders and > delegation: > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_DirectingQueriesThroughForwarders.asp > > > > If you are trying to delegate one that already exists, yes it will argue > with you. I would create the zone on the child DNS server, transfer the zone > using the old fahsioned method of zone transfer, then delete it from teh > parent, then delegate again. Remember, when delegating, it is saying GO > ELSEWHERE to get the zone, so it cannot exist on the delegating server > anyway. > > Clients in other forests will only need their DNS to have a conditional > forward to your forest root DNS, nothing else. Let the forest root DNS > handle the recursion and devolution by the delegation you had already > created. > > I don't know what you mean by Break-Out point (other than rack em up and > I'll give you the 6 ball). But if you are concerned on how to allow internet > resolution, use the current forwarding I shows above in my "basically" > section. Let the forest root handle the ISP forwarding by setting an "All > Others" forwarding to the ISP. > > I hope that makes sense. This is a proven method that we have working in > multiple client sites. You can also use Stub zones, but we like the > delegation/forwarding method for ease of administration and explaining it to > current IT admins at our client sites. > > > -- > Ace > Innovative IT Concepts, Inc (IITCI) > Willow Grove, PA > > This posting is provided "AS-IS" with no warranties or guarantees and > confers no rights. > > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP > Microsoft MVP - Directory Services > Microsoft Certified Trainer > > Infinite Diversities in Infinite Combinations > > Having difficulty reading or finding responses to your post? > Instead of the website you're using, try using OEx (Outlook Express > or any other newsreader), and configure a news account, pointing to > news.microsoft.com. Anonymous access. It's free - no username or password > required nor do you need a Newsgroup Usenet account with your ISP. It > connects directly to the Microsoft Public Newsgroups. OEx allows you > o easily find, track threads, cross-post, sort by date, poster's name, > watched threads or subject. It's easy: > > How to Configure OEx for Internet News > http://support.microsoft.com/?id=171164 > > "Quitting smoking is easy. I've done it a thousand times." - Mark Twain > > >

Re: how-to on DNS delegation? "Ace Fekay [MVP]" <PleaseAskMe[ at ]SomeDomain.com> 4/19/2007 2:16:20 AM In news:EABB4B4B-400A-4F9C-907F-1BB3C967BB27[ at ]microsoft.com, Per-Torben <PerTorben[ at ]discussions.microsoft.com> typed: [Quoted Text] > thank you very much for the reply. However > "Make absolutely sure that the child1.domain.com DOES NOT EXIST as a > separate zone in the > parent DNS" > > That's part of the problem. child1,child2 and child 3 all exists as > subdomains in the parent DNS zone. I can't delegate since it already > exists, and I don't dare delete it and reconstruct it. It looks a > little something like this: > > Foward lookup zones >> > _msdcs.domain.local >> > (some stub zones) >> > domain.local > | > _sites > | > _tcp > | > _ForestDnsZones > | > _child1 > | > _child2 > | > _child3 Of course delegation won';t work, they exists on the server and you are telling the server to go elsewhere to recurse that zone. As I mentioned, you must delete them. Before you delete them, make sure you do a zone transfer (a good old fashion zone transfer) to the child domain DNS. Once there, make it AD integrated but set the replication scope to ONLY that domain, and NOT the forest. Once that is done, then DELETE THE ZONE FROM THE PARENT. That is a MUST. Once you've checked that the zone now exists only in the parent DNS, then you MUST delete that zone in the parent. Then do the delegation. Ace