Solved

Best Way to Setup DNS server for subdomain in windows 2003 AD and restrict the access to DNS Records

Posted on 2006-07-04
747 Views
Last Modified: 2012-05-05
Hi

We are in the process of adding a sub domain to our existing domain (Windows 2003 AD). When we try adding the sub domain with DCPROMO it automatically creates the sub domain in our main DNS server, and administrators from all sites can see the whole DNS structure...

We wanted to have a DNS server in each site so that the administrator of each site can maintain their own records, but we do not want them to be able to do anything with the DNS records of other sites. If possible we don't want to show the administrator of one domain the records of the other domain.

We were wondering if anyone could point us in the right direction for setting up DNS servers in our environment.

Thank you
Question by:agurung
7 Comments
LVL 19

Expert Comment

by:feptias
ID: 17036651
LVL 51

Expert Comment

by:Netman66
ID: 17036988
The admins from the child domain cannot change anything in the other zones anyway.  They should only be able to administer their own zone.

You can make the child zone AD Integrated, then simply install DNS on the child domain and it should replicate down locally.  Then change the scope on the child domain DNS server (on that zone) so it replicates only to all DNS servers in the domain.  After this you should be able to delete the zone off the main server.  I feel there should be no reason to do that though, since the other admins should not be able to touch anything that isn't in their own domain zone.
LVL 12

Expert Comment

by:GinEric
ID: 17039780
I would suggest you get the terminology right too.  There is no such thing as a subdomain; a domain is a domain is a domain.

You probably mean a zone.

Unless you're inside of a LAN, anyone on the Internet can see those zone records; that's how the Internet works.

You can block zone transfers, and some data, but if it's outside of your LAN everyone has to see the zone for it to work.

You also have lots of options, secure zone transfers, notifies, and other things to limit what people can do with DNS zones and records.  In the DNS Manager, under the zone you want to manage, the Properties dialogue will show most of the options for dynamic updates, security, and zone transfers.

Set them accordingly and they are configurable by IP Address, Name Servers, and/or users, specifically.

This solves this wish: "We wanted to have DNS server in each sites so that administrator on each sites can maintain the records of their own but we do not want them to be able to do anything with other site of DNS records."

As for not seeing the zones, if you mean as in their Active Directory DNS Manager, you have to ask if they should be in everyone's Active Directory across domains.  It sounds like that is what you have, based on a single name server being shared among all administrators.  Above, you can narrow down what they can change, but if they all have the same Active Directory Name Server DNS Server, you would have to specifically deny read permissions on a per user basis.  That can get very tricky.

Author Comment

by:agurung
ID: 17040127
Thanks Guys

The problem we are facing is that whenever we try installing DNS server on one of the test DCs (for the sub domain) it brings up an exact copy of the DNS entries from our main DNS server, and the local admin has full permissions on every level of DNS.

Any idea why this is happening?

Thank you

Author Comment

by:agurung
ID: 17040170
Hi GinEric

We are using internal DNS for our AD and we use our ISP's DNS for external names. What we have is as below

    internal.com (Main Domain)
    test.internal.com (Sub Domain)

When we did DCPROMO as a child domain of the existing domain at one of our sites, the test sub domain or zone (test.internal.com) was created automatically on our DNS server by AD (Windows 2003). As this is our branch office we do not want them to be able to change DNS records in internal.com, but they should be able to do that in test.internal.com.

Hope this is a bit clearer.

Thank you
LVL 19

Expert Comment

by:feptias
ID: 17040812
Hi agurung

I am getting confused by the comments in this thread because there is a lack of clarity about the differences between Windows domains, internal DNS domains and public DNS domains. If you are using DCPROMO to create a child domain in Windows then it automatically creates a 2-way trust relationship between child and parent domains. If you don't even trust the administrators in the branch office to be able to *read* the DNS records of the parent domain then I wonder if this is the right approach for you.

Are you saying that you don't want administrators in the branch to be able to make changes or additions to the DNS records in the parent zone or that you don't even want them to be able to read (have visibility of) those records?

It is common practice to select different names for internal Windows domains to those names that are used on the public Internet - e.g. mycompany.local and mycompany.com.  Perhaps if you made that separation between public and internal domain names then it would also help you to see more clearly what is the right structure for your Windows domains (without being influenced by naming conventions that you want to show to the outside world).
LVL 51

Accepted Solution

by:
Netman66 earned 800 total points
ID: 17041740
The zone "internal.com" (per your example) should not propagate to the child domain DNS server.  The only zones you should see are _msdcs.internal.com and test.internal.com (on the child domain DNS server).

If you look at the properties of the "internal.com" zone on the parent server you should see the replication scope is set to replicate only with all DNS servers in the domain - which means it should NOT be available on the child domain's DNS server.

The _msdcs zone will, because it's in the Application Partition and replicates to all DNS servers in the Forest.  This zone holds the SRV records for all DCs in the Forest.

I'm still wondering why you think the admins on the child domain can alter the parent domain zone.

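The check Netman66 describes (the replication scope of each zone) and GinEric's point about per-zone permissions can both be done from the command line on a Windows 2003 DNS server. The script below is an added example, not from anyone in this thread; it assumes dnscmd.exe and dsacls.exe are on the path, that the server name dc1.internal.com and the three zone names from the thread are what you have, and that dnscmd /ZoneInfo prints the "directory partition" and "zone DN" lines in the usual format.

```powershell
# Added example (not from the thread): report the AD replication scope of each
# zone and which principals hold rights on the zone object, using dnscmd.exe
# and dsacls.exe as shipped with Windows 2003. Server and zone names below are
# assumptions taken from the thread's example; adjust them for your environment.
$server = 'dc1.internal.com'
$zones  = 'internal.com', 'test.internal.com', '_msdcs.internal.com'

function Get-ZoneScope([string]$Server, [string]$Zone) {
    # dnscmd /ZoneInfo prints "directory partition = AD-Domain ..." and "zone DN = ..."
    $out   = & dnscmd $Server /ZoneInfo $Zone 2>&1 | Out-String
    $scope = if ($out -match 'directory partition\s*=\s*(\S+)') { $Matches[1] } else { 'not AD-integrated' }
    $dn    = if ($out -match 'zone DN\s*=\s*(.+)')             { $Matches[1].Trim() } else { $null }
    # Hashtable rather than a custom object so this also runs on early PowerShell versions.
    @{ Zone = $Zone; Scope = $scope; DN = $dn }
}

foreach ($z in $zones) {
    $info = Get-ZoneScope $server $z
    "{0,-25} replication scope: {1}" -f $info.Zone, $info.Scope

    # Expectation from the accepted answer: only _msdcs.* is forest-wide (AD-Forest);
    # internal.com and test.internal.com should be domain-wide (AD-Domain), so the
    # parent zone never lands on the child domain's DNS server at all.
    if ($info.Zone -notlike '_msdcs.*' -and $info.Scope -eq 'AD-Forest') {
        "  -> wider than needed; narrow it with:"
        "     dnscmd $server /ZoneChangeDirectoryPartition $($info.Zone) /domain"
    }

    # Who is granted rights on the zone object itself (the ACL that decides
    # whether a branch admin can touch records in this zone).
    if ($info.DN) {
        $acl = & dsacls $info.DN 2>&1 | Out-String
        "  principals granted rights on the zone object:"
        ($acl -split "`n") | Where-Object { $_ -match '^\s*Allow' } |
            ForEach-Object { "     " + $_.Trim() }
    }
}
```

Run it on the parent-domain DNS server first and then on the child-domain DNS server: on the child you should see test.internal.com and _msdcs.internal.com but get "not AD-integrated" (or no zone at all) for internal.com if the scope is set as Netman66 describes.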