Solved

Best Way to Set Up a DNS Server for a Subdomain in Windows 2003 AD and Restrict Access to DNS Records

Posted on 2006-07-04
Medium Priority
746 Views
Last Modified: 2012-05-05
Hi

We are in the process of adding a subdomain to our existing domain (Windows 2003 AD). When we try adding the subdomain with DCPROMO it automatically creates the subdomain in our main DNS server, and administrators from all sites can see the whole DNS structure...

We wanted to have a DNS server in each site so that the administrator in each site can maintain their own records, but we do not want them to be able to do anything with the other sites' DNS records. If possible we don't want to show the administrator of one domain the records of the other domain.

We were wondering if anyone could point us in the right direction in setting up DNS servers in our environment.

Thank you
Question by:agurung
7 Comments
 
LVL 19

Expert Comment

by:feptias
ID: 17036651
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17036988
The admins from the child domain cannot change anything in the other zones anyway.  They should only be able to administer their own zone.

You can make the child zone AD Integrated, then simply install DNS on the child domain and it should replicate down locally.  Then change the scope on the child domain DNS server (on that zone) so it replicates only to all DNS servers in the domain.  After this you should be able to delete the zone off the main server.  I feel there should be no reason to do that though, since the other admins should not be able to touch anything that isn't in their own domain zone.
0
 
LVL 12

Expert Comment

by:GinEric
ID: 17039780
I would suggest you get the terminology right too.  There is no such thing as a subdomain; a domain, is a domain, is a domain.

You probably mean a zone.

Unless you're inside of a LAN, anyone on the Internet can see those zone records; that's how the Internet works.

You can block zone transfers, and some data, but if it's outside of your LAN everyone has to see the zone for it to work.

You also have lots of options, secure zone transfers, notifies, and other things to limit what people can do with DNS zones and records.  In the DNS Manager, under the zone you want to manage, the Properties dialogue will show most of the options for dynamic updates, security, and zone transfers.

Set them accordingly and they are configurable by IP Address, Name Servers, and/or users, specifically.

This solves this wish: "We wanted to have DNS server in each sites so that administrator on each sites can maintain the records of their own but we do not want them to be able to do anything with other site of DNS records."

As for not seeing the zones, if you mean as in their Active Directory DNS Manager, you have to ask if they should be in everyone's Active Directory across domains.  It sounds like that is what you have, based on a single name server being shared among all administrators.  Above, you can narrow down what they can change, but if they all have the same Active Directory Name Server DNS Server, you would have to specifically deny read permissions on a per user basis.  That can get very tricky.
0
 

Author Comment

by:agurung
ID: 17040127
Thanks Guys

The problem we are facing is that whenever we try installing a DNS server on one of the test DCs (for the subdomain), it brings up an exact copy of the DNS entries as per our main DNS server, and the local admin has all permissions at every level of DNS.

Any idea why this is happening?

Thank you
0
 

Author Comment

by:agurung
ID: 17040170
Hi GinEric

We are using internal DNS for our AD and we use our ISP's DNS for external names. What we have is as below

    internal.com (Main Domain)
    test.internal.com (Sub Domain)

When we did DCPromo as a child domain of the existing domain at one of our sites, the test subdomain or zone (test.internal.com) was created automatically on our DNS server by AD (Windows 2003). As this is our branch office we do not want them to be able to change DNS records in internal.com, but they should be able to do that in test.internal.com.

Hope this is a bit clearer

Thank you
0
 
LVL 19

Expert Comment

by:feptias
ID: 17040812
Hi agurung

I am getting confused by the comments in this thread because there is a lack of clarity about the differences between Windows domains, internal DNS domains and public DNS domains. If you are using DCPROMO to create a child domain in Windows then it automatically creates a 2-way trust relationship between child and parent domains. If you don't even trust the administrators in the branch office to be able to *read* the DNS records of the parent domain then I wonder if this is the right approach for you.

Are you saying that you don't want administrators in the branch to be able to make changes or additions to the DNS records in the parent zone or that you don't even want them to be able to read (have visibility of) those records?

It is common practice to select different names for internal Windows domains to those names that are used on the public Internet - e.g. mycompany.local and mycompany.com.  Perhaps if you made that separation between public and internal domain names then it would also help you to see more clearly what is the right structure for your Windows domains (without being influenced by naming conventions that you want to show to the outside world).
0
 
LVL 51

Accepted Solution

by: Netman66 (earned 800 total points)
ID: 17041740
The zone "internal.com" (per your example) should not propagate to the child domain DNS server.  The only zones you should see are _msdcs.internal.com and test.internal.com (on the child domain DNS server).

If you look at the properties of the "internal.com" zone on the parent server you should see the replication scope is set to replicate only with all DNS servers in the domain - which means it should NOT be available on the child domain's DNS server.

The _msdcs zone will, because it's in the Application Partition and replicates to all DNS servers in the Forest.  This zone holds the SRV records for all DCs in the Forest.

I'm still wondering why you think the admins on the child domain can alter the parent domain zone.

0
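To check the replication scope and zone permissions the accepted solution describes, here is an added example (not from the thread or from Microsoft) that drives the Windows Server 2003 tools dnscmd.exe and dsacls.exe (the latter from the Support Tools). The server names dc1.internal.com and dc1.test.internal.com, and the DomainDnsZones layout of the zone DN, are assumptions for the thread's example domains.

```powershell
# Added example: verify which zones each DNS server hosts, which directory
# partition the parent zone replicates in, and who has rights on that zone.
$ParentDns  = 'dc1.internal.com'        # assumed: a DC/DNS server in the parent domain
$ChildDns   = 'dc1.test.internal.com'   # assumed: the branch DC/DNS server
$ParentZone = 'internal.com'
$ChildZone  = 'test.internal.com'

function Show-ZoneScope {
    param([string]$Server, [string]$Zone)
    # "directory partition" shows whether the zone lives in DomainDnsZones
    # (replicates to DNS servers in this domain only), ForestDnsZones (all DNS
    # servers in the forest) or the legacy domain partition (all DCs in the domain).
    dnscmd $Server /ZoneInfo $Zone |
        Select-String -Pattern 'DS integrated|directory partition|zone DN'
}

# 1. Zones actually hosted on each server. internal.com should NOT appear on the
#    child server; _msdcs.internal.com and test.internal.com should.
Write-Host "== Zones on $ParentDns =="; dnscmd $ParentDns /EnumZones
Write-Host "== Zones on $ChildDns  =="; dnscmd $ChildDns  /EnumZones

# 2. Confirm the parent zone is domain-scoped and the child zone is as well.
Show-ZoneScope -Server $ParentDns -Zone $ParentZone
Show-ZoneScope -Server $ChildDns  -Zone $ChildZone

# 3. If internal.com turns out to be forest-wide, move it to the domain-wide
#    partition so it stops replicating to the child domain's DNS servers.
#    Uncomment to apply (this is a change, so run it only after step 2 confirms the need):
# dnscmd $ParentDns /ZoneChangeDirectoryPartition $ParentZone /domain

# 4. Review the ACL on the parent zone object: branch (child domain) admins
#    should not be granted write rights here. The DN below assumes the zone is
#    in DomainDnsZones; use the "zone DN" line from step 2 if it differs.
$ParentZoneDn = "DC=$ParentZone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=com"
dsacls $ParentZoneDn
```

Step 1 is the quickest way to confirm Netman66's point: if internal.com is listed on the child server at all, its replication scope (step 2) is wider than the parent domain.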
