Solved

Best Way to Setup DNS server for subdomain in windows 2003 AD and restrict the access to DNS Records

Posted on 2006-07-04
Last Modified: 2012-05-05
Hi

We are in the process of adding a sub domain to our existing domain (Windows 2003 AD). When we try adding the sub domain with DCPROMO it automatically creates the sub domain on our main DNS server, and administrators from all sites can see the whole DNS structure...

We wanted to have a DNS server at each site so that the administrator at each site can maintain their own records, but we do not want them to be able to do anything with the other sites' DNS records. If possible we don't want to show the administrator of one domain the records of the other domain.

We were wondering if anyone could point us in the right direction for setting up DNS servers in our environment.

Thank you
Question by:agurung
LVL 19

Expert Comment

by:feptias
ID: 17036651
LVL 51

Expert Comment

by:Netman66
ID: 17036988
The admins from the child domain cannot change anything in the other zones anyway.  They should only be able to administer their own zone.

You can make the child zone AD Integrated, then simply install DNS on the child domain and it should replicate down locally.  Then change the scope on the child domain DNS server (on that zone) so it replicates only to all DNS servers in the domain.  After this you should be able to delete the zone off the main server.  I feel there should be no reason to do that though, since the other admins should not be able to touch anything that isn't in their own domain zone.
LVL 12

Expert Comment

by:GinEric
ID: 17039780
I would suggest you get the terminology right too.  There is no such thing as a subdomain; a domain is a domain is a domain.

You probably mean a zone.

Unless you're inside of a LAN, anyone on the Internet can see those zone records; that's how the Internet works.

You can block zone transfers, and some data, but if it's outside of your LAN everyone has to see the zone for it to work.

You also have lots of options, secure zone transfers, notifies, and other things to limit what people can do with DNS zones and records.  In the DNS Manager, under the zone you want to manage, the Properties dialogue will show most of the options for dynamic updates, security, and zone transfers.

Set them accordingly and they are configurable by IP Address, Name Servers, and/or users, specifically.

This solves this wish: "We wanted to have DNS server in each sites so that administrator on each sites can maintain the records of their own but we do not want them to be able to do anything with other site of DNS records."

As for not seeing the zones, if you mean as in their Active Directory DNS Manager, you have to ask if they should be in everyone's Active Directory across domains.  It sounds like that is what you have, based on a single name server being shared among all administrators.  Above, you can narrow down what they can change, but if they all have the same Active Directory Name Server DNS Server, you would have to specifically deny read permissions on a per user basis.  That can get very tricky.
Author Comment

by:agurung
ID: 17040127
Thanks Guys

The problem we are facing is that whenever we try installing the DNS server on one of the test DCs (for the sub domain) it brings up an exact copy of the DNS entries from our main DNS server, and the local admin has all permissions at every level of DNS.

Any idea why this is happening?

Thank you
Author Comment

by:agurung
ID: 17040170
Hi GinEric

We are using internal DNS for our AD and we use our ISP's DNS for external names. What we have is as below:

    internal.com (Main Domain)
    test.internal.com (Sub Domain)

When we did DCPromo as a child domain of the existing domain at one of our sites, the test sub domain or zone (test.internal.com) was created automatically on our DNS server by AD (Windows 2003). As this is our branch office we do not want them to be able to change DNS records in internal.com, but they should be able to do that on test.internal.com.

Hope this is a bit clearer.

Thank you
LVL 19

Expert Comment

by:feptias
ID: 17040812
Hi agurung

I am getting confused by the comments in this thread because there is a lack of clarity about the differences between Windows domains, internal DNS domains and public DNS domains. If you are using DCPROMO to create a child domain in Windows then it automatically creates a 2-way trust relationship between child and parent domains. If you don't even trust the administrators in the branch office to be able to *read* the DNS records of the parent domain then I wonder if this is the right approach for you.

Are you saying that you don't want administrators in the branch to be able to make changes or additions to the DNS records in the parent zone or that you don't even want them to be able to read (have visibility of) those records?

It is common practice to select different names for internal Windows domains to those names that are used on the public Internet - e.g. mycompany.local and mycompany.com.  Perhaps if you made that separation between public and internal domain names then it would also help you to see more clearly what is the right structure for your Windows domains (without being influenced by naming conventions that you want to show to the outside world).
LVL 51

Accepted Solution

by:Netman66 (earned 200 total points)
ID: 17041740
The zone "internal.com" (per your example) should not propagate to the child domain DNS server.  The only zones you should see are _msdcs.internal.com and test.internal.com (on the child domain DNS server).

If you look at the properties of the "internal.com" zone on the parent server you should see the replication scope is set to replicate only with all DNS servers in the domain - which means it should NOT be available on the child domain's DNS server.

The _msdcs zone will, because it's in the Application Partition and replicates to all DNS servers in the Forest.  This zone holds the SRV records for all DCs in the Forest.

I'm still wondering why you think the admins on the child domain can alter the parent domain zone.

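As an added check (example code, not part of the thread or of any of the posters' answers): a PowerShell script that lists the zones each DNS server hosts together with their replication scope, which is the property the accepted answer says decides whether internal.com shows up on the child domain's server. It assumes the DnsServer PowerShell module and DNS servers running Windows Server 2012 or later (the dnscmd equivalents for Windows Server 2003 are noted in comments), and the server names are placeholders.

```powershell
# Added example, not from the thread. Reports which AD-integrated zones each
# DNS server hosts and where each zone replicates, so the condition described
# above (the parent zone appearing on the child domain's DNS server) is
# detected by a query rather than by inspection in the DNS Manager GUI.
# Assumes the DnsServer module (Windows Server 2012 or later); server names
# are placeholders for the parent and child domain controllers.
Import-Module DnsServer

$ParentDnsServer = 'dc1.internal.com'        # placeholder
$ChildDnsServer  = 'dc1.test.internal.com'   # placeholder
$ParentZone      = 'internal.com'

function Get-ZoneScopeReport {
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
        Select-Object @{ Name = 'Server'; Expression = { $ComputerName } },
                      ZoneName, ZoneType, IsDsIntegrated,
                      ReplicationScope, DirectoryPartitionName
}

$report = foreach ($server in $ParentDnsServer, $ChildDnsServer) {
    Get-ZoneScopeReport -ComputerName $server
}
$report | Sort-Object ZoneName, Server | Format-Table -AutoSize

# Expected per the accepted answer: internal.com (ReplicationScope 'Domain')
# is listed only for the parent server; _msdcs.internal.com ('Forest') is
# listed for both; test.internal.com is listed for the child server.
$leaked = $report | Where-Object {
    $_.Server -eq $ChildDnsServer -and $_.ZoneName -eq $ParentZone
}
if ($leaked) {
    $parentScope = ($report | Where-Object {
        $_.Server -eq $ParentDnsServer -and $_.ZoneName -eq $ParentZone
    }).ReplicationScope
    Write-Warning "Zone $ParentZone is also hosted on $ChildDnsServer; its replication scope on the parent is '$parentScope'."

    # Remediation described in the thread: scope the parent zone to the DNS
    # servers of its own domain only. Remove -WhatIf after reviewing the report.
    Set-DnsServerPrimaryZone -ComputerName $ParentDnsServer -Name $ParentZone `
        -ReplicationScope Domain -WhatIf

    # Windows Server 2003 equivalents using dnscmd:
    #   dnscmd dc1.internal.com /ZoneInfo internal.com
    #   dnscmd dc1.internal.com /ZoneChangeDirectoryPartition internal.com /domain
}
```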
