Solved

Best way to set up a DNS server for a subdomain in Windows 2003 AD and restrict access to DNS records

Posted on 2006-07-04
740 Views
Last Modified: 2012-05-05
Hi

We are in the process of adding a subdomain to our existing domain (Windows 2003 AD). When we try adding the subdomain with DCPROMO it automatically creates the subdomain in our main DNS server, and administrators from all sites can see the whole DNS structure...

We wanted to have a DNS server at each site so that the administrator at each site can maintain their own records, but we do not want them to be able to do anything with the other sites' DNS records. If possible we don't want to show the administrator of one domain the records of the other domain.

We were wondering if anyone could point us in the right direction for setting up DNS servers in our environment.

Thank you
Question by:agurung
7 Comments
 
LVL 19

Expert Comment

by:feptias
ID: 17036651
 
LVL 51

Expert Comment

by:Netman66
ID: 17036988
The admins from the child domain cannot change anything in the other zones anyway. They should only be able to administer their own zone.

You can make the child zone AD-integrated, then simply install DNS on the child domain and it should replicate down locally. Then change the scope on the child domain DNS server (on that zone) so it replicates only to all DNS servers in the domain. After this you should be able to delete the zone off the main server. I feel there should be no reason to do that though, since the other admins should not be able to touch anything that isn't in their own domain zone.
 
LVL 12

Expert Comment

by:GinEric
ID: 17039780
I would suggest you get the terminology right too.  There is no such thing as a subdomain; a domain, is a domain, is a domain.

You probably mean a zone.

Unless you're inside of a LAN, anyone on the Internet can see those zone records; that's how the Internet works.

You can block zone transfers, and some data, but if it's outside of your LAN everyone has to see the zone for it to work.

You also have lots of options, secure zone transfers, notifies, and other things to limit what people can do with DNS zones and records.  In the DNS Manager, under the zone you want to manage, the Properties dialogue will show most of the options for dynamic updates, security, and zone transfers.

Set them accordingly and they are configurable by IP Address, Name Servers, and/or users, specifically.

This solves this wish: "We wanted to have DNS server in each sites so that administrator on each sites can maintain the records of their own but we do not want them to be able to do anything with other site of DNS records."

As for not seeing the zones, if you mean as in their Active Directory DNS Manager, you have to ask if they should be in everyone's Active Directory across domains.  It sounds like that is what you have, based on a single name server being shared among all administrators.  Above, you can narrow down what they can change, but if they all have the same Active Directory Name Server DNS Server, you would have to specifically deny read permissions on a per user basis.  That can get very tricky.
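The restrictions GinEric lists (dynamic-update and zone-transfer settings on the zone, plus an ACL on the zone object so that only a chosen group can edit records) written out with dnscmd and dsacls, as an added example and not code from the thread. The DC name TESTDC01 and the group TEST\BranchDnsAdmins are placeholders; the script assumes the child zone test.internal.com is AD-integrated in the child domain's DomainDnsZones partition (the zone DN uses CN=System,DC=test,DC=internal,DC=com instead if the zone was stored the Windows 2000 way).

```batch
@echo off
rem Added example, not from the thread. Assumes Windows Server 2003 DNS on the
rem child DC TESTDC01 (placeholder), the zone test.internal.com stored in the
rem partition DomainDnsZones.test.internal.com, and a placeholder group
rem TEST\BranchDnsAdmins that should manage only that zone.
rem Requires dnscmd.exe and dsacls.exe (Windows Support Tools).

set CHILD_DC=TESTDC01.test.internal.com
set ZONE=test.internal.com
set ZONE_DN=DC=test.internal.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=internal,DC=com
set BRANCH_GROUP=TEST\BranchDnsAdmins

echo === 1. Dynamic updates: secure only ===
rem 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
rem With 2, a client can only update records it owns (registered with its own
rem computer account), so a branch admin cannot overwrite other hosts' records.
dnscmd %CHILD_DC% /Config %ZONE% /AllowUpdate 2

echo === 2. Zone transfers: only to the servers in the zone's NS records ===
rem Alternatives: /NoXfr (no transfers at all) or /SecureList ip1 ip2 ...
dnscmd %CHILD_DC% /ZoneResetSecondaries %ZONE% /SecureNs

echo === 3. Who may edit records through the DNS console or LDAP ===
rem Grant the branch group full control (GA) on the zone object and every
rem record object beneath it (/I:T = this object and all sub-objects).
rem The same command with /D instead of /G denies; a deny ACE on the parent
rem zone's DN is how you would stop this group writing to internal.com.
dsacls "%ZONE_DN%" /I:T /G "%BRANCH_GROUP%:GA"

echo === 4. Review the result ===
dsacls "%ZONE_DN%"
dnscmd %CHILD_DC% /ZoneInfo %ZONE%
```

These ACLs govern who can create or change record objects in the directory; they do not hide anything from the DNS protocol. Anyone who can send a query to a server hosting internal.com can still read its records, which is the limit GinEric points at.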
 

Author Comment

by:agurung
ID: 17040127
Thanks Guys

The problem we are facing is that whenever we try installing a DNS server on one of the test DCs (for the subdomain) it brings up an exact copy of the DNS entries as on our main DNS server, and the local admin has all permissions at every level of DNS.

Any idea why this is happening?

Thank you
 

Author Comment

by:agurung
ID: 17040170
Hi GinEric

We are using internal DNS for our AD and we use our ISP's DNS for external names. What we have is as below

    internal.com (Main Domain)
    test.internal.com (Sub Domain)

When we did DCPROMO as a child domain of the existing domain at one of our sites, the test subdomain or zone (test.internal.com) was created automatically on our DNS server by AD (Windows 2003). As this is our branch office we do not want them to be able to change DNS records in internal.com, but they should be able to do that in test.internal.com.

Hope this is a bit clearer.

Thank you
 
LVL 19

Expert Comment

by:feptias
ID: 17040812
Hi agurung

I am getting confused by the comments in this thread because there is a lack of clarity about the differences between Windows domains, internal DNS domains and public DNS domains. If you are using DCPROMO to create a child domain in Windows then it automatically creates a 2-way trust relationship between child and parent domains. If you don't even trust the administrators in the branch office to be able to *read* the DNS records of the parent domain then I wonder if this is the right approach for you.

Are you saying that you don't want administrators in the branch to be able to make changes or additions to the DNS records in the parent zone or that you don't even want them to be able to read (have visibility of) those records?

It is common practice to select different names for internal Windows domains to those names that are used on the public Internet - e.g. mycompany.local and mycompany.com.  Perhaps if you made that separation between public and internal domain names then it would also help you to see more clearly what is the right structure for your Windows domains (without being influenced by naming conventions that you want to show to the outside world).
 
LVL 51

Accepted Solution

by:Netman66 (earned 200 total points)
ID: 17041740
The zone "internal.com" (per your example) should not propagate to the child domain DNS server. The only zones you should see are _msdcs.internal.com and test.internal.com (on the child domain DNS server).

If you look at the properties of the "internal.com" zone on the parent server you should see the replication scope is set to replicate only with all DNS servers in the domain, which means it should NOT be available on the child domain's DNS server.

The _msdcs zone will be, because it's in the application partition and replicates to all DNS servers in the forest. This zone holds the SRV records for all DCs in the forest.

I'm still wondering why you think the admins on the child domain can alter the parent domain zone.
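The procedure from Netman66's first comment (store the child zone AD-integrated with a domain-wide scope, then remove it from the parent server) together with the check in the accepted solution (which zones should appear on each server), written out with dnscmd as an added example; this is not code from the thread. The DC names PDC01 and TESTDC01, the address 10.0.1.5, and the delegation step are my additions: once the parent server no longer hosts test.internal.com, parent-domain clients need an NS delegation to reach it.

```batch
@echo off
rem Added example, not from the thread. Assumes the thread's names
rem (internal.com and test.internal.com), placeholder DCs PDC01 (parent) and
rem TESTDC01 (child, placeholder address 10.0.1.5), Windows Server 2003 DNS
rem with dnscmd.exe, and an account that is an admin in both domains.

set PARENT_DC=PDC01.internal.com
set CHILD_DC=TESTDC01.test.internal.com
set CHILD_DC_IP=10.0.1.5

echo === 1. Application partitions each server is enlisted in ===
rem Expected: both list ForestDnsZones.internal.com; the parent lists
rem DomainDnsZones.internal.com, the child DomainDnsZones.test.internal.com.
dnscmd %PARENT_DC% /EnumDirectoryPartitions
dnscmd %CHILD_DC% /EnumDirectoryPartitions

echo === 2. Where each zone is stored today (Directory Partition line) ===
dnscmd %PARENT_DC% /ZoneInfo internal.com
dnscmd %PARENT_DC% /ZoneInfo _msdcs.internal.com
dnscmd %PARENT_DC% /ZoneInfo test.internal.com

echo === 3. Keep the parent zone in the parent domain's partition ===
rem A zone in DomainDnsZones.internal.com replicates only to DNS servers that
rem are DCs of internal.com, so it can never show up on TESTDC01.
dnscmd %PARENT_DC% /ZoneChangeDirectoryPartition internal.com DomainDnsZones.internal.com

echo === 4. Move the child zone into the child domain ===
rem Remove the copy DCPROMO created on the parent (/DsDel also deletes the
rem zone object from the directory), then create the zone AD-integrated on the
rem child DC in the child's own domain partition.
dnscmd %PARENT_DC% /ZoneDelete test.internal.com /DsDel /f
dnscmd %CHILD_DC% /ZoneAdd test.internal.com /DsPrimary /dp DomainDnsZones.test.internal.com
rem Restart Netlogon on the child DC so it re-registers its DC records in the new zone.
sc \\%CHILD_DC% stop netlogon
sc \\%CHILD_DC% start netlogon

echo === 5. Delegate test.internal.com from the parent zone ===
rem NS record for the delegation plus the glue A record for the child DC.
dnscmd %PARENT_DC% /RecordAdd internal.com test NS %CHILD_DC%
dnscmd %PARENT_DC% /RecordAdd internal.com testdc01.test A %CHILD_DC_IP%

echo === 6. Verify ===
rem Parent should list internal.com and _msdcs.internal.com, no test zone.
rem Child should list only _msdcs.internal.com (forest-wide) and test.internal.com.
dnscmd %PARENT_DC% /EnumZones
dnscmd %CHILD_DC% /EnumZones
dnscmd %CHILD_DC% /ZoneInfo test.internal.com
```

Step 2 is the check the accepted solution asks for: if test.internal.com (or internal.com) reports ForestDnsZones.internal.com as its partition, that is why the zone appears on every DNS server in the forest, and step 3 or 4 is the fix.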
