Best Way to Setup DNS server for subdomain in windows 2003 AD and restrict the access to DNS Records

Hi

We are in the process of adding a sub domain to our existing domain (Windows 2003 AD). When we try adding a sub domain with DCPROMO it automatically creates the sub domain in our main DNS server, and administrators from all sites can see the whole DNS structure...

We want to have a DNS server in each site so that the administrator of each site can maintain their own records, but we do not want them to be able to do anything with the other sites' DNS records. If possible we don't want to show the administrator of one domain the records of the other domain.

We were wondering if anyone could point us in the right direction for setting up DNS servers in our environment.

Thank you
agurung Asked:
Netman66 Commented:
The zone "internal.com" (per your example) should not propagate to the child domain DNS server.  The only zones you should see are _msdcs.internal.com and test.internal.com (on the child domain DNS server).

If you look at the properties of the "internal.com" zone on the parent server you should see the replication scope is set to replicate only with all DNS servers in the domain - which means it should NOT be available on the child domain's DNS server.

The _msdcs zone will, because it's in the Application Partition and replicates to all DNS servers in the Forest.  This zone holds the SRV records for all DCs in the Forest.

I'm still wondering why you think the admins on the child domain can alter the parent domain zone.

0
 
Netman66 Commented:
The admins from the child domain cannot change anything in the other zones anyway.  They should only be able to administer their own zone.

You can make the child zone AD Integrated, then simply install DNS on the child domain and it should replicate down locally.  Then change the scope on the child domain DNS server (on that zone) so it replicates only to all DNS servers in the domain.  After this you should be able to delete the zone off the main server.  I feel there should be no reason to do that though, since the other admins should not be able to touch anything that isn't in their own domain zone.
0
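The replication-scope check and change that Netman66 describes, as an added example that is not part of this thread. It drives dnscmd.exe, the Windows Server 2003 DNS command-line tool, from PowerShell; the server name and the zone names are placeholders taken from the asker's own example, and it assumes the account running it is a DNS administrator in the child domain.

```powershell
# Added example (not from the thread). Inspects which zones a child-domain
# DNS server holds and narrows the child zone to domain-wide replication.
# Names below are assumptions based on the asker's example.

$ChildDnsServer = 'dc1.test.internal.com'   # assumed: the child-domain DC that runs DNS
$ChildZone      = 'test.internal.com'       # zone the branch admins should own
$ParentZone     = 'internal.com'            # zone that must NOT appear on the child server

function Get-ZoneInfo {
    param([string]$Server, [string]$Zone)
    # /ZoneInfo prints the zone type, whether it is AD-integrated and which
    # directory partition stores it (domain, forest or legacy).
    & dnscmd.exe $Server /ZoneInfo $Zone
}

# 1. List the zones the child server knows about. Expected: $ChildZone and
#    _msdcs.internal.com (forest-wide partition), but not $ParentZone.
& dnscmd.exe $ChildDnsServer /EnumZones

# 2. Show the storage and replication scope of the child zone.
Get-ZoneInfo -Server $ChildDnsServer -Zone $ChildZone

# 3. Confirm the parent zone is absent on the child server. If this call
#    succeeds, the parent zone has been replicated wider than intended and
#    its partition should be checked on the parent server the same way.
Get-ZoneInfo -Server $ChildDnsServer -Zone $ParentZone

# 4. If the child zone is still a file-backed primary, make it AD-integrated.
& dnscmd.exe $ChildDnsServer /ZoneResetType $ChildZone /DsPrimary

# 5. Store the child zone in the domain directory partition so it replicates
#    only to DNS servers in the child domain, not to every DNS server in the forest.
& dnscmd.exe $ChildDnsServer /ZoneChangeDirectoryPartition $ChildZone /domain

# 6. Re-check the result.
Get-ZoneInfo -Server $ChildDnsServer -Zone $ChildZone
```

The same /ZoneInfo check, run against the parent server for internal.com, is the quickest way to verify the point made above: if that zone reports the domain partition, it cannot show up on the child domain's DNS server through AD replication at all.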
GinEric Commented:
I would suggest you get the terminology right too.  There is no such thing as a subdomain; a domain, is a domain, is a domain.

You probably mean a zone.

Unless you're inside of a LAN, anyone on the Internet can see those zone records; that's how the Internet works.

You can block zone transfers, and some data, but if it's outside of your LAN everyone has to see the zone for it to work.

You also have lots of options, secure zone transfers, notifies, and other things to limit what people can do with DNS zones and records.  In the DNS Manager, under the zone you want to manage, the Properties dialogue will show most of the options for dynamic updates, security, and zone transfers.

Set them accordingly and they are configurable by IP Address, Name Servers, and/or users, specifically.

This solves this wish: "We wanted to have DNS server in each sites so that administrator on each sites can maintain the records of their own but we do not want them to be able to do anything with other site of DNS records."

As for not seeing the zones, if you mean as in their Active Directory DNS Manager, you have to ask if they should be in everyone's Active Directory across domains.  It sounds like that is what you have, based on a single name server being shared among all administrators.  Above, you can narrow down what they can change, but if they all have the same Active Directory Name Server DNS Server, you would have to specifically deny read permissions on a per user basis.  That can get very tricky.
0
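The zone-transfer and dynamic-update restrictions GinEric points to in the zone's Properties dialog, set from the command line as an added example that is not part of this thread. It uses dnscmd.exe on Windows Server 2003; the server name, zone name and the secondary's IP address are constructed placeholders.

```powershell
# Added example (not from the thread). Hardens a zone's transfer and update
# settings with dnscmd.exe. All names and addresses are constructed placeholders.

$Server        = 'dc1.internal.com'   # assumed: a DNS server authoritative for the zone
$Zone          = 'internal.com'
$TrustedSecond = '10.0.0.53'          # constructed: the only host allowed to pull the zone

function Set-ZoneHardening {
    param([string]$Server, [string]$Zone, [string]$SecondaryIP)

    # Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
    # "Secure only" requires the updating client to authenticate, so a
    # record can only be changed by the account that owns it or by admins
    # with rights on the zone object in AD.
    & dnscmd.exe $Server /Config $Zone /AllowUpdate 2

    # Zone transfers: allow AXFR/IXFR only to the listed address and send
    # NOTIFY only to it. Alternatives: /SecureNs restricts transfers to the
    # servers named in the zone's NS records; /NoXfr disables transfers
    # entirely, which is safe for AD-integrated zones because those replicate
    # through AD rather than through zone transfers.
    & dnscmd.exe $Server /ZoneResetSecondaries $Zone /SecureList $SecondaryIP /NotifyList $SecondaryIP
}

function Test-ZoneHardening {
    param([string]$Server, [string]$Zone)
    # /ZoneInfo shows the resulting "allow update" and "secure secondaries"
    # values so the change can be confirmed from any workstation with dnscmd.
    & dnscmd.exe $Server /ZoneInfo $Zone
}

Set-ZoneHardening  -Server $Server -Zone $Zone -SecondaryIP $TrustedSecond
Test-ZoneHardening -Server $Server -Zone $Zone
```

Note that these settings limit who can pull or update the zone over the DNS protocol; they do not change who can edit records through the DNS console, which is governed by the ACL on the zone object in Active Directory, as the comment above points out.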
 
agurung (Author) Commented:
Thanks Guys

The problem we are facing is that whenever we try installing a DNS server on one of the test DCs (for the sub domain) it brings up an exact copy of the DNS entries from our main DNS server, and the local admin has all permissions on every level of DNS.

Any idea why this is happening?

Thank you
0
 
agurung (Author) Commented:
Hi GinEric

We are using internal DNS for our AD and we use our ISP's DNS for external names. What we have is as below

    internal.com (Main Domain)
    test.internal.com (Sub Domain)

When we did DCPromo as a child domain of the existing domain at one of our sites, the test sub domain or zone (test.internal.com) was created automatically on our DNS server by AD (Windows 2003). As this is our branch office we do not want them to be able to change DNS records in internal.com, but they should be able to do that on test.internal.com.

Hope this is a bit clearer.

Thank you
0
 
feptias Commented:
Hi agurung

I am getting confused by the comments in this thread because there is a lack of clarity about the differences between Windows domains, internal DNS domains and public DNS domains. If you are using DCPROMO to create a child domain in Windows then it automatically creates a 2-way trust relationship between child and parent domains. If you don't even trust the administrators in the branch office to be able to *read* the DNS records of the parent domain then I wonder if this is the right approach for you.

Are you saying that you don't want administrators in the branch to be able to make changes or additions to the DNS records in the parent zone or that you don't even want them to be able to read (have visibility of) those records?

It is common practice to select different names for internal Windows domains to those names that are used on the public Internet - e.g. mycompany.local and mycompany.com.  Perhaps if you made that separation between public and internal domain names then it would also help you to see more clearly what is the right structure for your Windows domains (without being influenced by naming conventions that you want to show to the outside world).
0