Asked by mconeley (Germany):

DNS setup for child domain - delegation not working!!

I have setup a DC (DC2) in a remote site connected over a WAN.
The DC was setup as a child domain (child.bn.com) in its own subnet.
The forest contains a DC (DC1) and has fully AD integrated DNS zones.

The problem is that I think I setup the child domain DNS in the wrong order. Current situation is this:

- In the child domain on DC2, when I promoted it to domain controller, I hadn't delegated any zone on the parent domain for it at that point. Therefore the child domain now has its own AD-integrated zone (child.bn.com); this only appears on DC2.
- I then created a conditional forwarder on DC2 so lookups for bn.com get forwarded to the parent DNS server (DC1).
- In the parent domain on DC1, I have had to import the child domain (child.bn.com) as a secondary zone. This was the only way I could get lookups working from the parent domain to the child.
- Deleting this secondary zone and creating a delegation within our parent zone (bn.com) for the child zone doesn't work: it creates the zone but with no records. And this is the correct way to do it, I believe?

So now I can look up computer names from the child domain -> parent domain fine. This way it's working normally.
But from the parent domain -> child domain I have to use the FQDN when doing lookups.

This is not good in my environment, as users from both sites are sharing resources. I could cheat and create a conditional forwarder from the parent -> child, but I don't think this is a good idea.

What steps should I take to fix this? Should I completely remove the AD-integrated DNS on the child domain, remove the secondary zone from the parent, re-create a delegation for the child on the parent and then re-install DNS on the child? (I would rather not do this.)
Or is there an easier way? I.e., I can see on the child zone that it's possible to change the replication to "To all DNS servers in the AD Forest BN.com". Would this fix the problem?


Windows Networking

Last comment: 8/22/2022 (Mon)

Yep, your last point is an option; as long as there is a trust there, this should work fine. It would let DNS work the way it's supposed to.
Another option would be to add a stub zone in the parent for the child and see if that works. Basically the same principle as delegating, but it's not best practice. This is because stubs aren't transferred in zone transfers to secondaries. However, they are like delegations, but they update themselves, so in that way they are better.


The correct implementation is to configure a zone delegation on the root domain to the child domain DNS.
You don't need to create a forwarder from the parent domain to the child domain; the resolution of names from the child domain is done by following the delegation.
For machines that are members of the parent domain to resolve names in the child domain, you have to use the FQDN. An alternative to using the FQDN is to configure the DNS suffix search list on all the machines with both your domains, "parent.com" and "child.parent.com"; this makes the machines query both zones when looking for a host name.
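The following PowerShell is an added example, not code posted in this thread. It implements the options discussed in the two replies above: the zone delegation rodriguesp recommends, the forest-wide replication scope from the first reply, the stub-zone alternative, and the DNS suffix search list for single-label names. Two facts it relies on: a zone named child.bn.com held locally on DC1 (the secondary in the question) makes DC1 authoritative for that name and overrides any delegation in bn.com, so the delegation must be created only after that copy is gone; and a delegation adds just an NS record and A glue for "child" inside bn.com, it never copies the child zone's host records, so the resulting "child" node showing no records is the expected state. The server names, the addresses, the GPO name and the host used in the check are assumptions; the page only gives DC1, DC2, bn.com and child.bn.com.

```powershell
#Requires -Modules DnsServer, DnsClient
# Added example for the thread above; run from an elevated PowerShell on a DC or an RSAT host.
# Assumptions (not from the thread): DC1 = dc1.bn.com holds the AD-integrated parent zone
# bn.com; DC2 = dc2.child.bn.com at 10.0.2.10 holds the AD-integrated child zone child.bn.com.
$ErrorActionPreference = 'Stop'

$ParentDns  = 'dc1.bn.com'          # assumed FQDN of DC1
$ChildDns   = 'dc2.child.bn.com'    # assumed FQDN of DC2
$ChildDnsIP = '10.0.2.10'           # assumed address of DC2 (becomes the glue record)
$ParentZone = 'bn.com'
$ChildZone  = 'child.bn.com'

# Step 0: DC1 must stop being authoritative for child.bn.com itself. Any zone of that name
# on DC1 (the secondary from the question) takes precedence over a delegation in bn.com.
$stale = Get-DnsServerZone -ComputerName $ParentDns |
         Where-Object { $_.ZoneName -eq $ChildZone }
if ($stale) {
    Write-Host "Removing $($stale.ZoneType) zone '$ChildZone' from $ParentDns"
    Remove-DnsServerZone -Name $ChildZone -ComputerName $ParentDns -Force
}

# Option A (rodriguesp's answer): delegate child.bn.com from bn.com to DC2.
# This writes an NS record for "child" plus an A glue record into bn.com only;
# the child's host records stay on DC2, so the "child" node on DC1 shows no A records.
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName 'child' `
    -NameServer $ChildDns -IPAddress $ChildDnsIP -ComputerName $ParentDns
Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName 'child' -ComputerName $ParentDns

# Option B (first reply): widen the child zone's replication scope so the AD-integrated
# zone is stored on every DNS server in the forest, DC1 included. Run against DC2.
# Set-DnsServerPrimaryZone -Name $ChildZone -ReplicationScope Forest -ComputerName $ChildDns

# Option C (first reply): a stub zone on DC1 holding only the child's SOA/NS/glue records,
# refreshed from DC2 automatically. A zone named child.bn.com on DC1 (stub or otherwise)
# is used in preference to the delegation, so pick A or C rather than relying on both.
# Add-DnsServerStubZone -Name $ChildZone -MasterServers $ChildDnsIP `
#     -ReplicationScope Forest -ComputerName $ParentDns

# Check from the parent side: an FQDN query sent to DC1 must now be answered by following
# the delegation to DC2. Returns an object rather than printing, so it can be reused.
function Test-ChildResolution {
    param([string]$HostName = 'fileserver.child.bn.com')   # assumed host in the child domain
    try {
        $r = Resolve-DnsName -Name $HostName -Type A -Server $ParentDns -DnsOnly
        [pscustomobject]@{
            Name      = $HostName
            Resolved  = $true
            Addresses = (($r | Where-Object Type -eq 'A').IPAddress -join ',')
        }
    } catch {
        [pscustomobject]@{ Name = $HostName; Resolved = $false; Addresses = $_.Exception.Message }
    }
}
Test-ChildResolution

# Single-label names ("fileserver") from a parent-domain client still need child.bn.com
# appended, which is what the thread observes. Per machine:
#   Set-DnsClientGlobalSetting -SuffixSearchList 'bn.com','child.bn.com'
# Domain-wide, the DNS Client policy "DNS Suffix Search List" writes
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList; GPO name is assumed:
# Import-Module GroupPolicy
# New-GPO -Name 'DNS suffix search list' | New-GPLink -Target 'DC=bn,DC=com'
# Set-GPRegistryValue -Name 'DNS suffix search list' `
#     -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
#     -ValueName 'SearchList' -Type String -Value 'bn.com,child.bn.com'
```

Order matters in a live environment: removing the secondary zone before the delegation exists leaves a window where DC1 cannot answer for child.bn.com at all, so run Step 0 and Option A back to back, and keep the glue address current if DC2's address ever changes, since a stale glue record breaks resolution silently.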


Yes, I have a trust between the child and parent domains. What do you mean by "would let DNS work the way it's supposed to"? Is it normal on the child domain DNS to configure the AD zone so that it replicates to "all DNS servers in the forest" (as you are suggesting)? By default it's set to replicate only to DNS servers in the same child domain. If it's simply a case of ticking this box, and then this zone will suddenly appear on my parent domain DNS as an integrated zone, allowing me to remove the secondary zone, then it could be an option.

This is a live environment though, unfortunately, so I can't mess too much (hence all the questions).

PR: I know the correct implementation is to first create a delegation for the child domain, but unfortunately I missed this step, and now creating a delegation for the child domain DNS doesn't seem to work (because this zone is already AD-integrated on the child domain, I guess).

If the parent domain had delegation set up correctly, would it fix this problem of having to use FQDNs for child domain computers? Adding two domain search suffixes to every computer seems a little complicated, although it is possible through GPs, I guess.

Basically I need the easiest way to put this right. Some more detail would be appreciated.

Thanks so far.



What I meant by DNS working as it is supposed to is to let it replicate to the other DNS servers in the domain, allowing it to build its own structure. DNS's function is to resolve, so let it resolve. Like I said in my last post, you could use a stub zone, which will basically put the authoritative records of the child zone onto the parent zone, so when attempting resolution it will see the child zone records and resolve queries for the child zone to it. MS says delegations are best practice, but it's not written in stone; you just need the parent to know about the child. Stubs are safe and secure, and they update themselves for any child zone changes.


Thanks for the help guys.

I hope it's OK; I would have liked to split the points, but I don't think that's possible. Therefore I gave them to rodriguesp for his first answer.



PS: got the delegation working now, and you are right. Normal behaviour seems to be that the FQDN is needed from the parent -> child, but from the child -> parent we can just use NetBIOS names. I can live with this, and if not I can set the DNS suffixes on the parent domain computers.