Explanation of the structure of Parent / Child Active Directory DNS domains

Posted on 2009-02-16
Last Modified: 2012-05-06
Hello Experts!

I'm a little confused about the way in which parent / child DNS zones work in Active Directory.

I have set up a test lab to compare results alongside a functioning domain.

So my top-level AD domain is called test.lan. I have a DC called DC01 hosting the DNS and Active Directory. I've then created a subdomain called 'subdomain.test.lan' with one DC called DC02.

If I then look in the DNS snap-in for the domain test.lan I see the normal things like A records etc. and then see a folder called subdomain. I assume this is where I would find info relating to the subdomain. This folder only contains minimal information, nothing about the DCs for the subdomain or anything. On our live domain our subdomain folder does contain information for the subdomain DCs.

The reason I'm confused is that I can't browse or nslookup to anything in the other subdomain.

Can anyone tell me about the subdomain folder in the DNS root and why I can't perform lookups to clients in the subdomain from the root domain?
Question by:Aeropars

12 Comments
LVL 5

Expert Comment

by:balmasri
ID: 23648988
Try to write the FQDN
OR
in nslookup: set server <ip address of the DNS in the child domain>
OR
Add the DNS suffix of the subdomain to the DNS client settings of your computer in the forest domain
0
 

Author Comment

by:Aeropars
ID: 23649054
Hello,

I'm after more of an explanation as to why this is occurring. I'm looking at it from a client perspective, so for example a Joe Bloggs user could come along and be logged into the top-level domain and want to locate a share on a computer in the subdomain. At the moment I cannot see the computer, and client computers will have the DNS servers of the root domain.

So the questions I would like answered specifically are:

What information should I see in the 'subdomain' folder in the top-level DNS zone (test.lan)?
Should I be able to look up clients from the subdomain by simply using the FQDN?
If not, what configuration should be done to ensure lookups from parent domain to child domain can occur?
0
 

Author Comment

by:Aeropars
ID: 23649134
Just to add to my above post. When I nslookup a client computer in the subdomain from the top-level domain I get the message "dc01.test.lan can't find dc02.subdomain.test.lan: Non-existent domain"
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23650095
Add a conditional forwarder on dc01 for subdomain.test.lan, point the forwarder to the DNS server in the subdomain and try the nslookup test again.
0
 

Author Comment

by:Aeropars
ID: 23650646
That would work for 2003 upwards but not for Windows 2000.

I'm not describing a problem as such but am trying to learn why this happens. It's obviously by design so I am trying to find out why it happens this way.
0
 

Author Comment

by:Aeropars
ID: 23650959
Let me explain a little more about what I'm trying to understand.

When the first DC is promoted in a new forest it will become a DNS server automatically. If I then want an AD subdomain I promote another server to be the DC for this subdomain. When this is installed as a subdomain the process should add a delegation from the root domain to the subdomain. This should then automatically allow recursive queries to be performed between both servers.

For example, a client joined to the subdomain should be able to have their DNS set to only the domain controllers for the subdomain, yet the server should know about the server above it in the hierarchy and perform a recursive query to find a client in the root domain.

This is what I'm confused about, as all the MCSE books say this is how it works, but then I've done this in a test lab and I can't find clients in the subdomain using an FQDN and vice versa. This is identical in our live environment as well.

Can anyone explain this?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23652260
Where are you seeing that it should add a delegation for the root domain?
We did the conditional forwarding to our parent like I described.  (not available in 2000 but we are at 2003)
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 23653915
Make sure that you have enabled dynamic registration in the DNS zone properties.
Has the subdomain been created as a subdomain or as a delegation? Post a screenshot of the DNS MMC expanded with the sub-domain selected.
What are the DNS server settings on the DCs?
During promotion of the DC for the child domain, only use the parent server as DNS server for the child to make sure it registers correctly in the DNS zone on the parent server.
0
 
LVL 5

Expert Comment

by:balmasri
ID: 23657382
According to the message:
"dc01.test.lan can't find dc02.subdomain.test.lan: Non-existent domain"
add PTR records for the DCs in the reverse lookup zone.
0
 

Author Comment

by:Aeropars
ID: 23657684
mkline71: By creating an AD child domain a DNS subdomain (including delegation) should also be created. This is how the dcpromo wizard works.

balmasri: It's performing a forward lookup query so won't be using PTR records. PTR records are optional and are not needed for a domain to function, only to get a name from an IP address.

henjoh09: I'm just rebuilding my VMware lab environment so I'll post back with the screenshots. Like I say, this is also in a live environment (in a domain with 5000+ users) and the same thing happens.

Attached is the DNS console from the live environment. You can see the folder 'CEM' which is the name of the child domain. Inside this you can see there are hardly any A records. I can only query the names that are listed here, yet if I want to query a server in the cem child domain that doesn't have an A record here it fails, which suggests the delegation is not correct as it should recursively query the cem child domain's servers for the information. If I look at a DNS console in the child domain I have all the records I would expect, such as dynamically registered A records from client machines. We only use DNS for Active Directory in this domain.
Attachment: dns.JPG
0
 

Accepted Solution

by:
Aeropars earned 0 total points
ID: 23658321
Ok, so I've rebuilt my test lab and have also found the following MS article on how to configure child domains:

http://support.microsoft.com/kb/255248

So as the process states, I installed the root domain (test.lan) and checked DNS and all was as you would expect. I then installed the child domain (child.test.lan) and checked the root domain's DNS. After 15 minutes this populated the child domain's folder. So now I have a folder called 'child' as you would expect and this contains an A record pointing to the domain controller of the new DC for the child domain. This is the automatically generated delegation for that child domain.

Next I installed DNS on the child domain DC and configured a new zone for child.test.lan. I enabled forwarding for all other domains to the parent DNS server. From DC02 I could then query DNS for computers in the top-level domain.

What I could not then do is query records in the child domain from the parent domain. When I do I get the error "dc01.test.lan can't find dc02.child.test.lan: Non-existent domain"

Even though there's a delegation it still fails. Why is this and what is the best-practice way of getting round it?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 23662142
The screenshot from the live environment is from having the child as a subdomain in the parent zone. I was interested in a screenshot from the lab environment with the problem.
If using delegation and creating a separate zone for the child, the "subfolder" in the parent DNS zone will only contain an NS record pointing out where the zone is hosted.
The problem is that you've created a new zone on the child DC without creating a delegation on the parent DC to let it know where child.test.lan is hosted.

To keep it simple, create the child as "New Domain" in the parent DNS zone instead of a delegation and also skip the (unnecessary) extra DNS zone. The subdomain "folder" is created automatically in the parent zone when dynamic registration is allowed. Configure the zone to be stored in AD to have it replicated between all DCs.
0
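The two layouts discussed in the accepted solution and the reply above (a separate child zone that needs an NS delegation in the parent, versus the child as a "New Domain" node inside the parent zone) can be modelled in a few lines. The following is an added illustration, not code from the thread or from Windows DNS; it is a toy resolver, with no caching or real protocol, and every name and address in it (test.lan, child.test.lan, dc01 at 10.0.0.1, dc02 at 10.0.0.2, pc1 at 10.0.0.50) is a constructed lab value. It reproduces the "Non-existent domain" answer the parent gives when a child zone exists but the parent holds no delegation, and shows why the parent answers once the NS record plus glue are at the cut, or once the records live in the parent zone itself.

```python
"""Toy model of how an AD parent DNS zone hands queries to a child zone.

Added illustration, not code from the thread. Zone names, host names and
addresses (test.lan, child.test.lan, dc01/10.0.0.1, dc02/10.0.0.2,
pc1/10.0.0.50) are constructed lab values.
"""

NXDOMAIN = "Non-existent domain"   # the status nslookup reports in the thread


class Zone:
    """One authoritative zone hosted on one DNS server (no caching in this model)."""

    def __init__(self, origin, server_ip, forwarder=None):
        self.origin = origin          # e.g. "test.lan"
        self.server_ip = server_ip    # address of the server hosting this zone
        self.forwarder = forwarder    # server asked for names outside this zone
        self.records = {}             # fqdn -> {rrtype: [rdata, ...]}

    def add(self, fqdn, rrtype, rdata):
        self.records.setdefault(fqdn, {}).setdefault(rrtype, []).append(rdata)

    def delegate(self, label, ns_fqdn, ns_ip):
        """Create the child 'folder': an NS record at the cut plus a glue A record."""
        self.add(f"{label}.{self.origin}", "NS", ns_fqdn)
        self.add(ns_fqdn, "A", ns_ip)

    def covers(self, fqdn):
        return fqdn == self.origin or fqdn.endswith("." + self.origin)

    def delegation_for(self, fqdn):
        """Return the closest enclosing delegated node below the origin, if any."""
        labels = fqdn.split(".")
        depth = len(labels) - len(self.origin.split("."))
        for i in range(depth):
            node = ".".join(labels[i:])
            if "NS" in self.records.get(node, {}):
                return node
        return None


def lookup(servers, server_ip, fqdn, rrtype="A", hops=0):
    """Ask the server at server_ip for fqdn; servers maps IP -> the Zone it hosts."""
    if hops > 8:                      # guard against a forwarder/delegation loop
        return ("SERVFAIL", "referral loop")
    zone = servers[server_ip]
    if zone.covers(fqdn):
        cut = zone.delegation_for(fqdn)
        if cut is not None:
            # The parent is not authoritative below the cut: follow NS + glue.
            ns_fqdn = zone.records[cut]["NS"][0]
            ns_ip = zone.records[ns_fqdn]["A"][0]
            return lookup(servers, ns_ip, fqdn, rrtype, hops + 1)
        rdata = zone.records.get(fqdn, {}).get(rrtype)
        return ("OK", rdata) if rdata else ("NXDOMAIN", NXDOMAIN)
    if zone.forwarder:                # name is outside the zone: forward it
        return lookup(servers, zone.forwarder, fqdn, rrtype, hops + 1)
    return ("NXDOMAIN", NXDOMAIN)


def build_lab(with_delegation):
    """Separate zones on each DC, the layout of the accepted solution."""
    parent = Zone("test.lan", "10.0.0.1")
    parent.add("dc01.test.lan", "A", "10.0.0.1")
    child = Zone("child.test.lan", "10.0.0.2", forwarder="10.0.0.1")
    child.add("dc02.child.test.lan", "A", "10.0.0.2")
    child.add("pc1.child.test.lan", "A", "10.0.0.50")   # dynamically registered client
    if with_delegation:
        parent.delegate("child", "dc02.child.test.lan", "10.0.0.2")
    return {"10.0.0.1": parent, "10.0.0.2": child}


def build_single_zone_lab():
    """Henrik's alternative: child is a 'New Domain' node inside the parent zone."""
    parent = Zone("test.lan", "10.0.0.1")
    parent.add("dc01.test.lan", "A", "10.0.0.1")
    parent.add("dc02.child.test.lan", "A", "10.0.0.2")
    parent.add("pc1.child.test.lan", "A", "10.0.0.50")
    return {"10.0.0.1": parent, "10.0.0.2": parent}   # AD-integrated: both DCs host it


if __name__ == "__main__":
    lab = build_lab(with_delegation=False)
    print("no delegation :", lookup(lab, "10.0.0.1", "dc02.child.test.lan"))
    lab = build_lab(with_delegation=True)
    print("delegation    :", lookup(lab, "10.0.0.1", "pc1.child.test.lan"))
    print("child->parent :", lookup(lab, "10.0.0.2", "dc01.test.lan"))
    print("single zone   :", lookup(build_single_zone_lab(), "10.0.0.1", "pc1.child.test.lan"))
```

The first call is the lab as the accepted solution left it: the parent zone covers child.test.lan, finds neither an NS record at the cut nor the host record, and answers NXDOMAIN. Adding the NS record and glue turns the same query into a referral that the child server answers, while the child's forwarder covers the other direction. The single-zone variant needs no referral at all because the records are registered straight into the parent zone, which is the simplification the last reply recommends.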
