Explanation of the structure of Parent / Child Active Directory DNS domains

Aeropars asked
Medium Priority
Last Modified: 2012-05-06
Hello Experts!

I'm a little confused about the way in which parent / child DNS zones work in Active Directory.

I have set up a test lab to compare results alongside a functioning domain.

So my top level AD domain is called test.lan. I have a DC called DC01 hosting the DNS and Active Directory. I've then created a subdomain called 'subdomain.test.lan' with one DC called DC02.

If I then look in the DNS snap-in for the domain test.lan I see the normal things like A records etc. and then see a folder called subdomain. I assume this is where I would find info relating to the subdomain. This folder only contains minimal information, nothing about the DCs for the subdomain or anything. On our live domain our subdomain folder does contain information for the subdomain DCs.

The reason I'm confused is that I can't browse or nslookup to anything in the other subdomain.

Can anyone tell me about the subdomains folder in the DNS root and why I can't perform lookups to clients in the subdomain from the root domain?
Bassam AlmasriIT Infrastructure Specialist

Try to write the FQDN.
In nslookup: set server <ip address of the DNS in the child domain>
Add the DNS suffix of the subdomain to the DNS client settings of your computer in the forest domain.



I'm after more of an explanation as to why this is occurring. I'm looking at it from a client perspective, so for example a Joe Bloggs user could come along and be logged into the top level domain and want to locate a share on a computer in the subdomain. At the moment I cannot see the computer, and client computers will have the DNS servers of the root domain.

So the questions I would like answered specifically are:

What information should I see in the 'subdomain' folder in the top level DNS zone (test.lan)?
Should I be able to look up clients from the subdomain by simply using the FQDN?
If not, what configuration should be done to ensure lookups from parent domain to child domain can occur?


Just to add to my above post. When I nslookup a client computer in the subdomain from the top level domain I get the message "dc01.test.lan can't find dc02.subdomain.test.lan: Non-existent domain"
Top Expert 2013

Add a conditional forwarder on dc01 for subdomain.test.lan and point the forwarder to the DNS server in the subdomain and try the nslookup test again.


That would work for 2003 upwards but not for Windows 2000.

I'm not describing a problem as such but am trying to learn why this happens. It's obviously by design so I am trying to find out why it happens this way.


Let me explain a little more about what I'm trying to understand.

When the first DC is promoted in a new forest it will become a DNS server automatically. If I then want an AD subdomain I promote another server to be the DC for this subdomain. When this is installed as a subdomain the process should add a delegation from the root domain to the subdomain. This should then automatically allow recursive queries to be performed between both servers.

For example, a client joined to the subdomain should be able to have their DNS set to only the domain controllers for the subdomain, yet the server should know about the server above it in the hierarchy and perform a recursive query to find a client in the root domain.

This is what I'm confused about, as all the MCSE books say this is how it works, but then I've done this in a test lab and I can't find clients in the subdomain using an FQDN and vice versa. This is identical in our live environment as well.

Can anyone explain this?
Top Expert 2013

Where are you seeing that it should add a delegation for the root domain?
We did the conditional forwarding to our parent like I described. (Not available in 2000 but we are at 2003.)
Henrik JohanssonSystems engineer
Top Expert 2008

Make sure that you have enabled dynamic registration on the DNS zone properties.
Has the subdomain been created as subdomain or delegation? Post a screenshot of the DNS-MMC expanded and sub-domain selected.
What's the DNS server settings on the DCs?
During promotion of the DC for the child domain, only use the parent server as DNS server for the child to make sure it registers correctly in the DNS zone on the parent server.
Bassam AlmasriIT Infrastructure Specialist

According to the message:
"dc01.test.lan can't find dc02.subdomain.test.lan: Non-existent domain"
add PTR records of the DCs in the reverse lookup zone.


mkline71: By creating an AD child domain a DNS subdomain (including delegation) should also be created. This is how the dcpromo wizard works.

balmasri: It's performing a forward lookup query so won't be using PTR records. PTR records are optional and are not needed for a domain to function, only to get a name from an IP address.

henjoh09: I'm just rebuilding my VMware lab environment so I'll post back with the screenshots. Like I say, this is also in a live environment (in a domain with 5000+ users) and the same thing happens.

Attached is the DNS console from the live environment. You can see the folder 'CEM' which is the name of the child domain. Inside this you can see there are hardly any A records. I can only query the names that are listed here, yet if I want to query a server in the CEM child domain that doesn't have an A record here it fails, which suggests the delegation is not correct as it should recursively query the CEM child domain's servers for the information. If I look at a DNS console in the child domain I have all the records I would expect, such as dynamically registered A records from client machines. We only use DNS for Active Directory in this domain.
OK, so I've rebuilt my test lab and have also found the following MS article on how to configure child domains:


So as the process states, I installed the root domain (test.lan) and checked DNS and all was as you would expect. I then installed the child domain (child.test.lan) and checked the root domain's DNS. After 15 minutes this populated the child domain's folder. So now I have a folder called 'child' as you would expect and this contains an A record pointing to the domain controller of the new DC for the child domain. This is the automatically generated delegation for that child domain.

Next I installed DNS on the child domain DC and configured a new zone for child.test.lan. I enabled forwarding for all other domains to the parent DNS server. From DC02 I could then query DNS for computers in the top level domain.

What I could not then do is query records in the child domain from the parent domain. When I do I get the error "dc01.test.lan can't find dc02.child.test.lan: Non-existent domain"

Even though there's a delegation it still fails. Why is this and what is the best practice way of getting round it?

Henrik JohanssonSystems engineer
Top Expert 2008

The screenshot from the live environment is from having the child as a subdomain in the parent zone. I was interested in a screenshot from the lab environment with the problem.
If using delegation and creating a separate zone for the child, the "subfolder" in the parent DNS zone will only contain an NS record pointing out where the zone is hosted.
The problem is that you've created a new zone on the child DC without creating a delegation on the parent DC to let it know where child.test.lan is hosted.

To keep it simple, create the child as "New Domain" in the parent DNS zone instead of a delegation and also skip the (unnecessary) extra DNS zone. The subdomain "folder" will be created automatically in the parent zone when dynamic registration is allowed. Configure the zone to be stored in AD to have it replicated between all DCs.
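To make the behaviour described in this thread concrete, here is a small model of how a parent DNS server answers for names under a child domain in the three layouts discussed (separate child zone with no delegation, child zone with an NS delegation in the parent, and child kept as a "New Domain" folder inside the parent zone). This is an added example, not code from the thread or from any Microsoft tool; the server names, zone names and IP addresses are constructed, and real DNS details such as glue records, caching and recursion flags are deliberately omitted.

```python
# Toy model of parent/child AD DNS resolution; names and IPs are constructed.
NXDOMAIN = "Non-existent domain"

class DnsServer:
    """zones: {zone: {owner_name: [(rtype, value)]}}; an NS value is the DnsServer
    hosting the delegated zone.  forwarders: {domain: DnsServer}, '.' = catch-all."""
    def __init__(self, name, zones, forwarders=None):
        self.name, self.zones, self.forwarders = name, zones, forwarders or {}

    def closest_zone(self, qname):
        # Longest zone this server is authoritative for that encloses qname.
        hits = [z for z in self.zones if qname == z or qname.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def resolve(self, qname, qtype="A"):
        zone = self.closest_zone(qname)
        if zone is None:  # not authoritative: conditional forwarder, else catch-all
            for domain, srv in self.forwarders.items():
                if domain != "." and (qname == domain or qname.endswith("." + domain)):
                    return srv.resolve(qname, qtype)
            fwd = self.forwarders.get(".")
            return fwd.resolve(qname, qtype) if fwd else NXDOMAIN
        records, labels = self.zones[zone], qname.split(".")
        for i in range(len(labels)):  # walk from qname up toward the zone apex
            name = ".".join(labels[i:])
            if name == zone:
                break
            for rtype, value in records.get(name, []):
                if rtype == "NS":  # delegation: refer the query to the child's server
                    return value.resolve(qname, qtype)
        # Authoritative and no delegation: answer from the zone or say NXDOMAIN.
        return next((v for t, v in records.get(qname, []) if t == qtype), NXDOMAIN)

def build_lab(mode):
    """mode: 'none' (separate child zone, no delegation in parent), 'delegation',
    or 'subdomain' (child kept as a 'New Domain' folder inside the parent zone)."""
    parent = {"dc01.test.lan": [("A", "10.0.0.1")]}
    dc02 = DnsServer("dc02", {})
    if mode == "subdomain":
        parent["dc02.child.test.lan"] = [("A", "10.0.1.2")]
    else:
        dc02.zones["child.test.lan"] = {"dc02.child.test.lan": [("A", "10.0.1.2")]}
    if mode == "delegation":
        parent["child.test.lan"] = [("NS", dc02)]
    dc01 = DnsServer("dc01", {"test.lan": parent})
    dc02.forwarders["."] = dc01  # child forwards everything else to the parent
    return dc01, dc02
```

With mode 'none' the parent is authoritative for test.lan, finds no NS record at child.test.lan and answers "Non-existent domain" exactly as in the nslookup output above, while the child still resolves parent names through its forwarder; with a delegation or a subdomain folder the same query succeeds.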