Solved

DNS Zones

Posted on 2009-02-23
Last Modified: 2012-05-06
1. Can someone give me an example where zone delegation is used? I don't know when it should be used.
2. When you install DNS through the DCPromo wizard, in the DNS console you will see _msdcs.domainname.com; it shows just above the forward lookup zone. What is this for?

Thanks
Question by:jskfan

8 Comments
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 23719596

1.

Delegation is used throughout the internet when responsibility for a namespace is placed somewhere other than the current server.

For instance, in DNS we have a structure something like this:

                         Root Servers (.)                        Root DNS servers - A to M.root-servers.net
                         /          |            \
                      .com    .net        .org                    Top Level Domain (TLD) servers - e.g. A to M.gtld-servers.net (for .com)
                       /            |               \
 somewhere.com   domain.net   charity.org      Individual servers - e.g. ns1.somewhere.com (for somewhere.com)

At each stage (from root to TLD, and so on) we have Delegations from one server to the other. In each case this is because we're giving someone else responsibility for the zone.

Without Delegation the Root Servers would have to answer every request for every domain rather than just providing directions (as in: "I don't know, but you can ask...").

In AD terms we might use Delegation in two scenarios:

a. Delegating responsibility for a child domain (from a root domain) to the Domain Controllers in the Child Domain
b. Where a sub-domain in a zone needs to be more highly available than the parent zone (as is often the case with the _msdcs sub-domain). That is, where it needs to replicate to more Domain Controllers.

For Child domain delegation I mean a structure like this:

                         Forest AD Domain                    Forest Root DNS servers
                             domain.net
                          /                      \
       child1.domain.net      child2.domain.net    Delegation to DNS servers (DCs) within each child domain

The structure doesn't need to extend as far as the public structure above, but the principle is identical.

2.

This is configured in such a way that you can change the replication scope of _msdcs (as a sub-domain) without having to change the scope for all of domain.net.

If the AD Forest were almost empty I would remove the Delegation that makes _msdcs into a separate folder and simply change the scope of domain.net to "All DNS Servers in the Forest".

Chris
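The two scenarios Chris describes (delegating a child domain's zone to the child's DCs, and the replication scope that makes _msdcs a separate zone) map onto a few DnsServer cmdlets. The following is an added example, not code from the thread; it assumes a Windows DNS server with the DnsServer PowerShell module, an AD-integrated parent zone company.com, and two child DCs whose names and addresses are placeholders.

```powershell
# Added example, not from the original thread. Assumes a Windows DNS server
# with the DnsServer module, an AD-integrated parent zone company.com, and
# two DCs in the child domain at the placeholder addresses below.

$Parent  = 'company.com'
$Child   = 'sub'                          # delegated label, i.e. sub.company.com
$ChildNs = @{                             # placeholder child DCs and addresses
    'dc1.sub.company.com' = '10.20.0.10'
    'dc2.sub.company.com' = '10.20.0.11'
}

# Create the delegation in the parent zone: NS records for sub.company.com
# (plus glue A records) are written into company.com. The parent keeps no
# other data about the child; it only hands out the referral.
foreach ($ns in $ChildNs.GetEnumerator()) {
    Add-DnsServerZoneDelegation -Name $Parent -ChildZoneName $Child `
        -NameServer $ns.Key -IPAddress $ns.Value
}

# Everything the parent knows about the child is in this one object.
Get-DnsServerZoneDelegation -Name $Parent -ChildZoneName $Child |
    Select-Object ChildZoneName, NameServer, IPAddress

# Replication scope of AD-integrated zones. _msdcs.company.com is kept as a
# separate zone so it can use the Forest scope while company.com stays in
# the Domain scope.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone } |
    Format-Table ZoneName, ReplicationScope -AutoSize

# For a small forest the thread suggests widening the domain zone's scope to
# the whole forest instead. This only changes the scope; removing the separate
# _msdcs zone and its delegation is a separate step, not shown here.
Set-DnsServerPrimaryZone -Name $Parent -ReplicationScope Forest
```

The forward lookup zone for sub.company.com itself still has to be created on the child DCs; the parent only ever holds the NS and glue records that the first two cmdlets write and read back.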
Author Comment

by:jskfan
ID: 23724778
If I create a child domain and then go and delegate the zone, this way requests for the child domain will be answered by the delegated zone?
What would this help with?
LVL 71

Expert Comment

by:Chris Dent
ID: 23731571

You have to give it context, because it's a tool that can be used; unless it has context it is impossible to say what it would help with.

Why did you create the child domain in the first place?

Chris

Author Comment

by:jskfan
ID: 23732623
Our company in Memphis acquired another company in Phoenix, so they used Phoenix as a child domain.
Company.com
sub.company.com

They have admins in both Memphis and Phoenix.
LVL 71

Expert Comment

by:Chris Dent
ID: 23732653

Okay, so do you want to manage their DNS for them on your servers at company.com? Or would you rather they look after it themselves at sub.company.com?

If you want them to look after it, use Delegation for that sub-domain.

Chris

Author Comment

by:jskfan
ID: 23732785
<<<If you want them to look after it, use Delegation for that sub-domain.>>>

- In this case, when they join a computer to a domain it will show in the zone sub.company.com. Correct?
- Will sub.company.com still show in our DNS console under Forward Lookup Zones as a folder icon, or would it show as a separate forward lookup zone with the name sub.company.com?
- Delegation means we can't manage their zone from the parent zone? If we want to join a computer and make it show up in their zone (sub-zone), will we still be able to?

Author Comment

by:jskfan
ID: 23732798
I meant, when a zone is delegated, what can the admin from the parent zone do and not do,
and what can the admin from the sub-zone do and not do?
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 23732911

> in this case when the join a computer to a domain it will show in the zone sub.company.com

Yes, but that doesn't impact whether we delegate or not. Despite AD's reliance on DNS, DNS and AD are two entirely separate components; there's no point in trying to mix them up like this.

> -sub.company.com will still show in our DNS console under forward look up zone as a folder icon
> OR would it show as a separate forward lookup zone with the name of sub.company.com?

It would show as a greyed out folder under company.com. The Forward Lookup Zone itself would be added (manually) to the servers you delegate it to.

The greyed out folder would only contain the Name Server records for the DNS servers you delegated it to (the DCs in the child domain).

This goes back to the true structure diagram in my first post: your server knows the way to the child domain, but doesn't actually know any more about it than that.

> -Delegation means we can't manage their zone for the parent zone?
> if we want to join a computer and make it show up in their zone (sub zone) we still be able?

You have the potential to belong to Enterprise Admins. You can do what you please. However, typically domain join operations will be performed by admins within that child domain.

> I meant when a zone is delegated what can do and what can't do the admin from the parent zone

Enterprise Admin, you can do anything you like to the (child) domain because you will still be able to access it in DNS on the DCs in the Child Domain. You just won't see it on the DCs for company.com.

But that's the point of delegation, you're passing off responsibility for it to someone else. Issues with it are their problem, they are responsible for maintaining the zone (keeping it neat and tidy, keeping it functional, etc). Delegation like this is pretty typical of forest deployments unless the organisation has made a decision to centralise DNS administration (which I would say is rare).

Chris
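Chris's description of what the parent holds (a greyed out folder containing only NS records pointing at the child's DCs) can be turned into a check run from the parent side. The following is an added example, not code from the thread; it assumes the DnsServer module is available, that the parent zone is company.com with the delegation at sub, and that dc1.company.com is a placeholder for a DC hosting the parent zone.

```powershell
# Added example, not part of the original thread. Checks a delegation from the
# parent side. Zone names, server names and addresses below are placeholders.
# Requires the DnsServer module (RSAT) and rights to read the parent zone.

function Test-ChildDelegation {
    param(
        [string]$ParentZone = 'company.com',
        [string]$ChildLabel = 'sub',
        [string]$ParentDns  = 'dc1.company.com'   # a DC hosting company.com
    )
    $childZone = "$ChildLabel.$ParentZone"

    # The greyed-out folder in the parent should contain only NS records.
    $parentRecords = Get-DnsServerResourceRecord -ComputerName $ParentDns `
        -ZoneName $ParentZone -Name $ChildLabel -ErrorAction SilentlyContinue
    if (-not $parentRecords) {
        Write-Warning "No records for $childZone in $ParentZone on $ParentDns - no delegation exists"
        return
    }
    $nonNs = $parentRecords | Where-Object RecordType -ne 'NS'
    if ($nonNs) {
        # Other records at the delegation point are answered by the parent and
        # hide the child's data for those names.
        Write-Warning ("Parent holds non-NS records at {0}: {1}" -f $childZone, ($nonNs.RecordType -join ','))
    }

    foreach ($ns in ($parentRecords | Where-Object RecordType -eq 'NS')) {
        $server = $ns.RecordData.NameServer.TrimEnd('.')
        # Ask each delegated server directly for the child's SOA. Resolve-DnsName
        # does not expose the AA flag, so this catches unreachable servers and
        # servers that do not know the zone, not a server that merely recurses.
        try {
            $answer = Resolve-DnsName -Name $childZone -Type SOA -Server $server -DnsOnly -ErrorAction Stop
            $ok = [bool]($answer | Where-Object Type -eq 'SOA')
        } catch {
            $ok = $false
        }
        [pscustomobject]@{ ChildZone = $childZone; NameServer = $server; AnswersSoa = $ok }
    }
}

Test-ChildDelegation | Format-Table -AutoSize
```

A name server listed in the parent's delegation that does not answer for the child zone is exactly the "their problem" case Chris refers to: the parent still hands out the referral, and clients following it get no answer, so this is worth running after the child admins rebuild or rename a DC.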