Grey delegation in dns

Hi experts,

I just added a new child domain to my parent domain.

But I have some DNS issues.

In the parent domain my child domain delegation appears grey in the DNS zone. (see greydns.jpg)

If I delete the child domain delegation and delegate again, I get these errors (see name-server-record01 and name-server-record02)

The parent domain and child domain are connected through a VPN.

I use Windows Server 2008 R2 on both servers

Best regards

greydns.jpg
name-server-record01.jpg
name-server-record02.jpg
abolinhas Asked:

Bruno PACI, IT Consultant, Commented:
Hi,

Well... If the DNS delegation appears grayed it's just because IT IS A DELEGATION! Delegated DNS sub zones always appear grayed to distinguish them from non-delegated sub zones...
As an example, in your configuration "DomainDNSZones" is a non-delegated sub zone of your "florasul.lan" DNS zone, and "evora01" is a delegated DNS sub zone.
This IS NOT an issue!

About the fact that you cannot recreate the delegated DNS zone after you deleted it: it is probably because you entered a short name where you are asked to enter the FQDN of the DNS server that is authoritative for the delegated zone....

See your second screen snapshot: you entered the IP addresses of the DNS server that hosts the delegated zone, but you entered the name "chld01" instead of "chld01.evora01.florasul.lan"...

In your third snapshot you entered the right name, but you tried to use the Resolve button to have the IP addresses filled in automatically; at this time you cannot use this button because there is not yet DNS resolution for this subdomain... So, give the FQDN of the delegated DNS server like you did in the third screen and click on "<click here to add an IP address>" to enter the matching IP address of the delegated DNS server instead of using the "Resolve" button...



Have a good day...

0
Mike Thomas, Consultant, Commented:
It is supposed to be grey; as above, just add the known IPs for the servers.

You can otherwise manage settings for the delegated zone from the child domain's DNS servers.
0
abolinhas, Author, Commented:
So it's all okay with DNS, right?

Is there any command to test DNS communications between parent and child?
0

Bruno PACI, IT Consultant, Commented:
Hi,

Yes of course...

Just configure a computer to interrogate ONLY the parent DNS and PING a child DNS name (before that, empty the DNS cache on the computer with the command IPCONFIG /FLUSHDNS)... If you have an IP returned (I mean if the name resolves to an IP address, even if you have no response to the PING) then that means that the DNS request is transmitted by the parent to the child DNS servers.

You can do the reverse test by configuring your computer to interrogate only the child DNS and pinging a parent DNS name to test the DNS forwarders' behavior.

Have a nice day.
0
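The test above, done with explicit DNS queries instead of PING, as an added example that is not part of the original thread. It asks each server directly, by FQDN only, so the answer can only have come from DNS (no hosts file, no LLMNR/NetBIOS fallback), and it checks both directions: the delegation and glue on the parent, and the forwarders on the child. The zone names and the two server addresses (192.168.1.101 for dc01, 192.168.2.101 for chld01) are the ones quoted in the thread; the `Resolve-DnsName` cmdlet is assumed to be available (DnsClient module, Windows 8 / Server 2012 or later). On the 2008 R2 servers in the thread, `nslookup -type=NS evora01.florasul.lan 192.168.1.101` gives the same information for the first check.

```powershell
# Added example (not from the original thread): validate a parent<->child DNS
# delegation with explicit, FQDN-only queries against each DNS server.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later).
# Names and addresses are the ones quoted in the thread; adjust for your environment.
$ParentZone = 'florasul.lan'
$ChildZone  = 'evora01.florasul.lan'
$ParentDns  = '192.168.1.101'   # dc01.florasul.lan
$ChildDns   = '192.168.2.101'   # chld01.evora01.florasul.lan

function Invoke-DnsCheck {
    param(
        [string]$Description,
        [string]$Name,
        [string]$Type,
        [string]$Server,
        [bool]$ExpectAnswer = $true
    )
    $query = "$Type $Name @ $Server"
    try {
        # -DnsOnly and -NoHostsFile: no LLMNR/NetBIOS fallback and no hosts file,
        # so any result must have come from the DNS server we asked.
        $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server `
                    -DnsOnly -NoHostsFile -ErrorAction Stop
        $data = switch ($Type) {
            'NS' { ($answer | Where-Object Type -eq 'NS').NameHost -join ', ' }
            'A'  { ($answer | Where-Object Type -eq 'A').IPAddress -join ', ' }
        }
        $pass = $ExpectAnswer
    } catch {
        # NXDOMAIN or a timeout ends up here; for the "bogus name" check this is the
        # expected (authoritative negative) outcome.
        $data = $_.Exception.Message
        $pass = -not $ExpectAnswer
    }
    [pscustomobject]@{ Check = $Description; Query = $query; Pass = $pass; Data = $data }
}

function Test-DnsDelegation {
    # 1. The parent zone must hold NS records delegating the child zone.
    Invoke-DnsCheck 'Delegation NS on parent' $ChildZone 'NS' $ParentDns
    # 2. Glue: the child's name server must resolve by FQDN when asking the parent.
    Invoke-DnsCheck 'Child NS glue via parent' "chld01.$ChildZone" 'A' $ParentDns
    # 3. Reverse direction: the child DNS must reach parent names via its forwarders.
    Invoke-DnsCheck 'Parent host via child forwarders' "dc01.$ParentZone" 'A' $ChildDns
    # 4. A name that must not exist has to fail cleanly rather than "resolve" by
    #    some other path (compare the 169.254.x.x answer for chld01 in the thread).
    Invoke-DnsCheck 'Bogus name must fail' "does-not-exist.$ChildZone" 'A' $ParentDns $false
}

Test-DnsDelegation | Format-Table -AutoSize
```

Run it from any domain member that can reach both servers; a `Pass` of `False` on check 1 or 2 points at the delegation/glue records on the parent, and on check 3 at the forwarders or conditional forwarders on the child DNS server.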
abolinhas, Author, Commented:
From parent to child
C:\Users\Administrator>IPCONFIG /FLUSHDNS

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Administrator>ping chld01

Pinging chld01 [169.254.66.135] with 32 bytes of data:
Reply from 169.254.169.148: Destination host unreachable.

Ping statistics for 169.254.66.135:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Control-C
^C
C:\Users\Administrator>ping CHLD01

Pinging CHLD01 [192.168.2.101] with 32 bytes of data:
Reply from 192.168.2.101: bytes=32 time=24ms TTL=126
Reply from 192.168.2.101: bytes=32 time=24ms TTL=126
Reply from 192.168.2.101: bytes=32 time=24ms TTL=126
Reply from 192.168.2.101: bytes=32 time=23ms TTL=126

Ping statistics for 192.168.2.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 24ms, Average = 23ms
C:\Users\Administrator>ping chld01.evora01.florasul.lan

Pinging chld01.evora01.florasul.lan [192.168.2.101] with 32 bytes of data:
Reply from 192.168.2.101: bytes=32 time=23ms TTL=126
Reply from 192.168.2.101: bytes=32 time=25ms TTL=126
Reply from 192.168.2.101: bytes=32 time=23ms TTL=126
Reply from 192.168.2.101: bytes=32 time=23ms TTL=126

Ping statistics for 192.168.2.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 25ms, Average = 23ms

From child to parent
C:\Users\Administrator>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Administrator>ping dc01

Pinging dc01.florasul.lan [192.168.1.101] with 32 bytes of data:
Reply from 192.168.1.101: bytes=32 time=27ms TTL=126
Reply from 192.168.1.101: bytes=32 time=24ms TTL=126
Reply from 192.168.1.101: bytes=32 time=24ms TTL=126
Reply from 192.168.1.101: bytes=32 time=24ms TTL=126

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 27ms, Average = 24ms

C:\Users\Administrator>ping dc01.florasul.lan

Pinging dc01.florasul.lan [192.168.1.101] with 32 bytes of data:
Reply from 192.168.1.101: bytes=32 time=25ms TTL=126
Reply from 192.168.1.101: bytes=32 time=24ms TTL=126
Reply from 192.168.1.101: bytes=32 time=23ms TTL=126
Reply from 192.168.1.101: bytes=32 time=25ms TTL=126

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 25ms, Average = 24ms


0
abolinhas, Author, Commented:
OK, status so far.

If I ping dc01 from the child, it resolves to dc01.florasul.lan (parent), sounds good

If I ping chld01 from the parent I get this
C:\Users\Administrator>ping chld01

Pinging chld01 [169.254.66.135] with 32 bytes of data:
Reply from 169.254.169.148: Destination host unreachable.

Ping statistics for 169.254.66.135:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

If I ping CHLD01 from the parent I get this
C:\Users\Administrator>ping CHLD01

Pinging CHLD01 [192.168.2.101] with 32 bytes of data:
Reply from 192.168.2.101: bytes=32 time=24ms TTL=126
Reply from 192.168.2.101: bytes=32 time=24ms TTL=126
Reply from 192.168.2.101: bytes=32 time=24ms TTL=126
Reply from 192.168.2.101: bytes=32 time=23ms TTL=126

But it does not resolve to CHLD01.evora01.florasul.lan; is it a problem?


0
Bruno PACI, IT Consultant, Commented:
Hi,

OK... so we must clarify something about DNS... When you use short names (like chld01) with no DNS suffix you don't really make a DNS resolution...
When you type "PING dc01" the request that the DNS server receives is "is there a host record named dc01 in the root DNS zone" (the "dot" zone, ".", that is the root zone of the whole DNS name hierarchy). Of course, as your DNS servers don't host this famous DNS root "." zone (this zone only exists on the Internet), the DNS server answers that it cannot resolve the name.
If your computer is a member of an AD domain (let's say "florasul.lan"), by default it then concatenates the primary DNS suffix of the domain to the name and resends a new request for resolution. In your case it will then ask the DNS server for "dc01.florasul.lan". This time the DNS server hosts the DNS zone "florasul.lan" and there is a host record for "dc01" in that zone, so the computer finally receives a good answer and shows it to you with the FQDN: "Pinging dc01.florasul.lan [....]".
The first failure is hidden from you because the computer automatically retries the DNS request adding the DNS domain name and shows you the final result...

The fact that the computer retries DNS resolution appending the DNS domain name is a Microsoft implementation of the DNS client on Windows; it is not RFC DNS behavior...

So, if you want to test DNS forwarders and delegations you should always use FQDNs to avoid polluting results with DNS client behavior...


Now, about the failure when you try to ping chld01 asking the parent DNS server... Well, if your computer is not a member of the child domain "evora01.florasul.lan" but is a member of the parent domain "florasul.lan", what happens when you type "PING chld01" is that the computer first asks the DNS for the "chld01" host record of the "." DNS zone... again, as the DNS servers do not host this zone, the first reply is a failure saying something like "DNS domain unknown". Then the DNS client service of the computer automatically concatenates the current domain DNS name and asks for the "chld01" host record of the "florasul.lan" DNS zone (because we suppose in this example that the computer is a member of "florasul.lan"). The DNS server hosts the DNS zone "florasul.lan" but the record "chld01" does not exist in this zone! So the DNS server replies that the DNS name doesn't exist, and as the DNS server is the owner of the "florasul.lan" zone this response is called authoritative, meaning that the DNS server says something like "I am the florasul.lan owner and I assure you that chld01 doesn't exist in my zone, and by the way, as I am the zone owner, there's no need to interrogate any other DNS server because I'm sure it doesn't exist!"....


If you want any computer of any domain (parent or child) to be able to find any host name in your organization by using short names, you should then use what is called the "DNS search order" (or DNS search suffixes... as I'm French I'm not sure how it is written on English Windows versions...).
You'll find it in the TCP/IP properties of the network card on the computer. There's an "Advanced" button and a "DNS" tab where you'll see an option named "Append these DNS suffixes". You then have to fill in the list of the DNS suffixes you want to be added successively to the short name.
Be aware that if you choose the "Append these DNS suffixes" option, the DNS client service of the computer will ONLY use the DNS suffix list you give and will no longer append the domain DNS name... That means that the suffix list must always start with the DNS name of the domain the computer belongs to, and then as a second choice the DNS name of the other domain...

To be more clear: the computers of the parent domain should have the following suffix list order: "florasul.lan" then "evora01.florasul.lan"... the computers of the child domain should have the following order for the DNS suffix list: "evora01.florasul.lan" and then "florasul.lan".

Doing it like that, when you ping a short name from a computer, it will always first ask the DNS server for this name in the "." DNS zone (you cannot avoid that except by using FQDNs), then it will retry for the same name in the DNS zone of its own domain, and finally it will ask for this name in the other DNS domain.

By the way, if the DNS name has been resolved by DNS servers, the PING command shows you the DNS zone where the name was finally found by displaying "Pinging chld01.evora01.florasul.lan [xxxxx]"... That means that the IP address has been obtained from a DNS server.
If the PING command shows something like "Pinging CHLD01 [xxxxx]" with no DNS FQDN suffix, that means that the IP address has been obtained another way, for example from a WINS server, or by using network broadcasting.
Yes.... If the DNS client service fails to obtain an IP from a DNS server it automatically (by default) uses older resolution methods like WINS server interrogation and finally network broadcasts.

That's why you should always use FQDNs when you want to validate a DNS resolution architecture.



I hope I've been clear enough to help you go ahead in your tests.


Have a nice d.... oops... night ;)




0
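The suffix-search behaviour and the "FQDN in the PING line means DNS, bare name means something else" rule from the answer above, turned into a check, as an added example that is not part of the original thread. The function expands a short name with a suffix list in the order the answer recommends (own domain first), queries each candidate over DNS only, and, if none answers, reports whether the name still "resolves" through a non-DNS path such as LLMNR or NetBIOS broadcast, which is what the 169.254.x.x answer for `chld01` earlier in the thread was. The suffix lists are the two from the answer; `Resolve-DnsName` and `Set-DnsClientGlobalSetting` are assumed to be available (DnsClient module, Windows 8 / Server 2012 or later), and the `-Apply` switch is a hypothetical convenience of this example.

```powershell
# Added example (not from the original thread): show how a short name is expanded
# with the DNS suffix search list, and flag names that "resolve" without DNS.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later).
$ParentSuffixes = @('florasul.lan', 'evora01.florasul.lan')   # members of the parent domain
$ChildSuffixes  = @('evora01.florasul.lan', 'florasul.lan')   # members of the child domain

function Get-DnsCandidateNames {
    # FQDNs a client will try, in order, for a single-label (short) name.
    # A name that already ends in '.' is fully qualified and is tried as-is only.
    param([string]$Name, [string[]]$SuffixSearchList)
    if ($Name.EndsWith('.')) { return @($Name) }
    $candidates = @()
    foreach ($suffix in $SuffixSearchList) { $candidates += "$Name.$suffix" }
    return $candidates
}

function Test-ShortNameResolution {
    param([string]$ShortName, [string[]]$SuffixSearchList)
    foreach ($fqdn in Get-DnsCandidateNames -Name $ShortName -SuffixSearchList $SuffixSearchList) {
        # DNS only: no hosts file, no LLMNR/NetBIOS, so a hit here came from a DNS server.
        $rec = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'A'
        if ($rec) {
            return [pscustomobject]@{ ShortName = $ShortName; ResolvedAs = $fqdn
                                      Source = 'DNS'; IPAddress = $rec[0].IPAddress }
        }
    }
    # No suffix candidate answered over DNS. Ask the full client stack once more:
    # an answer now came from LLMNR or NetBIOS, not from any DNS server.
    $fallback = Resolve-DnsName -Name $ShortName -Type A -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'A'
    if ($fallback) {
        return [pscustomobject]@{ ShortName = $ShortName; ResolvedAs = $fallback[0].Name
                                  Source = 'non-DNS (LLMNR/NetBIOS)'; IPAddress = $fallback[0].IPAddress }
    }
    [pscustomobject]@{ ShortName = $ShortName; ResolvedAs = $null; Source = 'unresolved'; IPAddress = $null }
}

function Set-DomainSuffixSearchList {
    # Applies the system-wide suffix list (the same setting as "Append these DNS
    # suffixes" in the adapter's advanced DNS tab). Without -Apply it only shows
    # what would be set. -Apply is a convenience of this example, not a cmdlet flag.
    param([string[]]$SuffixSearchList, [switch]$Apply)
    Write-Host "Suffix search list would be: $($SuffixSearchList -join ', ')"
    if ($Apply) { Set-DnsClientGlobalSetting -SuffixSearchList $SuffixSearchList }
}

# Usage from a parent-domain member: chld01 should come back as
# chld01.evora01.florasul.lan with Source = DNS once the suffix list is in place.
Set-DomainSuffixSearchList -SuffixSearchList $ParentSuffixes
'dc01', 'chld01' | ForEach-Object { Test-ShortNameResolution -ShortName $_ -SuffixSearchList $ParentSuffixes } |
    Format-Table -AutoSize
```

Anything reported with `Source` other than `DNS` is worth chasing: it means the short name is being answered by a broadcast-based protocol on the local segment rather than by a server you control, which is both unreliable (as the unreachable 169.254.x.x answer showed) and harder to trust.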

abolinhas, Author, Commented:
Thanks for the help and clarifications; thanks to you I learned more about how DNS works.
0