Solved

Need to install DNS child domain on Windows 2008 server already a DC and installed w/DNS

Posted on 2010-09-03
713 Views
Last Modified: 2012-05-10
I have a Windows 2003 server with AD and DNS installed, in the plains.local domain. I created a child domain, vci.plains.local, with Windows Server 2008, configured it as a DC and installed DNS.
I would like to create a DNS delegation for this child domain, but cannot seem to make it happen following Microsoft protocol. Is this because it is already a DC?
Can this be done given the present configuration of the 2008 server?
Question by:jsvarga88
17 Comments
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33598965
Did you install the DC/DNS Server 2008 as a child in the existing domain? If so then you've got a DNS AD integrated zone and the delegation should have already happened automatically for you.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33599717
I would have to confirm with Nutty: if you have already installed the DC, then you should have the delegation already created for you. You manually create a delegation before you create the child domain if you want to do it manually.
 

Author Comment

by:jsvarga88
ID: 33599738
I did, but it did not replicate. Is it possible to just start over again?
I installed AD in the 2008 server as a child domain and DNS was installed at the time of the dcpromo.
I cannot figure out what is wrong.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33599746
When you go into your DNS Forward lookup zones what zones do you have?
 

Author Comment

by:jsvarga88
ID: 33600195
See the JPGs please.

The Plains-DC1 2003 server shows both the Plains.local and the VCI.Plains.local A records.

The VCI-Terminal2 2008 server shows only the VCI.Plains.local A records, not the Plains.local A records.

Thanks.
Svr2008-Term-serv2-DNS.JPG
Svr-2003-Plains-DC1-DNS.JPG
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33600233
What? I am confused now.
 

Author Comment

by:jsvarga88
ID: 33600283
Because it looks like it should work?
 
LVL 6

Accepted Solution

by:
Nuttycomputer earned 500 total points
ID: 33600323
Unless you have plains.local specifically replicate DNS information to all Domain Controllers in the forest, then not having the A records stored in the child domain vci.plains.local is normal behavior.

However, my bigger concern is that it doesn't appear to have installed DNS correctly. It's looking like the child domain was not added as a child domain but rather as a new domain tree as part of a forest.

If it was installed correctly, then on the plains.local DNS/DC server the vci.plains.local zone should be under the plains.local DNS tree and not beside it. It would also not contain any A records but would instead have a delegation to the vci.plains.local domain tree.

I will attempt to set this up in my lab and provide jpegs of what you should be seeing.
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33600583
You can see the following diagrams show the two active directory integrated domain zones. Server2 is responsible for vci.plains.local and Server1 is responsible for plains.local.

Unless I explicitly request that plains.local is replicated to all DNS Servers in the forest it will not show up on Server2.
plains-local.JPG
vci-plains.JPG
 

Author Comment

by:jsvarga88
ID: 33600841
I see that, but now I cannot authenticate the other three servers to the DC as well.
"There are no logon servers available"

The DC is the only server able to log on to the domain.
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33601021
Yeah, I'm not sure I performed that correctly either. I'm having to review the documentation I have, because I'm used to just configuring everything assuming only a one-domain model (the ideal model).

This may be worth a look while I play with this: http://support.microsoft.com/kb/255248
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33601030
There is also a lot of information under related content on the right.
 

Author Comment

by:jsvarga88
ID: 33601227
Yes, I saw that page. I hope there are no changes in Server 2008 too different from Server 2000.
I need to solve this puzzle tonight (soon).
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33601321
May I inquire why you are using multiple domains? A single domain would greatly simplify administration.
 

Author Comment

by:jsvarga88
ID: 33601475
Need to separate user bases; do not want them in the primary domain.
 

Author Comment

by:jsvarga88
ID: 33604797

More data on the DNS and Active Directory replication problem.

Here is the config of one of the firewalls in the network. Since RPC has been flagged as a problem, and all virus protection and Microsoft firewalls have been removed or turned off, could RPC be blocked by a firewall policy or port?
PortQry shows ports being filtered.



PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 10full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security50
enable password
passwd
hostname Firewall-PIX
domain-name anydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list westbrooke permit ip 192.168.56.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list gainesville permit ip 192.168.56.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list midway permit ip 192.168.56.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list midway permit ip 192.168.56.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list midway permit ip 192.168.56.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list bala permit ip 192.168.56.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list nonat permit ip 192.168.51.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list chattanooga permit ip 192.168.56.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list CVPN permit ip 192.168.51.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CVPN permit ip 192.168.56.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list gainesville2 permit ip 192.168.56.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list ACL_OUT permit ip any any
access-list ACL_OUT permit icmp any any echo-reply
access-list ACL_OUT permit icmp any any time-exceeded
access-list ACL_OUT permit icmp any any unreachable
access-list ACL_IN permit tcp host 6x.2xx.1xx.30 host 192.168.56.151 eq www
access-list ACL_IN permit tcp host 6x.2xx.1xx.31 host 192.168.56.151 eq www
access-list ACL_IN permit tcp host 6x.2xx.1xx.32 host 192.168.56.151 eq www
access-list ACL_IN permit tcp host 6x.2xx.1xx.33 host 192.168.56.151 eq www
access-list ACL_IN2 permit icmp any any
pager lines 24
logging on
logging trap informational
logging history informational
logging facility 23
logging host outside 1xx.2xx.200.3
logging host outside 1xx.2xx.200.8
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 1xx.1xx.2xx.250 255.255.255.248
ip address inside 192.168.56.1 255.255.255.0
ip address intf2 172.16.3.1 255.255.255.252
ip audit name attacking attack action alarm drop reset
ip audit interface outside attacking
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2001 disable
ip audit signature 2004 disable
ip local pool VPN 10.0.0.1-10.0.0.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1xx.1xx.2xx.251
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.56.103 1xx.1xx.232.252 255.255.255.255
alias (inside) 192.168.56.104 1xx.1xx.232.253 255.255.255.255
alias (inside) 192.168.56.115 146.145.232.254 255.255.255.255
static (inside,outside) 1xx.1xx.2xx.252 192.168.56.103 netmask 255.255.255.255 0 0
static (inside,outside) 1xx.1xx.2xx.253 192.168.56.104 netmask 255.255.255.255 0 0
static (inside,outside) 1xx.1xx.2xx.254 192.168.56.115 netmask 255.255.255.255 0 0
static (inside,intf2) 192.168.56.0 192.168.56.0 netmask 255.255.255.0 0 0
access-group ACL_IN in interface outside
access-group ACL_OUT in interface inside
access-group ACL_IN2 in interface intf2
conduit permit icmp any any
conduit permit tcp host 1xx.1xx.2xx.252 eq www any
conduit permit tcp host 1xx.1xx.2xx.253 eq www any
conduit permit tcp host 1xx.1xx.2xx.252 eq ftp-data any
conduit permit tcp host 1xx.1xx.2xx.252 eq ftp any
conduit permit tcp host 1xx.1xx.2xx.253 eq ftp-data any
conduit permit tcp host 1xx.1xx.2xx.253 eq ftp any
conduit permit tcp host 1xx.1xx.2x.254 eq 5001 any
route outside 0.0.0.0 0.0.0.0 146.145.232.249 1
route intf2 172.16.1.0 255.255.255.0 172.16.3.2 1
route intf2 172.16.2.0 255.255.255.0 172.16.3.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 1xx.1xx.6x.0 255.255.255.0 outside
http 1xx.1xx.3x.0 255.255.255.0 outside
http 192.1xx.1.0 255.255.255.0 inside
snmp-server host outside 1xx.2xx.200.3
snmp-server host outside 1xx.2xx4.200.8
no snmp-server location
no snmp-server contact
snmp-server community ATXNet
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto dynamic-map 20 11 set transform-set NORMAL
crypto map s2s 10 ipsec-isakmp
crypto map s2s 10 match address centralcity
crypto map s2s 10 set peer 7x.1xx.x.xx
crypto map s2s 10 set transform-set NORMAL
crypto map s2s 20 ipsec-isakmp
crypto map s2s 20 match address miami
crypto map s2s 20 set peer xx.1xx.1xx.xx
crypto map s2s 20 set transform-set NORMAL
crypto map s2s 30 ipsec-isakmp
crypto map s2s 30 match address atlanta
crypto map s2s 30 set peer xx.x1.xx6.x
crypto map s2s 30 set transform-set NORMAL
crypto map s2s 40 ipsec-isakmp
crypto map s2s 40 match address clevland
crypto map s2s 40 set peer 1xx.1xx.0.1xx
crypto map s2s 40 set transform-set STRONG
crypto map s2s 50 ipsec-isakmp
crypto map s2s 50 match address phoenix
crypto map s2s 50 set peer x1.1xx.2xx.xxx
crypto map s2s 50 set transform-set NORMAL
crypto map s2s 200 ipsec-isakmp dynamic 20
crypto map s2s interface outside
isakmp enable outside
isakmp key ******** address xx.1xx.x7.x8 netmask 255.255.255.255
isakmp key ******** address 1x.1x.0.1xx netmask 255.255.255.255
isakmp key ******** address xx.1x.255.xx2 netmask 255.255.255.255
isakmp key ******** address xx.1xx.255.xxx netmask 255.255.255.255
isakmp key ******** address xx.1x.1x.xx netmask 255.255.255.255
isakmp key ******** address 7x.xx.xxx.1 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup JonJones address-pool VPN
vpngroup JonJones split-tunnel CVPN
vpngroup JonJones idle-time 86400
vpngroup JonJones password ********
vpngroup LisaBrown address-pool VPN
vpngroup LisaBrown split-tunnel CVPN
vpngroup LisaBrown idle-time 86400
vpngroup LisaBrown password ********
vpngroup DanWhite address-pool VPN
vpngroup DanWhite split-tunnel CVPN
vpngroup DanWhite idle-time 86400
vpngroup DanWhite password ********
vpngroup BillieJean idle-time 1800
vpngroup MikeGreen address-pool VPN
vpngroup MikeGreen split-tunnel CVPN
vpngroup MikeGreen idle-time 86400
vpngroup MikeGreen password ********
vpngroup JohnSmith address-pool VPN
vpngroup JohnSmith split-tunnel CVPN
vpngroup JohnSmith idle-time 86400
vpngroup JohnSmith password ********
telnet xxx.xxx.xxx.0 255.255.255.0 outside
telnet xxx.xxx.xx.110 255.255.255.0 outside
telnet xxx.xxx.x.0 255.255.255.0 inside
telnet 1xx.xx8.xx.0 255.255.255.0 inside
telnet timeout 30
ssh 1xx.1xx.3x.0 255.255.255.0 outside
ssh 1xx.1xx.x4.0 255.255.255.0 outside
ssh 1xx.xx5.6x.0 255.255.255.0 outside
ssh 1xx.1xx.5x.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum
: end
 


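The question above is whether the posted PIX 6.3 policy could be filtering the RPC and other traffic a domain controller needs. One way to answer it without a lab is to evaluate the posted access-lists against the port list a DC needs to reach another DC. The following Python script is an added example written for this page, not code from the thread or from Cisco: it parses the `access-list` and `access-group` lines, applies PIX first-match semantics with the implicit deny at the end, and reports which AD flows an interface's inbound ACL blocks. The config excerpt is constructed from the lines posted above for the inside and intf2 interfaces (ACL_IN is left out because its addresses are redacted on the page); the two DC addresses are assumptions, chosen inside the 172.16.1.0/24 network routed via intf2 and the 192.168.56.0/24 inside network, since the thread never states them.

```python
"""Check which AD/DC flows a PIX 6.x interface ACL blocks (example added by the editor)."""
import ipaddress

# Constructed excerpt of the posted config: only the ACL and access-group lines
# that govern traffic entering the inside and intf2 interfaces.
PIX_CONFIG = """
access-list ACL_OUT permit ip any any
access-list ACL_OUT permit icmp any any echo-reply
access-list ACL_OUT permit icmp any any time-exceeded
access-list ACL_OUT permit icmp any any unreachable
access-list ACL_IN2 permit icmp any any
access-group ACL_OUT in interface inside
access-group ACL_IN2 in interface intf2
"""

# Assumed addresses (not given on the page): child DC on the segment routed via intf2,
# parent DC on the inside network.
CHILD_DC = "172.16.1.10"
PARENT_DC = "192.168.56.10"

# Ports one DC needs to reach another (Microsoft's documented AD DS port list).
# The RPC dynamic range is 49152-65535 on Server 2008 and 1025-5000 on Server 2003.
AD_FLOWS = [
    ("tcp", 53, "DNS"), ("udp", 53, "DNS"),
    ("tcp", 88, "Kerberos"), ("udp", 88, "Kerberos"),
    ("udp", 123, "NTP"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("tcp", 389, "LDAP"), ("udp", 389, "LDAP ping"),
    ("tcp", 445, "SMB"),
    ("tcp", 464, "Kerberos kpasswd"),
    ("tcp", 636, "LDAPS"),
    ("tcp", 3268, "Global Catalog"),
    ("tcp", 49152, "RPC dynamic port (2008 range)"),
    ("tcp", 1025, "RPC dynamic port (2003 range)"),
]

PORT_NAMES = {"www": 80, "domain": 53, "ldap": 389, "smtp": 25, "ftp": 21}


def _parse_endpoint(tokens):
    """Consume one PIX address spec from tokens: 'any', 'host A.B.C.D', or 'NET MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_pix(config_text):
    """Return ({acl_name: [(permit, proto, src, dst, dport), ...]}, {iface: acl_name})."""
    acls, bindings = {}, {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"] and len(tokens) >= 6:
            name, permit, proto = tokens[1], tokens[2] == "permit", tokens[3]
            rest = tokens[4:]
            src, dst = _parse_endpoint(rest), _parse_endpoint(rest)
            dport = None
            if len(rest) >= 2 and rest[0] == "eq":  # destination port; ICMP types are ignored
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append((permit, proto, src, dst, dport))
        elif tokens[:1] == ["access-group"] and len(tokens) == 5 and tokens[2] == "in":
            bindings[tokens[4]] = tokens[1]  # ACL applied to traffic entering this interface
    return acls, bindings


def permitted(acls, bindings, ingress_iface, proto, src_ip, dst_ip, dport):
    """First-match evaluation of the ACL bound inbound on ingress_iface; implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for permit, rproto, rsrc, rdst, rport in acls.get(bindings.get(ingress_iface), []):
        if rproto not in ("ip", proto) or src not in rsrc or dst not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return permit
    return False  # every PIX ACL ends with an implicit deny


def blocked_ad_flows(config_text, ingress_iface, src_ip, dst_ip):
    """List the AD flows that the ACL on ingress_iface would drop for src -> dst."""
    acls, bindings = parse_pix(config_text)
    return [(proto, port, name) for proto, port, name in AD_FLOWS
            if not permitted(acls, bindings, ingress_iface, proto, src_ip, dst_ip, port)]


if __name__ == "__main__":
    for iface, src, dst in [("intf2", CHILD_DC, PARENT_DC), ("inside", PARENT_DC, CHILD_DC)]:
        blocked = blocked_ad_flows(PIX_CONFIG, iface, src, dst)
        print(f"{iface}: {src} -> {dst}: {len(blocked)} of {len(AD_FLOWS)} AD flows blocked")
        for proto, port, name in blocked:
            print(f"   {proto}/{port:<5} {name}")
```

Run as is, the script reports that ACL_OUT (`permit ip any any`) lets everything the parent DC initiates out of inside, while ACL_IN2 only permits ICMP, so every TCP/UDP flow a DC on the intf2 side initiates toward inside (LDAP, Kerberos, RPC endpoint mapper and the dynamic RPC ports used by replication) hits the implicit deny. That is consistent with the closing comment that the DMZ-side interface had to be reconfigured before replication worked. Caveats: the PIX is stateful, so only the initiating direction of each connection is evaluated; the legacy `conduit` statements and the `static` translations that lower-to-higher security flows also require are not modeled; and ICMP replies passing is exactly why a ping test would not have revealed the problem.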
 

Author Closing Comment

by:jsvarga88
ID: 33628288
Bandwidth provider had not made the changes to their PIX as they said they had. Router eth 2 (normally DMZ) had been configured to pass traffic back to the child domain on the 2nd network segment. Once changes were made, AD and DNS replicated fine.
