How do I set up DNS delegation properly?

We're having a problem because our internal domain is (regrettably) the same as the external domain.  So we have a *subdomain*.*domain*.com that we're trying to access, but because there isn't a record for it internally, we can't access it.

How can I resolve this?  I thought perhaps DNS delegation would solve the problem, but in attempting to set it up I haven't gotten any further ahead.
jon47 Commented:
I don't have server 2003 to hand, but it looks like you need to create what it calls a "delegation".  The domain you're delegating will be flim (the fully qualified name should come out as and the server you're delegating to will be

There's a video of someone creating a delegation here: 

It's a while since I played with server 2003, it may be possible to use the "other new records" menu item to create the NS records by hand.  If so, that might work better.
I believe you need to configure DNS forwarders. That way, when your DNS server can't resolve an outside URL, it forwards the request to the forwarders you specified, usually your ISP's DNS.
SunRype (Author) Commented:
Like a conditional forwarder you mean?

you only need to delegate the subdomain if the dns server for the subdomain is different to the dns server for the domain.  since you're talking about delegation, I'll assume that this really is the case.

You need to add NS (and possibly some A) records to your DNS server.  

This example is lifted from

For example, let's assume
- your top level domain is
- your internal domain is
- your internal DNS server is at IP

for this example you'd need to add to's DNS server:

fabricorp IN NS IN A

and setup SEA-FAB-DC01 so that it's the DNS server (and probably domain controller too, since I'm guessing you're on windows 'cos this query was tagged active directory) for
I am not sure I understand the problem.  Are the computers in the having problems accessing, or the other way around?

Even if the domain names are the same (internal and external), the local DNS server that the clients are using should be integrated with AD and have the private IP addresses available to these clients.  If not, then the DNS server may need to be changed on DHCP or the client machines.  Also, the DNS server that is responding publicly should have the public IPs available and working.  Is there a particular service or application that is failing or does all communication cease?

SunRype (Author) Commented:
I am in Windows.  I only have the one DNS server though... The website is hosted externally and the DNS servers I want to use are the ISP's...
SunRype (Author) Commented:
Okay, our PCs here cannot access, because is our internal domain, and also the domain of our external website.  We have a "www" CNAME record internally so that we can access, but we also need to access and I'm not sure how to set that up.
Sounds like you need to add the NS and A records to your ISP's DNS configuration in your domain.  If they let you; some don't.  To keep with my example...

So should be served by your ISP.

your internal servers should call themselves

This should just work, provided that you don't try and make *any* internal server serve DNS for  If you do, then you'll end up losing access to your external sites.  However if you want you can run different and inconsistent DNS servers for internally and externally.  You'll just have to add A records for the external systems to your internal DNS (by hand) and then it should work.
so is there an entire domain, or is it just a host?
SunRype (Author) Commented:
is a subdomain of, which is hosted externally.  It also happens to (by someone else's poor choice) be our internal domain as well.  We have lots of stuff internally that is using *something*, so we can't have all that DNS externally hosted.

Basically I want, internally, for everything to query our internal DNS server, except I guess for  Or at least for our internal DNS server to say "I dunno where is, go ask *ISP's DNS server*" which isn't currently happening.  Nslookup on just times out currently.
Ah.  Then you need to set up the NS records on your *internal* server to delegate to your external server.

For the sake of argument, let's assume that your ISP hosts your DNS at a couple of servers, called,  (you need to find out what the DNS servers are called - the more the better)

then on your internal DNS server, add IN NS IN NS

you won't need the A records because etc should resolve through DNS at
you *will* still need to add any records for *host*, and maintain these by hand.

SunRype (Author) Commented:
Sorry, what type of records are those?
actually, let's make it a little easier - assuming that hosts your subdomain too, you would add these two records to your internal DNS: IN NS IN NS

I made a mistake earlier - don't miss out the dot on the end of the isp server name!

I derived this using dig, which digs into DNS servers and is part of the BIND distribution ( - it runs on windows too.  It's invaluable for working out what's broken (and what works) in DNS.

; <<>> DiG 9.7.0-P1 <<>> NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65526
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;                   IN      NS

;; ANSWER SECTION:
            890     IN      NS
            890     IN      NS
> what type of records are those?

they're NS records... but, erm, that's not very helpful ;-)  if you can tell me what version of windows you're using, I can probably point you a little closer to where you put this.
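To make the advice in the two posts above (NS records for the subdomain added on the *internal* server) concrete, here is an added example that is not code from the thread: a small Python model of how a DNS server answers from its zone data, using placeholder names (example.com, sub.example.com, ns1.isp.example, dc01) in place of the real ones. Before the NS records exist, the internal server is authoritative for the parent and answers NXDOMAIN for anything under the subdomain; once they are added, that name becomes a zone cut and the query is referred to the ISP's servers.

```python
import copy
# Added example, not code from the thread: a toy model of how a DNS server answers
# from its zone data, showing why NS records for the subdomain on the internal
# server (a "zone cut") fix the lookup. All names below are placeholders.
INTERNAL = {  # zone data on the internal AD-integrated DNS server
    "example.com": {
        "example.com.": [("NS", "dc01.example.com.")],
        "dc01.example.com.": [("A", "10.0.0.5")],
        "www.example.com.": [("CNAME", "webhost.provider.example.")],
    }
}
EXTERNAL = {  # zone data the ISP's name servers hold for the subdomain
    "sub.example.com": {
        "sub.example.com.": [("NS", "ns1.isp.example.")],
        "app.sub.example.com.": [("A", "203.0.113.10")],
    }
}

def closest_zone(name, zones):
    """Longest zone name in `zones` that encloses `name`, or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None
def lookup(name, qtype, zones):
    """Answer from local zone data (RFC 1034 s4.3.2, simplified): NS records at a
    node below the apex are a delegation, so names under it get a referral."""
    zone = closest_zone(name, zones)
    if zone is None:
        return ("NOTAUTH", [])
    labels = name.rstrip(".").split(".")
    depth = len(labels) - len(zone.split("."))  # labels below the zone apex
    for i in range(depth - 1, -1, -1):          # check nodes nearest the apex first
        node = ".".join(labels[i:]) + "."
        if ns := [rd for t, rd in zones[zone].get(node, []) if t == "NS"]:
            return ("REFERRAL", ns)
    records = zones[zone].get(".".join(labels) + ".")
    if records is None:
        return ("NXDOMAIN", [])
    return ("ANSWER", [rd for t, rd in records if t == qtype])
def resolve(name, qtype, internal=INTERNAL, external=EXTERNAL):
    """What a client of the internal server gets: referrals are chased to the ISP."""
    status, data = lookup(name, qtype, internal)
    return lookup(name, qtype, external) if status == "REFERRAL" else (status, data)
def delegate(zones, zone, child, nsnames):
    """Copy of `zones` with the NS records the thread recommends added at `child`."""
    new = copy.deepcopy(zones)
    new[zone].setdefault(child + ".", []).extend(("NS", n) for n in nsnames)
    return new
```

The same model also shows jon47's caveat: any external host under the parent domain that is not copied into the internal zone by hand (or delegated) gets NXDOMAIN from the internal server.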
SunRype (Author) Commented:
It's Server 2003.
Chris Dent (PowerShell Developer) Commented:

You were right with New Delegation, it's not hidden under other records :)
