Delegating to Active Directory sub-domain from existing BIND/NAMED domain

Posted on 2014-08-17
Medium Priority
Last Modified: 2014-09-28
We currently have BIND running our top level domain (e.g. dom.com). Previously we had our old AD forest sitting on the same TLD, which was causing big issues with the external namespace. Now I am building a new AD forest and want to put this at ad.dom.com.

In our BIND domain I have added NS records pointing to our AD DNS servers (see below), but I still cannot get our DNS to resolve ad.dom.com or host.ad.dom.com.

From our BIND domain file: db.dom.com
ad   NS
ad   NS

Suggestions?
Question by:RescueIT
LVL 27

Accepted Solution

DrDave242 earned 2000 total points
ID: 40268291
I'm not well-versed in BIND at all, but this appears to be a pretty good explanation of delegating a subdomain. The Domain Name-Server Zone Files section will be the most (possibly only) relevant one, since the subdomain's name servers aren't running BIND.

There's apparently more than one way to specify a delegation in BIND, but it looks like you'll need the following at a minimum in the parent zone file:

NS records for all of the subdomain's DNS servers. These records should refer to the FQDNs of those DNS servers, not their IP addresses.
Glue records for the subdomain's DNS servers. These will be host (A) records which map their FQDNs to IP addresses.

It should look something like this...I think:
ad.dom.com.       IN    NS    dc1.ad.dom.com.
ad.dom.com.       IN    NS    dc2.ad.dom.com.
dc1.ad.dom.com.   IN    A
dc2.ad.dom.com.   IN    A


Obviously you'll substitute the actual names and IP addresses of the subdomain's DNS servers.
LVL 71

Expert Comment

by:Chris Dent
ID: 40270629
DrDave242 is right :)

It just needs the delegation as shown in the text box, including glue if the name servers are within the domain you're delegating.

Other than highlighting that short-hand is entirely permissible (ad.dom.com. is just ad, and dc1.ad.dom.com. is dc1.ad), there's nothing I can add to that.

You can disregard the modifications to the conf file described in the link. Those are only relevant if the new zone is also on a BIND box (as DrDave242 thought).
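As an added illustration of the two answers above (not code from the thread or from BIND), here is a constructed parent zone for dom.com written in the short-hand Chris Dent describes, with the NS delegation and the glue A records DrDave242 lists, beside a second zone that reproduces the question's state (NS records for ad, but no glue). The small checker parses both and reports the failure mode: an NS target that sits inside the delegated sub-domain but has no address record in the parent, so a resolver following the referral has nowhere to go. Host names, the 192.0.2.0/24 addresses and the SOA values are all made up for the example.

```python
"""Check a BIND parent zone's delegation of a sub-domain to non-BIND (AD) servers.

Rule being checked: every NS record at the delegation point whose target lies
inside the delegated sub-domain needs an in-zone glue A/AAAA record.
Zone texts below are constructed for this example; the addresses are from the
documentation range 192.0.2.0/24 and the host names are hypothetical.
"""
import re

# Correct delegation in short-hand: names without a trailing dot are relative
# to $ORIGIN, so "ad" is ad.dom.com. and "dc1.ad" is dc1.ad.dom.com.
GOOD_ZONE = """\
$ORIGIN dom.com.
$TTL 3600
@        IN SOA ns1.dom.com. hostmaster.dom.com. (
                   2014081701 ; serial
                   3600 900 604800 300 )
@        IN NS  ns1.dom.com.
ns1      IN A   192.0.2.1
; delegation: hand ad.dom.com to the AD domain controllers
ad       IN NS  dc1.ad
ad       IN NS  dc2.ad
; glue: dc1/dc2 live inside ad.dom.com, so the parent must publish their addresses
dc1.ad   IN A   192.0.2.10
dc2.ad   IN A   192.0.2.11
"""

# The state described in the question: NS records for ad, but no glue.
BROKEN_ZONE = """\
$ORIGIN dom.com.
$TTL 3600
@        IN SOA ns1.dom.com. hostmaster.dom.com. 2014081701 3600 900 604800 300
@        IN NS  ns1.dom.com.
ns1      IN A   192.0.2.1
ad       IN NS  dc1.ad.dom.com.
ad       IN NS  dc2.ad.dom.com.
"""


def fqdn(name, origin):
    """Qualify a zone-file name: '@' is the origin, a trailing dot is absolute,
    anything else is relative to the origin. Returned lower-case, no trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, default_origin):
    """Minimal master-file parser: ';' comments, $ORIGIN, $TTL, parenthesised
    multi-line records, blank owner (= previous owner), optional TTL and class.
    Returns a list of (owner, type, rdata_fields) with qualified owner names."""
    origin = default_origin.rstrip(".").lower()
    records, buf, depth, last_owner = [], [], 0, None
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                       # still inside ( ... )
            continue
        entry = " ".join(buf).replace("(", " ").replace(")", " ")
        buf = []
        fields = entry.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if fields[0] == "$TTL":
            continue
        owner = last_owner if entry[0].isspace() else fqdn(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                   # optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [fqdn(rdata[0], origin)]  # qualify the target too
        records.append((owner, rtype, rdata))
    return records


def check_delegation(records, subdomain):
    """Return a list of problems with the delegation of `subdomain`; empty = OK."""
    sub = subdomain.rstrip(".").lower()
    ns_targets = [r[2][0] for r in records if r[0] == sub and r[1] == "NS"]
    if not ns_targets:
        return [f"no NS records for {sub}: the parent does not delegate it"]
    problems = []
    for target in ns_targets:
        in_child = target == sub or target.endswith("." + sub)
        if not in_child:
            continue                        # out-of-zone NS: found by normal recursion, no glue needed
        if not any(r[0] == target and r[1] in ("A", "AAAA") for r in records):
            problems.append(f"NS {target} is inside {sub} but has no glue A/AAAA record")
    stray = sorted({r[1] for r in records if r[0] == sub and r[1] not in ("NS", "DS")})
    if stray:                               # other data at the zone cut is occluded, never served
        problems.append(f"{sub} carries {', '.join(stray)} in the parent; that data belongs in the child zone")
    return problems


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", GOOD_ZONE)):
        found = check_delegation(parse_zone(zone, "dom.com"), "ad.dom.com")
        print(f"{label}: {'OK' if not found else found}")
```

On a real BIND host the equivalent checks are `named-checkzone dom.com db.dom.com` after editing (and bumping the SOA serial), then `dig @dc1.ad.dom.com host.ad.dom.com` against a domain controller and `dig +trace host.ad.dom.com` to confirm the referral is followed. Keep the delegation list in step with the domain controllers that actually exist: an NS or glue record left pointing at a decommissioned host is a dangling delegation that someone who later obtains that name or address can use to answer for ad.dom.com.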
