Solved

Microsoft AD DNS multi-level subdomain not resolving

Posted on 2016-10-20
Last Modified: 2016-10-26
Hey all.
Internal Windows 2008 R2 Forest/Domain
Server 2012 R2, DC and DNS.  AD integrated Zone

I'm trying to create a multiple level subdomain but records won't resolve.  I have Domain.com.  I need to create a record in sub2.sub1.domain.com.  Records in sub1 work fine but records in sub2 don't resolve.

I created the record at the top level by typing in the sub-levels.  I noticed there are no records at the sub1 or sub2 level except for the record I added.  New Host (A or AAAA) -> server.sub2.sub1.domain.com -> x.x.x.x

What does a sub-domain container need to pass the query another level down?
Question by: Dan Arseneau
14 Comments
 
LVL 26

Expert Comment

by:DrDave242
ID: 41852398
Assuming the sub1 and sub2 domains have their own DNS servers, a delegation record for sub2 on the sub1 servers should be sufficient. Alternatively, a stub zone will work as well.
LVL 9

Author Comment

by:Dan Arseneau
ID: 41852493
Thanks DrDave242.  No additional DNS servers in those domains.  DNS servers are only at the root domain.com level.  Not having them makes sense but I don't want to add additional machines just for this so I'm trying to figure out how to create the stub zone to satisfy a query of x.sub2.sub1.domain.com.  Looking into it...thx
LVL 26

Expert Comment

by:DrDave242
ID: 41852531
A stub zone won't work in that situation, since it requires at least one master server to pull the SOA and NS records from. (Sorry, I was assuming each zone had at least one server.)

Since the DNS servers are all at the root level, you should be able to create the sub1 domain by right-clicking the root domain's zone and selecting New Domain. Then you can right-click sub1 and select New Domain to create sub2. Finally, you can create records inside sub2 as normal.

Let me know if this is what you've already done and it isn't working.
 
LVL 9

Author Comment

by:Dan Arseneau
ID: 41852611
Yes, I couldn't see how to get the Stub Zone to work.  I have done what you suggested but the final record never resolves.  If I create a record server.sub1.domain.com, it resolves, if I create server.sub2.sub1.domain.com it does not.

So, I have tried creating a new Domain in domain.com called sub1, then in sub1, creating a new Domain called sub2.  Then adding the record.

I have added a record under domain.com called server.sub2.sub1(.domain.com) and it creates the sub-domains as above but again, doesn't resolve.

Both steps above return no errors but the record cannot be resolved.

It's some sort of DNS restriction but I just can't find out what it is.  Leaning towards delegation being the cause.  I'm in a production environment at the moment so building up a quick lab to test further.

EDIT:  FYI.  Production servers are in domain.com but devs want *.sub2.sub1.domain.com to be a CNAME to an outside destination.
LVL 26

Expert Comment

by:DrDave242
ID: 41852794
That's certainly odd. I just did some testing in my own lab, and it worked perfectly. I created sub1 within the root domain, then created sub2 within sub1, then created a host record within sub2. Both ping and nslookup resolved host.sub2.sub1.root.suffix to the correct address.
LVL 9

Author Comment

by:Dan Arseneau
ID: 41852833
Ah, then it's something internal that's causing the issue.  That would explain why I couldn't find any answers on the Internet... it's local.  I guess my question is still valid; why doesn't it work internally?  You just shifted my investigations to internal, thank you.  If I figure it out, you'll still get points for helping me out.

I just took possession of this domain about a month ago.  I'll keep the question open for a little longer so I can post any findings.
LVL 26

Expert Comment

by:DrDave242
ID: 41853046
What do you see if you launch nslookup, run the set d2 command to enter verbose debug mode, and query for server.sub2.sub1.domain.com?
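The two expert suggestions so far (create the record under the sub2.sub1 node of the parent zone, then query it in verbose mode) combined into one script. This is an added example, not code from the thread; it uses the DnsServer PowerShell module that ships with the DNS role on Server 2012 R2. The server name, zone, node name and address are placeholders, and the dotted-node form of -Name and the Wins value for -RRType are assumptions noted in the comments.

```powershell
# Added example, not code from the original thread. It does with the DnsServer
# module what DrDave242 describes in the GUI (a host record under the
# sub2.sub1 node of the parent zone), then checks each level the way the
# nslookup 'set d2' suggestion does: is the node in the zone data, and does
# the DC answer for it. Server name, zone, node and address are placeholders.
$DnsServer = 'mydc.domain.com'
$Zone      = 'domain.com'
$Node      = 'server.sub2.sub1'   # node name relative to the zone
$Address   = '192.0.2.10'         # constructed test address (RFC 5737 range)

# Adding the record at the dotted node name creates the sub1 and sub2
# containers implicitly, which is what the author saw when adding via the GUI.
$existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                -Name $Node -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
        -Name $Node -IPv4Address $Address
}

# Walk every level of the name and show zone data next to resolver answers.
# Assumption: -Name accepts dotted node names for records inside sub-domain
# containers, the same node syntax dnscmd /recordadd uses.
foreach ($n in 'sub1', 'sub2.sub1', $Node) {
    $fqdn = "$n.$Zone"
    $inZone = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                  -Name $n -ErrorAction SilentlyContinue
    # Query the DC itself. -DnsOnly excludes LLMNR/NetBIOS and -NoHostsFile the
    # local hosts file, so the answer is only what that server returned.
    $answer = Resolve-DnsName -Name $fqdn -Server $DnsServer -DnsOnly -NoHostsFile `
                  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name     = $fqdn
        InZone   = [bool]$inZone
        RRTypes  = (@($inZone.RecordType) | Sort-Object -Unique) -join ','
        Resolves = [bool]$answer
        Answer   = (@($answer) | ForEach-Object {
                        if ($_.NameHost) { $_.NameHost } else { $_.IPAddress } }) -join ','
    }
}

# A name that "passes" in nslookup without returning an address means some
# source other than the zone's own records answered. WINS forward lookup,
# which the author later found enabled, is stored as a WINS record at the zone apex.
# Assumption: 'Wins' is one of the -RRType values the cmdlet accepts.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType Wins `
    -ErrorAction SilentlyContinue | Select-Object HostName, RecordType, RecordData
```

Run it from a machine with RSAT DNS tools against the DC. A row with InZone true and Resolves false points at the server side (zone lookup, WINS, or a conflicting node), while InZone false and Resolves true means something other than the zone data is answering. For the raw exchange, `nslookup -d2 server.sub2.sub1.domain.com mydc.domain.com` prints the question and answer sections the expert asked about.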
LVL 9

Author Comment

by:Dan Arseneau
ID: 41853107
For sub2.sub1.domain.com I get a passing grade.  For server.sub2.sub1.domain.com I get host non-existent...the host record is there.

EDIT: Thanks for sticking it out.
LVL 26

Expert Comment

by:DrDave242
ID: 41854041
For sub2.sub1.domain.com I get a passing grade.
Does that mean that sub2.sub1.domain.com resolves to an address? If so, what does that address represent?

Along those lines, aside from the sub2 domain, there's not another record named sub2 inside the sub1 domain, is there? It sounds like something is conflicting with the resolution of names in sub2, but I can't yet figure out what it is.
LVL 9

Author Comment

by:Dan Arseneau
ID: 41854164
No, it wasn't resolving to an IP, just not returning "non-existent domain" when using NSLOOKUP.  Made me think of WINS....so I checked.  They're using WINS Forward Lookups for the DNS Zone.  I haven't seen WINS in years so didn't think of it at first.

I'm thinking I'll add search suffixes via GPO and turn it off.  I haven't changed anything yet but I'm pretty sure that's it.  I'm going to keep the ticket open until I make the change so I can post the result.
LVL 26

Expert Comment

by:DrDave242
ID: 41854260
Yeah, I doubt WINS Forward Lookup is actually being used!
LVL 9

Accepted Solution

by:
Dan Arseneau earned 0 total points
ID: 41854522
I figured it out.  It was GUI logic of sorts.  I went old school and used DNSCMD.

DNSCMD mydc /recordadd sub2.sub1.domain.com * CNAME mydestination

...and it worked.  Thanks for sticking it out.  The end result in the GUI was

not working:

domain.com
 -sub1
  -sub2
   - * to destination

working:

domain.com
sub2.sub1.domain.com
 - * to destination
I hope I understand this next time I need the info.  Guarantee this is the only information of its kind on the Internet.  sheesh.
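The accepted fix, restated as a script: the wildcard CNAME ends up in a separate sub2.sub1.domain.com zone rather than under nested nodes of domain.com, which is what the author's "working" tree shows. This is an added example, not the author's command; it uses the DnsServer PowerShell module and takes the DC name, zone name and external target as placeholders. The zone-creation step is an assumption about how that separate zone got there, since the post only shows the dnscmd line.

```powershell
# Added example, not code from the original thread. Expresses the author's
# dnscmd fix with the DnsServer module and checks that the wildcard answers.
# The DC name, zone name and external destination are placeholders.
$DnsServer   = 'mydc.domain.com'
$ChildZone   = 'sub2.sub1.domain.com'
$Destination = 'mydestination.example.net.'   # assumed external CNAME target, FQDN with trailing dot

# 1. A separate AD-integrated zone for sub2.sub1, replicated to every DNS
#    server in the forest so the root-level DCs all hold it. Dynamic updates
#    are off: nothing should register names in a zone that only holds a wildcard.
#    (Assumption: the author's separate zone was created this way.)
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $ChildZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ChildZone `
        -ReplicationScope Forest -DynamicUpdate None
}

# 2. The wildcard CNAME at the zone apex. This is the module equivalent of
#    DNSCMD mydc /recordadd sub2.sub1.domain.com * CNAME mydestination
Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $ChildZone `
    -Name '*' -HostNameAlias $Destination

# 3. Verify from the DC itself: any label that has no record of its own under
#    the child zone should now be answered with the wildcard's CNAME.
$probe = "anything.$ChildZone"
Resolve-DnsName -Name $probe -Server $DnsServer -Type CNAME -DnsOnly -NoHostsFile |
    Select-Object Name, Type, NameHost
```

No delegation is needed because the same servers are authoritative for domain.com and for the child zone; the server answers from the zone with the longest matching suffix. Two caveats a practitioner should keep in mind: a wildcard only covers labels that do not exist as nodes, so any explicit record later added to the child zone takes precedence for that name; and a wildcard CNAME to a name outside the domain hands resolution of every otherwise-undefined label under sub2.sub1.domain.com to whoever controls that external target, so the target should be reviewed whenever it changes hands.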
LVL 26

Expert Comment

by:DrDave242
ID: 41854539
Yeah, that is weird. I even did exactly what you did: created the two levels of subdomains and a wildcard CNAME record in sub2, all in the GUI. It resolved perfectly.
LVL 9

Author Closing Comment

by:Dan Arseneau
ID: 41859982
Although all good suggestions, none helped me figure this out.