Solved

Microsoft AD DNS multi-level subdomain not resolving

Posted on 2016-10-20
Last Modified: 2016-10-26
Hey all.
Internal Windows 2008 R2 Forest/Domain
Server 2012 R2, DC and DNS.  AD integrated Zone

I'm trying to create a multiple level subdomain but records won't resolve.  I have Domain.com.  I need to create a record in sub2.sub1.domain.com.  Records in sub1 work fine but records in sub2 don't resolve.

I created the record at the top level by typing in the sub-levels.  I noticed there are no records at the sub1 or sub2 level except for the record I added.  New Host (A or AAAA) -> server.sub2.sub1.domain.com -> x.x.x.x

What does a sub-domain container need to pass the query another level down?
Question by: Dan Arseneau

14 Comments

Expert Comment by: DrDave242
Assuming the sub1 and sub2 domains have their own DNS servers, a delegation record for sub2 on the sub1 servers should be sufficient. Alternatively, a stub zone will work as well.

Author Comment by: Dan Arseneau
Thanks DrDave242.  No additional DNS servers in those domains.  DNS servers are only  at the root domain.com level.  Not having them makes sense but I don't want to add additional machines just for this so I'm trying to figure out how to create the stub zone to satisfy a query of x.sub2.sub1.domain.com.  Looking into it...thx

Expert Comment by: DrDave242
A stub zone won't work in that situation, since it requires at least one master server to pull the SOA and NS records from. (Sorry, I was assuming each zone had at least one server.)

Since the DNS servers are all at the root level, you should be able to create the sub1 domain by right-clicking the root domain's zone and selecting New Domain. Then you can right-click sub1 and select New Domain to create sub2. Finally, you can create records inside sub2 as normal.

Let me know if this is what you've already done and it isn't working.
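The New Domain / New Domain / New Host sequence described above, done from PowerShell instead of DNS Manager. This is an added example and not part of the thread; it assumes the DnsServer module (RSAT or Windows Server 2012 R2), a DC named DC01 that hosts the AD-integrated zone domain.com, and the placeholder address 10.20.30.40. None of those names come from the question.

```powershell
# Added example: nested subdomain nodes plus a host record in an AD-integrated zone.
# Assumed names: DC01 (the DC/DNS server), domain.com (the zone), 10.20.30.40 (placeholder).
$Dc   = 'DC01'
$Zone = 'domain.com'

# -Name is relative to the zone. A dotted name makes the server create the
# intermediate sub1 and sub2 nodes if they are missing, which is the same
# end state as New Domain -> New Domain -> New Host in DNS Manager.
Add-DnsServerResourceRecordA -ComputerName $Dc -ZoneName $Zone `
    -Name 'server.sub2.sub1' -IPv4Address '10.20.30.40' -TimeToLive ([TimeSpan]'01:00:00')

# Confirm what the zone actually stores for that name (server-side view).
Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Zone -Name 'server.sub2.sub1' -RRType A |
    Format-Table HostName, RecordType, @{ Name = 'Address'; Expression = { $_.RecordData.IPv4Address } }

# Ask the DC directly. -Server sends the query to that DC instead of whatever the
# client's resolver would pick, and -DnsOnly / -NoHostsFile rule out LLMNR, NetBIOS
# and the hosts file, so a failure here is the DNS server's own answer.
Resolve-DnsName -Name "server.sub2.sub1.$Zone" -Type A -Server $Dc -DnsOnly -NoHostsFile
```

Running the last line from a client rather than the DC is the useful comparison: if the server answers correctly but the client does not, the problem is on the client side (suffix search list, cache, or a non-DNS fallback), not in the zone.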
 
Author Comment by: Dan Arseneau
Yes, I couldn't see how to get the Stub Zone to work.  I have done what you suggested but the final record never resolves.  If I create a record server.sub1.domain.com, it resolves, if I create server.sub2.sub1.domain.com it does not.

So I have tried creating a new domain in domain.com called sub1, then in sub1 creating a new domain called sub2, then adding the record.

I have added a record under domain.com called server.sub2.sub1(.domain.com) and it creates the sub-domains as above but again, doesn't resolve.

Both steps above return no errors but the record cannot be resolved.

It's some sort of DNS restriction but I just can't find out what it is.  Leaning towards delegation being the cause.  I'm in a production environment at the moment so building up a quick lab to test further.

EDIT:  FYI.  Production servers are in domain.com but devs want *.sub2.sub1.domain.com to be a CNAME to an outside destination.

Expert Comment by: DrDave242
That's certainly odd. I just did some testing in my own lab, and it worked perfectly. I created sub1 within the root domain, then created sub2 within sub1, then created a host record within sub2. Both ping and nslookup resolved host.sub2.sub1.root.suffix to the correct address.

Author Comment by: Dan Arseneau
Ah, then it's something internal that's causing the issue.  That would explain why I couldn't find any answers on the Internet....it's local.  I guess, my question is still valid; why doesn't it work internally?  You just shifted my investigations to internal, thank you.  If I figure it out, you'll still get points for helping me out.

I just took possession of this domain about a month ago.  I'll keep the question open for a little longer so I can post any findings.

Expert Comment by: DrDave242
What do you see if you launch nslookup, run the set d2 command to enter verbose debug mode, and query for server.sub2.sub1.domain.com?

Author Comment by: Dan Arseneau
For sub2.sub1.domain.com I get a passing grade.  For server.sub2.sub1.domain.com I get host non-existent...the host record is there.

EDIT: Thanks for sticking it out.

Expert Comment by: DrDave242
"For sub2.sub1.domain.com I get a passing grade."

Does that mean that sub2.sub1.domain.com resolves to an address? If so, what does that address represent?

Along those lines, aside from the sub2 domain, there's not another record named sub2 inside the sub1 domain, is there? It sounds like something is conflicting with the resolution of names in sub2, but I can't yet figure out what it is.

Author Comment by: Dan Arseneau
No, it wasn't resolving to an IP, just not returning "non-existent domain" when using NSLOOKUP.  Made me think of WINS....so I checked.  They're using WINS Forward Lookups for the DNS Zone.  I haven't seen WINS in years so didn't think of it at first.

I'm thinking I'll add search suffixes via GPO and turn it off.  I haven't changed anything yet but I'm pretty sure that's it.  I'm going to keep the ticket open until I make the change so I can post the result.
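One way to check for the WINS forward lookup the author found, and to preview the change he planned, from PowerShell. This is an added example, not from the thread; it assumes the DnsServer and DnsClient modules, a DC named DC01 and the zone domain.com, all of which are placeholders.

```powershell
# Added example: find out whether a zone has WINS forward lookup turned on and
# what a client's suffix search list looks like. Assumed names: DC01, domain.com.
$Dc   = 'DC01'
$Zone = 'domain.com'

# Ticking "Use WINS forward lookup" on the zone's WINS tab stores a WINS record
# at the zone root (@). If one comes back, WINS lookup is on and the WINS servers
# it lists are what the DNS server falls back to for names it cannot find.
$wins = Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Zone -RRType Wins -ErrorAction SilentlyContinue
if ($wins) {
    "WINS forward lookup is enabled on ${Zone}:"
    $wins | Format-List HostName, RecordType, RecordData
} else {
    "No WINS record at the root of ${Zone}; WINS forward lookup is off."
}

# Preview the removal (equivalent to clearing the checkbox in DNS Manager).
# Drop -WhatIf once the preview shows the record you expect.
if ($wins) {
    Remove-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Zone -RRType Wins -Name '@' -Force -WhatIf
}

# Client side: the suffix search list the resolver appends to unqualified names.
# Empty means it is derived from the primary and connection-specific suffixes;
# a list pushed by GPO (DNS Client -> DNS Suffix Search List) shows up here.
(Get-DnsClientGlobalSetting).SuffixSearchList
```

Besides muddying troubleshooting, WINS forward lookup ties DNS answers to NetBIOS name service, whose registrations are unauthenticated, so retiring it in favour of an explicit suffix search list is the better end state regardless of whether it turns out to be the cause here.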
 
Expert Comment by: DrDave242
Yeah, I doubt WINS Forward Lookup is actually being used!

Accepted Solution by: Dan Arseneau (earned 0 total points)
I figured it out.  It was GUI logic of sorts.  I went old school and used DNSCMD.

DNSCMD mydc /recordadd sub2.sub1.domain.com * CNAME mydestination

...and it worked.  Thanks for sticking it out.  The end result in the GUI was

not working:

domain.com
 -sub1
  -sub2
   - * to destination

working:

domain.com
sub2.sub1.domain.com
 - * to destination

I hope I understand this next time I need the info.  Guarantee this is the only information of its kind on the Internet.  sheesh.
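The working layout in the accepted solution has sub2.sub1.domain.com as its own zone next to domain.com rather than as nodes inside it. The following builds that end state in PowerShell and adds the checks a practitioner would run afterwards. It is an added example, not the author's command; it assumes a DC named DC01, the zone domain.com, and an external target app.example.net standing in for the author's "mydestination".

```powershell
# Added example: a separate AD-integrated zone sub2.sub1.domain.com with a
# wildcard CNAME, followed by checks. Assumed names: DC01, domain.com, app.example.net.
$Dc     = 'DC01'
$Child  = 'sub2.sub1.domain.com'
$Target = 'app.example.net'

# Create the child as its own AD-integrated zone, replicated to every DNS server
# in the AD domain. On a server that hosts both domain.com and this zone, the more
# specific zone answers for everything under sub2.sub1, so those servers need no
# delegation record in domain.com.
if (-not (Get-DnsServerZone -ComputerName $Dc -Name $Child -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $Dc -Name $Child -ReplicationScope Domain
}

# The same record the dnscmd line in the thread creates, via the DnsServer module.
Add-DnsServerResourceRecordCName -ComputerName $Dc -ZoneName $Child -Name '*' -HostNameAlias $Target

# Check 1: an arbitrary label under the zone follows the wildcard.
Resolve-DnsName -Name "anything.$Child" -Type CNAME -Server $Dc -DnsOnly

# Check 2: the wildcard only matches names that have no explicit node. List what
# already exists in the zone, since those names keep their own answers.
Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Child |
    Where-Object HostName -ne '*' | Format-Table HostName, RecordType

# Check 3: the outside target must actually resolve. A wildcard that aliases a whole
# internal namespace to an external name nobody owns any more is a takeover target,
# so keep this check in a periodic review of the zone.
if (-not (Resolve-DnsName -Name $Target -DnsOnly -ErrorAction SilentlyContinue)) {
    Write-Warning "$Target does not resolve; the wildcard in $Child is dangling."
}
```

A DNS server that holds domain.com but not the child zone will answer from domain.com, where sub2.sub1 has no records, so any such server needs either the child zone replicated to it or an NS delegation for sub2.sub1 in domain.com pointing at the servers that do hold it.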
 
Expert Comment by: DrDave242
Yeah, that is weird. I even did exactly what you did: created the two levels of subdomains and a wildcard CNAME record in sub2, all in the GUI. It resolved perfectly.

Author Closing Comment by: Dan Arseneau
Although all good suggestions, none helped me figure this out.