AwinishNaitik's Technical Blog

Let's continue the journey of learn & share..

Configuring DNS in child domain

Posted by Awinish on April 9, 2011

I have seen people on various forums and blogs getting confused about how to configure the DNS server in a child domain so that it resolves the parent domain's names. The confusion is: should the child DC point to itself as its DNS server, or to the parent's DNS server, in order to resolve names in both the parent and the child domain? To make life easier and remove the confusion, I thought I would write this article for my blog.

Firstly, understand that DNS is the backbone of AD, and most of the issues we face in our environments are caused by improper DNS server configuration. In a few posts I saw people using a public IP or the ISP's DNS address directly as the preferred DNS server in the NIC settings of their servers and domain members, which is absolutely wrong. The reason is the order in which a lookup is done: the client first checks its local hosts file (%SystemRoot%\System32\drivers\etc\hosts on Windows) and its resolver cache, and if nothing matches it sends the query to the preferred DNS server configured on the NIC. If that preferred DNS server is a public or ISP resolver, the query for your local domain goes straight out to that public server, which holds no zone for your private domain and has no way of knowing it exists, so the lookup fails or times out. Your local domain and its records exist only in your local DNS server. The practical effect is that domain members cannot find domain controllers, because the _ldap._tcp and _kerberos._tcp SRV records they look for live only in your internal zone, so logon, Group Policy and replication break. From a security perspective it also leaks the names of your internal hosts and services to an external resolver on every lookup, and makes your name resolution depend on a server you do not control.

The public DNS server's IP belongs in the Forwarders tab of your local DNS server, not on the NIC. If you have multiple DNS servers running in your domain, configure the forwarders on every one of them. The resolvers you obtain from your ISP are the usual choice; a public resolver such as 4.2.2.2 or 8.8.8.8 also works as a forwarder, and if no forwarder is set the DNS server falls back to root hints. Whichever you use, these servers are not authoritative for your domain, and queries for external names should only reach them through your own DNS server. Using 4.2.2.2, 8.8.8.8 or any other public address directly in a DC's or domain member's preferred or alternate DNS server setting breaks local name resolution and exposes your internal queries, as described above.
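As an added example (not from the original post), here is a PowerShell check that flags external resolvers in a machine's NIC DNS settings, followed by the two remediation commands the paragraphs above call for: fix the NIC, then put the external resolvers on the DNS server as forwarders. It assumes Windows Server 2012 or later with the DnsClient and DnsServer modules; the DC addresses 10.0.0.10 and 10.0.0.11, the interface aliases and the ISP resolver addresses 203.0.113.53/.54 are hypothetical, and the sample interface data is constructed so the check runs offline.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012 or later with the
# DnsClient and DnsServer modules; every name and address below is hypothetical.

# The only addresses allowed in a domain member's NIC DNS settings: the domain's own
# DNS servers (here two DCs) and loopback on a DC itself.
$InternalDnsServers = @('10.0.0.10', '10.0.0.11', '127.0.0.1', '::1')

function Test-NicDnsServer {
    # Classifies each DNS server address configured on one interface.
    param(
        [Parameter(Mandatory)] [string]   $InterfaceAlias,
        [Parameter(Mandatory)] [string[]] $ServerAddresses
    )
    foreach ($addr in $ServerAddresses) {
        if ($InternalDnsServers -contains $addr) {
            $finding = 'OK: internal DNS server'
        } else {
            $finding = 'WRONG: external resolver on the NIC, move it to the Forwarders tab'
        }
        [pscustomobject]@{
            Interface = $InterfaceAlias
            DnsServer = $addr
            Finding   = $finding
        }
    }
}

# Constructed sample so the check runs offline. On a live machine replace it with:
#   Get-DnsClientServerAddress -AddressFamily IPv4 |
#       ForEach-Object { Test-NicDnsServer -InterfaceAlias $_.InterfaceAlias -ServerAddresses $_.ServerAddresses }
$sample = @(
    @{ InterfaceAlias = 'Ethernet';   ServerAddresses = @('10.0.0.10', '8.8.8.8') },
    @{ InterfaceAlias = 'Ethernet 2'; ServerAddresses = @('10.0.0.11', '10.0.0.10') }
)
$sample | ForEach-Object { $nic = $_; Test-NicDnsServer @nic } | Format-Table -AutoSize
# 'Ethernet' is flagged for 8.8.8.8; 'Ethernet 2' is clean.

# Remediation, step 1 (on the member or DC): the NIC points at the domain's DNS servers only.
# A DC should list a partner DC first and itself (or 127.0.0.1) as the alternate.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ('10.0.0.11', '10.0.0.10')

# Remediation, step 2 (on each DNS server in the domain): the external resolvers go in as
# forwarders, so internal zones are answered locally and only non-local names leave the network.
# 203.0.113.53/.54 stand in for the ISP's resolvers; root hints remain the fallback.
Set-DnsServerForwarder -IPAddress '203.0.113.53', '203.0.113.54' -UseRootHint $true
Get-DnsServerForwarder
```

Run the audit on every DC and member server, not just the one that is misbehaving; the Set-* lines change live configuration, so run step 1 on the affected machine and step 2 on each DNS server only after confirming the addresses for your environment.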

Question: How do I set up DNS for a child domain?

Answer: To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.

Note Windows Server 2003 has additional types of zones, such as Stub Zones and forest-level integrated Active Directory zones, that may be a better fit for your environment.

Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.

http://support.microsoft.com/kb/291382

How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain

http://support.microsoft.com/kb/255248

Note: Ignore the version of the OS in those articles; they apply to all Windows versions, as the DNS concepts have not changed.
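The procedure from the KB article above, carried through end to end as an added example that is not part of the original post or of the KB article. It uses the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later; on older versions the same delegation and stub zone are created with dnscmd or the DNS console), and it takes the stub zone option the KB note mentions rather than a secondary zone. The zone names corp.example.com and child.corp.example.com, the DC names DC1/CDC1/CDC2 and the addresses are hypothetical.

```powershell
# Added example, not from the original post or the KB article. Assumes Windows Server 2012 or
# later with the DnsServer and DnsClient modules. Hypothetical layout:
#   parent zone  corp.example.com        served by DC1  at 10.0.0.10
#   child zone   child.corp.example.com  served by CDC1 at 10.1.0.10

# --- Step 1, on the parent DNS server (DC1): delegate the child namespace.
# Creates the NS record child.corp.example.com -> cdc1.child.corp.example.com plus the glue
# A record in the parent zone, so the parent hands queries for the child to CDC1.
Add-DnsServerZoneDelegation -Name 'corp.example.com' -ChildZoneName 'child' `
    -NameServer 'cdc1.child.corp.example.com' -IPAddress 10.1.0.10

# --- Step 2, on the child DC (CDC1): learn the parent zone.
# The KB answer uses a secondary zone; a stub zone holds only the parent's NS/SOA/glue records
# and, stored in AD with forest scope, replicates to every DC in the forest on its own.
Add-DnsServerStubZone -Name 'corp.example.com' -MasterServers 10.0.0.10 -ReplicationScope Forest

# --- Step 3, on CDC1: NIC DNS settings, as the KB describes.
# Only one child DC exists so far, so it points to itself.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ('127.0.0.1')
# Once a second child DC (CDC2 at 10.1.0.11) is promoted, list it first and keep self as alternate:
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ('10.1.0.11', '127.0.0.1')

# --- Step 4: verify both directions of resolution from a machine that can reach both servers.
function Test-ChildDomainDns {
    param(
        [string] $ParentZone = 'corp.example.com',
        [string] $ChildZone  = 'child.corp.example.com',
        [string] $ParentDns  = '10.0.0.10',
        [string] $ChildDns   = '10.1.0.10'
    )
    $checks = @()
    # The parent hands out the delegation for the child.
    $checks += @{ Name = "delegation of $ChildZone via parent"; Query = $ChildZone; Type = 'NS'; Server = $ParentDns }
    # The child DNS server locates the child's own DCs.
    $checks += @{ Name = "DC locator for $ChildZone via child"; Query = "_ldap._tcp.dc._msdcs.$ChildZone"; Type = 'SRV'; Server = $ChildDns }
    # The child DNS server locates the parent's DCs through the stub zone.
    $checks += @{ Name = "DC locator for $ParentZone via child"; Query = "_ldap._tcp.dc._msdcs.$ParentZone"; Type = 'SRV'; Server = $ChildDns }

    foreach ($c in $checks) {
        # -DnsOnly skips the hosts file, cache and NetBIOS/LLMNR so the answer comes from the named server.
        $answer  = Resolve-DnsName -Name $c.Query -Type $c.Type -Server $c.Server -DnsOnly -ErrorAction SilentlyContinue
        $records = @($answer | Where-Object { $_.Type -eq $c.Type })
        if ($records.Count -gt 0) { $result = 'PASS' } else { $result = 'FAIL' }
        [pscustomobject]@{
            Check   = $c.Name
            Server  = $c.Server
            Result  = $result
            Records = $records.Count
        }
    }
}
Test-ChildDomainDns | Format-Table -AutoSize
```

A FAIL on the first check means the delegation on the parent is missing or points at the wrong name server; a FAIL on the third means the child DC cannot reach the parent zone (stub zone not created or its master server unreachable), which is exactly the situation that produces the "which DNS resolves the parent's names" confusion the post opens with.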


6 Responses to “Configuring DNS in child domain”

  1. Rahul Rohela said

    Very nice article.
    MS KB articles are always informative, but they always miss some small steps, so I want to add that point.

    1. Before creating the delegation record on the parent domain, set the "primary DNS suffix" on the server that is going to be the child. The suffix should be according to its future name, like abc.xyz.com, as the delegation is static and points to the name server, and will become invalid after DC promotion. After restart you will face replication problems.

  2. Prem Rana said

    Good one... hope you recognize....

  3. Nupur Patel said

    Rahul, one problem which we are facing: whenever I am accessing a node using a UNC path, I have to add the domain name at the end of the node name, like \\abc001.xyz.com.
    This is happening from only one machine. We have multiple domains in the network; I checked the DC by dclist, and we are getting the same result from the not-working machine also. Could you help?

  4. Nupur Patel said

    Oops, not sure how I marked it to Rahul only. This is actually for Awinish, and for anyone who can help me.

  5. ali said

    I have a root domain with DNS and a child domain with DNS. Now tell me, when any user sends a query in the child domain site, which DNS will resolve this query by default? Will the query be resolved by the parent DNS or the child DNS?
