AD SRV records not shown in delegated child domain


Paul Landregan

I have a domain tree, let's call it domain.com, with many child domains alpha,
bravo etc.
Here's my problem. All but one of the child domains have SRV records, _sites
and so on. The latest addition to the tree was configured exactly the same
way but has no SRV records. The only difference is it's the first DC in a new
site but still part of the overall tree.

The child DNS is configured as follows.
NIC 1
TCP/IP address 172.20.1.13
Mask 255.255.255.0
Primary DNS 172.20.1.13
Secondary DNS Blank

NIC2
Address 172.20.13.254
Mask 255.255.255.0
Primary DNS 172.20.13.254
Secondary Blank

The DNS was configured using the wizard to create an AD-integrated zone
called alpha; the reverse zone was also configured using the 172.20.13
address.
Listed in the DNS are only two records: a start of authority for
dc.alpha.domain.com, and a name server dc.alpha.domain.com.
No hosts at all. No SRV records, nothing.
The root hints are correctly set to my root server located at 172.20.1.254.
Dynamic updates are set to Yes.

In the root DNS server there is a delegation record for alpha.domain.com
pointing to the address of the child DC, 172.20.1.13.

I have tried restarting the netlogon service to no avail.

Could this be related to being in a different site to the rest of the tree??

One thing I did try is changing the DNS address on the NICs to the root
server.
After about 5 mins a domain folder was created containing the SRV records
that should have been created at the child DNS. But when the address was
correctly set back to itself, no SRV records were created at the child.
 

Kevin D. Goodknecht [MVP]

In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:
: I have a domain tree, let's call it domain.com, with many child
: domains alpha, bravo etc.
: Here's my problem. All but one of the child domains have SRV records,
: _sites and so on. The latest addition to the tree was configured
: exactly the same way but has no SRV records. The only difference is
: it's the first DC in a new site but still part of the overall tree.
:
: The child DNS is configured as follows.
: NIC 1
: TCP/IP address 172.20.1.13
: Mask 255.255.255.0
: Primary DNS 172.20.1.13
: Secondary DNS Blank
:
: NIC2
: Address 172.20.13.254
: Mask 255.255.255.0
: Primary DNS 172.20.13.254
: Secondary Blank
:
: The DNS was configured using the wizard to create an AD-integrated
: zone called alpha; the reverse zone was also configured using the
: 172.20.13 address.
: Listed in the DNS are only two records: a start of authority for
: dc.alpha.domain.com, and a name server dc.alpha.domain.com.
: No hosts at all. No SRV records, nothing.
: The root hints are correctly set to my root server located at
: 172.20.1.254. Dynamic updates are set to Yes.
:
: In the root DNS server there is a delegation record for
: alpha.domain.com pointing to the address of the child DC, 172.20.1.13.
:
: I have tried restarting the netlogon service to no avail.
:
: Could this be related to being in a different site to the rest of the
: tree??
:
: One thing I did try is changing the DNS address on the NICs to the
: root server.
: After about 5 mins a domain folder was created containing the SRV
: records that should have been created at the child DNS. But when the
: address was correctly set back to itself, no SRV records were created
: at the child.

Check the zone on the child DC to see if "Allow dynamic updates" is set to
"Yes"
 

Paul Landregan

Kevin D. Goodknecht said:
In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:
: I have a domain tree, let's call it domain.com, with many child
: domains alpha, bravo etc.
: Here's my problem. All but one of the child domains have SRV records,
: _sites and so on. The latest addition to the tree was configured
: exactly the same way but has no SRV records. The only difference is
: it's the first DC in a new site but still part of the overall tree.
:
: The child DNS is configured as follows.
: NIC 1
: TCP/IP address 172.20.1.13
: Mask 255.255.255.0
: Primary DNS 172.20.1.13
: Secondary DNS Blank
:
: NIC2
: Address 172.20.13.254
: Mask 255.255.255.0
: Primary DNS 172.20.13.254
: Secondary Blank
:
: The DNS was configured using the wizard to create an AD-integrated
: zone called alpha; the reverse zone was also configured using the
: 172.20.13 address.
: Listed in the DNS are only two records: a start of authority for
: dc.alpha.domain.com, and a name server dc.alpha.domain.com.
: No hosts at all. No SRV records, nothing.
: The root hints are correctly set to my root server located at
: 172.20.1.254. Dynamic updates are set to Yes.
:
: In the root DNS server there is a delegation record for
: alpha.domain.com pointing to the address of the child DC, 172.20.1.13.
:
: I have tried restarting the netlogon service to no avail.
:
: Could this be related to being in a different site to the rest of the
: tree??
:
: One thing I did try is changing the DNS address on the NICs to the
: root server.
: After about 5 mins a domain folder was created containing the SRV
: records that should have been created at the child DNS. But when the
: address was correctly set back to itself, no SRV records were created
: at the child.

Check the zone on the child DC to see if "Allow dynamic updates" is set to
"Yes"

Yes, it is. The default is allow secure updates; all child domains are set to Yes.
 

Ace Fekay [MVP]

In
Yes, it is. The default is allow secure updates; all child domains are set
to Yes.

Is DNS set to listen on all IPs? (under interface tab)...
Latest SP on this server?

Not sure if you have this set (which wouldn't make a difference here, but
just for clean infrastructure resolution), just want to ensure you have a
forwarder to the Root DNS from the child DNS servers and not the ISP, but
set the Root DNS to forward to the ISP. I'm just mentioning this since you
are using delegations.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Kevin D. Goodknecht [MVP]

In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:
:: In Paul Landregan <[email protected]> posted a question
:: Then Kevin replied below:
::: I have a domain tree, let's call it domain.com, with many child
::: domains alpha, bravo etc.
::: Here's my problem. All but one of the child domains have SRV records,
::: _sites and so on. The latest addition to the tree was configured
::: exactly the same way but has no SRV records. The only difference is
::: it's the first DC in a new site but still part of the overall tree.
:::
::: The child DNS is configured as follows.
::: NIC 1
::: TCP/IP address 172.20.1.13
::: Mask 255.255.255.0
::: Primary DNS 172.20.1.13
::: Secondary DNS Blank
:::
::: NIC2
::: Address 172.20.13.254
::: Mask 255.255.255.0
::: Primary DNS 172.20.13.254
::: Secondary Blank
:::
::: The DNS was configured using the wizard to create an AD-integrated
::: zone called alpha; the reverse zone was also configured using the
::: 172.20.13 address.
::: Listed in the DNS are only two records: a start of authority for
::: dc.alpha.domain.com, and a name server dc.alpha.domain.com.
::: No hosts at all. No SRV records, nothing.
::: The root hints are correctly set to my root server located at
::: 172.20.1.254. Dynamic updates are set to Yes.
:::
::: In the root DNS server there is a delegation record for
::: alpha.domain.com pointing to the address of the child DC, 172.20.1.13.
:::
::: I have tried restarting the netlogon service to no avail.
:::
::: Could this be related to being in a different site to the rest of
::: the tree??
:::
::: One thing I did try is changing the DNS address on the NICs to the
::: root server.
::: After about 5 mins a domain folder was created containing the SRV
::: records that should have been created at the child DNS. But when the
::: address was correctly set back to itself, no SRV records were created
::: at the child.
::
:: Check the zone on the child DC to see if "Allow dynamic updates" is
:: set to "Yes"
::
::
:
: Yes, it is. The default is allow secure updates; all child domains are set
: to Yes.
:
Hmm, this is a weird one, it will create the records in the parent zone on
the parent DC but not on its own DNS?
What events are in the log?
You can still leave it pointing to the parent DC and itself for DNS, that
won't hurt. At least it verifies that it can create the SRV records.
You may try to recreate the zone and verify the spelling, also check the
Security tab of the zone to make sure it has the proper rights in the zone.
 

Paul Landregan

Kevin D. Goodknecht said:
In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:
:: In Paul Landregan <[email protected]> posted a question
:: Then Kevin replied below:
::: I have a domain tree, let's call it domain.com, with many child
::: domains alpha, bravo etc.
::: Here's my problem. All but one of the child domains have SRV records,
::: _sites and so on. The latest addition to the tree was configured
::: exactly the same way but has no SRV records. The only difference is
::: it's the first DC in a new site but still part of the overall tree.
:::
::: The child DNS is configured as follows.
::: NIC 1
::: TCP/IP address 172.20.1.13
::: Mask 255.255.255.0
::: Primary DNS 172.20.1.13
::: Secondary DNS Blank
:::
::: NIC2
::: Address 172.20.13.254
::: Mask 255.255.255.0
::: Primary DNS 172.20.13.254
::: Secondary Blank
:::
::: The DNS was configured using the wizard to create an AD-integrated
::: zone called alpha; the reverse zone was also configured using the
::: 172.20.13 address.
::: Listed in the DNS are only two records: a start of authority for
::: dc.alpha.domain.com, and a name server dc.alpha.domain.com.
::: No hosts at all. No SRV records, nothing.
::: The root hints are correctly set to my root server located at
::: 172.20.1.254. Dynamic updates are set to Yes.
:::
::: In the root DNS server there is a delegation record for
::: alpha.domain.com pointing to the address of the child DC, 172.20.1.13.
:::
::: I have tried restarting the netlogon service to no avail.
:::
::: Could this be related to being in a different site to the rest of
::: the tree??
:::
::: One thing I did try is changing the DNS address on the NICs to the
::: root server.
::: After about 5 mins a domain folder was created containing the SRV
::: records that should have been created at the child DNS. But when the
::: address was correctly set back to itself, no SRV records were created
::: at the child.
::
:: Check the zone on the child DC to see if "Allow dynamic updates" is
:: set to "Yes"
::
::
:
: Yes, it is. The default is allow secure updates; all child domains are set
: to Yes.
:
Hmm, this is a weird one, it will create the records in the parent zone on
the parent DC but not on its own DNS?
What events are in the log?
You can still leave it pointing to the parent DC and itself for DNS, that
won't hurt. At least it verifies that it can create the SRV records.
You may try to recreate the zone and verify the spelling, also check the
Security tab of the zone to make sure it has the proper rights in the zone.

Will double check the security. I have tried to manually re-create the zone
not using the Wizard, same problem, no SRV records.
 

Paul Landregan

"Ace Fekay [MVP]"
In

Is DNS set to listen on all IPs? (under interface tab)...
Latest SP on this server?

Yes, it listens on both IPs, 172.20.1.13 and 172.20.13.254. RRAS is set up
correctly.
It has SP4 installed on all servers and workstations.
Not sure if you have this set (which wouldn't make a difference here, but
just for clean infrastructure resolution), just want to ensure you have a
forwarder to the Root DNS from the child DNS servers and not the ISP, but
set the Root DNS to forward to the ISP. I'm just mentioning this since you
are using delegations.
No forwarders are set at all. The IP of my root DNS is in the root DNS
section. I have no Internet connectivity at all. Completely internal.
I am using delegations to offload the DNS resolution from the parent DCs to
the individual DCs, so each separate domain looks after its own DNS. The
delegations are there so people in domain a can resolve names in domain b.
I figured it might work like this:
A client in domain b wants an address in domain a.
It asks the DNS server in domain a for the address. It doesn't know, so it asks the
root.
The root doesn't know, but domain b has a delegation to the DNS in domain
b, therefore it can tell the DNS in domain a who to ask for the lookup.
 

Kevin D. Goodknecht [MVP]

In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:

You have totally misunderstood how recursion works. Read on, I'll give you a
picture and then explain how this works.

Whether you have internet access or not does not matter. I am not sure if
this is why the SRV records are not getting created. Your idea of how the
root hints work is totally incorrect. If the parent DNS is not set up with a
root zone, using it as a root hint is totally incorrect and will not work
unless the parent DNS has a root zone.
You can use it as the only root hint on the child DCs, but you must properly
set up the parent DNS.
That means the parent DNS must have a root zone, that is a "." (dot), then
all of your zones and delegations MUST be set up in it. For you to correctly
use it as a root hint you need the parent set up this way:
.<--------The root zone, this is the zone that is looked for by the root
hint. Then in that you need a sub domain named com. In the com sub domain
you need a subdomain named domain. This is where the parent will create its
SRV records. Then in that subdomain you need delegations named a, b, c, and
so on for each child domain pointing to the child DNS for each child domain.

Say DNS b wants to resolve a name in domain a, like machine.a.domain.com.
First it makes a simple query to itself for "machine.a.domain.com". It does
not have the answer so it checks its forwarders. It has no forwarders so it
says use recursion starting at the root (the "."). It does not have a root
zone so it says I need a hint where the root (the ".") is. So it looks at
its hints; they say that dc.domain.com at IP 172.20.0.1 has the root zone, so
it asks dc.domain.com "do you know the root?" It answers yes. Then it asks "do
you know com.?" It answers yes. Then it asks "do you know domain.com.?" It
answers yes. Then it asks "do you know a.domain.com.?" It answers "go ask
dc.a.domain.com. at IP 172.20.0.2". So it goes to IP 172.20.0.2 and asks "do
you know machine.a.domain.com?" It answers machine.a.domain.com is IP
172.20.0.3.

I hope this explains how recursion works. I don't know if your parent is set
up this way but it should be. The child DNS servers do not need delegations
for the other children; this would only mess up recursion and slow down
resolution. The parent needs the delegations so that it can find the
children.
 

Paul Landregan

Kevin D. Goodknecht said:
In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:

You have totally misunderstood how recursion works. Read on, I'll give you a
picture and then explain how this works.

Whether you have internet access or not does not matter. I am not sure if
this is why the SRV records are not getting created. Your idea of how the
root hints work is totally incorrect. If the parent DNS is not set up with a
root zone, using it as a root hint is totally incorrect and will not work
unless the parent DNS has a root zone.
You can use it as the only root hint on the child DCs, but you must properly
set up the parent DNS.
That means the parent DNS must have a root zone, that is a "." (dot), then
all of your zones and delegations MUST be set up in it. For you to correctly
use it as a root hint you need the parent set up this way:

My PDC Emulator in the top level domain does have a . zone.
.<--------The root zone, this is the zone that is looked for by the root
hint. Then in that you need a sub domain named com. In the com sub domain
you need a subdomain named domain.

This is all set up.

This is where the parent will create its
SRV records. Then in that subdomain you need delegations named a, b, c, and
so on for each child domain pointing to the child DNS for each child domain.

Yes this is what we have.
Say DNS b wants to resolve a name in domain a, like machine.a.domain.com.
First it makes a simple query to itself for "machine.a.domain.com". It does
not have the answer so it checks its forwarders. It has no forwarders so it
says use recursion starting at the root (the "."). It does not have a root
zone so it says I need a hint where the root (the ".") is. So it looks at
its hints; they say that dc.domain.com at IP 172.20.0.1 has the root zone, so
it asks dc.domain.com "do you know the root?" It answers yes. Then it asks "do
you know com.?" It answers yes. Then it asks "do you know domain.com.?" It
answers yes. Then it asks "do you know a.domain.com.?" It answers "go ask
dc.a.domain.com. at IP 172.20.0.2". So it goes to IP 172.20.0.2 and asks "do
you know machine.a.domain.com?" It answers machine.a.domain.com is IP
172.20.0.3.

Yes, this is how I understood it, except that the forwarders are checked before root
hints.
If I didn't explain too well I apologise.
I hope this explains how recursion works. I don't know if your parent is set
up this way but it should be. The child DNS servers do not need delegations
for the other children; this would only mess up recursion and slow down
resolution. The parent needs the delegations so that it can find the
children.

In the top level domain I have 2 DCs. One has a dot zone and is the PDC
Emulator (i.e. the 1st one created).
Listed in this DNS zone are all the hosts living in the top level
domain.com, a few workstations and the 2 DCs.
Also listed in this zone are all the delegations to all 12 domains in the
next level down.
Each of these contains its own hosts along with the SRV records that AD
requires.
They all have a root hint to the top level server containing the . zone,
populated automatically, not entered by me.
None have forwarders set as of yet, but may do at a later stage when I kill
the . zone so we can set up a forwarder on the old root server to the ISP's
DNS server. But that's further down the road. I have some security issues to
address first, like persuading the powers that be the internet really isn't all
that bad providing you take the necessary precautions.


Also I have now discovered the error of my original post; it was indeed a
typo of sorts. In the child domain I had called the zone "child" instead of
"child.domain.com".

Once I recreated the zone with the FQDN it instantly had all the SRV
records. Boy, did I look a plonker this morning. But hey, it is Friday 13th
after all.


Thanks to all who have helped.
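Added example (mine, not code from any poster in this thread) modelling the two points the thread turns on in Python: a zone named "alpha" cannot accept Netlogon's SRV registration for alpha.domain.com because it is not a suffix of the record name, and a child DNS with no forwarders walks Kevin's path from the parent's "." zone through the delegation to the authoritative child. All IPs, host names and record data are constructed, and the model ignores secure-update ACLs and caching.

```python
"""Model of the delegated AD DNS layout from this thread (added example, not
the posters' code). It shows two things the thread turns on:
  1. Netlogon can only register a DC's SRV records with a server that is
     authoritative for a zone whose name is a suffix of the record name: a
     zone called "alpha" does not cover "_ldap._tcp.dc._msdcs.alpha.domain.com",
     a zone called "alpha.domain.com" does.
  2. Kevin's resolution walk: own zones, then forwarders, then iterate from
     the root hint (the parent's "." zone) following delegations to the child.
All server IPs, host names and record data are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                        # "." for the root zone
    records: dict = field(default_factory=dict)      # owner name -> rdata
    delegations: dict = field(default_factory=dict)  # child zone -> server IP


@dataclass
class DnsServer:
    ip: str
    zones: dict = field(default_factory=dict)        # zone name -> Zone
    forwarders: list = field(default_factory=list)   # IPs, tried before hints
    root_hints: list = field(default_factory=list)   # IPs of servers with "."


def labels(name):
    """Labels of a DNS name; "." and "" both give the empty list (the root)."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_suffix(zone, name):
    z, n = labels(zone), labels(name)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def longest_matching_zone(server, name):
    """Zone on this server that a query or dynamic update for `name` belongs to."""
    matches = [z for z in server.zones.values() if is_suffix(z.name, name)]
    return max(matches, key=lambda z: len(labels(z.name)), default=None)


def register_srv(server, name, rdata):
    """Dynamic update as Netlogon sends it: refused (False) unless the server
    is authoritative for a zone that covers `name`."""
    zone = longest_matching_zone(server, name)
    if zone is None:
        return False
    zone.records[name] = rdata
    return True


def lookup(server, name):
    """One query to one server: ('answer', rdata), ('referral', child server IP),
    ('nxdomain', None) or ('not_authoritative', None) if no zone covers name."""
    zone = longest_matching_zone(server, name)
    if zone is None:
        return "not_authoritative", None
    for child, ip in sorted(zone.delegations.items(), key=lambda kv: -len(labels(kv[0]))):
        if is_suffix(child, name):
            return "referral", ip
    if name in zone.records:
        return "answer", zone.records[name]
    return "nxdomain", None


def resolve(network, server, name, max_hops=8):
    """Recursion in the order Kevin describes: own zones, then a forwarder
    (which recurses for us), then root hints and referrals.
    Returns (rdata or None, [(server_ip, result), ...]) so the walk is visible."""
    kind, data = lookup(server, name)
    path = [(server.ip, kind)]
    if kind in ("answer", "nxdomain"):      # we are authoritative: final
        return data, path
    if kind == "referral":
        nxt = data
    elif server.forwarders:
        rdata, sub = resolve(network, network[server.forwarders[0]], name, max_hops)
        return rdata, path + sub
    elif server.root_hints:
        nxt = server.root_hints[0]
    else:
        return None, path
    for _ in range(max_hops):
        kind, data = lookup(network[nxt], name)
        path.append((nxt, kind))
        if kind == "answer":
            return data, path
        if kind != "referral":   # dead end: nxdomain, or a lame delegation
            return None, path
        nxt = data
    return None, path


def build_network(child_zone_name="alpha.domain.com"):
    """Parent DC hosting the "." zone with delegations, plus two child DCs that
    use the parent as their only root hint. Pass child_zone_name="alpha" to
    reproduce the mis-named zone from the thread."""
    parent = DnsServer("172.20.1.254")
    parent.zones["."] = Zone(".", records={"dc.domain.com": "172.20.1.254"},
                             delegations={"alpha.domain.com": "172.20.1.13",
                                          "bravo.domain.com": "172.20.2.13"})
    alpha = DnsServer("172.20.1.13", root_hints=[parent.ip])
    alpha.zones[child_zone_name] = Zone(child_zone_name)
    bravo = DnsServer("172.20.2.13", root_hints=[parent.ip])
    bravo.zones["bravo.domain.com"] = Zone("bravo.domain.com")
    return {s.ip: s for s in (parent, alpha, bravo)}
```

With `build_network("alpha")` the parent still refers queries for alpha.domain.com to 172.20.1.13, which then answers not_authoritative: the lame delegation a client would see until the zone is recreated with its FQDN.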
 

Kevin D. Goodknecht [MVP]

In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:
:: In Paul Landregan <[email protected]> posted a question
:: Then Kevin replied below:
::
:: You have totally misunderstood how recursion works. Read on, I'll
:: give you a picture and then explain how this works.
::
:: Whether you have internet access or not does not matter. I am not
:: sure if this is why the SRV records are not getting created. Your
:: idea of how the root hints work is totally incorrect. If the parent
:: DNS is not set up with a root zone, using it as a root hint is
:: totally incorrect and will not work unless the parent DNS has a root
:: zone.
:: You can use it as the only root hint on the child DCs, but you must
:: properly set up the parent DNS.
:: That means the parent DNS must have a root zone, that is a "." (dot),
:: then all of your zones and delegations MUST be set up in it. For you
:: to correctly use it as a root hint you need the parent set up this
:: way:
:
: My PDC Emulator in the top level domain does have a . zone.
:
:: .<--------The root zone, this is the zone that is looked for by the
:: root hint, then in that you need a sub domain named com. In the com
:: sub domain you need a subdomain named domain.
:
: This is all set up.
:
: This is where the Parent will create its
:: SRV records. Then in that subdomain you need Delegations named a, b,
:: c, and so on for each child domain pointing to the child DNS for
:: each child domain.
::
:
: Yes this is what we have.
:
:: Say DNS b wants to resolve a name in domain a, like
:: machine.a.domain.com. First it makes a simple query to itself for
:: "machine.a.domain.com". It does not have the answer so it checks its
:: forwarders. It has no forwarders so it says use recursion starting
:: at the root (the "."). It does not have a root zone so it says I
:: need a hint where the root (the ".") is. So it looks at its hints;
:: they say that dc.domain.com at IP 172.20.0.1 has the root zone, so it
:: asks dc.domain.com "do you know the root?" It answers yes. Then it asks
:: "do you know com.?" It answers yes. Then it asks "do you know
:: domain.com.?" It answers yes. Then it asks "do you know a.domain.com.?"
:: It answers "go ask dc.a.domain.com. at IP 172.20.0.2". So it goes to
:: IP 172.20.0.2 and asks "do you know machine.a.domain.com?" It
:: answers machine.a.domain.com is IP 172.20.0.3.
:
: Yes, this is how I understood it, except that the forwarders are checked
: before root hints.
: If I didn't explain too well I apologise.
::
:: I hope this explains how recursion works I don't know if your parent
:: is set up this way but it should be. the Child DNS servers do not
:: need delegations for the other children, this would only mess up
:: recursion and slow down resolution. The parent needs the delegations
:: so that it can find the children.
:
: In the top level domain I have 2 DCs. One has a dot zone and is the
: PDC Emulator (i.e. the 1st one created).
: Listed in this DNS zone are all the hosts living in the top level
: domain.com, a few workstations and the 2 DCs.
: Also listed in this zone are all the delegations to all 12 domains in
: the next level down.
: Each of these contains its own hosts along with the SRV records
: that AD requires.
: They all have a root hint to the top level server containing the .
: zone, populated automatically, not entered by me.
: None have forwarders set as of yet, but may do at a later stage when
: I kill the . zone so we can set up a forwarder on the old root server
: to the ISP's DNS server. But that's further down the road. I have some
: security issues to address first, like persuading the powers that be
: the internet really isn't all that bad providing you take the
: necessary precautions.
:
:
: Also I have now discovered the error of my original post; it was
: indeed a typo of sorts. In the child domain I had called the zone
: "child" instead of "child.domain.com".
:
: Once I recreated the zone with the FQDN it instantly had all the SRV
: records. Boy, did I look a plonker this morning. But hey, it is Friday
: 13th after all.
:
:

Well good deal, I'm glad you got it worked out.

I was afraid you had the root zone configured wrong, but it sounds like you
have it all worked out. I know it was a lot of work configuring the root
zone like this; it would be kind of a waste to let all this good work go by
deleting the zone. One thing about it, you could use the zone to delegate
some sites like windowsupdate so the computers can be updated. We had a
poster in here a few weeks back doing just that; you think he didn't have a
chore in front of him with all the CNAMEs Microsoft uses.
 

Ace Fekay [MVP]

In
Paul Landregan said:
My PDC Emulator in the top level domain does have a . zone.


This is all set up.

This is where the Parent will create its

Yes this is what we have.


Yes, this is how I understood it, except that the forwarders are checked
before root hints.
If I didn't explain too well I apologise.

In the top level domain I have 2 DCs. One has a dot zone and is the
PDC Emulator (i.e. the 1st one created).
Listed in this DNS zone are all the hosts living in the top level
domain.com, a few workstations and the 2 DCs.
Also listed in this zone are all the delegations to all 12 domains in
the next level down.
Each of these contains its own hosts along with the SRV records
that AD requires.
They all have a root hint to the top level server containing the .
zone, populated automatically, not entered by me.
None have forwarders set as of yet, but may do at a later stage when
I kill the . zone so we can set up a forwarder on the old root server
to the ISP's DNS server. But that's further down the road. I have some
security issues to address first, like persuading the powers that be
the internet really isn't all that bad providing you take the
necessary precautions.


Also I have now discovered the error of my original post; it was
indeed a typo of sorts. In the child domain I had called the zone
"child" instead of "child.domain.com".

Once I recreated the zone with the FQDN it instantly had all the SRV
records. Boy, did I look a plonker this morning. But hey, it is Friday
13th after all.


Thanks to all who have helped.

Yes, spelling DOES count!
:)

As far as forwarders from the child to the root, that is highly recommended
in a delegation scenario such as yours. This allows a client in a child, say
a.domain.com, to be able to find resources in another child, say
b.domain.com, as Kevin explained. The query will go to the parent,
then the parent will refer it to the DNS server in child B and retrieve the
answer. That's actually suggested in that article I provided, but in
actuality, many admins 'recommend' or actually absolutely 'require' it for
efficiency, especially in a large infrastructure, including with AD
replication.

;-)

--
Regards,
Ace

 

Paul Landregan

Kevin D. Goodknecht said:
In Paul Landregan <[email protected]> posted a question
Then Kevin replied below:
:: In Paul Landregan <[email protected]> posted a question
:: Then Kevin replied below:
::
:: You have totally misunderstood how recursion works. Read on, I'll
:: give you a picture and then explain how this works.
::
:: Whether you have internet access or not does not matter. I am not
:: sure if this is why the SRV records are not getting created. Your
:: idea of how the root hints work is totally incorrect. If the parent
:: DNS is not set up with a root zone, using it as a root hint is
:: totally incorrect and will not work unless the parent DNS has a root
:: zone.
:: You can use it as the only root hint on the child DCs, but you must
:: properly set up the parent DNS.
:: That means the parent DNS must have a root zone, that is a "." (dot),
:: then all of your zones and delegations MUST be set up in it. For you
:: to correctly use it as a root hint you need the parent set up this
:: way:
:
: My PDC Emulator in the top level domain does have a . zone.
:
:: .<--------The root zone, this is the zone that is looked for by the
:: root hint, then in that you need a sub domain named com. In the com
:: sub domain you need a subdomain named domain.
:
: This is all set up.
:
: This is where the Parent will create its
:: SRV records. Then in that subdomain you need Delegations named a, b,
:: c, and so on for each child domain pointing to the child DNS for
:: each child domain.
::
:
: Yes this is what we have.
:
:: Say DNS b wants to resolve a name in domain a, like
:: machine.a.domain.com. First it makes a simple query to itself for
:: "machine.a.domain.com". It does not have the answer so it checks its
:: forwarders. It has no forwarders so it says use recursion starting
:: at the root (the "."). It does not have a root zone so it says I
:: need a hint where the root (the ".") is. So it looks at its hints;
:: they say that dc.domain.com at IP 172.20.0.1 has the root zone, so it
:: asks dc.domain.com "do you know the root?" It answers yes. Then it asks
:: "do you know com.?" It answers yes. Then it asks "do you know
:: domain.com.?" It answers yes. Then it asks "do you know a.domain.com.?"
:: It answers "go ask dc.a.domain.com. at IP 172.20.0.2". So it goes to
:: IP 172.20.0.2 and asks "do you know machine.a.domain.com?" It
:: answers machine.a.domain.com is IP 172.20.0.3.
:
: Yes, this is how I understood it, except that the forwarders are checked
: before root hints.
: If I didn't explain too well I apologise.
::
:: I hope this explains how recursion works I don't know if your parent
:: is set up this way but it should be. the Child DNS servers do not
:: need delegations for the other children, this would only mess up
:: recursion and slow down resolution. The parent needs the delegations
:: so that it can find the children.
:
: In the top level domain I have 2 DCs. One has a dot zone and is the
: PDC Emulator (i.e. the 1st one created).
: Listed in this DNS zone are all the hosts living in the top level
: domain.com, a few workstations and the 2 DCs.
: Also listed in this zone are all the delegations to all 12 domains in
: the next level down.
: Each of these contains its own hosts along with the SRV records
: that AD requires.
: They all have a root hint to the top level server containing the .
: zone, populated automatically, not entered by me.
: None have forwarders set as of yet, but may do at a later stage when
: I kill the . zone so we can set up a forwarder on the old root server
: to the ISP's DNS server. But that's further down the road. I have some
: security issues to address first, like persuading the powers that be
: the internet really isn't all that bad providing you take the
: necessary precautions.
:
:
: Also I have now discovered the error of my original post; it was
: indeed a typo of sorts. In the child domain I had called the zone
: "child" instead of "child.domain.com".
:
: Once I recreated the zone with the FQDN it instantly had all the SRV
: records. Boy, did I look a plonker this morning. But hey, it is Friday
: 13th after all.
:
:

Well good deal, I'm glad you got it worked out.

I was afraid you had the root zone configured wrong, but it sounds like you
have it all worked out. I know it was a lot of work configuring the root
zone like this; it would be kind of a waste to let all this good work go by
deleting the zone. One thing about it, you could use the zone to delegate
some sites like windowsupdate so the computers can be updated. We had a
poster in here a few weeks back doing just that; you think he didn't have a
chore in front of him with all the CNAMEs Microsoft uses.


Thanks for all your help and support.

When we connect our private networks to the internet maybe I will require
further help. But I will first read up on DNS to get the correct way to do
things.
 

Paul Landregan

"Ace Fekay [MVP]"
In

Yes, spelling DOES count!
:)

As far as forwarders from the child to the root, that is highly recommended
in a delegation scenario such as yours. This allows a client in a child, say
a.domain.com, to be able to find resources in another child, say
b.domain.com, as Kevin explained. The query will go to the parent,
then the parent will refer it to the DNS server in child B and retrieve the
answer. That's actually suggested in that article I provided, but in
actuality, many admins 'recommend' or actually absolutely 'require' it for
efficiency, especially in a large infrastructure, including with AD
replication.

;-)


I will implement this next week. I will include the IPs of my two parent DNS
servers as forwarders on each of the child domains, not too difficult as I
have full visibility from my laptop in the office, and can use my console MMC
tools to configure the DNS servers. Then one day when we want to connect to
the net we have two choices.
1. Use a proxy server.
2. Remove the . zone from the 1st DC and set its forwarders to the DNS of
the ISP allowing full DNS resolution. Do we have to register our DNS with
the ISP or not to be able to utilise the ISP DNS as a forwarder?

Is this the best solution? Or is there a better way?
 

Ace Fekay [MVP]

In Paul Landregan <[email protected]> posted their thoughts, then I
offered mine

I will implement this next week. I will include the IPs of my two
parent DNS servers as forwarders on each of the child domains, not too
difficult as I have full visibility from my laptop in the office, and
can use my console mmc tools to configure the DNS servers. Then one
day when we want to connect to the net we have two choices.
1. Use a proxy server.
2. Remove the . zone from the 1st DC and set its forwarders to the
DNS of the ISP allowing full DNS resolution. Do we have to register
our DNS with the ISP or not to be able to utilise the ISP DNS as a
forwarder?

Is this the best solution? Or is there a better way.


That's the best recommendation. Leave the Root zone (the ".") and use a
Proxy or forward from the Root DNS *only* to the ISP. Just remember not to
forward from the child DNS servers, since they will get their responses from
the Root DNS.

No, not necessary to register anything with anyone, since this is all a
private network. Just set their IP addresses in as a forwarder. Sometimes,
some ISPs turn off the RA (recursion available) bit. If that's the case, those DNS
servers won't respond to a forwarded request (a "proxied" query). If you're
not sure, your Event log will more than likely state that it doesn't support
forwarding. If you stumble across this issue, use this address: 4.2.2.2.

Cheers!
;-)



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
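The RA (recursion available) check Ace describes can be done by hand: the following is an added example, not code from the thread or from Microsoft, that builds a query with RD set, decodes the 12-byte DNS header of the reply and reports whether RA is set. The sample replies are constructed so it runs offline; probe() sends a real UDP query and needs network access.

```python
# Added example (not from the thread): test whether a DNS server offers
# recursion, i.e. whether its replies carry the RA (recursion available) bit
# the posters mention. Standard library only; the sample replies are constructed.
import socket
import struct

RD, QR, RA = 0x0100, 0x8000, 0x0080  # header flag bits, RFC 1035 section 4.1.1


def build_query(name, txid=0x1234):
    """Minimal A/IN query for `name` with RD set, as a forwarder would send it."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)  # QDCOUNT=1
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp):
    """Decode the 12-byte header; raise on anything shorter."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an}


def forwarding_verdict(resp):
    """Classify a reply: can this server be used as a forwarder?"""
    h = parse_header(resp)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == 5:
        return "REFUSED: server declines queries from this client"
    if not h["ra"]:
        return "RA clear: no recursion offered, unsuitable as a forwarder"
    return "RA set: usable as a forwarder"


def probe(server, name="www.example.com", timeout=3.0):
    """Send one UDP query to `server`:53 and return the verdict (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return "transaction id mismatch" if data[:2] != q[:2] else forwarding_verdict(data)


# Constructed replies with the real header layout, so this runs offline.
RA_SET = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
RA_CLEAR = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 0, 0)
REFUSED = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0)
```

Run probe("<your ISP resolver IP>") from the parent DNS server before entering that address as a forwarder; an "RA clear" or "REFUSED" verdict is the condition the thread says shows up as the "doesn't support forwarding" event.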
 

Paul Landregan

"Ace Fekay [MVP]"
In Paul Landregan <[email protected]> posted their thoughts, then I
offered mine




That's the best recommendation. Leave the Root zone (the ".") and use a
Proxy or forward from the Root DNS *only* to the ISP. Just remember not to
forward from the child DNS servers, since they will get their responses from
the Root DNS.


If I leave the "." zone the forwarders option is not available. To forward
from the top level DNS I need to delete the root zone.
 

Ace Fekay [MVP]

In
Paul Landregan said:
If I leave the "." zone the forwarders option is not available. To
forward from the top level DNS I need to delete the root zone.

That's correct. You would do that in a Proxy scenario. If no proxy, then you
would need to delete it.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Paul Landregan

"Ace Fekay [MVP]"
In

That's correct. You would do that in a Proxy scenario. If no proxy, then you
would need to delete it.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

So which is better for a network of around 20 domains and 800 users: Proxy,
or delete the root and have forwarders to the net?
 

Ace Fekay [MVP]

In
So which is better for a network of around 20 domains and 800 users:
Proxy, or delete the root and have forwarders to the net?

This question now dwells on security design scenarios...

It highly depends on your security requirements or paranoia level. If you
decide to use Proxy or ISA, which is the more secure resolution to control
access to the Internet, then of course you would keep or create the Root
zone (the dot zone).

If your security requirements or budget do not require the use of a Proxy or
ISA server, then you would need to remove that zone and forward from the
Root domain DNS to the ISP.

With your scenario, implementing proxy or ISA is probably the better SECURE
solution. If you have multiple sites, I'd probably recommend an ISA
downstream at each location, with them all upstreaming to the Root ISA that
is connected outbound.

If you want more info on ISA, see www.microsoft.com/isa.

Hope that helps.




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Paul Landregan

"Ace Fekay [MVP]"
In

This question now dwells on security design scenarios...

It highly depends on your security requirements or paranoia level. If you
decide to use Proxy or ISA, which is the more secure resolution to control
access to the Internet, then of course you would keep or create the Root
zone (the dot zone).

If your security requirements or budget do not require the use of a Proxy or
ISA server, then you would need to remove that zone and forward from the
Root domain DNS to the ISP.

With your scenario, implementing proxy or ISA is probably the better SECURE
solution. If you have multiple sites, I'd probably recommend an ISA
downstream at each location, with them all upstreaming to the Root ISA that
is connected outbound.

If you want more info on ISA, see www.microsoft.com/isa.

Hope that helps.




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Thanks, you made my mind up for me. Proxy it is.
 

Ace Fekay [MVP]

In
Thanks, you made my mind up for me. Proxy it is.

Glad I was able to help and sell you on ISA...

Did you know I used to sell new cars for 3 years in the past....

;-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 