DNS delegation

tel_s1234 Member Posts: 24
A quick question about delegation for anyone: do you have to delegate a zone when it's first created, i.e. when creating a child domain, or can you do it later on, i.e. for an existing zone which is already authoritative on one DNS server that I might want to move to another DNS server?

Thanks

Comments

  • royal Member Posts: 3,352
    Let's say you are creating a child domain (child.domain.com) in an Active Directory environment. That second domain (child domain) that gets dcpromo'd won't prompt to install DNS. Why? Well, in order to join an existing forest and create a child domain, you must point the DNS IP to a domain controller that hosts domain.com. Now because the domain.com domain controller hosts the second-level domain domain.com, and child.domain.com is a contiguous namespace, when you dcpromo that child.domain.com domain controller, it won't prompt you to install DNS. It will actually create a folder under the domain.com namespace on the domain.com domain controller due to that similar namespace. What you can do is create a delegation on that domain.com domain controller that says child.domain.com will be delegated the child.domain.com namespace to the IP address of which you are going to dcpromo for the child.domain.com Active Directory domain. Now when you dcpromo, it'll see it's delegated for its own namespace, and will now prompt you to install DNS.

    So, the short answer to your question: if it's just a plain old domain, it doesn't really matter too much. You can create it before or after you create the child domain. If you are talking about an Active Directory domain, I would definitely do the delegation prior to doing a dcpromo for the reasons stated above.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • tel_s1234 Member Posts: 24
    Thanks for the quick reply royal. I know that you can delegate at the creation of the child domain, but say for argument's sake I let the parent domain DNS manage the zone, then find two months down the line that I want to delegate the zone to the child domain. Would I be able to do that without causing problems? In an AD environment?
  • royal Member Posts: 3,352
    To be quite honest, I'm not too sure. I'm trying to think of ways this can be done. See, the problem is, if you used it for 2 months, then it's got data in it. Because of this, you can't just create the delegation because there is already a container in there with a bunch of data. Also, you can't right-click on the folder that's created on the parent DNS server and just say "replace this with a delegation and send this folder to the delegated server to manage." I wonder if there are any tools that can do this sort of DNS migration.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • tel_s1234 Member Posts: 24
    Ok, thanks anyway.
  • sprkymrk Member Posts: 4,884
    I'm thinking you would delete the zone from the Master, then set up the delegation.
    All things are possible, only believe.
  • royal Member Posts: 3,352
    I'm assuming you mean the folder within the zone and not the zone itself, due to the fact you wouldn't be moving an entire zone, but just removing that one folder that the current child domain is using to store data? Also, if it's been there for 2 months, deleting it will delete all the data there is in that folder. That's where I'm trying to figure out a workaround. How can you keep all that data and have it migrated to the new domain controller without having to delete the folder? I'm thinking there is a tool that will copy that folder with all the data, create the delegation, set the DC to now use itself as the DNS server, and have the tool migrate/merge all the copied data into the zone.

    Do you know of a way to do this Mark? It has me scratching my head. :/
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    Okay, let's have fun with this. How about: create a secondary zone on a server in the child domain. Perform a zone transfer (reload from master). Then change the zone type on the master to secondary, change it on the secondary to primary, then remove the secondary from the original master, and finally run the zone delegation wizard on the parent server to point to the new master in the child domain.... (take deep breath).

    I am asking myself, would that work???
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    Also, back to the subject of deleting a zone:

    Deleting a domain or subnet deletes all DNS records in a zone file but doesn't actually delete the zone file on a standard primary or standard secondary server. The actual zone file remains in the %SystemRoot%/System32/Dns directory even after you delete the zone from the DNS MMC. It may be possible to use that file to rebuild the zone on another server. I don't know for sure.
    All things are possible, only believe.
  • royal Member Posts: 3,352
    Problem I am seeing with this: if you install DNS on the child domain so you can eventually have it be authoritative for its own domain, and you were to create a secondary, it'd have to be the same domain name as the parent DNS server. This means when you do the zone transfer, it'd pull all the data from the parent (this will definitely not work well with politics, as the new child will also contain unnecessary data from the parent). We're still back at the point of taking that folder from the zone that has the parent's namespace, having to create a new primary zone just for the child domain's namespace, and somehow getting that folder within the parent's zone over to the new child domain's zone.

    *scratches head some more*
    sprkymrk wrote:
    Also, back to the subject of deleting a zone:

    Deleting a domain or subnet deletes all DNS records in a zone file but doesn't actually delete the zone file on a standard primary or standard secondary server. The actual zone file remains in the %SystemRoot%/System32/Dns directory even after you delete the zone from the DNS MMC. It may be possible to use that file to rebuild the zone on another server. I don't know for sure.

    Good observation. I'm quite curious about this. I might have to play on my lab a bit tomorrow. As for now, I'm about to go see the movie Knocked Up in 5 minutes.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
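    One concrete way to do the step the thread is stuck on (lifting the child "folder" out of the parent's zone into its own primary zone and leaving a delegation behind) when the zones are standard, file-backed zones like the %SystemRoot%\System32\Dns files mentioned above. This is an added example, not code from any poster; the zone contents, names, IPs and serial are constructed. AD-integrated zones have no zone file, so there the records would first have to be exported with the server's own tools.

```python
# Constructed sample standard primary zone for domain.com. The child.domain.com
# records live inside the parent zone, as in the thread, with no delegation yet.
PARENT_ZONE = """\
$ORIGIN domain.com.
$TTL 3600
@          IN SOA dc1.domain.com. hostmaster.domain.com. 2024060101 900 600 86400 3600
@          IN NS  dc1.domain.com.
dc1        IN A   10.0.0.10
www        IN A   10.0.0.20
dc1.child  IN A   10.0.1.10
app.child  IN A   10.0.1.20
_ldap._tcp.child IN SRV 0 100 389 dc1.child.domain.com.
"""

def split_child_zone(zone_text, parent, child_label, child_ns, serial):
    """Return (parent_lines, child_lines).

    Every record whose owner is child_label or ends in .child_label is moved into
    a new zone with origin child_label.parent, with its owner rewritten relative
    to that origin. The parent keeps the rest plus an NS delegation and glue.
    Assumes one record per line (no multi-line SOA) and relative owner names."""
    parent_out, child_out, glue = [], [], {}
    child_fqdn = f"{child_label}.{parent}."
    for line in zone_text.splitlines():
        tokens = line.split()
        if not tokens or line.startswith("$") or len(tokens) < 4:
            parent_out.append(line)          # directives and blanks stay put
            continue
        owner, rdata = tokens[0], " ".join(tokens[1:])
        if owner == child_label or owner.endswith("." + child_label):
            rel = "@" if owner == child_label else owner[: -len(child_label) - 1]
            child_out.append(f"{rel} {rdata}")
            # The child's name server sits inside the delegated namespace, so the
            # parent needs a glue A record or resolvers can never reach it.
            if tokens[2] == "A" and f"{owner}.{parent}." == child_ns:
                glue[owner] = tokens[3]
        else:
            parent_out.append(line)
    parent_out.append(f"{child_label} IN NS {child_ns}")
    for owner, ip in glue.items():
        parent_out.append(f"{owner} IN A {ip}")
    child_header = [
        f"$ORIGIN {child_fqdn}",
        "$TTL 3600",
        f"@ IN SOA {child_ns} hostmaster.{child_fqdn} {serial} 900 600 86400 3600",
        f"@ IN NS {child_ns}",
    ]
    return parent_out, child_header + child_out

if __name__ == "__main__":
    p, c = split_child_zone(PARENT_ZONE, "domain.com", "child", "dc1.child.domain.com.", 2024060102)
    print("\n".join(p), "\n---\n", "\n".join(c), sep="")
```

    Load the child output as a new primary zone on the child's DNS server before replacing the parent's copy, and bump the parent's SOA serial so secondaries pick up the delegation.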
  • tel_s1234 Member Posts: 24
  • royal Member Posts: 3,352
    That seems like it would do the trick. Thanks for the link.
    “For success, attitude is equally as important as ability.” - Harry F. Banks