Adding domains to a zone

rjbarlow Member Posts: 411
Hello,

I would like to know how adding domains to an existing zone is used, or how I can use it, and whether this practice can replace adding new zones for subdomains and getting them updated through zone transfers or AD replication.

For example:

- I manage a domain named "fantasy.net" and I deploy a first DC ("DC1.fantasy.net") for this domain. This DC is also a DNS server with a zone for "fantasy.net".

- Next, I add a new domain to the forest, named "us.fantasy.net", and this domain too has its own DC/DNS server ("DC1.us.fantasy.net").

I notice that this second action adds a domain "us" to the zone "fantasy.net" on the first DC/DNS server, "DC1.fantasy.net".

But this new domain "us" in the zone "fantasy.net" does not contain any of the RRs held in the original zone "us.fantasy.net", just an "A" RR for the domain ("SAME AS PARENT FOLDER...") followed by an IP address.

Thank you.
Pork 3
Maindrian's music

WIP: 70-236, 70-293 and MCSE.

Comments

  • royal Member Posts: 3,352
    When you created a child, there would have had to be a delegation in the fantasy.net zone, so that when the DC in us.fantasy.net was being promoted it would see itself as the delegated DNS server and would prompt you to install DNS. Because you didn't have a delegation set, the fantasy.net DNS server created a folder for the us zone and thinks it's authoritative.

    One of the things you can do is dcpromo and uninstall and then make sure the delegation is set and dcpromo again.

    Another thing you may be able to do is play around: right now just create the delegation, then set a stub zone or forwarder on your us domain to point to the parent, set the DNS to itself on the us DC, and try registering its DNS and restarting Netlogon so all the SRV records are properly registered, etc....
    “For success, attitude is equally as important as ability.” - Harry F. Banks
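As an added illustration (not part of royal's reply or of this thread), the delegation described above can be created and checked with the DnsServer PowerShell module that ships with Windows Server 2012 and later; the thread itself is from the 2003-era toolset, where the same steps are done in the DNS console. The server names and the IP address below are assumptions for the fantasy.net example.

```powershell
# Added example: delegate "us.fantasy.net" from the parent zone to the child DC's DNS server.
# Run on the parent DNS server (DC1.fantasy.net). Names and the IP address are assumed values.
$ParentZone = 'fantasy.net'
$ChildLabel = 'us'                       # child zone label inside the parent zone
$ChildDns   = 'dc1.us.fantasy.net'       # name server authoritative for us.fantasy.net
$ChildDnsIp = '10.0.2.10'                # assumed address of that server (glue record)

# 1. Look at what the parent currently holds under "us". In the thread this is the
#    auto-created folder with a single A record, which the parent wrongly treats as
#    authoritative data; review anything listed here before delegating.
Get-DnsServerResourceRecord -ZoneName $ParentZone -Name $ChildLabel -ErrorAction SilentlyContinue |
    Format-Table HostName, RecordType, RecordData -AutoSize

# 2. Create the delegation: an NS record for "us" in fantasy.net plus the glue A record
#    for the child name server.
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
    -NameServer $ChildDns -IPAddress $ChildDnsIp

# 3. Confirm the delegation as the parent now sees it.
Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel

# 4. Resolve a child-domain locator record through the parent. With a working
#    delegation the parent refers the query to dc1.us.fantasy.net, and the answer is
#    the DC locator SRV record that clients use to find a DC for the child domain.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ChildLabel.$ParentZone" -Type SRV -Server 'dc1.fantasy.net'
```

Step 4 is the check that matters for the logon error reported later in the thread: if the parent answers the `_msdcs` SRV query for the child from its own stale "us" folder instead of referring to the child DC, clients in fantasy.net cannot locate a DC for us.fantasy.net.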
  • rjbarlow Member Posts: 411
    Royal, thanks much;
    in fact, when I tried to log on to the domain "us.fantasy.net" from a computer that has an account in the "fantasy.net" domain ("comp1.fantasy.net"), I got an error: "The domain US is not available";
    although the domain "us" created automatically within the "fantasy.net" zone had a correct SRV record pointing to the Domain Controller of the "us.fantasy.net" domain (and other SRV RRs).

    Now that I have set a delegation, that computer logs on quietly to "us.fantasy.net".

    But now I have one other problem:
    even though the computer "comp1.fantasy.net" has succeeded in logging on to "us.fantasy.net", it gets an error browsing the "us" domain. It continues to browse the "fantasy.net" domain without problems instead. How can I fix that?
    No connection problems.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • rjbarlow Member Posts: 411
    Maybe an image can help focus on the problem:

    [image: scenariobidominioov6.jpg]

    Thinking about it, I am quite sure however that it is not a DNS issue, but something related to trusts (which I have not yet studied).

    "Comp1.fantasy.net" logs on to the "us.fantasy.net" domain successfully, but can't browse it.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • TechJunky Member Posts: 881
    Can you ping the IP address for us.fantasy.net? If so, can you ping us.fantasy.net?
  • royal Member Posts: 3,352
    Wouldn't be a trust. Each domain within a forest trusts each other even if there's no direct trust due to the nature of transitive trusts from tree to tree and from child to parent relationships. If you're trying to browse resources in other domains, you still have to assign permissions to the user in the other domain.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • rjbarlow Member Posts: 411
    TechJunky wrote:
    Can you ping the ip address for the us.fantasy.net, if so.. can you ping us.fantasy.net?
    No connection problem.
    royal wrote:
    Wouldn't be a trust. Each domain within a forest trusts each other even if there's no direct trust due to the nature of transitive trusts from tree to tree and from child to parent relationships. If you're trying to browse resources in other domains, you still have to assign permissions to the user in the other domain.
    Royal, what actually works like you say is the following scenario:

    [image: scenariobidominioia9.jpg]

    Note that this time I put a switch between all the computers, so all of them are in the same subnet.

    If I put a router in the middle like in the first image, I am not able to browse domains different from that in which the computer has an account (one domain = one subnet).

    I think the problem could be that browsing the network is done through NetBIOS, so it cannot cross the router, and my attempts are rejected.

    Please correct me if I am saying something foolish, I am not sure.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • royal Member Posts: 3,352
    You are correct in the assumption that the router will block NetBIOS broadcasts. Here's a good chance for you to learn WINS if you haven't already.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • wedge1988 Member Posts: 434
    I'm not 100% sure on this (I'm looking over 291 materials for the exam), but I think you should try running "netdiag /fix" - no quotes, which will show you any errors and fix them. Actually, on the CBT Nuggets videos for 70-291 (DNS Part 2), James Conrad shows you this in action. He runs this cmd utility and it populates the faulty DNS zone with RRs!

    hope this helps!
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • royal Member Posts: 3,352
    wedge1988 wrote:
    I'm not 100% sure on this (I'm looking over 291 materials for the exam), but I think you should try running "netdiag /fix" - no quotes, which will show you any errors and fix them. Actually, on the CBT Nuggets videos for 70-291 (DNS Part 2), James Conrad shows you this in action. He runs this cmd utility and it populates the faulty DNS zone with RRs!

    hope this helps!

    And do you know what netdiag /fix specifically does behind the scenes to fix the missing SRV records (something Conrad doesn't tell you)? I'll give you a couple of guesses and if you don't get it, I'll tell you. :)
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • royal Member Posts: 3,352
    Meh, nobody answered. Well, netdiag /fix restarts the Netlogon service. Restarting the Netlogon service manually fixes missing SRV records.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    royal wrote:
    Meh, nobody answered. Well the netdiag /fix restarts the netlogon service. Restarting the netlogon service manually fixes missing SRV records.

    We have actually had to do this before. The DCs weren't letting any new computers join the domain. We noticed in the logs that our local site DCs had no SRV records. And of course, due to ACLs on routers and firewalls, it was impossible to actually connect to a different site's DC (all DCs communicate through an IPsec tunnel, but not clients). So we restarted the Netlogon service on the DCs and bingo - instant SRV records. Problem fixed.
    All things are possible, only believe.
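The two posts above (royal's note that restarting Netlogon re-registers the DC locator records, and sprkymrk's account of doing exactly that) can be turned into a before/after check. This is an added example, not code from anyone in the thread; the domain name is assumed, the locator record names are the standard ones every DC registers under `_msdcs`, and the cmdlets used exist on Windows Server 2008 R2/2012 and later rather than on the 2003 systems the thread discusses.

```powershell
# Added example: list a DC's own locator (SRV) records, re-register them, and verify.
# Run on the domain controller itself, against its own DNS server (127.0.0.1).
# The domain name is an assumed value.
$Domain = 'us.fantasy.net'

# Standard DC locator names that Netlogon registers for every domain controller.
$Locators = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # "find a DC for this domain"
    "_kerberos._tcp.dc._msdcs.$Domain",  # "find a KDC for this domain"
    "_ldap._tcp.$Domain"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string]$Server)
    foreach ($n in $Names) {
        # A missing record surfaces as an error, which we turn into Present = $false.
        $r = Resolve-DnsName -Name $n -Type SRV -Server $Server -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Record  = $n
            Present = [bool]$r
            Targets = ($r | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ','
        }
    }
}

# 1. Before: which locator records does the local DNS server return right now?
Test-DcLocatorRecords -Names $Locators -Server '127.0.0.1' | Format-Table -AutoSize

# 2. Why are they missing? Netlogon reports failed dynamic registrations to the
#    System log (source NETLOGON, event 5774). The message names the record and the
#    DNS server it tried, which distinguishes "zone refuses dynamic updates" from
#    "DC points at the wrong DNS server" before anything is restarted.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# 3. Re-register. Restarting Netlogon is what the thread describes; `nltest /dsregdns`
#    asks the running service to re-register its records without a restart and is the
#    gentler option on a production DC.
Restart-Service -Name Netlogon
# Alternative without a service restart:
# nltest /dsregdns

# 4. After: the records should now be present and their targets should be this DC.
Test-DcLocatorRecords -Names $Locators -Server '127.0.0.1' | Format-Table -AutoSize
```

Checking the 5774 events first is worth the extra minute: a restart re-registers the records only if the zone accepts the update, so if the "after" table is still empty the event text points at the real cause (for example the DC's preferred DNS server not hosting a writable copy of the zone).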