Resolving DNS Child Domain Delegation Issue

Summary:

A company has an AD forest with a parent domain and four child domains. One of the child domain DNS zones was properly delegated and the other three were not, resulting in a DNS configuration error. The zones have been configured as Active Directory-Integrated and are configured to replicate to the entire forest. Running the dcdiag tool reports the errors in DNS zone delegation. Even though the zone delegations have been configured incorrectly, the service and host records have been registered in the child domain zone and have replicated across the enterprise. The goal is to fix the delegation using a backup and restore method.

Assumptions:

· There are two domain controllers, one for the parent domain and one for the child domain with DNS installed
· There is at least one parent and one child domain
· The zones are AD integrated
· There are already records registered in the child domain, including service records for AD, but the child domain delegation is not configured properly. In other words, if you right-click on the child domain under the parent domain you are not offered "Properties…" in the menu, or if you left-click on the subdomain under the parent domain all of the AD and host records are listed there.
· You have installed the Windows 2003 Support Tools from the installation CD as well as the AdminPak tools from the i386 directory on the install CD
· You’ve run "dcdiag /test:dns /e /v /f:dnstest.log" and it reports that there are child domain delegation problems

Resolution:

Note: It is recommended that you test this in a lab environment first to get familiar with the steps and the outcome

To repair the DNS child domain delegation given the assumptions listed above:
1. Install the Windows 2003 Support Tools from the installation CD on whatever machine you will be running the repair from. The repair does not need to be run from a domain controller although it is recommended.
2. Determine which DNS server in the domains has the most up-to-date records and export a copy of the parent and child domain zones using the following command. Important: Make backup copies of all DNS exports and put one copy in a safe place, because the import process deletes the original import file.
Command: dnscmd "servername" /ZoneExport "FQDN of the zone goes here" "filename.txt"
Example, dnscmd branchsrv1 /ZoneExport branch.contoso.com branch-contoso.txt
Note: /ZoneExport takes the output file name as a plain argument (no /file switch), and the file is saved in the %windir%\system32\dns directory of the server named in the command.
3. Delete the child domain zone from the parent server
Example,
If your parent domain name is contoso.com with a child domain called branch.contoso.com, remove any references to branch.contoso.com from both the parent server and child server.
4. On the domain controller in the parent domain, create a new delegation manually by right-clicking on the parent domain zone and selecting "New Delegation…". Enter the child domain name, click Next, then enter the FQDN and IP address of the child domain controller(s) and click Next and then click Finish. Review any error messages that pop up and resolve them before continuing. One common error is that the zone already exists which means you will have to review the zones on the server you are performing this operation on and remove the conflicting zone(s).
5. On the domain controller in the child domain, we will use the export file created above to restore the child domain. Copy the import file to the %windir%\system32\dns directory. Create the child domain zone using another dnscmd command. The following command creates a Primary zone on the child domain controller:
Example,
dnscmd branchsrv1 /ZoneAdd branch.contoso.com /Primary /file branch-contoso.txt /load
You should receive a confirmation message that the zone has been successfully created.
6. Verify the new zone has been created in the DNS management tool and that the records have been restored.
7. Now you need to convert the Primary zone to an AD-integrated zone and re-configure the zone for dynamic updates and the appropriate replication scope
8. In the DNS manager right-click the child domain DNS server and select "Properties". Configure a forwarder to point back to the parent DNS server(s) in the root domain (for example, contoso.com)
9. Verify the DNS changes have been replicated
10. Run the dcdiag command to verify the zones are configured properly
Dcdiag /test:dns /e /v /f:dnstest.log - This tests the DNS configuration (except external resolution) for the entire enterprise and will report any issues with child domain delegations. Review the log file after it completes. Repeat the steps listed above to resolve any remaining issues.
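The dnscmd portion of the procedure above (steps 2, 3, 5, 7, 8 and 10) as one script, added here as an example and not part of the original post. It assumes it is run on the child domain controller itself (so the export lands in that server's %windir%\system32\dns), that the parent-side delegation from step 4 has already been created in DNS Manager, and that the server names, zone name, forwarder IP and backup path are placeholders to be replaced; the /ZoneDelete, /ZoneResetType, /Config and /ResetForwarders switches are standard dnscmd options not shown in the post.

```powershell
# Added example (not from the original post): runs the dnscmd steps of the
# repair in order and stops at the first failure, so the safe backup copy is
# taken before anything consumes the export file.
# Assumes: run on the child DC; step 4 (parent delegation) already done in
# DNS Manager; every name, IP and path below is a placeholder.
param(
    [string]$ChildServer = 'branchsrv1',          # child domain DC running DNS
    [string]$ChildZone   = 'branch.contoso.com',  # child domain zone to repair
    [string]$ParentDnsIp = '10.0.0.10',           # parent-domain DNS server for the forwarder
    [string]$ExportFile  = 'branch-contoso.txt',  # export/import file in %windir%\system32\dns
    [string]$BackupDir   = 'C:\dnsbackup'         # second copy kept outside the DNS directory
)
$ErrorActionPreference = 'Stop'
$dnsDir = Join-Path $env:windir 'system32\dns'

function Invoke-Dnscmd {
    # Run one dnscmd step; abort the script if it fails so a half-done repair is not left behind.
    param([string[]]$Arguments)
    & dnscmd @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed (exit code $LASTEXITCODE)" }
}

# Step 2: export the zone, then keep a dated copy (ZoneAdd ... /load deletes the original).
Invoke-Dnscmd $ChildServer, '/ZoneExport', $ChildZone, $ExportFile
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('{0}-{1}.txt' -f $ChildZone, (Get-Date -Format 'yyyyMMdd-HHmm'))
Copy-Item -Path (Join-Path $dnsDir $ExportFile) -Destination $backup
# Sanity check: the AD service records are SRV records; an export without any is the wrong server.
if (-not (Select-String -Path $backup -Pattern '\sSRV\s' -Quiet)) {
    throw "Export $backup contains no SRV records; export from the server with current records"
}

# Step 3: remove the stale child zone from the child server (and from AD, without prompting).
Invoke-Dnscmd $ChildServer, '/ZoneDelete', $ChildZone, '/DsDel', '/f'

# Step 5: recreate the zone as a file-backed Primary zone loaded from the export (command from the post).
Invoke-Dnscmd $ChildServer, '/ZoneAdd', $ChildZone, '/Primary', '/file', $ExportFile, '/load'

# Step 7: convert to AD-integrated with forest-wide replication; allow secure dynamic updates only (2).
Invoke-Dnscmd $ChildServer, '/ZoneResetType', $ChildZone, '/DsPrimary', '/dp', '/forest'
Invoke-Dnscmd $ChildServer, '/Config', $ChildZone, '/AllowUpdate', '2'

# Step 8: forward unresolved queries back to the parent domain's DNS server.
Invoke-Dnscmd $ChildServer, '/ResetForwarders', $ParentDnsIp

# Step 10: re-run the enterprise-wide DNS test and review the log for delegation errors.
& dcdiag /test:dns /e /v /f:dnstest.log
Write-Host "Repair commands completed; review dnstest.log and confirm replication in DNS Manager (steps 6 and 9)."
```

Steps 4, 6 and 9 remain manual checks in DNS Manager, exactly as the procedure above describes them.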

Additional information:

To properly set up a delegated child domain in AD please refer to the following article:

How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain
http://support.microsoft.com/kb/255248/
