Child domains and how they work with DNS

  • Child domains and how they work with DNS

    Hi guys,

    I'm studying for my MCSE but I'm a little confused about child domains and how they integrate into DNS.

    Firstly, I've been reading this article

    I've set up a test lab in VMware to replicate a live environment.

    So as the process states, I installed a root domain (test.lan) on a DC called DC01 and checked DNS and all was as you would expect. I then installed the child domain (child.test.lan) and checked the root domain's DNS. This after 15 minutes populated the child domain's folder. So now I have a folder called 'child' as you would expect and this contains an 'A' record pointing to the domain controller of the new DC for the child domain. This is the automatically generated delegation for that child domain, I assume?

    Next I installed DNS on the child domain DC and configured a new zone for child.test.lan. I enabled forwarding for all other domains to the parent DNS server. On DC02 (the child domain controller) I could then query DNS for computers in the top level domain successfully.

    What I could not do is query records in the child domain from the parent domain. When I do I get the error "dc01.test.lan can't find dc02.child.test.lan: Non-existent domain"

    Even though there's a delegation it still fails. Why is this and what is the best practice way of getting round it? From what I understand the root DNS server contains information about authoritative DNS servers for the child domain but it won't go down the hierarchy and query that DNS server.

    Any help greatly appreciated!!

  • #2
    Re: Child domains and how they work with DNS

    The link you have given shows a different way of doing things than what you have carried out. You have installed the root domain and checked DNS. I take it DNS is on DC01?

    You then delegate the child DNS zone on DC01 to the 'to be' the future DC02.

    Then on DC02, install DNS and then create the child zone.

    DCPromo DC02 to be a DC for the Child Domain.

    When delegating the zone on DC01, the wizard will automatically set everything, so queries for the child domain are forwarded to the child domain. I don't believe you need to worry about forwarders on the child zone for the parent. Try it without for test purposes.


    • #3
      Re: Child domains and how they work with DNS


      Yes, I had 2 completely blank Win 2k3 boxes and installed DNS as part of the dcpromo on DC01.

      I actually ran dcpromo on the box to become the DC for the child domain before doing anything in DNS so the dcpromo process sorted out the delegation automatically so I can now see a folder called 'child' in the DNS snap-in. However if I nslookup on DC1 to try and see DC2 in the child domain it says non-existent domain. This is what I'm confused about as I expected it to sort this out automatically and be able to resolve names in the child domain.

      Have I done this incorrectly by not manually setting the DNS delegation? I was under the impression the promoting of the child domain controller (using dcpromo) automatically configured the DNS structure and the delegations.

      Please correct me if I'm wrong. I want to be certain about this before going into any exam.

      Thanks for your help so far.


      • #4
        Re: Child domains and how they work with DNS

        Is there a host record for DC02 on DC01 in DNS? This is referred to as the Glue record and will be needed. It will be used by the NS record for locating the child DNS server and of course allowing the queries for the child domain to be forwarded.

        If you haven't made DNS AD integrated, you could look at the DNS zone files to check.

        They are in the Windows folder, system 32, dns. You should see a file in there called something like test.lan.dns.

        You should hopefully see an entry as follows or similar.

        NS DC02.child.test.lan
        and either,

        DC02.child A (ip address of DC02) or
        DC02.child.test.local A (ip address of DC02)


        • #5
          Re: Child domains and how they work with DNS

          Ok, I'm a little confused as to where you mean (the DNS is AD integrated) so looking at the MMC snap-in I have the following:

          When I click the test.lan area the right hand pane shows:
          (same as parent folder) SOA dc01.test.lan
          (same as parent folder) NS dc01.test.lan
          (same as parent folder) A
          dc01 A

          Should the glue record be in here? I don't see an A record for the dc02 in any of the folders.


          • #6
            Re: Child domains and how they work with DNS

            If I were you, run the delegation wizard on the DNS of DC01. There should be an NS record for DC02.child.test.local and a host record for DC02 (the glue record)

            My comments were to do with a DNS setup as a Primary DNS server rather than AD integrated.

            It looks to me the delegation has not been made unless you can find the aforementioned records on DC01 somewhere.

            The NS record shows the authoritative DNS server for the domain name. The glue record is the host record used to find the authoritative DNS server referenced by the NS record. It is a glue record as it is a host record that should be in the child domain but is needed as communication on a network needs IP addresses. Without the glue record, DC02 cannot be contacted as its IP address is not known by the parent domain, test.lan on DC01.
            Last edited by Virtual; 17th February 2009, 17:32.


            • #7
              Re: Child domains and how they work with DNS

              I think I may have figured out what's happened by an error message that came up. What is being shown in the MMC snap-in is the DNS domain for the child domain and not a delegation. However when I try and create a delegation it says the following:

              A DNS domain or delegation by this name already exists. To change an existing delegation, right click etc. etc. To change a DNS domain into a delegation delete the domain and create the delegation.

              Now I'm confused as to what the difference between a domain and delegation is.

              Can anyone explain this?

              I also assume that creating a child domain with the DNS being hosted by that child domain is not simply a case of running the dcpromo wizard as I first expected and that I would have to prep the new server's DNS and DNS delegation before running DCPROMO?


              • #8
                Re: Child domains and how they work with DNS

                Hope the following helps.

                You have your 1st Domain in the Forest called test.lan.

                The DNS server authoritative for that domain is installed on DC01.test.lan. Any host records or computers etc in test.lan domain will be added to DC01.

                There will be an NS record for DC01 that shows that it is authoritative. There will be a host record for DC01 that has its IP address. There will also be resource records for AD etc. so hosts can find the relevant DCs in the domain.

                You have installed a subdomain (child domain) in the forest called child.test.lan. The fact that you have successfully installed the domain means that DNS for the child.test.lan domain must already exist or has been installed during DCPROMO. If DNS is on DC02 then that is the authoritative domain for child.test.lan.

                However, if the test.lan domain does not have an NS record for child.test.lan, it will only forward the traffic through the usual way thinking it is an internet domain name, so will go out to the internet, depending on DNS config.

                A delegation needs to be done on the parent zone: the zone that sits above the domain being delegated in the hierarchy.

                The DNS hierarchy starts at '.'. This is the DNS servers referenced in the Root Hints. That has delegation records for .com, .net etc. etc. and knows that if a request is for .net or .com, it knows the DNS server to send it to. The person who has purchased, for example, will have registered a delegation record (or the ISP would have done it for them or another authority) for the external IP address of their firewall. So if a request is for, a www host record exists with the external IP of the person who owns the name and so on.

                So in your case, the delegation for child.test.lan must be made on DC01. That should contain an NS record for
                DC02.child.test.lan and a host record for DC02 (Glue record). Any traffic destined for child.test.lan will then be delegated to DC02 and lookups can then be made by referring them to the authoritative zone for child.test.lan.
                Last edited by Virtual; 17th February 2009, 18:54.
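To make the point in #4 and #8 concrete, here is a small Python model of the two parent configurations being discussed: child names kept in a plain sub-folder (a 'DNS domain') inside test.lan on DC01, versus a real delegation consisting of an NS record plus a glue A record pointing at DC02. This is an added example, not code from the thread and not how the Windows DNS server is implemented; every zone record, host name and 10.0.0.x address in it is constructed, and the `scenario` helper and the `status` strings it returns are my own naming.

```python
"""
Toy model of the distinction discussed in this thread: child names kept in a
sub-folder (a 'DNS domain') inside the test.lan zone on DC01, versus a real
delegation (an NS record plus a glue A record) handing child.test.lan to DC02.

Added example, not from the thread and not the Windows DNS server's code.
Every zone record, host name and 10.0.0.x address below is constructed.
"""


def make_dc02():
    """DC02: authoritative for child.test.lan (constructed records)."""
    return {
        "ip": "10.0.0.2",
        "zones": {
            "child.test.lan": {
                "child.test.lan": {"NS": ["dc02.child.test.lan"]},
                "dc02.child.test.lan": {"A": ["10.0.0.2"]},
                "fileserver.child.test.lan": {"A": ["10.0.0.20"]},
            }
        },
    }


def make_dc01(delegate, glue=True):
    """DC01: authoritative for test.lan, either with a delegation or with a
    plain sub-folder holding whatever records were put there by hand."""
    zone = {
        "test.lan": {"NS": ["dc01.test.lan"]},
        "dc01.test.lan": {"A": ["10.0.0.1"]},
    }
    if delegate:
        zone["child.test.lan"] = {"NS": ["dc02.child.test.lan"]}
        if glue:
            # glue: address of a name server whose name lies inside the child zone
            zone["dc02.child.test.lan"] = {"A": ["10.0.0.2"]}
    else:
        # 'DNS domain': the folder the original poster saw, one A record in it
        zone["dc02.child.test.lan"] = {"A": ["10.0.0.2"]}
    return {"ip": "10.0.0.1", "zones": {"test.lan": zone}}


def authoritative_query(server, qname, qtype):
    """Answer like an authoritative server: ('answer', rrs), ('referral', info),
    ('nxdomain', None) or ('refused', None) when no zone encloses qname."""
    labels = qname.split(".")
    apex = next((".".join(labels[i:]) for i in range(len(labels))
                 if ".".join(labels[i:]) in server["zones"]), None)
    if apex is None:
        return "refused", None
    zone = server["zones"][apex]
    # Walk from just below the apex down to qname: an NS set at any of those
    # names is a zone cut, and the server answers with a referral, not data.
    for i in range(len(labels) - len(apex.split(".")) - 1, -1, -1):
        cut = ".".join(labels[i:])
        ns = zone.get(cut, {}).get("NS")
        if ns:
            glue = {n: zone.get(n, {}).get("A", []) for n in ns}
            return "referral", {"zone": cut, "ns": ns, "glue": glue}
    rrs = zone.get(qname, {}).get(qtype)
    return ("answer", rrs) if rrs else ("nxdomain", None)


def resolve(servers, start, qname, qtype="A", max_hops=5):
    """Iterative lookup starting at server `start`, following referrals.
    Returns (status, data, trace); trace lists each server's reply in turn."""
    by_ip = {s["ip"]: name for name, s in servers.items()}
    current, trace = start, []
    for _ in range(max_hops):
        status, data = authoritative_query(servers[current], qname, qtype)
        trace.append(f"{current}: {status}")
        if status != "referral":
            return status, data, trace
        addrs = [ip for ns in data["ns"] for ip in data["glue"].get(ns, [])]
        if not addrs:
            # The NS name sits inside the delegated zone; without glue we would
            # have to ask the very server whose address we are trying to learn.
            return "no_glue", data["ns"], trace
        if addrs[0] not in by_ip:
            return "unreachable", addrs, trace
        current = by_ip[addrs[0]]
    return "loop", None, trace


def scenario(delegate, glue=True, qname="fileserver.child.test.lan"):
    """Ask DC01 for `qname` under one of the parent configurations above."""
    servers = {"dc01": make_dc01(delegate, glue), "dc02": make_dc02()}
    return resolve(servers, "dc01", qname)


if __name__ == "__main__":
    cases = [
        ("sub-folder, name only known to DC02", dict(delegate=False)),
        ("sub-folder, record typed into the folder",
         dict(delegate=False, qname="dc02.child.test.lan")),
        ("delegation with NS + glue", dict(delegate=True)),
        ("delegation with NS but no glue", dict(delegate=True, glue=False)),
    ]
    for desc, kwargs in cases:
        status, data, trace = scenario(**kwargs)
        print(f"{desc:42} -> {status:11} {data}  via {' / '.join(trace)}")
```

Running it shows why the sub-folder only answers for records someone typed into it and returns a non-existent domain for anything registered solely on DC02, while the delegation hands the query off to DC02 and gets the answer; the last case shows that an NS record without its glue A record leaves the parent unable to reach the child server at all.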


                • #9
                  Re: Child domains and how they work with DNS

                  Thanks for that. I'm pretty good on DNS as a whole but this is the first time I've encountered what actually goes on within DNS when a subdomain is installed.

                  When I tried to add the delegation it complains there is already a domain or delegation for the child.test.lan which I assume is coming from the folder I can see in the MMC snap-in.

                  I've attached two screenshots, one of the records in the root of test.lan and one of the records in the 'child' folder. It's the child folder that was automatically created when I dcpromo'd the DC for the child domain.

                  So if I understand you correctly, I should have an NS record in the test.lan folder (added by right clicking the test.lan folder, properties, name servers tab and adding the name server for child.test.lan in there) and in the child folder I should have an 'A' record for DC02?


                  • #10
                    Re: Child domains and how they work with DNS

                    Just to add, I have just tried the method I talked about and tried to nslookup a manually created record in the child.test.lan domain but it said it couldn't find it. I'm baffled!


                    • #11
                      Re: Child domains and how they work with DNS

                      Just need to check something but in the child folder you seem to have an IP address different to DC01. What is that IP address?


                      • #12
                        Re: Child domains and how they work with DNS

                        Yes, I noticed that as well so deleted the dc01 record in there and changed it to dc02.

                        Ip addresses are as follows:

                        DC01 -
                        DC02 -


                        • #13
                          Re: Child domains and how they work with DNS

                          Looking at it further, it looks as if the child domain is on DC01 and not DC02. Is DNS on DC02?

                          As it is a practice environment, back up system state if you wish on DC01 and DC02 using ntbackup.

                          Then remove the Child domain in DNS, if it allows you to do so. Make sure DNS is installed on DC02 and then setup the delegation on DC01.

                          If it doesn't allow you to, demote DC02 by using DCPROMO on it to remove it from the domain.

                          Set up the delegation to DC02 on DC01, install DNS on DC02 and then DCPromo the box. In fact, the first link you gave will be what you follow in the second scenario and will probably be the best scenario to use. You appear to not have followed the steps shown on that link.

                          Good luck.
                          Last edited by Virtual; 18th February 2009, 11:14.


                          • #14
                            Re: Child domains and how they work with DNS

                            Many thanks for your help. I must admit I didn't install DNS on the child domain when I did the DCPromo so assume that it was using the DNS on DC01 as its DNS server to host the child domain's DNS.

                            Looking at our live environment I'm thinking this is what's happening here as well. That's why I've done this to try and figure out what's actually happening as no one knows what's going on with it. Luckily our top level domain is only used as a namespace holder but now we want to put other things in there like a root certificate server.

                            I'll post back with my results in the next few minutes!


                            • #15
                              Re: Child domains and how they work with DNS

                              Thanks, please do.

                              If DC02 was pointing at DC01 as its DNS then it would have used DC01 more than likely.