Discussion:
Child domain and DNS
Strunk
2008-11-07 10:05:00 UTC
Hi,

I have setup a child domain according to
http://support.microsoft.com/kb/255248
in Windows 2003. But after the dcpromo is run and AD is setup and working in
the Child I can't replicate anymore.
I can't even do an nslookup on the root domain. nslookup works from the
Child domain.
Does anyone have a hint to what could be wrong?
--
/Strunk
James Yeomans BSc, MCSE
2008-11-07 13:47:02 UTC
Hi there, what exactly is it that won't replicate and between which servers?
Also are there any errors in the event logs?
James.
--
James Yeomans, BSc, MCSE
Ask me directly at: http://www.justaskjames.co.uk
Post by Strunk
Hi,
I have setup a child domain according to
http://support.microsoft.com/kb/255248
in Windows 2003. But after the dcpromo is run and AD is setup and working in
the Child I can't replicate anymore.
I can't even do an nslookup on the root domain. nslookup works from the
Child domain.
Does anyone have a hint to what could be wrong?
--
/Strunk
Ace Fekay [Microsoft Certified Trainer]
2008-11-08 16:29:40 UTC
Post by Strunk
Hi,
I have setup a child domain according to
http://support.microsoft.com/kb/255248
in Windows 2003. But after the dcpromo is run and AD is setup and
working in the Child I can't replicate anymore.
I can't even do an nslookup on the root domain. nslookup works from
the Child domain.
Does anyone have a hint to what could be wrong?
Can you provide an ipconfig /all from a DC in the parent, and the DC in the
child, please?
Have you confirmed after the delegation that the child's zone under the
parent is grayed and only shows information about the child DNS server names
and IP addresses?
Have you also confirmed that the child DNS server is now only hosting the
child zone?

Also, when you delegate a namespace to some other DNS server and in this
case, the child domain, keep in mind, the child DC/DNS is now authoritative
for that child zone. Therefore, the child DC must only use itself or another
partner DC in the child zone as its DNS server. The parent DCs will only
use DC/DNS servers in the parent zone in a delegation design.

Maybe it might be something simple as forgetting to set up a forwarder from
your child DNS server to the parent DNS server(s)? Of course from the parent
DNS server, you would configure a forwarder to your ISP to allow outside
resolution.

Btw - If you are using any ISP, your router's IP, or any other external DNS
in the DC's IP properties, please remove them. This will cause numerous
issues.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.
Strunk
2008-11-10 08:49:01 UTC
ipconfig for the DC in the parent:
Windows IP Configuration

Host Name . . . . . . . . . . . . : gcsrv01
Primary Dns Suffix . . . . . . . : linakorg.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : linakorg.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-8B-0B-94
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.30.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.0.250
DNS Servers . . . . . . . . . . . : 127.0.0.1

Ipconfig for the child DC:
Windows IP Configuration

Host Name . . . . . . . . . . . . : nldcsrv1
Primary Dns Suffix . . . . . . . : nl.linakorg.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : nl.linakorg.local
                                    linakorg.local

Ethernet adapter LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP Network Team #1
Physical Address. . . . . . . . . : 00-22-64-9F-4B-74
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.1.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.1.250
DNS Servers . . . . . . . . . . . : 10.0.1.200

According to the KB I have set up a forwarder on the Child.

The Child is only hosting the Child DNS. The delegation is grayed out on the
parent and only showing the child DNS server name and IP.
--
/Strunk
Post by Ace Fekay [Microsoft Certified Trainer]
Post by Strunk
Hi,
I have setup a child domain according to
http://support.microsoft.com/kb/255248
in Windows 2003. But after the dcpromo is run and AD is setup and
working in the Child I can't replicate anymore.
I can't even do an nslookup on the root domain. nslookup works from
the Child domain.
Does anyone have a hint to what could be wrong?
Can you provide an ipconfig /all from a DC in the parent, and the DC in the
child, please?
Have you confirmed after the delegation that the child's zone under the
parent is grayed and only shows information about the child DNS server names
and IP addresses?
Have you also confirmed that the child DNS server is now only hosting the
child zone?
Also, when you delegate a namespace to some other DNS server and in this
case, the child domain, keep in mind, the child DC/DNS is now authoritative
for that child zone. Therefore, the child DC must only use itself or another
partner DC in the child zone as its DNS server. The parent DCs will only
use DC/DNS servers in the parent zone in a delegation design.
Maybe it might be something simple as forgetting to set up a forwarder from
your child DNS server to the parent DNS server(s)? Of course from the parent
DNS server, you would configure a forwarder to your ISP to allow outside
resolution.
Btw - If you are using any ISP, your router's IP, or any other external DNS
in the DC's IP properties, please remove them. This will cause numerous
issues.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.
Ace Fekay [Microsoft Certified Trainer]
2008-11-12 03:24:54 UTC
Post by Strunk
Windows IP Configuration
Host Name . . . . . . . . . . . . : gcsrv01
Primary Dns Suffix . . . . . . . : linakorg.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : linakorg.local
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-8B-0B-94
DHCP Enabled. . . . . . . . . . : No
IP Address. . . . . . . . . . ... . : 172.16.30.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.0.250
DNS Servers . . . . . . . . . . . : 127.0.0.1
Windows IP Configuration
Host Name . . . . . . . . . . . . : nldcsrv1
Primary Dns Suffix . . . . . . . : nl.linakorg.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . : No
WINS Proxy Enabled. . . . . : No
DNS Suffix Search List. . . . : nl.linakorg.local
linakorg.local
Description . . . . . . . . . .. . : HP Network Team #1
Physical Address. . . . . . .. : 00-22-64-9F-4B-74
DHCP Enabled. . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.1.200
Subnet Mask . . . . . . . . .. . : 255.255.255.0
Default Gateway . . . . . . . . : 10.0.1.250
DNS Servers . . . . . . . . .. . : 10.0.1.200
According to the KB I have set up a forwarder on the Child.
The Child is only hosting the Child DNS. The delegation is grayed out
on the parent and only showing the child DNS server name and IP.
What replication scope is the linakorg.local zone set to on the parent
domain? It should be to Domain wide (the middle button), which puts it in
the DomainDnsZones application partition for the parent domain. If set to
Forest wide (the top button), it will cause a major issue. This is because
of the delegation design. You don't want the zone forest wide in a
parent-child delegation.

Same with the nl.linakorg.local zone on the child. It should be set the same
in its own domain's DomainDnsZones app partition.

I suggest to change the DNS IP on the parent DC to the actual IP,
172.16.30.1.

Create a reverse zone on the parent for 172.16.0.0, and set the replication
scope to DomainWide (the middle button). DO NOT create a delegation for this
zone.

Create a reverse zone on the parent for 10.0.1.0, and set the replication
scope to DomainWide (the middle button). Create a delegation for this zone
to the child.

Configure a forwarder on the parent to your ISP's DNS.

Make sure the zones all allow updates.

Now since you have more than one domain, and they are in different
locations, which I am assuming because of the different subnets, you MUST
have a minimum two DCs in each domain. The reason is twofold, one because of
redundancy, the other is because on one of the DCs in each domain (since
they are in separate subnets/locations), you will make one of the DCs a GC,
and move the Infrastructure Master role from the GC to the non-GC. This is
functional basics of domain design and FSMO role placement and the way this
specific role works, or rather doesn't work when it is a GC.

Also with the multiple locations, I suggest to create AD sites that
correspond to each subnet and make sure

Now for DNS registration. On the child DC, delete the
system32\config\netlogon.dns and netlogon.bak files. Then run:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

Make sure the DC's A record, the LdapIpAddress record, which is the "same as
parent" record that should show the child DC's IP, and the SRV data is
showing up in the nl.linakorg.local zone. Check the Sites configuration to
make sure the respective DCs in the child domain show up correctly. Check in
the _gc._msdc.linakorg.local zone that the respective IPs of the DCs that
you made GCs show up.

Let me know if you have any event log errors afterwards.

I hope that helps.

Ace
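As an added example (not code from the thread), a small Python check that parses ipconfig /all output in the format Strunk posted and flags the two DNS client settings Ace warns about: the loopback address as a DC's DNS server (Ace's second reply) and any external ISP/router resolver (his first reply). The sample text is constructed from the posted parent-DC output, with an 8.8.8.8 entry added only to exercise the external-resolver rule.

```python
import ipaddress
import re

# Constructed sample modelled on the parent DC's ipconfig /all in the thread;
# the 8.8.8.8 entry is added here to exercise the external-DNS rule.
PARENT_DC = """\
Windows IP Configuration
Host Name . . . . . . . . . . . . : gcsrv01
Primary Dns Suffix  . . . . . . . : linakorg.local
DNS Suffix Search List. . . . . . : linakorg.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 172.16.30.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
DNS Servers . . . . . . . . . . . : 127.0.0.1
                                    8.8.8.8
"""

# "Field name" + dot/space leaders + ":" + value; continuation lines have no leaders.
FIELD_RE = re.compile(r"^(.+?)[ .]+:\s*(.*)$")

def parse_ipconfig(text):
    """Return {section: {field: [values]}}; multi-line fields such as
    DNS Servers or DNS Suffix Search List become lists in output order."""
    sections = {}
    current = sections.setdefault("Windows IP Configuration", {})
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "." not in line:      # adapter header
            current, last = sections.setdefault(line[:-1], {}), None
            continue
        m = FIELD_RE.match(line)
        if m:
            last, value = m.group(1).strip(), m.group(2).strip()
            current[last] = [value] if value else []
        elif last is not None:                            # continuation line
            current[last].append(line)
    return sections

def check_dc_dns_clients(sections):
    """Flag DNS client entries the thread says a DC must not have:
    the loopback address (use the DC's real IP) and any non-private
    (ISP/router/external) resolver. Returns (adapter, address, reason)."""
    findings = []
    for adapter, fields in sections.items():
        for entry in fields.get("DNS Servers", []):
            try:
                addr = ipaddress.ip_address(entry.split()[0])
            except ValueError:
                continue
            if addr.is_loopback:
                findings.append((adapter, str(addr), "loopback; use the DC's own IP"))
            elif not addr.is_private:
                findings.append((adapter, str(addr), "external resolver; remove from DC"))
    return findings
```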
Strunk
2008-11-12 11:42:03 UTC
Hi,

Thanks Ace.
The replication scope was the issue here.
Your description helped me VERY much.
--
/Strunk
Post by Ace Fekay [Microsoft Certified Trainer]
Post by Strunk
Windows IP Configuration
Host Name . . . . . . . . . . . . : gcsrv01
Primary Dns Suffix . . . . . . . : linakorg.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : linakorg.local
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-8B-0B-94
DHCP Enabled. . . . . . . . . . : No
IP Address. . . . . . . . . . ... . : 172.16.30.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.0.250
DNS Servers . . . . . . . . . . . : 127.0.0.1
Windows IP Configuration
Host Name . . . . . . . . . . . . : nldcsrv1
Primary Dns Suffix . . . . . . . : nl.linakorg.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . : No
WINS Proxy Enabled. . . . . : No
DNS Suffix Search List. . . . : nl.linakorg.local
linakorg.local
Description . . . . . . . . . .. . : HP Network Team #1
Physical Address. . . . . . .. : 00-22-64-9F-4B-74
DHCP Enabled. . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.1.200
Subnet Mask . . . . . . . . .. . : 255.255.255.0
Default Gateway . . . . . . . . : 10.0.1.250
DNS Servers . . . . . . . . .. . : 10.0.1.200
According to the KB I have set up a forwarder on the Child.
The Child is only hosting the Child DNS. The delegation is grayed out
on the parent and only showing the child DNS server name and IP.
What replication scope is the linakorg.local zone set to on the parent
domain? It should be to Domain wide (the middle button), which puts it in
the DomainDnsZones application partition for the parent domain. If set to
Forest wide (the top button), it will cause a major issue. This is because
of the delegation design. You don't want the zone forest wide in a
parent-child delegation.
Same with the nl.linakorg.local zone on the child. It should be set the same
in its own domain's DomainDnsZones app partition.
I suggest to change the DNS IP on the parent DC to the actual IP,
172.16.30.1.
Create a reverse zone on the parent for 172.16.0.0, and set the replication
scope to DomainWide (the middle button). DO NOT create a delegation for this
zone.
Create a reverse zone on the parent for 10.0.1.0, and set the replication
scope to DomainWide (the middle button). Create a delegation for this zone
to the child.
Configure a forwarder on the parent to your ISP's DNS.
Make sure the zones all allow updates.
Now since you have more than one domain, and they are in different
locations, which I am assuming because of the different subnets, you MUST
have a minimum two DCs in each domain. The reason is twofold, one because of
redundancy, the other is because on one of the DCs in each domain (since
they are in separate subnets/locations), you will make one of the DCs a GC,
and move the Infrastructure Master role from the GC to the non-GC. This is
functional basics of domain design and FSMO role placement and the way this
specific role works, or rather doesn't work when it is a GC.
Also with the multiple locations, I suggest to create AD sites that
correspond to each subnet and make sure
Now for DNS registration. On the child DC, delete the
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Make sure the DC's A record, the LdapIpAddress record, which is the "same as
parent" record that should show the child DC's IP, and the SRV data is
showing up in the nl.linakorg.local zone. Check the Sites configuration to
make sure the respective DCs in the child domain show up correctly. Check in
the _gc._msdc.linakorg.local zone that the respective IPs of the DCs that
you made GCs show up.
Let me know if you have any event log errors afterwards.
I hope that helps.
Ace
Ace Fekay [Microsoft Certified Trainer]
2008-11-13 04:49:52 UTC
Post by Strunk
Hi,
Thanks Ace.
The replication scope was the issue here.
Your description helped me VERY much.
Excellent to hear you got it working now!

I had a feeling it was a replication scope issue, but wasn't 100% sure. I
figured laying out the guidelines will help!

Post back if you have other concerns.

Cheers!

Ace
