Restricted DNS and Delegation problem

Hi,

Win2K SP4 non AD running DNS.
I have the root domain . set up to restrict access to only the sites we want
the users to go to. I had been creating the different zones and configuring
A records for the sites I wanted them to go to. Recently, I found that I
should be delegating these as a sub domain under . so I created the
sub-domain 'com'. I then right-click this one and select New Delegation. I
type in the domain name of taxwise (for www.taxwise.com) and then add the NS
for it of utsdns2.universalsystems.com. The wizard resolves the IP for it, I
apply the changes and it creates it. I still can't get to the site though.
If I create a forward zone for it and then an A record of www, it gets there
no problem. Any ideas on what I'm missing? Maybe there's a config problem
with the DNS server itself? Thanks in advance

Tony
 
Tony said:
Hi,

Win2K SP4 non AD running DNS.
I have the root domain . set up to restrict access to only the sites
we want the users to go to. I had been creating the different zones
and configuring A records for the sites I wanted them to go to.
Recently, I found that I should be delegating these as a sub domain
under . so I created the sub-domain 'com'. I then right-click this
one and select New Delegation. I type in the domain name of taxwise
(for www.taxwise.com) and then add the NS for it of
utsdns2.universalsystems.com. The wizard resolves the IP for it, I
apply the changes and it creates it. I still can't get to the site
though. If I create a forward zone for it and then an A record of
www, it gets there no problem. Any ideas on what I'm missing? Maybe
there's a config problem with the DNS server itself? Thanks in
advance

Tony

If the www record was created at the root DNS servers, and the child
domain's clients cannot access it, (if I understand the problem correctly),
then it sounds like you didn't set a forwarder from the child DNS servers
back to the root DNS server. This is a strong recommendation. From the root
DNS, set a forwarder to the ISP, but not from the child DNS.

More info...
255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
In Tony <[email protected]> posted a question
Then Kevin replied below:
: Hi,
:
: Win2K SP4 non AD running DNS.
: I have the root domain . set up to restrict access to only the sites
: we want the users to go to. I had been creating the different zones
: and configuring A records for the sites I wanted them to go to.
: Recently, I found that I should be delegating these as a sub domain
: under . so I created the sub-domain 'com'. I then right-click this
: one and select New Delegation. I type in the domain name of taxwise
: (for www.taxwise.com) and then add the NS for it of
: utsdns2.universalsystems.com. The wizard resolves the IP for it, I
: apply the changes and it creates it. I still can't get to the site
: though. If I create a forward zone for it and then an A record of
: www, it gets there no problem. Any ideas on what I'm missing? Maybe
: there's a config problem with the DNS server itself? Thanks in
: advance
:
: Tony

Tony, did you add the zones and records I recommended in your other thread?

You can use forward lookup zones, but you would have to create complete
copies of the public zone if you want complete access to the sites.
Using delegations will give you better results, but you will have to delegate
it right or it won't work. You will also need to create Glue records for any
nameserver you are delegating to.
You can test your nameserver using nslookup or Dig or William Stacey's new
tool called Netdig available here www.mvptools.com.
 
Kevin,

As you know, I'm working but here's my last response the other thread...
~~~~~~~~~~~~~~~~~~~~~~~~~~~
One last one, if I could. You mentioned that I might have a problem if
someone uses a CNAME. I'm having a problem adding the domain of lovelace.com
for HR purposes as well as microsoft.com. Almost all other sites I've added
using the Delegation method work perfectly except for lovelace.com and
microsoft.com. Any ideas where to start looking? Thanks again!

Tony
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Any help would be most appreciated.
Tony
 
In Tony <[email protected]> posted a question
Then Kevin replied below:
: Kevin,
:
: As you know, I'm working but here's my last response the other
: thread... ~~~~~~~~~~~~~~~~~~~~~~~~~~~
: One last one, if I could. You mentioned that I might have a problem if
: someone uses a CNAME. I'm having a problem adding the domain of
: lovelace.com for HR purposes as well as microsoft.com. Almost all
: other sites I've added using the Delegation method work perfectly
: except for lovelace.com and microsoft.com. Any ideas where to start
: looking? Thanks again!
:
: Tony

As I said, this isn't going to be easy, but it puts you in full control of
DNS because most of these sites cannot be connected to by IP. It is all kind
of trial and error; you will need to use Dig or nslookup and point to an
external DNS server to get the information you need to set this up. I hope
you get paid by the hour. :-) Some may be easier to create records for;
others use delegations. Below are the names you gave me.

Both of these are using CNAMEs; you will have to add the domain delegations
for the CNAME domains.
lovelace.com
Server: kjweb.lsaol.com
Address: 192.168.0.2

Name: lovelace.com
Address: 216.143.9.206
You have already delegated lovelace.com to the correct DNS, right? Leave it
as is and follow below.
Server: kjweb.lsaol.com
Address: 192.168.0.2

Non-authoritative answer:
Name: webserver.ehc.com
Address: 216.143.9.206
Aliases: www.lovelace.com
In the "com" subdomain, create this subdomain "ehc", in that delegate
'webserver' to
ns3.ehc.com internet address = 216.143.9.203
ns4.ehc.com internet address = 216.143.9.212
Or create this "A" record 'webserver' IP 216.143.9.206
*******************************************************************************
Microsoft is probably going to be the hardest to delegate because they use
so many CNAMES. Below are what you need for www.microsoft.com and Windows
Update,
Server: kjweb.lsaol.com
Address: 192.168.0.2

Non-authoritative answer:
Name: www2.microsoft.akadns.net   <--- delegate this name
Addresses: 207.46.144.188, 207.46.144.222, 207.46.245.92, 207.46.250.222
207.46.134.157, 207.46.249.252, 207.46.250.252, 207.46.249.221
Aliases: www.microsoft.com, www.microsoft.akadns.net
For this one in your "net" sub domain, create this subdomain "akadns", then
delegate this name "microsoft" to these nameservers:
zc.akadns.net internet address = 63.241.199.50
za.akadns.net internet address = 63.241.199.50
asia3.akam.net internet address = 193.108.154.9
use2.akam.net internet address = 63.209.170.136
a-242.akadns.net internet address = 193.108.91.242
use1.akam.net internet address = 63.209.170.136
*********************************************************************************
The next two are for Windows Update
windowsupdate.microsoft.com
Server: kjweb.lsaol.com
Address: 192.168.0.2

Non-authoritative answer:
Name: windowsupdate.microsoft.nsatc.net   <--- see below
Addresses: 207.46.134.92, 207.46.249.56
Aliases: windowsupdate.microsoft.com
download.microsoft.com
Server: kjweb.lsaol.com
Address: 192.168.0.2
This one is for Windows Update, create a subdomain "net", in that a
subdomain "nsatc", in that "microsoft", in that two "A" records named
"windowsupdate" with these IPs: 207.46.134.92, 207.46.249.56
*****************************************************************************
This may not be a complete list; it will be touch and go.

Non-authoritative answer:
Name: a767.ms.akamai.net   <---- delegate this name (ms.akamai.net)
Addresses: 64.215.170.55, 64.215.170.41
Aliases: download.microsoft.com, dl-geodir.microsoft.akadns.net
loadsplit-dom-dl.microsoft.akadns.net,
download.microsoft.com.d4p.net

create "akamai.net" name the delegation "ms" to these nameservers:
ms.akamai.net
Server: kjweb.lsaol.com
Address: 192.168.0.2

Non-authoritative answer:
ms.akamai.net nameserver = n0ms.akamai.net
ms.akamai.net nameserver = n1ms.akamai.net
ms.akamai.net nameserver = n6ms.akamai.net
ms.akamai.net nameserver = n2ms.akamai.net
ms.akamai.net nameserver = n3ms.akamai.net
ms.akamai.net nameserver = n7ms.akamai.net
ms.akamai.net nameserver = n4ms.akamai.net
ms.akamai.net nameserver = n5ms.akamai.net
ms.akamai.net nameserver = n8ms.akamai.net

n0ms.akamai.net internet address = 65.65.70.203
n1ms.akamai.net internet address = 65.65.70.205
n6ms.akamai.net internet address = 205.161.6.108
n2ms.akamai.net internet address = 65.65.70.222
n3ms.akamai.net internet address = 65.65.70.227
n7ms.akamai.net internet address = 208.6.232.47
n4ms.akamai.net internet address = 65.65.70.229
n5ms.akamai.net internet address = 65.65.70.203
n8ms.akamai.net internet address = 65.65.70.205

Are you getting the idea on how to do this if there are CNAMES in use?
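Added example, not part of this thread and not any poster's code: a small Python model of the "restricted root" setup Tony describes (a server authoritative for "." that only knows local A records and delegations), used to show the two failure modes Kevin's replies turn on: a delegation whose nameserver has no glue, and a www name that is a CNAME into a domain the root has not been told about. The public-DNS data, the taxwise and lovelace nameserver IPs are constructed placeholders; only the 216.143.9.x addresses are the ones quoted above.

```python
"""Model of a "restricted root" DNS server like the one in the thread: the
server is authoritative for "." and can only answer for names it serves
locally (A records) or hands off via delegations (NS + glue).  All data below
is constructed example data; the ehc.com addresses are the ones Kevin quoted,
the remaining IPs are placeholders."""

from dataclasses import dataclass, field


@dataclass
class Delegation:
    zone: str                                   # delegated name, e.g. "lovelace.com"
    nameservers: list                           # NS names for that zone
    glue: dict = field(default_factory=dict)    # NS name -> IP ("glue" A records)


@dataclass
class RestrictedRoot:
    a_records: dict = field(default_factory=dict)    # names served locally
    delegations: dict = field(default_factory=dict)  # zone -> Delegation

    def delegation_for(self, name):
        """Longest-suffix match, e.g. www.lovelace.com -> lovelace.com."""
        labels = name.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.delegations:
                return self.delegations[zone]
        return None


# Constructed stand-in for the public DNS: each delegated nameserver and the
# records it would answer with.  Reachable only via a delegation with a usable IP.
PUBLIC = {
    "utsdns2.universalsystems.com": {"www.taxwise.com": ("A", "203.0.113.10")},
    "ns1.lovelace.com": {"www.lovelace.com": ("CNAME", "webserver.ehc.com")},
    "ns3.ehc.com": {"webserver.ehc.com": ("A", "216.143.9.206")},
}


def resolve(name, root, public=PUBLIC, depth=0):
    """Resolve `name` as a client pointed at the restricted root would see it.
    Returns (ip, trace); ip is None when the chain breaks, and the trace says where."""
    if depth > 8:
        return None, [f"{name}: gave up (CNAME/NS chain too long)"]
    if name in root.a_records:
        return root.a_records[name], [f"{name}: answered from local A record"]
    d = root.delegation_for(name)
    if d is None:
        return None, [f"{name}: no local record and no delegation covers it -> NXDOMAIN"]
    # Find a nameserver we can actually reach.  An NS inside its own zone
    # (ns1.lovelace.com for lovelace.com) is only reachable through glue; an
    # outside NS name is looked up through the restricted root like any other name.
    ns_ip = None
    for ns in d.nameservers:
        ip = d.glue.get(ns)
        if ip is None and not ns.endswith("." + d.zone):
            ip, _ = resolve(ns, root, public, depth + 1)
        if ip is not None:
            ns_ip = (ns, ip)
            break
    if ns_ip is None:
        return None, [f"{name}: delegated to {d.zone} but no nameserver address is reachable (missing glue)"]
    ns, ip = ns_ip
    rr = public.get(ns, {}).get(name)
    if rr is None:
        return None, [f"{name}: {ns} ({ip}) has no record for it"]
    rtype, rdata = rr
    trace = [f"{name}: {ns} ({ip}) answered {rtype} {rdata}"]
    if rtype == "A":
        return rdata, trace
    # CNAME: the target is resolved again from the restricted root, so the
    # target's domain must itself be delegated or served locally.
    ip2, more = resolve(rdata, root, public, depth + 1)
    return ip2, trace + more


def scenarios():
    """Five configurations from the thread; returns label -> resolved IP (or None)."""
    results = {}
    # 1. taxwise.com delegated, NS outside the zone and no glue: the NS name
    #    itself cannot be resolved through the restricted root, so it fails.
    r = RestrictedRoot(delegations={"taxwise.com": Delegation("taxwise.com", ["utsdns2.universalsystems.com"])})
    results["taxwise, no glue"] = resolve("www.taxwise.com", r)[0]
    # 2. same delegation plus the glue A record the wizard resolves.
    r.delegations["taxwise.com"].glue["utsdns2.universalsystems.com"] = "203.0.113.10"
    results["taxwise, with glue"] = resolve("www.taxwise.com", r)[0]
    # 3. lovelace.com delegated correctly, but www is a CNAME into ehc.com.
    r.delegations["lovelace.com"] = Delegation("lovelace.com", ["ns1.lovelace.com"], {"ns1.lovelace.com": "198.51.100.5"})
    results["lovelace, CNAME target unknown"] = resolve("www.lovelace.com", r)[0]
    # 4. Kevin's first fix: delegate the CNAME target (webserver.ehc.com) to ns3.ehc.com.
    r.delegations["webserver.ehc.com"] = Delegation("webserver.ehc.com", ["ns3.ehc.com"], {"ns3.ehc.com": "216.143.9.203"})
    results["lovelace, target delegated"] = resolve("www.lovelace.com", r)[0]
    # 5. Kevin's alternative: serve the target as a local A record instead.
    del r.delegations["webserver.ehc.com"]
    r.a_records["webserver.ehc.com"] = "216.143.9.206"
    results["lovelace, target as local A"] = resolve("www.lovelace.com", r)[0]
    return results


if __name__ == "__main__":
    for label, ip in scenarios().items():
        print(f"{label:32} -> {ip}")
    print("\n".join(resolve("www.lovelace.com", RestrictedRoot())[1]))
```

The trace returned by `resolve` is the useful part when a site fails: it stops at the exact hop a real client would stall on (unreachable nameserver, or a CNAME target with no covering delegation), which is the same information one would otherwise dig out of nslookup against an external server.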
 