sub-childdomain windows2003 Ad forest

  • Thread starter Thread starter eric romero
  • Start date Start date
E

eric romero

Hi All

I have a Windows2003 AD several childomains one of the childomains
(b.c.com)admins plans to add a subchildomain(a.b.c.com)

My question does the DNS delegation, subnet, site-link must be done at the
root or at the childomain (b.c.com) ? any documents describing this process?

thx
 
In
eric romero said:
Hi All

I have a Windows2003 AD several childomains one of the childomains
(b.c.com)admins plans to add a subchildomain(a.b.c.com)

My question does the DNS delegation, subnet, site-link must be done
at the root or at the childomain (b.c.com) ? any documents describing
this process?

thx
Click to expand...

Hi Eric,

You would want to delegate it from the child to the next child, since at the
child is where the full zone is. From the root, if you already have a
delegation, you can't delegate from a delegated child zone anyway. But don't
forget to configure a forwarder from child2 to child1, which should have a
forwarder to the root.

How to delegate a child zone (doesn't talk about sub child zones, however):
http://support.microsoft.com/default.aspx?scid=kb;en-us;255248

Since you have Windows 2003, you can also use stub zones (which is
recommended over delegation). Matter of fact, if you have a Win2k, and you
have a delegation to a child, during an upgrade it changes it to a stub
zone. The advantages is that if any of the nameservers change their IP or
names at the child zone, that change is transferred automatically to the
stub at the parent zone. You would still use a forwarder back to the
immediate parent. Keep in mind, you can use conditional forwarding as well
to go from child2 directly to the root domain DNS. I think it would be to
your advantage to use stubs in your scenario.

Understanding stub zones:
http://www.microsoft.com/resources/...dard/proddocs/en-us/sag_DNS_und_StubZones.asp
or easier:
http://tinyurl.com/3bhfv

811118 - Support WebCast Microsoft Windows Server 2003 DNS Stub Zones and
Conditional Forwarding:
http://support.microsoft.com/default.aspx?scid=kb;en-us;811118

Keep in mind, there was a hotfix out that addresses an issue that came up
about stubs to childs of a child zone. Read this about that:
834378 - Windows Server 2003 DNS name resolution may fail when stub zones
are configured:
http://support.microsoft.com/default.aspx?scid=kb;en-us;834378

As for your previous thread about the missing ForestDnsZone and
DomainDnsZone, I had offered to take a look at it. Did you still want any
help with that?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Hi Ace,

thx for your reply and the AD-subnet and AD-site-link I think these two must
be created at the root right using ADsites&services? I think because the
childdomain does not have permission to right intothe ad schema

Do not worry about the forestdnszones issue I need to deal with it whenever
I have some extra time.

thx again
"Ace Fekay [MVP]"
 
In
eric romero said:
Hi Ace,

thx for your reply and the AD-subnet and AD-site-link I think these
two must be created at the root right using ADsites&services? I think
because the childdomain does not have permission to right intothe ad
schema

Do not worry about the forestdnszones issue I need to deal with it
whenever I have some extra time.

thx again
Click to expand...

For Delegation, that's done at the immediate parent above the child. As for
Subnets and Sites settings, creation, etc, an EA needs to do that (which by
default the root domain admin is part of). The person installing the child
domain needs to be a domain admin of the parent domain. To create a
delegation, one needs to be a DNS admin (or domain admin) of whichever
parent its being done at. But for the other stuff, EA.

As for the Schema, which we shouldn;t be really worried about unless you are
altering it, that's by the Schema Admin, but need to be EA to add yourself
to the group. As for a child, don't worry about the Schema.


Ok, let me know if and when about those zones.
 
Back
Top