It's rare to find an organization running its own DNS that is small enough to not take advantage of subdomains and delegation. By delegation, I mean letting one group, whether logical or physical, administer a section of an organization's network. Let's take a look at an example.
Perhaps my company has two
offices: one in Boston and the other in Charlotte, North Carolina.
Although I have an overarching domain name, mycompany.com, I might want to delineate these two locations within my network—I can call all machines in Boston with the north.mycompany.com domain suffix and all machines in Charlotte with the south.mycompany.com
domain suffix. Because the respective IT groups at each location have a
better sense of which machines are going in and out of the network at
their own offices than a central group of administrators at the
headquarters site, the decision was made to let each office's group
administer DNS within each subdomain. To make this happen, there are
three steps to follow: first, the overarching domain's DNS zone needs to
be told there will be a subdomain that will be administered elsewhere.
Second, the overarching (in technical terms, the "root" but not the
ultimate TLD-root) nameserver needs the address of the subdomain's
nameserver for its records. And finally, the subdomain's nameserver
needs to be installed and configured.
1. Delegating a Domain
Inside the DNS Management snap-in, right-click the zone that is the parent of the subdomain you want to create (e.g., mycompany.com),
and select New Delegation from the pop-up menu. The New Delegation
Wizard appears; click past the introductory screen to the Delegated
Domain Name Screen. Here, simply enter the subdomain you want to create
and delegate in the top box. The bottom box will expand to show the full
domain name of what you entered. Click Next to move on. On the next
screen, enter the name of the subdomain you'd like to delegate, and
click Next.
The Name Servers screen appears, as shown in Figure 1.
On this page, insert the
fully qualified domain name and IP address of the nameservers, which
will be responsible for the new domain. Just click Add to enter these on
the New Resource Record screen which will appear. When you're finished,
click OK, and then click Next. Click Finish to complete the wizard. The
newly delegated domain will appear in the DNS Management snap-in, but
it will be grayed out to indicate its delegated status.
How does this process
modify the actual zone files within the DNS service? For one, it adds
new NS records to the parent domain to indicate the server responsible
for a particular subdomain. For example, if I were delegating
the fully qualified subdomain north.mycompany.com with a nameserver at dns1.north.mycompany.com, the resulting record would look like this:
north NS dns1.north.mycompany.com
Next, the delegation wizard
adds an A record to the parent zone so that it can find the new
nameserver via its IP address, like this:
dns1.north A 192.168.1.105
This A record is known as a glue record
because that A record is the only way DNS and requesting clients would
know the IP address of the delegated nameserver—after all, the primary
zone no longer holds information on and controls that zone. The A record
eliminates that problem and provides a direct way to get in touch with
that delegated nameserver.
Lame delegation is the
condition when an NS record points to an incorrect machine. This can be
caused when a zone is delegated to a server that has not been properly
configured as an authoritative nameserver for that zone, or an
authoritative nameserver for a zone has an NS record that points to
another machine that is not authoritative for the zone.
When lame
delegation occurs, these nameservers direct queries to servers that will
not respond authoritatively, if at all. This causes unnecessary network
traffic and extra work for servers. According to the Domain Health
Survey, 25% of all zones have lame delegations.
2. Creating the Subdomain
Logically,
creating the subdomain you've just delegated is very simple. From the
delegated server, inside the DNS Management snap-in, you can right-click
the Forward Lookup Zones folder and choose New Zone.
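As an added example (not part of the original text), the same three steps driven with the DnsServer PowerShell module instead of the snap-in, followed by a check for the lame-delegation condition described above. The zone, subdomain, nameserver and address come from the text; the parent zone's server name dns0.mycompany.com is an assumption, and the check assumes you are allowed to manage the child nameserver remotely.

```powershell
# Names taken from the article; the parent nameserver is assumed.
$Parent       = 'mycompany.com'
$Child        = 'north'
$ChildZone    = "$Child.$Parent"
$ChildNs      = "dns1.$ChildZone"
$ChildNsIp    = '192.168.1.105'
$ParentServer = 'dns0.mycompany.com'   # assumed name of the parent zone's server

# Steps 1 and 2: tell the parent zone about the subdomain and add the
# NS record plus the glue A record for the delegated nameserver.
Add-DnsServerZoneDelegation -ComputerName $ParentServer -Name $Parent `
    -ChildZoneName $Child -NameServer $ChildNs -IPAddress $ChildNsIp

# Step 3: create the zone itself on the delegated server (a file-backed
# primary zone here; use -ReplicationScope for an AD-integrated zone).
Add-DnsServerPrimaryZone -ComputerName $ChildNs -Name $ChildZone `
    -ZoneFile "$ChildZone.dns"

# Lame-delegation check: every NS the parent hands out for the subdomain
# must actually host the zone as a primary or secondary. Run this
# whenever the delegation or the child server changes.
$delegations = Get-DnsServerZoneDelegation -ComputerName $ParentServer `
    -Name $Parent -ChildZoneName $Child

foreach ($d in $delegations) {
    $nsHost = $d.NameServer.RecordData.NameServer.TrimEnd('.')
    try {
        $zone = Get-DnsServerZone -ComputerName $nsHost -Name $ChildZone -ErrorAction Stop
        if ($zone.ZoneType -in 'Primary', 'Secondary') {
            "OK:   $nsHost is authoritative for $ChildZone ($($zone.ZoneType))"
        } else {
            # Stub or conditional-forwarder zones answer, but not authoritatively.
            "LAME: $nsHost holds $ChildZone only as a $($zone.ZoneType) zone"
        }
    } catch {
        # No such zone on that server: the NS record points at the wrong machine.
        "LAME: $nsHost does not host $ChildZone ($($_.Exception.Message))"
    }
}
```

Each NS listed in the parent's delegation is reported as OK or LAME; a LAME result is the case the text describes, where queries are sent to a server that cannot answer authoritatively.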