
Windows Server 2003 : Creating Zone Delegations - Delegating Zones

12/28/2013 8:43:37 PM

Delegating Zones

To delegate a zone means to assign authority over portions of your DNS namespace to subdomains within this namespace. A zone delegation occurs when the responsibility for the resource records of a subdomain is passed from the owner of the parent domain to the owner of the subdomain. For example, in Figure 1, the management of the microsoft.com domain is delegated across two zones: microsoft.com and mydomain.microsoft.com. In the example, the administrator of the mydomain.microsoft.com zone controls the resource records for that subdomain.

Figure 1. Zone delegation example


When To Delegate Zones

You should consider delegating a zone within your network whenever any of the following conditions are present:

  • You need to delegate management of a DNS domain to a branch or department within your organization.

  • You need to distribute the load of maintaining one large DNS database among multiple name servers to improve name resolution performance and fault tolerance.

  • You need hosts and host names to be structured according to branch or departmental affiliation within your organization.

When choosing how to structure zones, you should use a plan that reflects the structure of your organization.

How Delegations Work

For a delegation to be implemented, the parent zone must contain an NS resource record naming an authoritative server for the newly delegated domain and, when that server's own name lies inside the delegated domain, an A resource record giving its address. These records are necessary both to delegate authority to the new name servers and to provide referrals to clients performing iterative queries. In this section, you walk through an example of delegating a subdomain to a new zone.

Note

A and NS resource records are automatically created by the DNS console when you create a new delegation.


In Figure 2, an authoritative DNS server computer for the newly delegated example.microsoft.com subdomain is given a name based on a derivative subdomain included in the new zone (ns1.us.example.microsoft.com). To make this server known to others outside the newly delegated zone, two resource records are needed in the microsoft.com zone to complete delegation to the new zone. These records are automatically created when you run the New Delegation Wizard in the DNS console.

Figure 2. Resource records for delegation


These records include the following:

  • An NS record (also known as a delegation record) to create the actual delegation. This record is used to advertise to querying clients that the computer named ns1.us.example.microsoft.com is an authoritative server for the delegated subdomain.

  • An A resource record (also known as a glue record) to resolve the name of the server specified in the NS record to its IP address. Glue records are necessary when the name server that is authoritative for the delegated zone is also a member of the delegated domain. The process of resolving the host name in this record to the delegated DNS server in the NS record is sometimes referred to as glue chasing.

Note

After you have created a delegation through the DNS console, a glue record appears automatically in the zone data. However, this record is hidden from view in the DNS console.


Suppose an external DNS server (acting as a client) wants to resolve the FQDN box.example.microsoft.com. When this computer queries a name server that is authoritative for the microsoft.com domain, that server cannot answer from its own data, so it responds with a referral: the NS record naming ns1.us.example.microsoft.com as authoritative for example.microsoft.com, together with the glue A record giving that server's IP address, 192.168.1.5. The querying computer then sends another iterative query to 192.168.1.5. This latter name server finally responds with the IP address of the host box.example.microsoft.com, for which it is authoritative.

Note

Delegations take precedence over forwarding. If, in the preceding example, the server that is authoritative for the microsoft.com domain were configured to forward all queries that it could not answer, the server would still answer a query for the name box.example.microsoft.com by contacting ns1.us.example.microsoft.com, not by contacting the forwarder specified on the Forwarders tab. Only names that fall outside every zone the server holds (and outside every delegation within those zones) are sent to the forwarder.
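The referral, the glue chasing, and the precedence of delegation over forwarding described above, modelled as an added example (written for this page, not code from the article or from Microsoft). Everything except the article's own names and the address 192.168.1.5 is an assumption: 10.0.0.1 stands for a microsoft.com name server, 10.0.0.254 for its forwarder, 192.168.1.20 for box.example.microsoft.com, and example.net for data that only the forwarder knows.

```python
"""Toy model of a zone delegation: the referral from the parent, glue chasing,
and why a server follows its delegation before it consults a forwarder.

Added illustration written for this page, not code from the article or from
Microsoft. Zone data is held in dictionaries. The article gives only the names
and ns1.us.example.microsoft.com = 192.168.1.5; the addresses 10.0.0.1 (a
microsoft.com server), 10.0.0.254 (its forwarder), 192.168.1.20 (box) and the
example.net zone are assumptions for the example."""
import copy

# server IP -> {zone name -> {owner name -> [(type, value), ...]}}
SERVERS = {
    "10.0.0.1": {"microsoft.com": {
        "microsoft.com": [("NS", "ns.microsoft.com")],
        "ns.microsoft.com": [("A", "10.0.0.1")],
        # the delegation: NS record plus glue A for the in-zone name server
        "example.microsoft.com": [("NS", "ns1.us.example.microsoft.com")],
        "ns1.us.example.microsoft.com": [("A", "192.168.1.5")],
    }},
    "192.168.1.5": {"example.microsoft.com": {
        "example.microsoft.com": [("NS", "ns1.us.example.microsoft.com")],
        "ns1.us.example.microsoft.com": [("A", "192.168.1.5")],
        "box.example.microsoft.com": [("A", "192.168.1.20")],
    }},
    "10.0.0.254": {"example.net": {            # data reachable only via the forwarder
        "www.example.net": [("A", "203.0.113.10")],
    }},
}

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def authoritative_answer(servers, ip, qname, qtype):
    """Reply of server `ip` for a name inside one of its zones: ('answer',
    values), or ('referral', ns_names, glue) when the name lies at or below a
    delegation point in that zone. None if the server holds no such zone."""
    for zone, rrs in servers[ip].items():
        if not in_zone(qname, zone):
            continue
        node = qname
        while node != zone:                      # walk up towards the apex looking for an NS cut
            ns = [v for t, v in rrs.get(node, []) if t == "NS"]
            if ns:
                glue = {n: [v for t, v in rrs.get(n, []) if t == "A"] for n in ns}
                return ("referral", ns, glue)
            node = node.split(".", 1)[1]
        return ("answer", [v for t, v in rrs.get(qname, []) if t == qtype])
    return None

def resolve(servers, ip, qname, qtype, forwarder=None, trace=None, depth=0):
    """What server `ip` does with a client's query. Returns (values, trace),
    where trace lists every server contacted. A name inside one of its zones
    is answered or delegated; only a name outside every zone goes to the
    forwarder. Raises when a referral cannot be followed (no usable glue)."""
    trace = [] if trace is None else trace
    if depth > 6:
        raise RuntimeError("referral loop while resolving %s (missing glue?)" % qname)
    trace.append(ip)
    reply = authoritative_answer(servers, ip, qname, qtype)
    if reply is None:
        if forwarder is None:
            return [], trace
        return resolve(servers, forwarder, qname, qtype, None, trace, depth + 1)
    if reply[0] == "answer":
        return reply[1], trace
    _, ns_names, glue = reply
    target = ns_names[0]
    addrs = glue[target]
    if not addrs:
        # No glue: the name server's own address must be resolved first. When
        # that name lies inside the delegated subdomain, the lookup lands back
        # at this same referral and never terminates.
        addrs, _ = resolve(servers, ip, target, "A", forwarder, trace, depth + 1)
    return resolve(servers, addrs[0], qname, qtype, None, trace, depth + 1)

def without_glue(servers):
    """Same data with the glue A record deleted from the parent zone."""
    s = copy.deepcopy(servers)
    del s["10.0.0.1"]["microsoft.com"]["ns1.us.example.microsoft.com"]
    return s

if __name__ == "__main__":
    fwd = "10.0.0.254"
    print(resolve(SERVERS, "10.0.0.1", "box.example.microsoft.com", "A", fwd))  # delegation followed, forwarder unused
    print(resolve(SERVERS, "10.0.0.1", "www.example.net", "A", fwd))            # outside all zones: forwarded
    try:
        resolve(without_glue(SERVERS), "10.0.0.1", "box.example.microsoft.com", "A", fwd)
    except RuntimeError as exc:
        print(exc)
```

Running it shows that the query for box.example.microsoft.com touches 10.0.0.1 and then 192.168.1.5 and never the forwarder, while www.example.net, which lies outside every zone the server holds, goes to the forwarder. Deleting the glue A record from the parent zone makes the first query loop: the server needs the address of ns1.us.example.microsoft.com, which only the delegated zone can supply, and it cannot reach that zone without the address. That circular dependency is why the glue record is required whenever the name server's name lies inside the delegated subdomain.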


Creating a Zone Delegation

To create a zone delegation, first create the primary zone for the domain to be delegated on the server that will be hosting the delegated zone. Then run the New Delegation Wizard on the server hosting the parent zone by right-clicking the parent zone node in the DNS console and selecting New Delegation.

To complete the New Delegation Wizard, you need to specify the name of the delegated subdomain and the name of at least one name server that will be authoritative for the new zone. After you run the wizard, a node appears in the DNS console tree representing the newly delegated subdomain, and this node contains the delegation (NS) resource record of the authoritative server you have just specified. The glue record appears in the zone data but not in the DNS console. Every resolver that reaches the parent zone trusts these two records, so keep them current: if the delegated server is later renamed or readdressed, the NS record and its glue in the parent zone must be updated as well, or the subdomain becomes unresolvable from outside (a lame delegation).

Practice: Creating a Zone Delegation

In this practice, you create a new zone on Server02 that becomes a delegated subdomain of the contoso.com domain. You then create a delegation on Server01 that is linked to this new zone on Server02. Finally, you verify the new configuration.

Exercise 1: Creating a Zone To Be Delegated
1. Log on to Server02.

2. Open the DNS console.

3. In the DNS console tree, expand Server02, right-click the Forward Lookup Zones node, and select New Zone.

The New Zone Wizard launches.

4. Click Next.

The Zone Type page appears.

5. Click Next to accept the default selection, Primary Zone.

The Zone Name page appears.

6. In the Name text box, type sub.contoso.com and click Next.

The Zone File page appears.

7. Click Next to accept the default selection, Create A New File With This File Name.

The Dynamic Update page appears.

8. Click Next to accept the default selection, Do Not Allow Dynamic Updates.

For a standard primary zone this is also the safer setting: nonsecure dynamic updates would let any host on the network add or overwrite records in sub.contoso.com, and secure (authenticated) updates are available only for Active Directory-integrated zones.

The Completing The New Zone Wizard page appears.

9. Click Finish.

Exercise 2: Adding Host (A) Resource Records to the Zone
1. Log on to Server02.

2. Open the DNS console.

3. Expand Server02, Forward Lookup Zones, and select the sub.contoso.com node.

4. Right-click the sub.contoso.com node, and select New Host (A). The New Host dialog box appears.

5. In the Name text box, type Server01.

6. In the IP Address text box, type 192.168.0.1 (or the IP address currently assigned to Server01), and then click Add Host.

A message box indicates that the host record was successfully created.

7. Click OK. The New Host dialog box remains open, with the Name text box and IP Address text box now empty.

8. In the Name text box, type Server02.

9. In the IP Address text box, type 192.168.0.2 (or the IP address currently assigned to Server02).

10. Click Add Host.

A message box indicates that the host record was successfully created.

11. Click OK, and then click Done.

Exercise 3: Creating a Delegation
1. Log on to Server02.

2. Open the DNS console, and add Server01 to the console so that you can administer both Server01 and Server02.

3. Expand the Server01 node, expand Forward Lookup Zones, and select the contoso.com node.

4. Right-click the contoso.com node, and select New Delegation.

The New Delegation Wizard launches.

5. Click Next.

The Delegated Domain Name page appears.

6. In the Delegated Domain text box, type sub, and then click Next.

The Name Servers page appears.

7. Click Add.

The New Resource Record dialog box appears.

8. In the Server Fully Qualified Domain Name (FQDN) text box, type Server02.sub.contoso.com.

9. In the IP Address text box, type 192.168.0.2 (or the IP address currently assigned to Server02).

10. Click Add, and then click OK.

11. On the Name Servers page of the New Delegation Wizard, click Next.

The Completing The New Delegation Wizard page appears.

12. Click Finish.

In the DNS console tree, you will now see the sub delegation node under the contoso.com zone. It holds the NS record for Server02.sub.contoso.com; the matching glue A record (192.168.0.2) is written to the contoso.com zone data but is not displayed in the console.

Exercise 4: Testing the Configuration
1. Log on to Server01, which uses the local DNS server for name resolution.

2. Open a command prompt, type ping Server01.sub.contoso.com, and then press ENTER.

The output indicates that the host Server01.sub.contoso.com is responding from the IP address 192.168.0.1. If the ping is unsuccessful, type ipconfig /flushdns, press ENTER to clear the client's resolver cache, wait two minutes so that any negative answer cached by the DNS server expires, and then repeat the ping.

3. After the ping output has completed, type ping Server02.sub.contoso.com at the command prompt, and then press ENTER.

The output indicates that Server02.sub.contoso.com is responding from the IP address 192.168.0.2. If the ping is unsuccessful, clear the resolver cache and retry as in step 2.

The new names are resolved even though Server01 performs name resolution through its local DNS server, which holds no host records for the sub.contoso.com domain. The local DNS server is authoritative for contoso.com and finds that the queried names fall under the delegation you created, so it follows the referral to the server named in the delegation, Server02, and returns that server's answer. This is delegation, not forwarding: a forwarder configured on Server01 would not be consulted for names under sub.contoso.com.
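A wire-level version of the check in Exercise 4, as an added example (not part of the original exercise and not a Microsoft tool): it asks Server01 for the NS records of sub.contoso.com with recursion disabled, so the reply is the delegation itself rather than an answer fetched from Server02, and compares the referral and its glue against what Exercise 3 configured. The live query assumes Server01 listens on 192.168.0.1; the embedded response bytes are constructed by hand to model that referral so the parser and the check can be exercised offline.

```python
"""Wire-level check of a delegation: ask the parent zone's server for the NS
records of the delegated subdomain without recursion and confirm that the
referral names the intended server and carries matching glue.

Added example for this page, not part of the original exercise or of any
Microsoft tool. Standard library only. SAMPLE_RESPONSE is a hand-constructed
model of the referral Server01 should return after Exercise 3; the live query
in main() assumes Server01 answers on 192.168.0.1."""
import socket
import struct

TYPE_A, TYPE_NS = 1, 2

def build_query(name, qtype, txid=0x1234):
    """One question, RD bit clear: an authoritative server then returns the
    delegation (authority + additional sections) instead of recursing."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def parse_response(msg):
    """Return {'answer': [...], 'authority': [...], 'additional': [...]} of
    (owner, type, value) tuples; NS and A rdata are decoded, others kept raw."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in zip(sections, (an, ns, ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_NS:
                value, _ = read_name(msg, off)
            elif rtype == TYPE_A:
                value = socket.inet_ntoa(msg[off:off + 4])
            else:
                value = msg[off:off + rdlen]
            off += rdlen
            sections[section].append((owner, rtype, value))
    return sections

def check_delegation(sections, subdomain, expected_ns, expected_ip):
    """List problems with the referral (empty list = matches): missing NS,
    unexpected delegation target, absent or stale glue."""
    problems = []
    ns_names = [v for o, t, v in sections["authority"] if t == TYPE_NS and o == subdomain]
    if not ns_names:
        problems.append("no NS referral for " + subdomain)
    for name in ns_names:
        if name != expected_ns:
            problems.append("unexpected name server in delegation: " + name)
    glue = {o: v for o, t, v in sections["additional"] if t == TYPE_A}
    if expected_ns not in glue:
        problems.append("no glue A record for " + expected_ns)
    elif glue[expected_ns] != expected_ip:
        problems.append("glue for %s points to %s, expected %s"
                        % (expected_ns, glue[expected_ns], expected_ip))
    return problems

def query_server(server_ip, name, qtype=TYPE_NS, timeout=3.0):
    """Send the query over UDP and parse the reply (live network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

# Constructed referral: sub.contoso.com NS server02.sub.contoso.com, glue 192.168.0.2
SAMPLE_RESPONSE = (
    b"\x12\x34\x80\x80\x00\x01\x00\x00\x00\x01\x00\x01"  # header: QR+RA; 1 question, 1 authority, 1 additional
    b"\x03sub\x07contoso\x03com\x00\x00\x02\x00\x01"    # question: sub.contoso.com NS IN
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x0b"  # authority RR: owner -> offset 12, NS, IN, TTL 3600, rdlen 11
    b"\x08server02\xc0\x0c"                              #   rdata: server02 + pointer to sub.contoso.com
    b"\xc0\x2d\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # additional RR: owner -> offset 45, A, IN, TTL 3600, rdlen 4
    b"\xc0\xa8\x00\x02"                                  #   rdata: 192.168.0.2 (the glue)
)

if __name__ == "__main__":
    expected = ("sub.contoso.com", "server02.sub.contoso.com", "192.168.0.2")
    print("offline sample:", check_delegation(parse_response(SAMPLE_RESPONSE), *expected))
    try:
        print("Server01 says:", check_delegation(query_server("192.168.0.1", "sub.contoso.com"), *expected))
    except OSError as exc:
        print("live query skipped:", exc)
```

The same check by hand is `nslookup -norecurse -type=NS sub.contoso.com 192.168.0.1`, which should list Server02.sub.contoso.com with address 192.168.0.2. Run the check again after any change to Server02's name or address: a referral that still names the old server, or glue that still carries the old address, is exactly the condition that leaves sub.contoso.com unresolvable for everyone who arrives through contoso.com.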
