Information Technology Reference
editing NS records. If Windows fails to resolve the name server's FQDN, you can edit the record
and add an IP address manually.
Zone Delegation
Zone delegation is transferring authority for a subdomain to a new zone, which can be on the same
server or another server. Typically, you use zone delegation when a business unit in an organization
is large enough to warrant its own subdomain and has the personnel to manage its own DNS server
for the subdomain. Even if the business unit won't be managing the subdomain, delegating the
handling of the subdomain to other servers might make sense for performance reasons.
When a subdomain has been delegated to a zone on another server, the DNS server hosting
the parent zone maintains only an NS record pointing to the DNS server hosting the delegated
zone. When the parent DNS server receives a query for the subdomain, it refers the query to the
DNS server hosting the subdomain.
If changes are made to the name servers hosting the delegated zone, the
NS records on the server hosting the parent domain must be updated
manually.
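Because the parent's NS records are maintained by hand, they can drift away from the name servers the delegated zone actually lists. The following Python check is an added example, not part of the original text: it compares the two NS sets and flags delegated name servers inside the subdomain that have no address record in the parent zone. The zone name, host names, addresses, the simplified three-column record format, and all function names are assumptions made for illustration.

```python
# Constructed sample data (example.test names, 192.0.2.0/24 addresses); not from a real server.
PARENT_ZONE = """\
sales.example.test.      NS  ns1.sales.example.test.
sales.example.test.      NS  ns-old.sales.example.test.   ; never updated after a server change
ns1.sales.example.test.  A   192.0.2.10
"""
CHILD_ZONE = """\
sales.example.test.      NS  ns1.sales.example.test.
sales.example.test.      NS  ns2.sales.example.test.
ns1.sales.example.test.  A   192.0.2.10
ns2.sales.example.test.  A   192.0.2.11
"""

def parse(text):
    """Return a set of (owner, type, rdata) tuples with names lowercased, no trailing dot."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split()
        records.add((owner.lower().rstrip("."), rtype.upper(), rdata.lower().rstrip(".")))
    return records

def ns_set(records, zone):
    """NS targets published for `zone` in the given record set."""
    return {rdata for (owner, rtype, rdata) in records if rtype == "NS" and owner == zone}

def audit_delegation(parent_text, child_text, subdomain):
    """Compare the parent's delegation NS records with the delegated zone's own NS records."""
    zone = subdomain.lower().rstrip(".")
    parent, child = parse(parent_text), parse(child_text)
    delegated, authoritative = ns_set(parent, zone), ns_set(child, zone)
    has_address = {owner for (owner, rtype, _) in parent if rtype in ("A", "AAAA")}
    return {
        # Parent still refers queries to a server the delegated zone no longer lists.
        "stale_in_parent": sorted(delegated - authoritative),
        # Delegated zone lists a server the parent never refers queries to.
        "missing_from_parent": sorted(authoritative - delegated),
        # NS name lives inside the subdomain, so the parent needs its IP address too.
        "no_address_in_parent": sorted(
            n for n in delegated
            if (n == zone or n.endswith("." + zone)) and n not in has_address),
    }

if __name__ == "__main__":
    report = audit_delegation(PARENT_ZONE, CHILD_ZONE, "sales.example.test")
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Any entry under stale_in_parent or missing_from_parent means the parent zone's NS records need the manual update described above.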
You might have noticed a zone called _msdcs.w2k8adXX.com on your DNS server. Every
Windows domain zone has an _msdcs subdomain, which holds all the SRV records for Microsoft-
hosted services, such as the global catalog, LDAP, and Kerberos. In the forest root domain, this
subdomain is delegated to a new zone on the same server, not on a different server. For example,
in DNS Manager in Figure 9-14, the _msdcs.w2k8ad99.com zone is located under Forward
Lookup Zones, and an _msdcs icon under this subdomain signifies that it has been delegated.
Figure 9-14 Viewing a delegated zone in DNS Manager
The reason _msdcs is created as a subdomain is so that Windows clients and other clients
specifically looking for a Microsoft service can query DNS for the service in the _msdcs subdomain.
Remember: It's possible for non-Microsoft OSs to be operating in the same domain, and
they might offer some of the same services, such as Kerberos and LDAP. The reason _msdcs is
delegated to a separate zone in the forest root domain is to change the zone's replication scope
from domain-wide to forest-wide. Because the forest root contains specialized functions, such as
global catalog servers, replication of this domain's SRV records to the entire forest is critical.
 