In this video from ITFreeTraining I will look at DNS delegation. DNS Delegation allows the
administrator to further divide up a DNS name for administrative and performance reasons.
First of all, what is DNS Delegation? If you consider a typical domain, in this case ITFreeTraining.local,
this is stored on a DNS server. Let’s imagine this domain name as a piece of pie. This piece
of pie represents only a small part of the overall DNS space.
The whole idea behind DNS is having the ability to break down the DNS namespace into smaller
parts. In this case, I will break down the DNS namespace into two parts, east and west.
One of the ideas behind DNS is the ability for it to have different parts of the namespace
stored and managed on different servers. So in this example, the east and west namespaces
will be stored on separate DNS servers.
The problem occurs when a client queries the east or west domain. Since DNS is a hierarchical
database, the query will first go to the DNS server that is holding the domain name ITFreeTraining.local.
This DNS server does not hold the east or west zones, so it needs to know which server
does hold these zones. This way, the DNS server can have the DNS query passed on to the right
DNS server.
This is essentially what DNS delegation is: the ability to divide up the DNS namespace
into separate parts and store them on other DNS servers. It is also possible to store
them on the same server if required. So why would you want to use DNS delegation?
The first reason for delegation is to delegate administrative authority. As shown in the
example, different IT administrators in the east and west can have complete control over
the east and west parts of the ITFreeTraining.local DNS name without being given control
over any other part of the ITFreeTraining.local domain.
The next reason that you would want to do this is for improved performance. By having
different parts of the DNS namespace on different DNS servers, the load on the
DNS servers can be divided up rather than having one DNS server handle all the queries. The
last reason is to expand the DNS namespace. As we see in the example, the DNS namespace
was able to be expanded to include two additional subdomains.
I will now change to my Windows 8.1 computer with Remote Administration Tools installed
to have a look at how to configure DNS delegation.
First of all, I will right click on the start menu and select the option to open a command
prompt. From the command prompt I will attempt to ping a host in the west.itfreetraining.local
domain. As you can see, the host cannot be found because the DNS delegation has not been
created as yet.
To create the west DNS delegation, I will first open server manager from the task bar
and once open, I will right click All Servers and select the option Add Servers.
On the add servers screen, I will press the “find now” button to search Active Directory
for the servers. In this case, I will select the Domain Controller NYDC1 as it holds the
ITFreeTraining.local namespace as an Active Directory Integrated Zone.
The second DNS server that will hold the other DNS zone is not currently part of any Active
Directory domain. To add this server, I will select the tab DNS and enter in the IP Address
of the server. Since this server cannot be resolved using DNS at present, the only
way to contact it is using the IP Address of the server.
You will notice that once the IP Address has been entered in, server manager is able to
contact the server and obtain its computer name. I will now press OK and both servers
will be added to server manager.
You will notice that NYDC1 has been added and server manager will be able to obtain
information from it. As for the second server, WestDC1, no information could be obtained
from the server. Notice the message, Kerberos target resolution error. Since this server
is not in the domain, a Kerberos connection could not be made to the server, so server
manager cannot create a secure connection to the server and therefore cannot obtain information
about the server.
If I were to right click on the server and select the “manage” option, this would
allow me to enter in a username and password to connect to the server; however, since the
server is not in the domain, this will still not allow a Kerberos connection to be made.
If I select DNS from the left hand side, I can see that NYDC1 has been added as a DNS
server. If I right click it, I can select the option DNS Manager to make changes to
DNS.
In order to make changes to the other DNS server, I will right click DNS at the top
and select the option “Connect to DNS Server”. When prompted, I will enter in the IP Address
of the DNS server that will hold the west zone.
When I expand down to Forward Lookup Zones, notice that no zones have been created on
this DNS server. To create a new zone, right click on Forward Lookup Zone and select the
option “New Zone” to start the new zone wizard.
Once I am past the welcome screen, on the next screen I will leave it on the default option
of primary zone and move on.
On the next screen I will enter in the name of the zone, in this case the zone name will
be west.ITFreeTraining.local.
On the next screen I will be asked which file to store the zone in, I will accept the default
and move on.
The next screen will ask if I will be using dynamic updates which I will leave on the
default option of “do not allow dynamic updates” and move on.
This completes the wizard, once I press finish the zone will be created.
Now that the zone has been created, I will open the new zone and right click on
the white space and select the option New Host. I am creating this DNS record to demonstrate
that the DNS delegation is working.
For the host record, I will enter in the host name and the IP Address for that host name.
Once the host record has been created, notice that if I go back to the command prompt and
attempt to ping the address, once again the computer cannot resolve it. To understand
why, consider the following.
So far, on the DNS server a zone has been created for west.ITFreeTraining.local. When
the client sends a query for this DNS zone, the resolving process will contact the DNS
server holding the ITFreeTraining.local zone. If the client was configured to contact the
other DNS server directly, it would be able to resolve DNS queries by contacting that
DNS server. However, this is not practical on large networks as it would mean configuring
a large number of DNS servers on the client.
In order for the client to resolve DNS queries, a delegation needs to be configured in order
to direct the DNS queries to the other DNS server. To see how to do this, I will change
back to my Windows computer.
To create the delegation, I will go back to DNS Manager and then expand through the NYDC1
DNS server until I get to the zone ITFreeTraining.local.
Notice that under ITFreeTraining.local in Forward Lookup Zones is East. East is a child domain
that I have already configured. Since Windows Server 2008, when you create a child domain,
the promotion process will automatically configure DNS for it as a new domain. Previously an
administrator had to perform this step themselves.
If I right click the zone, notice the option New Domain. Since the West domain will at
some stage be added as a child domain, I could use this option. However, this would still store
the DNS records on this server, which is not what I want in this case. So in this case,
I will choose the next option “New Delegation” to start the new delegation wizard.
Once I am past the welcome screen, on the next screen I need to enter in the name of the
delegated domain, in this case west.
On the next screen, I need to enter in the address of a DNS server that is authoritative
for that zone, or in other words, holds a copy of the zone data that is considered up
to date and accurate.
Once I press add, on this screen I need to enter in the name of the DNS server, in my
case, WestDC1.west.ITFreeTraining.local. Notice that when I press the resolve button, I get
an error message stating the IP Address for this server cannot be found. This is because
currently there is no way to resolve requests for the west DNS domain.
To get around this, I will enter in the IP Address of the DNS server. If you want to
use the name, what you will need to do is create another host record in the ITFreeTraining.local
zone for the DNS Server. This is referred to as a glue record. Glue records allow the
DNS server to resolve hostnames that it cannot resolve using other methods. In this case
I will just use the IP Address of the other DNS server to get around this problem.
Once I go back to the previous screen and press next, this completes the wizard and
once I press finish the new delegation will be created.
Notice that when the delegation is created, in the zone file it appears as grey. This
indicates that it is a delegation and thus not stored on this DNS server.
Now that the delegation has been created, notice that if I go back to the command prompt
and I attempt to ping the address of WestDC1, this time the hostname is resolved. Notice
however the request times out. This is normal because the firewall on this server is not
configured to respond to ping commands.
There is one last thing that I will do to show the delegated zone is working. I will
go back to DNS Manager and this time go into the DNS server on WestDC1. This time I will
create an alias record, or CName record.
For the CName I will use the name WWW and browse to the server WestDC1. Once the CName
record has been created, I will go back to the command prompt and attempt to ping www.west.ITFreeTraining.local.
The ping command will resolve the request for the WWW and ping the server WestDC1. Once
again I will not get a response back as the firewall is blocking it, however you get the
idea that the delegation has worked.
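The same delegation the video builds through the GUI, written as an added PowerShell example (not part of the original video or ITFreeTraining's material). It assumes the DnsServer module from Remote Server Administration Tools on the admin workstation, that NYDC1 holds itfreetraining.local, and that 10.0.0.20 is a placeholder address for WestDC1; it also covers the glue record the video mentions, since passing the name server's IP to the delegation writes that glue A record into the parent zone.

```powershell
# Added example, not from the video. Placeholder values (assumed):
$ParentDns  = 'NYDC1'                     # holds itfreetraining.local (AD-integrated zone)
$WestDns    = '10.0.0.20'                 # placeholder IP of WestDC1; nothing resolves its name yet
$ParentZone = 'itfreetraining.local'
$WestZone   = 'west.itfreetraining.local'
$WestNs     = "westdc1.$WestZone"         # FQDN of the delegated zone's name server

# 1. Create the primary zone on the west server. It must be reached by IP because
#    no delegation exists yet; zone file and "no dynamic updates" match the wizard defaults.
Add-DnsServerPrimaryZone -ComputerName $WestDns -Name $WestZone `
    -ZoneFile "$WestZone.dns" -DynamicUpdate None

# 2. The host record the video creates in the west zone to prove delegation works.
Add-DnsServerResourceRecordA -ComputerName $WestDns -ZoneName $WestZone `
    -Name 'westdc1' -IPv4Address $WestDns

# 3. The delegation itself, done on the parent server: an NS record for "west" in
#    itfreetraining.local pointing at WestDC1. Supplying -IPAddress is what lets the
#    parent hand out the name server's address (the glue record); without glue, a
#    resolver following the NS record would have to ask the west zone for the west
#    server's own address, which is the circular lookup the video runs into.
Add-DnsServerZoneDelegation -ComputerName $ParentDns -Name $ParentZone `
    -ChildZoneName 'west' -NameServer $WestNs -IPAddress $WestDns

# 4. The CName www -> WestDC1 inside the delegated zone.
Add-DnsServerResourceRecordCName -ComputerName $WestDns -ZoneName $WestZone `
    -Name 'www' -HostNameAlias $WestNs

# Checks: the delegation is visible on the parent as NS (plus glue A) records,
# and a query sent to the parent server is now answered via the west server.
Get-DnsServerResourceRecord -ComputerName $ParentDns -ZoneName $ParentZone -Name 'west'
Resolve-DnsName -Name "www.$WestZone" -Server $ParentDns -Type CNAME
```

A resolved name with a ping timeout, as in the video, means DNS is working and only ICMP is blocked by the west server's firewall; a resolution failure at this point usually means the glue record or the NS record in the parent is missing.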
Well that covers it for how to configure DNS delegation. I hope that you have enjoyed this
video and found it informative. For more free videos for the DNS course and other courses
please see our web page or YouTube Channel. Thanks for watching and see you next time.