Wednesday, November 17, 2010

Dcpromo and DNS installation message

Have you ever seen this?
"A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “FQDN”. Otherwise, no action is required."
This happens when:
- Dcpromo.exe has been configured to install the DNS server role, sufficient delegations do not already exist between the DNS servers in the immediate parent DNS zone and the subdomain where you are installing the new DC, and the DC is unable to create a delegation to the DNS subdomain on a DNS server that is authoritative for the parent zone.
Do you need to care about it?
Not if you don't have users in other domains (Internet included) who need to resolve DNS names in the local domain.
Why does it happen?
- Dcpromo tries to create the delegation to ensure name resolution from other domains.
- You can also see this in the forest root when it is immediately subordinate to top-level domains.
- Dcpromo can auto-create this delegation, but only for MS DNS and will fail for non-MS DNS servers.
- It also happens if the (root) domain is subordinate to an existing intranet namespace that is owned by non-MS DNS servers such as BIND.
- I also heard that this can happen if the AD domain is registered on the Internet, but the ISP has not created the necessary delegation yet.
How to avoid it?
- On your non-MS DNS servers, pre-create the delegation in the parent domain.
- If you have MS DNS servers in the parent domain, make sure you have the necessary permissions to create the delegation in the parent zone.
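
One way to confirm that a pre-created delegation on a BIND-style parent is complete before running Dcpromo, as an added example that is not part of the original post: it checks that the child zone has NS records in the parent zone and that every name server inside the child zone also has a glue address record. The zone names, host names and addresses are constructed placeholders, and the parser assumes single-line records with an explicit owner name and a single `$ORIGIN`.

```python
# Added example: checks a BIND-style parent zone for a usable delegation.
# All zone names, host names and addresses are constructed placeholders.
PARENT_ORIGIN = "corp.example."
CHILD_ZONE = "ad.corp.example."
PARENT_ZONE_TEXT = """\
$ORIGIN corp.example.
@        IN SOA ns1 hostmaster 2010111701 3600 600 86400 3600
@        IN NS  ns1
ns1      IN A   192.0.2.1
ad       IN NS  dc1.ad
ad       IN NS  dc2.ad.corp.example.
dc1.ad   IN A   192.0.2.10
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lowercase absolute name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_records(text, origin):
    """Yield (owner, type, rdata) for 'owner [ttl] [IN] type rdata' lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line or line.startswith("$"):   # skip blanks and directives
            continue
        owner, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                    # skip optional TTL and class
        if len(rest) >= 2:
            yield fqdn(owner, origin), rest[0].upper(), rest[1:]

def check_delegation(text, origin, child):
    """Return (ns_targets, problems) for the delegation of child in the parent."""
    records = list(parse_records(text, origin))
    ns = [fqdn(r[0], origin) for o, t, r in records if t == "NS" and o == child]
    glue = {o for o, t, _ in records if t in ("A", "AAAA")}
    problems = [] if ns else [f"no NS records for {child}"]
    for target in ns:
        # A name server inside the delegated zone is only reachable via glue.
        if target.endswith("." + child) and target not in glue:
            problems.append(f"missing glue for {target}")
    return ns, problems

if __name__ == "__main__":
    print(check_delegation(PARENT_ZONE_TEXT, PARENT_ORIGIN, CHILD_ZONE))
```

In the constructed zone the second domain controller is listed as a name server without an address record, so the delegation exists but is incomplete.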