KB ID 0001287

Problem

When promoting a server to be a domain controller, you might see the following error,

“A delegation for this DNS server cannont be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are intergrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “{zone-name}“, Otherwise, no action is required”.

Or if you are on older domain controllers;

I’ve clicked past this error many thousands of times, because I know its safe to do so, but what does it mean? And why (in most cases), can you simply ignore it?

Solution

Quick Answer:

If you’re here because you have just Googled the error and don’t really care, because you have work to do, then in 99% of cases this error can be ignored. Unless you need assets within your internal domain DNS to to addressable, or look-upable, (if those are words!) From the public internet.

But I’m creating a child domain? If you are creating a child domain, then the machine you are promoting to be a domain controller in the new child domain, should be a member of the root domain first! Also you need to be logged on with a member of the enterprise administrators group. When creating a child domain you should NEVER see this error because a DNS delegation is created for you automatically in the root domain. The only error you may see is;

Could not log into the domain with the specified credentials. Supply a valid credential and try again.

Make sure you are a member of the root domains enterprise admin group and that the root domain is contactable.

The Long Answer:

It’s complaining because it can’t make a ‘delegation’ in the domain that’s directly above you, what does that mean? Well a delegation is (as the name implies) a method of delegating authority for a DNS zone somewhere else, to another DNS server to be precise. so for the following;

AD domain domain.com looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail.

AD Domain subdomain.domain.com looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail. NOTE this domain might look like a subdomain/child domain but if you selected new domain in a new forest, it isn’t (this can be confusing that’s why I’m mentioning it).

AD Child Domain subdomain.domain.com This will look to the DNS servers responsible for domain.com (the root domain in your forest) and it will create a delegation for you. For this to work you will have selected “Add a new domain to an existing forest”.

Providing you are an enterprise administrator the delegation will be created for you in the domain ‘above’ you.

If you open the delegation, you will see that the name server entry for your child domain has been created;

The domain ‘Above’ me isn’t a Windows domain, or it’s a public domain?

Then, if you need to have your domain assets addressed by their DNS name from the internet, you need to do the following.

1. Allow DNS access to your internal DNS Server(s) from the Internet, (via UDP and TCP port 53).
2. Create an A (or AAAA) record for each of your DNS servers, with a public name i.e. ns1.yourdomain.com etc.
3. Create an NS (name server) record that points to each of your DNS servers A (or AAAA) records.

Related Articles, References, Credits, or External Links

NA