Windows – A Delegation For This DNS Server Cannot Be Created

KB ID 0001287


When promoting a server to be a domain controller, you might see the following error,

“A delegation for this DNS server cannont be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are intergrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “{zone-name}“, Otherwise, no action is required”.

Cannot Create DNS Delegation 2012

Or if you are on older domain controllers;

Cannot Create DNS Delegation 2008

I’ve clicked past this error many thousands of times, because I know its safe to do so, but what does it mean? And why (in most cases), can you simply ignore it?


Quick Answer:

If you’re here because you have just Googled the error and don’t really care, because you have work to do, then in 99% of cases this error can be ignored. Unless you need assets within your internal domain DNS to to addressable, or look-upable, (if those are words!) From the public internet.

But I’m creating a child domain? If you are creating a child domain, then the machine you are promoting to be a domain controller in the new child domain, should be a member of the root domain first! Also you need to be logged on with a member of the enterprise administrators group. When creating a child domain you should NEVER see this error because a DNS delegation is created for you automatically in the root domain. The only error you may see is;

Could not log into the domain with the specified credentials. Supply a valid credential and try again.

child domain could not login

Make sure you are a member of the root domains enterprise admin group and that the root domain is contactable.

The Long Answer:

It’s complaining because it can’t make a ‘delegation’ in the domain that’s directly above you, what does that mean? Well a delegation is (as the name implies) a method of delegating authority for a DNS zone somewhere else, to another DNS server to be precise. so for the following;

AD domain looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail.

AD Domain looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail. NOTE this domain might look like a subdomain/child domain but if you selected new domain in a new forest, it isn’t (this can be confusing that’s why I’m mentioning it).

New Domain New Forest

AD Child Domain This will look to the DNS servers responsible for (the root domain in your forest) and it will create a delegation for you. For this to work you will have selected “Add a new domain to an existing forest”.

Creating a New Child Domain

Providing you are an enterprise administrator the delegation will be created for you in the domain ‘above’ you.

2012 Domain Delegation

If you open the delegation, you will see that the name server entry for your child domain has been created;

DNS Delegation NS Record

The domain ‘Above’ me isn’t a Windows domain, or it’s a public domain?

Then, if you need to have your domain assets addressed by their DNS name from the internet, you need to do the following.

  1. Allow DNS access to your internal DNS Server(s) from the Internet, (via UDP and TCP port 53).
  2. Create an A (or AAAA) record for each of your DNS servers, with a public name i.e. etc.
  3. Create an NS (name server) record that points to each of your DNS servers A (or AAAA) records.


Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. Thanks for your easy-to-understand explanation. What I don’t think you covered was why it always fails to create the delegation. Why put in something into the install process that fails every time?

    Post a Reply
    • It doesn’t fail if you are creating a sub domain, in a domain you own.


      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *