
the server with this ip is not authoritative for the required zone

Question

Friday, May 25, 2012 7:34 AM

Hi all, I am trying to add a conditional forwarder on one of my DNS servers in a child domain.

The forest root is called MegaCorp.com and the child is called uk.MegaCorp.com.

The DNS server in the forest root has the IP address of 10.10.50.2. When I try to add the DNS server of the forest root as the name server in the conditional forwarder on the DNS server in the child domain, I get the following error:

the server with this ip is not authoritative for the required zone

I have created reverse lookup zones on both domains.

What am I missing? I am sure this will be very simple but I cannot work it out.

Thanks

All replies (14)

Friday, May 25, 2012 9:39 PM ✅ Answered

Really sorry, I have not been clear at all. I will explain it from the beginning.

- I have two forests, one called Megacorp.com and one called Tailspin.com

- each forest consists of a child domain, which are uk.megacorp.com and uk.tailspin.com

- I can ping from the parent domains to the child domains and from the child domains to the parent domains. I did not need to configure any additional zones or forwarders for this to work, which caused my initial confusion. But after a bit of digging I found that the DNS zones were replicated forest wide, which explains why I can ping from parent to child and child to parent

- then earlier today I wanted to create a forest trust between the two forests but I was getting an error saying the trust cannot be created. I was then told this is because there is no zone on either forest root domain for the other respective forest root with whom I'm trying to establish the trust. I then discovered that by adding the other forest root domain DC as a forwarder in DNS I was then able to create the forest trust.

- now all seems to be working as I want it to, for example accessing files and folders making use of the transitivity (up through one domain tree and down through the other domain tree)

- BUT I'm still not happy with my understanding of DNS. I expected to see more in regards to the forest in the trust relationship etc.

It's all working so I shouldn't complain :)

Thank you all very much for taking the time to help me out!!!


Friday, May 25, 2012 8:46 AM

Hi,

In this scenario you need to use zone delegation, since it is a parent-child scenario.

DNS forwarding is required for external DNS zones.

Please check the following link for configuring the delegation 

Thanks and Regards, Mukesh. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


Friday, May 25, 2012 10:42 AM

So stub zones and conditional forwarders are not needed in situations like mine?

I'm sure the Microsoft books and training videos use my scenario for stub zones and conditional forwarders.

Or would they be used in a multiple forest situation as opposed to multiple domain?


Friday, May 25, 2012 11:32 AM

Hi,

Maybe the link below will help you

http://social.technet.microsoft.com/Forums/fi/winserverDS/thread/4db4c311-7206-400c-8c12-85ad4bd3e166


Friday, May 25, 2012 12:35 PM

A conditional forwarder will only work if there is a match to a domain name. When you specify the domain name against that DNS server IP for your parent domain, make sure you're typing it correctly. It should be an FQDN, e.g. xyz.com and not only .com. If you want all queries to be forwarded to that DNS server, then use the forwarders option under the server node properties.

Note that DNS configuration across parent and child domains is recommended to be set up this way:
Parent to Child - Delegation - http://support.microsoft.com/kb/255248
Child to Parent - Conditional Forwarders - http://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx

A stub zone can also work in this case but is not the best option because it's mostly used where the entire zone transfer is not feasible. A stub zone will act as a proxy pointing to the actual authoritative DNS server for that zone.

Sachin Gadhave
MCP, MCSA, MCTS


Friday, May 25, 2012 2:32 PM

I tried to add a stub zone on the parent domain to point to the child zone but I still get the following error when adding a name server:

the server with this ip is not authoritative for the required zone

How do I make the server authoritative??


Friday, May 25, 2012 3:25 PM

I think I may have found part of the issue here.

I have created two forests in my lab but I have used the following domain names

- MegaCorp.com

- TailSPin.com

I have a feeling I should have used .local, am I correct? I do not own the above two domain names! When I ping the FQDN of the DC on megacorp.com I get a response from a public IP address!

Any more info would be much appreciated!

Thanks


Friday, May 25, 2012 3:49 PM

Yes, both these domains exist on the internet. Even if this is the case, your internal domain should be resolved first. Have you specified an external DNS server IP for your LAB servers? How is your LAB set up? Please provide details. If at all possible, rebuild the LAB with new unique names, then everything should work as expected.

Sachin Gadhave
MCP, MCSA, MCTS


Friday, May 25, 2012 3:58 PM

Oh no!! :( I've spent hours setting all the VMs up! Oh well, I suppose the whole point of the exercise is to learn :)

I have now made some changes so the names are resolved internally first, which is working fine now; the public address is no longer being resolved BUT I still cannot get a stub, secondary zone to work. I get the same error saying the server is not authoritative!! I have no idea how to resolve this!

I think I am going to have to rebuild all my domains! I will make a start now by demoting them all then starting from scratch!


Friday, May 25, 2012 6:37 PM

It's not authoritative because you are trying to delegate the zone to ANOTHER DNS server, specifically the one in the child domain and not the forest Root DNS server. The address you put in for the delegation (or stub) has to have the zone already hosted, which makes it authoritative. If you're trying to use the same DNS server, the forest root DNS server, for a delegation, that's a little trickier. What you'll have to do is precreate the child domain as a zone, such as "uk.MegaCorp.com," then it will be authoritative for the zone. But in reality, in a multidomain design and desiring to use a parent-child delegation, you would install DNS on the child domain DC, create the zone, make sure the DC uses itself for the zone, make sure all SRV and other data register, then set up the delegation choosing that DC/DNS as the IP, then set a forwarder (conditional or general) back to the forest root DNS.

Here are the specifics:

DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx


Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Friday, May 25, 2012 7:54 PM

Name resolution between the root and child domain is fine; the issue is creating a stub between the two forests megacorp and tailspin.

Thanks


Friday, May 25, 2012 8:39 PM

If resolution is fine, then how do you have it currently set up? Are all zones replicated forest wide?


The point about the delegation, as I said, is the IP you are pointing to for the delegation must be hosting the zone, otherwise it's not "authoritative."

[...] the public address is no longer being resolved [...]

Can you elaborate on what you mean by the public address is not resolvable, and whether that's from the internal network or from the internet?


Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Tuesday, May 29, 2012 4:37 AM

I'm not sure how to respond. If you have a forest with the zone replicated forest wide, it means that zone's data is available and will be used by any DC in the forest that has DNS installed. That, and a search suffix, will resolve data forest wide. The search suffix is for example, tailspintoys.com and uk.tailspin.com toys, which should be on all machines forest wide. Same if there are multiple child domains in one forest, in which case you would need all three AD domains' suffixes on all machines in the forest.

And each DNS that hosts the zone registers an NS record as a nameserver of the zone.

So, when trying to create a conditional forwarder and getting the error "the server with this ip is not authoritative for the required zone," it apparently means there is no NS record that it can find with that server's IP address you specified. If you check the zone, is there an NS record with that IP address?

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.
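
A way to test the condition discussed in the replies above (the target IP must host the zone) from any machine, as an added example that is not part of the thread: send a non-recursive SOA query and check the AA (Authoritative Answer) flag in the reply. Treating this as equivalent to the DNS console's own validation is an assumption; the sample headers are constructed, not captured traffic.

```python
import socket
import struct

QTYPE_SOA = 6
FLAG_QR, FLAG_AA = 0x8000, 0x0400   # response bit, Authoritative Answer bit

def build_query(zone, qtype=QTYPE_SOA, txid=0x1234):
    """Encode a query with RD=0 so the server answers only from data it holds."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

def parse_header(response):
    """Pull the fields needed for the check out of the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0x000F, "ancount": ancount}

def is_authoritative(response, txid=0x1234):
    """True only for a matching NOERROR reply that carries an answer with AA set."""
    h = parse_header(response)
    return (h["qr"] and h["txid"] == txid and h["aa"]
            and h["rcode"] == 0 and h["ancount"] > 0)

def check_server(server_ip, zone, timeout=3.0):
    """Live check over UDP/53, e.g. check_server("10.10.50.2", "MegaCorp.com")."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server_ip, 53))
        response, _ = s.recvfrom(4096)
    return is_authoritative(response)

# Constructed reply headers for the three outcomes worth telling apart.
HOSTS_ZONE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)  # AA=1, NOERROR
FORWARDED = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)   # answer, but AA=0
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)     # RCODE 5

if __name__ == "__main__":
    for name, msg in (("hosts zone", HOSTS_ZONE), ("forwarded/cached", FORWARDED),
                      ("refused", REFUSED)):
        print(f"{name:17} authoritative={is_authoritative(msg)}")
```

An answer with AA clear means the server obtained the data from somewhere else (cache or a forwarder), which in the lab described in this thread is also how the public megacorp.com addresses were showing up.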


Tuesday, May 29, 2012 11:16 AM

Hi, yes there was an NS record with the server in the conditional forwarder, which was the reason I was getting confused, but I went back to it the day after and tried again and it worked perfectly! I have created a conditional forwarder and a stub zone and they both work fine. I only created both as a practice. I understand the two are used very differently.

Thanks