Conditional Forward Rules and Subdomains

Around a week ago I redid my lab network and added two new domain controllers. I used one of my website domains as the lab domain to mimic how a corporation could be set up.

So the domain for my network was “voltdrift”, and the website is externally hosted under “www.voltdrift.com”.

The Problem: DNS will not resolve subdomains.

Once I was done I noticed I could not get to the website: the DNS on the domain controller would not resolve it. I thought I knew how to fix this and that all I needed was a new delegation for the “www” subdomain. I could have sworn that’s how I did it on Windows Server 2012, but for some reason it would not work on Windows Server 2019.

DNS Conditional Forward

So after a few hours of messing with it on and off and doing some reading, it seemed like a conditional forwarder was what I needed. But there was a problem: when I tried to add one I got this error.

“A problem occurred while trying to add the conditional forwarder. A zone configuration problem occurred.”

[Image: conditional forwarder error dialog]

It seems that because the DNS server is authoritative for my local domain “voltdrift”, it refuses to add any conditional forwarder for a name that falls inside that zone, including its subdomains.

The Work Around

The way to get around this error is to trick the DNS server into thinking it is not in control of that subdomain, or at least that’s how I understand it. We do this by adding a new delegation for that subdomain on the DNS server.

[Image: delegated domain name]

Then we point that delegation at our domain controller / DNS server. I know it seems kind of silly. I have two, so in my case I pointed it to both of them.

[Images: name server entries, one for each domain controller]

Now we can set up a new conditional forwarder without the error.

[Image: new conditional forwarder]

Make sure you check the “Store this conditional forwarder in Active Directory” box if you want the conditional forwarder to replicate to all your other DNS servers.

Now the conditional forward works

Now your DNS should be able to resolve your website under the www subdomain.
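The same workaround scripted end to end with the DnsServer PowerShell module, as an added example that is not from the original post. It assumes the AD-integrated zone is voltdrift.com, two DCs (dc1/dc2 at 10.10.0.11 and 10.10.0.12) and a placeholder external nameserver 203.0.113.53; run it on one of the DCs as a DNS administrator.

```powershell
# Added example (not from the original post): delegation + conditional
# forwarder workaround on Windows Server 2019 DNS via the DnsServer module.
# All names and addresses below are constructed assumptions for this example.
Import-Module DnsServer

$ParentZone = 'voltdrift.com'                     # assumed AD-integrated zone
$ChildLabel = 'www'
$ChildFqdn  = "$ChildLabel.$ParentZone"
$Dcs        = @{ 'dc1.voltdrift.com' = '10.10.0.11'   # assumed DC addresses
                 'dc2.voltdrift.com' = '10.10.0.12' }
$ExternalNs = '203.0.113.53'                      # placeholder: web host's NS

# 1. Why the wizard fails: the server hosts a primary zone that contains the
#    forwarder name, so it rejects the conditional forwarder outright.
$authoritative = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and
                   ($ChildFqdn -eq $_.ZoneName -or $ChildFqdn.EndsWith(".$($_.ZoneName)")) }
if ($authoritative) {
    Write-Host "'$ChildFqdn' lies inside authoritative zone '$($authoritative.ZoneName)'"
}

# 2. Delegate the subdomain back to the DCs themselves (one NS record per DC),
#    which is what the post does in the delegation wizard.
foreach ($ns in $Dcs.GetEnumerator()) {
    Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
        -NameServer $ns.Key -IPAddress $ns.Value
}

# 3. The conditional forwarder is now accepted. Storing it in AD with forest
#    scope is the "replicate to all DNS servers" checkbox from the post.
Add-DnsServerConditionalForwarderZone -Name $ChildFqdn -MasterServers $ExternalNs `
    -ReplicationScope 'Forest'

# 4. Verify: NS records for www exist in the parent zone, the forwarder zone
#    is registered, and the name resolves when asked through this DC.
Get-DnsServerResourceRecord -ZoneName $ParentZone -Name $ChildLabel -RRType NS
Get-DnsServerZone -Name $ChildFqdn | Format-List ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name $ChildFqdn -Type A -Server $Dcs['dc1.voltdrift.com']
```

If the external provider is reachable from the DCs on TCP/UDP 53, the delegation can point at the provider's nameserver directly instead, in which case step 3 is not needed.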

I still feel like this was easier in the past, but this is how I got it working on Windows Server 2019 DNS, so I thought it would be a good idea to document the process. I hope it has helped you!

If you know of a better way please let me know in the comments below! I’d love to hear about it.


6 thoughts on “Conditional Forward Rules and Subdomains”

  1. alex.lu

    Another scenario about DNS:

    On your domain controller, your DNS is the authoritative server of this zone: voltdrift.com
    On your DNS server, you forward all non-authoritative DNS resolution requests to 8.8.8.8

    But you also want to create a conditional forwarder on your DNS server, and the forwarder is 1.1.1.1 — all DNS resolution requests for google.com and its subdomain xxx.google.com will use 1.1.1.1 to do the job.

    When I try that on my server, in the Conditional Forwarder wizard, the DNS domain is google.com and the forwarder is 1.1.1.1. When I resolve google.com, it will use 1.1.1.1, but when I resolve http://www.google.com, it will use 8.8.8.8.

    Why doesn’t it use 1.1.1.1 to resolve all subdomains of google.com? What should I do if I want to implement that?

    Any idea?

    1. Zack (post author)

      As far as DNS is concerned, http://www.google.com and google.com are two different sites. So when you put in http://www.google.com, the DNS sees no rules for that, so it’s falling back on your global forwarder to 8.8.8.8.

      If you want a rule for all domains you might be able to make a rule with a wildcard. Maybe something like *.google.com. But I’m not sure if Windows DNS supports wildcards. I’m a few days travel away from my network lab so I can’t test it.

      It could also be easier to flip your rules depending on your end goal. Set your DNS to always use 1.1.1.1 and then use 8.8.8.8 for the domains you want it on.

      I hope this helps you find your answer. Good luck my friend!

  2. Summa Lai

    Thank you for sharing this; it’s the same issue I encountered with my Internal DNS, and it’s all resolved now. Much appreciated!

  3. TM

    If you need to make another DNS server handle a subdomain inside a domain you’re authoritative for (or your DCs – I honestly would never use a top-level namespace in an AD domain), then simply creating the delegation of the subdomain name to the external DNS provider is what you do.

    It’s not “tricking” DNS in any way, it’s the proper method of spinning off subordinate namespaces. So you shouldn’t need a conditional forwarder at all. I do delegations all the time in my environment to a non-Windows nameserver. I wonder if there was some firewalling issue with “line of sight” from your DCs to the external provider – the delegation needs TCP/UDP 53 inbound from the external DNS to the parent zone nameserver.

    (Although having DCs on the public internet again gives me the willies, thus having something like “mydomain.example.com” for the AD domain, and “example.com” as your parent namespace hosted externally, to make it easy to delegate any subzone. Since “mydomain” would be completely private, no need to delegate that explicitly to your DCs.)

    1. Zack (post author)

      I agree with you. Since this post I have scrapped that lab and moved mostly away from Windows. But if I ever redid it I would use something like “local.example.com” instead of “example.com”. Thanks for the updated info!
