Verify a Zone Delegation

Applies To: Windows Server 2008

You can use this procedure to verify that a zone has been properly delegated.

You do not need administrative credentials to perform this procedure. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify a zone delegation

  1. Open a command prompt. To open a command prompt, click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. Type the following command, and then press ENTER:

    nslookup <RootServerIpAddress>
    
  3. Type the following command, and then press ENTER:

    nslookup
    
  4. At the next prompt, type the following command, and then press ENTER:

    set norecurse
    
  5. At the next prompt, type the following command, and then press ENTER:

    set q=NS
    
  6. Type the fully qualified domain name (FQDN) for the domain name that you are testing.

    When you type the name, use the trailing period (.). If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers is returned in the response.

  7. If the NS query response contains no names or IP addresses for delegated servers, type q=ns, and then query again using the FQDN for the parent zone of the domain name that you are testing.

    For example, if the name that you used in the previous step was sales.wingtiptoys.com, query for wingtiptoys.com.

  8. If the response contains name server (NS) resource records, but no host (A or AAAA) resource records, this may be the result of using UDP. Type set vc, which makes nslookup send its queries over TCP, and then run the command again. If no host (A or AAAA) records are listed, type set recurse, and then query individually for any of the host (A or AAAA) resource records of the servers that are listed in the name server (NS) resource records.

    If, for each name server (NS) resource record that you encounter in a zone, you do not find at least one valid IP address in a host (A or AAAA) resource record, you have a broken delegation.

  9. Either fix the broken delegation or retry the delegation test that is described in the previous step and use a different IP address.

    If more than one host (A or AAAA) resource record or IP address is found, use each to repeat the delegation test in the previous step. To fix a delegation, add or update a host (A or AAAA) resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

    Value                    Description
    nslookup                 The name of the name server lookup utility.
    <RootServerIpAddress>    The IP address of a valid root server for your network.
    set norecursion          Instructs the root server to not perform recursion on your query.
    set q=NS                 Sends the query for name server (NS) resource records to the root server.
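
The check in steps 6 through 8, written out in Python as an added example (not part of the original procedure or of nslookup): it parses a raw DNS response, maps each NS host to the A or AAAA records returned with it, lists the NS hosts that have no address, and reports the TC (truncated) flag that calls for the set vc retry. The response bytes, the ns1/ns2 host names and the 192.0.2.53 address are constructed for illustration.

```python
import ipaddress
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):                      # bound pointer chains
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", end or off + 1
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = end or off + 2
            off = (n & 0x3F) << 8 | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def check_delegation(msg):
    """Return (truncated, {ns_host: [addresses]}, [ns_hosts with no address])."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    servers, addrs, off = [], {}, 12
    for _ in range(qd):                       # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                        # NS: rdata is the server's host name
            servers.append(read_name(msg, off)[0])
        elif rtype in (1, 28):                # A / AAAA: rdata is a packed address
            addrs.setdefault(owner, []).append(str(ipaddress.ip_address(msg[off:off + rdlen])))
        off += rdlen
    glue = {s: addrs.get(s, []) for s in servers}
    return bool(flags & 0x0200), glue, [s for s in glue if not glue[s]]

# Constructed referral for sales.wingtiptoys.com.: two NS records, an address for ns1 only.
def _rr(name, rtype, rdata):
    return name + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata

SAMPLE = (struct.pack(">HHHHHH", 0x1234, 0x8000, 1, 0, 2, 1)   # response, RD and TC clear
          + b"\x05sales\x0bwingtiptoys\x03com\x00\x00\x02\x00\x01"  # question: NS, class IN
          + _rr(b"\xc0\x0c", 2, b"\x03ns1\xc0\x0c")
          + _rr(b"\xc0\x0c", 2, b"\x03ns2\xc0\x0c")
          + _rr(b"\xc0\x33", 1, bytes([192, 0, 2, 53])))

if __name__ == "__main__":
    print(check_delegation(SAMPLE))
```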