Verify a zone delegation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Administrative credentials

You do not need administrative credentials to perform this task. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify a zone delegation

  1. At a command prompt, type the following command, and then press ENTER:

nslookup RootServerIpAddress

  1. Type the following command, and then press ENTER:


  2. At the next prompt, type the following command, and then press ENTER:

    set norecurse

  3. At the next prompt, type the following command, and then press ENTER:

    set q=NS

  4. Type the fully qualified domain name (FQDN) for the failed name.

    Use the trailing period (.) when you type the name. If zone delegations are set correctly, a list of name server (NS) resource records for delegated servers is returned in the response.

  5. If the NS query response contains no names or Internet Protocol (IP) addresses for delegated servers, type q=ns, and then query again using the FQDN for the parent zone of the failed name.

    For example, if the failed name that you used in the previous step was, query for

  6. If the response contains NS resource records, but no host address (A) resource records, type set recurse, and then query individually for any of the A resource records of the servers that are listed in the NS resource records.

    If, for each NS resource record that you encounter in a zone, you do not find at least one valid IP address in an A resource record, you have a broken delegation.

  7. Either fix the broken delegation or retry the delegation test that is described in the previous step and use a different IP address.

    If more than one A resource record or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

    Value Description


    The IP address of a valid root server for your network.

    set norecursion

    Instructs the root server to not perform recursion on your query.

    set q=NS

    Sends the query for NS resource records to the root server.