A delegation for this DNS server cannot be created because the authoritative parent cannot be found

The warning message you are encountering, "A delegation for this DNS server cannot be created because the authoritative parent cannot be found," typically indicates that the DNS delegation records are not properly set up in the parent DNS zone. This can happen if the parent zone does not exist or if the DNS server is not configured correctly to recognize the parent zone.

While it is often safe to ignore this warning during the promotion of a domain controller, it is crucial to ensure that the DNS settings are correctly configured to avoid issues with domain logins and DFS connections after the server reboots.

Here are some steps you can take to troubleshoot and resolve the issue:

1. Verify DNS Configuration: Ensure that the DNS server settings on your new server point to the correct DNS servers that host the parent zone.
2. Check for Existing Delegations: If the parent zone exists, check if there are existing delegation records that might be misconfigured.
3. Manual Delegation Creation: If necessary, create the DNS delegation manually in the parent DNS zone to ensure that the new domain controller can be resolved correctly.
4. Firewall and Port Configuration: Double-check that all required ports are open and that there are no firewall rules blocking the necessary traffic between the servers.
5. Review DFS Configuration: Since you mentioned issues with DFS connections, ensure that DFS is correctly configured and that the servers can communicate with each other without any restrictions.

If the issue persists after these checks, you may need to consult additional documentation or support resources specific to your environment to further diagnose the problem.

References:

• Troubleshoot domain controller deployment
• Active Directory Domain Services (AD DS) configuration wizard page descriptions
• Active Directory Replication Error 8524: The DSA operation is unable to proceed because of a DNS lookup failure

Hi John Scarchilli,

The warning you’re seeing usually means the parent DNS zone doesn’t have the right delegation records for the new domain controller. While some environments can safely ignore this, the fact that you can’t log in after reboot suggests DNS replication or DFS connectivity isn’t working as expected.

Here are a few things to check: make sure the parent zone has the correct NS records pointing to the new Server 2025 DNS server, confirm replication between the 2019 and 2025 servers is healthy, and run dcdiag /test:DNS /v and repadmin /replsummary for more detail. Also, double‑check that DFS and related services are running and that firewall rules allow traffic on ports 53, 88, 135, and the dynamic RPC range. If the issue continues, I recommend opening a case with Microsoft Support to see if a compatibility update or hotfix is needed for Server 2025.

I hope this helps point you in the right direction. If you find this answer useful, please don’t forget to click “Accept Answer” 🙂.

Harry.

Let me know if you still need my help.