
Change DNS Zone Master Server

Question

Sunday, June 13, 2010 11:59 AM

Hi all,

I am currently in the middle of a migration, getting rid of some old domains.

Unfortunately, in one domain one of the two Domain Controllers had a hardware failure, so there is just one DNS server left for the domain (domainA.domain.com). I am currently thinking about moving the zone domainA.domain.com directly onto one of the new DNS servers in the new domain structure (domain.domain.group) instead of replacing the hardware.

Of course I have to change the DNS settings on the remaining systems to the new servers, but what else do I have to do so the server becomes the master for this specific zone, etc.? Can someone let me know what else I have to do?

Any help is greatly appreciated.

M.

All replies (8)

Monday, June 14, 2010 2:26 PM ✅ Answered

Hi MaikDunker,

Good to hear you properly removed the failed DC.

If you've already transferred the zone to the new DC/DNS in the new forest, and have confirmed all the data shows up (SRV and host records), then you can now simply change the zone type to AD integrated. It will now be the SOA of the zone. Any DNS server that hosts a writeable copy is an SOA. After you've changed the zone type, or even before (it doesn't really matter), you can now simply point the old DC and the machines in the other domain to use the new server as their DNS address.

Oh, and make sure that you do not set the new zone to Secure Updates Only. This setting forces machines to update after first authenticating using Kerberos. It allows machines in its own domain/forest to authenticate to register and will prevent the old DC and machines in the other domain/forest from registering, including Linux and other non-Windows machines and devices (if you have any). Set it to Secure and Unsecure updates for now until you remove the old infrastructure. If you do have non-Windows machines that you want to allow to update, then you should leave it as Unsecure.

You should be good to go!

Ace

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Sunday, June 13, 2010 4:03 PM

Hello Maik,

Your question is not entirely clear.

  1. Is domainA.domain.com a child domain of domain.com in the same forest?
  2. Is domainA.domain.com the only domain in the forest?
  3. Is the zone on the remaining DC AD Integrated? If so, what replication scope is the zone set to?

If you have an AD domain with two domain controllers, and one is lost to a hardware failure, did you also run a Metadata Cleanup to remove the failed DC's reference from the AD database? Did you also seize the FSMO roles to the remaining existing DC? I'm not sure if you've addressed the FSMO roles or run a Metadata Cleanup; however, I am posting relevant links to guide you in the process just in case you need assistance in this area:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

Cleanup Metadata Windows 2003
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

Cleanup Server Metadata Windows 2008 (GUI Based)
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

As far as the domainA.domain.com zone, if it is AD integrated, then that means the zone data is stored in the AD database. If both DCs were domain controllers, then the zone should still exist on the existing DC.

It also appears you are asking about a migration? You mentioned:

"I am currently thinking about moving the zone domainA.domain.com directly onto one of the new DNS servers in the new domain structure (domain.domain.group) instead of replacing the hardware."

Does that mean you are migrating from an AD domain called DomainA.domain.com to a new AD domain called Domain.domain.group?

If you simply want to move the zone to another DNS server that is not in the same domain or forest, but to use that DNS server for the domainA.domain.com AD domain, you can simply allow zone transfers in the current existing DC's DNS zone (domainA.domain.com) so a DNS server that is not a DC in the domainA.domain.com zone or any other non-DC can get a copy, then create a Secondary zone on the other DNS server, and specify the Master as the DC in domainA.domain.com. Then you will have a read only copy on that DNS server. If you want that to become the primary for domainA, then allow updates and point all machines' DNS settings to only use that DNS server.

Otherwise, if I misunderstood your intentions, please elaborate and provide more specifics with server names, specific domain names, same forest, different forest, etc., so I can better understand your current and future infrastructure and better assist.

Ace



Monday, June 14, 2010 11:56 AM

Hello Ace,

thank you for your answer.

The domain controller has been successfully removed from the AD with no leftovers.

[quote]
If you simply want to move the zone to another DNS server that is not in the same domain or forest, but to use that DNS server for the domainA.domain.com AD domain, you can simply allow zone transfers in the current existing DC's DNS zone (domainA.domain.com) so a DNS server that is not a DC in the domainA.domain.com zone or any other non-DC can get a copy, then create a Secondary zone on the other DNS server, and specify the Master as the DC in domainA.domain.com. Then you will have a read only copy on that DNS server. If you want that to become the primary for domainA, then allow updates and point all machines' DNS settings to only use that DNS server.
[/quote]

The (supposed to be) new DNS server is a member of the new forest. I transferred the zone already onto it, but I have no idea what I have to do to make it the master of the zone DomainA.domain.com, which is updated correctly. From what you wrote, what I understood so far is that I have to configure it as "Primary Server" in the SOA tab. Do I have to activate Dynamic updates for "Nonsecure and Secure" updates as well?

Furthermore, I would like to shut down the DNS on the remaining DC in domainA.domain.com. Are there any things I have to think about regarding the Active Directory etc.? Do the clients update their records automatically in the correct zone, or do I have to do anything else?

Thank you again.

M


Monday, June 14, 2010 4:20 PM

Hi Ace,

thank you very much for sharing your knowledge with me.

One thing still remains unclear: How do the clients register in the correct zone? Do I have to change anything on the client, or do they just register with the corresponding FQDN of their "home" domain?

Thank you,

M.


Monday, June 14, 2010 4:54 PM

Hi MaikDunker,

It's automatic. As long as the machine's Primary DNS Suffix matches the zone name, registration is not disabled on the client, and the zone allows updates, and the machine is ONLY using the correct DNS server(s) (the new ones), it will register just as it did on the old one.

Like I mentioned, make sure you don't select Secure Updates Only, or it won't register because the DC/DNS is in a different domain. After you've migrated all the workstations to the new domain, then you can select Secure Only.

Ace



Monday, June 14, 2010 5:54 PM

In addition, in case I wasn't clear, simply change the clients and the old DC to only use the new DNS server, and remove ALL other entries in the DNS settings in the NIC properties. Assuming you've also moved DHCP, make sure that DHCP Scope Option 006 only shows the new server, nothing else.

Cheers!

Ace



Monday, June 14, 2010 6:06 PM

Hello Ace,

again, thank you very much.

[quote]
Then you will have a read only copy on that DNS server.
[/quote]

So activating Unsecure and Secure updates will make the zone "writable"? Furthermore, what about the _msdcs.domainA.domain.com records? Do I have to create them manually? I haven't seen them transferred over to the new DNS and am wondering why...?

Thank you,

M.


Monday, June 14, 2010 7:51 PM

You are welcome so far.

Yes, I should have mentioned, that the _msdcs.domainA.com zone needs to be transferred, too.

Once you've transferred it and made it AD integrated, you will need to go into the domainA.com zone, and create a delegation. Right-click, new Delegation, type in "_msdcs" (without the quotes). Then for the name server, type in the new server's IP (itself).

And yes, the setting Unsecure and Secure, allows updates, which essentially means it makes it writeable.

At this point, I think we've covered everything and nothing's left out.

Ace

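As an added example (not code from the thread), the steps Ace walks through across his replies, written with the DnsServer and DhcpServer PowerShell modules; this assumes Windows Server 2012 or later and that the new DNS server is a DC in the new forest that also hosts DHCP, whereas the thread's 2003/2008 servers would use dnscmd.exe and the DNS console. Zone names are the thread's; server names, IP addresses and the DHCP scope are placeholders.

```powershell
# Added example, not from the thread. Zone names come from the thread; server
# names and addresses are placeholders. Requires the DnsServer module (2012+).
$Zone      = 'domainA.domain.com'
$MsdcsZone = "_msdcs.$Zone"
$OldDc     = '192.0.2.10'                  # remaining DC in domainA (placeholder)
$NewDns    = 'dns01.domain.domain.group'   # new DC/DNS in the new forest (placeholder)
$NewDnsIp  = '192.0.2.20'                  # placeholder

# 1. On the old DC: allow zone transfers, but only to the new server.
Invoke-Command -ComputerName $OldDc -ScriptBlock {
    foreach ($z in $using:Zone, $using:MsdcsZone) {
        Set-DnsServerPrimaryZone -Name $z -SecureSecondaries TransferToSecureServers `
                                 -SecondaryServers $using:NewDnsIp
    }
}

# 2. On the new server (run locally): pull both zones as read-only secondaries.
foreach ($z in $Zone, $MsdcsZone) {
    Add-DnsServerSecondaryZone -Name $z -ZoneFile "$z.dns" -MasterServers $OldDc
    Start-DnsServerZoneTransfer -Name $z -FullTransfer
}

# 3. Check the data arrived before cutting over; the SRV records in _msdcs are
#    what domain members use to locate the DC.
if (-not (Get-DnsServerResourceRecord -ZoneName $MsdcsZone -RRType Srv)) {
    throw "No SRV records in $MsdcsZone; do not convert yet."
}

# 4. Convert both to AD-integrated primaries (this server becomes an SOA) and,
#    as Ace says, allow nonsecure and secure updates for now: clients still in
#    the old forest cannot authenticate to this server with Kerberos.
foreach ($z in $Zone, $MsdcsZone) {
    ConvertTo-DnsServerPrimaryZone -Name $z -ReplicationScope Domain -Force
    Set-DnsServerPrimaryZone -Name $z -DynamicUpdate NonsecureAndSecure
}

# 5. Delegate _msdcs from the parent zone to this server. A delegation pointing
#    at the old DC may have come across in the transfer; replace it.
Remove-DnsServerZoneDelegation -Name $Zone -ChildZoneName '_msdcs' -Force -ErrorAction SilentlyContinue
Add-DnsServerZoneDelegation -Name $Zone -ChildZoneName '_msdcs' -NameServer $NewDns -IPAddress $NewDnsIp

# 6. Verify, then repoint DHCP scope option 006 so clients use only the new server.
$Zone, $MsdcsZone | ForEach-Object { Get-DnsServerZone -Name $_ } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
Set-DhcpServerv4OptionValue -ScopeId 192.0.2.0 -DnsServer $NewDnsIp   # placeholder scope

# 7. Once the last client is in the new domain, close the window again:
# foreach ($z in $Zone, $MsdcsZone) { Set-DnsServerPrimaryZone -Name $z -DynamicUpdate Secure }
```

While step 4's setting is in place, any host that can reach the server can overwrite records, so step 7 is part of the migration, not an optional clean-up.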