Setup a new 2003 DNS in a mixed mode of 2000 and NT4

Guest

Hi, I'm setting up a new Domain Controller, the first Windows 2003 Enterprise
server. I want to load DNS on this machine; we believe that there may be
issues with the current DNS, so we are trying to build it fresh. But won't I
inherit the same issues if I install this new server in the domain as a DC
with AD and DNS and install a secondary zone? If I install a secondary zone, will I
be able to convert it to primary later? Point being, what is the best way to
put up the 1st 2003 Enterprise server with DNS in a mixed mode network, and
will it mess anything up? Please help. Thanks!!
 
FYI: Mixed mode is not a DNS issue.

Also "mixed mode" is a technical term that ONLY refers
to the AD and the Domain Controllers -- it has practically
nothing to do with client machines that run older operating
systems, or even with servers which are not DCs.

Mixed mode means you have NT BDCs in your domain (or
at least still have the option to install such) and native mode
both removes that option and increases the capabilities or
features of AD.

PBJ said:
Hi, I'm setting up a new Domain Controller, the first Windows 2003 Enterprise
server. I want to load DNS on this machine; we believe that there may be
issues with the current DNS, so we are trying to build it fresh.

?

DNS is not that complicated so unless there is some
other reason, it usually makes more sense to just fix
the configuration errors.
But won't I
inherit the same issues if I install this new server in the domain as a DC
with AD and DNS and install a secondary zone?

Well, you will be copying the zone from another (the other) DNS
so you will be copying the good and the bad from the master.

Secondary DNS servers:
Secondary DNS servers (for a zone) copy the zone (all of the
resource records) from another DNS server that holds that
same zone.
If I install a secondary zone, will I
be able to convert it to primary later?

Yes, it's trivial in the GUI.
Point being, what is the best way to
put up the 1st 2003 Enterprise server with DNS in a mixed mode network, and
will it mess anything up? Please help. Thanks!!

Install Win2003 on a Server, DCPromo (.exe or dialog box) the machine
to become the first DC.

It will ask you if you need a DNS server if it cannot find your
existing DNS server. This MUST be a dynamic Zone.


General DNS setup for AD:

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
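The three rules above (dynamic zone, every client including the DCs pointing only at the internal DNS, restart NetLogon after a change) can be checked from a DC in one script. This is an added example, not something any poster in the thread provided; it assumes Windows Server 2012 or later (the DnsClient module, so not the 2003 box itself), and $InternalDns and $AdDomain are placeholders you replace with your own server list and AD DNS name.

```powershell
# Added example (not from the thread): audit a DC's DNS client settings against
# the "General DNS setup for AD" rules and confirm the records a DC registers
# through dynamic update actually resolve. Assumes Windows Server 2012+.
param(
    [string[]] $InternalDns = @('10.0.0.10', '10.0.0.11'),   # placeholder: your internal, dynamic DNS servers
    [string]   $AdDomain    = 'corp.example.local'            # placeholder: your AD DNS domain name
)

function Test-AdDnsClientConfig {
    param([string[]] $Internal, [string] $Domain)
    $problems = @()

    # Rules 2 and 3: every IPv4 DNS server on every adapter that has one must be
    # in the internal list. An ISP or other external resolver here is the classic
    # cause of "DNS issues" on a DC.
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($a in $adapters) {
        $foreign = $a.ServerAddresses | Where-Object { $Internal -notcontains $_ }
        if ($foreign) {
            $problems += "Adapter '$($a.InterfaceAlias)' points at non-internal DNS: $($foreign -join ', ')"
        }
    }

    # Rule 1: a zone that accepts dynamic updates will contain the SRV records the
    # DCs register via NetLogon. If these are missing, either the zone is static
    # or the DC is registering against the wrong server.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain"
    )
    foreach ($name in $srvNames) {
        try {
            $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
            $targets = ($rec | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
            Write-Host "OK   $name -> $targets"
        } catch {
            $problems += "SRV record missing or unresolvable: $name ($($_.Exception.Message))"
        }
    }
    return $problems
}

$problems = Test-AdDnsClientConfig -Internal $InternalDns -Domain $AdDomain
if ($problems.Count -eq 0) {
    Write-Host "DNS client configuration is consistent with the AD rules."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    # As the thread says: after correcting a DC's DNS client settings, restart
    # NetLogon so the DC re-registers its records. Uncomment once the settings
    # reported above have been fixed.
    # Restart-Service -Name NetLogon
    # ipconfig /registerdns
}
```

Run it on each DC and each DNS server; the point of rule 3 is that the servers are audited as clients just like workstations are.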
 
PBJ said:
Hi, I'm setting up a new Domain Controller, the first
Windows 2003 Enterprise server. I want to load DNS on
this machine; we believe that there may be issues with the
current DNS, so we are trying to build it fresh. But
won't I inherit the same issues if I install this new
server in the domain as a DC with AD and DNS and install
a secondary zone? If I install a secondary zone, will I be able
to convert it to primary later? Point being, what is the
best way to put up the 1st 2003 Enterprise server with
DNS in a mixed mode network, and will it mess anything up?
Please help. Thanks!!

What are the issues you are having?
Is it really a DNS issue, or is it an AD domain name issue?

Because you are correct, if the issue is caused by the AD domain name, then
you will still have the issue. It would help if you would say what the
issues are and what you are trying to achieve.
 
Install Win2003 on a Server, DCPromo (.exe or dialog box) the machine
to become the first DC.

If I say it is the first DC, what will happen to all my AD users, groups and
group policy stuff?
 
Thanks Kevin, the issue is that we have a Windows 2000 Domain offsite; they
are connected to us via T1 but on a different subnet. Here on site we have a
mixed mode domain; we have 2 Win 2000 DCs plus NT4 servers. We cannot create
a trust between these 2 domains. They are 2 totally different domains and not
a child domain. We've looked at the firewall settings to make sure all
particular ports that need to be used between the 2 networks are open. At one
point we were able to see their domain and we don't know how we all of a
sudden lost it.
Is this DNS related, or what else can we look at? Thanks.
 
If I say it is the first DC, what will happen to all my AD users, groups and
group policy stuff?

If it's the first DC it can't be in the same domain as the existing
DCs (or PDC on an NT domain). It would be a new domain. That means
it doesn't get any users or groups or anything until you either add
them or migrate them using ADMT.

These aren't DNS issues, these are domain and networking issues, and
something you need to straighten out before you even think about DNS.

Jeff
 
Hi, I'm setting up a new Domain Controller, the first Windows 2003 Enterprise
server. I want to load DNS on this machine; we believe that there may be
issues with the current DNS, so we are trying to build it fresh.

Fix your "issues" first, then add a new DC. Unless you're moving to a
brand new domain, you can't "fix" DNS by adding a new DC with AD
integrated DNS.
But won't I
inherit the same issues if I install this new server in the domain as a DC
with AD and DNS and install a secondary zone?

If it's a DC in a new domain, then you inherit nothing. The secondary
zone won't be AD integrated, so it too can't have issues. And if
you're just adding a DC to the domain in AD integrated, why are you
dealing with a secondary?
If I install a secondary zone, will I
be able to convert it to primary later?

Always, and even back again.
Point being what is the best way to
put up the 1st 2003 Enterprise server with DNS in a mixed mode network and
will it mess anything up?

Mixed mode isn't a DNS issue. Do you have an Active Directory domain
currently? If not, and you're moving to one, then look at server
migration and upgrades in a server group, and don't worry about DNS at
this point. It sounds like you're very confused and concerned about
your DNS when you are facing bigger issues that you either don't
realize or don't understand.

So, do you currently have a W2K AD domain? If not, is it an NT
domain? And if you don't have AD now, is this your attempt to move to
AD?

Jeff
 
I have a Windows 2000 Active Directory domain, with some NT 4 servers. Read
my reply to Kevin which tells you the issue I'm having with trust
relationships to another domain. I don't personally believe it is a DNS issue
or an AD issue. I don't know what the issue is with the trusts; my boss
believes it is a DNS issue for some reason or another.
 
PBJ said:
Thanks Kevin, the issue is that we have a Windows 2000
Domain offsite; they are connected to us via T1 but on a
different subnet. Here on site we have a mixed mode
domain; we have 2 Win 2000 DCs plus NT4 servers. We
cannot create a trust between these 2 domains. They are 2
totally different domains and not a child domain. We've
looked at the firewall settings to make sure all
particular ports that need to be used between the 2
networks are open. At one point we were able to see their
domain and we don't know how we all of a sudden lost it.
Is this DNS related, or what else can we look at? Thanks.


When you say "See" do you mean as in Network Places?
Are you using WINS?

Instead of opening ports in the firewall between these Networks configure a
VPN connection between them. This way the only port you need open in the
firewall is the VPN port.
 
PBJ said:
If I say it is the first DC, what will happen to all my AD users, groups and
group policy stuff?

If it IS THE FIRST DC, then you don't have any AD users etc.

If you have AD users you already have AD and at least one
DC.

Installing another DC will either make it an additional
(not first) DC in the existing domain, or create a new
domain which will have NO effect on the existing users etc.

It will neither harm nor help those existing users (ignoring
Forest considerations.)
 
Thanks Kevin, the issue is that we have a Windows 2000 Domain offsite; they
are connected to us via T1 but on a different subnet. Here on site we have a
mixed mode domain; we have 2 Win 2000 DCs plus NT4 servers. We cannot create
a trust between these 2 domains. They are 2 totally different domains and not
a child domain. We've looked at the firewall settings to make sure all
particular ports that need to be used between the 2 networks are open. At one
point we were able to see their domain and we don't know how we all of a
sudden lost it.
Is this DNS related, or what else can we look at? Thanks.

You cannot create a trust because of a technical issue, or you cannot
create a trust because of a company policy?

Do you have valid NetBIOS name resolution for the domain controllers,
either through WINS or a properly configured LMHosts file? And are
NetBIOS ports allowed between the networks through the firewalls?

Jeff
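Jeff's two questions (NetBIOS name resolution for the other domain's DCs, and NetBIOS ports through the firewall) can be answered from the local DC before touching the trust wizard again. The script below is an added example, not from anyone in this thread; it assumes Windows Server 2012 or later on the machine you run it from, and $RemoteDc and $RemoteDomain are placeholders for the other site's DC address and NetBIOS domain name. The TCP port list is the standard set a trust and logon traffic use, not the list from the knowledge base article PBJ refers to.

```powershell
# Added example (not from the thread): prerequisite checks before creating a
# trust with a DC in another domain across a routed link. Assumes Windows
# Server 2012 or later, run as a domain admin.
param(
    [string] $RemoteDc     = '192.0.2.10',   # placeholder: IP of a DC in the other domain
    [string] $RemoteDomain = 'OTHERDOM'      # placeholder: NetBIOS name of the other domain
)

function Test-TrustPrerequisites {
    param([string] $Dc, [string] $Domain)
    $report = [ordered]@{}

    # 1. Remote NetBIOS name table, queried by IP over UDP 137. A <1C> GROUP entry
    #    for the domain means that host advertises itself as a DC for it. Querying
    #    by IP separates "NetBIOS is reachable at all" from "the name resolves",
    #    which on a routed link needs WINS or LMHOSTS, since broadcasts stop at
    #    the router.
    $nbt = nbtstat -A $Dc 2>&1 | Out-String
    $report['NetBIOS reachable (UDP 137)'] = ($nbt -notmatch 'Host not found')
    $report['Domain <1C> registered']      = ($nbt -match "$Domain\s+<1C>\s+GROUP")

    # 2. Name resolution the way the trust wizard does it: the DC locator must be
    #    able to find a DC for the remote domain by name. "Domain cannot be
    #    contacted" in the wizard corresponds to this step failing.
    $dsgetdc = nltest /dsgetdc:$Domain 2>&1 | Out-String
    $report['DC locator finds remote domain'] = ($dsgetdc -match 'The command completed successfully')

    # 3. TCP ports the trust needs on the remote DC. UDP (137/138, and Kerberos or
    #    LDAP over UDP) cannot be probed with Test-NetConnection; step 1 already
    #    exercised UDP 137.
    $tcpPorts = [ordered]@{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'; 389 = 'LDAP'; 445 = 'SMB' }
    foreach ($p in $tcpPorts.Keys) {
        $ok = (Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        $report["TCP $p ($($tcpPorts[$p]))"] = [bool] $ok
    }
    return $report
}

$result = Test-TrustPrerequisites -Dc $RemoteDc -Domain $RemoteDomain
$result.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

If step 1 passes but step 2 fails, the firewall is fine and the problem is name resolution, which is exactly the WINS/LMHOSTS question raised later in the thread; if step 1 fails, fix the network path first.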
 
Yes, I am talking about seeing it in Network Places; I can ping them by IP.
When we try to do a trust it does not see it. It says the domain cannot be
contacted and will be installed as a non-Windows trust.
No, we do not have WINS; do we have to?
 
PBJ said:
Yes, I am talking about seeing it in Network Places; I can ping them by IP.
When we try to do a trust it does not see it. It says the domain cannot be
contacted and will be installed as a non-Windows trust.
No, we do not have WINS; do we have to?

Yes...

If you have Windows on an IP network with more than
one subnet (i.e., with routers).
 
PBJ said:
Yes, I am talking about seeing it in Network Places; I can
ping them by IP. When we try to do a trust it does not
see it. It says the domain cannot be contacted and will
be installed as a non-Windows trust.
No, we do not have WINS; do we have to?

WINS is the easiest IMO; WINS is less work than LMHosts. If you use LMHosts then
someone is going to have to keep them current. You cannot rely on NetBIOS
broadcasts because you have multiple subnets and NetBIOS broadcasts don't
cross routers.
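For the LMHOSTS route Kevin describes, this is what the maintenance burden looks like in practice: the remote DCs have to be listed with the #PRE and #DOM: keywords so they are preloaded into the NetBIOS name cache and registered under the domain's <1C> group name, then the cache reloaded. This is an added example, not from the thread; it must run as Administrator, and the IPs, host names and domain name are constructed placeholders.

```powershell
# Added example (not from the thread): populate LMHOSTS with the other domain's
# DCs as the WINS alternative, then reload and verify the NetBIOS name cache.
# Requires an elevated prompt (the file lives under System32). The entries are
# constructed placeholders; replace them with the remote DCs and domain.
$entries = @(
    @{ Ip = '192.0.2.10'; Host = 'RDC01'; Domain = 'OTHERDOM' },
    @{ Ip = '192.0.2.11'; Host = 'RDC02'; Domain = 'OTHERDOM' }
)
$lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'

function Write-LmhostsDomainEntries {
    param([string] $Path, [hashtable[]] $Dcs)

    # #PRE preloads the entry into the cache at startup or on "nbtstat -R";
    # #DOM:<domain> additionally registers the host under the domain's <1C>
    # group, which is what trust creation and domain logon look up. The
    # keywords are case sensitive and must follow the host name.
    $new = foreach ($e in $Dcs) {
        '{0,-16} {1,-16} #PRE #DOM:{2}' -f $e.Ip, $e.Host, $e.Domain
    }

    # Keep whatever else is in the file, but drop stale lines for the same
    # domain so a DC that was replaced does not linger in the cache.
    $domain = $Dcs[0].Domain
    $keep = if (Test-Path $Path) {
        Get-Content $Path | Where-Object { $_ -notmatch "#DOM:$domain\b" }
    } else { @() }

    # LMHOSTS is read as plain ASCII; a Unicode BOM would break the first line.
    Set-Content -Path $Path -Value ($keep + $new) -Encoding ASCII
    return $new
}

$written = Write-LmhostsDomainEntries -Path $lmhosts -Dcs $entries
$written | ForEach-Object { Write-Host "added: $_" }

# Purge the NetBIOS cache and reload the #PRE entries, then list the cache so
# the domain's <1C> entry can be confirmed before retrying the trust.
nbtstat -R | Out-Null
nbtstat -c
```

"Enable LMHOSTS lookup" on the WINS tab of the adapter's TCP/IP properties must be on (it is by default), and the same file has to be maintained on every machine that needs to find the remote domain, which is Kevin's point about WINS being less work.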
 
We opened all of the ports that were in this TID# 179442
But I noticed from the FW logs that the NetBios broadcasts were not allowed.
 
We opened all of the ports that were in this TID# 179442
But I noticed from the FW logs that the NetBios broadcasts were not allowed.

Many firewalls won't pass NetBIOS broadcasts even if you open NetBIOS
ports for communication. NetBIOS broadcasts include broadcast
resolution of names as well as WINS broadcasts, so if you have an issue
involving the name resolution, allowing NetBIOS broadcasts through
your firewall may help. But it also sends traffic across zones that
may be unneeded, as well as containing information about your network.

Jeff
 
Jeff Cochran said:
allowed.

Many firewalls won't pass NetBIOS broadcasts even if you open NetBIOS
ports for communication. NetBIOS broadcasts include broadcast
resolution of names as well as WINS broadcasts, so if you have an issue
involving the name resolution, allowing NetBIOS broadcasts through
your firewall may help. But it also sends traffic across zones that
may be unneeded, as well as containing information about your network.

Almost no firewalls will pass NetBIOS broadcasts since
most firewalls are implemented on some type of ROUTER
and routers pass NO broadcasts by default.

So this is true, even of non-firewall routers within a network.
 
Almost no firewalls will pass NetBIOS broadcasts since
most firewalls are implemented on some type of ROUTER
and routers pass NO broadcasts by default.

So this is true, even of non-firewall routers within a network.

Most enterprise-level firewalls allow some sort of NetBIOS broadcast
transfer. NetBIOS doesn't route, but that doesn't mean it can't be
passed by a device that routes. :)

Jeff
 
Most enterprise-level firewalls allow some sort of NetBIOS broadcast
transfer. NetBIOS doesn't route, but that doesn't mean it can't be
passed by a device that routes. :)

True of many serious routers but the above is of
course why I qualified just about all of this
discussion with "by default."

Also note that if you do this, you essentially
turn your network into a single "subnet" for
NetBIOS purposes -- technically it is a single
broadcast domain, and you will only have one
Master Browser, so it will be functionally
equivalent to one net and remove the requirement
for the WINS servers.

It is also a poor (not terrible) practice to open
such broadcasts.
 