Sounding out proposed AD DNS config


news.microsoft.com

I'd just like to run this by some of you fine people that have been working
with AD *and* DNS. I'd like some feedback on whether anyone can see any
issues with this setup.

We currently have an NT4 domain that we're about to do an in-place upgrade
to Server 2003. All clients are XP clients and reside in this NT4 domain. We
have another AD 2000 domain that hosts 2 DNS servers that all XP clients use
for DNS.

We will upgrade this NT4 domain, install DNS and AD and integrate the DNS
info into AD. We have 2 domain controllers. We will configure the DNS
servers in the 2000 AD domain with secondary zone records for the account
domain the XP workstations live in.

We've tested this setup in a lab, and it seems to work. Can anyone see any
problems with this? Perhaps a problem with dynamic dns updates? A penny for
your thoughts.

Thanks

Rowley
 
news.microsoft.com said:
> I'd just like to run this by some of you fine people that have been
> working with AD *and* DNS. I'd like some feedback on whether anyone
> can see any issues with this setup.
>
> We currently have an NT4 domain that we're about to do an in-place
> upgrade to Server 2003. All clients are XP clients and reside in this
> NT4 domain. We have another AD 2000 domain that hosts 2 DNS servers
> that all XP clients use for DNS.
>
> We will upgrade this NT4 domain, install DNS and AD and integrate the
> DNS info into AD. We have 2 domain controllers. We will configure the
> DNS servers in the 2000 AD domain with secondary zone records for the
> account domain the XP workstations live in.
>
> We've tested this setup in a lab, and it seems to work. Can anyone
> see any problems with this? Perhaps a problem with dynamic dns
> updates? A penny for your thoughts.
>
> Thanks
>
> Rowley

The NT4 domain you are upgrading, will it be a child domain or a new tree
under the current AD domain that exists or a completely separate Forest?
That has a big bearing on your proposal.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
It will be a new tree. The other AD domain will be decommissioned soon after
the upgrade.

R

 
news.microsoft.com said:
> It will be a new tree. The other AD domain will be decommissioned
> soon after the upgrade.

If it's a new tree in the current (existing) forest, then the new DC that
will be created in the new tree needs to use the existing DNS server in the
existing Forest root domain in order to establish contact and find the
current resources and services. Once you get the new tree up and going,
please be aware the Forest Roles need to be transferred to the new DCs in
the new tree.

Any reason you need a new tree in your existing forest? If you are migrating
the users into it, it may be prudent to establish a new domain in a new tree
in a brand new forest.

Ace
 
news.microsoft.com said:
> It will be a new tree. The other AD domain will be decommissioned
> soon after the upgrade.
>
> R

In addition, the GC roles need to be moved over.

How about this, install a pristine new Forest, use the ADMT tool to migrate
your users, computers, groups, and other resources, into the new domain.
Using SID History, ADMT will create the new user accounts keeping the old
SID so they can access the old domain's resources until it's decommissioned.
ADMT will, in conjunction with the SID History, translate security on the
client machines so the new user accounts will be able to use their old
profiles.

Ace
 
Thanks for your input Ace.

My mistake, still getting used to the lingo - we are installing a new forest
by upgrading our existing NT4 account domain.

Yep, we would've loved a pristine forest, unfortunately our department
hasn't the time or resources to make this happen, hence the upgrade. The
existing forest is there purely because we purchased a product, had it
running in our NT4 environment for a while then discovered it was much
easier to manage with AD, so we created this forest for this purpose only
and established some trusts. It will shortly be decommissioned. Clients that
use the DNS on these servers are not members of any domain in this forest,
they purely use it to resolve local and www dns zones.

We did the upgrade in the early hours of yesterday am. We upgraded our PDC,
installed DNS and AD and then XFER'd the domain as a secondary to our
existing DNS servers which were located in our existing (and temporary) AD
environment. This seems to be working rather well, with no apparent issues,
clients are logging on without issue; we are also getting correct dynamic
registration of client DNS records too which is nice. It appears that
clients only try to register dynamically with the nameservers listed in the
SOA and no others.

So far so good. We can now take our time removing this AD resource domain
and bringing the services into our recently upgraded forest.

Regards

Rowley
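
The setup Rowley describes (an AD-integrated primary on the upgraded DC, secondaries on the old forest's DNS servers, clients registering against the SOA primary) has two settings worth verifying rather than assuming. The following PowerShell is an added example, not part of this thread and not the 2003-era tooling Rowley used: it assumes the DnsServer module on a current Windows Server, and the zone name and secondary IP addresses are placeholders. It confirms that the primary accepts only secure (Kerberos-authenticated) dynamic updates, that zone transfers are limited to the listed secondaries, and that each secondary's SOA serial and primary-server name match what the new DC serves.

```powershell
# Added example, not from the thread. Assumes the DnsServer module (Windows Server 2012+)
# and is run on the new AD-integrated DC. Zone name and secondary IPs are placeholders.
$ZoneName    = 'corp.example'                 # placeholder: the upgraded account domain
$Secondaries = @('10.0.0.11', '10.0.0.12')    # placeholder: DNS servers in the old forest

$zone = Get-DnsServerZone -Name $ZoneName

# 1. Dynamic updates: only authenticated clients should be able to write records.
#    'NonsecureAndSecure' lets any host on the network overwrite another machine's A record.
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $ZoneName allows '$($zone.DynamicUpdate)' dynamic updates; setting to Secure"
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

# 2. Zone transfers: the secondaries need AXFR/IXFR, nobody else does.
#    Restrict transfers to an explicit list instead of 'TransferAnyServer'.
if ($zone.SecureSecondaries -ne 'TransferToSecureServers') {
    Write-Warning "Zone $ZoneName transfer policy is '$($zone.SecureSecondaries)'; restricting to listed secondaries"
    Set-DnsServerPrimaryZone -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $Secondaries
}

# 3. Sync check: compare the SOA each secondary serves with the primary's own.
#    Clients register against the SOA primary (MNAME), so PrimaryServer should name the
#    new DC, and the serials should match once the transfer has completed.
$primary = Resolve-DnsName -Name $ZoneName -Type SOA -Server '127.0.0.1' |
           Where-Object Type -eq 'SOA'

foreach ($server in $Secondaries) {
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $server |
           Where-Object Type -eq 'SOA'
    [pscustomobject]@{
        Server        = $server
        PrimaryServer = $soa.PrimaryServer
        Serial        = $soa.SerialNumber
        InSync        = ($soa.SerialNumber -eq $primary.SerialNumber)
    }
}
```

Run it from an elevated session on the new DC. A secondary that reports a different PrimaryServer or a lagging serial means clients are being pointed at, or answered by, stale data; fix the transfer before decommissioning the old forest's servers.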



 
news.microsoft.com said:
> Thanks for your input Ace.
>
> My mistake, still getting used to the lingo - we are installing a new
> forest by upgrading our existing NT4 account domain.
>
> Yep, we would've loved a pristine forest, unfortunately our department
> hasn't the time or resources to make this happen, hence the upgrade.
> The existing forest is there purely because we purchased a product,
> had it running in our NT4 environment for a while then discovered it
> was much easier to manage with AD, so we created this forest for this
> purpose only and established some trusts. It will shortly be
> decommissioned. Clients that use the DNS on these servers are not
> members of any domain in this forest, they purely use it to resolve
> local and www dns zones.
>
> We did the upgrade in the early hours of yesterday am. We upgraded
> our PDC, installed DNS and AD and then XFER'd the domain as a
> secondary to our existing DNS servers which were located in our
> existing (and temporary) AD environment. This seems to be working
> rather well, with no apparent issues, clients are logging on without
> issue; we are also getting correct dynamic registration of client DNS
> records too which is nice. It appears that clients only try to
> register dynamically with the nameservers listed in the SOA and no
> others.
>
> So far so good. We can now take our time removing this AD resource
> domain and bringing the services into our recently upgraded forest.
>
> Regards
>
> Rowley

Yes, lingo does help, and can lead to miscommunication. However, it's
excellent to hear you came up with a plan and executed it without any
problems.

Cheers!

Ace
 