Server 2K3: replace PDC; change secondary DNS in DHCP?

xSauronx

Lifer
Jul 14, 2000
The way AD has been set up and used here at school is...nonsensical to me. I just replaced an old box (B1) (2k3, running dhcp, dns, alone in its own .local domain) with a "new" box (B3).

We have a box that has been sitting as a DC (AD). It does nothing...no dns, no dhcp, nothing. It has all of 2 other machines joined to it. I prepped B3 to replace the old box as our primary dhcp/dns box; this also runs Server 2k3.

When I prepped B3, I was told to join it to AD. Now I need to replace AD so B3 can be the PDC and AD can be decommissioned. I've never done this; here are the articles I'm looking at:

http://support.microsoft.com/kb/555549
http://forums.techarena.in/windows-2000-active-directory/991454.htm

Is anything obvious missing, and what are the gotchas here that I need to be very careful with? It seems pretty straightforward.

With B3 up, I also modified another box (B4) to act as a DHCP/DNS backup. This is *not* joined to AD (for whatever that matters). My main concern is that I need to set B4 as the secondary DNS server within my DHCP settings.

I can't find any information on how to do this. Do I have to re-make all the DHCP scopes, or is there a way to change this? Re-creating them would be a huge pain in the ass and is something that I have been able to avoid so far.
 

imagoon

Diamond Member
Feb 19, 2003
#1, running DNS on a non-AD machine will not work properly as it needs a replica of the AD DNS structure to work properly. Your second DNS machine will basically be an "outsider" which will cause many AD related functions to fail if the clients are trying to use it.

You can export the DHCP config. I have done it but I need to go look it up.

I do not see you talking at all about seizing the 5 main AD roles, so you're heading into a world of hurt.

Since your description is basic, I am going to assume the domain is pretty basic.

Approach I would take:

Join the soon to be new AD machine as a member server.
Promote it to a DC. Promote it to a general catalog.
Configure DNS so both machines are sharing with each other.
Configure DHCP to roll out that DNS config.
Wait for a while so they can sync each other.
Shutdown and export the DHCP configuration.
Deauthorize the old DHCP server.
Import the DHCP config on the new machine.
Swap the IP addresses of the new and old machine. Power them back on and verify they can talk.
After you get the all clear messages in the event log, transfer (don't seize) the 5 FSMO roles to the new machine.
Wait for the resyncs to finish.
Authorize the new dhcp server.
Run dcpromo to remove the old machine from AD.

Please note I am trying to follow your text so I might be confused.

"AD" will be running DNS, if it isn't Active Directory is broken.
If "AD" is doing nothing else, you can just transfer the 5 FSMO roles to another machine and dcpromo it out of the domain by promoting the new one in and then demoting the old one.
There really is nothing like a PDC in AD anymore. There is the PDC Emulator which is only used for Windows NT4/NT3.51 and 95 / 98. You still need to transfer the PDCE role though.
 

Nothinman

Elite Member
Sep 14, 2001
"AD" will be running DNS, if it isn't Active Directory is broken.

AFAIK that's not true. As long as the DCs have the ability to update DNS on the other server it'll be fine. It's not ideal since it'll complicate things, but it should still work.
 

imagoon

Diamond Member
Feb 19, 2003
AFAIK that's not true. As long as the DCs have the ability to update DNS on the other server it'll be fine. It's not ideal since it'll complicate things, but it should still work.

I say that because MS says so in the "generally accepted practice." You can develop very strange AD errors in cases where an AD replica is authoritative but all DNS servers it can contact are unavailable. Also in larger environments the extra DNS latency can wreck the AD performance.
 

dphantom

Diamond Member
Jan 14, 2005
I say that because MS says so in the "generally accepted practice." You can develop very strange AD errors in cases where an AD replica is authoritative but all DNS servers it can contact are unavailable. Also in larger environments the extra DNS latency can wreck the AD performance.

Many large organizations use separate DNS servers and not the AD DCs. As long as the DC can update DNS, you won't have any issues. A poorly designed DNS infrastructure regardless of what it is hosted on will give you problems.

We use Linux DNS servers and point all our DCs to them.
 

imagoon

Diamond Member
Feb 19, 2003
Many large organizations use separate DNS servers and not the AD DCs. As long as the DC can update DNS, you won't have any issues. A poorly designed DNS infrastructure regardless of what it is hosted on will give you problems.

We use Linux DNS servers and point all our DCs to them.

I haven't had a reason to try that for years. What daemon are you running; does it do all the dynamic DNS and all that? I normally push MS DNS over Linux because it integrates cleanly (without much effort), and most of the businesses I work with are small to mid-size, so there isn't much advantage to one over the other. Last time I tried it, it was a bit of a support nightmare because you had to manually add the BIND entries.

Just wondering if they resolved all that.
 

Genx87

Lifer
Apr 8, 2002
To replace a DC there are a few steps that may get you going in the right direction.

1. I always promote the new DC as a Domain Controller and a global catalog.
2. Then transfer the 5 FSMO roles. http://support.microsoft.com/kb/324801
3. Install any other roles on the new box.
4. Power down the old DC and wait for anything to happen. Verify in the event viewer everything is working on the new DC without the other DC up.
5. Once everything is working to your liking, demote the original DC via dcpromo, and clean up DNS and Sites and Services.

If you are going to have a secondary DNS I suggest joining it to the AD. And if possible have a secondary DC that can handle authentication requests if your primary is rebooting or takes a dump.
 
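The DHCP export/import and FSMO-transfer steps in imagoon's and Genx87's posts, plus the OP's question about changing the DNS servers DHCP hands out, as an added cmd.exe checklist that nobody in the thread posted; the hostnames, the 192.0.2.x addresses and the presence of the Server 2003 Support Tools (netdom, dcdiag) are assumptions.

```batch
@echo off
rem Added example for this thread, not anything posted by its participants.
rem Assumptions: Windows Server 2003 with the Support Tools installed (netdom,
rem dcdiag); hostnames and the 192.0.2.x addresses below are placeholders.
set OLD_DHCP=OLD-DC
set OLD_IP=192.0.2.5
set NEW_DHCP=B3
set NEW_IP=192.0.2.10
set DNS1=192.0.2.10
set DNS2=192.0.2.11

rem --- On the OLD server: dump every scope, option, reservation and lease to a file,
rem     copy it across, and remove the old server's authorization in AD so two
rem     servers never answer the same subnets at once.
netsh dhcp server export C:\dhcp-backup.txt all
copy C:\dhcp-backup.txt \\%NEW_DHCP%\C$\dhcp-backup.txt
netsh dhcp delete server %OLD_DHCP%.%USERDNSDOMAIN% %OLD_IP%

rem --- On the NEW server (DHCP role installed, service running): import the file.
rem     The import recreates the scopes, so nothing has to be rebuilt by hand.
netsh dhcp server import C:\dhcp-backup.txt all
netsh dhcp add server %NEW_DHCP%.%USERDNSDOMAIN% %NEW_IP%

rem --- Hand both DNS servers to clients. Option 006 at the server level covers every
rem     scope that does not set its own 006; a scope-level value wins where it exists.
netsh dhcp server set optionvalue 006 IPADDRESS %DNS1% %DNS2%
rem     For a scope that overrides it, set the value per scope instead, e.g.
rem     netsh dhcp server scope 192.0.2.0 set optionvalue 006 IPADDRESS %DNS1% %DNS2%
netsh dhcp server show optionvalue all

rem --- Before and after transferring the FSMO roles, check who holds them and that
rem     every DC agrees; a role still held by the retired box is what bites later.
netdom query fsmo
dcdiag /test:knowsofroleholders /v
dcdiag /test:fsmocheck

rem --- Confirm each DNS server carries the DCs' SRV records; this is the part AD
rem     actually depends on, whichever box or daemon serves DNS.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%USERDNSDOMAIN% %DNS1%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%USERDNSDOMAIN% %DNS2%
```

Run the OLD-server section on the box being retired and the rest on B3; if the last two lookups return no records from one server, clients pointed at it will not find a DC regardless of which DNS server is listed first.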

Nothinman

Elite Member
Sep 14, 2001
I haven't had a reason to try that for years. What daemon are you running; does it do all the dynamic DNS and all that? I normally push MS DNS over Linux because it integrates cleanly (without much effort), and most of the businesses I work with are small to mid-size, so there isn't much advantage to one over the other. Last time I tried it, it was a bit of a support nightmare because you had to manually add the BIND entries.

Just wondering if they resolved all that.

BIND has supported dynamic updates for years now. It's a little more effort, but not much if you already know BIND. I set up AD at my apt once, years ago, to test it out; I'm 99% sure it was Win2K, and I was able to set up my BIND installation to accept dynamic updates from the DC pretty easily.

Does Windows DNS support DNS views?
 

imagoon

Diamond Member
Feb 19, 2003
BIND has supported dynamic updates for years now. It's a little more effort, but not much if you already know BIND. I set up AD at my apt once, years ago, to test it out; I'm 99% sure it was Win2K, and I was able to set up my BIND installation to accept dynamic updates from the DC pretty easily.

Does Windows DNS support DNS views?

From what I can tell, they prefer split horizon. Basically 2 servers, 1 inside and 1 outside.
 

xSauronx

Lifer
Jul 14, 2000
Thanks for all the responses; I got busy and, while I've read the thread, haven't yet replied.

It is every bit as confusing and fucked-up as it may sound. AD wasn't being used, never was...but it was set up on a box serving DNS/DHCP to the campus. Literally nothing was connected to it as a member server; everyone here is done in Novell NetWare 6.5 and ZENworks Desktop Manager. That old AD box is gone.

I joined the new box to an AD server that...well, pretty much just had AD installed and a very basic DNS config and was left alone. When I was told to connect to it, the admin thought AD was running on another box that was a WSUS server.

Reading this and doing some googling has got me straightened out, to where I don't think I'll have a problem with anything now. I'll make the secondary DNS/DHCP box a DC as well (I'm the only one working on this and my time is limited).

The http://support.microsoft.com/kb/324801 link is definitely something I needed, thanks for that.

I've got backups of my DNS/DHCP stuff made in case something fouls up, and we still have the ancient box that we can use as a backup in case I have missed something and ruin everything and we need a backup box to tide us over.

In summary: thanks to everyone; almost nothing here is ever set up properly; and I'm fixing that as I can :)
 

Tsaico

Platinum Member
Oct 21, 2000
AFAIK that's not true. As long as the DCs have the ability to update DNS on the other server it'll be fine. It's not ideal since it'll complicate things, but it should still work.

AD requires DNS; there isn't any way around it. Now, you can set up a trusted zone transfer between a domain DNS and a non-domain DNS. Then you should have all the internal resolution you need, as well as the external lookups, should this one respond faster than the other. But from an administrative point of view, unless you have a specific reason to do this, why bother? Just have it be part of the domain and you can give it other roles too, like a copy of the Global Catalogue and DHCP, or whatever.

I also agree with the FSMO: be sure you transfer these roles to another server and confirm they are working before you power down or demote the old PDC. Having redundant roles (with the exception of the FSMO) is generally a good idea. I even went to a site one time where all 5 servers were DCs, complete with their own DNS, GC, and certain aspects of the same DHCP pool.

In regards to your other issues, I have had many sites that have varying levels of crap in their networks. Sometimes, it is just better to overhaul it and create a new domain and then join all the workstations over.
 

Nothinman

Elite Member
Sep 14, 2001
AD requires DNS; there isn't any way around it. Now, you can set up a trusted zone transfer between a domain DNS and a non-domain DNS. Then you should have all the internal resolution you need, as well as the external lookups, should this one respond faster than the other. But from an administrative point of view, unless you have a specific reason to do this, why bother? Just have it be part of the domain and you can give it other roles too, like a copy of the Global Catalogue and DHCP, or whatever.

I know AD requires DNS, but it doesn't require the DCs be DNS servers or even that the DNS servers be Windows. As long as the DCs can issue updates to the DNS servers to create SRV records it'll work fine no matter what OS or DNS daemon is used.