dns settings during an in-place upgrade

NetGear

Hi,

I'm going to upgrade our NT domain to Windows 2000. Should I empty the dns
settings of the server that will be upgraded before I upgrade the server to
Windows 2000 AD? Or can I leave them to point our current dns server which
is Windows NT and change them just after the upgrade process?

What about my backup domain controllers and member servers. Should their
primary dns server settings point to the new AD ddns server before I upgrade
the primary domain controller that will be our new dns server or can I make
the change after I see that everything works fine?
 
Herb Martin

I'm going to upgrade our NT domain to Windows 2000. Should I empty the dns
settings of the server that will be upgraded before I upgrade the server to
Windows 2000 AD? Or can I leave them to point our current dns server which
is Windows NT and change them just after the upgrade process?

No, you should not empty them but rather point them to your Dynamic DNS --
if this is going to become your FIRST Dynamic DNS server (e.g., first Win2000)
then point the client NIC DNS Server at itself -- will upgrade the DNS
server on the same box.

If you don't have a DNS server on this box, you could empty this value but I
don't think it matters as DCPromo usually asks if you wish to add the DNS
but I would prefer putting DNS on this server so that it can be first a
Secondary to your current, then switch and take over the Primary, then
upgrade using DCPromo.

What about my backup domain controllers and member servers. Should their
primary dns server settings point to the new AD ddns server before I upgrade
the primary domain controller that will be our new dns server or can I make
the change after I see that everything works fine?

Make the PDC (you are upgrading the PDC, right? -- It is the ONLY machine
that can upgrade the domain) a DNS server, change it to primary. Point the
other DNS servers for the zone to it as Secondaries. Then DCPromo the
PDC/DNS primary.

Sooner or later they must point to the DYNAMIC ZONE (not necessarily a
specific server.)

All internal servers and clients need to point to the Dynamic DNS zone
server set that supports the Domain.
 
Herb Martin

"Ace Fekay [MVP]"
Just to add to Herb's reply, NT4 DNS *cannot* support Active Directory's SRV
requirements. Need to retire that guy.

Nope, that's incorrect. NT4 can support the SRV requirement to be
a Secondary for Win2000+ Domains -- it cannot support the dynamic
updates normally required of the primary.

Both NT 4 and BIND 4.9.2+ can act as secondaries.
 
Herb Martin

Both NT 4 and BIND 4.9.2+ can act as secondaries.
Herb, not quite sure where you get your information from, but NO, it cannot
support AD's requirements for SRVs.

It's CLEARLY stated here that NT40's DNS DOES NOT SUPPORT ACTIVE DIRECTORY's
SRV REQUIREMENTS. I thought we had this conversation in the past???

Not that I recall -- because I would have given you a reference....

You never tried it right? (I did presume that everyone ran NT4 with all
service packs however.)
http://support.microsoft.com/?kbid=203009

NT 4 SP4+ support SRV records as a secondary.
 
Ace Fekay [MVP]

Just to add to Herb's reply, NT4 DNS *cannot* support Active Directory's SRV
requirements. Need to retire that guy.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

In
Herb Martin said:
"Ace Fekay [MVP]"


Nope, that's incorrect. NT4 can support the SRV requirement to be
a Secondary for Win2000+ Domains -- it cannot support the dynamic
updates normally required of the primary.

Both NT 4 and BIND 4.9.2+ can act as secondaries.

Herb, not quite sure where you get your information from, but NO, it cannot
support AD's requirements for SRVs.

It's CLEARLY stated here that NT40's DNS DOES NOT SUPPORT ACTIVE DIRECTORY's
SRV REQUIREMENTS. I thought we had this conversation in the past???

http://support.microsoft.com/default.aspx?scid=kb;EN-US;237675


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

Sure, the article mentions that it supports it as a secondary and NT4 SP4
removes the error. But as far as supporting the look ups from clients, I

It's not a secondary unless it supports lookups.
haven't tried it, nor have I seen any documentation supporting using an NT4
DNS as a secondary for AD clients, and nor have I tried it. Curious, have
you?

Yes. With service packs NT4 works fine as a Secondary.

By the time Win2000 Released, all of my NT machines were running
SP5 or SP6a.
 
Ace Fekay [MVP]

In
Herb Martin said:
Not that I recall -- because I would have given you a reference....

Tried to search for it, but couldn't find the thread.
You never tried it right? (I did presume that everyone ran NT4 with
all service packs however.)
http://support.microsoft.com/?kbid=203009

NT 4 SP4+ support SRV records as a secondary.

Sure, the article mentions that it supports it as a secondary and NT4 SP4
removes the error. But as far as supporting the look ups from clients, I
haven't tried it, nor have I seen any documentation supporting using an NT4
DNS as a secondary for AD clients, and nor have I tried it. Curious, have
you?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
NetGear

Make the PDC (you are upgrading the PDC, right? -- It is the ONLY machine
that can upgrade the domain) a DNS server, change it to primary. Point the
other DNS servers for the zone to it as Secondaries. Then DCPromo the
PDC/DNS primary.

Thank you for your response. If I install and configure the dns service to
the PDC before the upgrade process, the dcpromo says that could not
configure the zone because one already exists. That can be fixed by stopping
and restarting the netlogon and dns services in my Windows 2000 domain
controller. Then it writes the SRV records to the zone file, but in the zone
properties I can not find the option to "Allow only secure updates" Only YES
and NO options exist there.

But wouldn't it work if I make the things in following order?

1. Promote the BDC server that will be upgraded to PDC
2. Point its primary dns server address to itself
3. Upgrade the server to Windows 2000
4. Run dcpromo and after successful dcpromo process change the backup domain
controllers and member servers primary dns address to point to the new AD
dns server and add them a dns suffix that corresponds to our domainname. And
of course add static records to the AD DNS server for them. Their secondary
dns server address will still point to our current NT dns server for a
while. I'm going to install a BIND name server to be our secondary dns
server.

I'm going to leave our current NT dns service to serve our remote access
clients that do not log on to our domain.
 
Herb Martin

Thank you for your response. If I install and configure the dns service to
the PDC before the upgrade process, the dcpromo says that could not
configure the zone because one already exists. That can be fixed by stopping
and restarting the netlogon and dns services in my Windows 2000 domain
controller. Then it writes the SRV records to the zone file, but in the zone
properties I can not find the option to "Allow only secure updates" Only YES
and NO options exist there.

Those are the only choices for a Primary -- (afterwards) you can later
change to AD Integrated to get the "secure choice."

But wouldn't it work if I make the things in following order?

1. Promote the BDC server that will be upgraded to PDC

Sure but everything above now applies to the NEW PDC (old BDC)

2. Point its primary dns server address to itself
3. Upgrade the server to Windows 2000
4. Run dcpromo and after successful dcpromo process change the backup domain
controllers and member servers primary dns address to point to the new AD
dns server and add them a dns suffix that corresponds to our domainname. And
of course add static records to the AD DNS server for them. Their secondary
dns server address will still point to our current NT dns server for a
while. I'm going to install a BIND name server to be our secondary dns
server.

You could also promote a PDC with NO DNS (temporarily), and none in the
NIC properties and DCPromo is then smart enough to figure you NEED DNS
and offer to install it -- you will have a "split" zone (for a few minutes)
but only the DC is affected.

As soon as you "get the DC up" you can do a (weird) switch:
Make this DNS a secondary (you lose your AD records)
DNS zone transfer from primary DNS
Reverse roles: Primary <--> Secondary
Make Primary (on new DC) Dynamic
Restart NetLogon Service

That last is the main trick to know -- no matter how bad you (or DCPromo)
messes up the DNS you can always fix it then restart "NetLogon" to get the
new AD DNS subdomains and records. (Do that before you try to make
any more DCs.)
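
A way to confirm that the NetLogon restart described above actually repopulated the zone, as an added example that is not part of the original thread: it scans zone-file text for a subset of the SRV records the first Windows 2000 domain controller registers and lists the ones still missing. The domain `example.local`, the host `dc1` and both sample zones are constructed placeholders.

```python
import re

# Subset of the SRV owner names (relative to the AD DNS domain) that the first
# Windows 2000 DC registers through NetLogon, with the port each advertises.
DC_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88,
          "_ldap._tcp.dc._msdcs": 389, "_kerberos._tcp.dc._msdcs": 88,
          "_ldap._tcp.pdc._msdcs": 389}

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)", re.IGNORECASE)

def fqdn(name, zone):
    """Lower-case a name and qualify it with the zone if it is relative."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{zone.lower().rstrip('.')}."

def parse_srv(zone_text, zone):
    """Return {(owner, port, target)} for every SRV line that names its owner."""
    records = set()
    for raw in zone_text.splitlines():
        m = SRV_LINE.match(raw.split(";", 1)[0])  # drop trailing comments
        if m:
            records.add((fqdn(m["owner"], zone), int(m["port"]),
                         fqdn(m["target"], zone)))
    return records

def missing_dc_records(zone_text, zone, dc_host):
    """List the expected SRV owners that do not point at dc_host."""
    have, dc = parse_srv(zone_text, zone), fqdn(dc_host, zone)
    return sorted(owner for owner, port in DC_SRV.items()
                  if (fqdn(owner, zone), port, dc) not in have)

# Constructed sample zones for the placeholder domain example.local.
ZONE_BEFORE = """\
dc1  IN A   192.0.2.10
_ldap._tcp 600 IN SRV 0 100 389 dc1.example.local.
"""
ZONE_AFTER = ZONE_BEFORE + """\
_kerberos._tcp 600 IN SRV 0 100 88 dc1.example.local.
_ldap._tcp.dc._msdcs 600 IN SRV 0 100 389 dc1
_kerberos._tcp.dc._msdcs.example.local. 600 SRV 0 100 88 dc1.example.local.
_ldap._tcp.pdc._msdcs 600 IN SRV 0 100 389 dc1.example.local.
"""

if __name__ == "__main__":
    print("before restart:", missing_dc_records(ZONE_BEFORE, "example.local", "dc1"))
    print("after restart: ", missing_dc_records(ZONE_AFTER, "example.local", "dc1"))
```

An empty list for the post-restart zone means every record in the checked subset points at the new DC; any owner still listed is a reason to fix the zone and restart NetLogon again before promoting further DCs.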
 
NetGear

You could also promote a PDC with NO DNS (temporarily), and none in the
NIC properties and DCPromo is then smart enough to figure you NEED DNS
and offer to install it -- you will have a "split" zone (for a few minutes)
but only the DC is affected.

Does it really harm anything that I have split zone because all of the
clients and servers that participate the domain will use the W2K server dns
service as their primary? Also the NT server that has dns service running
for our remote access clients. There are about 10 hosts in our Windows NT
internal dns zone. As you can see we have had very deep confidence to
netbios name services ;)
 
Herb Martin

Does it really harm anything that I have split zone because all of the
clients and servers that participate the domain will use the W2K server dns
service as their primary?

Split zones matter -- when you need them and when you don't intend them.
When you need them to form a Shadow zone to publish external resources
on the Internet, and to hide internal resources from outsiders they are
very good.

When you have a zone split accidentally where the DNS server set either
has different info or isn't replicating successfully that is bad.

Primary is a TYPE of server-zone (only server that makes changes)

Clients configure DNS server "preferences." The terms are confusing
enough without swapping them.

All internal machines should configure the internal DNS server (set.)

Also the NT server that has dns service running
for our remote access clients. There are about 10 hosts in our Windows NT
internal dns zone. As you can see we have had very deep confidence to
netbios name services ;)

NetBios is fine and even still necessary -- most complaints about it are due
to administrator incompetence or ignorance. Most people never see the
REAL limitations of NetBIOS (large networks, many WINS servers, etc.)

If you are using that "remote access DNS" similar to a "public DNS" then
splitting MAY make sense -- but realize that typically ALL manual external
changes must be repeated by you manually on the internal DNS (unless those
names/IPs are irrelevant to internal users.)
 
