RichardK
Hi all
I'll try and explain this as best I can...
We are planning to upgrade our Windows NT 4 Domain to Windows 2000 as
an interim measure (i.e. not going to Win 2003 yet) as we have an
urgent need at the moment to upgrade several servers due to aging
hardware becoming end-of-life.
This includes replacing & rebuilding all current NT 4 PDC/BDCs (total
of 3) and a dozen or so other NT/2000 member servers.
Rather than rebuilding them as NT 4 PDC/BDCs again, I thought it would
be a good opportunity to build them as Win 2000 and DCPROMO them
afterwards.
(I may have to in-place upgrade the PDC first, take existing BDC
offline etc. as per std recommendations for upgrading).
Presently, in the geographic location which we have control of, we
have a single NT 4 Domain with no trusts to any other domains in
place.
There is a PDC and 3 BDCs and approx. 60 Member Servers (a mix of NT
4.0 and Win 2000), 150 workstations (NT/2000/XP) and 200 user accounts
in the Domain.
The remainder of our users (~1500) log in to NDS and have a volatile
user acct created in a workgroup, i.e. the overall percentage of users
that need domain access (IT personnel mainly to access files on
application member servers) is low.
Also we don't have any Domain logon scripts, replication, Exchange, NT
Domain policies, Dial-in, etc. in there either - i.e. a very simple
domain structure.
The intended target AD structure would be flat i.e. domain still, no
OUs, no extra Group Policy, etc. It will be a placeholder Domain until
a project starts at the end of 2004 to move everything into a proper
organization-wide AD structure (our company is split across 3 states
with differing support models and organisations including outsourcers
in each)
However, all servers, workstations, etc. point to a primary and
secondary BIND DNS server which is maintained elsewhere and out of our
support control.
e.g. DNS domain is called abc.mycompany.com and clients point to
200.200.61.1 (pri) and 200.200.89.30 (sec) (obviously not the real IP
address and name)
As we do not manage the BIND server, it would be a _real_ hassle
to integrate AD in there from a support, logistic and political
point of view. It is difficult enough to put A records in at the
moment...
These Windows servers/clients also all register themselves to the
current NT 4.0 WINS servers that we have, which are on the NT 4
PDC/BDCs and replicate between each other.
Given this, what is the best option to upgrade to a limited AD
structure given our DNS and BIND limitations?
1. Create a totally new DNS AD integrated domain e.g.
ad.mycompany.local and just put the Win 2000 DCs in that AD integrated
DNS domain so AD can function and replicate correctly between DCs
All existing member servers will still need to point to the existing
BIND servers - though we would put A records in for the new DCs into
the BIND domain. I wouldn't like to put new suffixes and extra DNS IP
addresses in - the idea would be to minimise visits to all
servers/workstations etc.
Also we turn off Dynamic DNS resolution on Win2000/XP/NT servers/wkst
anyway (as it tries to update the BIND server unsuccessfully).
We are happy to upgrade and use Win 2000 WINS on the DCs for Windows
host resolution as we do at present (i.e. for hosts that don't have A
DNS records set up on the BIND server).
Given this scenario, would we point every DC DNS IP address to the
Win2000 DNS servers and for TCP/IP properties enter in both
ad.mycompany.local and abc.mycompany.com DNS domains and both DNS
servers i.e. AD and BIND ones?
or
2. Create a child subdomain to the abc.mycompany.com BIND domain
called ad.xyz.abc.mycompany.com. totally delegated.
If so do we have to create all the "_" domains i.e. _msdcs, _tcp, etc.
at each subdomain level
i.e. at abc.mycompany.com and also further up at mycompany.com.
We would create the Win2000 DNS server at the xyz.abc.mycompany.com
level and create an ad.xyz.abc.mycompany.com subdomain under this for
neatness.
If we could get away with creating the whole subdomain without
touching the parent at all it would be a lot easier.
From what I have read this may not be possible - i.e. you have to
delegate the "_" zones.
Again, we would still use WINS for Windows Name resolution for non A
record hosts.
Again, given this scenario, would we point every DC DNS IP address to
these Win2000 DNS servers and for TCP/IP properties enter both AD and
the "upstream" BIND DNS server addresses?
Thanks for your help in advance...
Regards
Richard
Melbourne, Australia
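An added example, not part of Richard's post, to sanity-check the delegation that option 2 describes before any DC is promoted: it parses a constructed fragment of the parent abc.mycompany.com zone that delegates ad.xyz.abc.mycompany.com, confirms NS and glue records are present, and lists the SRV owner names a Windows 2000 DC registers to show they all fall under the delegated child rather than under abc.mycompany.com or mycompany.com. The DC host names, their addresses and the zone text are assumptions made up for the example; a single-domain forest is assumed.

```python
# Constructed parent-zone fragment (not from the post): abc.mycompany.com delegates
# ad.xyz.abc.mycompany.com to two made-up DCs; glue A records sit in the parent too.
PARENT_ZONE = """\
$ORIGIN abc.mycompany.com.
ad.xyz     IN NS dc1.ad.xyz.abc.mycompany.com.
ad.xyz     IN NS dc2.ad.xyz.abc.mycompany.com.
dc1.ad.xyz IN A  200.200.61.50
dc2.ad.xyz IN A  200.200.61.51
"""
# SRV owner names a Windows 2000 DC registers, relative to the AD domain
# (single-domain forest assumed, so the forest name equals the domain name).
DC_SRV_NAMES = [
    "_ldap._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}", "_ldap._tcp.pdc._msdcs.{d}",
    "_kerberos._tcp.{d}", "_kpasswd._tcp.{d}", "_gc._tcp.{d}",
    "_ldap._tcp.Default-First-Site-Name._sites.{d}",
]

def parse_zone(text):
    """Return (owner_fqdn, type, rdata) tuples from a tiny $ORIGIN-style zone."""
    origin, records = "", []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        if not owner.endswith("."):  # relative owner: append the origin
            owner = f"{owner}.{origin}"
        records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records

def check_delegation(zone_text, child):
    """List problems with the delegation of `child` in the parent zone."""
    child = child.lower().rstrip(".") + "."
    recs = parse_zone(zone_text)
    ns = [r for o, t, r in recs if o == child and t == "NS"]
    glue = {o for o, t, _ in recs if t == "A"}
    problems = [] if ns else [f"no NS records delegate {child}"]
    for server in ns:  # in-bailiwick name servers need glue in the parent
        if server.endswith("." + child) and server not in glue:
            problems.append(f"missing glue A record for {server}")
    return problems

def srv_names_outside_child(ad_domain, child):
    """SRV names that would need records outside the delegation (expect none)."""
    child = child.lower().rstrip(".") + "."
    names = [n.format(d=ad_domain.rstrip(".")) + "." for n in DC_SRV_NAMES]
    return [n for n in names if not n.lower().endswith("." + child)]
```

With the child delegated this way, the "_" names are created by the DCs inside the Win2000 zone for ad.xyz.abc.mycompany.com, so the parent BIND zone only needs the NS and glue records shown.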