I'm trying to figure out the best course of action regarding the migration of Non-integrated DNS from 2 Windows 2000 SP4 based DC to newer Windows 2003 based DCs.
Currently, we have a domain with two W2K DCs (native mode) which I am trying to migrate away from to an all-Win2003-DC domain. As part of this migration step, I also want to demote these DCs.
- We want to avoid walking around 550+ clients with static IPs and changing primary/secondary DNS entries.
  (100 XP Pro, 250 WinCE/Linux thin clients, 100 or so network switches, Linux machines, 3 Mac OS clients etc.)
  Most have manually created DNS A/PTR records.
- We want to stay within a recommended/easily understandable DC/DNS design.
- Not 100% convinced that we want to integrate DNS into AD... although I can see how that can solve replication/registration/reliability issues as long as you have at least ONE DC/DNS combo around.
- Don't really have to worry about secure DNS registrations, but it's nice...
One of our current W2K DCs was the original forest root (DC4 below, i.e. the first NT 4.0 server upgraded to a DC). This same DC is also currently our PRIMARY DNS server for the main DNS domain.
Also, all clients at our current site point to these two as their Primary (DC4) and Secondary (DC5) DNS server. (We have about 550 STATIC IPs, some geographically dispersed up to a few hours of travel time from each other.)
I'm slightly favoring Suggestion C since it allows us to perform future upgrades of our DCs; but I don't think we can integrate DNS into AD with this option.
Suggestion A:
Step 0. Demote the 2nd W2K SP4 DC (DC5) to just be a secondary DNS. (DONE as of 5/22/2009)
Step 1. On a Win2003 DC (DC2): Convert all secondary DNS zones for the "company.com" domain to primary DNS zones (i.e. forward AND reverse zones). Point all Secondary DNS servers to this DNS server. Verify that dnslint doesn't show any issues.
Step 2. Change IP of the Primary Win2000 DC to something else. Change the new Win2003 DC/Primary DNS server's IP to 10.168.1.4; Do the same with a 2nd Win2003 DC...
Step 3. Integrate the DNS with AD on Primary DNS running W2003. Let AD replicate DNS...
Pro: Avoid having to change 550+ individual clients'
Cons: Have to change the IP address of two DCs (one of which is a DHCP server etc...)
Suggestion B.
Essentially the same process EXCEPT in Step 2 we ADD the old IP address of the Win2000 DC as a second IP of the Win2003 R2 SP2 server, i.e.
Win2003 R2 SP2 DC: 10.168.1.43 AND 10.168.1.4 (single NIC, no teaming, VLANs or any other 'feature' enabled.)
Pro: Avoids having to change 550+ individual clients' IP settings.
Cons: LOTS of people saying "Don't have 2 IPs on a DC", but most refer to a situation where one interface of a DC is unreachable by clients (i.e. acting like a small firewall or something...). Others point to odd WINS entries... etc.
Suggestion C.
Idea: Create two member servers that are NON-DCs. Install them to be DNS Secondaries; Swap IPs of the original primary and secondary DNS server (W2K DCs).
Pros: We are not tying DNS to a DC. Therefore we can migrate DCs to any future versions on our timetable... W2008 etc.
Cons: I seem to recall an MS KB or an MSDN/TechNet article that recommended that Windows clients best use a DNS server that is also a DC... but I can't remember WHERE I read that. (Something to do with SLOW XP startup times, perhaps due to DC location issues.)
Suggestion: ?
*********** DETAILS of Domain below ***************
All DCs also run DNS, and ALL are Global Catalog servers.
Forest name: company.com (fake domain)
SITE A
DC1.company.com = W2003 R2 SP2, Secondary DNS for primary DNS zone, Global Catalog, Schema master, Domain Naming -located in our Disaster recovery site. IP Bridgehead
IP: 10.168.248.44
SITE B
DC2.company.com = W2003 R2 SP2, Global Catalog, PDC, RID, Infrastructure. IP bridgehead
Secondary DNS for company.com,
IP: 10.168.1.43
DC3.company.com = W2003 R2 SP2, Global Catalog, Secondary DNS for company.com, DHCP, IP bridgehead
IP: 10.168.1.41
DC4.company.com = W2K SP4, Global Catalog, Primary DNS for company.com and all reverse zones. This is also a Domain Terminal Server Licensing server.
(Formerly the first W2K server in an NT 4.0 domain; Oldest Server: HP Proliant ML370 G2)
IP: 10.168.1.4
*** PRIMARY DNS FOR 550+ clients
DC5.company.com = W2K SP4, RECENTLY DEMOTED to just be a member server running DNS. Currently it is a Secondary DNS for 550 clients in the top AD domain.
IP: 10.168.1.2
*** SECONDARY DNS for 550+ clients
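Whichever suggestion is picked, the risk in Steps 1 and 2 of Suggestion A is that some server still answers with stale zone data or a missing DC locator record after the IP swap, and 550 static clients will find it. The following consistency check is an added example (not from the original post or any Microsoft tool): it asks every DNS server listed above for the zone SOA and the DC locator SRV records and reports any server whose answer differs from the rest. It assumes PowerShell is installed on the admin workstation and uses nslookup.exe, which is present on a stock 2003 box; the server names and IPs are the ones given in the post.

```powershell
# Added example: compare SOA and DC-locator answers across all DNS servers
# before and after the cutover. Uses only nslookup.exe (assumption: run from
# a workstation that can reach all five addresses).
$zone    = 'company.com'                 # fake domain name from the post
$servers = @{                            # IPs as listed in the post
    'DC1' = '10.168.248.44'
    'DC2' = '10.168.1.43'
    'DC3' = '10.168.1.41'
    'DC4' = '10.168.1.4'                 # current primary, IP to be reused
    'DC5' = '10.168.1.2'                 # demoted, still secondary DNS
}
# Records every AD client depends on at logon: the zone SOA (serial shows
# whether zone transfers are current) and the DC locator SRV records.
$queries = @(
    @{ Type = 'SOA'; Name = $zone },
    @{ Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$zone" },
    @{ Type = 'SRV'; Name = "_kerberos._tcp.dc._msdcs.$zone" }
)

function Get-NormalizedAnswer($server, $type, $name) {
    # -nosearch stops the client's suffix list from masking a missing record.
    $out = & nslookup.exe -nosearch "-type=$type" $name $server 2>&1
    # Answer details are the indented lines; the server banner is not.
    $detail = $out | Where-Object { "$_" -match '^\s+\S' } |
              ForEach-Object { "$_".Trim() } | Sort-Object
    ($detail -join ';')
}

$problems = 0
foreach ($q in $queries) {
    $answers = @{}
    foreach ($dc in ($servers.Keys | Sort-Object)) {
        $answers[$dc] = Get-NormalizedAnswer $servers[$dc] $q.Type $q.Name
    }
    $distinct = @($answers.Values | Sort-Object -Unique)
    if ($distinct.Count -ne 1) {
        $problems++
        Write-Host "MISMATCH $($q.Type) $($q.Name):"
        foreach ($dc in ($answers.Keys | Sort-Object)) {
            Write-Host "  $dc ($($servers[$dc])): $($answers[$dc])"
        }
    } else {
        Write-Host "OK       $($q.Type) $($q.Name) identical on all servers"
    }
}
exit $problems   # non-zero exit = at least one server disagrees
```

Run it once before Step 1 to get a known-good baseline, and again after each IP change; a lagging SOA serial on a secondary means the zone transfer has not completed and the old-IP server should not be retired yet.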