Enterprise Server Strategies for the CIOAt my company we have an NT4 network that we want to upgrade to Windows 2000.
Currently our ISP handles our DNS for external and internal use. During upgrade to Windows 2000, we
want to use the same namespace Mycompany.com for our domain name and for our internal DNS. How do
we delegate the Active Directory zone in our ISP's DNS, which is static, and what should we do to
configure DNS on the domain controller? Do we have to change TCP/IP property for the DNS address to
the Win2k domain controller (DC) before upgrade?
Requires Free Membership to View
Are you sure you want to do this? Generally, it is not a bad idea to use a different DNS name
and structure for the internal identity of the company. It reduces reliance on external agencies
and improves the overall security of the site. But, if you heart is set on it, here is what you
will want to do:
- You will have to see if the ISP will allow zone updates from your internal DNS servers. That is
the ISP will be secondary and your systems will be primary. Most likely they will not allow this.
Also, understand that ALL of the names of your internal systems will be available to
everyone on the Web. Thus, if I want to search for your CEOs laptop to find it's direct IP address
-- I can.
Let's assume that your ISP said, "No, we won't accept DNS updates from you." Here's how we proceed.
- You must create DNS servers ahead of time and they should not be Active Directory (AD)
integrated zones (which reduces security of the DNS zone a little, but increases security for the
domain controllers in that they are not exposed to the external network). This means that the DNS
servers are NOT domain controllers. They will be sitting on a very exposed location on your
external facing network. They should be locked down as hard as possible and only be running DNS
services. Keep in mind they do not necessarily have to be Windows machines either. Linux will work
just fine -- you just need to configure it to allow dynamic updates from the internal network
subnet.
- You must configure the DNS servers with the MyCompany.com zone and validate that they are
working.
- Since your ISP won't let you update the zones, you will need to contact the ISP or the registry
company that manages your MyCompany.com domain. You need to tell them that you want to adjust the
SOA (start of authority) for the domain to two new servers and give them the name and IP addresses
of the two DNS servers you built. It will take 24-72 hours for this change to complete.
- Configure you firewall (and you do have a firewall between the Internet and your internal
network, don't you?) so that the internal systems can contact the DNS servers and so that the
internal systems can update the DNS records.
- Change the NT 4.0 PDC's DNS entries to point to the two new DNS servers.
- Find a backup domain controller (BDC) and power it off as a precaution in case something goes
wrong with your upgrade.
- Upgrade the NT 4.0 primary domain controller (PDC) to Windows 2000, telling the system to use
the two new DNS servers for AD dynamic updates. If the system fails to update the records, you will
need to figure out what is wrong with the firewall, network, or DNS servers that dynamic updates
aren't allowed. DO NOT CONTINUE with the upgrade until this is resolved.
- Once the upgrade completes, you are ready to upgrade the remaining BDCs.
- When everything appears to be working correctly, alter the Windows 2000 AD to run in native mode.
This was first published in March 2003
Join the conversationComment
Share
Comments
Results
Contribute to the conversation