- You will have to see if the ISP will allow zone updates from your internal DNS servers. That is,
the ISP will be secondary and your systems will be primary. Most likely they will not allow this.
Also, understand that ALL of the names of your internal systems will be available to
everyone on the Web. Thus, if I want to search for your CEO's laptop to find its direct IP address
-- I can.
Let's assume that your ISP said, "No, we won't accept DNS updates from you." Here's how we proceed.
- You must create DNS servers ahead of time, and they should not be Active Directory (AD)
integrated zones (which reduces the security of the DNS zone a little, but increases security for the
domain controllers in that they are not exposed to the external network). This means that the DNS
servers are NOT domain controllers. They will be sitting in a very exposed location on your
external-facing network. They should be locked down as hard as possible and only be running DNS
services. Keep in mind they do not necessarily have to be Windows machines either. Linux will work
just fine -- you just need to configure it to allow dynamic updates from the internal network.
- You must configure the DNS servers with the MyCompany.com zone and validate that they are
- Since your ISP won't let you update the zones, you will need to contact the ISP or the registry
company that manages your MyCompany.com domain. You need to tell them that you want to adjust the
SOA (start of authority) for the domain to two new servers and give them the name and IP addresses
of the two DNS servers you built. It will take 24-72 hours for this change to complete.
- Configure your firewall (and you do have a firewall between the Internet and your internal
network, don't you?) so that the internal systems can contact the DNS servers and so that the
internal systems can update the DNS records.
- Change the NT 4.0 PDC's DNS entries to point to the two new DNS servers.
- Find a backup domain controller (BDC) and power it off as a precaution in case something goes
wrong with your upgrade.
- Upgrade the NT 4.0 primary domain controller (PDC) to Windows 2000, telling the system to use
the two new DNS servers for AD dynamic updates. If the system fails to update the records, you will
need to figure out what is wrong with the firewall, network, or DNS servers that dynamic updates
aren't allowed. DO NOT CONTINUE with the upgrade until this is resolved.
- Once the upgrade completes, you are ready to upgrade the remaining BDCs.
- When everything appears to be working correctly, alter the Windows 2000 AD to run in native mode.
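As an added example (not part of the original answer), here is what the "locked down, DNS only, dynamic updates from the internal network" server could look like on Linux as a BIND 9 named.conf fragment. The internal address range (10.0.0.0/8), the second DNS server's address (192.0.2.2) and the file path are assumptions for illustration; substitute your own. Windows 2000 domain controllers register their records with plain (unsigned) dynamic updates, so the restriction here is by source address, which means the firewall rule in the step above is what actually enforces it.

```conf
// Added example, not from the original answer: BIND 9 configuration for one of
// the two exposed DNS servers hosting MyCompany.com.
// Assumed values: internal network 10.0.0.0/8, peer DNS server 192.0.2.2.

acl "internal" { 10.0.0.0/8; };          // assumed internal address range
acl "peer-dns" { 192.0.2.2; };           // assumed address of the other DNS server

options {
    directory "/var/named";
    recursion no;                        // authoritative only; never recurse for the Internet
    allow-query { any; };                // the zone is meant to be reachable from anywhere
    allow-transfer { none; };            // no bulk zone dumps by default
    allow-update { none; };              // updates are opened per zone, not globally
    version "not disclosed";             // don't advertise the BIND version
};

zone "mycompany.com" IN {
    type master;
    file "dynamic/mycompany.com.zone";
    // Active Directory records (_msdcs, _sites, _tcp, _udp, ...) are subdomains of
    // this zone, so a single zone with updates allowed is enough.
    allow-update { internal; };          // only internal hosts may add/change records
    allow-transfer { peer-dns; };        // only the second DNS server may pull the zone
    notify yes;
    also-notify { 192.0.2.2; };
};
```

Every name the domain controllers register this way is still publicly resolvable, exactly as the answer warns; restricting transfers only stops someone from pulling the whole list in one query, not from looking names up one at a time.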
This was first published in March 2003