- You will have to see if the ISP will allow zone updates from your internal DNS servers. That is the ISP will be secondary and your systems will be primary. Most likely they will not allow this. Also, understand that ALL of the names of your internal systems will be available to everyone on the Web. Thus, if I want to search for your CEOs laptop to find it's direct IP address -- I can.
Let's assume that your ISP said, "No, we won't accept DNS updates from you." Here's how we proceed.
Step 2 of 2:
- You must create DNS servers ahead of time and they should not be Active Directory (AD) integrated zones (which reduces security of the DNS zone a little, but increases security for the domain controllers in that they are not exposed to the external network). This means that the DNS servers are NOT domain controllers. They will be sitting on a very exposed location on your external facing network. They should be locked down as hard as possible and only be running DNS services. Keep in mind they do not necessarily have to be Windows machines either. Linux will work just fine -- you just need to configure it to allow dynamic updates from the internal network subnet.
- You must configure the DNS servers with the MyCompany.com zone and validate that they are working.
- Since your ISP won't let you update the zones, you will need to contact the ISP or the registry company that manages your MyCompany.com domain. You need to tell them that you want to adjust the SOA (start of authority) for the domain to two new servers and give them the name and IP addresses of the two DNS servers you built. It will take 24-72 hours for this change to complete.
- Configure you firewall (and you do have a firewall between the Internet and your internal network, don't you?) so that the internal systems can contact the DNS servers and so that the internal systems can update the DNS records.
- Change the NT 4.0 PDC's DNS entries to point to the two new DNS servers.
- Find a backup domain controller (BDC) and power it off as a precaution in case something goes wrong with your upgrade.
- Upgrade the NT 4.0 primary domain controller (PDC) to Windows 2000, telling the system to use the two new DNS servers for AD dynamic updates. If the system fails to update the records, you will need to figure out what is wrong with the firewall, network, or DNS servers that dynamic updates aren't allowed. DO NOT CONTINUE with the upgrade until this is resolved.
- Once the upgrade completes, you are ready to upgrade the remaining BDCs.
- When everything appears to be working correctly, alter the Windows 2000 AD to run in native mode.
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.