Q

If we configure internal DNS with the same namespace as our domain name, how do we delegate the AD z

At my company we have an NT4 network that we want to upgrade to Windows 2000. Currently our ISP handles our DNS for external and internal use. During upgrade to Windows 2000, we want to use the same namespace Mycompany.com for our domain name and for our internal DNS. How do we delegate the Active Directory zone in our ISP's DNS, which is static, and what should we do to configure DNS on the domain controller? Do we have to change TCP/IP property for the DNS address to the Win2k domain controller (DC) before upgrade?
Are you sure you want to do this? Generally, it is not a bad idea to use a different DNS name and structure for the internal identity of the company. It reduces reliance on external agencies and improves the overall security of the site. But, if you heart is set on it, here is what you will want to do:
  1. You will have to see if the ISP will allow zone updates from your internal DNS servers. That is the ISP will be secondary and your systems will be primary. Most likely they will not allow this. Also, understand that ALL of the names of your internal systems will be available to everyone on the Web. Thus, if I want to search for your CEOs laptop to find it's direct IP address -- I can.

    Let's assume that your ISP said, "No, we won't accept DNS updates from you." Here's how we proceed.

  2. You must create DNS servers ahead of time and they should not be Active Directory (AD) integrated zones (which reduces security of the DNS zone a little, but increases security for the domain controllers in that they are not exposed to the external network). This means that the DNS servers are NOT domain controllers. They will be sitting on a very exposed location on your external facing network. They should be locked down as hard as possible and only be running DNS services. Keep in mind they do not necessarily have to be Windows machines either. Linux will work just fine -- you just need to configure it to allow dynamic updates from the internal network subnet.

  3. You must configure the DNS servers with the MyCompany.com zone and validate that they are working.

  4. Since your ISP won't let you update the zones, you will need to contact the ISP or the registry company that manages your MyCompany.com domain. You need to tell them that you want to adjust the SOA (start of authority) for the domain to two new servers and give them the name and IP addresses of the two DNS servers you built. It will take 24-72 hours for this change to complete.

  5. Configure you firewall (and you do have a firewall between the Internet and your internal network, don't you?) so that the internal systems can contact the DNS servers and so that the internal systems can update the DNS records.

  6. Change the NT 4.0 PDC's DNS entries to point to the two new DNS servers.

  7. Find a backup domain controller (BDC) and power it off as a precaution in case something goes wrong with your upgrade.

  8. Upgrade the NT 4.0 primary domain controller (PDC) to Windows 2000, telling the system to use the two new DNS servers for AD dynamic updates. If the system fails to update the records, you will need to figure out what is wrong with the firewall, network, or DNS servers that dynamic updates aren't allowed. DO NOT CONTINUE with the upgrade until this is resolved.

  9. Once the upgrade completes, you are ready to upgrade the remaining BDCs.

  10. When everything appears to be working correctly, alter the Windows 2000 AD to run in native mode.
And there you have it.
This was first published in March 2003

Dig deeper on Domain Name System (DNS)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close