
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Remove AD integrated DNS


Remove AD integrated DNS
Ian Rowley 12/2/2008 11:26:01 AM
I have been handed part of a project that involves removing DNS from AD and
transferring to BIND.

Current situation is:
Domain ad.domain.com which is authoritative (forward & reverse) for a subnet.
It currently does zone transfers for that subnet to the BIND DNS.

AD has one DNS server (Win 2K3 R2) which is also the domain controller.

The goal, at the moment, is to remove authority for the subnet but leave AD
DNS still handling the underscore records for the domain.

When the UNIX admins remove the authority for the subnet what do I need to
do on the DC/DNS?

Do I just change its ipconfig and point its primary DNS to the BIND DNS
server? Do I need to change the DNS from being AD integrated to something
else? I've read elsewhere that I need to delete the zones and recreate the
underscore records (?)

I know in the MS world this is not ideal, but it is the scenario I'm in and
any help would be greatly appreciated

Regards

Ian
Re: Remove AD integrated DNS
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 12/3/2008 4:19:53 AM
In news:C31C3770-38EA-4E66-9281-210E9E4B6A84[ at ]microsoft.com,
Ian Rowley <IanRowley[ at ]discussions.microsoft.com> requesting assistance,
typed the following:
> I have been handed part of a project that involves removing DNS from
> AD and transferring to BIND.
>
> Current situation is:
> Domain ad.domain.com which is authoritative (forward & reverse) for a
> subnet. It currently does zone transfers for that subnet to the BIND
> DNS.
>
> AD has one DNS server (Win 2K3 R2) which is also the domain
> controller.
>
> The goal, at the moment, is to remove authority for the subnet but
> leave AD DNS still handling the underscore records for the domain.
>
> When the UNIX admins remove the authority for the subnet what do I
> need to do on the DC/DNS?
>
> Do I just change its ipconfig and point its primary DNS to the BIND
> DNS server? Do I need to change the DNS from being AD integrated to
> something else? I've read elsewhere that I need to delete the zones
> and recreate the underscore records (?)
>
> I know in the MS world this is not ideal, but it is the scenario I'm
> in and any help would be greatly appreciated
>
> Regards
>
> Ian

1. Make sure the BIND servers allow updates in the zone.
2. Simply point to the BIND servers in IP properties of the DC(s) and ALL
workstations, member servers, etc, in the AD infrastructure.
3. On the DC, run the following in a command prompt (to register into the
new zone on the BIND servers) :
ipconfig /registerdns
net stop netlogon
net start netlogon
4. Delete the zone in DNS
5. Uninstall DNS off the server.

Now if updates are not allowed in BIND, you do NOT manually create the
records in BIND. After running the above steps, go to the
system32\config\netlogon.dns file, and manually enter that data into the
zone on the BIND server. If you change anything in AD regarding Sites
config, GC, and others, you have to run those steps again, and manually
enter the data from that file. Keep in mind, there is a lot of data in that
file. Careful typing.

Keep in mind, AD integrated zones have a feature that BIND doesn't support,
and that is Secure Updates, where it only allows machines in an AD
environment to register into the zone, using Kerberos authentication. I know
BIND uses TSEC for secure updates, but that is not compatible with Windows.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.
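
The five steps above, plus the manual netlogon.dns fallback, are the whole procedure. The following is an added example written for this thread (it is not code from the posters or from Microsoft): a Python script that parses a netlogon.dns file in the master-file format Netlogon writes, checks that the core SRV records every DC registers are present, lists SRV targets that no A record in the file covers, and renders the data as a $ORIGIN-relative fragment that can be pasted into the BIND zone instead of retyped by hand. The sample file content, the domain ad.domain.com, the DC name dc1, its address 10.0.0.5 and the DSA GUID in the CNAME are all constructed for the example. Note what the "targets without A" check reveals: Netlogon registers the SRVs, the LdapIpAddress and GC A records and the DSA CNAME, but not the DC's own host (A) record, which is registered by the DHCP client service via ipconfig /registerdns; when updates are disabled on BIND that host record has to be added separately or every SRV points at a name that does not resolve.

```python
import re
from dataclasses import dataclass

# Constructed sample of a netlogon.dns file for ad.domain.com with a single
# DC (dc1 at 10.0.0.5). The GUID is made up. Not a real capture.
SAMPLE_NETLOGON_DNS = """\
ad.domain.com. 600 IN A 10.0.0.5
gc._msdcs.ad.domain.com. 600 IN A 10.0.0.5
11111111-2222-3333-4444-555555555555._msdcs.ad.domain.com. 600 IN CNAME dc1.ad.domain.com.
_ldap._tcp.ad.domain.com. 600 IN SRV 0 100 389 dc1.ad.domain.com.
_ldap._tcp.Default-First-Site-Name._sites.ad.domain.com. 600 IN SRV 0 100 389 dc1.ad.domain.com.
_ldap._tcp.pdc._msdcs.ad.domain.com. 600 IN SRV 0 100 389 dc1.ad.domain.com.
_ldap._tcp.gc._msdcs.ad.domain.com. 600 IN SRV 0 100 3268 dc1.ad.domain.com.
_ldap._tcp.dc._msdcs.ad.domain.com. 600 IN SRV 0 100 389 dc1.ad.domain.com.
_kerberos._tcp.ad.domain.com. 600 IN SRV 0 100 88 dc1.ad.domain.com.
_kerberos._udp.ad.domain.com. 600 IN SRV 0 100 88 dc1.ad.domain.com.
_kerberos._tcp.dc._msdcs.ad.domain.com. 600 IN SRV 0 100 88 dc1.ad.domain.com.
_kpasswd._tcp.ad.domain.com. 600 IN SRV 0 100 464 dc1.ad.domain.com.
_gc._tcp.ad.domain.com. 600 IN SRV 0 100 3268 dc1.ad.domain.com.
"""

# SRV names (relative to the domain) that clients use to find a DC, the PDC
# emulator, a GC and the Kerberos/kpasswd services.
CORE_SRV = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp",
    "_gc._tcp", "_ldap._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.gc._msdcs", "_kerberos._tcp.dc._msdcs",
)

# netlogon.dns lines are "<owner> <ttl> IN <type> <rdata>".
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME|SRV)\s+(.+)$")


@dataclass(frozen=True)
class Record:
    owner: str   # absolute owner name, lower-cased, trailing dot kept
    ttl: int
    rtype: str
    rdata: str   # rdata text exactly as written


def parse_netlogon_dns(text):
    """Parse netlogon.dns text; blank lines and ';' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append(Record(owner.lower(), int(ttl), rtype, rdata.strip()))
    return records


def missing_core_srv(records, domain):
    """Return the CORE_SRV names that have no SRV record in the file."""
    domain = domain.lower().rstrip(".") + "."
    present = {r.owner for r in records if r.rtype == "SRV"}
    return {n for n in CORE_SRV if f"{n}.{domain}" not in present}


def srv_targets_without_a(records):
    """SRV targets with no A record in the file (typically the DC host name,
    which Netlogon does not register; ipconfig /registerdns does)."""
    a_owners = {r.owner for r in records if r.rtype == "A"}
    targets = {r.rdata.split()[-1].lower() for r in records if r.rtype == "SRV"}
    return targets - a_owners


def to_bind_fragment(records, domain):
    """Render the records under a $ORIGIN line with owner names made
    relative to the domain (the apex becomes '@'), ready for a BIND zone."""
    domain = domain.lower().rstrip(".") + "."
    out = [f"$ORIGIN {domain}"]
    for r in records:
        if r.owner == domain:
            owner = "@"
        elif r.owner.endswith("." + domain):
            owner = r.owner[: -len(domain) - 1]
        else:
            owner = r.owner  # outside the zone: keep it absolute
        out.append(f"{owner} {r.ttl} IN {r.rtype} {r.rdata}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    print("missing core SRV:", missing_core_srv(recs, "ad.domain.com") or "none")
    print("SRV targets with no A record:", srv_targets_without_a(recs))
    print(to_bind_fragment(recs, "ad.domain.com"))
```

Run it against the real file with `python netlogon_check.py < %SystemRoot%\system32\config\netlogon.dns` after swapping the sample for `sys.stdin.read()`. One caveat on step 1 above: if you do enable dynamic updates on the BIND zone, restrict `allow-update` to the DCs' addresses or to a TSIG key rather than `any`, because an unrestricted allow-update lets any host on the network overwrite these SRV records and redirect every Kerberos and LDAP client to a machine of its choosing.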

Re: Remove AD integrated DNS
Ian Rowley 12/3/2008 3:00:03 PM
HI Ace,

Thanks for the info.

I understand the info you gave as the process for complete removal of DNS
from AD. What I need to achieve is a half-way house of AD DNS still running
but only being responsible for the underscore records e.g.
_msdcs.ad.domain.com, _sites etc.

Do I just need to do everything you say but miss out points 4 & 5?

I think I understand the process, but just need clarification due to the
strange nature of my original request

regards

Ian

Re: Remove AD integrated DNS
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 12/5/2008 4:18:57 AM
In news:DD74DC8C-C187-46F2-AE85-CC26ABE53647[ at ]microsoft.com,
Ian Rowley <IanRowley[ at ]discussions.microsoft.com> requesting assistance,
typed the following:
> HI Ace,
>
> Thanks for the info.
>
> I understand the info you gave as the process for complete removal of
> DNS from AD. What I need to achieve is a half-way house of AD DNS
> still running but only being responsible for the underscore records
> e.g. _msdcs.ad.domain.com, _sites etc.
>
> Do I just need to do everything you say but miss out points 4 & 5?
>
> I think I understand the process, but just need clarification due to
> the strange nature of my original request
>
> regards
>
> Ian


I'm not sure I understand your question or what you are trying to achieve.
Are you saying you want to just register the AD SRV records (the ones with
the underscores), but not all domain controllers' LdapIpAddress ( the record
with the 'same as parent' hostname in parentheses) and its host record (the
"A" record)?

What I outlined was what I assumed you wanted to stop using the Windows
Server's DNS service, and use the BIND service. I don't know if it helps,
because I am not fully understanding your request, but keep in mind, you
can't split registration record types between two servers, meaning you can't
have the SRV records register to one DNS server, and other types of records
register into another. It's all or nothing. Whatever DNS server ALL domain
controllers are using, MUST also be the same DNS server that the client
machines, member servers and all domain controllers are using. This is
because that DNS server now has the necessary records to find domain
resources (SRVs, GC, LdapIpAddress, host, etc). If you mix DNS addresses in
IP properties of these machines, say to one DNS server that has the records,
and to another that doesn't (such as an ISP's DNS server, router, etc), then
you are inviting numerous errors into the mix.

Maybe you can elaborate a bit on your intentions and end result you are
trying to achieve. Can you give a specific scenario with domain controller
names, a sample workstation, DNS IP addresses, etc, so I can get a better
handle on your request?


--
Ace
