How can you de-couple DNS server from the AD Domain Controller?

Question

I have an environment where Active Directory Domain Controllers host their own DNS domains (as is common).

However we are trying to separate DNS and host it on a standalone server (to eventually move to Linux Bind, but for now just the decoupling)

I have tested this in a lab environment but can't get the decoupling to work.

Step One - Basic Setup

• Create an AD zone "mylab.com"
• Add a domain controller "server1.mylab.com"
• AD can update the domain perfectly fine

Step Two - Move out DNS zone

• Backup and delete the entire zone "mylab.com"
• Create a Conditional Forwarder for "mylab.com" pointing to standalone DNS server
• Manually create a new zone "mylab.com" on the standalone DNS server
• Allow Insecure Updates on the standalone server (On Bind it would be 'allow-update ACL')

Step Three - Test DNS Updates from AD to Standalone

• Restart NetLogon Service

this should trigger the DC to create all the AD related DNS records on "mylab.com" hosted on the new Standalone DNS server.

but I don't see any attempts of DNS updates on the standalone DNS server logs.

I do see DNS queries coming in from the DC, but no updates)

Answer 1

I don't see any mention of updating the name server records. The link below describes the process which involves a dns zone transfer.

https://community.spiceworks.com/topic/2266049-migrating-from-windows-dns-to-bind-dns-on-linux

Answer 2

The steps are all correct. I got it working with the same steps.

The only issue was the FQDN of the NS records may need to be forwarded separately if they are not part of the same domain. Otherwise the DC won't know where to send the DDNS updates. It does this by first looking up the SOA and NS records of the zone.

In my specific environment, I had to modify the NS records to be in the same zone.