3

Here is my situation:

I have inherited a Windows 2003 domain with only 1 domain controller, we'll call it DC1. DC1 is also the DNS, DHCP and Exchange server for this organization. DC1 was originally a Small Business Server but was upgraded to Server 2003 Standard at some point.

There used to be a second domain controller and DNS server called DC2, but it crashed and was never removed cleanly from the domain. I have used ntdsutil to remove DC2 metadata and have deleted the computer account in Active Directory, but Name Server (NS) and Start of Authority (SOA) references to DC2 are scattered all over my DNS Forward Lookup Zone.

I have a brand new Exchange 2007 server on the way to replace what is currently DC1 (Exchange 2003, DNS, DHCP, DC). I therefore need to complete the following tasks:

  1. Promote a new server on the domain to be a domain controller.
  2. Transfer the FSMO roles from DC1 to the new domain controller.
  3. Install DNS and DHCP on the new domain controller.
  4. Remove the DNS and DHCP roles from DC1 and remove it from the domain.
  5. After my new Exchange 2007 server is in place, reload DC1 and turn it into a secondary domain controller and DNS server.

I am worried that in step 3 of my plan, I will end up replicating bad DNS records to my new domain controller. What is the best way to clean up my existing DNS before replicating it to my new server? It seems like it would be best just to have a clean Forward Lookup Zone, but I don't really understand how that zone works.

I already have DNS scavenging turned on, but it never seems to clean up any of the references to DC2, the domain controller and DNS server that failed some time ago. Can I just delete the entire Forward Lookup Zone? Does it recreate itself?

Can somebody explain to me what the different containers (_msdcs,domain.local,zone.domain.local) in the Forward Lookup Zone are?

Kyle Noland
  • 1,039
  • 3
  • 19
  • 21

2 Answers2

2

I already have DNS scavenging turned on, but it never seems to clean up any of the references to DC2, the domain controller and DNS server that failed some time ago.

You need to enable scavenging both at the server level and at the Domain level. Check properties of both to enable scavenging or delete the specific records yourself.

Can I just delete the entire Forward Lookup Zone? Does it recreate itself?

This is what you definitely do NOT want to do. Once you have your new DC up with DNS installed, make sure your Domain is AD Integrated and set it for replication to all domain or forest DNS servers. I prefer all forest but that's just me. When you decommission the old DC and remove everything make sure to re-point all of your clients and servers to the new DNS server IP address. I would suggest running them in parallel for a period of time to get all the clients and servers updated to using the new IP while the old one is still also available.

You are absolutely spot on in rebuilding the current DC as a second DC. You ALWAYS want to have 2 DCs and 2 DNS servers for an AD infrastructure. I personally insist on having at least one be a physical DC versus having both virtualized.

I am worried that in step 3 of my plan, I will end up replicating bad DNS records to my new domain controller. What is the best way to clean up my existing DNS before replicating it to my new server? It seems like it would be best just to have a clean Forward Lookup Zone, but I don't really understand how that zone works.

When in doubt, keep it. If things are working as expected and you don't want to break them, let sleeping dogs lie. If there are records you know are bad, get rid of them, but only records that you know what they do and only if you know for a fact that they are superfluous.

Kevin Colby
  • 1,760
  • 10
  • 14
1

The _msdcs _sites _tcp _udp are the areas of DNS that are critical to Active Directory, they contain the service records for AD its self. The other zones will contain the information for the computers on your network etc.

  • _msdcs - Contains all the GUIDs for all domains in the forest and a list of Global Catalogue Servers
  • _sites - Site Objects
  • _TCP. _UDP - DNS information for Domain Controllers

So, if you need to remove bad records in your normal DNS zones, thats fine. The other areas are where problems can occur. However if you do find that AD's DNS records are messed up, you can fix them by running netdiag/fix from the command line.

Sam Cogan
  • 38,736
  • 6
  • 78
  • 114