
I have an old domain that was first set up in NT4 days. It has been through several admins, some better than others. The last upgrade done was from 2003 to 2008 R2 via a migration to new DCs. I'm now receiving several strange NTP errors.

I tracked this down to DNS resolution problems for my internal domain.

There are about half a dozen entries for mydomain.org:

  • 100.100.100.6 (legacy DC, demoted)
  • 192.168.100.80 (new DC)
  • 172.168.100.80 (web server)
  • 100.100.100.0 (?)
  • 172.16.1.0 (?)
  • 192.168.100.81 (2nd new DC)
  • 100.100.100.15 (legacy DC, demoted)

All I should need here for proper AD function is the two new DCs, correct?

Tim Brigham

1 Answer

You're right. The only thing that you should need for it to work properly is the NS and A records for your current DCs. You also want to make sure that each DC that is running DNS holds a SOA record for just itself. You also want to make sure that none of the old servers are listed anywhere in the _msdcs zone. You might need to use ntdsutil to clean up old DC metadata if there are old entries there.

The fact that there is a web server in there as well is a bit confusing. Do you have a split-brain DNS setup where your internal name is the same as your old? If so, you might want to proceed with caution and open a new question with more detail about how to resolve that issue. If you don't have split-brain, it was probably just someone without a clue trying to play sysadmin.

MDMarra
  • Thanks Mark - that is just what I needed. Our domain was set up with the same name we use externally. My guess is the webserver was added for that reason. – Tim Brigham Dec 01 '11 at 17:35
  • @timbrigham There are some black magic ninja voodoo configurations that have to happen when you share an internal AD domain name with your external one. Sometimes people run IIS on DCs with redirects, other people pray to the devil. Either way, you should proceed with caution and strongly consider doing an [AD Domain Rename](http://technet.microsoft.com/en-us/library/cc738208%28WS.10%29.aspx) to change your AD Domain to an unused subdomain of your public one. – MDMarra Dec 01 '11 at 17:42
  • I know exactly what you mean... I'll bring it up to my boss again. – Tim Brigham Dec 01 '11 at 17:45
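An added example (not from the question or the answer above) of the check the answer describes: it takes the list of current DCs from AD itself and flags apex A records, NS records and the _msdcs locator SRV records that point anywhere else. It assumes the RSAT ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or later) are available; the domain name is read from AD, so mydomain.org is not hard-coded.

```powershell
# Audit DNS records for the AD domain against the DCs that AD knows about.
# Assumption: run on a domain-joined host with RSAT AD tools and Resolve-DnsName.
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

# The authoritative DC list comes from AD, not from DNS, so stale DNS cannot hide itself.
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address
$expectedIps   = @($dcs.IPv4Address)
$expectedHosts = @($dcs.HostName | ForEach-Object { $_.ToLower().TrimEnd('.') })
"Current DCs per AD: " + (($dcs | ForEach-Object { "$($_.HostName)=$($_.IPv4Address)" }) -join ', ')

function Get-Status([string]$value, [string[]]$expected) {
    if ($expected -contains $value) { 'OK    ' } else { 'STALE?' }
}

# 1. Apex A records (mydomain.org itself): each IP should be a current DC.
#    A web server or a demoted DC here sends LDAP/NTP clients to the wrong box.
$apexA = Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' }
foreach ($rr in $apexA) {
    "$(Get-Status $rr.IPAddress $expectedIps) A   $Domain -> $($rr.IPAddress)"
}

# 2. NS records at the apex and under _msdcs should only name current DCs.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $ns = Resolve-DnsName -Name $zone -Type NS -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'NS' }
    foreach ($rr in $ns) {
        $target = $rr.NameHost.ToLower().TrimEnd('.')
        "$(Get-Status $target $expectedHosts) NS  $zone -> $target"
    }
}

# 3. DC locator SRV records; a demoted DC left here is a classic cause of
#    Kerberos and w32time (NTP) errors after a migration.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
foreach ($srv in $srvNames) {
    $recs = Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' }
    foreach ($rr in $recs) {
        $target = $rr.NameTarget.ToLower().TrimEnd('.')
        "$(Get-Status $target $expectedHosts) SRV $srv -> $target"
    }
}
```

Anything marked STALE? is a candidate for removal from DNS (and, if the host was a DC that was not cleanly demoted, for metadata cleanup with ntdsutil as the answer notes); the script only reports and changes nothing.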