RE: NT to AD upgrade question (advanced)
- From: "jkegley" <jkegley@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 Sep 2005 06:51:02 -0700
Let me be clear. The DNS server that is in the DMZ is multi-homed. It has
a public IP (NAT'd) and a private IP. The clients in the network are already
pointing to it. I cannot manually change the DNS setting on the clients. I
cannot change DHCP as the clients are static. Once the clients are
connecting to AD, I can GPO that setting to get them to point to the DC for
DNS.
I need to give the clients the ability to find a DC through DNS. I was
planning on doing this by setting up a zone on the "DMZ" DNS server that
transfers the AD Integrated zone from the DC. My question is, will the
clients be able to use this zone to find the PDC?
As for challenge 2, I was referencing this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;309273
and for Challenge 3, the clients right now have EXTERNALnamespace.org as
their primary DNS suffix. After the upgrade, will their suffix be changed to
INTERNALnamespace.org?
Remember, I cannot manually change anything on the clients. Once they are
connected to the PDC and are getting GPOs, I plan on enforcing a GPO setting
to change their preferred DNS server to the DC, and then delete the zone
transfer to the "DMZ" DNS server. What do you think? Thank you for your
input.
"Vincent Xu [MSFT]" wrote:
> Hi,
>
> I have one question first: as you said, "clients are static ip address
> configuration and pointing to a single dns server in the DMZ for external
> name space resolution only". Does that mean all clients have public IP
> addresses?
>
> As we all know, in the external DNS server we just make a partnership of a
> name and an IP. The name is for the guys on the Internet who want to access the
> box. They try to query the IP of the box with the name. The following
> communication is pure IP to IP, nothing about the name. But in AD, DNS is an
> important part and is used for internal affairs.
>
> So, for your Challenge 1: if you want to transfer the internal DNS data
> to the external DNS server, you may do it. But that has nothing to do with
> "facilitate the access to the DC's from the clients", and you must set the
> preferred DNS settings to the internal DNS server, either by DHCP server
> or manually.
>
> For your Challenge 2: The client sure will authenticate with the PDC. It is
> by design.
>
> For your Challenge 3: As I said at first, the name in the external DNS server
> is used for the guys on the Internet, not for the internal box. So the
> clients' DNS suffix should be abc_company.local as well. I'm not sure why
> you think the clients will still have just company.local as their suffix.
>
> So regarding the steps in your plan, my suggestion is:
>
> We may not need to create a secondary zone on the external DNS server, but we
> must set the preferred DNS to the AD DNS first.
>
> I'd like to recommend you refer to the following articles:
>
> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a03bfbdc-91ce-4519-ae96-c7623979838c.mspx>
>
> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/57076e10-0467-47df-96fb-9be16b7dce2f.mspx>
>
> Let me know if you have anything unclear, I'll try my best to be of
> assistance.
>
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
>
> --------------------
> >>From: "jkegley" <jkegley@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >>Subject: NT to AD upgrade question (advanced)
> >>Date: Wed, 21 Sep 2005 12:11:03 -0700
> >>Newsgroups: microsoft.public.windows.server.migration
> >>
> >>I am designing an upgrade strategy for about 3000 users from a single NT 4
> >>domain to a single Active Directory domain model. I have questions regarding
> >>DNS suffix settings and DNS. I also have concerns about how to make sure the
> >>clients will "connect" to the AD DC's instead of the BDC servers to get
> >>policies. Here we go:
> >>
> >>Clients: XP Pro and 2k3 Pro
> >>Clients are static IP address configuration and pointing to a single DNS
> >>server in the DMZ for external name space resolution only. They are using
> >>NetBIOS and WINS for internal resolution.
> >>
> >>Challenge 1: Clients are statically defined to point to the external DNS
> >>server.
> >>Solution 1: When upgrading the PDC, create the AD DNS zone on the DC, and
> >>have it zone transfer to the external DNS server. Will this facilitate the
> >>access to the DC's from the clients? If so, then after the clients are
> >>connecting to AD, I can GPO the preferred DNS setting.
> >>
> >>Challenge 2: How do I make sure XP and 2k3 clients WILL authenticate and
> >>receive Kerberos (encrypted connection) to the Active Directory, rather than
> >>the BDC?
> >>Solution 2: ???
> >>
> >>Challenge 3: All of the clients are configured with the external name space
> >>for their DNS primary suffix. This namespace is company.org, but the NetBIOS
> >>NT4 domain name is abc_company. This means that once I upgrade the PDC and
> >>perform dcpromo, I will make the AD DNS zone abc_company.local, but the
> >>clients will still have just company.local as their suffix.
> >>
> >>Solution 2: Is this a problem? Will it affect the clients' connection to AD
> >>after the PDC is upgraded?
> >>
> >>Here are my initial steps:
> >>
> >>1. Take BDC offline
> >>2. Upgrade PDC to AD
> >>3. Create secondary zone on external DNS server (clients are statically
> >>configured to use this DNS server) and perform a zone transfer from the AD
> >>server's zone
> >>4. After validating that clients are getting kerb tickets and connecting to
> >>AD, GPO the preferred DNS server to be the AD server(s).
> >>5. Secure AD zone and delete secondary zone on DMZ DNS server. Set AD
> >>server to forward to DMZ DNS server.
> >>6. Upgrade additional BDC's and demote from AD.
> >>
> >>Please reply with questions, or solutions to my challenges. Please reply
> >>with validation of my solutions that I have included. Thanks!
> >>
>
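The question running through this thread is whether clients that still point at the DMZ DNS server can locate a DC (including the PDC emulator) from a secondary copy of the AD-integrated zone. What decides that is whether the copy actually carries the SRV records the Windows DC locator queries, and whether the hosts those records name resolve from the same copy. The Python script below is an added example, not code from anyone in this thread: it parses a constructed zone snapshot in the shape a zone transfer would deliver and reports which locator records are missing and which SRV targets have no A record in the copy. The zone data, host names and addresses are constructed, and the list of required SRV names is an assumption covering a subset of what a DC registers.

```python
"""Check a DNS zone copy for the SRV records a Windows DC locator needs.

The zone text is constructed sample data in the shape a zone transfer of an
AD-integrated zone would deliver; it is not a real zone.
"""
from dataclasses import dataclass

# SRV names the DC locator queries (assumption: a subset of what a DC registers).
# {d} is the AD DNS domain name.
REQUIRED_SRV = (
    "_ldap._tcp.dc._msdcs.{d}",       # any DC
    "_kerberos._tcp.dc._msdcs.{d}",   # KDC on a DC
    "_ldap._tcp.pdc._msdcs.{d}",      # PDC emulator
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kerberos._udp.{d}",
)


@dataclass(frozen=True)
class Record:
    name: str     # owner name, lower-case, no trailing dot
    rtype: str    # record type, upper-case
    rdata: tuple  # rdata fields exactly as written in the zone


def parse_zone(text):
    """Parse one-line records of the form 'name ttl class type rdata...'.

    Comments (';') and directives ('$ORIGIN' etc.) are ignored; multi-line
    SOA records with parentheses are not handled in this example.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        name, _ttl, _cls, rtype, *rdata = line.split()
        records.append(Record(name.rstrip(".").lower(), rtype.upper(), tuple(rdata)))
    return records


def check_dc_locator(records, domain):
    """Return the locator SRV names missing from the copy, the DCs the copy
    can resolve to an address, and SRV targets that have no A record in it."""
    d = domain.rstrip(".").lower()
    a_records = {r.name: r.rdata[0] for r in records if r.rtype == "A"}
    srv_by_name = {}
    for r in records:
        if r.rtype == "SRV":
            srv_by_name.setdefault(r.name, []).append(r)

    missing = [n.format(d=d) for n in REQUIRED_SRV if n.format(d=d) not in srv_by_name]
    dcs = {}
    unresolvable = set()
    for name, srvs in srv_by_name.items():
        for srv in srvs:
            target = srv.rdata[3].rstrip(".").lower()  # SRV rdata: prio weight port target
            if target in a_records:
                dcs[target] = a_records[target]
            else:
                unresolvable.add((name, target))
    return {"missing": missing, "dcs": dcs, "unresolvable": sorted(unresolvable)}


# Constructed sample: one DC with an A record, a second DC referenced by SRV only,
# and the _kerberos._udp record left out on purpose so the check has something to find.
SAMPLE_ZONE = """\
; constructed sample zone, not real data
internalnamespace.org. 3600 IN SOA dc1.internalnamespace.org. hostmaster.internalnamespace.org. 1 900 600 86400 3600
internalnamespace.org. 3600 IN NS dc1.internalnamespace.org.
dc1.internalnamespace.org. 3600 IN A 10.0.0.10
_ldap._tcp.dc._msdcs.internalnamespace.org. 600 IN SRV 0 100 389 dc1.internalnamespace.org.
_ldap._tcp.dc._msdcs.internalnamespace.org. 600 IN SRV 0 100 389 dc2.internalnamespace.org.
_kerberos._tcp.dc._msdcs.internalnamespace.org. 600 IN SRV 0 100 88 dc1.internalnamespace.org.
_ldap._tcp.pdc._msdcs.internalnamespace.org. 600 IN SRV 0 100 389 dc1.internalnamespace.org.
_ldap._tcp.internalnamespace.org. 600 IN SRV 0 100 389 dc1.internalnamespace.org.
_kerberos._tcp.internalnamespace.org. 600 IN SRV 0 100 88 dc1.internalnamespace.org.
"""

if __name__ == "__main__":
    result = check_dc_locator(parse_zone(SAMPLE_ZONE), "INTERNALnamespace.org")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the check reports the missing `_kerberos._udp` record, resolves `dc1` to its address, and flags `dc2` as an SRV target with no address in the copy. The same check applied to a real copy of the secondary zone, before the cutover in step 4 of the plan, tells you whether clients pointed at the DMZ server can find the DCs at all. It also makes visible what step 5 of the plan is protecting: the secondary zone hands every DC's name and internal address to whoever can query that multi-homed server, so deleting it and restricting zone transfers on the AD zone once clients have moved is the part of the plan that limits that exposure.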