jkegley
Guest
Posted: Wed Sep 21, 2005 8:52 pm
Post subject: NT to AD upgrade question (advanced)
I am designing an upgrade strategy for about 3000 users from a single NT 4 domain to a single Active Directory domain model. I have questions regarding DNS suffix settings and DNS. I also have concerns about how to make sure the clients will "connect" to the AD DCs instead of the BDC servers to get policies. Here we go:

Clients: XP Pro and 2k3 Pro. Clients have static IP address configuration and point to a single DNS server in the DMZ for external name space resolution only. They are using NetBIOS and WINS for internal resolution.

Challenge 1: Clients are statically defined to point to the external DNS server.
Solution 1: When upgrading the PDC, create the AD DNS zone on the DC, and have it zone transfer to the external DNS server. Will this facilitate access to the DCs from the clients? If so, then once the clients are connecting to AD, I can GPO the preferred DNS setting.

Challenge 2: How do I make sure XP and 2k3 clients WILL authenticate and receive Kerberos (encrypted connection) to the Active Directory, rather than the BDC?
Solution 2: ???

Challenge 3: All of the clients are configured with the external name space for their DNS primary suffix. This namespace is company.org, but the NetBIOS NT4 domain name is abc_company. This means that once I upgrade the PDC and perform dcpromo, I will make the AD DNS zone abc_company.local, but the clients will still have just company.local as their suffix.
Solution 2: Is this a problem? Will it affect the clients' connection to AD after the PDC is upgraded?

Here are my initial steps:
1. Take BDC offline
2. Upgrade PDC to AD
3. Create secondary zone on external DNS server (clients are statically configured to use this DNS server) and perform a zone transfer from the AD server's zone
4. After validating that clients are getting kerb tickets and connecting to AD, GPO the preferred DNS server to be the AD server(s).
5. Secure AD zone and delete secondary zone on DMZ DNS server. Set AD server to forward to DMZ DNS server.
6. Upgrade additional BDCs and demote from AD.

Please reply with questions, or solutions to my challenges. Please reply with validation of the solutions that I have included. Thanks!
Vincent Xu [MSFT]
Guest
Posted: Thu Sep 22, 2005 8:51 am
Post subject: RE: NT to AD upgrade question (advanced)
Hi,

I have one question first. As you said, "clients are static ip address configuration and pointing to a single dns server in the DMZ for external name space resolution only". Does that mean all clients have public IP addresses?

As we all know, in the external DNS server we just make a partnership of a name and an IP. The name is for the guys on the Internet who want to access the box. They query the IP of the box with the name. The following communication is pure IP to IP, nothing about the name. But in AD, DNS is an important part and is used for internal affairs.

So, for your Challenge 1: if you want to transfer the internal DNS data to the external DNS server, you may do it. But that has nothing to do with "facilitating the access to the DCs from the clients", and you must set the preferred DNS settings to the internal DNS server, either by DHCP server or manually.

For your Challenge 2: the client will surely authenticate with the PDC. It is by design.

For your Challenge 3: as I said at first, the name in the external DNS server is used for the guys on the Internet, not for the internal box. So the clients' DNS suffix should be abc_company.local as well. I'm not sure why you think the clients will still have just company.local as their suffix.

So regarding the steps in your plan, my suggestion is: we may not need to create a secondary zone on the external DNS server, but we must set the preferred DNS to the AD DNS first.

I'd like to recommend you refer to the following articles:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a03bfbdc-91ce-4519-ae96-c7623979838c.mspx>
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/57076e10-0467-47df-96fb-9be16b7dce2f.mspx>

Let me know if you have anything unclear; I'll try my best to be of assistance.

Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
jkegley
Guest
Posted: Thu Sep 22, 2005 4:51 pm
Post subject: RE: NT to AD upgrade question (advanced)
Let me be clear. The DNS server that is in the DMZ is multi-homed. It has a public IP (NAT'd) and a private IP. The clients in the network are already pointing to it. I cannot manually change the DNS setting on the clients. I cannot change DHCP as the clients are static. Once the clients are connecting to AD, I can GPO that setting to get them to point to the DC for DNS.

I need to give the clients the ability to find a DC through DNS. I was planning on doing this by setting up a zone on the "DMZ" DNS server that transfers the AD-integrated zone from the DC. My question is, will the clients be able to use this zone to find the PDC?

As for Challenge 2, I was referencing this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;309273

And for Challenge 3, the clients right now have EXTERNALnamespace.org as their primary DNS suffix. After the upgrade, will their suffix be changed to INTERNALnamespace.org?

Remember, I cannot manually change anything on the clients. Once they are connected to the PDC and are getting GPOs, I plan on enforcing a GPO setting to change their preferred DNS server to the DC, and then delete the zone transfer to the "DMZ" DNS server. What do you think? Thank you for your input.
Vincent Xu [MSFT]
Guest
Posted: Fri Sep 23, 2005 12:50 pm
Post subject: RE: NT to AD upgrade question (advanced)
Hi,

I do understand your situation. But let me be clear too.

In an NT4 domain, because it is not based on DNS, you can point the client anywhere; it doesn't matter. But an AD domain is based on DNS; without DNS, the AD domain won't work. That means the DNS must at least be compatible with AD. What's more, there are several disadvantages to using the DNS server in the DMZ:
1. Security: if the DNS is attacked from the Internet, the private data would be lost.
2. Reliability: if the DNS is down, the whole AD domain would not work.
3. Simplicity: you need to manually configure the DNS to make it compatible with AD.

So, what's your choice? The following passage, I think, may be helpful:

When you upgrade the primary domain controller in a Windows NT 4.0 domain (the primary domain controller must be upgraded first, before backup domain controllers), you will be offered several different options for the handling of DNS. If there is no DNS server available to work with Active Directory, you will be offered, by default, the option of installing DNS on the domain controller you are upgrading (formerly the primary domain controller).

Regarding your question, "My question is, will the clients be able to use this zone to find the PDC?": yes, the clients are able to find the DC.

Regarding your Challenge 1, there is no such GP to deploy the preferred DNS server, so you need to change it manually.

Regarding your Challenge 2, it is an exception and we may follow the KB article to fix it.

Regarding your Challenge 3, if you join a client to a domain, the client will append the domain name as its DNS suffix.

Let me know if you still have anything unclear.

Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
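Two things in this exchange can be checked against the zone copy itself: whether a client that only uses the DMZ secondary server can still locate a DC and a KDC through the transferred records (jkegley's question above), and what internal data that copy reveals (Vincent's security point). The following Python script is an added example, not code from the thread or from Microsoft: it parses a constructed BIND-style zone (names and addresses made up) as the DMZ server would hold it after the transfer, checks the DC locator SRV names and their A records, flags a delegated _msdcs zone, and lists the RFC 1918 addresses the copy exposes.

```python
"""Audit a copy of the AD DNS zone as a DMZ secondary server would hold it
after a zone transfer: can a client that only uses that server locate a DC and
a KDC, and which internal addresses does the copy expose?  Added example, not
from the thread; the zone is constructed (names and addresses made up, dc3
deliberately has no A record so one SRV target dangles)."""
import ipaddress

SAMPLE_ZONE = """\
$ORIGIN abc_company.local.
@                         IN SOA dc1 hostmaster (2005092201 900 600 86400 3600)
@                         IN NS  dc1
@                         IN A   10.1.0.5
dc1                       IN A   10.1.0.5
dc2                       IN A   10.1.0.6
_ldap._tcp.dc._msdcs      IN SRV 0 100 389  dc1
_ldap._tcp.dc._msdcs      IN SRV 0 100 389  dc2
_kerberos._tcp.dc._msdcs  IN SRV 0 100 88   dc1
_kerberos._tcp.dc._msdcs  IN SRV 0 100 88   dc3
_gc._tcp                  IN SRV 0 100 3268 dc1
www                       IN A   203.0.113.10
"""

# SRV names the Windows DC locator queries, relative to the AD domain name:
# an LDAP-capable DC and a Kerberos KDC for the domain.
LOCATOR_NAMES = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _fqdn(name, origin):
    # Expand '@', a relative name or an absolute (dot-terminated) name.
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".").lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Parse a minimal BIND-style zone ('owner IN TYPE rdata...' per line,
    one $ORIGIN) into (origin, [(owner_fqdn, TYPE, rdata_tuple), ...]).
    SRV targets are expanded to FQDNs; other rdata is kept as written."""
    origin, records = "", []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments/blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0], fields[2].upper(), fields[3:]
        if rtype == "SRV":                             # prio weight port target
            rdata = rdata[:3] + [_fqdn(rdata[3], origin)]
        records.append((_fqdn(owner, origin), rtype, tuple(rdata)))
    return origin, records


def dc_locator_check(origin, records):
    """For each locator SRV name, split its targets into those that resolve to
    an A record inside this zone copy and those that do not; a client that
    uses only this server cannot reach a DC whose name it cannot resolve."""
    a_names = {owner for owner, rtype, _ in records if rtype == "A"}
    report = {}
    for rel in LOCATOR_NAMES:
        name = f"{rel}.{origin}"
        targets = [rdata[3] for owner, rtype, rdata in records
                   if owner == name and rtype == "SRV"]
        report[name] = {
            "resolvable": sorted(t for t in targets if t in a_names),
            "dangling": sorted(t for t in targets if t not in a_names),
        }
    return report


def locator_usable(report):
    """True when every locator name has at least one resolvable DC target."""
    return all(entry["resolvable"] for entry in report.values())


def msdcs_delegated(origin, records):
    """True when _msdcs.<domain> is only a delegation (NS) here. Windows
    Server 2003 dcpromo creates _msdcs as a separate forest-wide zone, so a
    secondary copy of the domain zone alone then carries no locator records:
    the DMZ server would also need that zone, or to follow the delegation."""
    return any(owner == f"_msdcs.{origin}" and rtype == "NS"
               for owner, rtype, _ in records)


def private_exposure(records):
    """A records with RFC 1918 addresses: the internal data the DMZ server
    would reveal if it answered for this zone on its public interface."""
    leaks = []
    for owner, rtype, rdata in records:
        if rtype == "A" and any(ipaddress.ip_address(rdata[0]) in net
                                for net in RFC1918):
            leaks.append((owner, rdata[0]))
    return sorted(leaks)
```

Run `dc_locator_check` and `private_exposure` over a real transferred zone dump (for example the output of a zone transfer to a test host) before step 3 of the plan, and again after step 5 to confirm the DMZ copy is gone.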
jkegley
Guest
Posted: Fri Sep 23, 2005 4:51 pm
Post subject: RE: NT to AD upgrade question (advanced)
Hello, thank you for your comments. I think I understand that the clients will contact the AD DCs via WINS and broadcast, not DNS. I agree that the DNS server in the DMZ is not best practice, but that is what I have to work with.... I can change the DNS setting using a Group Policy. The setting is: Computer Configuration\Administrative Templates\Network\DNS Client\DNS Servers. I can also change the DNS suffix setting. Unfortunately, this will only apply to Windows XP, and not the 2000 workstations. I do not have the capability to visit each workstation.

I guess you have helped me validate that the clients will auto-"discover" the AD DCs, that the zone transfer to the DNS server that the clients are all pointing to will facilitate contact with AD, and that the DNS suffix will have to be GPO'd.

Thanks.
"Vincent Xu [MSFT]" wrote:
| Quote: | Hi,
I do understand your situation. But let me be clear too.
In a NT4 domain, because it is not based on DNS, you can point the client
to anywhere. It doesn't matter. But in an AD domain, it is based on the
DNS, without DNS, the AD domain won't work. That is mean the DNS must
compatible with AD at least. What's more, there is several disadvantages
when using the DNS server in DMZ:
1. Security: if the DNS is attached from the Internet, the private data
would be lost.
2. Reliability: If the DNS is down, all AD domain would not work.
3. Simpleness: You need to manually configure the DNS to make it compatible
with the AD.
So, what's your choice? The following sentence I think may helpful:
When you upgrade the primary domain controller in a Windows NT 4.0 domain
(the primary domain controller must be upgraded first, before backup domain
controllers), you will be offered several different options for the
handling of DNS. If there is no DNS server available to work with Active
Directory, you will be offered, by default, the option of installing DNS on
the domain controller you are upgrading (formerly the primary domain
controller).
Regarding your question:" My question is, will the clients be able to use
this zzone to find the PDC?" Yes, the clients are able to find the DC.
Regarding your challenge 1, there is no such gp to deploy preferred DNS
server, so you need to change it manually.
Regarding your challenge 2, it is a exception and we may follow the KB
article to fix it.
Regarding your challenge 3, If you join a client into a domain the client
will append the domain name as DNS suffix.
Let me know if you still have anything unclearly.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
--------------------
Thread-Topic: NT to AD upgrade question (advanced)
thread-index: AcW/fKvLYAL7SNkBRQ6oB/ft3YvuJQ==
X-WBNR-Posting-Host: 68.119.96.10
From: "=?Utf-8?B?amtlZ2xleQ==?=" <jkegley@discussions.microsoft.com
References: <87F4D622-EA67-4D2E-9271-E1A4E00A04BB@microsoft.com
PdXr9IzvFHA.1364@TK2MSFTNGXA01.phx.gbl
Subject: RE: NT to AD upgrade question (advanced)
Date: Thu, 22 Sep 2005 06:51:02 -0700
Lines: 174
Message-ID: <35528D1B-9DF8-454E-81DF-477CA3FDC47E@microsoft.com
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.windows.server.migration
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:12081
X-Tomcat-NG: microsoft.public.windows.server.migration
Let me be clear. The DNS Server that is in the DMZ, is multi homed. It
has
a public IP (nat'd) and a private IP. The clients in the network are
already
pointing to it. I cannot manually change the DNS setting on the clients.
I
cannot change DHCP as the clients are static. Once the clients are
connecting to AD, I can GPO that setting to get them to point to the DC
for
DNS.
I need to give the clients the ability to find a DC through DNS. I was
planning on doing this by setting up a zone on the "dmz" DNS server that
transfers the AD Integrated zone from the DC. My question is, will the
clients be able to use this zzone to find the PDC?
As for challenge 2, I was referencing this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;309273
and for Challenge 3, the clients right now have EXTERNALnamespace.org as
their primary DNS suffix. After the upgrade, will their suffix be
changed to
INTERNALnamespace.org?
Remember, I cannot manually change anything on the clients. Once they
are
connected to the PDC and are getting GPO's I plan on enforcing a GPO
setting
to change their prefered DNS server to the DC, and then delete the zone
transfer to the "DMZ" DNS server. What do you think? Thank you for your
in
put.
"Vincent Xu [MSFT]" wrote:
Hi,
I have 1 question at first: As you said "clients are static ip address
configuration and pointing to a single dns server in the DMZ for
external
name space resolution only" Is that mean all clients have public IP
address?
As we all know, in the external DNS server, we just make a partnership
of a
name and an IP. The name is for the guys in Internet who want to access
the
box. He tried to query the IP of the box with the name. The following
communication is pure IP to IP,nothing about the name. But in AD, DNS
is an
important part and is used for internal affair.
So, For your Challenge 1. If you want to transfer the internal DNS data
with external DNS server, you may do it. But That is nothing about the
"facilitate the access to the DC's from the clients" and You must set
the
prefered DNS settings with the internal DNS server. Either by DHCP
server
or Manually.
For your Challenge 2: The client sure will authenticate with the PDC.
It is
by design.
For your Challenge 3: As I said at first, the name in external DNS
server
is used for the guys in the Internet, not for the interal box. So the
clients DNS suffix should be abc_company.local as well. I'm not sure
why
you think the clients will still have just company.local as their suffix
So regarding the steps in you plan, my suggestions is:
We may needn't to create a secondary zone on external DNS server but we
must set the preffered DNS to the AD DNS at first.
I'd like to recommend you refer to following articles:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serv
erHelp/a03bfbdc-91ce-4519-ae96-c7623979838c.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepK
it/57076e10-0467-47df-96fb-9be16b7dce2f.mspx
Let me know if you have anything unclear, I'll try my best to be of
assistance.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
--------------------
Thread-Topic: NT to AD upgrade question (advanced)
thread-index: AcW+4DWSUFRiEwSvSZW2UCwjnaQwfA==
X-WBNR-Posting-Host: 68.119.96.10
From: "=?Utf-8?B?amtlZ2xleQ==?=" <jkegley@discussions.microsoft.com
Subject: NT to AD upgrade question (advanced)
Date: Wed, 21 Sep 2005 12:11:03 -0700
Lines: 51
Message-ID: <87F4D622-EA67-4D2E-9271-E1A4E00A04BB@microsoft.com
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.windows.server.migration
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:12056
X-Tomcat-NG: microsoft.public.windows.server.migration
I am designing an upgrade strategy for about 3000 users from a single NT 4
domain to a single Active Directory domain model. I have questions regarding
DNS suffix settings and DNS. I also have concerns about how to make sure the
clients will "connect" to the AD DC's instead of the BDC servers to get
policies. Here we go:
Clients: XP Pro and 2k3 Pro
Clients are static IP address configuration and pointing to a single DNS
server in the DMZ for external name space resolution only. They are using
NetBIOS and WINS for internal resolution.
Challenge 1: Clients are statically defined to point to the external DNS
server.
Solution 1: When upgrading the PDC, create the AD DNS zone on the DC, and
have it zone transfer to the external DNS server. Will this facilitate the
access to the DC's from the clients? If so, then after the clients are
connecting to AD, I can GPO the preferred DNS setting.
Challenge 2: How do I make sure XP and 2k3 clients WILL authenticate and
receive Kerberos (encrypted connection) to the Active Directory, rather than
the BDC?
Solution 2: ???
Challenge 3: All of the clients are configured with the external name space
for their DNS primary suffix. This namespace is company.org, but the NetBIOS
NT4 domain name is abc_company. This means that once I upgrade the PDC and
perform dcpromo, I will make the AD DNS zone abc_company.local, but the
clients will still have just company.local as their suffix.
Solution 3: Is this a problem? Will it affect the clients' connection to AD
after the PDC is upgraded?
Here are my initial steps:
1. Take BDC offline
2. Upgrade PDC to AD
3. Create secondary zone on external DNS server (clients are statically
configured to use this DNS server) and perform a zone transfer from the AD
server's zone
4. After validating that clients are getting Kerberos tickets and connecting
to AD, GPO the preferred DNS server to be the AD server(s).
5. Secure AD zone and delete secondary zone on DMZ DNS server. Set AD
server to forward to DMZ DNS server.
6. Upgrade additional BDC's and demote from AD.
Please reply with questions, or solutions to my challenges. Please reply
with validation of my solutions that I have included. Thanks!
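The question the post above turns on (whether clients that point at the DMZ DNS server can locate the upgraded DC, step 3 and step 4 of the plan) comes down to the DC locator SRV records that dcpromo registers under _msdcs. What follows is an added example, not code from the thread or from Microsoft: a Python script that builds the SRV query a Windows client sends for _ldap._tcp.dc._msdcs.<domain>, parses the reply (including DNS name compression), and orders the returned DCs by priority and weight. The domain abc_company.local is the name the poster planned to use; the DC names dc1 and dc2 and the reply packet are constructed so the script runs offline. Passing a server address to query_srv turns it into a live check against the DMZ secondary zone before step 4.

```python
import socket
import struct

# Assumption for the offline run: the AD DNS domain name the poster planned to use.
DOMAIN = "abc_company.local"
SRV = 33  # DNS RR type for SRV records


def locator_names(domain):
    """SRV names the Windows DC locator queries for a domain-wide DC (LDAP and KDC)."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
    ]


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard recursive query (RFC 1035 header + one question) for an SRV record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", SRV, 1)  # QCLASS IN


def read_name(packet, offset):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_srv_response(packet):
    """Return (rcode, [(priority, weight, port, target), ...]) from the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = read_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            priority, weight, port = struct.unpack("!HHH", packet[offset:offset + 6])
            target, _ = read_name(packet, offset + 6)
            answers.append((priority, weight, port, target))
        offset += rdlength
    return flags & 0x0F, answers


def dc_candidates(answers):
    """Order targets as a client would: lowest priority first, then higher weight
    (real clients pick randomly within a priority level in proportion to weight)."""
    return [t for _, _, _, t in sorted(answers, key=lambda a: (a[0], -a[1]))]


def build_srv_response(query, records, rcode=0, ttl=600):
    """Constructed reply to `query`: same txid and question, one SRV RR per record.
    Uses a compression pointer (0xC00C) to the question name, as real servers do."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    answers = b""
    for priority, weight, port, target in records:
        rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
        answers += b"\xC0\x0C" + struct.pack("!HHIH", SRV, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


def query_srv(name, server, timeout=3.0):
    """Live check: send the query over UDP/53 to `server` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return reply


if __name__ == "__main__":
    # Offline demonstration with a constructed reply (dc1/dc2 are invented names).
    name = locator_names(DOMAIN)[0]
    reply = build_srv_response(build_srv_query(name), [
        (0, 100, 389, f"dc1.{DOMAIN}"), (10, 50, 389, f"dc2.{DOMAIN}")])
    rcode, answers = parse_srv_response(reply)
    print(name, "->", "NXDOMAIN" if rcode == 3 else dc_candidates(answers))
    # Against the DMZ secondary zone: parse_srv_response(query_srv(name, "10.0.0.53"))
```

If these names return NXDOMAIN or an empty answer from the server the clients actually point at, the locator falls back to NetBIOS discovery, where an NT 4 BDC is an equally valid answer and that logon will not be Kerberos. The same records are also exactly what a zone transfer of the AD zone hands to anyone who can query the DMZ server (every DC name and address), which is the reason step 5 of the plan removes the secondary zone again.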
Vincent Xu [MSFT]
Guest
|
Posted:
Mon Sep 26, 2005 8:51 am Post subject:
RE: NT to AD upgrade question (advanced) |
|
|
Hi,
I'm glad to hear that my info helps.
If you have other concerns or questions, please feel free to let me know.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
--------------------
From: jkegley <jkegley@discussions.microsoft.com>
Subject: RE: NT to AD upgrade question (advanced)
Date: Fri, 23 Sep 2005 09:17:01 -0700
Hello, thank you for your comments. I think I understand that the clients
will contact the AD DC's via WINS and broadcast, not DNS. I agree that the
DNS server in the DMZ is not best practice, but that is what I have to work
with.... I can change the DNS setting using a Group Policy. The setting is:
Computer Configuration\Administrative Templates\Network\DNS Client\DNS
Servers settings
I can also change the DNS suffix setting.
Unfortunately, this will only apply to Windows XP, and not the 2000
workstations.
I do not have the capability to visit each workstation.
I guess you have helped me validate that the clients will auto "discover"
the AD DC's, and that the zone transfer to the DNS server that the clients
are all pointing to will facilitate the contact of AD, and that the DNS
suffix will have to be GPO'd.
Thanks.
"Vincent Xu [MSFT]" wrote:
Hi,
I do understand your situation. But let me be clear too.
In an NT4 domain, because it is not based on DNS, you can point the client
anywhere. It doesn't matter. But an AD domain is based on DNS; without DNS,
the AD domain won't work. That means the DNS must at least be compatible
with AD. What's more, there are several disadvantages to using the DNS
server in the DMZ:
1. Security: if the DNS is attacked from the Internet, the private data
would be lost.
2. Reliability: if the DNS is down, the whole AD domain would not work.
3. Simplicity: you need to manually configure the DNS to make it compatible
with AD.
So, what's your choice? The following sentence I think may be helpful:
When you upgrade the primary domain controller in a Windows NT 4.0 domain
(the primary domain controller must be upgraded first, before backup domain
controllers), you will be offered several different options for the
handling of DNS. If there is no DNS server available to work with Active
Directory, you will be offered, by default, the option of installing DNS on
the domain controller you are upgrading (formerly the primary domain
controller).
Regarding your question "My question is, will the clients be able to use
this zone to find the PDC?": yes, the clients are able to find the DC.
Regarding your challenge 1, there is no such GP to deploy the preferred DNS
server, so you need to change it manually.
Regarding your challenge 2, it is an exception and we may follow the KB
article to fix it.
Regarding your challenge 3, if you join a client into a domain the client
will append the domain name as DNS suffix.
Let me know if you still have anything unclear.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
--------------------
From: jkegley <jkegley@discussions.microsoft.com>
Subject: RE: NT to AD upgrade question (advanced)
Date: Thu, 22 Sep 2005 06:51:02 -0700
Let me be clear. The DNS server that is in the DMZ is multi-homed. It has
a public IP (NAT'd) and a private IP. The clients in the network are already
pointing to it. I cannot manually change the DNS setting on the clients. I
cannot change DHCP as the clients are static. Once the clients are
connecting to AD, I can GPO that setting to get them to point to the DC for
DNS.
I need to give the clients the ability to find a DC through DNS. I was
planning on doing this by setting up a zone on the "DMZ" DNS server that
transfers the AD-integrated zone from the DC. My question is, will the
clients be able to use this zone to find the PDC?
As for challenge 2, I was referencing this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;309273
and for challenge 3, the clients right now have EXTERNALnamespace.org as
their primary DNS suffix. After the upgrade, will their suffix be changed to
INTERNALnamespace.org?
Remember, I cannot manually change anything on the clients. Once they are
connected to the PDC and are getting GPO's, I plan on enforcing a GPO setting
to change their preferred DNS server to the DC, and then delete the zone
transfer to the "DMZ" DNS server. What do you think? Thank you for your
input.
"Vincent Xu [MSFT]" wrote:
Hi,
I have 1 question at first: as you said "clients are static ip address
configuration and pointing to a single dns server in the DMZ for external
name space resolution only", does that mean all clients have public IP
addresses?
As we all know, in the external DNS server, we just make a partnership of a
name and an IP. The name is for the guys on the Internet who want to access
the box. They try to query the IP of the box with the name. The following
communication is pure IP to IP, nothing about the name. But in AD, DNS is an
important part and is used for internal affairs.
So, for your Challenge 1: if you want to transfer the internal DNS data to
the external DNS server, you may do it. But that has nothing to do with
"facilitate the access to the DC's from the clients", and you must set the
preferred DNS settings to the internal DNS server, either by DHCP server or
manually.
For your Challenge 2: the client sure will authenticate with the PDC. It is
by design.
For your Challenge 3: as I said at first, the name in the external DNS
server is used for the guys on the Internet, not for the internal box. So
the clients' DNS suffix should be abc_company.local as well. I'm not sure
why you think the clients will still have just company.local as their
suffix.
So regarding the steps in your plan, my suggestion is:
We may not need to create a secondary zone on the external DNS server, but
we must set the preferred DNS to the AD DNS first.
I'd like to recommend you refer to the following articles:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a03bfbdc-91ce-4519-ae96-c7623979838c.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/57076e10-0467-47df-96fb-9be16b7dce2f.mspx
Let me know if you have anything unclear, I'll try my best to be of
assistance.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
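Step 4 of the plan quoted in the thread above ("validate that clients are getting kerb tickets") can be checked from the DC's side rather than per workstation, which matters here because jkegley cannot touch each client. The following is an added example, not code from the thread or from Microsoft: a Python script that reads Windows Server 2003-style "Successful Network Logon" (event 540) entries from the upgraded DC's Security log, keys each logon by workstation and authentication package, and splits an expected client list into hosts seen with Kerberos, hosts seen only with NTLM, and hosts not seen at all. The event lines, host names and addresses are constructed; the field names mirror the 2003 event text, but a real export puts them on separate lines, so the record splitting in parse_logons is the part to adapt.

```python
import re
from collections import defaultdict

# Constructed sample, NOT real log data: records in the shape of the Windows
# Server 2003 "Successful Network Logon" (event 540) audit text, one per line.
# Field names mirror the 2003 event description; every value is invented.
SAMPLE_EVENTS = """\
540 Successful Network Logon: User Name: jdoe Domain: ABC_COMPANY Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: WS0412 Source Network Address: 10.1.4.12
540 Successful Network Logon: User Name: msmith Domain: ABC_COMPANY Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WS0417 Source Network Address: 10.1.4.17
540 Successful Network Logon: User Name: jdoe Domain: ABC_COMPANY Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: ws0412 Source Network Address: 10.1.4.12
540 Successful Network Logon: User Name: rlee Domain: ABC_COMPANY Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: WS0420 Source Network Address: 10.1.4.20
672 Authentication Ticket Granted: User Name: rlee Supplied Realm Name: ABC_COMPANY.LOCAL Client Address: 10.1.4.20
"""

# One event 540 record per line; capture the package and the workstation that used it.
LOGON = re.compile(
    r"^540\b.*?Authentication Package:\s*(?P<pkg>\S+).*?Workstation Name:\s*(?P<ws>\S+)")


def parse_logons(text):
    """Yield (WORKSTATION, PACKAGE) for each event 540 line carrying both fields.
    Other event IDs (e.g. 672, a Kerberos AS ticket) are ignored by this regex."""
    for line in text.splitlines():
        m = LOGON.search(line)
        if m:
            yield m.group("ws").upper(), m.group("pkg").upper()


def classify_clients(text, expected_hosts):
    """Split the expected client list into three sorted buckets:
    kerberos  - seen at least once with Authentication Package Kerberos
    ntlm_only - seen, but never with Kerberos (candidate for still binding to the
                BDC, or unable to resolve the DC's SRV records)
    unseen    - no network logon on this DC at all (a client that only ever talks
                to the NT 4 BDC never appears in the AD DC's log)"""
    seen = defaultdict(set)
    for ws, pkg in parse_logons(text):
        seen[ws].add(pkg)
    expected = {h.upper() for h in expected_hosts}
    kerberos = sorted(h for h in expected if "KERBEROS" in seen.get(h, set()))
    ntlm_only = sorted(h for h in expected if h in seen and "KERBEROS" not in seen[h])
    unseen = sorted(expected - set(seen))
    return kerberos, ntlm_only, unseen


if __name__ == "__main__":
    # Invented inventory of the clients that should have moved to AD.
    inventory = ["ws0412", "ws0417", "ws0420", "ws0501"]
    kerb, ntlm, missing = classify_clients(SAMPLE_EVENTS, inventory)
    print("Kerberos:", kerb)
    print("NTLM only:", ntlm)
    print("Not seen on this DC:", missing)
```

A single NTLM event on a host that also shows Kerberos (WS0412 in the sample) is normal, for instance a share opened by IP address, and is not counted against it; the hosts worth chasing are the NTLM-only and unseen ones, checked against the DNS SRV lookup from the server they actually point at before changing anything with the GPO.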