
NT4 to W2003 Upgrade Issues with DNS


I am looking at updating our NT4 domain to W2003 AD. I've tested doing an in-place upgrade of an NT4 PDC to W2003. Then what I want to do (as I hate relying on in-place upgrades) is build a fresh W2003 server, promote to DC, move all the FSMO roles over and then trash the original upgraded DC from NT4. Finally I plan to introduce at least one more W2003 DC as a backup and probably set it up as Global Catalog in addition to the first one. Both DCs would also host DNS integrated into AD and ultimately I plan to upgrade our Exchange 5.5 to Exchange 2003, once the AD network has settled down and is stable.

I have done parts of this but one thing puzzles me. Although the first in-place upgrade prompts to install a DNS server as first in site and sets up integration with AD, how do I do the same with the next (and ultimately primary) server? When I run dcpromo from the command line (or the AD wizard - I assume it amounts to the same thing), neither prompts to install and integrate DNS with AD. All the help I read says make sure you integrate DNS with AD but no-one explains how that is meant to happen - do you simply install DNS before running dcpromo and the integration is done silently, or afterwards and it just does it? Or are you supposed to install DNS in a specific way or run dcpromo in a specific way?

I hope someone can enlighten me. Also, any gotchas/hints on the whole upgrade process where Exchange 5.5 and Citrix SP3/FR3 on W2K servers are in the domain would be handy.


2 Solutions
I will first address your question about installing dns on the server that will be new from scratch.  It is your choice if you want to install dns before or during the dcpromo.  Either way, the dcpromo will configure the AD integrated zone you are asking about.  The only difference is that if dns is not already installed when you run dcpromo, you will get a prompt during the dcpromo asking you to make a choice of one of three items; I recommend selecting "install dns and configure it for me".  You can always set up an AD integrated zone in dns by simply right clicking on forward lookup zones, typing in the name of your local domain and selecting active directory integrated zone.
When you bring the first ad server up in the domain, it has to be pointed to itself for dns so that the srv records are created.  I have always been told that you should make any server with active directory point to itself for dns, but I was on a Microsoft call the other day, and they recommended that the primary server holding the fsmo roles be pointed to itself, then the other ad server point to this server for dns.
ajmcqueen (Author) commented:
I know what you mean about the prompt about installing DNS when running dcpromo but what I meant to say (and obviously didn't clearly enough) was that I got this prompt with the first in-place upgrade but not the second new-build DC when I was running some installation tests. I think this must be because the second DC already had a TCP/IP DNS entry pointed at the first before I ran dcpromo. It needed this DNS entry to join the domain and then I think this suppressed the option for installing DNS via dcpromo. I thought this at the time and removed the DC role, removed the DNS entry and then ran dcpromo again but it still didn't prompt to install DNS. I think this may have been because it had cached the DNS link even though I had removed it. To be honest I have installed and removed both a DNS server and added and removed the DC role a few times to try and get the DNS prompt without luck. Probably the server (and AD as a whole) is now completely confused, which just means I'll go back to my original disk images and start testing again!

Keen to hear if you agree with my ideas of why I didn't see the DNS install prompt within dcpromo.

Also, from what you said above, if a local DNS server is already installed before running dcpromo it does the AD integration anyway - is that right?
Finally, I too have heard that any additional DCs should point to the fsmo server for DNS. However, are they saying that only one server should have DNS installed? We currently have both an ADSL line and a leased line out to the internet through different ISPs in our NT4 domain. There are two internal DNS servers, one uses external DNS servers on the ADSL and the other uses those on the leased line. All internal clients have both local DNS servers in their TCP/IP setups for redundancy. I was hoping to do the same in AD - is this a bad idea?

In the first part, you said you removed the dns entry.  Do you mean you deleted the forward lookup zone, or you went in and actually uninstalled dns?  The only time you will get the prompt is when the dns server is not installed on the machine.  dcpromo does not care if the dns server is set up or not as it will do the setup itself.

So, yes, if dns is already installed, the dcpromo will automatically configure the dns.  You DO have to have dns installed on all AD directory computers as this is a requirement.

Windows 2000 and 2003 basically revolve around the active directory integrated zones.  As stated above, the proper srv records need to be created for the entire network to communicate properly (those get created by pointing the active directory server to itself for dns).  Thus your dns setup should be this.

Server 1 (with ad)- has to point to itself
Server 2 (with ad)- can point to itself, but ms recommends pointing it to server 1
Clients wks - primary dns should point to server 1 and secondary dns should point to server 2

Here's a link to a good summary of srv records...

I never have any of my internal machines (server or otherwise) point outside for dns.  With NT, you had WINS to communicate inside and dns to communicate outside.  Now that WINS is obsolete (only needed if there are NT 4.0 or earlier network OSes) windows 2000 and 2003 use dns for internal and external name resolution.
Chris Dent (PowerShell Developer) commented:

Having DNS installed on all domain controllers is not a requirement. DCPromo will check that a DNS service is available somewhere, either on the local machine or on the existing network; if it finds one then it won't make it a requirement to install another. You can still install the DNS service, before or after the server is promoted, and set it up with an AD Integrated zone inside DNS Manager. So, it is correct to say that AD is heavily reliant on DNS, but this doesn't necessarily mean reliant on AD Integrated zones; to know why it's probably best to briefly explain what the zone types are (history is fun).

The traditional two zone types are Master (Primary) and Slave (Secondary), Master is in effect a writable zone - new entries can be added to it, there should be only one master. Slave is Read Only, and you can have lots of slaves. The introduction of AD Integrated zones moves away from the old Master / Slave model by allowing Multiple Masters - since the zone file is stored and Replicated between servers using Active Directory you can write to any available server and they will quickly sort out who knows what.

The ability to do this is especially important with Active Directory - all AD services, such as the location of Authentication Servers, are stored in DNS as a Service Record (the records under _msdcs). These records aren't particularly pleasant reading for us, and maintaining them manually is painful, so DNS is normally set to accept Dynamic Updates - the ability of a client to automatically add entries to a DNS.

With the old DNS model (one Master, lots of Slaves) this means there's a lot of responsibility for one server, and a bit of a problem if that one server does something wrong - an obvious single point of failure. So the Multiple-Master model came along with replication of DNS data going on through AD, along with all the user accounts and other bits and pieces, instead of each Slave DNS transferring from one Master. This makes for a much neater system and allows a much more even spread of work.

Basically... instead of your zone files being stored in %systemroot%\system32\dns they get stored in AD - you can see them if you load AD Users and Computers and turn on the Advanced Features, they hide under System and MicrosoftDNS.

Hope that all makes sense.
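A check for the three things the answers above hinge on (where each DC's TCP/IP stack points for DNS, whether the _msdcs locator SRV records were actually registered, and whether the domain zone is AD integrated and restricted to secure dynamic updates). This is an added example, not code from the thread or from any of the posters; it assumes a DC recent enough to carry the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later, so not the W2003 box in the question, where `nslookup -type=SRV` and `dnscmd /zoneinfo` give the same information), and `$DomainName` is an assumed parameter defaulting to the machine's own domain.

```powershell
# Added verification script (not from the original thread).
# Assumes the DnsClient and DnsServer modules; $DomainName is a placeholder
# that defaults to the domain this machine is joined to.
param([string]$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain)

# 1. Where does this DC send its own DNS queries?
#    Per the thread: the FSMO holder lists itself, other DCs list the
#    FSMO holder first. Anything pointing at an ISP resolver is a finding.
"== DNS client settings on $env:COMPUTERNAME =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Did netlogon's dynamic update register the DC-locator SRV records?
#    A DC whose DNS pointer was wrong at promotion time will be MISSING here.
"== DC locator SRV records under _msdcs.$DomainName =="
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$DomainName",
    "_kerberos._tcp.dc._msdcs.$DomainName",
    "_ldap._tcp.gc._msdcs.$DomainName"     # only present once a GC exists
)
foreach ($name in $srvNames) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        $targets = ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        "OK      $name -> $targets"
    } catch {
        "MISSING $name"
    }
}

# 3. Zone storage and update policy. IsDsIntegrated=True means the zone
#    lives in AD (multi-master, replicated with the directory) rather than
#    as a file in %systemroot%\system32\dns. DynamicUpdate should be
#    'Secure' on an AD integrated zone so only authenticated machines can
#    register or overwrite records.
"== Zone $DomainName =="
$zone = Get-DnsServerZone -Name $DomainName -ErrorAction Stop
$zone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
if ($zone.IsDsIntegrated -and $zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $DomainName accepts unauthenticated dynamic updates; set it to Secure."
}
```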
