Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

DC/DNS Move to New VLAN/Subnet

Posted on 2009-05-05
2
Medium Priority
?
1,537 Views
Last Modified: 2012-05-06
Due to security considerations, we have created a "management" VLAN to which key systems and services (e.g. WSUS, antivirus central control, DCs, DNS services) will be moved from their current VLAN subnet to the new management VLAN/subnet. (All machines in the DMZ run in their own AD domain.) We need to move the two DCs/DNS servers to this new VLAN. The IP addresses, of course, will have to change and any machine pointing statically to the DNS servers will have to have those IP addresses changed. (We have already configured the VLAN to allow/route the needed traffic between the two VLANs.)

One of our techs seems to think it is as simple as changing the DNS/DC IP address (subnet is the same) to the new subnet/vlan IP addresses reserved for this purpose for both DC/DNS machines and then changing the other DMZ machines' DNS entries.

Having never done this before, I'm not so sure it is that simple. I'd rather be sure the process is done such that we don't lose the DNS resolution or screw-up AD.

If you have experience doing this and can give us the steps along with appropriate testing ideas or can point us to an appropriate KB article that relates to this, your help would be greatly appreciated.

Many thanks in advance for your help with this!
0
Comment
Question by:richlich
2 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 750 total points
ID: 24307278
As long as all the clients that point to this server have been updated (static clients, DHCP clients, applications, etc) you should be ok.
This article may also help
http://technet.microsoft.com/en-us/library/cc758579.aspx
Change the static IP address of a domain controller
At the end of that the dcdiag /fix will reigister the new IP address for this records in DNS for the DC.  (restarting netlogon does it too)
Thanks
Mike
0
 
LVL 3

Assisted Solution

by:ISWSIMBX
ISWSIMBX earned 750 total points
ID: 24307281
I recently had to move a DC to a new subnet.  Couple of things you need to make sure of:

1)  Ensure that the new subnet objects exist in AD Sites & Services and is associated with the correct site.
2)  Once the DC is moved, verify that all other domain controllers can resolve the new name/ip address to ensure there are no replication problems.

DNS is really the key to the whole situation as AD heavily relies on it.

Here is a good blog post on changing IP's on a domain controller:

http://www.totalnetsolutions.net/2007/07/29/how-to-change-a-domain-controller-ip/
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question