Solved

DC/DNS Move to New VLAN/Subnet

Posted on 2009-05-05
Last Modified: 2012-05-06
Due to security considerations, we have created a "management" VLAN to which key systems and services (e.g. WSUS, antivirus central control, DCs, DNS services) will be moved from their current VLAN subnet to the new management VLAN/subnet. (All machines in the DMZ run in their own AD domain.) We need to move the two DCs/DNS servers to this new VLAN. The IP addresses, of course, will have to change and any machine pointing statically to the DNS servers will have to have those IP addresses changed. (We have already configured the VLAN to allow/route the needed traffic between the two VLANs.)

One of our techs seems to think it is as simple as changing the DNS/DC IP address (subnet is the same) to the new subnet/vlan IP addresses reserved for this purpose for both DC/DNS machines and then changing the other DMZ machines' DNS entries.

Having never done this before, I'm not so sure it is that simple. I'd rather be sure the process is done such that we don't lose the DNS resolution or screw up AD.

If you have experience doing this and can give us the steps along with appropriate testing ideas or can point us to an appropriate KB article that relates to this, your help would be greatly appreciated.

Many thanks in advance for your help with this!
Question by:richlich
2 Comments
 

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24307278
As long as all the clients that point to this server have been updated (static clients, DHCP clients, applications, etc.) you should be OK.
This article may also help:
http://technet.microsoft.com/en-us/library/cc758579.aspx
Change the static IP address of a domain controller
At the end of that, the dcdiag /fix will register the new IP address for these records in DNS for the DC. (Restarting netlogon does it too.)
Thanks
Mike

Assisted Solution

by:ISWSIMBX
ISWSIMBX earned 250 total points
ID: 24307281
I recently had to move a DC to a new subnet.  Couple of things you need to make sure of:

1)  Ensure that the new subnet object exists in AD Sites & Services and is associated with the correct site.
2)  Once the DC is moved, verify that all other domain controllers can resolve the new name/IP address to ensure there are no replication problems.

DNS is really the key to the whole situation as AD heavily relies on it.

Here is a good blog post on changing IPs on a domain controller:

http://www.totalnetsolutions.net/2007/07/29/how-to-change-a-domain-controller-ip/
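
The checks described in the two answers above (the subnet object in AD Sites & Services, the DC's re-registered DNS records, and resolution of the new address from every other DC) can be scripted after the move. The following PowerShell is an added example, not part of either answer; it assumes the ActiveDirectory module and `Resolve-DnsName` are available and that every DC also runs DNS, and all names and addresses in it are constructed placeholders.

```powershell
# Added example, not from the thread. All values below are constructed placeholders.
Import-Module ActiveDirectory   # assumes the RSAT AD module; Resolve-DnsName needs Windows 8 / Server 2012+

$MovedDc      = 'dc01.dmz.example.test'    # FQDN of the DC that was re-addressed
$NewIp        = '10.20.30.11'              # its address on the management VLAN
$OldIp        = '10.10.10.11'              # its previous address
$NewSubnet    = '10.20.30.0/24'            # subnet object name in AD Sites & Services
$ExpectedSite = 'Default-First-Site-Name'  # site the subnet should be associated with
$problems     = @()

# 1) The subnet object must exist and be associated with the intended site.
$subnet = Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'"
if (-not $subnet) {
    $problems += "Subnet object $NewSubnet is missing from AD Sites & Services"
} elseif ($subnet.Site -notlike "CN=$ExpectedSite,*") {
    $problems += "Subnet $NewSubnet is associated with '$($subnet.Site)', expected $ExpectedSite"
}

# 2) Ask each DC's own DNS service for the records that carry the DC's address:
#    its host (A) record and the domain-name (A) record that Netlogon registers.
$domain = (Get-ADDomain).DNSRoot
foreach ($dc in (Get-ADDomainController -Filter *)) {
    foreach ($name in @($MovedDc, $domain)) {
        $ips = @(Resolve-DnsName -Name $name -Type A -Server $dc.HostName -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($ips -notcontains $NewIp) { $problems += "$($dc.HostName): $name does not resolve to $NewIp" }
        if ($ips -contains $OldIp)    { $problems += "$($dc.HostName): $name still returns stale $OldIp" }
    }
}

# 3) Report what was found.
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "Subnet mapping and DNS records for $MovedDc are consistent on all DCs." }

# Replication health across DCs, using the built-in tool.
repadmin /replsummary
```

A stale-address warning means the old A record is still present on that DNS server and should be cleared before static clients are repointed.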