Demoting a Windows 2003 Server DC with DNS

I need to demote a Windows 2003 DC, but I have a Forward Lookup Zone CNAME record in DNS that was created on the 2003 DC I want to demote, and I want to make sure I don't lose it on my other 2008 R2 DC. The two DCs (2003 and 2008 R2) are replicating fine, and I need that forward lookup zone CNAME record (created on the 2003 DC) for Google SafeSearch to work. Google's directions don't work on 2008 R2, so I NEED that forward lookup zone CNAME record to stay on the 2008 R2 DC.

I wish I could just keep the 2003 DC running, but I'm installing a firewall/web filter which reads AD groups on all DCs and the agent won't install on the 2003 server so I have to demote it or the people who are authenticated on the domain by the 2003 DC won't be seen by the web filter and given the privileges to certain websites. I'm at a high school and the teachers need to be able to get to youtube, facebook, etc... while I need to block the students from more of the internet.

So, in the end I just want to demote the 2003 DC to a member server, but I want to make sure I don't lose that Forward Lookup Zone cname record on the 2008R2 DC once I demote the 2003 DC. Is there something I can do on the 2008R2 server to ensure it stays? Or, am I good now so I can just demote?

Kevinhsieh commented:

Do you see the record on the 2008 R2 DNS servers? If you do, you should be fine. You can also run nslookup against the 2008 R2 servers and see if you get the same results as you do when using the 2003 server.

Krzysztof Pytko, Senior Active Directory Engineer, commented:

You may wish to follow an article on my blog for that at

As for CNAME DNS records, they won't be removed. When you decommission the 2003 DC, the DNS zones are removed from that server's DNS because it is no longer a DC, and AD-integrated zones can only be stored on DCs with the DNS role installed. But CNAME records are not deleted; they remain in use like any other DNS records. DNS cleans up only the DC-related DNS records. If you remove the DNS server role from that 2003 box, you will see that its NS record disappears, and when you permanently remove the server you can simply delete the A (host) records for that server.

jim34 (Author) commented:
Just to clarify from iSiek's comment: "If you will remove DNS server role from that 2003 box you will see that NS record will disappear and when you premanently remove server, you can simply delete A (host) records for that server" - I think you mean the nameserver record which doesn't have anything to do with the forward lookup zone cname record, correct? I just want to make sure that forward lookup zone cname record doesn't disappear.

My plan when I get to work Monday morning will be to do the steps in iSiek's link (thanks for that) to demote the server to a member server. Then I'll remove the dns service from the 2003 server.

My understanding is that the cname record for the forward lookup zone I can't create on the 2008r2 server will still be on my 2008r2 machine. I just want to make absolutely sure, because I can't have it disappear on my 2008r2 machine or I'll just have to make the 2003 server (which will allow me to create the cname record for the forward lookup zone) a DC with DNS again. Kevinhsieh seems pretty clear I can do this if I see the record on my 2008r2 machine, which I can. I will test to make sure I can do an nslookup to the 2008r2 machine and get the proper response, but I have before and it has responded correctly.

On a side note: is there any way to back up just a forward lookup zone on a 2008 R2 machine, so if I did lose it I could always just restore the backup instead of having to recreate that individual forward lookup zone by adding the 2003 server as a DC with DNS just to create it again and replicate it to the 2008 R2 server?

Thanks for your help.
Krzysztof Pytko, Senior Active Directory Engineer, commented:
OK, yes, the NS record relates only to the Name Server (DNS server). It tells your AD environment which servers in the domain play the DNS server role. That's correct, the NS record has nothing in common with the Forward Lookup zone/Reverse Lookup zone.

Normally, when you do not delete the DNS zone but only remove the DNS role from a server, all records are untouched in the DNS database because they are still used by other DNS servers (the DNS zone is still in use). But as Kevin said, please ensure that the 2008 R2 DNS Management console also sees that CNAME (it should, without any problem).

Yes, the CNAME will still be hosted in your DNS zone even if 2008 R2 doesn't allow you to create it. The record already exists and DNS will use it, but you would not be able to create new ones of that kind.

The only good way of doing a DNS backup is a regular System State backup of each DC. In case it fails, you can do an authoritative restore for the DNS server (it's all about AD backup strategy).
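As an added worked example (not part of the thread, and not code from either commenter), the following PowerShell script ties together Kevinhsieh's check (does the 2008 R2 DNS server hold the CNAME and answer for it?) and the author's backup question. It is meant to be run on the 2008 R2 DC before the 2003 box is demoted. The names DC2008, DC2003, the zone google.com, the node www and the target forcesafesearch.google.com are assumed placeholders; adjust them to the real zone layout. It uses dnscmd and nslookup because those are the tools that ship with 2008 R2 (the DnsServer PowerShell module does not exist on that version). The zone export at the end is a lightweight text-file supplement to the System State backup recommended above, not a replacement for it.

```powershell
# Added example, not from the original thread. All names below are assumed placeholders.
$NewDc  = 'DC2008'                       # the 2008 R2 DC that must keep the record
$OldDc  = 'DC2003'                       # the 2003 DC about to be demoted
$Zone   = 'google.com'                   # forward lookup zone that holds the CNAME (assumed)
$Node   = 'www'                          # CNAME host name inside that zone (assumed)
$Expect = 'forcesafesearch.google.com'   # CNAME target you expect (assumed)

# 1. Confirm the record exists in the zone copy held by the 2008 R2 DC.
#    dnscmd is installed with the DNS Server role (or RSAT) on 2008 R2.
dnscmd $NewDc /EnumRecords $Zone $Node /Type CNAME

# 2. Resolve the name against a specific DNS server and pull out the canonical name,
#    so the two DCs can be compared instead of trusting the client's configured resolver.
function Get-CnameTarget {
    param([string]$Server, [string]$Name)
    $out = nslookup -type=CNAME $Name $Server 2>&1
    foreach ($line in $out) {
        # Windows nslookup prints "<name>  canonical name = <target>" for a CNAME answer
        if ($line -match 'canonical name\s*=\s*(\S+)') { return $Matches[1].TrimEnd('.') }
    }
    return $null
}

$fqdn = "$Node.$Zone"
$new  = Get-CnameTarget -Server $NewDc -Name $fqdn
$old  = Get-CnameTarget -Server $OldDc -Name $fqdn

if ($new -ne $Expect) {
    Write-Warning "$NewDc does not return the expected target for $fqdn (got '$new'). Do not demote yet."
} elseif ($new -ne $old) {
    Write-Warning "DCs disagree for ${fqdn}: $OldDc='$old' $NewDc='$new'. Check replication before demoting."
} else {
    "OK: both DCs answer $fqdn -> $new"
}

# 3. Export a plain-text copy of the zone from the 2008 R2 DC before touching the 2003 box.
#    The file is written to %SystemRoot%\System32\dns on $NewDc and can be inspected or
#    re-imported by hand if the record ever disappears.
dnscmd $NewDc /ZoneExport $Zone "$Zone.backup.txt"
```

Run step 2 once against each DC before the demotion and once more afterwards; if the 2008 R2 answer is unchanged, the record survived. Keep the exported zone file somewhere other than the DC itself.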
