jim34

asked on

Demoting a Windows 2003 Server DC with DNS

I need to demote a Windows 2003 DC, but I have a Forward Lookup Zone cname record in the DNS that was created on the 2003 DC that I want to demote and I want to make sure I don't lose it on my other 2008R2 DC. The 2 DCs (2003 and 2008R2) are replicating fine and I need that forward lookup zone cname record (created on the 2003 DC) for Google Safe Search to work and Google's directions don't work on 2008R2, so I NEED that forward lookup zone cname record to stay on the 2008R2 DC.

I wish I could just keep the 2003 DC running, but I'm installing a firewall/web filter which reads AD groups on all DCs and the agent won't install on the 2003 server so I have to demote it or the people who are authenticated on the domain by the 2003 DC won't be seen by the web filter and given the privileges to certain websites. I'm at a high school and the teachers need to be able to get to youtube, facebook, etc. while I need to block the students from more of the internet.

So, in the end I just want to demote the 2003 DC to a member server, but I want to make sure I don't lose that Forward Lookup Zone cname record on the 2008R2 DC once I demote the 2003 DC. Is there something I can do on the 2008R2 server to ensure it stays? Or, am I good now so I can just demote?
ASKER CERTIFIED SOLUTION
kevinhsieh
SOLUTION
jim34

ASKER

Just to clarify from iSiek's comment: "If you will remove DNS server role from that 2003 box you will see that NS record will disappear and when you permanently remove server, you can simply delete A (host) records for that server" - I think you mean the nameserver record which doesn't have anything to do with the forward lookup zone cname record, correct? I just want to make sure that forward lookup zone cname record doesn't disappear.

My plan when I get to work Monday morning will be to do the steps in iSiek's link (thanks for that) to demote the server to a member server. Then I'll remove the DNS service from the 2003 server.

My understanding is that the cname record for the forward lookup zone I can't create on the 2008r2 server will still be on my 2008r2 machine. I just want to make absolutely sure, because I can't have it disappear on my 2008r2 machine or I'll just have to make the 2003 server (which will allow me to create the cname record for the forward lookup zone) a DC with DNS again. Kevinhsieh seems pretty clear I can do this if I see the record on my 2008r2 machine, which I can. I will test to make sure I can do an nslookup to the 2008r2 machine and get the proper response, but I have before and it has responded correctly.

On a side note - is there any way to back up just a forward lookup zone on a 2008r2 machine so if I did lose it I could always just restore the backup, instead of having to recreate that individual forward lookup zone by adding the 2003 server as a DC with DNS just to create it again and replicate it to the 2008r2 server?

Thanks for your help.
OK, yes, the NS record is related only to the Name Server (DNS server). It informs your AD environment which servers in a domain play the DNS server role. That's correct, the NS record has nothing in common with the Forward Lookup zone/Reverse Lookup zone.

Normally, when you do not delete the DNS zone but only remove the DNS role from a server, all records are untouched in the DNS database because they are still used by other DNS servers (the DNS zone is still in use). But as Kevin said, please ensure that the 2008 R2 DNS Management console also sees that CNAME (it should without any problem).

Yes, the CNAME will still be hosted in your DNS zone even if 2008R2 doesn't allow you to create it. This record already exists and DNS will use it, but you would not be able to create new ones for that.

The only good way of doing a DNS backup is doing a regular System State backup of each DC. In case it fails, you can do an authoritative restore for the DNS server
http://technet.microsoft.com/pl-pl/library/bb727048%28en-us%29.aspx (it's all about AD backup strategy)

Krzysztof
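A pre-demotion check for the 2008 R2 side, added here as an example and not code from anyone in this thread: it queries the 2008 R2 server directly for the CNAME, confirms the record in that server's own zone data with dnscmd, and writes a text export of the zone as a reference copy. The server, zone and record names are placeholders, and only nslookup.exe and dnscmd.exe are used because the DnsServer PowerShell module does not exist on 2008 R2.

```powershell
# Added example (not from the thread). Placeholder values, not from the page:
#   $DnsServer  - the 2008 R2 DC that must keep the record
#   $ZoneName   - the forward lookup zone holding the CNAME
#   $RecordName - the CNAME's host name inside that zone
param(
    [string]$DnsServer  = 'dc2008r2.example.local',
    [string]$ZoneName   = 'example.local',
    [string]$RecordName = 'forcesafesearch'
)

$fqdn = "$RecordName.$ZoneName"

# 1. Ask the 2008 R2 server directly (not whatever resolver the client uses)
#    so the answer proves the record lives in its copy of the zone.
$lookup = & nslookup.exe -type=CNAME $fqdn $DnsServer 2>&1
if ($lookup -match 'canonical name') {
    Write-Host "OK: $DnsServer answers the CNAME for $fqdn"
    $lookup | Where-Object { $_ -match 'canonical name' } |
        ForEach-Object { Write-Host "    $_" }
} else {
    Write-Warning "$DnsServer returned no CNAME for $fqdn; do not demote the 2003 DC yet."
    exit 1
}

# 2. Confirm the record through the server's own zone data (dnscmd), not just
#    through a cached or forwarded answer.
$enum = & dnscmd.exe $DnsServer /EnumRecords $ZoneName $RecordName /Type CNAME 2>&1
if ($LASTEXITCODE -ne 0 -or -not ($enum -match 'CNAME')) {
    Write-Warning "dnscmd did not list a CNAME node '$RecordName' in zone $ZoneName on $DnsServer"
    exit 1
}
Write-Host "OK: zone data on $DnsServer contains the CNAME node '$RecordName'"

# 3. Write a plain-text copy of the zone. dnscmd places the file under
#    %SystemRoot%\System32\dns on the target server. This is a reference copy
#    of the records, not a replacement for the System State backup above.
$exportFile = "$ZoneName.$(Get-Date -Format 'yyyyMMdd-HHmm').bak"
& dnscmd.exe $DnsServer /ZoneExport $ZoneName $exportFile
if ($LASTEXITCODE -eq 0) {
    Write-Host "Zone exported to %SystemRoot%\System32\dns\$exportFile on $DnsServer"
} else {
    Write-Warning "Zone export failed (exit code $LASTEXITCODE)"
}
```

Run it from an account with DNS administrator rights before demoting the 2003 DC, and again afterwards; the same script doubles as the post-demotion confirmation that the record survived.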