Making a MS 2008 DNS server the authority for a domain


I have an AD domain that originally had one Win 2003 Server as the only DC for the domain. This server also provided DHCP and WINS services. I want to remove it from the domain as it is starting to fail.

In preparation for this I have a new MS 2008 Server that I have successfully joined to the AD and used DCpromo to make the new 2008 server a Domain controller.

The migration of the DNS and roles also worked fine as part of this process.

I now want to remove the 2003 server from the domain and make the 2008 server the primary authority for one of the domains that it manages the DNS for. At present it thinks the 2003 server is the primary authority for this domain, which is correct.

Can anyone tell me how to go about configuring the 2008 server DNS for that domain so it will act as the primary authority?

Thanks heaps in advance

So are you going to use this for internet DNS or just internal? If Internet does the register have your IP to your firewall or DMZ pointing to your Windows DNS Server?

It's pretty cut and dry

Once you get all the records on both DNS servers you can dcpromo the 2003 machine and start removing the services. Do you have a 2nd machine for your DC, DNS, etc. as backup?
johnkanAuthor Commented:
Hi DMTechGrooup

In this case the DNS is being used just for the internal network. Some records in it are required to make the Mail server work properly.

We have 2 new 2008 Servers that will become the new DC's and DNS servers.

One of these 2008 Servers has already been DCpromo'd and is serving as a backup. It has all of the DNS records and is also providing DHCP services.

Thanks heaps
Make sure the existing 2003 DNS server is removed from DHCP assignments. If there are any other static IP address assignments (routers, switches, printers and/or other servers) inspect their settings to confirm they point only to the new Windows 2008 DC.

Other than that, there isn't a primary assignment if you're using AD-integrated DNS. If you're still using primary/secondary, confirm the Windows 2008 server has all the DNS records, change the type of DNS server on the Windows 2008 to Primary, and disable the DNS server service on Windows 2003.

If it all runs right, you can decommission DNS on Windows 2003. If there's ANY issue, you can bring the Windows 2003 DNS back online and move the Windows 2008 server back to a secondary.
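The checks in the answer above, as an added PowerShell example that is not part of the original thread: it confirms that DHCP option 006 no longer hands out the old DNS server, reports whether the zone on the 2008 server is AD-integrated, Primary or Secondary, and lists the zone's NS records. The server names, the old server's address and the zone name (`DC2008`, `192.168.1.5`, `corp.local`) are assumptions; it uses netsh and the DNS WMI provider, both present on Windows Server 2008.

```powershell
# Added example (not from this thread). Confirms two things before the 2003 box is
# switched off: DHCP option 006 no longer hands out the old DNS server, and the
# zone on the 2008 server is AD-integrated (or at least Primary). Server names,
# addresses and the zone name are assumptions for the example.
$OldDnsIp = '192.168.1.5'    # assumed address of the failing 2003 server
$NewDns   = 'DC2008'         # assumed name of the 2008 DC/DNS server
$Zone     = 'corp.local'     # assumed AD domain / forward lookup zone

# 1. DHCP option 006 (DNS Servers) at server level. Scope-level options override
#    server-level ones, so run the same parse on
#    "netsh dhcp server \\$NewDns scope <scope-ip> show optionvalue" for each scope.
$dhcpText  = netsh dhcp server "\\$NewDns" show optionvalue 2>&1 | Out-String
$dnsOption = @()
$inOption6 = $false
foreach ($line in ($dhcpText -split "`r?`n")) {
    if ($line -match 'OptionId\s*:\s*(\d+)') { $inOption6 = ($Matches[1] -eq '6'); continue }
    if ($inOption6 -and $line -match '\b(\d{1,3}(?:\.\d{1,3}){3})\b') { $dnsOption += $Matches[1] }
}
"DHCP option 006 on ${NewDns}: $($dnsOption -join ', ')"
if ($dnsOption -contains $OldDnsIp) {
    Write-Warning "DHCP still advertises the old DNS server $OldDnsIp; change option 006 first."
}

# 2. Zone type on the 2008 server, via the DNS WMI provider (root\MicrosoftDNS).
#    ZoneType: 0 = AD-integrated, 1 = Primary (file-backed), 2 = Secondary, 3 = Stub, 4 = Forwarder
$zone = Get-WmiObject -ComputerName $NewDns -Namespace 'root\MicrosoftDNS' `
        -Class MicrosoftDNS_Zone -Filter "Name='$Zone'"
if (-not $zone) { throw "Zone $Zone not found on $NewDns" }
$typeName = @{0='AD-integrated';1='Primary';2='Secondary';3='Stub';4='Forwarder'}[[int]$zone.ZoneType]
"Zone $Zone on $NewDns is $typeName (DsIntegrated=$($zone.DsIntegrated))"
if ([int]$zone.ZoneType -eq 2) {
    Write-Warning "Zone is Secondary; its master is $($zone.MasterServers -join ', '). Convert it to Primary (or AD-integrated) before the master goes away."
}

# 3. NS records for the zone: anything still naming the 2003 server will be handed
#    to clients as an authoritative server that is about to disappear.
Get-WmiObject -ComputerName $NewDns -Namespace 'root\MicrosoftDNS' `
    -Class MicrosoftDNS_NSType -Filter "OwnerName='$Zone'" |
    ForEach-Object { "NS record for {0}: {1}" -f $_.OwnerName, $_.NSHost }
```

Run it from the 2008 server (or any box with the DHCP and DNS admin rights). An AD-integrated zone has no single primary, as the answer says; the Secondary warning only applies if the zone was brought over as a file-backed secondary of the 2003 server.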

johnkanAuthor Commented:
Ah ok.

Where do I set the DNS server on my new 2008 server to primary? I did a bit of a hunt around but missed it.

Thanks heaps
In an Active Directory environment there is not a primary and secondary; they are both considered equal, so as long as all the records that are in the 2003 one are there, then you are good.
johnkanAuthor Commented:

When I disconnect the 2003 domain controller I don't seem to get proper name resolution, even though I have the DNS records set up on the new 2008 server as per the 2003 DNS server I am wanting to disconnect.

Anything else I should check on the new 2008 server?

Not sure if this is related but my login scripts are not run when I log in with just the new 2008 server running. They seem to run when the 2003 server is connected to the network though.

Thanks heaps
johnkanAuthor Commented:

As soon as I disconnect the original 2003 server, the 2008 server can't get any of the user or computer information at all. It gives me a message about not being able to contact the 2003 domain controller.

My 2008 server is being seen as a domain controller but doesn't seem to function as one if the 2003 server is not connected as well.

The 2003 server is starting to fail more regularly now, so I really need to get the 2008 server functioning as a domain controller fast.


Thanks in advance
Do you have forwarders set in the DNS of the 2003 machine for internet or does it do its own lookup?

As for the AD, you need to make sure the new server has all the FSMO roles as well.

As stated above, have you adjusted the DHCP to provide the new server as the primary DNS server? Any static machines need to be manually set as well.
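The FSMO and forwarder checks from the answer above, as an added PowerShell example that is not part of the original thread. It lists which DC holds each of the five FSMO roles, confirms the new DC is a global catalog, and compares the DNS forwarders configured on the old and new servers. It uses .NET System.DirectoryServices (present on Windows Server 2008, no AD PowerShell module needed) and the DNS WMI provider; the DC names `SERVER2003` and `DC2008` are assumptions.

```powershell
# Added example (not from this thread). Lists the holder of each of the five FSMO
# roles, checks that the new DC is a global catalog, and compares DNS forwarders on
# the old and new servers. Server names are assumptions.
$OldDc = 'SERVER2003'   # assumed name of the failing 2003 DC
$NewDc = 'DC2008'       # assumed name of the new 2008 DC

Add-Type -AssemblyName System.DirectoryServices
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# Two roles are forest-wide, three are per-domain. Each value is the holder's FQDN.
$roles = @{
    'Schema master'         = $forest.SchemaRoleOwner.Name
    'Domain naming master'  = $forest.NamingRoleOwner.Name
    'PDC emulator'          = $domain.PdcRoleOwner.Name
    'RID master'            = $domain.RidRoleOwner.Name
    'Infrastructure master' = $domain.InfrastructureRoleOwner.Name
}
$onOldDc = @()
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    '{0,-22} {1}' -f $role, $holder
    if (($holder -split '\.')[0] -ieq $OldDc) { $onOldDc += $role }
}
if ($onOldDc.Count -gt 0) {
    Write-Warning ("Still held by {0}: {1}. Transfer them before demoting it; promoting a new DC does not move FSMO roles." -f $OldDc, ($onOldDc -join ', '))
}

# A DC that is not a global catalog cannot log users on once the only GC is gone.
$ctx   = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $NewDc)
$newDc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
"$NewDc is a global catalog: $($newDc.IsGlobalCatalog())"

# DNS forwarders: if the 2003 server forwards Internet lookups somewhere, the 2008
# server needs the same list, otherwise external names stop resolving after the switch.
foreach ($dns in $OldDc, $NewDc) {
    $srv = Get-WmiObject -ComputerName $dns -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
    '{0,-12} forwarders: {1}' -f $dns, $(if ($srv.Forwarders) { $srv.Forwarders -join ', ' } else { '(none, root hints)' })
}
```

Run it as a domain admin on either DC while both are still online. If any role is reported on the old DC, transfer it (ntdsutil `roles`, or the AD Users and Computers / Domains and Trusts / Schema snap-ins) rather than seizing it, since the old server is still reachable.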

johnkanAuthor Commented:
Hi DMTechgroup

The 2008 server is providing the DHCP server OK. When I run an IPCONFIG /ALL on the workstations, they report the correct settings, stating the new 2008 server IP is the first DNS entry.

The DNS on the 2003 server is functioning correctly when it's on and connected to the network, so I'm guessing it's OK as it is.

It sounds like I haven't transferred the FSMO roles. I thought this might have been done when I performed the DCPromo on the 2008 server.

I will try this and let you know how it turns out.

Thanks heaps
johnkanAuthor Commented:
Hi DMTechgroup.

Ok, I have successfully completed the transfer of the 5 FSMO roles to the new 2008 Server

From the 2008 server I can open the Users and Computers MMC and see the users and computers.

When I look at Domain Controllers I see the 2003 server is a DC but the new 2008 server is a GC. I'm guessing it needs to be a DC also, as I want it to authenticate logins and run login scripts from the new 2008 server.

Is this correct?

Thanks heaps
GC is global catalog. Your 2008 server should be the main server.

It wouldn't transfer the FSMO roles to it if it were not.

Also go to the Run command, type \\<2008servername>\ and hit OK. Does it have a SYSVOL directory? If it does, in the scripts folder, are your login scripts there?

Try running this from a few computers to see which DC they logged onto.
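The SYSVOL and logon-server checks from the answer above, as an added PowerShell example that is not part of the original thread, meant to be run on a workstation after logging on. It prints which DC authenticated the session and which DC the locator currently returns, verifies that the new DC exposes SYSVOL and NETLOGON with the logon script, and diffs the scripts folder against the old DC to show whether SYSVOL replication has completed. `nltest` is assumed to be available (built in on Vista/2008, Support Tools on XP/2003); the DC names, domain and script name are assumptions.

```powershell
# Added example (not from this thread), run on a workstation after logon. Shows which DC
# authenticated the session, which DC the locator picks now, and whether the new DC's
# SYSVOL/NETLOGON shares carry the logon script (i.e. whether SYSVOL replicated).
# DC names, the domain and the script name are assumptions.
$OldDc  = 'SERVER2003'
$NewDc  = 'DC2008'
$Domain = 'corp.local'
$Script = 'logon.bat'   # assumed logon script name

"LOGONSERVER for this session: $env:LOGONSERVER"
# Which DC the DC locator returns right now (this is what the next logon will use).
nltest "/dsgetdc:$Domain" 2>&1 | Select-String '^\s*DC:|Flags:'

foreach ($share in 'SYSVOL', 'NETLOGON') {
    $path = "\\$NewDc\$share"
    '{0,-22} {1}' -f $path, $(if (Test-Path $path) { 'reachable' } else { 'MISSING' })
}

# Logon scripts live under SYSVOL\<domain>\scripts, which NETLOGON also maps to.
$newScripts = "\\$NewDc\SYSVOL\$Domain\scripts"
$oldScripts = "\\$OldDc\SYSVOL\$Domain\scripts"
if (Test-Path "$newScripts\$Script") {
    "Logon script present on ${NewDc}: $newScripts\$Script"
} else {
    Write-Warning "$Script is not in $newScripts; clients that pick $NewDc will run no script."
}

# If the old DC is still reachable, diff the two script folders: any file only on the
# old side means SYSVOL replication to the new DC has not completed.
if (Test-Path $oldScripts) {
    $oldList = @(Get-ChildItem $oldScripts | ForEach-Object { $_.Name })
    $newList = @(Get-ChildItem $newScripts | ForEach-Object { $_.Name })
    $missing = $oldList | Where-Object { $newList -notcontains $_ }
    if ($missing) { Write-Warning ("Only on {0}: {1}. SYSVOL replication incomplete." -f $OldDc, ($missing -join ', ')) }
    else { "Script folders on $OldDc and $NewDc match." }
}
```

If LOGONSERVER still names the old DC while the locator already returns the new one, a log-off/log-on (or reboot) is enough to move the session; if NETLOGON is missing on the new DC, SYSVOL has not finished its initial replication and the DC will not advertise itself for logons.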
johnkanAuthor Commented:
Hello DMTechgroup

The logon server is \\server2008, which just to confuse things is the 2003 server, the old one we want to get rid of.

How can I change this to the new 2008 server?

Not sure if this is relevant, but the pre-Windows 2000 domain name I am logging into does not have the '.local' bit at the end of it, whereas the domain everywhere else has the '.local' included.

Thanks heaps
johnkanAuthor Commented:
Hello DMTechgroup

I think I may have a clue as to why the new 2008 server is not acting as a PDC.

I checked the Server Manager Active Directory Domain services status and saw some errors.

The message is...

"This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected. "

This states it may impact on the PDC operations of the new 2008 server.

How can I force a full replication so the role can be validated?

Thanks heaps
johnkanAuthor Commented:
Hello DMTechgroup

Looks like the replication of the AD is not completing due to a DNS error.

The message I get when I try to force a replication of the AD is...

'The DSA operation is unable to proceed because of a DNS lookup failure.'

When I look at the logs an error states...

'Name resolution for the name <domain name>.local timed out after none of the configured DNS servers responded.'

As the DNS was migrated from the 2003 server, I'm not sure what it is that it can't resolve.

Thanks heaps
johnkanAuthor Commented:
Hi DMTechgroup

Seems there was a DNS entry deep in the bowels of the DNS that was causing this conflict.

Suddenly, under Sites and Services the 2003 and 2008 DCs began to communicate and the replication completed, which meant the 2008 Server became a fully functional PDC.

Now just need to resolve the final DNS problem causing the mail server to be uncontactable.

Thanks heaps for your good answers
Where is the mail server not contacted from? The outside world? If so, your firewall should be pointing the ports directly to the IP of the mail server.
johnkanAuthor Commented:
Hi DMTechgroup

Oddly enough, from outside is fine; it's from inside.

I can ping its FQDN and get the correct IP back, but Outlook states it can't find it using its FQDN.

If I add a local record to the hosts file on the workstation it works fine.

Thanks heaps
Do some nslookups from a workstation and verify there is an A record for the server.
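The nslookup check from the answer above, together with the DNS lookup failure for the domain name reported earlier in the thread, as an added PowerShell example that is not part of the original thread. A successful ping does not prove the DNS server holds an A record, because the Windows resolver also consults the hosts file, its cache and NetBIOS/WINS; nslookup asks the DNS server directly. The script queries each DNS server configured on the workstation for the mail host's A record and for the domain's `_ldap._tcp.dc._msdcs` SRV record (the record replication and logons depend on), then reports any hosts-file entry that would mask the answer. The host and domain names (`mail.corp.local`, `corp.local`) are assumptions.

```powershell
# Added example (not from this thread), run on a workstation. Asks each configured DNS
# server directly (nslookup) for the mail host's A record and the domain's DC SRV
# record, and checks whether a hosts entry is masking the answer. Names are assumptions.
$MailHost = 'mail.corp.local'
$Domain   = 'corp.local'

function Query-Dns {
    # Runs nslookup against one server and returns the answer values it printed.
    param([string]$Name, [string]$Server, [string]$Type)
    $out = nslookup "-type=$Type" $Name $Server 2>&1 | Out-String
    if ($out -match "can't find|Non-existent domain|timed-out") { return @() }
    switch ($Type) {
        'A'   { # the answer section follows the "Name:" line; collect its Address(es)
                $parts = $out -split 'Name:', 2
                if ($parts.Count -lt 2) { return @() }
                return @([regex]::Matches($parts[1], '\b\d{1,3}(?:\.\d{1,3}){3}\b') | ForEach-Object { $_.Value }) }
        'SRV' { return @([regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }) }
    }
    return @()
}

# DNS servers this workstation actually uses (same list ipconfig /all shows).
$dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
              ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique
"Configured DNS servers: $($dnsServers -join ', ')"

foreach ($srv in $dnsServers) {
    $a  = Query-Dns -Name $MailHost -Server $srv -Type 'A'
    $dc = Query-Dns -Name "_ldap._tcp.dc._msdcs.$Domain" -Server $srv -Type 'SRV'
    '{0,-15} A   {1,-28} -> {2}' -f $srv, $MailHost, $(if ($a)  { $a -join ',' }  else { 'NO RECORD' })
    '{0,-15} SRV _ldap._tcp.dc._msdcs.{1,-7} -> {2}' -f $srv, $Domain, $(if ($dc) { $dc -join ',' } else { 'NO RECORD' })
}

# A hosts entry makes ping and Outlook work on this one machine only and hides the
# missing zone record; report it so it gets removed once DNS is fixed.
$hosts    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$override = Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\b$([regex]::Escape($MailHost))\b" }
if ($override) { Write-Warning "hosts file overrides ${MailHost}: $override" }

# What the full Windows resolver returns (this is what ping and Outlook see).
try   { "Resolver answer for ${MailHost}: $(([System.Net.Dns]::GetHostAddresses($MailHost) | ForEach-Object { $_.IPAddressToString }) -join ', ')" }
catch { Write-Warning "Windows resolver cannot resolve $MailHost" }
```

If the A query returns NO RECORD from the 2008 server but the resolver still answers, the name is coming from the hosts file or NetBIOS, and the fix is an A record in the zone, not another hosts entry. If the SRV query fails against the 2008 server, that is the same class of failure that blocked replication earlier in the thread: the DC cannot find its own domain in DNS.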
johnkanAuthor Commented:
Hi DMTechgroup

Will Do.

I think it's all good from here.

Thanks heaps for your efforts.
johnkanAuthor Commented:
Excellent advice
thanks heaps
Microsoft Legacy OS