Isolate DNS role from all domain controllers

Posted on 2014-02-18
Medium Priority
Last Modified: 2014-02-18

I have a question on separating out DNS, and I don't want to miss any steps.  We currently have 3 locations, and we want to add 2 DNS servers to each location as stand alone servers.  Right now, DNS is handled by the DC pairs at each site respectively.  The goal is to have 2 separate DC's and 2 separate DNS servers (total of 4) at each site location.  I am aware of the process to spin up the machines, join them to the domain as member servers, and ten add the DNS roles to them, but what else needs to be done to ensure they take over, and the DC DNS roles can be safely suspended to prevent any disruption?

Thanks all!
Question by:cocosyseng
LVL 70

Accepted Solution

KCTS earned 668 total points
ID: 39867566
Can I ask why you want to separate DNS in this way. AD Integrated DNS is much for secure and efficient
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 668 total points
ID: 39867577
You can allow zone transfers from the AD integrated production DC to the stand alone DNS server hosting a secondary zone of the AD integrated zone.

That zone could be made primary.   All clients (static and DHCP) need to point to the new boxes for DNS.

Make sure to note any forwarders/stub zones/etc on the current box.

Out of curiosity why do you want to go from AD Integrated to stand alone.   Are you having issues with AD Integrated DNS?


LVL 61

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 664 total points
ID: 39867620
I have the same general advice and questions as the others, with one last caveat. While you cancelable zone transfers and make the standalone DNS servers primary, the blast part of your question... about suspending the DNS role on the DCs...would still be problematic. There is a reason ADDS configures DNS and has that dependency. There are things ADDS does with the AD zones that will not work properly if the DNS services on the DC are suspended. You don't have to make the zones AD integrated. You don't even need to have other machines look at them beyond your visible DCs properly transferring. But they need to exist and they do need to have changes reflect out onto your visible DCs. You can't simply suspend the services.

Author Comment

ID: 39867639
You are correct, my apologies, we are going to leave DNS as is.  DHCP is the one that we actually now need to move.  Sorry guys!

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This installment of Make It Better gives Media Temple customers the latest news, plugins, and tutorials to make their Grid shared hosting experience that much smoother.
In this article, we will discuss how you can secure Active Directory using free tools, and how you can choose a safe and secure Active Directory security auditing tool.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question