CNAME record for Decommissioned Domain Controller: Best Practice?

I have some domain controllers I am decommissioning in a rather large environment; I am replacing them with new DCs, and ultimately will be reusing the former DC IP addresses. This addresses a lot of the issues around statically addressed machines/devices. But in thinking of a lot of unknowns, I wonder how to get apps to function that may be specifically binding to DCs by FQDN or hostname.
Is it feasible to create an A or CNAME record for the old server name to point to the new one? Will this cause Kerberos issues or problems with our PKI infrastructure? If anyone has any information on this, that would be helpful; I am trying my best to use best practice here and not anything too "hack-tastic".
Seth Simmons, Sr. Systems Administrator, commented:
I wouldn't use CNAME records for a domain controller, or even reuse the same IP addresses.
There could be situations where something expects to talk to a certain server, the CNAME record points to a different server, and it detects that; then it's a problem. Is there a reason why the IP addresses need to stay the same?
mcburn13 (Author) commented:
The reason the IPs would stay the same is simple: we are talking about a 2000-user environment; there are PCs, servers, printers, routers probably all over the place (could be hundreds) with statically addressed DNS servers. It wouldn't be feasible to do that discovery, but the unavoidable part is that since the DC names will be changing (newer naming convention), I need a solution there.
Seth Simmons, Sr. Systems Administrator, commented:
I can understand the DNS part with static addresses on the devices,
but what about DHCP? Is that being used for PCs? That shouldn't be an issue in terms of DNS servers. Do you have applications that are binding to domain controllers, say, for LDAP authentication? Probably a good time to take inventory and make records of things, since you have a lot of unknowns.
mcburn13 (Author) commented:
That is the whole thing: there are apps binding to some of these specific DCs by name. While I am embarking on a mission to get the app people to help with the discovery, I am also exploring this option. I am wondering if the CNAME or A record method is supported somehow, or if it would cause any specific issues. While in a perfect world I'd love to travel the country and personally check every device, it really isn't happening. We use DHCP for PCs, but there are going to be some that get hardcoded, servers that are hardcoded, and things like network attached storage, printers, etc.
I really do not see any harm in creating new servers with the same hostname and IP as the previous ones to save application outages and changes.
It will work perfectly.

For PKI migration scenarios, it will work as long as the actual hostname on the source and destination server remains the same,
because the CA hard-codes its server hostname (FQDN) in the AIA and CDP of issued certificates.

As far as unknown applications go, you don't know about them right now, and you will not know about them after building the new DCs either.
So why not keep the same hostname and IP address for the replaced domain controllers, to be safe at least from the known ones?
That is how to deal with applications in migration scenarios.
You can take an exception in your company policy to retain the old host names.

For those applications where the DC hostname is configured, you can configure CNAME records,
but I suggest you test this first in the same environment to avoid surprises later.

For those applications where the DC name/IP is hardcoded, you cannot change those DC names/IP addresses, but you can use a CNAME; again, I suggest you test it first.
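The CNAME option discussed in the answer above, worked through as an added example (this is not code from the thread, and the names are assumptions: zone corp.example.com, retired DC OLDDC01, replacement DC NEWDC01, which also hosts the zone). The point it makes is the Kerberos one raised in the question: a DNS alias by itself is not enough, because depending on the client the service ticket it requests may be for the alias name (for example HOST/olddc01.corp.example.com), and that SPN has to be registered on the new DC's computer account and on nothing else. A duplicate SPN is worse than a missing one, since the KDC then encrypts tickets with the wrong account's key and authentication fails for both machines, so the script checks before it writes. The last step is the practitioner's check for the PKI remark in the same answer: if a retired name hosted a CA or its CDP/AIA, the publication URLs the CA stamps into every certificate show whether that name must keep resolving.

```powershell
# Added example, not part of the original thread. All host and zone names are
# assumptions. Run from an elevated PowerShell on a domain-joined admin host
# with RSAT (DnsServer and ActiveDirectory modules) and setspn.exe available.
Import-Module DnsServer
Import-Module ActiveDirectory

$Zone   = 'corp.example.com'
$OldDC  = 'OLDDC01'          # name being retired; must already be demoted and
                             # its computer object removed, or the SPNs collide
$NewDC  = 'NEWDC01'          # replacement DC that will answer for the old name
$DnsSrv = "${NewDC}.${Zone}" # DNS server hosting the AD-integrated zone (assumed)

$AliasSpns = @("HOST/${OldDC}.${Zone}", "HOST/${OldDC}", "LDAP/${OldDC}.${Zone}")

# 1. Refuse to proceed while the old name still resolves (a stale A record left
#    behind by the old DC would be masked by the CNAME and confuse later checks).
$existing = Resolve-DnsName "${OldDC}.${Zone}" -ErrorAction SilentlyContinue
if ($existing) {
    throw "${OldDC}.${Zone} still resolves; remove the stale record first."
}

# 2. Make sure no other account already claims the SPNs we are about to add.
foreach ($spn in $AliasSpns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($owner -and $owner.Name -ne $NewDC) {
        throw "SPN $spn is still registered on $($owner.DistinguishedName)"
    }
}

# 3. Create the alias olddc01 -> newdc01 in the zone.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $OldDC `
    -HostNameAlias "${NewDC}.${Zone}" -ComputerName $DnsSrv

# 4. Register the alias SPNs on the new DC's computer account.
#    setspn -S re-checks the forest for duplicates before writing.
foreach ($spn in $AliasSpns) {
    setspn -S $spn $NewDC
}

# 5. Verify: the alias resolves to the new DC, and a fresh service ticket for
#    the alias name can be obtained (klist get asks the KDC for that SPN).
Resolve-DnsName "${OldDC}.${Zone}" | Format-Table Name, Type, NameHost, IPAddress
klist purge | Out-Null
klist get "HOST/${OldDC}.${Zone}"

# 6. PKI check (run on the CA, only if a retired name is involved in PKI):
#    list the CDP and AIA URL templates the CA writes into issued certificates.
#    A template that embeds the retired hostname literally, or via the %1
#    server-DNS-name macro on a CA that carried that name, must keep resolving
#    or revocation checking for already-issued certificates breaks.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Two caveats a practitioner would add: if clients also need SMB access (SYSVOL, NETLOGON) through the alias, the new server's SMB service rejects names it does not consider its own unless strict name checking is disabled (the DisableStrictNameChecking value under LanmanServer\Parameters, as in Microsoft's CNAME guidance), and the whole exercise should be rehearsed on a test DC pair first, exactly as the answer recommends, since the behaviour of each client depends on whether it builds its SPN from the alias or from the canonical name.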

mcburn13 (Author) commented:
We really need to use the new naming convention. Does anyone know of actual documentation out there to support this method, or a case study?
Your issue is environment-specific.

In order to get a resolution to your problem, you need to publish the application information here on this blog so that anyone familiar with those apps can help you.
If the applications are developed for your specific needs (custom applications), only the application developer/vendor can help you.

Migration scenarios are never painless, and you won't get much information regarding custom application migration processes or case studies out on the internet directly.

You need to sit with the application vendor/developer to understand application authentication, possible changes, workarounds and impacts, and then you need to come up with a proper migration plan.

Sometimes UAT/DEV departments can do that job for you by creating a parallel environment in UAT/DEV,
but the above is applicable to large organizations.

For smaller organizations, you need to build a test bed on your own for your custom application testing.

I think I have finished this thread from my side; just curious what others are saying.

