CNAME record for Decommissioned Domain Controller: Best Practice?

Posted on 2014-03-05
Last Modified: 2014-05-27
I have some domain controllers I am decommissioning in a rather large environment; I am replacing them with new DCs, and ultimately will be using the former DC IP addresses. This addresses a lot of the issues around statically addressed machines/devices. But in thinking of a lot of unknowns, I wonder how to get apps to function that may be specifically binding to DCs by FQDN or hostname.
Is it feasible to create an A or CNAME record for the old server name to point to the new one? Will this cause Kerberos issues or problems with our PKI infrastructure? If anyone has any information on this, that would be helpful; I'm trying my best to use best practice here and not anything too "hack-tastic".
Question by:mcburn13
LVL 34

Expert Comment

by:Seth Simmons
ID: 39906977
I wouldn't use CNAME records for domain controllers or even use the same IP addresses.
There could be situations where, if it's expecting to talk to a certain server and the CNAME record points to a different server and it detects that, then it's a problem. Is there a reason why the IP addresses need to stay the same?

Author Comment

ID: 39906988
The reason the IPs would stay the same is simple: we are talking about a 2000-user environment; there are PCs, servers, printers, routers probably all over the place (could be hundreds) with statically addressed DNS servers. It wouldn't be feasible to do that discovery, but the unavoidable part is that since the DC names will be changing (newer naming convention), I need a solution there.
LVL 34

Expert Comment

by:Seth Simmons
ID: 39907025
I can understand the DNS part with static addresses on the devices,
but what about DHCP? Is that being used for PCs? That shouldn't be an issue in terms of DNS servers. Do you have applications that are binding to domain controllers, say, for LDAP authentication? Probably a good time to take inventory and make records of things since you have a lot of unknowns.

Author Comment

ID: 39907054
That is the whole thing: there are apps binding to some of these specific DCs by name. While I am embarking on a mission to get the app people to help with the discovery, I am also exploring this option. I am wondering if the CNAME or A record method is supported somehow or if it would cause any specific issues. While in a perfect world I'd love to travel the country and personally check every device, it really isn't happening. We use DHCP for PCs, but there are going to be some that get hardcoded, servers that are hardcoded, and things like network attached storage, printers, etc.
LVL 35

Expert Comment

ID: 39911951
I really do not see any harm in creating new servers with the same hostname and IP as previous to save application outages and changes.
It will work perfectly.

For PKI migration scenarios, it will work as long as your actual hostname on the source and destination server remains the same,
because the CA hard-codes its server hostname (FQDN) in the issued certificates' AIA and CDP.

As far as unknown applications, you don't know about them right now and you will not know after building new DCs either.
So why not keep the same hostname and IP address for the replaced domain controllers to save at least the known ones?
That is how to deal with applications in migration scenarios.
You can take an exception in your company policy to retain old host names.

For those applications where the DC hostname is configured, you can configure CNAME records,
but I suggest you test this first in the same environment to avoid surprises later.

For those applications where the DC name / IP is hardcoded, you cannot change those DC names / IP addresses, but you can use a CNAME; again, I suggest you test it first.

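The "test it first" step above, written out as an added example (not code from any participant in this thread): it creates the CNAME for a retired DC name, gives the replacement DC the SPNs a Windows client will ask for when it uses the old name, and then requests a Kerberos ticket through the alias. It assumes the old DC's computer account has already been removed from AD, that the DnsServer and ActiveDirectory RSAT modules are installed, and uses placeholder zone and host names.

```powershell
# Added example: verify that a CNAME alias for a retired DC name works for Kerberos.
# Placeholder names; the DnsServer and ActiveDirectory RSAT modules are assumed.
$Zone    = 'corp.example.com'
$OldName = 'olddc01'          # retired DC hostname (CNAME to be created)
$NewDc   = 'dc-new-01'        # replacement DC (its A record already exists)
$OldFqdn = "$OldName.$Zone"
$NewFqdn = "$NewDc.$Zone"

# 1. Refuse to alias a name that still belongs to a computer account:
#    the KDC would then see duplicate SPNs (HOST/olddc01 on two accounts).
if (Get-ADComputer -Filter "Name -eq '$OldName'" -ErrorAction SilentlyContinue) {
    throw "Computer account $OldName still exists; finish metadata cleanup first."
}

# 2. Create the CNAME (skip if it is already there so the script can be re-run).
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $OldName -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $OldName -HostNameAlias $NewFqdn
}

# 3. Windows clients build the SPN from the name they typed, not from the
#    canonical A record, so the new DC's account needs SPNs for the alias too.
$Spns    = @("HOST/$OldName", "HOST/$OldFqdn", "LDAP/$OldFqdn")
$Acct    = Get-ADComputer -Identity $NewDc -Properties servicePrincipalName
$Missing = $Spns | Where-Object { $Acct.servicePrincipalName -notcontains $_ }
if ($Missing) {
    Set-ADComputer -Identity $NewDc -ServicePrincipalNames @{ Add = $Missing }
}

# 4. Confirm no SPN is now registered twice anywhere in the forest.
setspn -X -F | Out-Host      # clean result reports 0 groups of duplicate SPNs

# 5. Test: resolve the alias, then request a service ticket using the OLD name.
Resolve-DnsName $OldFqdn -Type CNAME | Format-Table -AutoSize
klist purge | Out-Null
klist get "LDAP/$OldFqdn" | Out-Host   # a listed ticket means Kerberos works via the alias
```

If step 5 shows no ticket (or the application falls back to NTLM in its logs), the alias is not usable for Kerberos and that application must be repointed at the new DC name instead.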

Author Comment

ID: 39924378
We really need to use the new naming convention. Does anyone know of actual documentation out there to support this method, or a case study?
LVL 35

Accepted Solution

Mahesh earned 500 total points
ID: 39925656
Your issue is environment specific.

In order to get a resolution to your problem, you need to publish application information here on this blog so that anyone familiar with those apps can help you.
If applications are developed for your specific needs (custom applications), only the application developer / vendor can help you.

Migration scenarios are never painless, and you won't get much information regarding custom application migration processes / case studies out on the internet directly.

You need to sit with the application vendor / developer to understand application authentication / possible changes / workarounds / impacts, and then you need to come up with a proper migration plan.

Sometimes UAT / DEV departments can do that job for you by creating a parallel environment in UAT / DEV,
but the above is applicable to large organizations.

For smaller organizations, you need to build a test bed on your own for your custom application testing.

I think I have finished this thread from my side; just curious what others are saying.

