CNAME record for Decommissioned Domain Controller: Best Practice?

Posted on 2014-03-05
Last Modified: 2014-05-27
I have some domain controllers I am decommissioning in a rather large environment; I am replacing them with new DCs, and ultimately will be using the former DC IP addresses. This addresses a lot of the issues around statically addressed machines/devices. But in thinking of a lot of unknowns, I wonder how to get apps to function that may be specifically binding to DCs by FQDN or hostname.
Is it feasible to create an A or CNAME record for the old server name to point to the new one? Will this cause Kerberos issues or problems with our PKI infrastructure? If anyone has any information on this that would be helpful - trying my best to use best practice here and not anything too "hack-tastic".
Question by:mcburn13
LVL 35

Expert Comment

by: Seth Simmons
ID: 39906977
I wouldn't use CNAME records for a domain controller or even use the same IP addresses.
There could be situations where, if it's expecting to talk to a certain server and the CNAME record points to a different server and it detects that, then it's a problem. Is there a reason why the IP addresses need to stay the same?

Author Comment

ID: 39906988
The reason the IPs would stay the same is simple: We are talking about a 2000 user environment - there are PCs, servers, printers, routers probably all over the place (could be hundreds) with statically addressed DNS servers. It wouldn't be feasible to do that discovery, but the unavoidable part is that since the DC names will be changing (newer naming convention) I need a solution there.
LVL 35

Expert Comment

by: Seth Simmons
ID: 39907025
I can understand the DNS part with static addresses on the devices,
but what about DHCP? Is that being used for PCs? That shouldn't be an issue in terms of DNS servers. Do you have applications that are binding to domain controllers - say, for LDAP authentication? Probably a good time to take inventory and make records of things since you have a lot of unknowns.

Author Comment

ID: 39907054
That is the whole thing - there are apps binding to some of these specific DCs by name. While I am embarking on a mission to get the app people to help with the discovery, I am also exploring this option. I am wondering if the CNAME or A record method is supported somehow or if it would cause any specific issues. While in a perfect world I'd love to travel the country and personally check every device, it really isn't happening. We use DHCP for PCs, but there are going to be some that get hardcoded, servers that are hardcoded and things like network attached storage, printers etc...
LVL 37

Expert Comment

ID: 39911951
I really do not see any harm in creating new servers with the same hostname and IP as the previous ones to save application outages and changes.
It will work perfectly.

For PKI migration scenarios, it will work as long as your actual hostname on the source and destination server remains the same,
because the CA hard-codes its server hostname (FQDN) in the AIA and CDP of issued certificates.

As far as unknown applications go, you don't know about them right now and you will not know about them after building new DCs either.
So why not keep the same hostname and IP address for the replaced domain controllers, to save at least the known ones?
That is how to deal with applications in migration scenarios.
You can take an exception in your company policy to retain the old host names.

For those applications where the DC hostname is configured, you can configure CNAME records,
but I suggest you test this first in the same environment to avoid surprises later.

For those applications where the DC name \ IP is hardcoded, you cannot change that DC name \ IP address, but you can use a CNAME; again, I suggest you test it first.

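The "test it first" advice above is the right one, and the two things to test are DNS and Kerberos: a bare CNAME makes the old name resolve, but a client that asks for a ticket to HOST/OLDDC01 only gets one if that SPN lives on the new DC's account, otherwise it quietly falls back to NTLM. This PowerShell pre-check and alias setup is an added example written for this thread, not code from the poster or from Microsoft; the zone and server names are placeholders, and it assumes the DnsServer RSAT module, setspn.exe and Domain Admin rights.

```powershell
# Added example: alias a decommissioned DC name to its replacement safely.
# Placeholders: corp.example, OLDDC01, NEWDC01. Run on a management host.
$Zone   = 'corp.example'            # placeholder AD-integrated zone
$OldDC  = 'OLDDC01'                 # placeholder: name being retired
$NewDC  = 'NEWDC01'                 # placeholder: replacement DC
$DnsSrv = "$NewDC.$Zone"

# 1. The old DC must be demoted and its computer object gone first; while it
#    exists it still owns HOST/OLDDC01, and setspn -S refuses duplicate SPNs.
if (Get-ADComputer -Filter "Name -eq '$OldDC'") {
    throw "$OldDC still exists in AD; demote and remove it before aliasing."
}

# 2. Inventory everything in the zone that still refers to the old name:
#    its own A/AAAA record, CNAMEs pointing at it, and any leftover SRV
#    (DC locator) records that demotion should already have removed.
$records = Get-DnsServerResourceRecord -ComputerName $DnsSrv -ZoneName $Zone |
    Where-Object {
        $_.HostName -eq $OldDC -or
        $_.RecordData.HostNameAlias -like "$OldDC.*" -or
        $_.RecordData.DomainName    -like "$OldDC.*"
    }
$records | Format-Table HostName, RecordType, @{n='Data';e={$_.RecordData}} -AutoSize

# 3. Drop a stale A record if one survived, then publish the alias.
Get-DnsServerResourceRecord -ComputerName $DnsSrv -ZoneName $Zone -Name $OldDC -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ComputerName $DnsSrv -ZoneName $Zone -Force
Add-DnsServerResourceRecordCName -ComputerName $DnsSrv -ZoneName $Zone -Name $OldDC -HostNameAlias "$NewDC.$Zone"

# 4. Register the alias SPNs on the new DC. HOST/ covers LDAP, CIFS and HTTP
#    through the forest's default sPNMappings, so apps binding LDAP to the
#    old name get Kerberos instead of an NTLM fallback.
setspn -S "HOST/$OldDC" $NewDC
setspn -S "HOST/$OldDC.$Zone" $NewDC

# 5. Verify: the alias resolves to the new DC and a ticket for it is issued.
Resolve-DnsName "$OldDC.$Zone" -Server $DnsSrv | Format-Table Name, Type, NameHost, IPAddress -AutoSize
klist purge | Out-Null
klist get "HOST/$OldDC.$Zone"
klist | Select-String "HOST/$OldDC"
```

SMB access to the new DC's shares (SYSVOL, NETLOGON) under the alias name is a separate test: strict name checking on the server rejects names it does not consider its own, so that case needs the alternate name registered on the server, not just in DNS. The CNAME also does nothing for the CDP/AIA point made above: certificates already issued still carry the old hostname in their URLs, so whatever answers that name must keep serving the CRL and CA certificate.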

Author Comment

ID: 39924378
We really need to use the new naming convention- Does anyone know of actual documentation out there to support this method or case study?
LVL 37

Accepted Solution

Mahesh earned 500 total points
ID: 39925656
Your issue is environment specific.

In order to get a resolution to your problem, you need to publish application information here on this blog so that anyone familiar with those apps can help you.
If the applications are developed for your specific needs (custom applications), only the application developer \ vendor can help you.

Migration scenarios are never painless, and you won't get much information regarding a custom application migration process \ case study out on the internet directly.

You need to sit with the application vendor \ developer to understand application authentication \ possible changes \ workarounds \ impacts, and then you need to come up with a proper migration plan.

Sometimes UAT \ DEV departments can do that job for you by creating a parallel environment in UAT \ DEV,
but the above is applicable to large organizations.

For smaller organizations, you need to build a test bed on your own for your custom application testing.

I think I have finished this thread from my side; just curious what others are saying.

