CNAME record for Decommissioned Domain Controller: Best Practice?

Posted on 2014-03-05
Last Modified: 2014-05-27
I have some domain controllers I am decommissioning in a rather large environment; I am replacing them with new DCs, and ultimately will be using the former DC IP addresses. This addresses a lot of the issues around statically addressed machines/devices. But in thinking of a lot of unknowns, I wonder how to get apps to function that may be specifically binding to DCs by FQDN or hostname.
Is it feasible to create an A or CNAME record for the old server name to point to the new one? Will this cause Kerberos issues or problems with our PKI infrastructure? If anyone has any information on this that would be helpful - trying my best to use best practice here and not anything too "hack-tastic".
Question by: mcburn13
7 Comments
LVL 36

Expert Comment

by: Seth Simmons
ID: 39906977
I wouldn't use CNAME records for domain controllers or even use the same IP addresses.
There could be situations where something is expecting to talk to a certain server and the CNAME record points to a different server, and if it detects that then it's a problem. Is there a reason why the IP addresses need to stay the same?
LVL 1

Author Comment

by: mcburn13
ID: 39906988
The reason the IPs would stay the same is simple: we are talking about a 2000-user environment; there are PCs, servers, printers, routers probably all over the place (could be hundreds) with statically addressed DNS servers. It wouldn't be feasible to do that discovery, but the unavoidable part is that since the DC names will be changing (newer naming convention) I need a solution there.
LVL 36

Expert Comment

by: Seth Simmons
ID: 39907025
I can understand the DNS part with static addresses on the devices,
but what about DHCP? Is that being used for PCs? That shouldn't be an issue in terms of DNS servers. Do you have applications that are binding to domain controllers, say, for LDAP authentication? Probably a good time to take inventory and make records of things since you have a lot of unknowns.
LVL 1

Author Comment

by: mcburn13
ID: 39907054
That is the whole thing: there are apps binding to some of these specific DCs by name. While I am embarking on a mission to get the app people to help with the discovery, I am also exploring this option. I am wondering if the CNAME or A record method is supported somehow or if it would cause any specific issues. While in a perfect world I'd love to travel the country and personally check every device, it really isn't happening. We use DHCP for PCs, but there are going to be some that get hardcoded, servers that are hardcoded and things like network attached storage, printers etc.
LVL 38

Expert Comment

by: Mahesh
ID: 39911951
I really do not see any harm in creating new servers with the same hostname and IP as previously, to save application outages and changes.
It will work perfectly.

For PKI migration scenarios, it will work as long as your actual hostname on the source and destination server remains the same,
because the CA hard-codes its server hostname (FQDN) in the issued certificates' AIA and CDP.

As far as unknown applications go, you don't know about them right now and you will not know about them after building the new DCs either.
So why not keep the same hostname and IP address for the replaced domain controllers, to be safe at least from the known ones?
That is how to deal with applications in migration scenarios.
You can take an exception in your company policy to retain the old host names.

For those applications where the DC hostname is configured, you can configure CNAME records,
but I suggest you test this first in the same environment to avoid surprises later.

For those applications where the DC name \ IP is hardcoded, you cannot change those DC names \ IP addresses, but you can use a CNAME; again, I suggest you test it first.

Mahesh
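One way to do the "test it first" check Mahesh recommends before relying on a CNAME for a retired DC name, as an added example written for this thread (PowerShell, not code from any poster): it reports stale records for the old name, lists the HOST/&lt;alias&gt; SPNs the new DC's account needs so that Kerberos tickets requested for the alias map to the new DC, and changes nothing unless run with -Apply. The cmdlets are standard RSAT ActiveDirectory/DnsServer cmdlets; the server names and zone are placeholders.

```powershell
# Added example for this thread, not code from any poster. Assumes the RSAT
# ActiveDirectory and DnsServer modules, a domain-admin session, and that the
# old DC has already been demoted and its metadata cleaned up.
# $OldDc, $NewDc and $Zone are placeholders; replace them with your own values.
param(
    [string]$OldDc = 'OLDDC01',          # decommissioned DC's short name (placeholder)
    [string]$NewDc = 'NEWDC01',          # replacement DC's short name (placeholder)
    [string]$Zone  = 'corp.example.com', # AD-integrated forward zone (placeholder)
    [switch]$Apply                       # report only unless -Apply is given
)
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop
$oldFqdn = "$OldDc.$Zone"
$newFqdn = "$NewDc.$Zone"

# 1. A stale A record or a leftover computer object for the old name would compete
#    with the alias (and keep the old HOST/ SPNs registered), so report them first.
$stale = Get-DnsServerResourceRecord -ZoneName $Zone -Name $OldDc -ErrorAction SilentlyContinue |
         Where-Object RecordType -ne 'CNAME'
foreach ($r in $stale) { Write-Warning "Existing record for $oldFqdn : $($r.RecordType) $($r.RecordData)" }
$oldObj = Get-ADComputer -Filter "Name -eq '$OldDc'"
if ($oldObj) { Write-Warning "Computer object $OldDc still exists; finish metadata cleanup first." }

# 2. Kerberos check. Clients build the SPN from the name they connect to, so a
#    ticket for the alias only works if the new DC's account holds HOST/<alias>.
$newObj = Get-ADComputer -Filter "Name -eq '$NewDc'" -Properties servicePrincipalName
if (-not $newObj) { throw "Computer object $NewDc not found" }
$needed  = @("HOST/$OldDc", "HOST/$oldFqdn")
$missing = $needed | Where-Object { $newObj.servicePrincipalName -notcontains $_ }
$missing | ForEach-Object { Write-Host "SPN not yet registered on $NewDc : $_" }

# 3. Does the alias already resolve, and to the intended target?
$cname = Resolve-DnsName -Name $oldFqdn -Type CNAME -ErrorAction SilentlyContinue
if ($cname -and $cname.NameHost -ne $newFqdn) { Write-Warning "$oldFqdn aliases $($cname.NameHost), not $newFqdn" }

# 4. Make the changes only when asked, and only when nothing stale is in the way.
if ($Apply) {
    if ($stale -or $oldObj) { throw "Refusing to apply: stale DNS record or computer object for $OldDc" }
    if (-not $cname) { Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $OldDc -HostNameAlias $newFqdn }
    foreach ($spn in $missing) { Set-ADComputer -Identity $newObj -ServicePrincipalNames @{Add = $spn} }
}
```

The HOST/ SPNs cover the generic service mapping only; LDAP binds and anything that validates the DC's own name still need the lab test Mahesh describes before you rely on the alias in production.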
LVL 1

Author Comment

by: mcburn13
ID: 39924378
We really need to use the new naming convention. Does anyone know of actual documentation out there to support this method, or a case study?
LVL 38

Accepted Solution

by: Mahesh (earned 1500 total points)
ID: 39925656
Your issue is environment specific.

In order to get a resolution to your problem, you need to publish the application information here on this blog so that anyone familiar with those apps can help you.
If the applications are developed for your specific needs (custom applications), only the application developer \ vendor can help you.

Migration scenarios are never painless, and you won't get much information regarding custom application migration processes \ case studies out on the internet directly.

You need to sit with the application vendor \ developer to understand application authentication \ possible changes \ workarounds \ impacts, and then you need to come up with a proper migration plan.

Sometimes UAT \ DEV departments can do that job for you by creating a parallel environment in UAT \ DEV,
but the above is applicable to large organizations.

For smaller organizations, you need to build a test bed on your own for your custom application testing.

I think I have finished this thread from my side; just curious what others are saying.

Mahesh