Removing old Domain Controllers

I have 2 old Server 2003 Domain Controllers that I want to remove. I have a 2008 domain controller holding all FSMO roles plus a 2012 server that is a domain controller. I am trying to whittle away all queries to these old servers for DNS but really want to get the domain functional level up to 2008 soon. Is this a good plan? Make the main DNS zone for our domain a secondary zone for these 2 servers (our zones are Active Directory Integrated), then dcpromo out the 2 old servers, leaving DNS running while continuing to eliminate possible sources of DNS queries.
habs1994 asked:
 
DrDave242 commented:
Ah, OK. In that case, yes, your AD-integrated zones will have to be configured as secondary zones on those servers, and zone transfers will need to be set up to copy them from the other DCs.

You may find it simpler to demote the 2003 DCs first, then recreate the zones as secondaries. I'm not sure you can change an existing zone from AD-integrated primary to standard secondary on a DC, since it'll be replicating the zone within AD from the other DCs already. You might end up with multiple copies of the zone in that case.
0
 
DrDave242 commented:
Changing the zone to a secondary on those servers won't affect whether they're queried by other machines. The only way to make sure nothing queries those servers is to make sure nothing is configured to use them for DNS. If your clients obtain their IP addresses from DHCP, you can use the DHCP console to configure the list of DNS servers that is given to those clients. Machines with static addresses will have to be manually configured.

As long as nothing is configured to use only those 2003 servers, though, you should be fine. The Windows DNS client will eventually query every DNS server in its list if the first one or two don't respond (details are given here). The worst thing you'll see is a delay of up to a few seconds.
0
 
habs1994 (author) commented:
No DHCP clients query them any longer, just a few devices that may require replacement/reconfigure that may take some time. I don't want to ensure no other machines query just yet, just that those machines can have their roles as Domain Controllers while still servicing the occasional DNS request.
0
 
habs1994 (author) commented:
Typed a little too fast. I want to ensure that the old DCs can be demoted and still service the occasional DNS request.
0
 
footech commented:
What I have observed is that when you change a Primary AD-integrated zone directly to a Secondary, it will remove the zone from AD and when this is replicated the zone gets deleted from all other participating DCs.

So I think your procedure will have to be to demote the old DCs, removing them from replication, after which you can set up the zones as Secondary on those machines.

If you wanted to change the DNS config before demotion, you would have to set the zone as a primary non-AD-integrated zone on a DC that will remain, set up other servers as secondary, then after demotion of DCs you could change the zone back to AD-integrated (removing the secondary from the other remaining DC(s) first). Easier to make a mistake with this method.
0
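An added example, not from anyone in this thread, of the checks that go with the "demote first, then add secondaries" procedure: run from a remaining 2012 DC with the DnsServer and DhcpServer modules. The zone name, server names and IP addresses are placeholders, as is the assumption that DHCP runs on the 2012 DC.

```powershell
# Placeholders (not from the thread): zone corp.example, old 2003 DCs OLDDC1/OLDDC2,
# remaining DCs at 10.0.0.21 and 10.0.0.22, DHCP on DC2012.
Import-Module DnsServer
Import-Module DhcpServer

$zone    = 'corp.example'
$oldDcs  = @{ 'OLDDC1' = '10.0.0.11'; 'OLDDC2' = '10.0.0.12' }
$dhcpSrv = 'DC2012'

function Test-ReadyToDemote {
    # 1. The zone must still be AD-integrated on a DC that stays. Changing the zone type on an
    #    old DC instead would delete it from AD and replicate that deletion everywhere.
    $z = Get-DnsServerZone -Name $zone
    if (-not $z.IsDsIntegrated) { throw "$zone is not AD-integrated; investigate before demoting." }
    "Zone $zone type=$($z.ZoneType) scope=$($z.ReplicationScope) dsIntegrated=$($z.IsDsIntegrated)"

    # 2. DHCP option 006 (server level and every scope) must no longer list the old DCs.
    $handedOut = @(Get-DhcpServerv4OptionValue -ComputerName $dhcpSrv -OptionId 6 -ErrorAction SilentlyContinue).Value
    foreach ($s in Get-DhcpServerv4Scope -ComputerName $dhcpSrv) {
        $handedOut += @(Get-DhcpServerv4OptionValue -ComputerName $dhcpSrv -ScopeId $s.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
    }
    $stillUsed = $oldDcs.Values | Where-Object { $handedOut -contains $_ }
    if ($stillUsed) { Write-Warning "DHCP still hands out old DCs as DNS servers: $($stillUsed -join ', ')" }

    # 3. Allow zone transfers only to the old DCs, which will host secondaries after demotion,
    #    so a full zone dump (AXFR) is not available to any host that asks for one.
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers -SecondaryServers ($oldDcs.Values)
}

function Remove-StaleNsRecords {
    # Run AFTER dcpromo on the old servers. Demotion does not reliably remove the apex NS
    # records, and a demoted host must not be advertised as authoritative: resolvers would
    # follow the stale NS to a secondary that may be lagging or offline.
    $ns = Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -Name '@'
    $stale = $ns | Where-Object { $oldDcs.Keys -contains $_.RecordData.NameServer.TrimEnd('.').Split('.')[0] }
    foreach ($r in $stale) {
        "Removing stale NS record: $($r.RecordData.NameServer)"
        Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $r -Force
    }
}

# On the demoted 2003 servers themselves, which lack the DnsServer module, the secondary is
# created with:  dnscmd /ZoneAdd corp.example /Secondary 10.0.0.21 10.0.0.22
Test-ReadyToDemote
# Remove-StaleNsRecords   # uncomment once both old DCs have been demoted
```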