Score:0

Convert AD-integrated DNS zones to Primary DNS zones


We have inherited a domain with 2008 R2 domain controllers running DNS on them. We want to add Windows Server 2019 to the domain then demote the 2008 R2 domain controllers to just DNS servers. We are firewalling them then and we will run the domain with Windows Server 2019 DCs and the 2008 R2 DNS servers for a little before retirement. (Because Domain Controllers need to be a minimum OS for Microsoft Password management for Azure).
I have never reversed it like this and normally we export the zones to another DNS server solution then delete them one at a time. What information do I need to pass on to the local network folks to look out for? What more administration will they need to do in this state?
Just FYI, it needs to be done this way because of legacy stuff on-site and we can't speed up retirement of that but we need to deploy the Azure password reset stuff. I just want to know what issues to look for when we convert the DNS zones from AD-integrated to Primary or Secondary.

joeqwerty:
Why would you do this? Introduce your Windows Server 2019 Domain Controllers. Make sure you've migrated everything to them (DHCP, Print, etc.) and demote the Windows Server 2008 R2 servers altogether. Why would you keep the Windows Server 2008 R2 servers as DNS servers?
Glenn Dalton:
We use a different DNS solution than Microsoft in my company, and we intend to retire this domain completely at some point. My team supports AD objects and we lock down the DCs so only team members can log in with special IDs. We don't support DNS and don't want to support DNS.
LeeM:
You say you don't manage AD DNS, but *you do* on those 2008 boxes, whether or not you do actively. The domain controllers rely on it heavily, as do the domain clients. Where do you think they get the _SRV records for domain services? If you want to ignore DNS, up to you, but I *strongly recommend* you simply DC-promo your new machines, let them replicate the DNS zones and everything else - since your domain is apparently *functioning fine* at present - then transfer the FSMOs and unpromo the legacy DCs. Then go back to ignoring DNS per your current practice.
LeeM:
Maybe your third-party DNS manages the domain _SRVs - even `bind` can do it if your network team loves writing scripts and messing around - but if the DCs currently have AD-integrated zones and the domain is healthy, I don't understand why you wouldn't want to simply **maintain** that same state when migrating to the new boxes. It'd be a lot more effort and risk to do as you propose and dismantle something that is working right now with no issues.
Score:2

I guess I'm confused. In your comment you say that you don't want to manage DNS but in your question you're asking how you can transfer the DNS zones to the Windows Server 2008 R2 servers... so you can manage them.

Confusion aside, promote the Windows Server 2019 servers to Domain Controllers. Demote your Windows 2008 R2 servers. When you're ready to decommission AD DS you can simply do that from the Windows Server 2019 Domain Controllers.

If you need to keep the Windows Server 2008 R2 servers because of "legacy stuff" and you need the Windows Server 2019 servers for "Microsoft password management for Azure" (whatever that means. I'll assume you mean for Azure AD Connect, but please clarify), then simply introduce one or two Windows Server 2019 Domain Controllers, leave the Windows Server 2008 R2 Domain Controllers as is, and decommission all Domain Controllers when you decommission AD DS. It sounds like you're making this more complex than it needs to be.

Glenn Dalton:
We already have Azure AD Connect servers in our main domain. All of the domains are "connected" via an IAM solution like SailPoint. We are trying to implement Azure AD Password Protection in a hybrid environment, which requires loading components on the on-premises domain controllers. It isn't really supported on older Windows Server operating systems.
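The answer and the comments above describe the recommended sequence (promote the 2019 servers, let them replicate the AD-integrated zones, move the FSMO roles, then demote the 2008 R2 DCs) and point out that domain clients depend on the `_SRV` locator records in those zones. The following PowerShell script is an added example, not code from this thread or from Microsoft; it is a read-only health check to run before and after the demotion. It assumes the RSAT `ActiveDirectory` and `DnsServer` modules are installed and that the account running it can read DNS server configuration on each DC; it reports the FSMO role holders, shows for every DC's DNS whether each zone is AD-integrated or file-backed, and verifies from each DNS server that the SRV locator records point only at controllers that still exist.

```powershell
# Added example (not from the thread): pre/post-demotion DNS and DC health check.
# Assumes RSAT ActiveDirectory and DnsServer modules are installed and the
# account running it can read DNS server configuration on each DC.
#Requires -Modules ActiveDirectory, DnsServer

[CmdletBinding()]
param(
    # Domain to check; defaults to the domain of the machine running the script.
    [string]$Domain = (Get-ADDomain).DnsRoot
)

$domainInfo = Get-ADDomain -Identity $Domain
$forestInfo = Get-ADForest -Identity $domainInfo.Forest
$dcs        = Get-ADDomainController -Filter * -Server $Domain

Write-Host "FSMO role holders (each must live on a DC that will remain):"
[pscustomobject]@{
    PDCEmulator          = $domainInfo.PDCEmulator
    RIDMaster            = $domainInfo.RIDMaster
    InfrastructureMaster = $domainInfo.InfrastructureMaster
    SchemaMaster         = $forestInfo.SchemaMaster
    DomainNamingMaster   = $forestInfo.DomainNamingMaster
} | Format-List

Write-Host "Domain controllers and how their DNS zones are stored:"
foreach ($dc in $dcs) {
    Write-Host ("  {0} ({1}), site {2}" -f $dc.HostName, $dc.OperatingSystem, $dc.Site)
    try {
        Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { -not $_.IsAutoCreated } |
            ForEach-Object {
                # An AD-integrated zone cannot stay AD-integrated once its host is demoted,
                # so every such zone on a server slated for demotion needs a decision first.
                $storage = if ($_.IsDsIntegrated) {
                    "AD-integrated ($($_.ReplicationScope))"
                } else {
                    "file-backed $($_.ZoneType)"
                }
                Write-Host ("    zone {0,-40} {1}" -f $_.ZoneName, $storage)
            }
    } catch {
        Write-Warning ("    could not query DNS on {0}: {1}" -f $dc.HostName, $_.Exception.Message)
    }
}

# Locator records every domain member depends on; each target must be a current DC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.$Domain"
)
$liveDcNames = $dcs | ForEach-Object { $_.HostName.ToLower().TrimEnd('.') }

Write-Host "SRV locator records as seen from each DNS server:"
foreach ($dc in $dcs) {
    foreach ($srv in $srvNames) {
        try {
            $answers = Resolve-DnsName -Name $srv -Type SRV -Server $dc.HostName -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
        } catch {
            Write-Warning ("  {0}: {1} not resolvable: {2}" -f $dc.HostName, $srv, $_.Exception.Message)
            continue
        }
        foreach ($rec in $answers) {
            $target = $rec.NameTarget.ToLower().TrimEnd('.')
            if ($liveDcNames -notcontains $target) {
                # A stale record (a demoted DC still advertised) sends clients to a host that
                # no longer answers LDAP or Kerberos; it must be cleaned up after demotion.
                Write-Warning ("  {0}: {1} -> {2} is NOT a current DC (stale record)" -f $dc.HostName, $srv, $target)
            } else {
                Write-Host ("  {0}: {1} -> {2} OK" -f $dc.HostName, $srv, $target)
            }
        }
    }
}
```

Run it once before promoting the 2019 servers to capture the current state, again after the FSMO transfer to confirm the roles moved, and a final time after demoting the 2008 R2 servers; any warning in the last run is either a zone that was left on a demoted box or a stale locator record that clients can still be handed.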