Changing SOA & DNS server for an Active Directory DDNS zone

Kevin Darcy kcd at daimlerchrysler.com
Mon Oct 10 20:51:25 UTC 2005


Andy Blanchard wrote:

>Does anyone have any ideas on the smoothest method of migrating the
>SOA and owner of the writable data for a dynamic Windows AD domain
>between two BIND v9.x servers?  I don't seem to be having much luck
>with finding a definitive answer to this one, and the best I have so
>far is as follows:
>
>Stop the DNS server on the current master (to flush pending updates)
>Stop the DNS server on the intended master (ditto)
>Copy the zone file from the current master to the replacement
>
>Then, on the new master:
>
>   Change the SOA record and increment the serial number by hand
>   Change "named.conf" to reflect the new status
>   Restart BIND
>
>And on the old master, and the other slaves:
>
>   Change "named.conf" to slave the zone from the new master server
>   Restart BIND / reload the BIND configuration
>
If you want to minimize the number/possibility of missed Dynamic Updates 
during the transition, lower the TTL value on the SOA record and/or 
force propagation of the SOA record change to all of the slaves and/or 
set up the old master to forward Dynamic Updates to the new master.

>That *seems* to cover everything from the point of view of BIND, but
>is there anything else I should be doing, and are there any changes
>that need to be made to the Windows' domain controllers?
>
AFAIK, the Domain Controllers determine the identity of the master from 
SOA.MNAME and nothing else.

Make sure, of course, that the Domain Controllers have Dynamic Update 
capability to the new master. If firewalls or Intrusion Detection 
devices are involved, for instance, then their rules may need to be updated.

- Kevin
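The "change the SOA record and increment the serial number by hand" step above, together with the suggestion to lower the SOA TTL, is easy to get subtly wrong (a relative MNAME, a serial that goes backwards). The following is an added example, not code from this thread or from BIND, that performs that edit on a zone file while leaving every other byte intact; the `corp.example` zone text, the host names and the `migrate_soa`/`soa_fields` helpers are constructed for illustration, and it assumes the SOA has an explicit owner and the usual `owner [ttl] [IN] SOA` field order.

```python
import re

# Constructed zone file for an AD domain served by BIND (example data only).
SAMPLE_ZONE = """\
$ORIGIN corp.example.
$TTL 3600
@       IN SOA  ns1.corp.example. hostmaster.corp.example. (
                2005101001 ; serial
                900        ; refresh
                600        ; retry
                86400      ; expire
                3600 )     ; minimum
        IN NS   ns1.corp.example.
        IN NS   ns2.corp.example.
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.corp.example.
"""

WS = r'(?:\s|;[^\n]*)+'           # blanks, newlines and ';' comments allowed between SOA fields
OWS = '(?:' + WS + ')?'           # optional form of the above
SOA_RE = re.compile(
    r'^(?P<owner>\S+)' + WS + r'(?:(?P<ttl>\d+)' + WS + r')?(?:IN' + WS + r')?SOA' + WS
    + r'(?P<mname>\S+)' + WS + r'(?P<rname>[^\s(]+)' + OWS + r'\(?' + OWS
    + WS.join(rf'(?P<{f}>\d+)' for f in ('serial', 'refresh', 'retry', 'expire', 'minimum'))
    + OWS + r'\)?', re.M)

def migrate_soa(zone_text, new_mname, soa_ttl=None):
    """Return (new_zone_text, new_serial): MNAME replaced, serial bumped, SOA TTL optionally set."""
    if not new_mname.endswith('.'):
        # A relative MNAME gets $ORIGIN appended, so the DCs would look for a master that does not exist.
        raise ValueError("new MNAME must be fully qualified (trailing dot): %r" % new_mname)
    m = SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record found")
    new_serial = (int(m['serial']) + 1) % 2**32            # RFC 1982 serial arithmetic (wraps at 2^32)
    edits = [(m.span('serial'), str(new_serial)), (m.span('mname'), new_mname)]
    if soa_ttl is not None:
        if m['ttl'] is not None:
            edits.append((m.span('ttl'), str(soa_ttl)))
        else:                                              # record has no TTL field: add one after the owner
            edits.append(((m.end('owner'), m.end('owner')), ' %d' % soa_ttl))
    out = zone_text
    for (start, end), text in sorted(edits, reverse=True):   # splice right-to-left so spans stay valid
        out = out[:start] + text + out[end:]
    return out, new_serial

def soa_fields(zone_text):
    """Parse the SOA RR into a dict of its fields (None if absent); handy for checking the result."""
    m = SOA_RE.search(zone_text)
    return m.groupdict() if m else None
```

Run it on the copied zone file on the new master before starting BIND there, then confirm with `soa_fields` that MNAME names the new master and the serial is higher than the one the slaves currently hold.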
