Migrating Microsoft AD Domain to Existing BIND9 Infrastructure

Millar, Jay Jay.Millar at stjohn.org
Fri Feb 11 22:00:04 UTC 2005


To clarify, there are actually three domains involved:

      domain.com - static,  BIND9 master server A
   ad.domain.com - dynamic, AD domain, BIND9 master server A
       other.com - dynamic, AD domain, MS DNS master server B

We do in fact want to migrate the hosts in the 'other.com' domain to our
existing 'ad.domain.com' domain using AD with our BIND9 master.  The
'ad.domain.com' is an existing AD domain which we have managed using BIND9
for several years.  In the end, we will have accomplished consolidation of
our internal domain space (which will greatly simplify things for us), as
well as having eliminated our MS DNS server infrastructure (which most of
us here see as a very good thing).

So, my theory was that the migration from one domain to the other would
simply involve 'unregistering' systems in the 'other.com' domain, then
re-registering them as new systems in 'ad.domain.com' one at a time.

"Millar, Jay" <Jay.Millar at stjohn.org> wrote:

>We currently have a BIND9 implementation supporting our Active Directory
>domain, and have been successfully running this configuration for several
>years (in part, thanks to you folks!).  In any event, we have been
>presented an 'opportunity' to migrate a separate Active Directory domain
>managed by Microsoft DNS servers into our existing infrastructure.  Our
>company has merged with another (smaller) entity, which was running this
>setup.
>
>In any event, we would like to rid ourselves of these legacy Microsoft DNS
>servers supporting the other domain, and eliminate the other domain
>entirely.  Of course, this will require some interesting work from a
>client configuration perspective...but that's not my immediate concern.
>I'd like to validate my line of thinking as to how to migrate these
>Microsoft-managed, AD registered servers.
>
>My thought was that it would be a matter of arranging a scheduled
>transition period for each affected server.  We would likely want to do
>this one at a time.  The admin of the affected server would 'unregister'
>the system from the old domain, and reconfigure it to point to our BIND9
>DNS servers using the new domain.  The reconfiguration would accomplish
>the task of registering the server into our BIND9 managed AD tree....and
>once this was done, the proper adjustments would have to be made for
>clients that had been accessing that server.
>
>Does this sound like the proper approach, and if anyone has done this
>type of migration before, are there any 'gotchas' that I should be wary
>of?

I am not sure I understand what will happen.  If the current domain is

     AD.example.com

and the master DNS for this domain is a MS W2k DNS Server, then all
DDNS updates from W2k workstations in that domain will be sent to the
MS DNS Server.  If you configure those workstations one-by-one to
use your BIND server as a DNS server, then either

     a) that BIND server will have the zone as a master.  But you
        can't have the same zone mastered on different servers with
        different contents.  The machines that use the MS DNS Server
        will see a different set of machine registrations than those
        machines that use the BIND DNS server.

     b) that BIND server will be a slave to the MS W2k DNS master,
        and all DDNS updates will be sent to the MS Server, as that
        server name will be in the SOA MNAME field.

Are you changing domain names?  If not, then why try to eliminate the
MS W2k DNS Server?  Use it for the AD zones, and slave those zones
on your BIND Server.

If I have misinterpreted your plans, then clarify what you want to do.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
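One check worth running before any host is moved, added here as an example and not part of the thread: pull the same zone from both servers with `dig @server zone AXFR`, compare the records each one holds, and read the SOA MNAME to see which server the workstations' DDNS updates will actually be sent to (Barry's cases a and b). The server names and both zone dumps below are constructed sample data.

```python
# Added example (not from the thread): compare one AD zone as served by two
# DNS servers and show which server DDNS clients will send updates to.
# Dumps are constructed samples in the format `dig @server zone AXFR` prints.
from collections import defaultdict

MS_DNS_DUMP = """\
other.com.            3600 IN SOA msdns.other.com. hostmaster.other.com. 2005021101 900 600 86400 3600
other.com.            3600 IN NS  msdns.other.com.
_ldap._tcp.other.com. 600  IN SRV 0 100 389 dc1.other.com.
dc1.other.com.        1200 IN A   10.1.0.5
ws17.other.com.       1200 IN A   10.1.0.40
ws18.other.com.       1200 IN A   10.1.0.41
"""
BIND_DUMP = """\
other.com.            3600 IN SOA bind-a.domain.com. hostmaster.domain.com. 2005021101 900 600 86400 3600
other.com.            3600 IN NS  bind-a.domain.com.
_ldap._tcp.other.com. 600  IN SRV 0 100 389 dc1.other.com.
dc1.other.com.        1200 IN A   10.1.0.5
ws17.other.com.       1200 IN A   10.1.0.40
ws19.other.com.       1200 IN A   10.1.0.42
"""

def parse_zone(dump):
    """Map (owner, type) -> set of rdata strings; blank and ';' lines skipped."""
    records = defaultdict(set)
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)        # owner TTL class type rdata
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        records[(owner.lower(), rtype.upper())].add(" ".join(rdata.split()))
    return records

def update_target(records):
    """MNAME (first SOA field): the server DDNS clients send updates to."""
    for (_owner, rtype), rdatas in records.items():
        if rtype == "SOA":
            return next(iter(rdatas)).split()[0]
    return None

def diff_zones(a, b):
    """Records held by only one server (SOA excluded: it differs by design)."""
    flat = lambda z: {(o, t, r) for (o, t), rs in z.items() if t != "SOA" for r in rs}
    return sorted(flat(a) - flat(b)), sorted(flat(b) - flat(a))

if __name__ == "__main__":
    ms, bd = parse_zone(MS_DNS_DUMP), parse_zone(BIND_DUMP)
    print("DDNS updates go to:", update_target(ms), "vs", update_target(bd))
    print("only on MS DNS / only on BIND:", diff_zones(ms, bd))
```

Two non-empty difference lists for the same zone mean the split-master situation Barry describes in (a): clients pointed at different servers see different registrations.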


