Microsoft DNS Forwarding

wrecktangle · ‎08-27-2020

I’m planning a migration from Microsoft AD-integrated DNS to Infoblox. Up to this point, I've only migrated Linux BIND servers. This group of DNS servers are running on Domain Controllers. After migration, the DCs will remain and I plan to configure them as forwarders because we have large number of servers and appliances statically pointed to the DCs.

Here’s my plan for the Microsoft DCs after they are properly communicating with Infoblox:

Delete the forward and reverse zones out of AD
Clear DNS cache on the DCs
Perform a test query as well as an SOA query against a DC to make sure the serials are consistent.

The problem is I’m not very familiar with Microsoft DNS and what isn’t clear is how the Microsoft forwarders will handle reverse entries. Will the forwarders forward reverse queries? Are there any other steps needed on the Microsoft DCs to properly configure them as forwarders?

aralvidra02 · ‎08-31-2020

Hi,

On my understanding, if wants to migrate Microsoft AD integrate DNS, we needs to allow update from the domain controller (DC) and let the DC updates the AD integrate records to Infoblox. To enable the DC update the AD integrated records you needs to revoke the DNS service from the AD. If the DNS service are not stop from the DC, it wont do the updates.

At a high level you can:

1. Static import the records to the _zones and any other relevant zones

2. Validate you have the data and the systems are functional (everything should work without issue until the domain controllers attempt to make DNS changes)

3. Remove the records from the _zones (a trick is to uncheck "Automatically create underscore zones" form the 'Active Directory' tab of the zone properties as this will remove the zones and records, then re-enable/check the option to recreate the now empty underscore zones)

5. Change DC DNS configuration point to Infoblox

6. stop DNS service on DC

7. Restart netlogon to repopulate the records

wrecktangle · ‎09-01-2020

Hi and thanks. However, I have documented and understand the steps to migrate from Microsoft to Infoblox. What is not clear is how to properly place the DC in a forwarding state, after the migration is complete. What is the proper way to configure DNS forwarding on the Microsoft DC?

aralvidra02 · ‎09-02-2020

Hi thanks to clarify,

From the step that you mention, i can see that you will remove all the zone out of the AD. What about the Active Directory DNS object? are going to make it static record (_ldap._tcp.west._sites.DomainDnsZones.example.net. 600 IN SRV 0 100 389 dc02. example.net.)? while this record are recommended to be added dynamically (using DDNS) by the domain controller it self.

So, if referring to step that i mention before. There is no DNS service on the Microsoft DC anymore. All will be handled by Infoblox. All the servers and client should point to Infoblox. and for sure there will be no DNS forwarding on the DC, since the DNS server at DC will be revoke/stop from it.

Actually, infoblox also have whitepaper about how to migrate the DNS to Infoblox in best prac

if you want to see what i've done in lab about migrating DNS service from Microsoft AD to Infoblox, here's my documentation.

*https://www.youtube.com/watch?v=Ba1n-vgfA90&t=40s

Thanks.

THE GAME HAS CHANGED

NIOS DNS DHCP IPAM

Microsoft DNS Forwarding

lerRe: Microsoft DNS Forwarding

Re: lerRe: Microsoft DNS Forwarding

Re: Microsoft DNS Forwarding