DHCP/DNS problems when migrating computers

Discussion in 'Server Migration' started by Steve Kadish, Mar 20, 2009.

  1. Steve Kadish

    Steve Kadish Guest

    Hi all,

    We recently merged with another company and we are trying to merge their
    users and computers into our forest. So far the testing has mostly gone
    smoothly, but I had one problem with my test of migrating a workstation.

    The source domain uses Active Directory DHCP. The target domain uses a DHCP
    server on a Cisco router. When I migrated the computer, it continued to get
    a DHCP address from the source domain's DC, along with the source domain's
    DNS servers. Therefore it didn't register itself properly with the target
    domain's DNS servers; the workstation appeared in both domains but was
    inaccessible from either. We had to manually set the IP, gateway, and DNS.

    Can anyone give me any advice on how we can handle this problem?

    Thanks,
    - Steve
     
    Steve Kadish, Mar 20, 2009
    #1

  2. Hello Steve,

    Both DHCP servers are on the same subnet? Well, then first come first serve.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Mar 20, 2009
    #2

  3. Marcin

    Marcin Guest

    Steve,
    have you considered configuring DNS Server via a GPO linked to the OU
    hosting migrated computers in the target domain? This would take precedence
    over the setting assigned through DHCP. For more info, refer to
    http://support.microsoft.com/kb/294785

    hth
    Marcin
     
    Marcin, Mar 20, 2009
    #3
  4. How is DNS configured between both companies?

    Are both networks on the same subnet now, or are the offices using a VPN to
    connect? Based on your post, it would appear that they are on the same
    subnet.

    One suggestion:
    If you are assimilating the company, and both systems (yours and theirs) are
    on the same subnet (assumption based on the description in your post), the
    first thing is to coexist DNS by creating Secondary zones of the other on
    yours, and vice versa.
    Then settle on ONE DHCP server, namely yours, the Windows DHCP service.
    Stick to your DNS servers. The secondary zones on your DNS server have
    references to the Master zones on the other system's DNS, so when an update
    comes in from one of their machines through your DHCP, based on the Primary
    DNS Suffix, it will attempt to register into their DNS zone, and the
    secondary will send it up to the Master, on THEIR DNS server.
    So there is nothing to worry about their systems properly still registering
    into their DNS. Of course, make sure you have enough IPs to accommodate all
    machines.

    I hope that helps.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Mar 22, 2009
    #4
  5. Steve Kadish

    Steve Kadish Guest

    Hi all,

    Thanks for the responses!

    Actually the networks are on different subnets. I am routing between all
    the subnets and everything is on private lines so there are no VPNs.

    Also, our DHCP server is the Cisco one. "Their" DHCP server is the Active
    Directory one.

    Marcin - thanks for the GPO suggestion and link. Definitely a possibility.

    Ace - we already have the secondary DNS zones set up as you describe; this
    was done when we created the trusts between the domains. If I understand you
    correctly, you are suggesting that we only use our DNS servers in *both* DHCP
    configs and let DNS sort it out. Is that right? That would be simple, and
    elegant.

    Thanks,
    - Steve
     
    Steve Kadish, Mar 23, 2009
    #5
  6. Simple and elegant, yes, and if you are routed, that will work. VPN or
    routed, same thing, you are connected. As for which machine gets an IP from
    a DHCP server, the ones on their subnet are getting their config from their
    DNS, and your subnet from your router. So I do not see how they are getting
    an IP from your router or your machines are getting from their DHCP unless
    of course the Cisco router is interconnecting and you have a DHCP scope set
    for both subnets on the router. If that is the case, I would suggest to
    disable the other scope otherwise it is a conflict of DHCP services on the
    same subnet.

    Since you are assimilating THEM, I would suggest to move away from Cisco
    DHCP and use your own DC as the DHCP server. And I highly suggest to use
    WINS on both sides. Configure a WINS server on one of your servers, probably
    the same DC you configure DHCP on. Then configure the following options on
    your server. Add the WINS options on THEIR DHCP server for YOUR WINS server:
    Also use YOUR DNS server instead of theirs on their side. This is the first
    step to pointing everything on your end.

    003 Router address
    006 Internal DNS address
    015 Internal AD DNS domain name
    044 Wins Address
    046 WINS Mode - 0x8

    This way all resolution is on your end instead of theirs. It consolidates it
    and centralizes it, and makes it easier towards the final switch over.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Mar 23, 2009
    #6
  7. Hi Ace,

    Unfortunately, moving from Cisco DHCP to Microsoft DHCP is not trivial,
    because we have 14 locations and each has a Cisco router with a DHCP pool on
    it. However, IP addressing is not the problem. Their computers are getting
    IPs from their DHCP server, and ours from our server, as it should be. The
    only problem is with the DNS registration.

    It seems to me that I can set up WINS as you suggest even with the Cisco
    DHCP. My only question is about option 15 - the DNS domain name. Let's call
    our domain "parentco.com" and their domain "childco.com." Right now their
    unmigrated workstations are "computer1.childco.com." If I set the WINS
    option 15 to "parentco.com" on their WINS server, which is what I think you
    are suggesting, won't all of their workstations become
    "computer1.parentco.com" and become a problem?

    Thanks,
    - Steve
     
    R. Steven Kadish, Mar 23, 2009
    #7
  8. Good point about the 015, so we'll keep that out. As for DNS, you can
    consolidate it to your DNS servers by changing their DHCP 006 options to
    point to your DNS. Registration works based on the machine's Primary DNS
    Suffix. When a machine registers, even into a DNS server that has a
    secondary zone, say their machines are sending the registration to your
    machine, the MNAME is queried and the registration request is sent to their
    DNS server, then the secondary zone transfers and updates on to your
    machine. So it is ok to have a secondary of their zone and the reg requests
    go to them. As for their DCs, they can still point to themselves, and still
    be able to resolve their own and your domain (because of them having a
    secondary of your zone).

    As for WINS, WINS does not use the suffixes, as you are implying. The
    Primary DNS suffix defines the machine's domain, and the search suffix
    defines what suffix the client side hostname resolver uses when devolving
    single names. This means that on a machine that has a parentco.com suffix,
    and you ping 'machinename,' the client side resolver will append
    parentco.com to the name resulting in machinename.parentco.com, and then
    uses that to ping. You can facilitate resolution for both sides by adding
    the suffix of the other domain to each others' machines.

    WINS is simply NetBIOS name resolution to IP. This facilitates any NetBIOS
    based apps and services that require NetBIOS name resolution, and do NOT use
    suffixes. NetBIOS broadcasts are restricted across routers, and such apps
    and services will fail when trying to communicate across a router. Some
    apps and service examples that use NetBIOS: browser service (network
    neighborhood), printer browsing, certain functions of Outlook's calendaring
    availability publishing, SQL, and many others.

    I hope that makes sense.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Mar 23, 2009
    #8
  9. Steve Kadish

    Steve Kadish Guest

    Hi Ace,

    Thanks for your continued help. I started implementing your suggestions and
    was successful up to a point. Here's what I did:

    - installed a WINS server in the target domain (parentco.com)
    - configured the DHCP server in the source domain (childco.com) with the 06,
    044, and 046 options. The workstations in the source domain are now using
    the DNS servers and WINS server in the target domain.

    Then I migrated a computer from the childco.com to parentco.com. Everything
    was successful. I could connect to the computer's ADMIN$ share remotely,
    etc. So far, so good. This was further than I had gotten before.

    However, the migrated computer STILL did not register itself in the target
    domain's DNS automatically. I could resolve computer74.childco.com (the
    original A record), but not computer74.parentco.com.

    I ran "ipconfig /registerdns" on the migrated computer, and then it
    registered itself in parentco's DNS. Now I have A records for BOTH
    computer74.childco.com and computer74.parentco.com.

    Shouldn't this DNS registration be happening automatically?

    Thanks much,
    - Steve
     
    Steve Kadish, Mar 24, 2009
    #9
  10. Yes, it should have registered. What DNS servers is the DHCP server at the
    source domain using? You would want it to use the target's. Give that a
    shot.

    No problem for the help!!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Mar 25, 2009
    #10
  11. Steve Kadish

    Steve Kadish Guest

    Hi Ace,

    Thanks, but I already did set the DHCP server in the source domain to give
    out the DNS server(s) in the target domain - that was a suggestion you made
    earlier. I double-checked before the migration that it was, indeed, giving
    out those IPs for DNS.

    Here's something I thought of - I don't know if it's the culprit. In the
    DNS configuration on a workstation, there's a setting for "Register this
    connection's address in DNS" (on by default) and a setting for "Use this
    connection's DNS suffix in DNS registration" (off by default). I'm assuming
    that with the second setting turned off, it is only using the hostname, and
    maybe that's why it's not registering in the correct domain. What do you
    think?

    Thanks,
    - Steve
     
    Steve Kadish, Mar 25, 2009
    #11
  12. Steve, see if the following passage helps. Use an account that has
    permissions on both domains.

    The entity that registers it owns the record. The nice thing about DHCP
    owning the record is it will update it if DHCP gives the machine a new IP.
    Otherwise you'll see multiples of the same in DNS whether scavenging is
    enabled or not. I would force DHCP to own the record as well as enable
    scavenging to keep it clean. To force DHCP to own the record, you will need
    to do the following:

    1. Add the DHCP server to the DnsUpdateProxy Group.
    2. Force DHCP to register all records, Forward and PTR, (whether a client
    machine can do it or not) in the Option 081 tab (DHCP properties, DNS tab).
    3. Set Option 015 to the AD domain name (such as example.com).
    4. Set Option 006 to only the internal DNS servers.
    5. If the zone is set for Secure Updates Only, then DHCP cannot update
    non-Microsoft clients and Microsoft clients that are not joined to the
    domain. In this case, you will need to create and configure a user account
    for use as credentials for DHCP to register such clients.
    If your DHCP servers are Windows 2003 or Windows 2008, configure the
    dedicated user account you created as credentials in DHCP by going into
    the DHCP Console, DHCP server properties, and on the Advanced tab of the
    DHCP Server Properties sheet click the Credentials button, and provide
    this account info.
    The user account does not need any elevated rights, a normal user account
    is fine, however I recommend using a Strong non-expiring password on the
    account.


    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Mar 25, 2009
    #12
  13. Steve Kadish

    Steve Kadish Guest

    Success!!!

    Adding credentials to the DHCP server seems to have done the trick!

    I also set both DNS zones for "secure and non-secure updates." I know it's
    a security risk, but at least it's only temporary.

    I could not add the DHCP server to the DnsUpdateProxy group in the target
    domain, because that's a global group, so it wouldn't allow me to add objects
    from the source domain.

    Also, the DHCP was *already* set to always update the A and PTR records.

    But with the credentials in there (an account in the target domain), it is
    now properly removing the DNS records from the source domain and adding them
    to the target domain when the workstation reboots after migration.

    Thanks again for all your help! Now we can finally move forward with this
    project.

    Thanks,
    - Steve
     
    Steve Kadish, Mar 25, 2009
    #13
  14. Great to hear! Post back if you have any questions. If not, good luck with
    everything! It should be smooth sailing now!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Mar 25, 2009
    #14
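
Added example, not code from any poster in this thread: a PowerShell audit of the end state discussed in posts 12 and 13, checking that the DHCP server holds DNS update credentials and always registers A/PTR records, and that zones temporarily opened to "secure and non-secure updates" are returned to secure-only. It assumes Windows Server 2012 or later with the DnsServer and DhcpServer modules (newer than the 2003/2008 servers in the thread); the server host names are hypothetical, and the zone names are the thread's own stand-ins.

```powershell
# Added example: audit (and optionally fix) the DHCP/DNS end state from the thread.
# Assumes Windows Server 2012+ with the DnsServer and DhcpServer modules.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DnsServer  = 'dns1.parentco.com',    # hypothetical host name
    [string]$DhcpServer = 'dhcp1.childco.com',    # hypothetical host name
    [string[]]$Zones    = @('parentco.com', 'childco.com'),
    [switch]$Remediate                            # revert open zones to secure-only
)
Import-Module DnsServer, DhcpServer -ErrorAction Stop

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Target, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Target = $Target; Issue = $Issue })
}

foreach ($name in $Zones) {
    $zone = Get-DnsServerZone -ComputerName $DnsServer -Name $name -ErrorAction Stop
    # Update policy is set on the primary; a secondary copy only refers clients to it.
    if ($zone.ZoneType -ne 'Primary') { continue }
    if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        Add-Finding $name 'Zone accepts unauthenticated dynamic updates'
        # Secure-only updates require an AD-integrated zone.
        if ($Remediate -and $zone.IsDsIntegrated -and
            $PSCmdlet.ShouldProcess($name, 'Set DynamicUpdate to Secure')) {
            Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $name -DynamicUpdate Secure
        }
    }
}

# DHCP needs stored credentials to update a secure-only zone on behalf of clients.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if ([string]::IsNullOrEmpty($cred.UserName)) {
    Add-Finding $DhcpServer 'No DNS dynamic update credentials configured'
}

# Server-level Option 081 behaviour: always register A and PTR, also for older clients.
$dns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
if ($dns.DynamicUpdates -ne 'Always' -or -not $dns.UpdateDnsRRForOlderClients) {
    Add-Finding $DhcpServer 'DHCP is not set to always register A and PTR records'
}
if (-not $dns.DeleteDnsRROnLeaseExpiry) {
    Add-Finding $DhcpServer 'DNS records are not removed when leases expire'
}

$findings | Format-Table -AutoSize
```

Run it without -Remediate first to list findings; adding -Remediate -WhatIf shows which zones would be switched back to secure-only without changing them.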