Migration of DNS from Windows 2008 R2 to Windows 2012

    Question

  • Hello,

    We have a pair of Windows 2008 R2 servers running authoritative DNS services (they are not AD controllers, nor are they used as resolvers). There are ~20 domains + 10 DNSSEC domains hosted on those servers. We're considering migrating them to Windows 2012 servers and retaining the IP addresses.

    I'd greatly appreciate it if somebody could advise the basic steps for such a migration (particularly the DNSSEC part).

    Many thanks.

    Monday, May 12, 2014 4:14 PM

All replies

  • Hi,

    Since these are not AD integrated zones it should be fairly simple to move them. Copy the zone file to the system32\dns directory on the new server. Create a new file-backed primary zone on the 2012 server using DNS Manager and when it asks you for the zone file choose "use this existing file."

    For signed zones, the most reliable procedure would be to unsign the zone on 2008 R2, move the zone to 2012, and then sign the zone on 2012. Of course, this will require that you also update trust anchors.

    Let me know if there are reasons this procedure won't work for you.

    -Greg

    Monday, May 12, 2014 10:32 PM
    Owner
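    The procedure Greg describes, written out as a PowerShell script for the new 2012 server. This is an added example, not code from the thread: it assumes a source server named OLD-DNS01 reachable over its admin$ share, a zone named example.com stored in example.com.dns, and the DnsServer module cmdlets that ship with Windows Server 2012 (Add-DnsServerPrimaryZone, Invoke-DnsServerZoneSign, Export-DnsServerDnsSecPublicKey). It refuses to import a file that still carries DNSSEC records, and it checks resolution on the new server before you remove anything from the old one.

```powershell
# Added example (not from the thread). Run on the new Windows 2012 DNS server.
# Assumed names: OLD-DNS01 is the 2008 R2 source, example.com the zone, example.com.dns its file.
param(
    [string]$ZoneName     = 'example.com',
    [string]$SourceServer = 'OLD-DNS01',
    [string]$ZoneFile     = 'example.com.dns'
)

# 1. Copy the zone file into system32\dns on this server.
#    admin$ maps to %SystemRoot% on the remote machine (assumed reachable over SMB).
$src = "\\$SourceServer\admin`$\System32\dns\$ZoneFile"
$dst = Join-Path $env:SystemRoot "System32\dns\$ZoneFile"
Copy-Item -Path $src -Destination $dst -ErrorAction Stop

# 2. Per the procedure above the zone is unsigned on the old server and re-signed here,
#    so a file that still contains RRSIG/NSEC/DNSKEY lines is the wrong file.
if (Select-String -Path $dst -Pattern '\s(RRSIG|NSEC3?|DNSKEY)\s' -Quiet) {
    throw "$dst still contains DNSSEC records; unsign the zone on $SourceServer and copy it again."
}

# 3. Create the file-backed primary zone from the existing file
#    (the equivalent of "use this existing file" in DNS Manager).
Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile $ZoneFile -ErrorAction Stop

# 4. Test on the new server BEFORE deleting the zone from the old one:
#    both servers must answer with the same SOA serial.
$oldSoa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $SourceServer -DnsOnly -ErrorAction Stop
$newSoa = Resolve-DnsName -Name $ZoneName -Type SOA -Server 127.0.0.1    -DnsOnly -ErrorAction Stop
if ($oldSoa.SerialNumber -ne $newSoa.SerialNumber) {
    throw "SOA serial mismatch: $SourceServer=$($oldSoa.SerialNumber) new=$($newSoa.SerialNumber)"
}
Write-Host "Zone $ZoneName imported; serial $($newSoa.SerialNumber) matches $SourceServer."

# 5. Sign the zone on 2012 (online signing with the default KSK/ZSK settings), then
#    export the DS set so the parent zone and any trust anchors can be updated.
Invoke-DnsServerZoneSign -ZoneName $ZoneName -SignWithDefault -Force -ErrorAction Stop
$dsDir = Join-Path $env:TEMP "dsset-$ZoneName"
New-Item -ItemType Directory -Path $dsDir -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $ZoneName -Path $dsDir -DigestType Sha256 -DS -Force
Write-Host "DS records for the trust-anchor update:"
Get-ChildItem -Path $dsDir -File | ForEach-Object { Get-Content -Path $_.FullName }

# 6. Confirm the server now answers with a DNSKEY for the zone.
Resolve-DnsName -Name $ZoneName -Type DNSKEY -Server 127.0.0.1 -DnsOnly -DnssecOk |
    Select-Object Name, Type, TTL
```

    Run it once per zone; the unsigned zones stop after step 4 if you drop the signing steps, and the exported DS set is what has to replace the old trust anchor wherever the old one is configured (resolvers that validate, the parent zone, or the TrustAnchors zone on other Windows servers).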
  • Thank you very much Greg.

    Does the same procedure work for Windows 2003 servers (same setup -- non-AD-integrated zones hosted on a Windows 2003 server to be migrated to Windows 2012)?

    I've been also following this thread: http://social.technet.microsoft.com/Forums/windowsserver/en-US/7f92cb07-7a23-4d24-a5d2-0d8eac3100ad/dnssec-in-windows-server-2012-signature-refresh-on-secondary?forum=winserver8gen#52fac5a4-d8c7-4ecb-8b07-672657eb6e00

    One of the reasons why we decided to migrate to Windows 2012 was because in our case DNSSEC updates from the primary DNS are not replicated to the secondary DNS (no matter whether the serial number is incremented). So we're using custom-made scripts to manually copy DNSSEC zones to the secondary DNS and restart the service (every time zones are signed on the primary). Do you by chance know whether the replication of DNSSEC zones works on Windows 2012?

    Thank you for your time.

    Tuesday, May 13, 2014 7:12 AM
  • Hi,

    It worked for me with a test zone but my example only had a single A record. You should test this first by adding the zone and testing resolution on the 2012 server before deleting it from the 2003 server.

    The bug for secondary zones that you describe in Server 2008 is news to me. However, 2012 and 2012 R2 have many advantages over 2008 R2 for DNSSEC signed zones, so I would recommend you migrate even if you weren't having problems on 2008 R2.

    If you've been following the thread you mentioned above, you know that I've been doing a lot of testing with signed zones being updated on secondary servers. The signed zone is *always* updated on a secondary server but if the change on the primary was only a signature refresh then as of right now there is still a bug where the newest RRSIGs are not transferred to the secondary server. This happens because the zone transfer occurs just before the new RRSIG is generated on the primary. This causes it to be left behind on the primary server unless there is another zone transfer afterward. Note that a zone transfer still happens, it just happens too soon. The zone transfer that happens is an incremental zone transfer.

    If the previous RRSIG expires before another zone transfer occurs then the zone can have validation problems on the secondary. There is a hotfix for this that will be distributed soon. I am checking now on the date.

    If you increment the serial # on the primary, the secondary should get a full zone transfer.

    -Greg


    Tuesday, May 13, 2014 9:56 PM
    Owner
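    A check for the failure mode Greg describes: the incremental transfer runs before the refreshed RRSIG is generated, so the secondary can keep an older signature until another transfer happens, and validation breaks once that signature expires. This is an added example, not from the thread; it assumes a primary named NS1, a secondary named NS2, a zone example.com, and that Resolve-DnsName with -DnssecOk returns RRSIG records carrying TypeCovered and Expiration properties. It reports any covered type whose newest signature on the secondary is older than on the primary, or within a configurable number of days of expiring, and with -Fix it forces a full transfer on the secondary, which is the remedy the reply above points at (a full transfer when the serial moves).

```powershell
# Added example (not from the thread). Compare RRSIG freshness on a primary and a secondary.
# Assumed names: NS1 (primary), NS2 (secondary), zone example.com.
param(
    [string]$ZoneName  = 'example.com',
    [string]$Primary   = 'NS1',
    [string]$Secondary = 'NS2',
    [int]$WarnDays     = 2,
    [switch]$Fix
)

function Get-RrsigExpiry {
    param([string]$Server, [string]$Name)
    # -DnssecOk sets the DO bit so signatures are returned; -DnsOnly bypasses cache and hosts file.
    # Returns the newest expiration per covered type (a refreshed zone usually has more than one
    # RRSIG per type during the overlap window).
    Resolve-DnsName -Name $Name -Type RRSIG -Server $Server -DnsOnly -DnssecOk -ErrorAction Stop |
        Where-Object { $_.Type -eq 'RRSIG' } |
        Group-Object -Property TypeCovered |
        ForEach-Object {
            $newest = $_.Group | Sort-Object -Property Expiration -Descending | Select-Object -First 1
            [pscustomobject]@{ TypeCovered = $_.Name; Expiration = $newest.Expiration }
        }
}

$now      = Get-Date
$deadline = $now.AddDays($WarnDays)
$onPrimary   = Get-RrsigExpiry -Server $Primary   -Name $ZoneName
$onSecondary = Get-RrsigExpiry -Server $Secondary -Name $ZoneName

$problems = foreach ($p in $onPrimary) {
    $s = $onSecondary | Where-Object { $_.TypeCovered -eq $p.TypeCovered }
    if (-not $s) {
        [pscustomobject]@{ TypeCovered = $p.TypeCovered; Problem = 'no RRSIG on secondary' }
    }
    elseif ($s.Expiration -lt $p.Expiration) {
        # Exactly the left-behind case: the primary refreshed, the secondary still serves the old one.
        [pscustomobject]@{ TypeCovered = $p.TypeCovered
                           Problem     = "secondary RRSIG older (sec $($s.Expiration), pri $($p.Expiration))" }
    }
    elseif ($s.Expiration -lt $deadline) {
        [pscustomobject]@{ TypeCovered = $p.TypeCovered
                           Problem     = "secondary RRSIG expires $($s.Expiration), within $WarnDays day(s)" }
    }
}

if (-not $problems) {
    Write-Host "OK: $Secondary carries the same or newer signatures as $Primary for $ZoneName."
    return
}
$problems | Format-Table -AutoSize

if ($Fix) {
    # Force a full (AXFR) transfer on the secondary so it picks up the RRSIGs generated
    # after the last incremental transfer.
    Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer -ComputerName $Secondary -ErrorAction Stop
    Write-Host "Full zone transfer requested on $Secondary for $ZoneName; re-run to confirm."
}
```

    Scheduling this to run daily on the primary (with -WarnDays set below the zone's signature validity period) turns the "signature expired on the secondary" outage into a warning you see before resolvers do.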
  • Also - remember to update the SOA and NS records in the zone to point to the new DNS servers and not the old ones.
    Wednesday, May 14, 2014 4:06 PM
    Owner
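    An audit for the last point, as an added example that is not from the thread: after the zones are on the 2012 servers, the apex NS records and the SOA primary-server name in each zone still say whatever they said on the 2008 R2 pair unless you change them. The script assumes the new servers are ns1.example.net and ns2.example.net (hypothetical), that apex records are addressed with the name "@" in Add-DnsServerResourceRecord, and that the SOA record's RecordData exposes a PrimaryServer field. Without -Fix it only reports; with -Fix it adds missing NS records, removes stale ones, and rewrites the SOA primary server on every file-backed primary zone on the server.

```powershell
# Added example (not from the thread). Audit/fix apex NS and SOA primary server after migration.
# Assumed names: ns1.example.net and ns2.example.net are the new DNS servers.
param(
    [string[]]$NewNameServers = @('ns1.example.net', 'ns2.example.net'),
    [switch]$Fix
)

# Normalise FQDNs (Windows returns NS targets with a trailing dot) so comparisons are reliable.
$wanted = $NewNameServers | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() }

$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsDsIntegrated -and
    $_.ZoneName -ne 'TrustAnchors'
}

foreach ($zone in $zones) {
    $z = $zone.ZoneName

    # Apex NS records ("@" is the zone apex in DnsServer output).
    $nsRecords = Get-DnsServerResourceRecord -ZoneName $z -RRType Ns -Name '@'
    $current   = @($nsRecords | ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLowerInvariant() })
    $stale     = @($current | Where-Object { $_ -notin $wanted })
    $missing   = @($wanted  | Where-Object { $_ -notin $current })

    # SOA primary server (MNAME).
    $soa       = Get-DnsServerResourceRecord -ZoneName $z -RRType Soa
    $soaMname  = $soa.RecordData.PrimaryServer.TrimEnd('.').ToLowerInvariant()
    $soaStale  = $soaMname -notin $wanted

    if (-not $stale -and -not $missing -and -not $soaStale) {
        Write-Host "$z : OK"
        continue
    }
    Write-Warning ("{0}: stale NS [{1}] missing NS [{2}] SOA primary '{3}'{4}" -f $z,
        ($stale -join ', '), ($missing -join ', '), $soaMname, $(if ($soaStale) { ' (old)' } else { '' }))

    if (-not $Fix) { continue }

    foreach ($m in $missing) {
        Add-DnsServerResourceRecord -ZoneName $z -Name '@' -NS -NameServer $m
    }
    foreach ($s in $stale) {
        # RecordData for NS is the target name; the server stores it with a trailing dot.
        Remove-DnsServerResourceRecord -ZoneName $z -RRType Ns -Name '@' -RecordData "$s." -Force
    }
    if ($soaStale) {
        # Set-DnsServerResourceRecord takes the old object and a modified clone.
        $new = $soa.Clone()
        $new.RecordData.PrimaryServer = "$($wanted[0])."
        Set-DnsServerResourceRecord -ZoneName $z -OldInputObject $soa -NewInputObject $new
    }
    Write-Host "$z : fixed"
}
```

    Add the glue A records for the new server names in the parent zone as part of the same change, and note that on a zone signed with 2012's online signing these edits are re-signed automatically, so the secondaries see a serial change and a transfer follows without the manual copy step mentioned earlier in the thread.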