
I have an Active Directory domain (we'll call it OLD.TLD) in production and need to change the name (for reasons I won't elaborate on).

There are many, many files with links to a DFS namespace in this domain. They mostly use the NetBIOS name, so a referral would be something like \\OLD\DFS\FOLDER which refers to \\SERVER\FOLDER.

At the end of the process, everything will be in the new domain (NEW.TLD) and the server will be SERVER.NEW.TLD. But it's necessary for \\OLD\DFS to work even after the old domain is gone.

I've considered the one-shot domain rename, changing just the FQDN but leaving the NetBIOS name intact. But this will cause a lot of havoc for people working from home (plus it will keep NetBIOS as a requirement).

So instead, I thought about migrating to a new domain with ADMT.

In order to investigate this, I:

  • Created a test domain TEST.TLD in a new forest
  • Created a two-way forest trust between OLD.TLD and TEST.TLD
  • Created a DNS stub zone in OLD.TLD to point to TEST.TLD
  • Created DNS CNAME records in TEST.TLD to refer SERVER to SERVER.OLD.TLD and OLD to OLD.TLD. Also there are CNAMEs to point the old domain controllers to the old domain.

So now, accounts in TEST.TLD can access \\OLD\DFS without any problems. Next I tried to see if I could fool the test domain into thinking that \\OLD\DFS was in the new domain. This is a process I envision happening as the final step of migration before removing the trust, and taking the old domain controllers down.

  • Created a domain DFS namespace for TEMP.TLD and added a couple of folder referrals to it, so that I can tell the two apart.
  • Disabled NetBIOS over TCP/IP in TEMP.TLD
  • Changed the CNAME record for OLD to point to TEST.TLD.
  • Cleared all three DFS caches, as well as DNS server and local caches.

However when I try to access \\OLD\DFS, I get all of the \\OLD.TLD\DFS folders. Is there another setting I need to change? Is it even possible to 'alias' a domain DFS namespace this way?

Spencer

1 Answer


I suspect your two-way trust might be the problem here. I can't think of a way to "hide" a trusted domain name even with the jiggery-pokery with CNAMEs.

You may notice a different result if you use FQDNs. What happens when you try "OLD.TEST.TLD"? I'd expect that to hit the new location. Perhaps.

Here's something to try: set up your CNAMEs with a completely different alias - does that still work? If so, cool, that's one thing.

Next, get rid of the trust from both sides, and get rid of any DNS records that point to your OLD.TLD destinations or names. Give it all a good scrub and allow plenty of time to replicate.

In the TEST environment, try connecting to the paths that belonged to the OLD namespace and ensure you get nothing/name not found. If it all tests clean, then try setting up your OLD CNAME again.

If that works, then you know it was the trust interfering there.

So then you'll need an outage to break the trust to finalise migrating over your DFS at the very last, with nice short TTLs on all your DNS.

LeeM
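An added example, not part of the question or the answer above: a PowerShell check for the test environment that shows where the \\OLD\DFS referral is actually being served from after each step (alias resolution, whether a trust to OLD.TLD still exists, which namespace servers and folder targets answer). It assumes the RSAT modules DFSN, DnsClient and ActiveDirectory on the test client; the domain and namespace names are the ones from the question.

```powershell
# Added example: report where the \\OLD\DFS referral really comes from while
# testing the alias. Assumes RSAT modules DFSN, DnsClient and ActiveDirectory.
param(
    [string]$Alias     = 'OLD',       # short alias used in the file links
    [string]$OldDomain = 'OLD.TLD',   # domain being retired
    [string]$NewDomain = 'TEST.TLD',  # domain the namespace should now come from
    [string]$Namespace = 'DFS'
)
Import-Module DFSN, DnsClient, ActiveDirectory -ErrorAction Stop

# 1. Flush client-side DNS and DFS referral caches so the answers are fresh.
Clear-DnsClientCache
& dfsutil.exe /pktflush | Out-Null

# 2. What does the alias resolve to, and is it a CNAME?
$dns = Resolve-DnsName -Name $Alias -ErrorAction SilentlyContinue
foreach ($rec in $dns) {
    if ($rec.Type -eq 'CNAME') { "DNS: $($rec.Name) -> CNAME $($rec.NameHost)" }
    elseif ($rec.Type -eq 'A')  { "DNS: $($rec.Name) -> A $($rec.IPAddress)" }
}

# 3. Is there still a trust to the old domain? (the answer's prime suspect)
$trust = Get-ADTrust -Filter "Name -eq '$OldDomain'" -ErrorAction SilentlyContinue
"Trust to ${OldDomain}: " + $(if ($trust) { "present ($($trust.Direction))" } else { 'none' })

# 4. Which namespace servers answer for \\OLD\DFS, and whose domain are they in?
$root    = "\\$Alias\$Namespace"
$targets = Get-DfsnRootTarget -Path $root -ErrorAction Stop
foreach ($t in $targets) {
    $server = ($t.TargetPath -split '\\')[2]   # \\server\share -> server
    $domain = if     ($server -like "*.$NewDomain") { $NewDomain }
              elseif ($server -like "*.$OldDomain") { $OldDomain }
              else   { 'unknown (short name: NetBIOS or CNAME?)' }
    "Root target: $($t.TargetPath)  [$domain]  state=$($t.State)"
}

# 5. List the folder links so the two namespaces can be told apart.
Get-DfsnFolder -Path "$root\*" | ForEach-Object {
    $ft = Get-DfsnFolderTarget -Path $_.Path
    "Link: $($_.Path) -> " + (($ft | ForEach-Object TargetPath) -join ', ')
}
```

Run it once before and once after each change (CNAME flip, trust removal) and diff the output; if the root targets still sit in OLD.TLD after the CNAME has been pointed at TEST.TLD, the referral is not coming from DNS at all.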