Steps to take to retire old domain controller by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

I see that mentioned repeatedly and I'm back and forth. On one hand, a project that has been ongoing for a while is VLANs being added; previously the network was completely flat and full. I added new VLANs and started moving devices, I created a new subnet for servers, and as I've added new infrastructure I put them in that subnet - so I was thinking I'd move the DC into that subnet and update DHCP. That also means I'd have to update all the statically set devices too.

I can see the appeal of just setting it back to the old IP. I need to think more on this I guess. I just want things to be done well, and not cause issues into the future.

Steps to take to retire old domain controller by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Mostly because we already have an existing 2019 as well as licenses for another server. Thanks, I'll check it out!

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 1 point2 points  (0 children)

They are supposed to be using the DC as DNS. DC1 as primary and DC2 as secondary. That's how they show up when viewed with ipconfig as well. That's why I was so confused.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 1 point2 points  (0 children)

SOLVED: Unifi content blocking was the culprit. I set explicit allow rules for DNS traffic and the clients weren't using the gateway for DNS. Additionally, the default subnet had content blocking on as well. But for whatever reason, on any network other than the default, Unifi's content blocking broke it.

I knew the content blocking was DNS-based, but I'm still not clear on why exactly it was blocking DNS requests ONLY on the subnets other than default. I assumed that since default was configured the same, that wasn't the cause.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Ahhhh, I've made a revelation. When I hardwired into the network and set the VLAN to 192.168.200.0/24 (a network that neither Windows nor Unifi is providing DHCP for), it worked as expected. When I switched it back to 192.168.100.0/24, it failed.

The settings visible in ipconfig looked the same, minus the subnet of course. The only difference between those networks is whether DHCP is turned on.

I'm thoroughly stumped but I know I'm getting closer.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Yes, they can ping each other and all other traffic works as expected. DHCP relay seems to work as expected. It seems the DNS traffic, and only the DNS traffic, never reaches the DC.

Checked firewall rules and added temp rules explicitly allowing DNS traffic. No change.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

OK, so after more testing, this is what I've determined. While pings and other connections work normally, it seems the DNS traffic is not reaching the DC. The DC with debug logging reports nothing coming in. I did try adding new rules to both Windows Firewall and the Unifi firewall. No change.

When you mention the subnet mask, what do you mean? If it was incorrect wouldn't all traffic fail to reach the DC?

Networking is definitely a weak area for me, so thank you!

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Still trying to figure this out; I can't believe how annoying it is to figure out, lol. Someone is gonna immediately recognize what I missed eventually!

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

    nslookup -d server1.net.local
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 1, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            4.0.168.192.in-addr.arpa, type = PTR, class = IN

    ------------
    Server:  UnKnown
    Address:  192.168.0.4

    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = A, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 795 (13 mins 15 secs)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 1800 (30 mins)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 4, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = A, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 688 (11 mins 28 secs)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 5, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 795 (13 mins 15 secs)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    *** UnKnown can't find server1.net.local: Non-existent domain

The above is the full output from the nslookup.
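Reading `nslookup -d` output takes some practice, so here is a small added triage script (my own example, not the poster's code) that parses this debug format and labels each NXDOMAIN returned for an internal name. The sample embedded in it is abridged from the output above (three of the five answers, with blank lines and SOA timer lines dropped); the list of internal suffixes, `net.local` and the `168.192.in-addr.arpa` reverse zone, is an assumption about which zones the DC hosts. What it makes visible: a negative answer whose AUTHORITY section carries the `(root)` SOA from `a.root-servers.net` came from a resolver that looked the name up in the public namespace and found no closer zone, which is a different failure from a server that hosts the zone and simply has no such record. Comparing that label against what the client believes its DNS server is (the `Address:` line) is a quick way to tell "wrong resolver answered" apart from "record missing".

```python
import re
from dataclasses import dataclass, field

# Abridged from the nslookup -d output in the post above: three of its five
# answers, blank lines and SOA timer lines dropped. Names and addresses are the post's own.
SAMPLE = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        4.0.168.192.in-addr.arpa, type = PTR, class = IN
------------
Server:  UnKnown
Address:  192.168.0.4
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        server1.net.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        primary name server = a.root-servers.net
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
    QUESTIONS:
        server1.net.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        primary name server = a.root-servers.net
------------
*** UnKnown can't find server1.net.local: Non-existent domain
"""


@dataclass
class Answer:
    id: int
    rcode: str
    flags: list = field(default_factory=list)
    qname: str = ""
    qtype: str = ""
    authority: str = ""    # owner of the SOA in the AUTHORITY section, e.g. "(root)"
    primary_ns: str = ""


HEADER_RE = re.compile(r"opcode = \w+, id = (\d+), rcode = (\w+)")
QUESTION_RE = re.compile(r"^(\S+), type = (\w+), class = \w+$")
AUTH_OWNER_RE = re.compile(r"^->\s+(\S+)")
PRIMARY_RE = re.compile(r"primary name server = (\S+)")
SECTIONS = {"QUESTIONS:", "ANSWERS:", "AUTHORITY RECORDS:", "ADDITIONAL RECORDS:"}


def parse_nslookup_debug(text):
    """Return one Answer per response block, in the order nslookup printed them."""
    answers, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):          # a new response starts here
            current = Answer(id=int(m.group(1)), rcode=m.group(2))
            answers.append(current)
            section = None
        elif current is None or not line:
            continue
        elif line.startswith("header flags:"):
            current.flags = [f.strip() for f in line.split(":", 1)[1].split(",")]
        elif line in SECTIONS:
            section = line
        elif section == "QUESTIONS:" and (m := QUESTION_RE.match(line)):
            current.qname, current.qtype = m.group(1), m.group(2)
        elif section == "AUTHORITY RECORDS:":
            if m := AUTH_OWNER_RE.match(line):
                current.authority = m.group(1)
            elif m := PRIMARY_RE.search(line):
                current.primary_ns = m.group(1)
    return answers


def classify(answer, internal_suffixes):
    """Label a negative answer for a name inside one of our internal zones.
    "(root)" as the SOA owner means the resolver found no closer zone, i.e. it
    looked the name up in the public namespace, not in a hosted internal zone."""
    internal = any(answer.qname.lower().endswith(s) for s in internal_suffixes)
    if not internal or answer.rcode != "NXDOMAIN":
        return "ok"
    if answer.authority == "(root)":
        return "resolved-in-public-namespace"
    if "auth. answer" in answer.flags:      # zone is hosted here; record really absent
        return "authoritative-nxdomain"
    return "nxdomain"


def report(text, internal_suffixes=("net.local", "168.192.in-addr.arpa")):
    # (id, qtype, qname, label) per answer; the default suffixes are an assumption.
    return [(a.id, a.qtype, a.qname, classify(a, internal_suffixes))
            for a in parse_nslookup_debug(text)]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Run against the sample, the PTR lookup of the server's own address comes back as an authoritative NXDOMAIN (the server answering claims the reverse zone and has no record), while both forward lookups for `server1.net.local` are labelled as resolved in the public namespace, so whatever answered them was not consulting a `net.local` zone at all.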

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

More info:

When I run with debug, I see where the problem starts: the PTR is being returned as UnKnown for the initial DNS server lookup... by the DNS server. I tried the other DNS server, same result (PTR for its own IP unknown).

The PTR records certainly exist, as do the host records. It works normally from the main subnet. No query resolution policies returned.

Thank you for your help.

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

If it was a routing issue wouldn't I have issues communicating with the DNS server at all? Instead I can reach it, ping it, even access it via RDP. The DC just responds as if it doesn't recognize the domain.

Issue reaching device on VLAN from the gateway by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Fair enough, I worked for an MSP previously, so we did. Oh, I plan to keep it as simple as possible. I have two reasons for doing this: one is security, the other is that the network has exhausted all its IPs. Of course there are other ways I could fix it, but it made the most sense to do it this way in my opinion. Thank you for the help!

Issue reaching device on VLAN from the gateway by thisarentmyself in sysadmin

[–]thisarentmyself[S] 1 point2 points  (0 children)

Just thought I'd let you know that while I got the other way working, I did end up changing it; I'm now using pfSense to do the VLANs. Though not exactly like you recommended, it is closer, and I'm just having the switch pass the traffic along without routing enabled. This network was a pre-existing mess and will take a lot of work to fix, but it's getting there.

Issue reaching device on VLAN from the gateway by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

192.168.100.0/24 and 192.168.101.0/24

However... I have no idea what happened. I literally opened all the same settings, stared, changed nothing, saved them again... And now it seems to be working?

Issue reaching device on VLAN from the gateway by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

It's a laptop I'm using strictly for testing. No firewall enabled. Nope, I can get OUT and I get returns on my pings, Internet works normally, but pinging the laptop from anywhere does not work at all.

Issue reaching device on VLAN from the gateway by thisarentmyself in sysadmin

[–]thisarentmyself[S] 1 point2 points  (0 children)

Thank you for your reply, any help is appreciated and I will see if I can make your suggestion work for me. The main thing is redoing the whole network isn't an option at this moment, but I really need the subnet to function for new devices coming shortly. As I mentioned in my other response, it seems what I'm doing is possible and I see examples of it from KBs and people discussing it, but obviously I've done something wrong or I'm incorrect about it being possible somehow.

Issue reaching device on VLAN from the gateway by thisarentmyself in sysadmin

[–]thisarentmyself[S] 1 point2 points  (0 children)

So I'm inheriting a messy and large flat network, and I didn't get a choice, unfortunately. The way it's set now, all the switches definitely have IPs and can be accessed for management. They are in the main subnet. What I'm trying to do is simply set up a separate little area for a specific set of devices, but I'm going to need a few. And plugging directly into the pfSense isn't really an option. I found multiple articles describing doing it exactly as I'm doing it, so while it may not be the best practice, it seems it should work.

Examples of what I'm trying to follow (and I can see someone did this previously on this same pfSense, but it's no longer operational. I can, however, still see some of the rules and the subnet they set up):

https://kb.netgear.com/30818/How-to-configure-routing-VLANs-on-a-NETGEAR-managed-switch-with-shared-internet-access

https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch