AD DNS Zone from Secondary to Primary

Convert secondary DNS zones to primary, AD integrated zones
02/04/2021 20:28:24
Varga Gábor

This article shows how to convert an existing secondary DNS zone to a primary, AD integrated zone in an Active Directory environment. This or a similar action is sometimes required when a significant infrastructure change takes place within the company. For the whole conversion we use PowerShell, because it is the easiest way to perform it.

If you have several DNS servers that all host the same secondary zone, perform the following tasks before you start the conversion:

  1. Back up the secondary zone
  2. Keep the secondary zone on one DNS server only, and perform the conversion on that server only.
  3. Perform conversion steps 1-3 as described below
  4. Do the following cleanup activities (on one DNS server only!):
    1. Remove all old name servers from the zones
    2. Change the hostmaster value
  5. Wait for replication and check the zones on all DNS servers

Step 1: Converting the secondary zone to a file-backed primary zone

This step is required because a secondary zone cannot be converted to an AD integrated primary zone in one single step. If you try, you will face the following error message:

ConvertTo-DnsServerPrimaryZone : The action to convert input zone <zone name> on server <domain controller> failed.
At line:1 char:1
+ ConvertTo-DnsServerPrimaryZone -ComputerName <domain controller> -Name $zone -Rep ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (<zone name>:root/Microsoft/...rverPrimaryZone) [ConvertTo-DnsSer
verPrimaryZone], CimException
+ FullyQualifiedErrorId : WIN32 9611,ConvertTo-DnsServerPrimaryZone

Unfortunately, this error message says little about the root cause. The reason is that a secondary DNS zone cannot be converted to an AD integrated primary zone without an intermediate step.

That intermediate step is converting the zone to a normal, file-backed primary zone with the following command:

ConvertTo-DnsServerPrimaryZone -Name "<zone_name>" -PassThru -Force -ZoneFile "<zone_name>" -Verbose

Now the conversion is finished and the zone is a file-backed primary zone.

Step 2: Converting the zone to AD integrated

For the final conversion (making the zone AD integrated), use the following PowerShell command:

ConvertTo-DnsServerPrimaryZone -Name "<zone name>" -PassThru -Force -ReplicationScope Domain

Once this step is done, you must wait for replication. When replication has finished, you can perform the cleanup activities.

Step 3: Configure secure dynamic update on the converted zone

You can do this with the following PowerShell command:

Set-DnsServerPrimaryZone -Name <zone name> -DynamicUpdate Secure

This command produces no output if the configuration succeeded.
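The three conversion steps above chained into one function, with the pre-checks from the introduction (the zone really is a secondary zone, a backup is taken first) and a check of the result at the end. This is an added example, not the author's ConvertSecondaryDNSZoneToPrimaryADIntegrated.ps1; the function name and the backup file name are assumptions.

```powershell
# Added example (not the author's script): run the three conversion steps on the
# single DNS server that still holds the secondary zone, with a backup first and
# a verification at the end. Function name and backup file name are assumptions.
function Convert-SecondaryZoneToAdIntegrated {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [string] $ZoneName,

        # AD replication scope for the final step; "Domain" matches the article.
        [ValidateSet("Domain", "Forest", "Legacy")]
        [string] $ReplicationScope = "Domain"
    )

    # Pre-check: refuse to touch anything that is not a secondary zone.
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction Stop
    if ($zone.ZoneType -ne "Secondary") {
        throw "Zone '$ZoneName' is of type '$($zone.ZoneType)', expected 'Secondary'. Nothing changed."
    }

    if (-not $PSCmdlet.ShouldProcess($ZoneName, "Convert secondary zone to AD-integrated primary")) {
        return
    }

    # Backup: Export-DnsServerZone writes the file into the server's DNS directory (%SystemRoot%\System32\dns).
    $backupFile = "$ZoneName.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Export-DnsServerZone -Name $ZoneName -FileName $backupFile -ErrorAction Stop
    Write-Verbose "Secondary zone exported to $backupFile"

    # Step 1: secondary -> file-backed primary (a direct conversion fails with WIN32 9611).
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -Force -ErrorAction Stop

    # Step 2: file-backed primary -> AD-integrated primary.
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $ReplicationScope -Force -ErrorAction Stop

    # Step 3: only authenticated domain clients (GSS-TSIG) may register or change records.
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure -ErrorAction Stop

    # Post-check: the zone must now be a DS-integrated primary zone with secure updates.
    $result = Get-DnsServerZone -Name $ZoneName
    if ($result.ZoneType -ne "Primary" -or -not $result.IsDsIntegrated -or $result.DynamicUpdate -ne "Secure") {
        throw "Verification failed for '$ZoneName': Type=$($result.ZoneType) DsIntegrated=$($result.IsDsIntegrated) DynamicUpdate=$($result.DynamicUpdate)"
    }
    $result
}

# Usage: Convert-SecondaryZoneToAdIntegrated -ZoneName "corp.example" -Verbose
```

Run it with -WhatIf first to confirm it targets the intended zone; the zone type check runs in either case.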

Step 4: Cleanup activities

Remove old DNS servers

The NS records of the old DNS servers that previously hosted the zone must be removed. After the conversion the Windows DNS server keeps these entries, and because the current AD instance has no control over the old DNS servers, it cannot be ensured that the two zones (old primary and new primary) contain the same records.

If you have just a few DNS servers, you can simply remove them from the DNS console. In my case the zones had approx. 45 old DNS server entries, so I did not try any manual cleanup.

To list the old DNS servers, run the following command:

$oldDns = Get-DnsServerResourceRecord -ZoneName <zone_name> | Where-Object {$_.Recordtype -eq "NS" -and $_.RecordData.NameServer -like "<some_old_DNS_name>*"}

Important: in this case you need a consistent naming convention to be able to use the filter at the end of the command properly. E.g. if all DNS server names start with "DC" (DC001, DC002 etc.), then you can use the filter like this: $_.RecordData.NameServer -like "DC*"

To remove the unnecessary DNS servers, run the following PowerShell script:

$oldDns | ForEach-Object { Remove-DnsServerResourceRecord -ZoneName <zone_name> -RRType NS -RecordData $_.RecordData.NameServer -Name "@" -Force }

Complete PowerShell function for the cleanup:

function RemoveOldDnsServers {
	param (
		[Parameter(Mandatory=$true)]
		[string] $Zone,
		# Prefix identifying the old name servers, e.g. "DC" for DC001, DC002, ...
		# Mandatory and non-empty: an empty prefix would turn the filter into "*" and delete every NS record of the zone
		[Parameter(Mandatory=$true)]
		[ValidateNotNullOrEmpty()]
		[string] $NameServerComparator
	)

	# Collect the NS records whose target name starts with the prefix
	$oldDns = Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object {$_.RecordType -eq "NS" -and $_.RecordData.NameServer -like "$($NameServerComparator)*"}
	# Remove them from the zone apex; -Force suppresses the confirmation prompt for each record
	$oldDns | ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $Zone -RRType NS -RecordData $_.RecordData.NameServer -Name "@" -Force }
}

Changing the hostmaster (in SOA) value

At the moment, SOA values of a zone can be changed via WMI. With PowerShell, the following script helps you change any value within the SOA record (including the responsible person).

function UpdateSOAData
{
	param(
		[Parameter(Mandatory=$true)]
		[string] $ZoneName,
		[Parameter(Mandatory=$true)]
		[ValidateSet("ResponsibleParty","TTL","SerialNumber","PrimaryServer","RefreshInterval","RetryDelay","ExpireLimit","MinimumTTL")]
		[string] $DataField,
		[Parameter(Mandatory=$true)]
		[string] $Value,
		[string] $DNSServer
	)
	if ($null -eq $DNSServer -or $DNSServer -eq "") {
		$DNSServer = "localhost"
	}
	try
	{
		# The SOA record is exposed by the MicrosoftDNS WMI provider; ContainerName holds the zone name
		$Zone = Get-WmiObject -Class "MicrosoftDNS_SOAType" -Namespace "root\MicrosoftDNS" -ComputerName $DNSServer | Where-Object {$_.ContainerName -like $ZoneName}
		if ($null -eq $Zone) {
			throw "SOA record for zone '$ZoneName' was not found on $DNSServer"
		}
		# Change the selected field on the local copy, then write the whole SOA back with Modify()
		$Zone.$DataField = $Value
		$Zone.Modify($Zone.TTL, $Zone.SerialNumber, $Zone.PrimaryServer, $Zone.ResponsibleParty, $Zone.RefreshInterval, $Zone.RetryDelay, $Zone.ExpireLimit, $Zone.MinimumTTL)
	}
	catch [System.Exception] # If there was a problem, report it and return (exit would close the whole PowerShell session)
	{
		Write-Host "Failed to set the DNS SOA, check your parameters"
		Write-Host "Exception String: $($_.Exception.Message)"
		return
	}
}

Usage of this function is very easy:

1. Copy the whole function into PowerShell

2. Use: UpdateSOAData -ZoneName <zonename> -DataField <select the allowed fields> -Value <new_value> [-DNSServer <servername_or_ip>]
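One way to do the last task from the introduction (wait for replication, then check the zones on all DNS servers), as an added example that is not part of the original article: it queries every server and flags differences in AD integration, the dynamic update setting, the NS set and the SOA hostmaster changed above. The function name is an assumption; it needs the DnsServer module and, for the default server list, the ActiveDirectory module.

```powershell
# Added example (not from the article): after conversion and cleanup have replicated,
# compare the zone on every DNS server and report servers whose view differs from the
# reference (the first server that answered). Function name is an assumption; needs the
# DnsServer module and, for the default server list, the ActiveDirectory module.
function Test-DnsZoneConsistency {
    param (
        [Parameter(Mandatory = $true)]
        [string] $ZoneName,

        # Servers to compare; defaults to every domain controller in the current domain.
        [string[]] $Server = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    $snapshots = foreach ($s in $Server) {
        $snap = [ordered]@{ Server = $s; IsDsIntegrated = $null; DynamicUpdate = $null
                            NameServers = $null; Hostmaster = $null; Serial = $null; Error = $null }
        try {
            $zone = Get-DnsServerZone -ComputerName $s -Name $ZoneName -ErrorAction Stop
            $soa  = Get-DnsServerResourceRecord -ComputerName $s -ZoneName $ZoneName -RRType SOA -ErrorAction Stop
            $ns   = Get-DnsServerResourceRecord -ComputerName $s -ZoneName $ZoneName -RRType NS -Name "@" -ErrorAction Stop |
                    ForEach-Object { $_.RecordData.NameServer.ToLower() } | Sort-Object -Unique
            $snap.IsDsIntegrated = $zone.IsDsIntegrated
            $snap.DynamicUpdate  = $zone.DynamicUpdate
            $snap.NameServers    = $ns -join ","      # normalised so NS sets compare as strings
            $snap.Hostmaster     = $soa.RecordData.ResponsiblePerson
            $snap.Serial         = $soa.RecordData.SerialNumber
        } catch {
            $snap.Error = $_.Exception.Message
        }
        [pscustomobject]$snap
    }

    # Reference view: the first server that answered. Serials are shown but not compared,
    # because the DCs of an AD-integrated zone may legitimately carry different SOA serials.
    $ref = $snapshots | Where-Object { -not $_.Error } | Select-Object -First 1
    foreach ($snap in $snapshots) {
        $issues = @()
        if ($snap.Error) { $issues += "query failed: $($snap.Error)" }
        else {
            if (-not $snap.IsDsIntegrated)              { $issues += "not AD integrated" }
            if ($snap.DynamicUpdate -ne "Secure")       { $issues += "dynamic update is '$($snap.DynamicUpdate)'" }
            if ($snap.NameServers -ne $ref.NameServers) { $issues += "NS set differs from $($ref.Server)" }
            if ($snap.Hostmaster -ne $ref.Hostmaster)   { $issues += "SOA hostmaster differs from $($ref.Server)" }
        }
        $snap | Add-Member -NotePropertyName Issues -NotePropertyValue ($issues -join "; ") -PassThru
    }
}

# Usage: Test-DnsZoneConsistency -ZoneName "corp.example" | Format-Table Server, NameServers, Hostmaster, Serial, Issues
```

An empty Issues column on every row means the cleanup has replicated everywhere; a server that still lists an old name server shows up with "NS set differs".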

Complete powershell script for the whole conversion process: ConvertSecondaryDNSZoneToPrimaryADIntegrated.ps1