I am in the process of upgrading our Domain Forest from Windows 2012 servers to Windows 2022 servers. My Company opted into the option of just setting up new 2022 servers and then demoting and decomming the 2012 servers.
I have gotten down to the last of the 2012 servers DC-1. It was the “primary” domain controller and was the FSMO role holder; I have moved the FSMO roles all to one of the new 2022 servers, but when it was demoting one of the older ones I noticed that DC-1 has an AD object associated with it called DNS Settings msDNS-ServerSettings. Doing some research about this it seems that it's tied to a role for DNSSEC called KeyMasterServer, but when running the command Get-DNSServerDNSSecZonesetting -zonename “mydomain” I get this returned:
and checking the DNS Manager I don’t see any zones that have the lock beside them which normally denote the DNSSEC option has been signed to them. I have checked replication to make sure that things are working as intended and I don’t see any errors when doing that.
results when running repadmin /replsum * /bysrc /bydest /sort:delta
At this point I am stumped as to why that object would exist and if it would cause any errors if I were to demote the last of the 2012 servers from the forest and delete the server and object from sites and services.
I believe there is a required step from 12 to 16 to enable FRS to DFRS (I might have the acronym wrong here…) but my point is, there’s a missing step in your post.
I ran dfsrmig /getglobalstate and got a return of “Eliminated” and I believe that means it's been updated from FRS to DFRS.
dfsrmig /getmigrationstate
Run that instead of getglobalstate
You should only run getglobalstate from the PDC Emulator. Yes, you’re looking for Eliminated across the domain from the getmigrationstate command. Assuming all is well at the end of your getmigrationstate command you should be in the clear.
Reference material: dfsrmig | Microsoft Learn
I ran the dfsrmig /getmigrationstate on the 2022 Server that I migrated the FSMO roles including PDC to. This was the return that I was given when running it.

So is that Domain Object “DNS Settings” just an old piece that was left over from that migration of the FRS to DFRS?
No, if you read through the documentation I linked the old FRS junk is removed automatically. However, the DNS Settings piece is probably part of an old config that might have been abandoned. DNS Sec is an optional feature, if you’re not using it going forward (and see no sign that it was active before) you’re probably safe.
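Added example, not part of the thread and not any poster's code: a read-only PowerShell check that extends the single-zone `Get-DnsServerDnsSecZoneSetting` query above to every primary zone, reporting whether the zone is signed and whether the server about to be demoted is named as its Key Master. `DC-1` is the server name from the thread; the `$DnsServer` default and the report column names are assumptions chosen for illustration.

```powershell
# Added example: read-only DNSSEC audit before demoting a domain controller.
# Nothing here changes DNS or AD; it only reads zone settings.
param(
    [string]$DnsServer = $env:COMPUTERNAME,  # assumption: a DNS server that stays in service
    [string]$OldDc     = 'DC-1'              # server about to be demoted (name from the thread)
)

Import-Module DnsServer -ErrorAction Stop

$report = foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer) {
    # Skip auto-created zones and anything that is not a primary zone.
    if ($zone.IsAutoCreated -or $zone.ZoneType -ne 'Primary') { continue }

    $keyMaster = $null
    try {
        # Query every primary zone, signed or not, so a retained Key Master
        # setting on a zone that was later unsigned is still visible.
        $sec = Get-DnsServerDnsSecZoneSetting -ZoneName $zone.ZoneName `
                   -ComputerName $DnsServer -ErrorAction Stop
        $keyMaster = $sec.KeyMasterServer
    }
    catch {
        # The zone exposes no DNSSEC settings; treat it as having no Key Master.
        $keyMaster = $null
    }

    # Compare host names only, so 'DC-1' does not also match 'DC-10'.
    $isOldDc = [bool]$keyMaster -and (($keyMaster -split '\.')[0] -eq $OldDc)

    [pscustomobject]@{
        ZoneName         = $zone.ZoneName
        IsSigned         = $zone.IsSigned
        KeyMasterServer  = $keyMaster
        OldDcIsKeyMaster = $isOldDc
    }
}

$report | Format-Table -AutoSize

$blockers = @($report | Where-Object { $_.OldDcIsKeyMaster })
if ($blockers.Count -gt 0) {
    Write-Warning "$OldDc is Key Master for: $($blockers.ZoneName -join ', ')"
}
else {
    Write-Output "No primary zone on $DnsServer lists $OldDc as Key Master."
}
```

An empty `KeyMasterServer` column with `IsSigned` false on every row matches what the original poster describes seeing in DNS Manager (no zones with the lock icon).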