adding a second nic

Thread starter: James W. Long

James W. Long

Hi all,

I installed a Win 2000 Domain Controller using Active Directory and one NIC
card. Everything went fine.

I can ping localhost, machinename, domainname.machinename and the 10.x.x.x
address the card is on.
I am pinging (checking) on the same console as the DC we are discussing.
They all resolve to the 10.x.x.x subnet.

Then I added a second nic card also configured static but in the 192.168.x.x
subnet. To my amazement,
pinging machinename and domainname.machinename now take on the 192.168.x.x
address,
which is emphatically _NOT_ wanted. I have tried to correct this in DNS but
it seems that DNS is ignored.

I configured DNS to only run on the 10.x.x.x subnet (card), which made
absolutely no difference.

I configured DNS with different Domains for each card (SOA, NS and A and PTR
recs - this should have worked),
but it made no difference.

I even went so far as to stop the DNS server and I STILL get the same
result. I feel that Active Directory
is running things on blind autopilot from the registry, and it's very wrong
about what I want.

What I need is for localhost, machinename and domain.machinename to resolve
to the 10.x.x.x subnet,
and I would be happy to supply an entirely different set of Mickey Mouse
names for the card on 192,
if I knew how.

How do I fix it?

Thanks,
 
James W. Long said:
Hi all,

I installed a Win 2000 Domain Controller using Active Directory and
one NIC card. Everything went fine.

I can ping localhost, machinename, domainname.machinename and the
10.x.x.x address the card is on.
I am pinging (checking) on the same console as the DC we are
discussing. They all resolve to the 10.x.x.x subnet.

Then I added a second nic card also configured static but in the
192.168.x.x subnet. To my amazement,
pinging machinename and domainname.machinename now take on the
192.168.x.x address,
which is emphatically _NOT_ wanted. I have tried to correct this in
DNS but it seems that DNS is ignored.

I configured DNS to only run on the 10.x.x.x subnet (card), which made
absolutely no difference.

I configured DNS with different Domains for each card (SOA, NS and A
and PTR recs - this should have worked),
but it made no difference.

I even went so far as to stop the DNS server and I STILL get the same
result. I feel that Active Directory
is running things on blind autopilot from the registry, and it's very
wrong about what I want.

What I need is for localhost, machinename and domain.machinename to
resolve to the 10.x.x.x subnet,
and I would be happy to supply an entirely different set of Mickey
Mouse names for the card on 192,
if I knew how.

How do I fix it?

Thanks,

DNS doesn't care about the IP addresses it is listening on when it gives out
IP addresses for records. If DNS is resolving names to 192.168.x.x IP
addresses it is because the records for those names have those IP addresses.
Once those records are cached in the system cache they are there until TTL
runs out, even if the DNS server is stopped.

That being said, is there a WINS server?
Are dynamic updates enabled on the zone?
 
Dear Kevin:

Thank you very much for your reply.

OK I will clear the cache and make a smaller TTL
to experiment with until I get this resolved.

No, there is no WINS server. This is the only DC and it's only
running DNS server, DNS client, DHCP client,
and will ultimately run DHCP server. I was not
running dhcp client or server for these tests.

later, when I reconfigured my 192.168 card for
dhcp client and a dynamic address,
I saw DHCP client send my inside domain.machinename
right out the dynamic address along with my DC status,
and that is not what we want at all.
That information is supposed to stay on the inside
10.x.x.x subnet only. I don't need internet dhcp servers
asking if I am authority for my inside domain. So, as you can see,
win2000 Server has transmuted my inside NetBIOS machinename
and inside domain name onto the (also DHCP-enabled) 192.168.x.x card.
I don't know how it does this, but I never told it so.
Perhaps I have not told it not to?
I am ready to blow this out as a failed install
and start over if I knew the right way to set it up so the names
to stay on 10.x.x.x, and we don't want any inside names showing up on 192,
or a dynamic address on that nic.

Dynamic update was enabled in order to create the AD Domain controller;
subsequently, I disabled that, along with zone transfers since
there is no Backup Domain controller. Does dynamic update have to
be enabled for the AD DNS manager snapin to modify DNS properly?

(I disabled it because I thought that this would help prevent any outside
sources from messing with my DNS records.)

Thank you again

James W. Long.
 
James W. Long said:
No, there is no WINS server. This is the only DC and it's only
running DNS server, DNS client, DHCP client,
and will ultimately run DHCP server. I was not
running dhcp client or server for these tests.

Thanks for the reply, here is what you do.
Set binding order so that the internal NIC that will have file sharing is at
the top of the bindings. Right click on Network places, choose properties,
then in the Advanced Menu select Advanced Settings. Move the internal NIC to
the top of the connections list.

In DNS server properties on the interfaces tab Select listen only on these
addresses. For each address it listens on it will create a host record with
the machinename and the IP it is listening on.

To stop the creation of the Blank (same as parent folder) host for all IPs
on the DC you have to make this registry entry and manually create the blank
host record for the IP you want published as the LDAP record.
NOTICE! This IP must be on the interface that has File sharing enabled.
This is for the DFS SYSVOL share that group policies are published from:
\\domain.com\SYSVOL\domain.com\policies

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress
 
Dear Kevin:
Thank you for the reply. I almost follow you. see below.
Thank you,
James W. Long.


Kevin D. Goodknecht said:

Thanks for the reply, here is what you do.
Set binding order so that the internal NIC that will have file sharing is at
the top of the bindings. Right click on Network places, choose properties,
then in the Advanced Menu select Advanced Settings. Move the internal NIC to
the top of the connections list.


OK, the internal NIC was already at the top.
It is bound to File & Print Sharing, Client for Microsoft Networks, and
TCP/IP.
The outside NIC is below and is only bound to TCP/IP.

In DNS server properties on the interfaces tab Select listen only on these
addresses. For each address it listens on it will create a host record with
the machinename and the IP it is listening on.

The checkbox "only the following IP addresses" is checked.
The two addresses are 10.0.0.200 (my inside) and 192.168.1.200 (my
outside).
I figured I had to check that, so I did that a while back.

To stop the creation of the Blank (same as parent folder) host for all IPs
on the DC you have to make this registry entry and manually create the blank
host record for the IP you want published as the LDAP record.
NOTICE! This IP must be on the interface that has File sharing enabled.
This is for the DFS SYSVOL share that group policies are published from:
\\domain.com\SYSVOL\domain.com\policies

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress

I used regedt32 to add a REG_MULTI_SZ DnsAvoidRegisterRecords entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
I set its value to "LdapIpAddress" (no quotes).

I am not understanding the part where you say to manually create a blank
host record I want published as the LDAP record, and how to do the LDAP
part of it. ???


The machine name is ihostname and the domain is inside.

In DNS I defined two domains, inside and outside.
machinename = ihostname, domain = inside.
ihostname.inside is on 10.0.0.200. static.

The other domain = outside (not recognized by NetBIOS); DNS server (name
server) = ohostname.
ohostname.outside is on 192.168.1.200, static for now.

I repeatedly deleted A recs for the opposing NS in my two zones (the
opposite one, which does not belong with it).
ihostname A 192.168.0.200 always comes back in forward domain inside after
reboot.
That is NOT correct; ihostname is 10.0.0.200.

(same as parent) SOA ihostname.inside always returns in forward domain
outside after reboot.
(same as Parent) NS ihostname.inside always returns in forward domain
outside after reboot.

(same as parent) SOA ihostname.inside always returns in reverse domain
192.168.1 after reboot.
(same as parent) NS ihostname.inside always returns in reverse domain
192.168.1 after reboot.

I am not used to this AD thing. I also see a grey inside zone and a grey
outside zone
under "." and have tried to correct those as well.

No matter how sweet it looks before I reboot, it gets messed up again after
I reboot.
AD just hoses me.

1. Can't inside and outside stay independent? It keeps putting references to
inside
in my outside domain.
2. I can foretell that it's going to send a DHCP request containing
ihostname.inside again.
3. Is there a way to get it to send ohostname.outside as the internet
connection name?
That would be what I am trying to get it to do.

Sorry about the amount of detail, just stop me where I messed up.
Thank you,
James W. Long
 
James W. Long said:
The checkbox "only the following IP addresses" is checked.
The two addresses are 10.0.0.200 (my inside) and 192.168.1.200 (my
outside).
I figured I had to check that, so I did that a while back.

You should only have DNS listening on the internal address 10.0.0.200. That
will create a host record with the machine name with the internal IP in the
internal Active Directory domain zone. If you put 192.168.1.200 in the
listener IP it will create a host for the machine name in the AD zone, which
you stated you do not want.

I used regedt32 to add a REG_MULTI_SZ DnsAvoidRegisterRecords entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
I set its value to "LdapIpAddress" (no quotes).

I am not understanding the part where you say to manually create a
blank host record I want published as the LDAP record, and how to do
the LDAP part of it. ???

To create this record open the Forward lookup zone for your Active Directory
domain, create a new host, leave the name field blank, give it the internal
IP 10.0.0.200, click 'Create', then click OK to create the record anyway when
it barks at you saying (same as parent folder) is not a valid host name.
This record will cause your domain name to resolve to 10.0.0.200.

The machine name is ihostname and the domain is inside.

In DNS I defined two domains, inside and outside.
machinename = ihostname, domain = inside.
ihostname.inside is on 10.0.0.200. static.

The other domain = outside (not recognized by NetBIOS); DNS server (name
server) = ohostname.
ohostname.outside is on 192.168.1.200, static for now.

I repeatedly deleted A recs for the opposing NS in my two zones (the
opposite one, which does not belong with it).
ihostname A 192.168.0.200 always comes back in forward domain inside
after reboot.
That is NOT correct; ihostname is 10.0.0.200.

(same as parent) SOA ihostname.inside always returns in forward
domain outside after reboot.
(same as Parent) NS ihostname.inside always returns in forward
domain outside after reboot.

(same as parent) SOA ihostname.inside always returns in reverse
domain 192.168.1 after reboot.
(same as parent) NS ihostname.inside always returns in reverse
domain 192.168.1 after reboot.

You cannot change the SOA of the AD Domain zone; it will always return to
the machine's hostname when the zone refreshes.
But you can stop it from resolving to the 192.168.1.200 by removing that
address from the listener addresses on the Interfaces tab.

I am not used to this AD thing. I also see a grey inside zone and a
grey outside zone
under "." and have tried to correct those as well.

You have a "." (root) in Forward Lookup Zones?
You should remove that zone by deleting it, as described in this KB:
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202
No matter how sweet it looks before I reboot, it gets messed up
again after I reboot.
AD just hoses me.

1. Can't inside and outside stay independent? It keeps putting
references to inside
in my outside domain.

They are two different names in different zones, correct?

2. I can foretell that it's going to send a DHCP request containing
ihostname.inside again.

You lost me here?

3. Is there a way to get it to send ohostname.outside as the internet
connection name?
That would be what I am trying to get it to do.

So are you hosting the public domain zone on this DNS server, too?
This is really not recommended, but it can be done as long as the zone only
contains publicly routable IP addresses for the records. It cannot give
out any private addresses to the public.
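Kevin's steps from this reply and his earlier one (listen on the internal address only, the Netlogon DnsAvoidRegisterRecords entry, the hand-made blank host record), collected into one script as an added example. This is not code from the thread; it is run at the DC's console. It assumes dnscmd.exe from the Windows 2000 Support Tools is installed, and a reg.exe that understands the /v /t /d /f syntax (the Windows XP and later built-in; on Windows 2000 itself make the Netlogon entry with regedt32 as described in the post). The zone name "inside", the DC name "ihostname" and the two addresses are the thread's own values.

```batch
@echo off
REM Added example (not code from the thread): Kevin's steps for a multi-homed
REM Windows 2000 DC, collected into one script that is run at the DC's console.
REM Assumed: dnscmd.exe from the Windows 2000 Support Tools is installed, and
REM reg.exe understands the /v /t /d /f syntax (the XP-and-later built-in; on
REM Windows 2000 itself make the Netlogon entry with regedt32 as in the post).
REM Names and addresses are the thread's: zone "inside", DC "ihostname",
REM internal 10.0.0.200, external 192.168.1.200.

set ZONE=inside
set DCHOST=ihostname
set INSIDE_IP=10.0.0.200

REM 1. DNS listens on the internal address only. The server creates a host
REM    record for the machine name on every address it listens on, so dropping
REM    192.168.1.200 here is what stops ihostname from resolving to it.
dnscmd %DCHOST% /ResetListenAddresses %INSIDE_IP%

REM 2. Tell Netlogon not to register the blank (same as parent folder) A
REM    record for every interface; from here on that record is kept by hand.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d LdapIpAddress /f

REM 3. Create the blank host record yourself, on the internal address only.
REM    "@" is dnscmd's name for the zone root, i.e. the (same as parent folder)
REM    row in the DNS snap-in; this is what the domain name itself resolves to.
dnscmd %DCHOST% /RecordAdd %ZONE% @ A %INSIDE_IP%

REM 4. Restart Netlogon so it re-registers the remaining records under the new
REM    rule, and clear the resolver cache so stale 192.168.1.200 answers go.
net stop netlogon
net start netlogon
ipconfig /flushdns
ipconfig /registerdns

REM 5. Check against the DNS server itself: every answer should be 10.0.0.200.
REM    The trailing dot makes the zone name absolute so no suffix is appended.
nslookup %DCHOST%.%ZONE%. %INSIDE_IP%
nslookup %ZONE%. %INSIDE_IP%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE%. %INSIDE_IP%
```

The SRV query shows the DC locator record Netlogon registers; its target must be ihostname.inside and the address returned with it should be 10.0.0.200 only. If 192.168.1.200 still appears after step 5, the record was served from the resolver cache (the TTL point Kevin made earlier), or the Netlogon entry was made under the wrong key. The single-label zone name "inside" is kept here because it is the thread's; as Kevin notes later in the thread, a real deployment should use a hierarchical DNS name.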
 
Dear Kevin:
Thank you for your reply!
More follows, see below,
Thanks,
James Long.


Kevin D. Goodknecht said:

You should only have DNS listening on the internal address 10.0.0.200 That
will create a host record with the macine name with the internal IP in the
internal Active Directory domain zone. If you put 192.168.1.200 in the
listener IP it will create a host for the machine name in the AD zone, which
you stated you do not want.

OK, I took out the 192.168.1.200 listen.
BUT my original intent was to run a second NIC on 192.168.1.200
with a gateway of 192.168.1.1 and assign it in DNS as a domain name
of outside, with a host name of ohostname,
and use that as my internet connection (ohostname.outside),
then use Internet Connection Sharing or WinGate to route
it to the 10.0.0.200 card, thus firewalling me to a degree.
BUT DNS still thinks the 192.168 card has some affinity with my inside domain
name,
and that does not satisfy us.

So.
I switch over the 192.168.1.200 card to DHCP and everything goes away
(meaning that it gets a NEW address and nothing in DNS applies anymore),
so that doesn't work either, plus it STILL puts our inside hostname
and domainname in the DHCP request.

(If you have never seen this happen, try using Netmon with its built-in
protocol analyser.)


So, the plan NOW is to put a hardware firewall box upstream of the
server. This box runs DHCP client ONLY on its outside address,
and its INSIDE address is 192.168.1.200, same as my new OUTSIDE NIC.

This lets me go back to the idea I had before where I define a domain
on 192.168.1.200 called outside, with hostname ohostname.

Unfortunately, it doesn't work that way. DHCP one way or another
will ultimately get my internal domain and hostname, which
we don't want sent outside our network in any fashion whatsoever,
unless I can specify a hostname and domain name in the firewall box
that does not match mine, and it knows how to route between.


We do not care for anything else from our inside network to get out,
or from outside to get in, other than HTTP port 80 and BOOTP/DHCP
to get our address.

No Java, no ActiveX, no LDAP, nada,
nothing from ntoskrnl, no ports or protocols that aren't
HTTP 80.

We only ran DNS on 192.168.1.200 in hopes that our
external hostname and domain name (ohostname.outside)
would be seen rather than our inside hostname and domain,
but we just gave that idea up because it doesn't work.


Incidentally,
why can't I add a 27.in-addr.arpa file?
why can't I add a 255.in-addr.arpa file?
I think I may go to a non-AD-integrated DNS server and run from files.
Then I can put anything I want in those and that is how I will be seen
from the outside.
Maybe I will go back to NT and do it with that.

We used 192.168 because it is "supposed to be private".
I don't believe that for a second and that is why my LAN is on 10.


To create this record open the Forward lookup zone for your Active Directory
domain, create a new host, leave the name field blank, give it the internal
IP 10.0.0.200, click 'Create', then click OK to create the record anyway when
it barks at you saying (same as parent folder) is not a valid host name.
This record will cause your domain name to resolve to 10.0.0.200.

Well, OK, I did, but if I need it for LDAP on the inside, OK, I added it.

BUT.
hostname, i.e. machinename, already resolves via NetBIOS over TCP/IP and ping
sees it.
hostname.domainname already resolves via DNS (I think this is the only
mechanism, but
I would not be surprised if NetBIOS also does this).

The only two ways to cause domainname (by itself) to resolve are:
1. place a domainname CNAME insidehostname.domainname. in the forward
lookup zone for the domain.
or
2. place domainname in HOSTS as 10.0.0.200, and on other inside lan
machines.


You cannot change the SOA of the AD Domain zone; it will always return to
the machine's hostname when the zone refreshes.
But you can stop it from resolving to the 192.168.1.200 by removing that
address from the listener addresses on the Interfaces tab.

I can tell you two ways you can.
a. change domain and nv_domain, hostname and nv_hostname in
hklm\system\currentcontrolset\services\tcpip\parameters.
b. put in 127.in-addr.arpa and 255.in-addr.arpa files that say what you
want.

You have a "." (root) in Forward Lookup Zones?
You should remove that zone by deleting it, as described in this KB:
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202


They are two different names in different zones, correct?

Apparently not. This DNS server cannot distinguish them as being
separate. It necessitates that the inside domain name is always
associated with the second NIC no matter what.

maybe I just need two DNS server machines to do what I want.


You lost me here?

Check out a Netmon trace of a machine issuing a DHCP request from the
command line with ipconfig /renew. You will see your internal
hostname go out onto the internet, and your internal domain name,
and your DC status,
and LDAP will then try to send a whole lot of other stuff
if you don't stop it.



So are you hosting the public domain zone on this DNS server, too?
This is really not recommended, but it can be done as long as the zone only
contains publicly routable IP addresses for the records. It cannot give
out any private addresses to the public.

DHCP will not hesitate one iota to give out your private domain name and
hostname or machinename.

If a zone is named "outside" and its DNS server is ohostname,
and it runs on 192.168.1.200, is that public? I hope not. But that's the
closest
this DC comes to running anything public, and it was a temporary idea to
isolate
the outside from the inside.



out of ideas.

James W. Long.
 
In James W. Long <[email protected]> posted a question
Then Kevin replied below:


I am beginning to get really confused here on what you are trying to
accomplish with this setup.
If there will be no name resolution to the outside and all you are going to
have coming in from the outside is HTTP, why are you having so many problems
with DNS?
DNS only needs to listen on the internal interface. I understand that in
order to access the websites on this server you are going to need a zone for
the domain the website is in.
OK, I took out the 192.168.1.200 listen.
BUT my original intent was to run a second NIC on 192.168.1.200
with a gateway of 192.168.1.1 and assign it in DNS as a domain name
of outside, with a host name of ohostname,
and use that as my internet connection (ohostname.outside),
then use Internet Connection Sharing or WinGate to route
it to the 10.0.0.200 card, thus firewalling me to a degree.
BUT DNS still thinks the 192.168 card has some affinity with my inside
domain name,
and that does not satisfy us.

So.
I switch over the 192.168.1.200 card to DHCP and everything goes away
(meaning that it gets a NEW address and nothing in DNS applies anymore),
so that doesn't work either, plus it STILL puts our inside hostname
and domainname in the DHCP request.

(If you have never seen this happen, try using Netmon with its built-in
protocol analyser.)


So, the plan NOW is to put a hardware firewall box upstream of the
server. This box runs DHCP client ONLY on its outside address,
and its INSIDE address is 192.168.1.200, same as my new OUTSIDE NIC.

This lets me go back to the idea I had before where I define a domain
on 192.168.1.200 called outside, with hostname ohostname.

Unfortunately, it doesn't work that way. DHCP one way or another
will ultimately get my internal domain and hostname, which
we don't want sent outside our network in any fashion whatsoever,
unless I can specify a hostname and domain name in the firewall box
that does not match mine, and it knows how to route between.


We do not care for anything else from our inside network to get out,
or from outside to get in, other than HTTP port 80 and BOOTP/DHCP
to get our address.

No Java, no ActiveX, no LDAP, nada,
nothing from ntoskrnl, no ports or protocols that aren't
HTTP 80.

We only ran DNS on 192.168.1.200 in hopes that our
external hostname and domain name (ohostname.outside)
would be seen rather than our inside hostname and domain,
but we just gave that idea up because it doesn't work.


Incidentally,
why can't I add a 27.in-addr.arpa file?
why can't I add a 255.in-addr.arpa file?

These zones are already in DNS; if you click on the View menu and select
Advanced you will see these zones.

I think I may go to a non-AD-integrated DNS server and run from files.
Then I can put anything I want in those and that is how I will be
seen from the outside.
Maybe I will go back to NT and do it with that.

I don't get where you are coming from. AD integrated means that it is stored
in AD; it resolves the same. The difference is AD integrated zones are more
secure.
We used 192.168 because it is "supposed to be private".
I don't believe that for a second and that is why my LAN is on 10.

192.168.x.x is private, just as private as 10.x.x.x is anyway; neither is
routable across the internet. The difference is the total number of IP
addresses available: 10.x.x.x with a 255.0.0.0 netmask has 16777214 IP
addresses, where 192.168.0.0 with a netmask of 255.255.0.0 has 65534 IP
addresses.

I can tell you two ways you can.
a. change domain and nv_domain, hostname and nv_hostname in
hklm\system\currentcontrolset\services\tcpip\parameters.
b. put in 127.in-addr.arpa and 255.in-addr.arpa files that say what
you want.

If you change these it will cause a disjointed namespace; unless your
namespace is already disjointed, there is a script for fixing that.

I guess I am still not getting the picture of what you are trying to
accomplish.

If a zone is named "outside" and its DNS server is ohostname,
and it runs on 192.168.1.200, is that public? I hope not. But that's
the closest
this DC comes to running anything public, and it was a temporary idea
to isolate
the outside from the inside.

If you are not allowing incoming DNS connections what are you trying to
isolate?
 
Dear Kevin:

Thanks for all the great info. It has been a huge help.

Whoops, I misspoke,
yes, I would also allow incoming DNS, if only to resolve our hostname
if our hostname suddenly became disjointed again.
I would be interested in looking at that script you mentioned
for that problem. Do you have the URL for it?

Thanks,
James W. Long.


Kevin D. Goodknecht said:
In James W. Long <[email protected]> posted a question
Then Kevin replied below:


I am beginning to get really confused here on what you are trying to
accomplish with this setup.
If there will be no name resolution to the outside and all you are going to
have coming in from the outside is HTTP, why are you having so many problems
with DNS?
DNS only needs to listen on the internal interface. I understand that in
order to access the websites on this server you are going to need a zone for
the domain the website is in.


These zones are already in DNS; if you click on the View menu and select
Advanced you will see these zones.

Oh! Thanks!

I don't get where you are coming from. AD integrated means that it is stored
in AD; it resolves the same. The difference is AD integrated zones are more
secure.


192.168.x.x is private, just as private as 10.x.x.x is anyway; neither is
routable across the internet. The difference is the total number of IP
addresses available: 10.x.x.x with a 255.0.0.0 netmask has 16777214 IP
addresses, where 192.168.0.0 with a netmask of 255.255.0.0 has 65534 IP
addresses.

Plus 1 for the broadcast address.

If you change these it will cause a disjointed namespace; unless your
namespace is already disjointed, there is a script for fixing that.


I guess I am still not getting the picture of what you are trying to
accomplish.



If you are not allowing incoming DNS connections what are you trying to
isolate?

The entire business side lan which is not of this DC.
 
James W. Long said:
Dear Kevin:

Thanks for all the great info. It has been a huge help.

Whoops, I misspoke,
yes, I would also allow incoming DNS, if only to resolve our hostname
if our hostname suddenly became disjointed again.
I would be interested in looking at that script you mentioned
for that problem. Do you have the URL for it?

I will include the link below. The internal domain MUST NOT have a
disjointed namespace; these three things MUST match exactly: the Primary DNS
suffix, the Active Directory domain name and the Forward Lookup Zone in DNS.
Also, if your AD domain name is a single-label name (domain vs. domain.com)
it can cause a critical problem, since single-label domains will not follow
the DNS hierarchy. If a single-label domain is your problem you will have to
make registry entries before you can go any further; even then you need to
build a new domain that will follow the DNS hierarchy, by either demoting
this one or building a new domain in parallel and using ADMT to migrate the
accounts. If you still have an NT4 BDC it is much easier, because then you
can promote the NT4 BDC to a PDC and upgrade it with a good DNS name.
300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684

247681 - Microsoft DNS Server Cannot Resolve Some Domain Names
http://support.microsoft.com/default.aspx?scid=kb;en-us;247681

257623 Domain Controller's Domain Name System Suffix Does Not Match Domain
Name
http://support.microsoft.com/?id=257623

292541 - How to Rename the DNS Name of a Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;292541&Product=win2000
 