DNS problem while multihoming

Thread starter: Michel B.

Michel B.

Hi,
I've been asked to do something kinda unusual. To make it short, I need
to switch from one IP range to another and this has to be done "gradually".

The problem here is that I don't think Win2k DNS likes to be multihomed (2 IPs
on 1 NIC for all servers, including DCs). I did some tests in a lab messing
around with DNS and I've been able to make many things work. There is one
thing that doesn't work though: I can't join a station to the domain using the
new IP range. I get an error that the DCs couldn't be contacted. In the same
message it lists my 2 DCs (recognized as DCs). There seems to be a problem in
the DNS name resolution (looks like it gets the other IP from the "old"
range).

I know it's something not recommended but I have to make it work ;/
(My manager likes to do things the way they aren't designed for)


Does anyone have ideas on how I can fix this issue, or a better way to achieve my
goal? I'm in the dark actually.

Thanks!

M.Bruyere
 
Michel B. said:
Hi,
I've been asked to do something kinda unusual. To make it short,
I need to switch from one IP range to another and this has to be done
"gradually".

The problem here is that I don't think Win2k DNS likes to be
multihomed (2 IPs on 1 NIC for all servers, including DCs). I did some
tests in a lab messing around with DNS and I've been able to make
many things work. There is one thing that doesn't work though: I can't
join a station to the domain using the new IP range. I get an error
that the DCs couldn't be contacted. In the same message it lists my 2
DCs (recognized as DCs). There seems to be a problem in the DNS name
resolution (looks like it gets the other IP from the "old" range).

I know it's something not recommended but I have to make it work ;/
(My manager likes to do things the way they aren't designed for)


Does anyone have ideas on how I can fix this issue, or a better way to
achieve my goal? I'm in the dark actually.

Thanks!

M.Bruyere

And I bet your boss wants you to work for it and alter default DC
functionality, including registry changes, etc? Just to point out,
multihoming a DC is NOT recommended, as you've pointed out. Also, once you
do this, you have to decide WHICH network it will be part of, since it
CANNOT be part of both segments because of the way Sites work and how the
IPs are returned to a client querying service locations. Keep in mind that a
client can get to a DC in another network anyway as long as it's routed. As
for IP changes, it's pretty difficult to do it 'gradually'; you would be
better off doing one subnet at a time over the weekend or during
non-production hours.

Anyway, here you go, below is a re-print of one of my posts for someone else
with the same thing a few months ago....

Have fun and Good luck!

+=========================
Actually most of these are strewn about in this newsgroup between myself and
others posting responses. Steps include killing the registration of your NIC
cards through the registry. You first identify the GUID for each NIC. Then you
would publish (through the registry) what IPs you want in DNS, then you need to adjust
the binding order to ensure the NIC you want responds. Then another registry
entry to kill the GcIpAddress and the LdapIpAddress. Then you publish once
again through the registry which IP you want for those two values. But you need to
ensure that the SRVs get registered properly. Then if RRAS is on it, it
complicates it a bit. Then if this is also a NAT server, then there can be
problems with routing between subnets because of the PDU size. LDAP requires
a PDU of 300kb, but once enabled as a NAT, and you have multiple private
interfaces, AD communication gets thwarted and requires another change. This
can cause client logon trouble as well as GPOs to fail because multiple
GC addresses come up, as they do on a multihomed DC/GC; then with round
robin, you never know which one will answer, and if it's one on another
subnet, then the system may not route it properly, so therefore it can't get
to it, even though the machine is on the same subnet.

Here's a repost of past posts I sent to explain some of it to others. They
may be mixed a bit, but you can see the gist of it. All the instructions are
here to make it work. But it's something you have to monitor to make sure it
doesn't cause any other issues. I've set up a couple of machines through this
method, but it's a pain. If you had a member server doing this (doesn't
have to be an expensive box, just a cheapo desktop will do the trick), you
would be better off.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Not saying it doesn't work with W2k3, but those articles are based on W2k.
The registries are similar, but I know some of the registration entries on W2k
have been changed on W2k3. Part of the issue you're seeing is with multiple
NICs: when opening ADUC or any other domain requests, it may be getting the
wrong IP that is registered for the SRV resource. BTW, we always suggest
NEVER to multihome a DC and especially never to put RRAS on it either. Suggest
a member server for that. But in many cases, I can understand that may not
be possible in your environment.

Suggestions, and keep in mind, when mentioning "other NICs", they are the
subnets that the NICs are on that your AD infrastructure is not on.

1. Ensure that all the NICs point only to your internal DNS server(s)
and none others.

2. In Network & Dialup properties, Advanced Menu item, Advanced Settings,
move the internal NIC (the network that AD is on) to the top of the binding
order (top of the list).

3. Disable NetBIOS on the other NICs (I know you did that through the registry with
that article, but ensure that it's disabled in NIC properties too). May want
to take a look at this to stop NetBIOS on the RRAS interfaces:
296379 - How to Disable NetBIOS on an Incoming Remote Access Interface [Reg
Entry]:
http://support.microsoft.com/?id=296379
Otherwise, RRAS or not, it will cause duplicate name errors because Windows
sees itself with multiple names through the Browser service but with different
IPs.

4. Disable File and Print services and disable MS Client on the other NICs.
Uncheck "Register this connection's addresses in DNS" in the DNS tab of IP properties/Advanced. Now if you
need these for whatever reason for resource access from clients, then you
would probably have to keep them on.

5. In DNS, delete the other NIC references for the LdapIpAddress - the blank
domain FQDN - that looks like (same as parent). If this is a GC, you need to
also stop the GC record as well.
To stop these from registering that info, use this method (this was taken
from http://support.microsoft.com/?id=295328):

==========================
To disable only the registration of the local IP addresses, set the
following registry value:
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress
GcIpAddress

After you set this value, you must manually register your publicly available
IP addresses for your domain to appear as:
(Same as parent) folder Host "publicIP". Do that by just right-clicking, New
Host, leave the hostname blank, and enter the IP of the internal NIC.

You need to also manually create the GcIpAddress as well, if this is a GC.
That would be under the _msdcs._gc SRV record under the zone.
==========================

6. In DNS, _msdcs.gc, delete the IP addresses referencing the other NICs. I
would follow this article to stop the GC records from the other NICs
registering, since this is a major cause of concern for logons. You would need
to manually create the GC entry of the internal NIC.
Restrict the DNS SRV resource records updated by the Net Logon service
[including GC]:
http://www.microsoft.com/technet/tr...proddocs/standard/sag_dns_pro_no_rr_in_ad.asp

7. Since this is a DNS server (if it is), the IPs from all NICs will
register, even if you tell it not to in the NIC properties. See this to show you how to stop
that behavior (for W2K, but may work):
275554 - The Host's A Record Is Registered in DNS After You Choose Not to
Register the Connection's Address:
http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In circumstances in which the list of IP addresses the DNS server listens to
and serves is different from the list of IP addresses published (registered
by the DNS Server service), use the following registry key:



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also, how to kill registration (per NIC) prior to setting the above
publishing records:
246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
NIC too):
http://support.microsoft.com/?id=246804
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

275554 - The Host's A Record Is Registered in DNS After You Choose Not to
Register the Connection's Address [It still registers]:
http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
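The failure described in this thread (a client on the AD subnet gets the "other" NIC's address back for the domain apex, gc._msdcs or a DC host, and round robin decides whether the join works) is easy to check for before touching the registry. The script below is an added example, not code from this thread or from Microsoft; it audits a constructed set of zone records (domain name, subnet and addresses are invented) and reports which locator-relevant A records point outside the AD subnet, the odds a round-robin answer for a name is an unreachable one, and what the record set looks like once steps 5 to 7 above have removed them.

```python
"""Audit AD DNS records on a multihomed DC for addresses outside the AD subnet.

Added example: the zone data, domain name and subnet below are constructed
for illustration and do not come from any real environment.
"""
import ipaddress

# Constructed sample zone data: (owner name, record type, data).
# Each DC has one address on the AD subnet (10.1.0.0/24) and one on the
# second range (192.168.50.0/24), and Netlogon has registered both.
SAMPLE_RECORDS = [
    ("dc1.corp.example", "A", "10.1.0.10"),
    ("dc1.corp.example", "A", "192.168.50.10"),
    ("dc2.corp.example", "A", "10.1.0.11"),
    ("dc2.corp.example", "A", "192.168.50.11"),
    ("corp.example", "A", "10.1.0.10"),            # LdapIpAddress, "(same as parent)"
    ("corp.example", "A", "192.168.50.10"),
    ("corp.example", "A", "10.1.0.11"),
    ("gc._msdcs.corp.example", "A", "10.1.0.10"),  # GcIpAddress
    ("gc._msdcs.corp.example", "A", "192.168.50.10"),
    ("_ldap._tcp.dc._msdcs.corp.example", "SRV", "0 100 389 dc1.corp.example"),
    ("_ldap._tcp.dc._msdcs.corp.example", "SRV", "0 100 389 dc2.corp.example"),
]


def a_records(records):
    """Group A record addresses by owner name, preserving zone order."""
    table = {}
    for owner, rtype, data in records:
        if rtype == "A":
            table.setdefault(owner, []).append(data)
    return table


def srv_targets(records, name):
    """Target hosts of the SRV records owned by `name` (last field of the data)."""
    return [data.split()[-1] for owner, rtype, data in records
            if owner == name and rtype == "SRV"]


def locator_names(records, domain):
    """Names the DC locator resolves: the apex (LdapIpAddress), gc._msdcs
    (GcIpAddress) and the hosts behind the _ldap._tcp.dc._msdcs SRV record."""
    names = {domain, f"gc._msdcs.{domain}"}
    names.update(srv_targets(records, f"_ldap._tcp.dc._msdcs.{domain}"))
    return names


def audit(records, domain, ad_subnet):
    """Return sorted (owner, ip) pairs for locator-relevant A records that
    point outside the AD subnet, i.e. the addresses steps 5-7 tell you to remove."""
    net = ipaddress.ip_network(ad_subnet)
    table = a_records(records)
    findings = []
    for name in locator_names(records, domain):
        for ip in table.get(name, []):
            if ipaddress.ip_address(ip) not in net:
                findings.append((name, ip))
    return sorted(findings)


def off_subnet_odds(records, name, ad_subnet):
    """Fraction of round-robin answers for `name` that land outside the AD
    subnet: with plain round robin, roughly how often a client on that subnet
    is handed an address it may not be able to route to."""
    net = ipaddress.ip_network(ad_subnet)
    ips = a_records(records).get(name, [])
    if not ips:
        return 0.0
    bad = sum(1 for ip in ips if ipaddress.ip_address(ip) not in net)
    return bad / len(ips)


def prune(records, domain, ad_subnet):
    """Return the record list with the flagged A records removed: the state the
    manual cleanup in steps 5-7 leaves the zone in."""
    bad = set(audit(records, domain, ad_subnet))
    return [r for r in records if not (r[1] == "A" and (r[0], r[2]) in bad)]


if __name__ == "__main__":
    domain, subnet = "corp.example", "10.1.0.0/24"
    for owner, ip in audit(SAMPLE_RECORDS, domain, subnet):
        print(f"off-subnet A record: {owner} -> {ip}")
    print(f"apex round-robin off-subnet odds: "
          f"{off_subnet_odds(SAMPLE_RECORDS, domain, subnet):.2f}")
    cleaned = prune(SAMPLE_RECORDS, domain, subnet)
    print(f"records after cleanup: {len(cleaned)} (findings left: "
          f"{len(audit(cleaned, domain, subnet))})")
```

Feeding it a real zone means exporting the records (for example with a zone transfer or the DNS console's export) into the same (owner, type, data) triples; the audit is the same. Re-running it after the Netlogon DnsAvoidRegisterRecords change is a quick way to confirm the other range has not crept back into the apex or gc._msdcs records at the next registration interval.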
 
Hi,
So if I understand you correctly it is really NOT recommended to do the
IP change his way. It is either a one-shot deal or using a router to make the
transferred stations "talk" to the old IP range. When all the stations have moved
to the new range, then we can switch the servers to the new range, right?

Is there any other way that comes to your mind as to how I can achieve my
range switch?

Thanks!
 
Michel B. said:
Hi,
So if I understand you correctly it is really NOT recommended to
do the IP change his way. It is either a one-shot deal or using a
router to make the transferred stations "talk" to the old IP range.
When all the stations have moved to the new range, then we can switch the
servers to the new range, right?

Is there any other way that comes to your mind as to how I can achieve
my range switch?

Thanks!

That's the way I've always done it. One-shot deal. During off-prod hours,
preferably a weekend, change DHCP (prior to that, shorten the lease to 1
day), delete all the WINS references, do the DCs and DNS first, etc. Make
sure EVERYONE shuts their machines down (assuming they're using DHCP) prior to your
planned day. With AD, it's not that simple having dual IP ranges; things will
just not work.

Ace
 