Multihomed DNS Server Mailserver Webserver Fileserver

[Darrel]

I'm having a huge problem with my DNS server setup. I have a
multihomed Win2K server using Active Directory (1 public IP address
and 1 internal IP Address).
The problem is that my local IP address keeps getting registered with
DNS so when someone from the outside world tries pinging my website,
it resolves it as my local ip address instead of the public one. I've
tried everything that I can think of. I've unchecked the "Register
this with DNS" checkbox on the internal IP address. I've changed
registry settings to only deal with the public one, but it doesn't
matter - that internal IP address still shows up. I'm at a loss and
losing my mind. I've had this problem for over 2 years now, and still
cannot find a solution. Basically, I might have to go back to square
1 and setup the network adapters again, and then re-setup DNS again.
If I have to do that, that's fine. This server houses our website,
ftp site, email, as well as our local fileserver. It is connected to
southwestern bell DSL. Please, somebody help me out. This might take
some time to accomplish, but I would like to go through everything to
figure out what the problem is. I will be happy to post screenshots
of my network adapters setup and my dns setup and anything else you
might need. Thank you!

 

[Kevin D. Goodknecht [MVP]]

In

I'm having a huge problem with my DNS server setup. I have a
multihomed Win2K server using Active Directory (1 public IP address
and 1 internal IP Address).
The problem is that my local IP address keeps getting registered with
DNS so when someone from the outside world tries pinging my website,
it resolves it as my local ip address instead of the public one. I've
tried everything that I can think of. I've unchecked the "Register
this with DNS" checkbox on the internal IP address. I've changed
registry settings to only deal with the public one, but it doesn't
matter - that internal IP address still shows up. I'm at a loss and
losing my mind. I've had this problem for over 2 years now, and still
cannot find a solution. Basically, I might have to go back to square
1 and setup the network adapters again, and then re-setup DNS again.
If I have to do that, that's fine. This server houses our website,
ftp site, email, as well as our local fileserver. It is connected to
southwestern bell DSL. Please, somebody help me out. This might take
some time to accomplish, but I would like to go through everything to
figure out what the problem is. I will be happy to post screenshots
of my network adapters setup and my dns setup and anything else you
might need. Thank you!

This problem is common if you are trying to host your public zone and your
Active Directory Domain zone on the same server with the same domain name.
You have choices to make.
1. Set up another server with DNS to move one of these zones to.
2. Domote the AD domain and repromote with a name different than your AD
name.
3. Get someone else to host your public name, you can get SBC to do this but
you may not want to pay them $100 setup for a Primary zone.

Myself, knowing option 1 and 3 are going to come out of your pocket you may
opt for option 2. I understand exactly what is happening and why, I've been
there and done that.

 

[Ace Fekay [MVP]]

In

In

This problem is common if you are trying to host your public zone and
your Active Directory Domain zone on the same server with the same
domain name. You have choices to make.
1. Set up another server with DNS to move one of these zones to.
2. Domote the AD domain and repromote with a name different than your
AD name.
3. Get someone else to host your public name, you can get SBC to do
this but you may not want to pay them $100 setup for a Primary zone.

Myself, knowing option 1 and 3 are going to come out of your pocket
you may opt for option 2. I understand exactly what is happening and
why, I've been there and done that.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================

(x-posted to microsoft.public.win2000.dns &
microsoft.public.windows.server.dns)

Darrel, your post was correctly answered by Kevin in the win2000.dns
newsgroup, but you multiposted it.

With all due respect, you should have cross-posted this (by clicking the
"newsgroups name in OE that you're sending to, and selecting multiple
newsgroups to send to with your one message) instead of mutliposting as you
did. When someone replies, it automatically goes to all the groups you
cross-posted to. It makes it easier for you to find all the answers, (not
sure how many others you posted to) and for us as to not duplicate our
efforts to help out and is also considerate for folks who are on dialup as
to not having to download the same message multiple times.

If your're not sure how to for future reference, here's a couple links on
it:

Newsgroup Etiquette [ASP FAQ]:
http://www.aspfaq.com/etiquette.asp?id=5003

Multiposting vs Crossposting:
http://www.blakjak.demon.co.uk/mul_crss.htm

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

 

[Darrel]

Terribly sorry about multiposting. I didn't know you could do a cross
post in newsgroups - I don't use them much. I was searching in all
newsgroups for my problem and came across the other newsgroup first
(microsoft.public.windows.server.dns, then I was searching more and
came across the win2000 group and thought that was the better place to
put it. You've set me straight.

 

[Ace Fekay [MVP]]

In

Terribly sorry about multiposting. I didn't know you could do a cross
post in newsgroups - I don't use them much. I was searching in all
newsgroups for my problem and came across the other newsgroup first
(microsoft.public.windows.server.dns, then I was searching more and
came across the win2000 group and thought that was the better place to
put it. You've set me straight.

Just wanted to let you know to make it easier on yourself.

Hope the answer Kevin gave you helped you out.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

 

[Darrel]

Thanks for the reply

I'll try to go with option 2 first, but some quick questions.

You're telling me to demote the active directory - you mean to demote
the domain controller right?

Then use dcpromo again with a different name? Do I use something like
localnet or localnet.com?

Then, how to setup the network adapters DNS settings (basically, what
should the DNS tab look like on each adapter?):
1. Which adapter points to what DNS server.
2. Which do I say not to register in DNS (if any)
3. What DNS suffix do I put on both (if any)

Then, how do I setup my DNS server - the properties of it.
Such as, do I setup forwarders, zone transfers, only listen on 1
adapter?

Thanks again.

 

[Ace Fekay [MVP]]

In

Thanks for the reply

I'll try to go with option 2 first, but some quick questions.

You're telling me to demote the active directory - you mean to demote
the domain controller right?

Then use dcpromo again with a different name? Do I use something like
localnet or localnet.com?

Then, how to setup the network adapters DNS settings (basically, what
should the DNS tab look like on each adapter?):
1. Which adapter points to what DNS server.
2. Which do I say not to register in DNS (if any)
3. What DNS suffix do I put on both (if any)

Then, how do I setup my DNS server - the properties of it.
Such as, do I setup forwarders, zone transfers, only listen on 1
adapter?

Thanks again.

On the external NIC:
1. Disable Netbios
2. Uncheck:
a. F&P Services
b. MS Client Service
c. Register this connection in DNS
3. Move the internal NIC to the top of the Binding order

In the registry, perform these steps: (This is necessary since you are
mutlihoming a DNS/DC/GC server, which is not recommended because of the
mutliple entries that get registered into DNS which can cause AD
misfunctionality, and they still register even if you unchecked the
'register this connection in DNS' checkbox because it's a DNS server, trying
to identify itself).

To disable only the registration of the local IP addresses, set the
following registry value, then reboot the machine for it to take effect:

1) Add the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Value: LdapIpAddress
GcIpAddress

If this machine is not a GC, don't do the GcIPAddress value.

Then manually create the LdapIpAddress by rt-clicking your zone name, new,
Host, leave the hostname blank, then enter the IP address of your domain
controller.

Then navigate to _msdcs._gc, and create a GC entry for that machne (if it's
a GC).





--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

 

[Kevin D. Goodknecht [MVP]]

In

Thanks for the reply

I'll try to go with option 2 first, but some quick questions.

You're telling me to demote the active directory - you mean to demote
the domain controller right?

Yes, but doing this means that you will lose all domain accounts you have
already created. You will have to recreate the accounts after you promote it
to a DC with the new name.

Then use dcpromo again with a different name? Do I use something like
localnet or localnet.com?

You can use a name like "domain.local" or even "lan.publicname.com". IF you
use "lan.publicname.com" you will need to delegate that name "lan" in the
public zone, that delegated name will be to the local name of the DC,
something like "dc.lan.publicname.com" This name will only resolve to a
local address so you don't have to worry about someone getting into the
domain without a VPN connection.

Then, how to setup the network adapters DNS settings (basically, what
should the DNS tab look like on each adapter?):
1. Which adapter points to what DNS server.

DNS will listen on the internal address, you will have to install NAT to
port forward incoming connections on port 53 from the public address to the
private address. Do not use ICS on a DC use only NAT in RRAS.

2. Which do I say not to register in DNS (if any)

Follow Ace's instructions so that the proper addresses are registered in the
local domain zone.

3. What DNS suffix do I put on both (if any)

The primary DNS suffix on both adapter must be the AD domain name

Then, how do I setup my DNS server - the properties of it.
Such as, do I setup forwarders, zone transfers, only listen on 1
adapter?

Use a Forwarder to SBC's public DNS resolvers, do _not_ use their
Authoritative DNS servers (NS1 & NS2.swbell.net), they do not support
recursion. SBC has a list of about 20 or 30 public resolvers geographically
located, I don't know where you are located so I can't tell you which you
need to use.
If you are like me, and have SBC hosting secondary zones for you allow zone
transfers to the SBC DNS servers that have your secondary zone.

 

[Darrel]

One more thing - how do I know if this is a GC server? Or since I
asked that question, it's probably not?
And, you said to enter the IP address for the Ldap, that would be my
public IP address, right?

 

[Darrel]

In

Yes, but doing this means that you will lose all domain accounts you have
already created. You will have to recreate the accounts after you promote it
to a DC with the new name.

Ok, do you mean that I'll lose all the DNS settings I have? Is this
the only thing that I'll have to recreate? If so, that shouldn't be a
big deal.

You can use a name like "domain.local" or even "lan.publicname.com". IF you
use "lan.publicname.com" you will need to delegate that name "lan" in the
public zone, that delegated name will be to the local name of the DC,
something like "dc.lan.publicname.com" This name will only resolve to a
local address so you don't have to worry about someone getting into the
domain without a VPN connection.

Ok, so basically, I'll rename the active directory domain to
lan.publicname.com. Then I'll make a zone in DNS that is
publicname.com and fill in all my stuff for that. I don't under stand
the delegated part. What exactly do I do there?

DNS will listen on the internal address, you will have to install NAT to
port forward incoming connections on port 53 from the public address to the
private address. Do not use ICS on a DC use only NAT in RRAS.


Follow Ace's instructions so that the proper addresses are registered in the
local domain zone.


The primary DNS suffix on both adapter must be the AD domain name

Use a Forwarder to SBC's public DNS resolvers, do _not_ use their
Authoritative DNS servers (NS1 & NS2.swbell.net), they do not support
recursion. SBC has a list of about 20 or 30 public resolvers geographically
located, I don't know where you are located so I can't tell you which you
need to use.
If you are like me, and have SBC hosting secondary zones for you allow zone
transfers to the SBC DNS servers that have your secondary zone.

And finally, I'm in Amarillo, TX, so could you help me out as to which
DNS server to use? Right now, I've been using ns1 and ns2. And one
more question to denote how dumb I am: what do you mean by SBC hosting
secondary zones for me? Do I have to do zone transfers in order for
my domain names to get out to the rest of the world?

One last question I didn't cover, in my domain registration (with
netsol.com), what DNS servers do I enter with them? SBC and mine or ?

Thanks for helping me out. I just want to try and ask all I can
before I shut down my server.

 

[Kevin D. Goodknecht [MVP]]

In

Ok, do you mean that I'll lose all the DNS settings I have? Is this
the only thing that I'll have to recreate? If so, that shouldn't be a
big deal.

The AD DNS records will be automatically registered by the DC that isn't a
problem, what I was referring to was the user and computer accounts will
have to be recreated. These are domain accounts and the AD Domain will no
longer exist.

Ok, so basically, I'll rename the active directory domain to
lan.publicname.com. Then I'll make a zone in DNS that is
publicname.com and fill in all my stuff for that. I don't under stand
the delegated part. What exactly do I do there?

Your current AD domain is publicname.com and the records for that domain are
in that zone, the new zone will be named lan.publicname.com, you will still
have a zone named publicname.com and unless you delegate the name "lan" in
that zone, you will have the same problem you have now.
After you demote the DC and kill the current AD domain, you will still need
the zone "publicname.com" in that zone you will need to create a delegation
named "lan" and point the delegation to the DC's internal AD name
"dc.lan.publicname.com"
In the publicname.com zone you will use the public name of your DNS server
like "NS.publicname.com"

And finally, I'm in Amarillo, TX, so could you help me out as to which
DNS server to use? Right now, I've been using ns1 and ns2.

You can't use ns1 and ns2.swbell.net as forwarders, they have recursion
disabled on them. Use these in Amarillo:
Amarillo-TX
151.164.1.8
151.164.11.201


http://dialup.swbell.net/help/tech_faq.html

And one

more question to denote how dumb I am: what do you mean by SBC hosting
secondary zones for me?

If you have a business or enhanced DSL account (static) SBC wil host
secondary zones for you, that is one of the advantages of paying $64.95 a
month for service. Info is on this page:
http://dialup.swbell.net/customer/dn_worksheet.html
You will need to nmake the request by email to (e-mail address removed).

Do I have to do zone transfers in order for
my domain names to get out to the rest of the world?

You will only have to make zone transfers to secondary DNS servers.

One last question I didn't cover, in my domain registration (with
netsol.com), what DNS servers do I enter with them? SBC and mine or ?

Yes SBC's and yours, after yours is registered in Netsol's system. You can
do that on you account administration site, there is a link on the left side
of the page that says "Manage host servers"

Thanks for helping me out. I just want to try and ask all I can
before I shut down my server.

You really don't have to shut it down other than the normal restarts in
dcpromo, your DNS server will continue to operate and resolve names.

 

[Kevin D. Goodknecht [MVP]]

In

One more thing - how do I know if this is a GC server? Or since I
asked that question, it's probably not?

It probably is, the first DC in the forest will always be a Global Catalog.

And, you said to enter the IP address for the Ldap, that would be my
public IP address, right?

Use the private address in the AD zone, this IP address must have file
sharing enabled on it. In the public zone use the public address.

 

[Ace Fekay [MVP]]

In

One more thing - how do I know if this is a GC server? Or since I
asked that question, it's probably not?

To find out if it's a GC, goto Sites, drill down until you see the ntds
settings on the right side, properties, there;s a checkbox in there.

And, you said to enter the IP address for the Ldap, that would be my
public IP address, right?

What Kevin said.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

 

[Darrel]

In

It probably is, the first DC in the forest will always be a Global Catalog.


Use the private address in the AD zone, this IP address must have file
sharing enabled on it. In the public zone use the public address.

Sorry, I'm back. I'm trying to create a step-by-step list of things
to do and came up with more questions:
In the above statement, you said to use the private address in the AD
zone and the public in the public zone. Does this mean I'll have 2
zones in DNS? One that is publicname.com and one that is
lan.publicname.com? Or am I confused even more than before?

 

[Darrel]

In

It probably is, the first DC in the forest will always be a Global Catalog.


Use the private address in the AD zone, this IP address must have file
sharing enabled on it. In the public zone use the public address.

Nevermind about my asking about 2 zones. You had answered that earlier.

 

[Darrel]

Hello again. For EACH NIC properties on my server: what do I put for
the DNS Preferred and Alternate Servers?

 

[Darrel]

A few more questions, then I swear I'm done:

On both NICs, on the DNS tab properties:
I'm not sure if these are the right settings for BOTH adapters, so
please let me know if that's wrong.
The "Append primary and connection specific DNS suffixes" option
must be selected.
The "Append parent suffixes of the primary DNS suffix" checkbox must
be checked.
The "DNS suffix for this connection" box must have
lan.publicname.com filled in it.
Does the "Use this connection's DNS suffix in DNS registration"
checkbox need to be checked on either adapter?

In the public zone name publicname.com, I will setup the NameServers
by using ns.publicname.com or do I need to add a delegated name
ns.publicname.com?????

What do the nameservers Tabs for EACH zone's properties need to look
like?
In my domain registration setup (netsol.com), I will use SBC's AND my
name servers. For the SBC nameservers here, do I use the 151.164.1.8
and 151.164.11.201 or do I use 151.164.1.1 and 151.164.1.7 ?


thanks again guys! If I'm ever in your neck of the woods I'll buy you
a drink or 2 or 3 or however many you want. But where are y'all
located?

 

[Kevin D. Goodknecht [MVP]]

In

Hello again. For EACH NIC properties on my server: what do I put for
the DNS Preferred and Alternate Servers?

Use the IP of the private NIC only for DNS, don't use an Alternate unless
you add a DC with DNS.

 

[Kevin D. Goodknecht [MVP]]

In Darrel <[email protected]> posted a question
Then Kevin replied below:

Sorry I'm getting around so late this morning we had a storm this morning
and I took a close hit by lightning that took out a NIC and one node on my
switch.

A few more questions, then I swear I'm done:

On both NICs, on the DNS tab properties:
I'm not sure if these are the right settings for BOTH adapters, so
please let me know if that's wrong.
The "Append primary and connection specific DNS suffixes" option
must be selected.
The "Append parent suffixes of the primary DNS suffix" checkbox must
be checked.
The "DNS suffix for this connection" box must have
lan.publicname.com filled in it.
Does the "Use this connection's DNS suffix in DNS registration"
checkbox need to be checked on either adapter?

In the public zone name publicname.com, I will setup the NameServers
by using ns.publicname.com or do I need to add a delegated name
ns.publicname.com?????

In your public zone create a host record named "ns" and give it one of the
public IPs on your public NIC. I'm assuming here that you have business DSL
and you have 5 IP addresses.

What do the nameservers Tabs for EACH zone's properties need to look
like?
In my domain registration setup (netsol.com), I will use SBC's AND my
name servers. For the SBC nameservers here, do I use the 151.164.1.8
and 151.164.11.201 or do I use 151.164.1.1 and 151.164.1.7 ?

For the Netsol record use ns1.swbell.net 151.164.1.1 and ns2.swbell.net
151.164.11.218 (NS2.swbell.net had an IP change about a month ago) and yours
for both the registration and NS records on your public zone. Do not use
SBCs name servers on your internal zone.

thanks again guys! If I'm ever in your neck of the woods I'll buy you
a drink or 2 or 3 or however many you want. But where are y'all
located?

I'm in Wichita Falls and I'll take you up on that.

 

[Darrel]

so are the following settings correct?
On both NICs, on the DNS tab properties:
1. The "Append primary and connection specific DNS suffixes" option
must be selected.

2. The "Append parent suffixes of the primary DNS suffix" checkbox must
be checked.

3. The "DNS suffix for this connection" box must have
lan.publicname.com filled in it.


4. Does the "Use this connection's DNS suffix in DNS registration"
checkbox need to be checked on either adapter?