Strange problem with multihomed DNS server

It seems to be a strange problem with Windows 2000 Advance Server DNS (with Service Pack 2). I'm running an Active Directory integrated multihomed DNS server (with only one Ethernet Interface having additional IP addresses). The machine on which the DNS server is running is also a domain controller (root). This is required, because my network is divided into layer 2 switched VPN groups with different subnets (beginning from 172.16.0.0/24 to 172.16.10.0/24). Now, in order to make the DNS server a member of each subnet I assigned additional IPs to the Ethernet Interface (starting from 172.16.0.1/24 to 172.16.10.1/24).

The hosts in the network receive IPs from the DHCP server (which is also running on the same machine as the DNS server). The hosts are assigned their respective DNS server IPs (say hosts in subnet 172.16.1.0/24 are assigned the DNS server IP 172.16.1.1/24). The DHCP server is made to register the host name in the DNS server. There is no problem with the DHCP server, since everything seems to be working fine.

The DNS server is listening on all the assigned IP addresses. I can even ping using the additional IPs (from the same machine), but hosts are unable to connect to the domain, because the additional IPs are not pointing to the DNS server. Moreover, if I reload the zone data, the additional IPs are registered (pointing to the DNS server - to itself), but they disappear when the DNS updates its records after 20 min. I tried putting TTL = 365 days for the additional IPs - for each host record, but it did not work.

ipconfig /all (at any instance) displays the following listing (it is static, the additional IPs are always listed).
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : dc-root
Primary DNS Suffix . . . . . . . : inet.kec
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : inet.kec
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82540EM Based Network Connection
Physical Address. . . . . . . . . : 00-C0-9F-24-1D-3B
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.10.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.9.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.8.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.7.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.6.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.5.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.4.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.3.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.2.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.0.21
DNS Servers . . . . . . . . . . . : 172.16.0.1

After I reload the DNS zone (or soon after I add the additional IPs pointing to the DNS server), nslookup displays the following result:

C:\>nslookup
Default Server: dc-root.inet.kec
Address: 172.16.0.1
Server: dc-root.inet.kec
Address: 172.16.0.1
Name: dc-root.inet.kec
Addresses: 172.16.0.1, 172.16.1.1, 172.16.2.1, 172.16.3.1
172.16.4.1, 172.16.5.1, 172.16.6.1, 172.16.7.1, 172.16.8.1
172.16.9.1, 172.16.10.1

After approx 20 min, nslookup on dc-root lists the following result (note that additional IPs disappeared):

C:\>nslookup
Default Server: dc-root.inet.kec
Address: 172.16.0.1
Server: dc-root.inet.kec
Address: 172.16.0.1
Name: dc-root.inet.kec
Address: 172.16.0.1

I'm wondering what may be the problem. It seems the DNS server does not want to include the additional IPs. I even tried adding the IPs to the NS record and also manually entered each IP pointing to the DNS server; it worked for around 20 min. But soon after DNS updates its records, the additional IPs disappear.
Please help.
regards,
Rajesh
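A check that would catch the drop described above, written as an added example and not part of the original post: it parses saved ipconfig /all and nslookup output (constructed here from the listings in the post, trimmed to the relevant lines) and reports adapter addresses that are no longer among the host's A records. Run it against fresh output every few minutes to pin down when the records vanish.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the ipconfig /all and nslookup listings from the
# post, trimmed to the lines the check needs.
IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 172.16.10.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 172.16.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 172.16.0.1
"""

NSLOOKUP_AFTER_20MIN = """\
Server: dc-root.inet.kec
Address: 172.16.0.1
Name: dc-root.inet.kec
Address: 172.16.0.1
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def interface_addresses(ipconfig_text):
    """All 'IP Address' values on the adapter (the DNS Servers line is skipped)."""
    addrs = set()
    for line in ipconfig_text.splitlines():
        if line.startswith("IP Address"):
            addrs.update(IP_RE.findall(line))
    return addrs


def registered_addresses(nslookup_text):
    """IPs nslookup returns for the queried name: everything after the 'Name:'
    line, so the server's own 'Address:' header line is not counted."""
    addrs = set()
    in_answer = False
    for line in nslookup_text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
        elif in_answer:
            addrs.update(IP_RE.findall(line))
    return addrs


def missing_registrations(ipconfig_text, nslookup_text):
    """Adapter addresses with no A record for the host, sorted numerically."""
    missing = interface_addresses(ipconfig_text) - registered_addresses(nslookup_text)
    return sorted(missing, key=ip_address)
```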
 
In Alerteye(removethis) <PleaseAdd_MyDisplayNameHereRemoving_The_bracket_And_Its_Content@hotmail.com> posted their thoughts, then I offered mine
This post looks familiar because with all these IP addresses. Did you
recently post in this forum or another?

It is highly recommended NOT to multihome a DC/DNS server due to the many
errors/issues evolving from it.

272294 - Active Directory Communication Fails on Multihomed Domain
Controllers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294&FR=1

If you need it multihomed, it's recommended to have the DNS server listen
on only one of the interfaces and to also disable F & P Services and NetBIOS
on the outside NIC. If possible, it's recommended to use a member server or
a stand-alone machine as the router or NAT machine.

Also keep in mind, if you go beyond 15 IP addresses on a DC, other things
will go wrong.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
I know that the Microsoft DNS server releases the additional IPs since they do not belong to the same subnet as the default IP (172.16.0.1/24) - I wonder why it should do that! This behavior may be by design (BIND on Linux does not have this problem; I'm also using BIND with the same configuration, without any side effect at all).

The configuration required by me is necessary. Ours is a small organization; we are one of the Depts., with 350 hosts (there are six more Depts. like us). We are using Layer 2 Switched VLANs to separate the broadcast domains, therefore multiple subnets are required; further, currently we do not need inter-subnet communication (routing is not essential). The only requirement is that the clients should be able to connect to the DC (additional DC of the root). The Depts. are connected to each other by a router (only the servers). Clients are using roaming user profiles with folder redirection.

Well, to begin with, I know some solutions (I have tested them myself) that can make my configuration work - of course with some side effects. (But I still wonder why Microsoft operating systems do not have the flexibility of LINUX.) We are still in the testing phase, so please help me to decide on the best solution.

[Solution 1:]
Leave the additional IPs assigned to the NIC as they are (starting from 172.16.0.1/24 to 172.16.10.1/24). Make the DNS server listen on only 172.16.0.1. Configure the clients belonging to the different subnets with:
DNS = 172.16.0.1
Gateway = 172.16.x.1 (where x = the subnet to which the client belongs)

For example, a client belonging to subnet 172.16.8.0/24 will have its gateway pointing to 172.16.8.1 (which is one of the additional IPs of the DNS server).

Now, since Windows creates the routes to the additional IPs automatically, all requests destined for 172.16.0.1 will get through 172.16.x.1, so clients belonging to any subnet (within 172.16.x.y) will be able to connect to any of the additional 172.16.x.y IPs (within the same machine). This I achieved by creating separate DHCP scopes for each subnet (I used the clients' MAC addresses to group them into separate subnets).

Side effect: If you use a NAT server for Internet sharing, it will be difficult to route the requests to that server. However, I achieved this by configuring Routing & Remote Access on the DNS server and using ICMP router discovery to redirect the clients' requests to the NAT server.

[Solution 2 (not better than Solution 1):]
Use an additional NIC in the same machine where the DNS server is running. Assign a separate IP address to the second NIC. Leave the additional IPs assigned to the first NIC as they are. Disable Windows Media Sense for TCP/IP by setting DisableDHCPMediaSense = 1 in the registry (to keep the Network Interface bound to TCP/IP). Make the DNS & DHCP server listen on the IP assigned to the second NIC (which is actually not connected to anything). Now the first NIC will act as the router interface (with multiple IPs - certainly possible). Configure Routing & Remote Access to forward all traffic (create a static route) from the first NIC to the second NIC, and also add a DHCP relay agent to forward DHCP requests from the first NIC to the second NIC (the DHCP server is listening on the second NIC). Further, if you have a NAT server for Internet sharing, configure ICMP router discovery in Routing & Remote Access. It is like using NAT on the same machine as the DNS server.

I don't have to use a separate NAT server with Solution 2, and I can get good throughput.

[Solution 3:]
Use a separate NAT server and keep the DNS behind NAT (for those who need an easy deployment). I did not try this (don’t want to use a separate machine). But I think this will create a good Demilitarized Zone (not required in my case).

[Solution 4:]
Use a router – (we don’t want to use one right now, why invest unnecessarily).

Anyway, thanks a lot to all of you for your kind assistance.

Regards,
Rajesh
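The path Solution 1 depends on, written up as an added example (not the poster's own configuration): it derives one DHCP scope per /24 from the addresses on the DC's NIC, then checks for a given client that the handed-out gateway is on-link and is an address the DC itself holds, which is what lets a packet for 172.16.0.1 be delivered locally instead of needing a route. The /24 mask, the address list and the listen address are taken from the thread; the scope layout is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed from Solution 1: every address on the DC's single NIC, the one
# address the DNS server is left listening on, and the /24 mask used throughout.
SERVER_ADDRESSES = [f"172.16.{x}.1" for x in range(0, 11)]
DNS_LISTEN = "172.16.0.1"
MASK = "255.255.255.0"


def build_scopes(server_addresses=SERVER_ADDRESSES, dns=DNS_LISTEN, mask=MASK):
    """One DHCP scope per subnet: the gateway is the server's own address in
    that subnet (the on-link hop that reaches the DNS listen address), and the
    DNS option is the single listen address for every scope."""
    scopes = {}
    for addr in server_addresses:
        net = ip_network(f"{addr}/{mask}", strict=False)
        scopes[str(net)] = {"gateway": addr, "dns": dns}
    return scopes


def client_reaches_dns(client_ip, scopes, server_addresses=SERVER_ADDRESSES,
                       dns=DNS_LISTEN, mask=MASK):
    """Walk the path for one client and return (ok, reason):
    1. the client's subnet must have a scope,
    2. the scope's gateway must be on-link (same /24 as the client),
    3. that gateway must be an address the DC holds, so a packet for the DNS
       listen address is accepted locally rather than forwarded anywhere."""
    ip = ip_address(client_ip)
    client_net = ip_network(f"{client_ip}/{mask}", strict=False)
    scope = next((s for n, s in scopes.items() if ip in ip_network(n)), None)
    if scope is None:
        return False, "no scope for client subnet"
    gw = ip_address(scope["gateway"])
    if gw not in client_net:
        return False, "gateway not on-link for client"
    if str(gw) not in server_addresses:
        return False, "gateway is not an address held by the DNS host"
    if ip_address(dns) in client_net:
        return True, "DNS on-link, gateway not needed"
    return True, f"DNS reached via {gw}"
```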
 
In Alerteye(removethis)
Replied privately to your email.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 