Win2k DNS and multihomed DC's

Todd

I have two separate forests each with two DC/GC's and each of the four
servers is multihomed to a backup network that is non-routed. Each DC has
NetBIOS disabled on the backup NIC and each has its DNS properties set to
not register in DNS and yet I keep getting A records for the servers and
"(same as parent folder)" A records in their respective DNS zones for the
backup IP's. Why is this? Obviously I have intermittent LDAP failures as the
DNS servers hand out the backup network IP's to clients.

Any way I can permanently tell these servers to stop registering their backup
network IP's and still maintain dynamic zones? This is aggravating.
 
Todd said:
I have two separate forests each with two DC/GC's and each of the four
servers is multihomed to a backup network that is non-routed. Each DC
has NetBIOS disabled on the backup NIC and each has its DNS
properties set to not register in DNS and yet I keep getting A
records for the servers and "(same as parent folder)" A records in
their respective DNS zones for the backup IP's. Why is this?
Obviously I have intermittent LDAP failures as the DNS servers hand
out the backup network IP's to clients.
Anyway I can permanently tell these servers to stop registering their
backup network IP's and still maintain dynamic zones? This is
aggravating.

Here's a repost of what I usually give someone to try to fix this. Just read
thru and apply what you need for your scenario.
-Ace

=======================
Honestly, multihomed DCs are not recommended because of the associated
issues that can occur, as you've encountered. We usually recommend
purchasing an inexpensive Linksys, DLink, etc, Cable/DSL router to perform
NAT for you, take out the extra NIC off the DC, but still let the DC handle
DHCP (and not the router).

Since this DC is multi-homed, it requires additional configuration to
prevent the public interface addresses from being registered in DNS. This
creates a problem for internal clients locating AD to authenticate and find
other services and resources such as the Global Catalog, file sharing and
the SYSVOL DFS share and can cause GPO errors with Userenv 1000 events to be
logged, authenticating to shares and printers, logging on takes forever,
among numerous other issues.

But if you like, there are some registry changes to eliminate the
registration of the external NIC. Here's the whole list of manual steps to
follow (this includes some of the stuff I already gave you):

But believe me, it's much easier to just get a separate NAT device or
multihome a non-DC than having to alter the DC. - Good luck!

1. In the DNS management console, on the properties of the DNS server,
interfaces tab, set DNS to only listen on the private IP you want in DNS for
the server.


2. Add this registry entry with regedt32 to stop the (same as parent folder)
records.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
On the Edit menu, point to New, and then click REG_MULTI_SZ as the data
type:

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

(and in the box, you would type in the following to stop their
registration):

LdapIpAddress
GcIpAddress


3. Then you will need to manually create the LdapIpAddress and GcIpAddress
records in DNS.

To manually create the LdapIpAddress, create a new host but leave the name
field blank, and give it the IP of the internal interface. Windows 2k barks at
you saying (same as parent folder) is not a valid host name; click OK to create
the record anyway. Windows 2003 won't bark.

To manually create the GcIpAddress, navigate to the _msdcs folder, under it
click the gc folder, then rt-click, create new host, leave the name field
blank, and give it the IP of the internal interface. Windows 2k barks at you
saying (same as parent folder) is not a valid host name; click OK to create the
record anyway. Windows 2003 won't bark.


4. To stop registration of both NICs, add (if it exists) or alter this reg
entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

On the Edit menu, point to New, and then click DWORD Value to add the
following registry value:
Value name: RegisterDnsARecords
Data type: REG_DWORD
Value data: 0

Then manually create a new host record for the server name in DNS and give
it the IP of the internal interface.


5. Right click on Network places, choose properties, in the Advanced menu
item select Advanced settings. Make sure the internal interface is at the top
of the connections pane and File sharing is enabled on the internal interface.


6. And in addition to the (same as parent folder) record in the domain zone
for the domain name, expand _msdcs, open gc and create new host with name
field blank and give it the IP of the internal interface. This resolves as
gc._msdcs.forestroot.com.


7. On the outer NIC, disable File and Print Services and Microsoft Client
Service, then go into IP properties, click on Advanced, choose the WINS tab
and disable NetBIOS.


8. On the outer NIC, only put in the internal IP address of the DNS server
(this machine).


9. If you haven't done so, configure a forwarder. You can use 4.2.2.2 if not
sure which DNS to forward to until you've got the DNS address of your ISP.

===============================


--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
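The same fix as a script, added here as an example that is not part of Ace's post or of Microsoft's documentation. It covers steps 1 through 4 and 6 above on a current Windows Server DC with the DnsServer and DnsClient modules (Server 2012 and later); Windows 2000 has none of these cmdlets, so on Todd's servers the steps stay manual with regedt32 and dnscmd. The two Netlogon registry values are the ones named in the post and are still honoured by Netlogon on current versions. The addresses, zone name and the choice of `gc._msdcs` as a folder inside the domain zone (the Windows 2000 layout the post describes) are assumptions for illustration; if your `_msdcs.<forest>` is its own zone, use `-ZoneName "_msdcs.<forest>" -Name 'gc'` instead. The script also removes any A records already leaked for the backup address and then checks from the DC's own DNS that nothing resolves to it any more, which is the check a client-side LDAP failure would otherwise reveal.

```powershell
# Added example, not from the original thread: Ace's steps 1-4 and 6 scripted for a
# current Windows Server DC (DnsServer/DnsClient modules). Windows 2000 lacks these
# cmdlets; use regedt32 and dnscmd there. All values below are assumptions.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$InternalIP = '10.0.0.10'          # assumption: address on the routed production NIC
$BackupIP   = '192.168.100.10'     # assumption: address on the non-routed backup NIC
$DomainZone = 'corp.example.com'   # assumption: the AD domain's DNS zone
$GcRelName  = 'gc._msdcs'          # assumption: _msdcs is a folder inside $DomainZone;
                                   # for a separate _msdcs.<forest> zone use -Name 'gc' there
$DcName     = $env:COMPUTERNAME

$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Step 2: Netlogon must not register the "(same as parent folder)" A records for the
# domain name (LdapIpAddress) and for gc._msdcs (GcIpAddress). Set-ItemProperty creates
# the value if it does not exist yet.
Set-ItemProperty -Path $nl -Name 'DnsAvoidRegisterRecords' -Type MultiString `
    -Value @('LdapIpAddress', 'GcIpAddress')

# Step 4: Netlogon must not register the DC's own host A record either.
Set-ItemProperty -Path $nl -Name 'RegisterDnsARecords' -Type DWord -Value 0

# The DNS Client service registers per-adapter host A records independently of Netlogon,
# so the backup NIC also needs "Register this connection's addresses in DNS" switched off.
$backupIf = (Get-NetIPAddress -AddressFamily IPv4 -IPAddress $BackupIP).InterfaceIndex
Set-DnsClient -InterfaceIndex $backupIf -RegisterThisConnectionsAddress $false

# Step 1: the DNS server itself listens on the internal address only.
& dnscmd.exe /ResetListenAddresses $InternalIP | Out-Null

# Purge what has already leaked: every A record in the zone that carries the backup address
# (this includes records under child folders such as _msdcs).
Get-DnsServerResourceRecord -ZoneName $DomainZone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $BackupIP } |
    Remove-DnsServerResourceRecord -ZoneName $DomainZone -Force

# Steps 3, 4 and 6: the records Netlogon no longer maintains become static entries that
# carry only the internal address. '@' is the zone apex, i.e. "(same as parent folder)".
foreach ($name in @('@', $DcName, $GcRelName)) {
    $existing = Get-DnsServerResourceRecord -ZoneName $DomainZone -Name $name -RRType A `
        -ErrorAction SilentlyContinue
    if (-not $existing -or
        @($existing.RecordData.IPv4Address.IPAddressToString) -notcontains $InternalIP) {
        Add-DnsServerResourceRecordA -ZoneName $DomainZone -Name $name -IPv4Address $InternalIP
    }
}

# Apply: Netlogon re-reads its parameters on restart and re-registers its SRV records, but,
# because of the two values above, leaves the A records just created alone.
Restart-Service -Name Netlogon
& ipconfig.exe /registerdns | Out-Null

# Verify against the DC's own DNS: nothing a client can look up may return the backup address.
$queries = @($DomainZone, "$DcName.$DomainZone", "$GcRelName.$DomainZone")
$leaks = foreach ($q in $queries) {
    Resolve-DnsName -Name $q -Type A -Server $InternalIP -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -eq $BackupIP } |
        ForEach-Object { "$q -> $($_.IPAddress)" }
}
if ($leaks) { Write-Warning ("Backup address still published:`n" + ($leaks -join "`n")) }
else        { Write-Host "OK: $($queries -join ', ') resolve to $InternalIP only" }
```

Run it during a maintenance window: restarting Netlogon on a DC briefly interrupts authentication. Records the DC has already registered on the other DC of the same domain are replicated through AD-integrated zones, so run the purge on each DC, or run the whole script on every multihomed DC. On Server 2008 and later the same Netlogon behaviour can be set centrally through the Net Logon "DC Locator DNS records not registered by the DCs" group policy instead of the registry value; the script leaves steps 5, 7, 8 and 9 (binding order, services on the backup NIC, DNS client addresses, forwarder) to be done as described in the post.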
 
Thanks, I'll give it a go.
 
Look at the following: MS KB Q246804, "How to enable or disable dynamic
DNS registrations in Windows 2000 and in Windows Server 2003".

This will help you!
 