Solved

dns in a multihomed, 2000 server

Posted on 2003-10-25
27
478 Views
Last Modified: 2010-04-13
OK, will explain. Have a 2000 server with 4 NICs in, with IP addresses of
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
with DNS and WINS running.
Now on each of the NICs is a VPN router, which over ADSL connects all the time to different offices
with these IP address ranges:
192.168.5.1-10
192.168.6.1-10
192.168.7.1-10
192.168.8.1-10

Now on the remote sites the machines there get their IP address from the local router, i.e. 192.168.5.x,
so all that's working fine.
So their settings would be
ip  192.168.5.2
mask   255.255.255.0
gateway of 192.168.5.1
dns is 192.168.1.1

So when I do an nslookup on the server from the external machines it brings back no errors and shows that the server has four IP addresses and lists them,
i.e.
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
so no problem here.
When I ping the server via the IP address, i.e. for instance this time
192.168.1.1, it returns quickly, no drop outs, and works fine.
Now if I ping the "server name" it comes back and tries to ping the wrong IP address, this time try 192.168.3.1, which of course it cannot do as that's not on the same (as it goes through the VPN) (now this is one of the server's IPs but it has not returned the correct one for that PC on that subnet).
So it returns the wrong IP address for the query, then is unable to ping the server,
but I check and ping the correct IP address, which connects and works fine.
Have a list of how the IPs relate.
Have also put routes in which tell it where to send traffic,
i.e.
192.168.5.1 gateway

internal IP address   gateway to other range   remote gateway   IP address
of server             (going through router)                    of remote site
192.168.1.1           192.168.1.4              192.168.5.4      192.168.5.1
192.168.2.1           192.168.2.1              192.168.6.4      192.168.6.4
192.168.3.1           192.168.3.1              192.168.7.4      192.168.7.4
192.168.4.1           192.168.4.1              192.168.8.4      192.168.8.4



Need any more, get back to me.
Probably something simple, just cannot see it.
Thanks


Question by:mbu10
27 Comments
 
LVL 2

Expert Comment

by:dankennedy
ID: 9620650
Sounds like the DNS server is returning the IPs using round robin. The DNS server won't return IPs based on subnet the request comes from (as far as I know). You could try using a different server name for each subnet like ServerA, ServerB, ServerC. That way each subnet will always get the correct IP address for the server.

Read the following Microsoft Article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;168321
0
 

Author Comment

by:mbu10
ID: 9620867
Yes, that's what I had thought of to start with, and I had turned off round robin.
Problem is, it could be solved by adding other names to IP addresses for the server,
but since the system is up and running and has been for quite a while,
the mapped drives which they use would be harder to implement, as it would need separate scripts etc.
There has to be another way of making sure the IP address, i.e. 192.168.4.1, returns itself for lookups and does not return one of the other 3 it has.
0
 
LVL 2

Expert Comment

by:dankennedy
ID: 9620968
Sounds simple, but DNS is a fairly strict standard and as far as I know, you can't make it change which A record it uses based on the interface the request comes in on.

Is there any way you can change your IP scheme, so that the server only has one NIC card? It would solve all your problems and make your configuration a lot easier if you added another router so that the server only had one IP address.

Server --> Router --> |---->VPN Router 1 ---> Client 1
                                 |---->VPN Router 2 ---> Client 2
                                 |---->VPN Router 3 ---> Client 3
                                 |---->VPN Router 4 ---> Client 4

0
 

Author Comment

by:mbu10
ID: 9621041
Unfortunately I can not,
as we are using 4 cable modems, each of which a router uses for itself.
Basically a cheap way of getting more bandwidth by using 4 cable modems,
as the managers are cheap and have to have it set up like it is.
Just an idea: if I joined all the VPNs into a switch, then the switch into each of the NICs in the PC,
so if a client does get an IP address that is not on the correct one, i.e. gets 192.168.1.1 instead of 192.168.4.1 for example,
it could still get to 1.1 through the switch, and the return is just a matter of it getting a regular route through the switch.
0
 
LVL 2

Expert Comment

by:dankennedy
ID: 9621159
Yah, that's the idea I was getting at, except that you'd need a router to route the packets to the correct location.

If you did just plug all the VPN routers into a switch, you'd have to change the subnet mask on the server to something like 255.255.0.0. Then I think it should work without the extra router.

This is what I'd recommend if you don't have the budget for another router. Change all the subnet masks on all the server NICs and all the VPN router interfaces to 255.255.0.0, then plug all the NICs and all the VPN routers into one switch, then turn round robin DNS back on (otherwise all the traffic will go through one VPN router).

I think that should work, if I understand your situation correctly.
0
 

Author Comment

by:mbu10
ID: 9621165
OK, that much I have figured out, and guess in a way it would work, but by putting a hub instead of a switch, the broadcast when the hub transfers data would be picked up by the correct VPN and would move the right information across,
which I had a feeling is one way of doing it.
Would like a server way of doing it though,
so the server always returns the correct IP addresses for the right subnet from which it has been asked.
I know it's a tall one, but hey, nothing's that easy.
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9621311
I run a multi homed DNS server using DDNS and integrated with WINS (albeit only two interfaces and no VPN), but it does complicate the issue, or at least uniquely twist the environment.  DNS is assumed to be simple; however, I disagree, DNS can be complex depending on the requirements.

This is your problem, at least with the macro view I have.

With round robin (see RFC 1794) it will return all addresses for the HOST, but the client will always use the first one.  By default (with "SubNet when the query is received on a specific standard subnet it will automatically reorder the "A" records for the response.  Based on this...

IP Config:
ip  192.168.5.2
mask   255.255.255.0
gate way of 192.168.5.1
dns is 192.168.1.1

will not work, because the DNS server will order the DNS response per the subnet that the query was received on (i.e. the subnet that the router's internal interface is on).
So that is why it is failing...

You are going to either need to change your subnetting (maybe the safest option) or hack at your DNS server (if it's working fine, I prefer not to touch DNS, but that is just me).  This will help.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_LocalSubnetPriority.asp

Hope this helps and keep us posted!  

-Eric
0
 

Author Comment

by:mbu10
ID: 9621343
OK, I see where you are coming from.
As the guy above said, change the whole subnets to a 255.255.0.0, which is easy enough to do as I can access everything and all are on DHCP,
but
when doing an nslookup it would still return the 4 DNS server IP addresses
and would use the first one available, as they're all on the same subnet,
but could cut the 3rd octet into different subnets, which might work.
Just wondering about the option of fastening a hub to all ports, then all VPNs to that hub,
so that say it comes in via say a 192.168.5.10 machine, which gets routed through 192.168.5.4 (across the net here) to the router at 192.168.1.4, which then moves it on to the network. Now if I put a hub in here, so all the NICs are tied into one hub and the VPNs are all tied in,
so a 192.168.2.1 ping request could be got to.
Might need to add a route to all the remote routers so that 192.168.X.X is always sent down the VPN.
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9621378
Errr....
With round robin (see RFC 1794) it will return all addresses for the HOST, but the client will always use the first one.  By default (with "SubNet when the query is received on a specific standard subnet it will automatically reorder the "A" records for the response.  Based on this...
---CORRECTION---
With round robin (see RFC 1794) it will return all addresses for the HOST, but the client will always use the first one.  By default (with "SubNet Ordering" enabled) when the query is received on a specific standard subnet it will automatically reorder the "A" records for the response, making the subnet that received the query the first in the list.  Based on this...

IP Config:
ip  192.168.5.2
mask   255.255.255.0
gate way of 192.168.5.1
dns is 192.168.1.1

will not work, because the DNS server will order the DNS response per the subnet that the query was received on (i.e. the subnet that the router's internal interface is on).  But this also depends on how it is subnetted.
Either DNS receives the queries as from the 192.168.0.0/16 source network, then decides no network prioritization is needed, OR sees them from a remote network (i.e. 192.168.5.x/24) and again, no prioritization is done.  I believe in your case it is the second.  Therefore all queries are handled via round robin ordering.
So that is why it is failing...

you can try running this:
ipconfig /flushdns
ping <hostname>
ipconfig /flushdns
ping <hostname>
ipconfig /flushdns
ping <hostname>
ipconfig /flushdns
ping <hostname>

This will test round robin, as long as this is the only query being made on that interface.  One of them should resolve to the correct interface and return.

-Eric
0
 

Author Comment

by:mbu10
ID: 9621446
OK, just done this.
Left round robin off.
Now done a ping server; came back with 192.168.1.1.
Now flushed DNS and did it again, and it came back with the same IP address.
Did it again, same answer.
Now did it at another site and it did exactly the same thing again.
Via the length of time to login (60 sec about)
I presume when it does not get an answer it tries the other ones, one by one, and then goes in and maps drives via server name correctly when it gets a response from one of the IP addresses.
0
 

Author Comment

by:mbu10
ID: 9621453
So it's not doing any sort of prioritization, it's just giving the first DNS server's IP address every time.
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9621777
With round robin disabled it will return the list as is, in that order.  It will not rotate first to last with the order.  With round robin disabled, with netmask ordering enabled, it should return the address on the interface it was received on IF the source address is within THAT subnet.  Since the source is x.x.5.x it is just returning the addresses in the default order.

The resolution is subnetting.
Force the address range to that of a B and subnet the class B into C's, or subnet the class C's.  Assuming the capabilities on your switch/router, this will provide network isolation, maintaining broadcast domains, and DNS subnet prioritization should reorder correctly.

-Eric
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9621830
You may want to convert to a 172.16.x.x - 172.31.x.x design.  This gives more flexibility and more freedom in regards to making your DHCP redundant and is less limiting with host ranges when subnetting.  This will also resolve the issue.

Remember DNS WITH round robin and subnet prioritization enabled prioritizes RR's in this order; once a method is chosen it does not recurse to other methods for THAT query:
<default preference> Subnet Prioritization
Source address's network ID is compared to the RR's network ID; if it is the same, the order of RR's is subnet prioritized
- IF multiple RRs have the same network ID and the query source network ID is the same, the order is subnet prioritized; however, the order of all qualifying RR's is then ordered by round robin
- IF the source network ID is a remote network, the order method defaults to round robin and all RR's are rotated in a first to last succession
- IF Round Robin is disabled, the above behavior will return the order as they are listed within DNS
- IF subnet prioritization is disabled, all ordering will default to the round robin method
- IF both are disabled, ordering will always default to the listing order in DNS.  (i.e. the first A record for the host will ALWAYS be at the top of the order)

-Eric
0
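The ordering rules Eric lists in the post above can be checked with a small simulation. This is an added example, not code from the thread and not the Windows DNS implementation: it models the rules as he states them (subnet prioritization compares the query's source network ID with each A record's network ID; round robin rotates whatever is left; with both off the records come back in listing order). The /24 comparison width, the function names and the sample records are assumptions made for the example, and the rotation counter stands in for the server's per-query round-robin state.

```python
import ipaddress

# Constructed sample data: the four A records the multihomed server in the
# thread publishes for its own name, in the order they are listed in DNS.
SERVER_A_RECORDS = ["192.168.1.1", "192.168.2.1", "192.168.3.1", "192.168.4.1"]


def same_network(addr, source_ip, prefix_len):
    """True if `addr` and `source_ip` share the same network ID at `prefix_len` bits."""
    net = ipaddress.ip_network(f"{source_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr) in net


def order_answers(records, source_ip, *, subnet_prioritization=True,
                  round_robin=True, prefix_len=24, rotation=0):
    """Return the A records in the order the resolver would receive them.

    A model of the ordering rules described in the thread (assumption: it is
    not the real Windows code):
      - subnet prioritization: records whose network ID matches the query
        source go first; if several match, round robin orders that group
      - a query from a remote network falls back to round robin
      - round robin off: listing order is kept
      - both off: always listing order
    `prefix_len` is the network-ID width used for the comparison (assumed /24,
    a class C boundary). `rotation` is the round-robin offset; a real server
    advances it by one on every query.
    """
    records = list(records)
    local = [r for r in records if same_network(r, source_ip, prefix_len)]
    remote = [r for r in records if r not in local]

    def rotate(seq, k):
        # round robin off means "as listed"
        if not seq or not round_robin:
            return list(seq)
        k %= len(seq)
        return list(seq[k:]) + list(seq[:k])

    if subnet_prioritization and local:
        return rotate(local, rotation) + remote
    return rotate(records, rotation)


def first_answers(records, source_ip, queries, **opts):
    """Simulate `queries` successive lookups and return the first address the
    client would try each time (the one it actually uses for the drive mapping)."""
    return [order_answers(records, source_ip, rotation=i, **opts)[0]
            for i in range(queries)]


if __name__ == "__main__":
    # Martin's situation: clients on 192.168.5.x, round robin turned off.
    print(first_answers(SERVER_A_RECORDS, "192.168.5.2", 4, round_robin=False))
    # Same client with round robin back on: the first answer rotates.
    print(first_answers(SERVER_A_RECORDS, "192.168.5.2", 4))
    # A client inside one of the server's own /24s gets that interface first.
    print(order_answers(SERVER_A_RECORDS, "192.168.4.10"))
```

Run stand-alone it reproduces what Martin observed: a 192.168.5.x client with round robin off gets 192.168.1.1 on every query, with round robin on it gets a different interface each time, and only a client whose network ID matches one of the server's interfaces is handed that interface first.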
 

Author Comment

by:mbu10
ID: 9622279
OK, yeah, I agree then to split the 255.255.255.0 class C into 4 separate parts.
So providing I have a max of only 10 hosts in any one subnet and need a minimum of 4 subnets, what would the subnet masks be then?
Sorry, hate subnetting, always get lost even though I can do it, just want to make sure I'm going to get it right.
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9627182
Well....you always want to give yourself some room.  So for an even 4 way: 255.255.255.192
gives you 62 hosts.

-Eric
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9629067
Class C IP range: 192.168.x.x/26
Subnet: 255.255.255.192
Network ID      Hosts (From - To)   Broadcast
192.168.x.0     .1   - .62          .63
192.168.x.64    .65  - .126         .127
192.168.x.128   .129 - .190         .191
192.168.x.192   .193 - .254         .255

Larger networks are more forgiving.  The larger numbers look more menacing than they are.  Thanks to Pythagoras, we eventually learned exponential notation to deal with these numbers.  A larger mask (the private class B for example) is more flexible, and from there you can subnet all the way down to a /30 if you wish.

just my opinions...  Hope this helps.

-Eric
0
 

Author Comment

by:mbu10
ID: 9630658
OK, sorry for the late reply, as been so damn busy today racing after other things.
OK, just to summarize, this is correct:
all gateways are the first IP address in any range
(1)
192.168.1.(1-62)
255.255.192.0

(2)
192.168.2.(65-126)
255.255.192.0

(3)
192.168.3.(129-190)
255.255.192.0

(4)
192.168.4.(193-254)
255.255.192.0

with gateways set accordingly.
Now with the remote sites, of which there are 5, I do not need to count these as there is a routing table anyway and they're getting routed to the correct one, i.e. 192.168.5.1-->192.168.1.1.
Is this correct in my assumption?
Thanks
p.s. Eric, the points are yours or will be shortly, as you have helped the most.


0
 

Author Comment

by:mbu10
ID: 9631256
Yeah yeah, I know, worked that out wrong there; the 1,2,3,4 are all 0, OK,
I think.
Now with this configuration, with every say on the say 192.168.2.x (according to the subnet host bit 1,65,129,193 for instance for the router address),
when doing a DNS query it will return using the correct IP address info.
Is that what I have just confirmed there?
Thanks again
Martin
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9631320
OK...
You are now subnetting a class "B".  You can force a class B, using class C "ranges".  It is actually good that you thought that as you are mentally playing with bits in the right way.  If you want to switch to a class B I would suggest using the established class B ranges (172.16.0.0 - 172.31.0.0)

Ohh my bad...I just looked at what I typed....was in a hurry...

192.168.x.0     .1   - .62    .63
192.168.x.64    .65  - .126   .127
192.168.x.128   .129 - .190   .191
192.168.x.192   .193 - .254   .255

x = Class C/24 (in this case you are only using 1 class C address space)

Here is an example of a subnetting a class C:
192.168.100.0/26 (i.e. a mask of 255.255.255.192)

192.168.100.0     .1   - .62    .63
192.168.100.64    .65  - .126   .127
192.168.100.128   .129 - .190   .191
192.168.100.192   .193 - .254   .255

So what is going on in the above example is a Class C/24 (i.e. 192.168.100.0-192.168.100.255), masked to create 4 separate networks with 62 avail. hosts per net.
These are your four networks:
192.168.100.0/26
192.168.100.64/26
192.168.100.128/26
192.168.100.192/26

Each subnet within a class reduces the available hosts by 2.  One for the network ID and one for the broadcast.

See what I am sayin?

-Eric
0
 

Author Comment

by:mbu10
ID: 9631410
OK, late and mind is messed up from today and tired, but been tearing hair out, as subnetting just always has done my head in. OK, figured this,
based on 27 bit:
MAXIMUM AMOUNT OF SUBNETS IS 8
Subnet          Mask               Subnet Size   Host Range                         Broadcast
192.168.0.0     255.255.255.224    30            192.168.0.1   to  192.168.0.30     192.168.0.31
192.168.0.32    255.255.255.224    30            192.168.0.33  to  192.168.0.62     192.168.0.63
192.168.0.64    255.255.255.224    30            192.168.0.65  to  192.168.0.94     192.168.0.95
192.168.0.96    255.255.255.224    30            192.168.0.97  to  192.168.0.126    192.168.0.127
192.168.0.128   255.255.255.224    30            192.168.0.129 to  192.168.0.158    192.168.0.159
192.168.0.160   255.255.255.224    30            192.168.0.161 to  192.168.0.190    192.168.0.191
192.168.0.192   255.255.255.224    30            192.168.0.193 to  192.168.0.222    192.168.0.223
192.168.0.224   255.255.255.224    30            192.168.0.225 to  192.168.0.254    192.168.0.255

So on the NIC cards the settings would be as follows (correct me if I am wrong here):
NIC1
ip       192.168.0.1
netmask  255.255.224.0
gateway  192.168.0.4 (THE VPN CONNECTION)

NIC2
ip       192.168.1.33
netmask  255.255.224.0
gateway  192.168.0.37 (THE VPN CONNECTION)

NIC3
ip       192.168.0.65
netmask  255.255.224.0
gateway  192.168.0.68 (THE VPN CONNECTION)

NIC4
ip       192.168.0.97
netmask  255.255.224.0
gateway  192.168.0.100 (THE VPN CONNECTION)

Now the remote sites I am not taking into account here, as the remote addresses can stay the same I guess, as 192.168.(5,6,7,8,9,10,11).(X, this provided by the remote DHCP).
In the settings for the VPN it says
Remote IP Network   ...  x.x.x.x
Remote IP Netmask   ...  x.x.x.x

so I presume it will just move it so it can be accessed by the appropriate NIC card.
Now when the card responds to the DNS query from the remote site,
so say 192.168.0.1 --VPN HERE--> 192.168.5.1,
when 102.168.5.x queries DNS at 192.168.0.1, the DNS will respond with its own address only for its own name on that subnet, 192.168.0.1.

Is this correct?
Please tell me if I have this all right,
as I need to make sure.
Thanks for all your help.

Sorry, just got an e-mail saying someone replied,
so if this is wasted I hope not.



0
 

Author Comment

by:mbu10
ID: 9631448
Sorry, small mistake there: none of them have gateways on bar one,
which is the way to the internet.
All I have to do is add routes according to the existing IP/subnet.
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9637636
Again....the mask of 255.255.224.0 is for a class B.  So based on that mask the network is 192.168.0.0/19

CIDR Notation (x.x.x.x/n) in the above example:
255.255.224.0
11111111.11111111.11100000.00000000
Again....class B.  This is wrong; however, as any good math professor would do, your logic and methods are correct.  Just an incorrect mental point of start...and "GI-GO" the equalizer overrides the solution.

So you are correct that this will give you 8 subnets, with 8190 host addresses each:
Network ID       Host range                        Broadcast
192.168.0.0      192.168.0.1   - 192.168.31.254    192.168.31.255
192.168.32.0     192.168.32.1  - 192.168.63.254    192.168.63.255
192.168.64.0     192.168.64.1  - 192.168.95.254    192.168.95.255
192.168.96.0     192.168.96.1  - 192.168.127.254   192.168.127.255
192.168.128.0    192.168.128.1 - 192.168.159.254   192.168.159.255
192.168.160.0    192.168.160.1 - 192.168.191.254   192.168.191.255
192.168.192.0    192.168.192.1 - 192.168.223.254   192.168.223.255
192.168.224.0    192.168.224.1 - 192.168.255.254   192.168.255.255


So you see the relationship between the mask and the network ID?

-Eric

 
0
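The two tables Eric works out by hand above (the /26 split of a class C, and the /19 split that a 255.255.224.0 mask actually produces) can be generated, and the same approach shows the mix-up he points at: with a 255.255.224.0 mask all four NIC addresses from Martin's /27 plan land in one network, so subnet prioritization has nothing to tell apart. This is an added example, not code from the thread; it uses Python's standard `ipaddress` module, and the function names (`mask_to_prefix`, `subnet_table`, `interface_network`, `distinct_subnets`) and the sample NIC list are assumptions made for the example. It goes slightly beyond the thread in that it accepts any block and any mask.

```python
import ipaddress

# Constructed sample: the four NIC addresses from the /27 plan in the thread.
NIC_ADDRESSES = ["192.168.0.1", "192.168.0.33", "192.168.0.65", "192.168.0.97"]


def mask_to_prefix(mask):
    """Dotted netmask -> CIDR prefix length, e.g. 255.255.224.0 -> 19."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def subnet_table(block, new_prefix):
    """Carve `block` (e.g. '192.168.100.0/24') into /new_prefix subnets and return
    one row per subnet: (network ID, first host, last host, broadcast, usable hosts).
    Usable hosts = size - 2, since the network ID and broadcast cannot be assigned."""
    rows = []
    for sub in ipaddress.ip_network(block).subnets(new_prefix=new_prefix):
        first = sub.network_address + 1
        last = sub.broadcast_address - 1
        rows.append((str(sub.network_address), str(first), str(last),
                     str(sub.broadcast_address), sub.num_addresses - 2))
    return rows


def interface_network(ip, mask):
    """The network an interface configured with ip/mask belongs to."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def distinct_subnets(interfaces):
    """True only if every (ip, mask) pair lands in a different network, i.e. the
    NICs really are on separate subnets and a DNS server ordering by subnet can
    tell a query on one of them apart from a query on another."""
    nets = [interface_network(ip, mask) for ip, mask in interfaces]
    return len(set(nets)) == len(nets)


if __name__ == "__main__":
    for block, prefix in (("192.168.100.0/24", 26), ("192.168.0.0/16", 19)):
        print(f"{block} split into /{prefix}:")
        for row in subnet_table(block, prefix):
            print("  %-16s %-16s %-16s %-16s %d hosts" % row)
    # The same four addresses with the two masks that were mixed up in the thread.
    for mask in ("255.255.224.0", "255.255.255.224"):
        nics = [(ip, mask) for ip in NIC_ADDRESSES]
        print(mask, "is /%d;" % mask_to_prefix(mask),
              "networks:", sorted({str(interface_network(ip, m)) for ip, m in nics}),
              "distinct:", distinct_subnets(nics))
```

The check worth keeping from this is `distinct_subnets`: before changing the server's masks, feed it the planned (ip, mask) pairs and make sure it comes back True, otherwise the interfaces overlap and the DNS ordering behaviour discussed earlier cannot work.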
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9637675
DO you use any IM software?...I gotta run, but I should be back in a couple hours.  
MSNIM: tNoOtSePnAtManz@hotmail.com (use only the lowercase letters) and do not email that address it is largely unmonitored and frequently the inbox gets dumped

-Eric
0
 
LVL 1

Accepted Solution

by:
NetwerkMerc earned 500 total points
ID: 9638273
Gateways are important.  You could hardcode it in the routing table of the clients, but there are orders of preference (metric) that you need to pay attention to, and should things change, all hosts need to be updated.  That could be scripted; however, I do not think that is the optimum configuration.  I think that DHCP would solve the administration overhead.  In this case you would use superscopes for this multinet.  Help and the ResKit have a decent amount of information for this.  Check Help and the ResKit before you install and configure within the DHCP admin tool.  How this relates to gateways depends on the requirements of the VPN clients.  In most cases, you will WANT a gateway for the clients, pointing to the multinet RAR server, specifically the interface on that specific subnet.

With the routing it is a bit more complex...you should never put a gateway or route to a client, UNLESS the server needs access to resources through the client.  But...let's take it back a step.

This all depends on a lot of "if's", such as required and desired resolutions.  What do you want to accomplish?  What is the topology for the VPN dedicated subnets?  And what is the topology of the server's "internal" subnet?  Routers, gateways, switches, and access points/POPs (points of presence) are the players.  And the multinet VPN server, of course.  Do clients require northbound/outgoing internet or resource access, in the DMZ perhaps, through the corpnet gateway?

-Eric

0
 

Author Comment

by:mbu10
ID: 9640879
Yeah, I use MSN Messenger,
with my mail as
m.underdown@ntlworld.com
Just thinking through now, so
now all this is so users login quicker; at the moment they login but it takes a little time, 1.3 min, but with this sorted it should take very much less. The internet is provided by their remote router.


So on the NIC cards the settings would be as follows (correct me if I am wrong here):

local NIC1
ip       192.168.1.xx
netmask  255.255.224.0
gateway  192.168.0.4 internet connection for the main office

remote office 1
ip       192.168.2.xx
netmask  255.255.224.0
(has its own gateway to the net, which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)




local NIC2
ip       192.168.33.xx
netmask  255.255.224.0

remote office 2
ip       192.168.34.xx
netmask  255.255.224.0
(has its own gateway to the net, which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)




local NIC3
ip       192.168.65.xx
netmask  255.255.224.0

remote office 3
ip       192.168.66.xx
netmask  255.255.224.0
(has its own gateway to the net, which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)



local NIC4
ip       192.168.97.xx
netmask  255.255.224.0

remote office 4
ip       192.168.98.xx
netmask  255.255.224.0
(has its own gateway to the net, which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)



This would be it, I think, that all the remote offices are on the same subnet as the local subnet to which they physically connect via the VPN.
Also, if I am right, it would be possible to add further subnets,
i.e. if I wanted to add another VPN at local 4 I could just add 192.168.99.xx.
Is that correct?

Sorry, dropped my laptop yesterday so it took longer to answer you.
Thanks

 
 
0
 

Author Comment

by:mbu10
ID: 9647048
WOW
NetwerkMerc gets the lot,
so much help, unbelievable.
Even let me phone him and had a good old natter about the problem and other things.
Good bloke.
All points awarded to him.
Eric, great one man,
thanks so much
Martin
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9849954
Too kind mate!  Been MIA for a while, but I'm back!!!  With a striped vol of 3 18GB Ultrastar drives :D   and a loaded PowerEdge 2300 that I got for 140 bucks...Well...hope to see everyone around and help out where I can.

-Eric
Security and Virus forum moderator:
www.computerrepair.com
http://members.cox.net/eapelton/index.html
0
