Solved

Limit DNS registration to 1 adapter on Windows Server 2008

Posted on 2009-07-09
618 Views
Last Modified: 2012-05-07
I have a Windows 2008 DC that has 3 NICs in it. 1 is for normal DC traffic and needs to be registered in DNS. The other 2 are for admin and management, and do not need to be registered in DNS, as they are on different networks. The normal DC traffic NIC is registering in DNS properly.

The problem is, on Windows Server 2008, it sees the DC's DNS service and puts the DNS server as 127.0.0.1 on the 2 management interfaces (automatically and cannot be removed other than through the registry), and then registers them in DNS along with the normal DC traffic one. This causes issues. I have been trying to turn off dynamic registration on these other 2 NICs, even tried adding "MaxNumberOfAddressesToRegister" registry entry to the Adapters GUID key, just to find out it is not supported anymore in Server 2008.

Any ideas how I can make these other 2 management adapters not register in DNS other than disable them or pull them out of the machine?
Question by:Artemedes
8 Comments
 
LVL 6

Expert Comment

by:peter41
ID: 24820402
I understand what you want to do but not why you need to change this.
Generally one DNS server on one interface of the machine is sufficient (whether it is a DC or not),
and if the machine needs to translate name -> IP then it uses this one DNS server (in your case you want to have only one 127.0.0.1 on the first NIC).
If you add other DNS servers into the NIC->TCP properties then it tries all DNS servers in the list until it has successfully translated the DNS name -> IP address.
So I don't see a reason to remove 127.0.0.1 from the other two NICs, because even if it were possible, your DC would still use the 127.0.0.1 included on the first NIC.

What exactly do you need this change for?
 
LVL 10

Expert Comment

by:Datedman
ID: 24820521
In properties of the other two NIC's TCP/IP use their own addresses as the DNS server for each.  MS tech did this to my SAN NICs when I called complaining that there was no way (including documented ways in the MS knowledgebase) to stop NICs from registering in DNS.  Works great. :)

Oh just make sure the DNS server isn't listening on that address. :)
 

Author Comment

by:Artemedes
ID: 24824108
I don't want the management interfaces to use DNS at all to resolve anything. I don't want them polluting my DNS servers with A records with incorrect IP addresses.

Microsoft has no fix for this?

As long as the SRV records are right, I guess it will have to do.
 
LVL 6

Expert Comment

by:peter41
ID: 24824288
Artemedes, this is a misunderstanding.
An interface does not resolve DNS names; the host resolves DNS names.
Like I said above, even if you move your DNS 127.0.0.1 away from the second and third interface,
your operating system's TCP stack will still resolve names even when TCP communicates through the second or third interface, because you already have a DNS server on the first interface.
DNS servers which are in the TCP properties of one interface are valid in the scope of all interfaces,
so it makes no sense for you to remove it from the second and third interface.

Maybe if you tell me why you want to do this, I can find a solution for you.

 
LVL 10

Expert Comment

by:Datedman
ID: 24824404
Just point the DNS at the adapter itself.  Trust me, it works and it's efficient.  The adapters will ALWAYS try to register their DNS, don't ask me why...but if the DNS points to an address that is (1) resolvable and (2) not a DNS server then nothing happens.  They don't keep trying but I think they try once per boot, NBD.
 

Author Comment

by:Artemedes
ID: 24842228
This is what has been set up by a third party. They use network A (interface 1) for DC traffic, network B (interface 2) for management, and network C (interface 3) for NetBackup. They are all different subnets and theoretically disjointed.
I tried Datedman's suggestion, but they still register in DNS.
Any other suggestions?
 
LVL 10

Accepted Solution

by:Datedman (earned 500 total points)
ID: 24842286
You're not doing it quite right then.

You will have to remove records from DNS that are there, may have to do it from all DNS servers manually.  But if you have the NICs using themselves (only) for DNS and if you have the DNS server on that machine NOT listening on those IPs, then they will not be able to register in DNS because there's no server listening on that address. :)

It's a pain to get it straight once it's wrong but this method *does work.*
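The accepted approach above, written out as an added example (this is not Datedman's or Microsoft's own procedure, and uses only the `dnscmd` and `netsh` tools that ship with Server 2008): restrict the DNS Server service to the DC-traffic address, point each management NIC at itself for DNS, then clean up and verify. Adapter names, addresses, zone and host name are constructed placeholders.

```powershell
# Added example, not from the thread. All names/addresses below are
# constructed placeholders; replace them with the real values for your DC.
$DcAddress = '10.0.1.10'          # network A: the only address that should register
$Zone      = 'corp.example'       # AD-integrated zone holding the DC's A records
$DcHost    = 'dc01'               # the DC's host name inside that zone
$MgmtNics  = @{                   # network B (management) and network C (NetBackup)
    'NetB' = '10.0.2.10'
    'NetC' = '10.0.3.10'
}

# 1. Make the DNS Server service listen on the DC-traffic address only.
#    /ResetListenAddresses replaces the whole listen list; "listening on all
#    interfaces" was the detail that made the first attempt fail in this thread.
dnscmd . /ResetListenAddresses $DcAddress
Restart-Service DNS

# 2. Point each management NIC at its own address for DNS and turn off
#    adapter-level registration. Nothing listens on those addresses now, so the
#    once-per-boot update attempt from those adapters has nowhere to go.
foreach ($nic in $MgmtNics.GetEnumerator()) {
    netsh interface ipv4 set dnsservers name="$($nic.Key)" source=static `
        address=$($nic.Value) register=none
}

# 3. Remove the stale A records that were already registered. Repeat on every
#    DNS server if the zone is not AD-integrated (replication won't carry it).
foreach ($ip in $MgmtNics.Values) {
    dnscmd . /RecordDelete $Zone $DcHost A $ip /f
}

# 4. Verify: ListenAddresses should show only $DcAddress, only the DC NIC should
#    still point at 127.0.0.1, and the host should resolve to one address.
dnscmd . /Info
netsh interface ipv4 show dnsservers
dnscmd . /EnumRecords $Zone $DcHost /Type A
```

Re-run step 4 after the next reboot, since the thread notes the adapters retry registration once per boot; if a management address reappears, the DNS listen list is the first thing to re-check.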
 

Author Closing Comment

by:Artemedes
ID: 31601934
DNS Servers were listening on all interfaces. Thanks for pointing that out.