
Multi-Homed Server and Domain Controllers

Hi All,

I have a Windows 2008 server running our websites that is multi-homed to two private networks. One network is our corporate domain, the other network connects to a router that connects to the internet.

The problem I am having is that periodically the server will lose connectivity to the domain controllers.  When this happens, just as you would expect, logons take a very long time.  I believe I know what the problem is, but I am unsure which settings I should use to correct this.

I believe the problem arises because I have a default gateway specified on both NICs.  

Here is my configuration:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : XXX-WebProd1
   Primary Dns Suffix  . . . . . . . : My.Domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : My.Domain.com
                                       Domain.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller #2
   Physical Address. . . . . . . . . : 00-23-54-0A-AC-5A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2c6a:977b:5f0a:d013%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.187.55(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.187.1
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : My.Domain.com
   Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : 00-23-54-0A-AC-D2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f4be:13cd:861f:4835%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.xxx.xxx.55(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.xxx.xxx.1
   DNS Servers . . . . . . . . . . . : 192.xxx.xxx.230
                                       192.xxx.xxx.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : My.Domain.com
   Description . . . . . . . . . . . : isatap.My.Domain.com
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{8106EE56-37C4-4A49-9783-5D26667DA7E3}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.187.55%11(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Disabled

In reality, both NICs have access to the internet: one via the router it connects to directly, the other via the corporate LAN.

My question is, which NIC should I assign the default gateway to?  My guess would be the NIC connected to the LAN, because traffic coming in on the public router should travel out the same way it arrived.  Is that logic correct?

Thanks all
Asked by: ehfrancisco

1 Solution
 
giltjrCommented:
You can only have 1 default gateway.  Think about it, how can you have two defaults?

You should only have the default gateway coded on the NIC that gets the server to the Internet.

Traffic does NOT go out the NIC that it comes in on.  It goes out the NIC it should based on the routing table.
 
ehfranciscoAuthor Commented:
Well giltjr, you think about it: if both NICs have access to the internet, why would it matter? Regardless of which path the packets take, they will make it to the internet. My concern is the effect, if any, that having two gateways configured has on the server's access to the domain controllers.
 
giltjrCommented:
Because you can only have 1 default.  If you code two defaults, one will never be used and you don't know which one will or will not be used.  Normally the default gateway on the 1st NIC active will be used.  Since there is no guarantee which NIC will become active first, you will not be sure which one you will use from one boot to another.

Now if both NICs take you to the same firewall and the firewall NATs both IP addresses (NIC1 and NIC2) to the same public IP address, it may not matter to you.  However, if the firewall NATs each address to a separate public IP address, or there are two firewalls and the addresses are NAT'ed to two different public IP addresses, then you will get unpredictable results when accessing the Internet, especially if you have inbound Internet traffic accessing this server.

Since you are multi-homed, depending how your network is set up, you may need static routes to the subnets that are NOT accessible via your default gateway.  Since you have no idea which default gateway you use from boot to boot, you will have unpredictable results on this also.
 
BitsBytesandMoreCommented:
Each NIC configured this way can have a different Gateway if you are using different routers, one for each NIC.
Think about it:
If NIC1 has an IP Address of 192.168.0.1 as a Gateway, then all the traffic for 192.168.0.x will be able to talk to Router1 and from there to Router3 to the Internet.
If NIC2 has an IP Address of 192.168.15.1 as a Gateway, none of the traffic for 192.168.0.x will be able to talk to it. Only the 192.168.15.x traffic will be able to talk to it and from there talk to Router3 and go to the Internet.
Otherwise you would have to assign two IP addresses to each of the workstation's only NIC so it can broadcast on both IP addresses...
 
ehfranciscoAuthor Commented:
Ok, so we now have differing opinions.

The question still remains: if I set my default gateway to the NIC that does not connect to the LAN with my domain controllers on it, will the server still be able to connect with the DCs?
 
giltjrCommented:
It depends.  What subnet are they on?

You have two IP V4 subnets:

192.168.187.0/24
192.xxx.xxx.55/24

All hosts on these two subnets will be able to talk to this computer without any problem, as their traffic will not be routed.

If you have one, or more, local subnets then they would need to be routed.  Do you have any other local subnets?

You can have two (or more based on number of NICs) default gateways coded, but you will only ever use one.  What you can't predict is which one you will use after a boot.  Once the computer is booted, it will continue to use the same one until it is re-booted.
 
ehfranciscoAuthor Commented:
Ok, the explanation makes sense.

I have one other subnet in a remote office. The DCs are on the 192.xxx.xxx.55 NIC, as is the router to the remote subnet.
 
BitsBytesandMoreCommented:
giltjr, I guess I'm falling asleep but you lost me.....lol. Can you elaborate?
 
giltjrCommented:
For the subnet in the remote office you want to add a permanent route pointing to 192.xxx.xxx.1, or make that NIC have the only default route.  To add a permanent route:

     route add -p aaa.aaa.aaa.aaa mask bbb.bbb.bbb.bbb 192.xxx.xxx.1

The -p makes the route permanent: an entry is added to the registry so that after a re-boot the route will still exist.  Now you really should remove one of the default gateways; of course it is best to remove the one that has the most hops to the Internet.

If they both have equal hops to the Internet, then you just pick one.  If you leave the default gateway on NIC 192.xxx.xxx.55, then you don't have to add a permanent route to the remote office.  If you leave the default gateway on NIC  192.168.187.55, then you will need to add the permanent route.
 
BitsBytesandMoreCommented:
Yep..... I'm dozing off.....bummer...this was getting good.... I appreciate your reply.... I'll reread this tomorrow.......
 
giltjrCommented:
BitsBytesandMore, say you have:

NIC1: 192.168.1.20 mask 255.255.255.0 default gateway 192.168.1.1
NIC2: 192.168.99.20 mask 255.255.255.0 default gateway 192.168.99.1

You have added no other route entries.  So you have two default routes in your routing table.  Now you want to go to say Expert-Exchange which has the IP address 64.156.132.140.

Which router will you use?  You will use the 1st default route in the routing table.  Now which one is that, 192.168.1.1 or 192.168.99.1?  I can't tell you, because I don't know which NIC became active first.

Now say you want to go to www.microsoft.com; one IP address for that host name is 207.46.192.254.  Which router will you use?  Same as before, the 1st one in the route table.  Which one is that?  Again, I have no clue because I have no idea which NIC came active first.

Now, say that NIC1 came active first, so in the two cases above 192.168.1.1 will be used for both; in fact it will always be used as the default gateway because it is first in the list.  Now when will you use 192.168.99.1?  Never, unless by chance the next time you re-boot your PC, NIC2 becomes active first.

Understand now?  Again you can only have 1 default, or to be more specific I guess you can only USE one default.
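A small Python model of the forwarding decision giltjr walks through above, added here as an example and not part of the thread: it uses his two-NIC table (NIC1 via 192.168.1.1, NIC2 via 192.168.99.1), shows that both Internet hosts he names leave through whichever default route happens to be listed first, and models the `route add -p` entry he recommended earlier for the remote-office subnet (the subnet 10.20.0.0/16 and the table itself are constructed).

```python
"""Toy model of the IPv4 forwarding decision on a multi-homed Windows host
(added example, not from the thread). Reproduces giltjr's two-NIC scenario
and models the effect of `route add -p` for a remote-office subnet."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network  # destination network
    gateway: str                   # next hop, or "on-link" for an attached subnet
    interface: str                 # NIC the route belongs to
    metric: int = 1


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match, then lowest metric, then table order.
    Two 0.0.0.0/0 entries with equal metric tie on both criteria, so the one
    listed first wins for every Internet destination; the other is never used."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    # max() returns the first maximal element, which models "first in the table".
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def build_table(first_active: str) -> List[Route]:
    """Constructed table: NIC1 192.168.1.20/24 via 192.168.1.1 and NIC2
    192.168.99.20/24 via 192.168.99.1, each with an on-link route and a
    default route; the NIC that came up first has its routes listed first."""
    nic1 = [Route(ipaddress.IPv4Network("192.168.1.0/24"), "on-link", "NIC1"),
            Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "NIC1")]
    nic2 = [Route(ipaddress.IPv4Network("192.168.99.0/24"), "on-link", "NIC2"),
            Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.99.1", "NIC2")]
    return nic1 + nic2 if first_active == "NIC1" else nic2 + nic1


def add_persistent_route(table: List[Route], prefix: str, gateway: str,
                         interface: str) -> List[Route]:
    """Models `route add -p <net> mask <mask> <gw>`: a more specific prefix
    beats /0, so the path to that subnet no longer depends on boot order."""
    table.append(Route(ipaddress.IPv4Network(prefix), gateway, interface))
    return table


def internet_gateways(first_active: str) -> List[str]:
    """Gateway chosen for the two Internet hosts named in the thread."""
    t = build_table(first_active)
    return [lookup(t, d).gateway for d in ("64.156.132.140", "207.46.192.254")]
```

With NIC1 first both Internet hosts use 192.168.1.1 and 192.168.99.1 is never consulted; with NIC2 first the reverse holds, while a constructed /16 added via `add_persistent_route` is reached through the same gateway in either case.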
 
BitsBytesandMoreCommented:
Thank you giltjr..... I totally understand now what you were talking about. It's amazing how your mind slows down when you are tired...... I really appreciate you taking your time to write down the detailed explanation.
 
Bits.
 
giltjrCommented:
No problem.  IP routing is one of those things that is both simple and complex at the same time.

Some devices actually do support multiple default gateways, but they also don't just use one.  They will rotate which one they use and dynamically create a route to the remote IP address using the old class based subnet masks.  I know that Cisco IOS and PIX/ASA devices do this.  It's a "poor man's" way of doing outbound load balancing.