Bes4dmin asked:
Bind specific IP address to PDC emulator

Ok, this is my scenario.
I have 4 DCs in a mixed single-forest domain: two Win 2003 servers and two Win 2008 servers. Let's call them...

dc1-2003
dc2-2003
dc3-2008
dc4-2008

dc3-2008 has all the FSMO roles. This server also has multiple NICs (3 NICs) connected to different networks; one of them is connected to a subnet where a fifth DC actually resides (a lab network). So this DC has three IP addresses.

The problem is with the NTP server. Several times a day it loses connection with the external NTP server.
I notice this when things start to get slow, like initiating an RDP session.

When I run w32tm /monitor on the prompt, it shows that all DCs get their time from the PDC server, which is correct, but it also shows that the PDC itself could not connect to the external NTP server. When this happens the PDC server lists itself with the IP address of the NIC interface to the lab network, which doesn't have any internet connection, so it makes sense.
When it does work, the PDC lists itself with either of the other two IP addresses that do have internet access.

So the question is: is it possible to bind the PDC to only use one specific IP address?
I know that having a multihomed DC is not best practice, but this is how the AD looks.
larry urban answered:

Assuming you have multiple default gateways... When you assign multiple gateways, Windows Server 2008 uses the gateway metric to determine which gateway is used and at what time. The gateway metric indicates the routing cost of using a gateway. The gateway with the lowest routing cost, or metric, is used first. If the computer can't communicate with this gateway, Windows Server 2008 tries to use the gateway with the next lowest metric.

1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections.
3. In Network Connections, right-click the connection you want to work with and then select Properties.
4. Double-click Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4) as appropriate for the type of IP address you are configuring.
5. Click Advanced to open the Advanced TCP/IP Settings dialog box.
6. Uncheck Automatic metric.
7. Set the metric according to the desired gateway order as listed above.
Also remember that multi-homed domain controllers will cause other problems with Active Directory, specifically relating to the DNS entries that they will create for all the interfaces that exist on the Domain Controller, which other computers in the forest use to communicate with that DC. The problem lies in the fact that those other interfaces may be addresses which the other hosts are unable to reach.

There are also ramifications with a PDC specifically being multihomed and Browsers. Please see http://support.microsoft.com/kb/191611. The solution here is to either disable NetBIOS over TCP/IP (a wise choice, but needs consideration and investigation to ensure compatibility), or remove the other interfaces from the DC.

Silly copy/paste. I forgot to include the KB link for how to configure a domain controller in a multi-homed environment to help solve some of the problems relating to AD and DNS.

http://support.microsoft.com/kb/272294
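The interface-metric steps above, scripted with WMI so the lab-facing NIC is only ever tried last. This is an added example, not code from the thread; the connection names 'LAN', 'DMZ', 'Lab' and the metric values are assumed placeholders.

```powershell
# Added example, not from this thread: set the "Interface metric" per NIC so the
# lab-facing adapter never wins the default route. Connection names and metric
# values below are constructed placeholders; adjust them to the DC's real NICs.
$metrics = @{
    'LAN' = 10     # Internet-capable, the address clients use for DNS (lowest = preferred)
    'DMZ' = 20     # second Internet-capable path, used if the LAN gateway is unreachable
    'Lab' = 200    # no Internet access; must never back the default route
}

$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($cfg in $configs) {
    # Win32_NetworkAdapter shares the Index and carries the friendly connection name
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
    $name = $adapter.NetConnectionID
    if (-not $metrics.ContainsKey($name)) {
        Write-Warning "No metric defined for '$name'; leaving it as is"
        continue
    }
    # SetIPConnectionMetric is the WMI equivalent of unchecking "Automatic metric"
    # and typing a value in the Advanced TCP/IP Settings dialog.
    $result = $cfg.SetIPConnectionMetric($metrics[$name])
    switch ($result.ReturnValue) {
        0 { Write-Host ("{0,-4} gateway={1,-15} metric={2}" -f $name, ($cfg.DefaultIPGateway -join ','), $metrics[$name]) }
        1 { Write-Warning "${name}: metric set, reboot required for it to take effect" }
        default { throw "SetIPConnectionMetric failed on '$name' (return code $($result.ReturnValue))" }
    }
}

# Verify which gateway now backs the default route (lowest metric wins)
route print 0.0.0.0
```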
Sandesh Dubey answered:
If the PDC has multiple NICs, then the NIC with the private IP address which is acting as DNS, as used in the DNS settings on client PCs, should be first in the NIC binding order. Also you need to disable the registration of the other NICs.
Reference: http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

Remove the host records from DNS of the NIC whose registration is disabled. Restart the Netlogon and DNS services. Run ipconfig /flushdns and ipconfig /registerdns for the registration to take place.

Configure the PDC server as authoritative time server: http://support.microsoft.com/kb/816042
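Sandesh's sequence (keep DNS registration only on the NIC clients use for DNS, remove the other NICs' host records, restart Netlogon/DNS, re-register, then make the PDC emulator the authoritative time source as in KB816042) as one added PowerShell script to run on the PDC; this is not code from the thread or the KB. $ProductionIP and the NTP peer names are assumed placeholders.

```powershell
# Added example, not from this thread: the DNS-registration and time-source steps
# above as one script for the PDC emulator. $ProductionIP and the NTP peers are
# constructed placeholders; replace them with the real LAN address and peers.
$ProductionIP = '192.0.2.10'
$NtpPeers     = 'ntp1.example.net,0x8 ntp2.example.net,0x8'   # 0x8 = client mode
$Zone         = $env:USERDNSDOMAIN
$DcName       = $env:COMPUTERNAME

$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($cfg in $configs) {
    $isProduction = $cfg.IPAddress -contains $ProductionIP
    # Arg 1 = "Register this connection's addresses in DNS" (only the production NIC keeps it);
    # arg 2 = "Use this connection's DNS suffix in DNS registration" (left off everywhere).
    $result = $cfg.SetDynamicDNSRegistration($isProduction, $false)
    if ($result.ReturnValue -ne 0) {
        throw "SetDynamicDNSRegistration failed on adapter $($cfg.Index) (code $($result.ReturnValue))"
    }
    if (-not $isProduction) {
        # Delete the A records this non-production NIC already registered for the host
        foreach ($ip in $cfg.IPAddress) {
            if ($ip -match '^\d+\.\d+\.\d+\.\d+$') {
                dnscmd /RecordDelete $Zone $DcName A $ip /f
            }
        }
    }
}

# Re-register with only the production address, then bounce the services that publish it
Restart-Service Netlogon -Force
Restart-Service DNS -Force
ipconfig /flushdns | Out-Null
ipconfig /registerdns | Out-Null

# KB816042-style authoritative time source: sync this PDC emulator from external NTP peers
w32tm /config /manualpeerlist:"$NtpPeers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync
w32tm /query /source     # should name one of the external peers, not "Local CMOS Clock"
w32tm /query /status
```

Run w32tm /monitor afterwards from another DC: the PDC should now appear with the production address only.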
As Sommerblink said, a multihomed DC (in short, multiple NICs) is not recommended; disable the other NICs and assign a static IP to the DC. That should solve your problem.

Make sure that:
1. Each DC / DNS server points to its private IP address as primary DNS server and to the other internal DNS servers as secondary ones.
2. Each DC has just one IP address.
3. Contact your ISP, get valid DNS IPs from them and add them to the forwarders. Do not set public DNS servers in the TCP/IP settings.
4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns" and restart the DNS and NETLOGON services on each DC.

Regards,
Abhijit Waikar.
I'll never understand the desire to multihome domain controllers. It really causes more problems than it's worth. You have clustered servers for ensuring your domain gets AD, DNS, DHCP without taxing the servers. Then, you are putting on multiple NICs and jacking up those very same domain services by multihoming the servers...

NTP is a UDP broadcast protocol on port 123 and it's difficult to get it to work well without defining a proper internet time server. You see, many ISPs and your enterprise firewall will often block UDP port 123 packets for security reasons. So, what ends up happening is exactly what you state: the PDCe throws an error.

The easiest and most secure solution to time services is to download a third party application that sets your system clock for you. This third party solution uses port 80 (the internet port) to set your PDCe's time. You can pick from a MASS amount of internet time servers including the NIST time servers that are often highly sought after.

Symmetricom designs and creates time servers and software to help your domain keep good time. There is ONE program that Symmetricom offers that already has listed mass amounts of internet time servers that support time on port 80. Download this program "SymmTime" to pick a time server and set your PDCe's time for you. Symmetricom will ask you for a little information. They will not sell it. Instead they only point you to time server solutions and advertise their new time server hardware/software... Get SymmTime ONLY FROM Symmetricom's website. There are some fakes out there posing as SymmTime that are actual viruses.
Bes4dmin (asker) replied:

I went for changing the NIC binding, as it was the only thing I hadn't checked/applied.
Now the DC in question has stopped "finding" itself. All clients can browse and log on to it, but not the DC itself, giving me errors related to just that: the DC not having a connection to itself.

Sandeshdubey, what did you mean by "Also you need to disable the registration of other NIC"?
The software firewall on the DC may be blocking NetBIOS ("File and Print Sharing").
You need to remove the check mark from "Register this connection's addresses in DNS" on the offline NIC and the other NICs, except the NIC whose IP address is acting as DNS.
I have attached the file for your reference.
Also make sure that UDP port 123 is open on the firewall.
Attachment: IP.bmp
Accepted solution (posted by the asker, Bes4dmin):

Found my own answer