Bind specific ip address to PDC emulator

Ok this is my scenario
I have 4 DCs in a mixed single-forest domain: two Windows 2003 servers and two Windows 2008 servers. Let's call them...

dc1-2003
dc2-2003
dc3-2008
dc4-2008

dc3-2008 has all the FSMO roles. This server also has multiple NICs (3 NICs) connected to different networks, and one of them is connected to a subnet where a fifth DC actually resides (a lab network). So this DC has three IP addresses.

The problem is with the NTP server. Several times a day it loses the connection to the external NTP server.
I notice this when things start to get slow like initiating an RDP session.

When I run w32tm /monitor at the prompt, it shows that all DCs get their time from the PDC server, which is correct, but it also shows that the PDC itself could not connect to the external NTP server. When this happens the PDC server lists itself with the IP address of the NIC connected to the lab network, which doesn't have any internet connection, so it makes sense.
When it does work, the PDC lists itself with either of the other two IP addresses that do have internet access.

So the question: is it possible to bind the PDC to only use one specific IP address?
I know that having a multihomed DC is not best practice, but this is how the AD looks.
Asked by Bes4dmin
larry urban (DevOps Engineer) commented:
Assuming you have multiple default gateways... When you assign multiple gateways, Windows Server 2008 uses the gateway metric to determine which gateway is used and at what time. The gateway metric indicates the routing cost of using a gateway. The gateway with the lowest routing cost, or metric, is used first. If the computer can't communicate with this gateway, Windows Server 2008 tries to use the gateway with the next lowest metric.

1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections.
3. In Network Connections, right-click the connection you want to work with and then select Properties.
4. Double-click Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4), as appropriate for the type of IP address you are configuring.
5. Click Advanced to open the Advanced TCP/IP Settings dialog box.
6. Uncheck Automatic metric.
7. Set the metric according to the desired gateway order as described above.
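The same metric change done from PowerShell on Windows Server 2008, as an added example that is not part of the thread: explicit interface metrics replace "Automatic metric", and a WMI query then shows which default route the PDC emulator will actually use. The connection names and metric values are assumptions.

```powershell
# Added example, not code from the thread: pin the gateway order on a multihomed
# Windows Server 2008 DC by replacing "Automatic metric" with explicit interface
# metrics, then verify which IPv4 default route wins. Connection names and metric
# values below are assumptions; the lowest metric is preferred.
$metrics = @{
    "Production LAN" = 10    # internet-capable NIC; should carry NTP traffic
    "Backup LAN"     = 20    # second internet-capable NIC
    "Lab"            = 100   # lab subnet with no internet; never preferred
}

foreach ($nic in $metrics.Keys) {
    # Giving an explicit metric is equivalent to unchecking "Automatic metric"
    # in Advanced TCP/IP Settings for that connection.
    netsh interface ipv4 set interface "interface=$nic" "metric=$($metrics[$nic])" | Out-Null
}

# List every IPv4 default route, lowest metric first. The top entry is the
# gateway used for outbound NTP (UDP/123) traffic from the PDC emulator.
function Get-DefaultRoutes {
    Get-WmiObject Win32_IP4RouteTable -Filter "Destination = '0.0.0.0'" |
        Sort-Object Metric1 |
        ForEach-Object {
            $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "InterfaceIndex = $($_.InterfaceIndex)"
            New-Object PSObject -Property @{
                Connection = $adapter.NetConnectionID
                Gateway    = $_.NextHop
                Metric     = $_.Metric1
            }
        }
}

Get-DefaultRoutes | Format-Table Connection, Gateway, Metric -AutoSize
```

If the Lab connection still appears at the top of the list, its own default gateway should be removed from the TCP/IP settings rather than merely given a high metric.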
Sommerblink commented:
Also remember that multi-homed domain controllers will cause other problems with Active Directory, specifically relating to the DNS entries it will create for all the interfaces that exist on the domain controller, which other computers in the forest use to communicate with that DC. The problem lies in the fact that those other interfaces may be addresses which the other hosts are unable to reach.

There are also ramifications of a PDC specifically being multihomed and Browsers. Please see http://support.microsoft.com/kb/191611. The solution here is to either disable NetBIOS over TCP/IP (a wise choice, but it needs consideration and investigation to ensure compatibility), or remove the other interfaces from the DC.

Sommerblink commented:
Silly copy/paste. I forgot to include the KB link for how to configure a domain controller in a multi-homed environment, which helps solve some of the problems relating to AD and DNS.

http://support.microsoft.com/kb/272294
Sandeshdubey (Senior Server Engineer) commented:
If the PDC has multiple NICs, then the NIC with the private IP address that is acting as DNS (the one used in the DNS settings on client PCs) should be first in the NIC binding order. Also, you need to disable DNS registration on the other NICs.
Reference: http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

Remove the host records of the NIC whose registration is disabled from DNS. Restart the Netlogon and DNS services. Run ipconfig /flushdns and ipconfig /registerdns for the registration to take place.

Configure the PDC server as the authoritative time server: http://support.microsoft.com/kb/816042
abhijitwaikar commented:
As Sommerblink said, a multihomed DC (in short, multiple NICs) is not recommended. Disable the other NICs and assign a static IP to the DC; that should solve your problem.

Make sure that:
1. Each DC / DNS server points to its private IP address as the primary DNS server and to other internal DNS servers as secondary ones.
2. Each DC has just one IP address.
3. Contact your ISP, get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings.
4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns" and restart the DNS and NETLOGON services on each DC.

Regards,
Abhijit Waikar.
ChiefIT commented:
I'll never understand the desire to multihome domain controllers. It really causes more problems than it's worth. You have clustered servers for ensuring your domain gets AD, DNS, DHCP without taxing the servers. Then you are putting on multiple NICs and jacking up those very same domain services by multihoming the servers...

NTP is a UDP broadcast protocol on port 123, and it's difficult to get it to work well without defining a proper internet time server. You see, many ISPs and your enterprise firewall will often block UDP port 123 packets for security reasons. So what ends up happening is exactly what you state: the PDCe throws an error.

The easiest and most secure solution to time services is to download a third-party application that sets your system clock for you. This third-party solution uses port 80 (the internet port) to set your PDCe's time. You can pick from a MASS amount of internet time servers, including the NIST time servers that are often highly sought after.

Symmetricom designs and creates time servers and software to help your domain keep good time. There is ONE program that Symmetricom offers that already has listed mass amounts of internet time servers that support time on port 80. Download this program, "symmtime", to pick a time server and set your PDCe's time for you. Symmetricom will ask you for a little information. They will not sell it. Instead they only point you to time server solutions and advertise their new time server hardware/software... Get symmtime ONLY FROM Symmetricom's website. There are some fakes out there posing as symmtime that are actual viruses.
Bes4dmin (author) commented:
I went for changing the NIC binding, as it was the only thing I hadn't checked/applied.
Now the DC in question has stopped "finding" itself. All clients can browse and log on to it, but not the DC itself, giving me errors related to just that: the DC not having a connection to itself.

Sandeshdubey, what did you mean by "Also you need to disable the registration of other NIC"?
ChiefIT commented:
The software firewall on the DC may be blocking NetBIOS ("File and Printer Sharing").
Sandeshdubey (Senior Server Engineer) commented:
You need to remove the check mark from "Register this connection's addresses in DNS" on the offline NIC and on the other NICs, except the NIC whose IP address is acting as DNS.
I have attached the file for your reference.
Also make sure that UDP port 123 is open on the firewall.
(attachment: IP.bmp)
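Sandeshdubey's steps (binding the registration to the DNS NIC, clearing the stale host records, restarting Netlogon and DNS, re-registering, and making the PDC emulator the authoritative time source per KB 816042) scripted for Windows Server 2008, as an added example that is not code from the thread. The connection name "Production LAN", the zone "corp.example" and the NTP peers are placeholders.

```powershell
# Added example, not code from the thread: apply the multihomed-PDC steps from
# this thread with PowerShell 2.0, WMI and built-in tools on Windows Server 2008.
# Assumptions: "Production LAN" is the hypothetical connection whose IP clients use
# for DNS; "corp.example" is a placeholder zone; the NTP peers are placeholders.
$dnsNic   = "Production LAN"
$zone     = "corp.example"
$hostName = $env:COMPUTERNAME
$ntpPeers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"   # 0x8 = client mode, as in KB 816042

# 1. Register in DNS only from the NIC clients actually reach; disable it elsewhere.
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($cfg in $configs) {
    $adapter  = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
    $register = ($adapter.NetConnectionID -eq $dnsNic)
    # Arguments: FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled
    $rc = $cfg.SetDynamicDNSRegistration($register, $false)
    "{0,-20} register in DNS: {1} (rc={2})" -f $adapter.NetConnectionID, $register, $rc.ReturnValue

    # 2. Remove the stale A records that the non-registering NICs left in the zone.
    if (-not $register) {
        foreach ($ip in ($cfg.IPAddress | Where-Object { $_ -notmatch ":" })) {
            dnscmd /RecordDelete $zone $hostName A $ip /f | Out-Null
        }
    }
}

# 3. Restart Netlogon and DNS, then re-register the remaining address.
Restart-Service NetLogon -Force
Restart-Service DNS -Force
ipconfig /flushdns | Out-Null
ipconfig /registerdns | Out-Null

# 4. Make the PDC emulator the authoritative time source syncing from external peers.
w32tm /config /manualpeerlist:"$ntpPeers" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover

# Verify: the source should be one of the peers, not "Local CMOS Clock", and the
# monitor output should show the PDC answering from the production NIC address.
w32tm /query /source
w32tm /monitor
```

Run it elevated on the PDC emulator; if UDP/123 is still blocked outbound at the firewall, w32tm /query /source will keep reporting the local clock regardless of which NIC is preferred.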
Bes4dmin (author) commented:
I ended up disconnecting the interface to the fifth DC and the issue disappeared. Regarding the DC not finding itself, it was my mistake: I happened to untick the File and Printer Sharing service along with Windows networking.
Bes4dmin (author) commented:
Found my own answer