Solved

DNS, Active Directory

Posted on 2014-12-30
20
Medium Priority
100 Views
Last Modified: 2015-06-25
I have a domain controller and DNS configured on the same server.
I have two NIC cards.
Is it possible to bind both NIC cards' IP addresses in DNS?
Please help.
0
Question by:Skumar_CCSA
20 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 672 total points
ID: 40523281
Multihomed (dual NIC/IP) configurations on a DC are a non-supported configuration. You will have more problems with this kind of setup than it will ever resolve for you.

A DC should ONLY ever have a single installed NIC. Even an unconfigured but installed NIC can cause problems.
0
 

Author Comment

by:Skumar_CCSA
ID: 40523385
Understood, but we were asked to implement a solution with two NICs on different subnets.

When I checked the DNS configuration I found that both IPs are listed in the listen list for client resolution.

I checked the network binding order and changed it to the order below.

NIC 1 --> Top 1
NIC 2 --> Top 2

When I run ipconfig I can see the binding order too.
But in the DNS listener list I see the management IP in the first position.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523386
Can I ask why you need two NICs on a Windows domain controller?

IF you have two NICs and two IPs on different subnets registered in DNS for the same name, how is a client going to talk to the server on a guaranteed IP for its subnet?

I have yet to hear anybody answer the question "WHY do you need two NICs?" with a valid answer.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40523528
Not supported, but I have seen it working where one NIC has no IP address assigned for the DNS server. It can still cause issues, and if you need access to the DC from a different subnet, why don't you just implement a router and use routes?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523561
"Not supported but have seen it working where one NIC has no IP addresses assigned for DNS server.  It can still cause issues "

But the question was about having BOTH register in DNS, and yes, it can STILL cause problems.
There should NEVER be a reason to have DUAL cards in a DC. A DC has a purpose, and that purpose does not require, or indeed work correctly with, dual NICs.
0
 

Author Comment

by:Skumar_CCSA
ID: 40523664
There are two types of traffic flow in the network.

All infra-related monitoring software, antivirus and backup must go through the management network on NIC 2; all production data goes through NIC 1.

The DNS server will have the original host record created when hosts join the domain, and I will manually create one host record with the management IP for every host.
Example
DNS Records:
experts.domain.ca (this has the production IP)
experts-it.domain.ca (this has the management IP)

With DNS on both NIC cards it will resolve names accordingly as traffic flows over each NIC.

Will it work without causing
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523778
Easiest problem to describe is this.

What happens to ALL your clients on the "Management" network when they issue DNS requests? Where do they go? Where do they look? Are you going to give every machine in your org that needs 2 NICs 2 DNS names? Or do you intend to configure everything on the management network to use static IP addresses and no DNS services?

The management overhead of using two NICs for a management network is massive. And the benefits? Has somebody read a book/blog/overheard a conversation in the pub? The theory is good, but in practice....

Unless you FULLY understand ALL of the network discovery protocols in use and how everything ties into NICs, you can cause one hell of a mess very quickly.

There are far better ways to manage your network traffic than to have two NICs in every device on the network.

Quick question...
Are all of these NICs going to have a different set of switches from the main infra switches? Or are you going to switch everything through a single set of switches?
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 664 total points
ID: 40523875
DNS and dual NICs (interfaces) on a machine do not route traffic; it's not a router. This is where you run into issues, as the others have already pointed out.

When you have 2 NICs you should only ever register 1 in DNS. If you register both you will get both entries in DNS, and it then becomes a free-for-all when clients try to do name resolution. The client will pick up whatever host name is bound to the IP, and it could be the IP from the management network. In that case it would not communicate properly, and if you are using something like Exchange (for example) it will break due to not pointing to the correct IP address.

I have seen some environments where they want to do a complete image/snapshot of a DC (for recovery purposes; this is the case where, if all DCs are compromised, they can restore the individual image and promote additional DCs as needed) and they set up a management network to connect to. Now there are a few things that need to be done, especially when it is a DC.
- Management NIC CANNOT be registered in DNS (also disable NetBIOS over TCP/IP in the network adapter properties)
- Binding order: the management NIC needs to be the last one in the list
- DNS listeners: you need to manually set DNS not to listen on the management network (as it automatically listens on all interfaces)

Aside from that, you should not dual-NIC a DC, and if you do you need to ensure the steps above are in place or it will cause issues.

Will.
0
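The author's observation above that the DNS listener list showed the management IP first, and Will's three-step checklist (no DNS registration on the management NIC, NetBIOS off, management NIC last in precedence, DNS Server not listening on the management address), can be audited and applied from PowerShell. The script below is an added example, not code from the original thread or from Microsoft; it assumes Windows Server 2012 or later with the DnsServer module, interface aliases `Production` and `Management`, the addresses 10.10.10.5 (production) and 10.20.20.5 (management), and the zone name `domain.ca` taken from the question. All of those values are placeholders to adjust. The interface-metric step is used here as the scriptable equivalent of the GUI binding order.

```powershell
# Added example (not from the original thread): audit and correct a dual-NIC DC so that
# only the production NIC is published in, and served by, DNS.
# Run from an elevated PowerShell on the DC itself.

$ProductionAlias = 'Production'   # assumed interface alias
$ManagementAlias = 'Management'   # assumed interface alias
$ProductionIP    = '10.10.10.5'   # assumed production address
$ManagementIP    = '10.20.20.5'   # assumed management address
$ZoneName        = 'domain.ca'    # zone name from the question

# 1. Stop the DNS client on the management NIC from registering its address.
Set-DnsClient -InterfaceAlias $ManagementAlias -RegisterThisConnectionsAddress $false

# 2. Disable NetBIOS over TCP/IP on the management NIC (TcpipNetbiosOptions 2 = disable).
$mgmtCfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.IPAddress -contains $ManagementIP }
Invoke-CimMethod -InputObject $mgmtCfg -MethodName SetTcpipNetbios `
    -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# 3. Make the management NIC lose on precedence: higher interface metric = lower priority.
Set-NetIPInterface -InterfaceAlias $ProductionAlias -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $ManagementAlias -AddressFamily IPv4 -InterfaceMetric 100

# 4. Restrict the DNS Server service to the production address only
#    (by default it listens on every interface, which is what the author saw).
$dnsSettings = Get-DnsServerSetting -All
$dnsSettings.ListeningIPAddress = @($ProductionIP)
Set-DnsServerSetting -InputObject $dnsSettings

# 5. Re-register and verify: any A record in the zone that still carries the
#    management address is a leak that clients on the production network can hit.
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 5
$stray = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ManagementIP }

if ($stray) {
    Write-Warning "A records still publishing the management IP in ${ZoneName}:"
    $stray | Select-Object HostName,
        @{ Name = 'IP'; Expression = { $_.RecordData.IPv4Address.IPAddressToString } } |
        Format-Table -AutoSize
} else {
    Write-Host "No A records in $ZoneName point at $ManagementIP."
}

# Confirm the listener list now contains only the production address.
(Get-DnsServerSetting -All).ListeningIPAddress
```

The verification in step 5 is the part worth keeping around: the DC's Netlogon service also registers records for the domain name itself, so a management address can reappear after a reboot or a Netlogon restart even when the per-adapter registration is off. Re-running the check (or scheduling it) is how you catch that before clients do.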
 
LVL 2

Assisted Solution

by:Adam Resnick
Adam Resnick earned 664 total points
ID: 40523930
Have we established that this is a DC? The original question was regarding DNS, lest we become Microsoft-centric in the solution. That said, if the goal is isolation of data-type streams and the two networks are pre-existing, you'd be better off splitting the DNS function across two systems. If cost is an issue, virtualize using VMware's standalone freeware server and run both instances on the same hardware, tying each instance to a NIC. If you aren't opposed to a greater spend to get a centralized DNS system, you could consider this:

http://www.alcatel-lucent.com/products/vitalqip-ip-management
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523984
@Adam Resnick

Did you read the question? "I have a domain controller and DNS configured on the same server."
0
 
LVL 2

Expert Comment

by:Adam Resnick
ID: 40523993
@Neilsr - you are correct, my apologies. Went back and re-read the question.
0
 
LVL 12

Expert Comment

by:Dave
ID: 40525149
Since client queries and AD management tools use the same ports and protocols (for example LDAP), you cannot easily separate out management traffic. If any of your management tools need to do AD authentication, then these ports will need to be bound to both NICs and you will have problems.
0
 
LVL 12

Expert Comment

by:Dave
ID: 40612084
It appears to me that what this person wants isn't supported by normal DNS protocols. He wants a DIFFERENT reply to be given to the same DNS query depending on which network interface the DNS query arrives on. This would allow clients on the management subnet to connect to the server on its management IP, and clients on the user network to connect on the "normal" IP.

DNS doesn't work in this way. It can return a list of addresses, or it can round-robin. The only way to achieve what the original question asks is to have two separate DNS servers and point the management clients at the other server. However, this would break other things...

So my answer would be "it's not possible"....
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40612701
As already stated by all the experts, what you are asking for is not possible. You cannot have multiple NICs in servers and have a single DNS system respond with the "correct" one for a particular task.

As I stated in the first reply to your post, it will only cause issues and not resolve any problems.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40849794
I've requested that this question be closed as follows:

Accepted answer: 500 points for Neilsr's comment #a40523281

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40849795
Seth, not sure why you are only accepting one answer for this. There are obviously several comments that provide valuable info. Also as EEnookami has also stated that points should be distributed as well.

Will.
0
