Solved

DNS, Active Directory

Posted on 2014-12-30
Last Modified: 2015-06-25
I have a domain controller and DNS configured on the same server.
I have two NIC cards.
Is it possible to bind both NIC cards' IP addresses in DNS?
Please help.
Question by:Skumar_CCSA
20 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 168 total points
ID: 40523281
Multihomed (dual NIC/IP) configurations on a DC are a non-supported configuration. You will have more problems with this kind of setup than it will ever resolve for you.

A DC should ONLY ever have a single installed NIC. Even an unconfigured but installed NIC can cause problems.

Author Comment

by:Skumar_CCSA
ID: 40523385
Understood, but the solution we were asked to implement has two NICs on different subnets.

When I checked the DNS configuration I found that both IPs are listed in the listen list for client resolution.

I checked the network binding order and changed it to the order below.

NIC 1 --> Top 1
NIC 2 --> Top 2

When I do ipconfig I can see the binding order too.
But in the DNS listener list I see the management IP first in the sequence.
LVL 37

Expert Comment

by:Neil Russell
ID: 40523386
Can I ask why you need two NICs on a Windows domain controller?

If you have two NICs and two IPs on different subnets registered in DNS for the same name, how is a client going to talk to the server on a guaranteed IP for its subnet?

I have yet to hear anybody answer the question "WHY do you need two NICs?" with a valid answer.
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40523528
Not supported, but I have seen it working where one NIC has no IP addresses assigned for the DNS server. It can still cause issues, and if you need access to the DC from a different subnet, why don't you just implement a router and use routes?
LVL 37

Expert Comment

by:Neil Russell
ID: 40523561
"Not supported, but I have seen it working where one NIC has no IP addresses assigned for the DNS server. It can still cause issues"

But the question was about having BOTH register in DNS, and yes, it can STILL cause problems.
There should NEVER be a reason to have DUAL cards in a DC. A DC has a purpose, and that purpose does not require, or indeed work correctly with, dual NICs.

Author Comment

by:Skumar_CCSA
ID: 40523664
There are two types of traffic flow in the network.

All infra-related monitoring software, antivirus and backup traffic must go through the management network on NIC 2; all production data goes through NIC 1.

The DNS servers will have the original host record, created when the hosts join the domain, and we manually create one host record with the management IP for every host.
Example
DNS records:
experts.domain.ca (this has the production IP)
experts-it.domain.ca (this has the management IP)

With DNS on both NIC cards, it will resolve names accordingly when traffic flows over the NICs.

Will it work without causing
LVL 37

Expert Comment

by:Neil Russell
ID: 40523778
Easiest problem to describe is this.

What happens to ALL your clients on the "Management" network when they issue DNS requests? Where do they go? Where do they look? Are you going to give every machine in your org that needs 2 NICs 2 DNS names? Or do you intend configuring everything on the management network to use static IP addresses and no DNS services?

The management overhead of using two NICs for a management network is massive. And the benefits? Has somebody read a book/blog/overheard a conversation in the pub? The theory is good but in practice....

Unless you FULLY understand ALL of the network discovery protocols in use and how everything ties into NICs, you can cause one hell of a mess very quickly.

There are far better ways to manage your network traffic than to have two NICs in every device on the network.

Quick question...
Are all of these NICs going to have a different set of switches to the main infra switches? Or are you going to switch everything through a single set of switches?
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 40523875
DNS and dual NICs (interfaces) on a machine do not route traffic; it's not a router. This is where you run into issues, as the others have already pointed out.

When you have 2 NICs you should only ever register 1 in DNS. If you register both you will get both entries in DNS, and it then becomes a free-for-all when clients try to do name resolution. The client will pick up whatever host name is bound to the IP, and it could be the IP from the management network. In that case it would not properly communicate, and if you are using something like Exchange (for example) it will break due to not pointing to the correct IP address.

I have seen in some environments where they want to do a complete image/snapshot of a DC (for recovery purposes; this is the case if all DCs are compromised, so they can restore the individual image and promote additional DCs as needed) and they set up a management network to connect to. Now there are a few things that need to be done, especially when it is a DC.
- Management NIC CANNOT be registered in DNS (also disable NetBIOS over TCP/IP in the network adapter properties)
- Binding order: the management NIC needs to be the last one in the list
- DNS listeners: you need to manually set DNS not to listen on the management network (as it automatically listens on all interfaces)

Aside from that, you should not dual-NIC a DC, and if you do you need to ensure the steps above are in place or it will cause issues.

Will.
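The three steps in the comment above, as an added PowerShell example that is not part of the original thread or any expert's post. It assumes Windows Server 2012 or later with the DnsServer module, adapter aliases PROD and MGMT, a production address of 10.10.1.5 and an AD zone named domain.ca; all of these are constructed for illustration and must be replaced with your own values. On Server 2012 and later the old binding-order list no longer exists and the adapter's interface metric decides which adapter is preferred, so step 2 sets metrics instead. Run it elevated on the DC itself, in a maintenance window, because the listen-address change needs a DNS Server service restart.

```powershell
# Added example, not from the original thread. Values below are assumptions.
$prodNic  = 'PROD'        # adapter alias of the production interface
$mgmtNic  = 'MGMT'        # adapter alias of the management interface
$prodIp   = '10.10.1.5'   # the only address the DNS Server should answer on
$zone     = 'domain.ca'   # AD-integrated zone holding the DC's host record
$hostName = $env:COMPUTERNAME

function Set-DcSingleHomedDns {
    # Step 1: only the production NIC registers its address in DNS.
    Set-DnsClient -InterfaceAlias $prodNic -RegisterThisConnectionsAddress $true
    Set-DnsClient -InterfaceAlias $mgmtNic -RegisterThisConnectionsAddress $false

    # Step 1b: disable NetBIOS over TCP/IP on the management NIC so it does not
    # announce itself by WINS/broadcast either. NetbiosOptions: 0 = DHCP, 1 = on, 2 = off.
    $guid = (Get-NetAdapter -Name $mgmtNic).InterfaceGuid
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$guid"
    Set-ItemProperty -Path $key -Name NetbiosOptions -Value 2

    # Step 2: "binding order" on 2012+ is the interface metric; lower wins, so the
    # management NIC gets the higher metric and is consulted last.
    Set-NetIPInterface -InterfaceAlias $prodNic -AddressFamily IPv4 -InterfaceMetric 10
    Set-NetIPInterface -InterfaceAlias $mgmtNic -AddressFamily IPv4 -InterfaceMetric 50

    # Step 3: DNS Server listens on the production address only (by default it
    # listens on every interface). Restart so the new listen list is applied.
    dnscmd /ResetListenAddresses $prodIp | Out-Null
    Restart-Service -Name DNS

    # Clean-up: drop any A record for this host that is not the production IP
    # (a stale management-IP entry is exactly what sends clients the wrong way),
    # then let the DNS client and Netlogon re-register.
    Get-DnsServerResourceRecord -ZoneName $zone -Name $hostName -RRType A |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $prodIp } |
        ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force }
    ipconfig /registerdns | Out-Null
    nltest /dsregdns      | Out-Null
}

function Get-DcDnsExposure {
    # Report everything that could still leak the management address to clients.
    [pscustomobject]@{
        RegisteringAdapters = (Get-DnsClient | Where-Object RegisterThisConnectionsAddress |
                               Select-Object -ExpandProperty InterfaceAlias)
        ListenAddresses     = (Get-DnsServerSetting -All).ListeningIPAddress
        HostARecords        = (Get-DnsServerResourceRecord -ZoneName $zone -Name $hostName -RRType A
                              ).RecordData.IPv4Address.IPAddressToString
        # Netlogon publishes the zone apex (same-as-parent) A records for every DC;
        # the management IP must not show up here either.
        ZoneApexARecords    = (Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType A
                              ).RecordData.IPv4Address.IPAddressToString
    }
}

Set-DcSingleHomedDns
Get-DcDnsExposure
```

Expected result of the check: RegisteringAdapters lists only PROD, ListenAddresses and HostARecords contain only 10.10.1.5, and ZoneApexARecords contains no management address for this DC. If the management IP keeps reappearing in the zone apex records, Netlogon is registering it; the DnsAvoidRegisterRecords value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters controls which DC locator records Netlogon publishes and is the place to look next.
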
LVL 2

Assisted Solution

by:Adam Resnick
Adam Resnick earned 166 total points
ID: 40523930
Have we established that this is a DC? The original question was regarding DNS, lest we become Microsoft-centric in the solution. That said, if the goal is isolation of datatype streams and the two networks are pre-existing, you'd be better off splitting the DNS function across two systems. If cost is an issue, virtualize using VMware's standalone freeware server and run both instances on the same hardware, tying each instance to a NIC. If you aren't opposed to a greater spend to get a centralized DNS system, you could consider this:

http://www.alcatel-lucent.com/products/vitalqip-ip-management
LVL 37

Expert Comment

by:Neil Russell
ID: 40523984
@Adam Resnick

Did you read the question?  "I have a domain controller and DNS configured on the same server."
LVL 2

Expert Comment

by:Adam Resnick
ID: 40523993
@Neilsr - you are correct, my apologies. Went back and re-read the question.
LVL 12

Expert Comment

by:Dave
ID: 40525149
Since client queries and AD management tools use the same ports and protocols, for example LDAP, you cannot separate out management traffic easily. If any of your management tools need to do AD authentication then these ports will need to be bound to both NICs and you will have problems.
LVL 12

Expert Comment

by:Dave
ID: 40612084
It appears to me that what this person wants isn't supported by normal DNS protocols. He wants a DIFFERENT reply to be given to the same DNS query depending on which network interface the DNS query arrives on. This would allow clients on the management subnet to connect to the server on its management IP, and clients on the user network to connect on the "normal" IP.

DNS doesn't work in this way. It can return a list of addresses, or it can round-robin. The only way to achieve what the original question asks is to have two separate DNS servers and point the management clients at this other server. However, this would break other things...

So my answer would be "it's not possible"....
LVL 37

Expert Comment

by:Neil Russell
ID: 40612701
As already stated by all the experts, what you are asking for is not possible. You cannot have multiple NICs in servers and have a single DNS system respond with the "correct" one for a particular task.

As I stated in the first reply to your post, it will only cause issues and not resolve any problems.
LVL 34

Expert Comment

by:Seth Simmons
ID: 40849794
I've requested that this question be closed as follows:

Accepted answer: 500 points for Neilsr's comment #a40523281

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40849795
Seth, not sure why you are only accepting one answer for this. There are obviously several comments that provide valuable info. Also, as EEnookami has stated, the points should be distributed as well.

Will.