Solved

DNS, Active Directory

Posted on 2014-12-30
Last Modified: 2015-06-25
I have a domain controller and DNS configured on the same server.
I have two NIC cards.
Is it possible to bind both NIC cards' IP addresses in DNS?
Please help.
Question by: Skumar_CCSA
20 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 168 total points
ID: 40523281
Multihomed (dual NIC/IP) configurations on a DC are a non-supported configuration. You will have more problems with this kind of setup than it will ever resolve for you.

A DC should ONLY ever have a single installed NIC. Even an unconfigured but installed NIC can cause problems.
 

Author Comment

by:Skumar_CCSA
ID: 40523385
Understood, but we were asked to implement a solution with two NICs on different subnets.

When I checked the DNS configuration I found that both IPs are listed in the listen list for client resolution.

I checked the network binding order and changed it to the order below.

NIC 1 --> Top 1
NIC 2 --> Top 2

When I do ipconfig I can see the binding order too.
But in the DNS listener list I see the management IP in the first sequence.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523386
Can I ask why you need two NICs on a Windows domain controller?

IF you have two NICs and two IPs on different subnets registered in DNS for the same name, how is a client going to talk to the server on a guaranteed IP for its subnet?

I have yet to hear anybody answer the question "WHY do you need two NICs?" with a valid answer.
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40523528
Not supported, but I have seen it working where one NIC has no IP address assigned for the DNS server. It can still cause issues, and if you need access to the DC from a different subnet, why don't you just implement a router and use routes?
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523561
"Not supported, but I have seen it working where one NIC has no IP address assigned for the DNS server. It can still cause issues."

But the question was about having BOTH register in DNS, and yes, it can STILL cause problems.
There should NEVER be a reason to have dual cards in a DC. A DC has a purpose, and that purpose does not require, or indeed work correctly with, dual NICs.
 

Author Comment

by:Skumar_CCSA
ID: 40523664
There are two types of traffic flow in the network.

All infra-related monitoring software, antivirus and backup must go through the management network on NIC 2; all production data goes through NIC 1.

DNS will have the original host record created when hosts join the domain, and we manually create one host record with the management IP for every host.
Example
DNS records:
experts.domain.ca (this has the production IP)
experts-it.domain.ca (this has the management IP)

With DNS on both NIC cards, it will resolve names accordingly as traffic flows over the NICs.

Will it work without causing
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523778
The easiest problem to describe is this.

What happens to ALL your clients on the "Management" network when they issue DNS requests? Where do they go? Where do they look? Are you going to give every machine in your org that needs 2 NICs 2 DNS names? Or do you intend to configure everything on the management network to use static IP addresses and no DNS services?

The management overhead of using two NICs for a management network is massive. And the benefits? Has somebody read a book/blog/overheard a conversation in the pub? The theory is good, but in practice....

Unless you FULLY understand ALL of the network discovery protocols in use and how everything ties into NICs, you can cause one hell of a mess very quickly.

There are far better ways to manage your network traffic than to have two NICs in every device on the network.

Quick question...
Are all of these NICs going to have a different set of switches from the main infra switches? Or are you going to switch everything through a single set of switches?
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 40523875
DNS and dual NICs (interfaces) on a machine do not route traffic; it's not a router. This is where you run into issues like the others have already pointed out.

When you have 2 NICs you should only ever register 1 in DNS. If you register both you will get both entries in DNS, and it then becomes a free-for-all when clients try to do name resolution. The client will pick up whatever host name is bound to the IP, and it could be the IP from the management network. In that case it would not properly communicate, and if you are using something like Exchange (for example) it will break due to not pointing to the correct IP address.

I have seen in some environments where they want to do a complete image/snapshot of a DC (for recovery purposes; this is the case if all DCs are compromised, so they can restore the individual image and promote additional DCs as needed) and they set up a management network to connect to. Now there are a few things that need to be done, especially when it is a DC.
- Management NIC CANNOT be registered in DNS (also disable NetBIOS over TCP/IP in the network adapter properties)
- Binding order: the management NIC needs to be the last one in the list
- DNS listeners: you need to manually set DNS not to listen on the management network (as it automatically listens on all interfaces)

Aside from that, you should not dual-NIC a DC, and if you do you need to ensure the steps above are in place or it will cause issues.

Will.
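The three rules in the answer above (management NIC not registered in DNS and NetBIOS off, management NIC last in the binding order, DNS service not listening on the management address), plus removal of the stale A record the question describes, as one worked PowerShell script. This is an added example and not code from the thread or from any of its participants. It assumes Windows Server 2012 or later (for the DnsClient, NetTCPIP and DnsServer modules), an interface alias of "Production" for NIC 1 and "Management" for NIC 2, placeholder addresses 10.10.0.10 and 10.99.0.10, and the zone name domain.ca; all of those are hypothetical and must be changed to match the server.

```powershell
# Added example (not from the thread): enforce the dual-NIC DC rules above.
# Assumed/hypothetical values: Server 2012+, NIC 1 aliased 'Production'
# (10.10.0.10), NIC 2 aliased 'Management' (10.99.0.10), AD zone 'domain.ca'.
# Run from an elevated PowerShell prompt on the DC itself.

$Zone      = 'domain.ca'
$DcName    = $env:COMPUTERNAME
$ProdAlias = 'Production'
$MgmtAlias = 'Management'
$ProdIP    = '10.10.0.10'
$MgmtIP    = '10.99.0.10'

# 1. Management NIC must not register its address in DNS ...
Set-DnsClient -InterfaceAlias $MgmtAlias -RegisterThisConnectionsAddress $false

#    ... and must not run NetBIOS over TCP/IP (TcpipNetbiosOptions: 0 = via DHCP,
#    1 = enable, 2 = disable). Match the WMI config object by interface index.
$mgmtIfIndex = (Get-NetAdapter -Name $MgmtAlias).ifIndex
$mgmtCfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
           Where-Object { $_.InterfaceIndex -eq $mgmtIfIndex }
Invoke-CimMethod -InputObject $mgmtCfg -MethodName SetTcpipNetbios `
                 -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# 2. Binding order: keep the production interface preferred. On 2012+ the
#    effective ordering follows the interface metric (lower wins); the
#    Advanced Settings > Adapters and Bindings dialog should show the same order.
Set-NetIPInterface -InterfaceAlias $ProdAlias -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $MgmtAlias -AddressFamily IPv4 -InterfaceMetric 50

# 3. DNS server: listen on the production address only. The service defaults to
#    all interfaces, which is why both IPs appeared in the listen list.
dnscmd /ResetListenAddresses $ProdIP | Out-Null

# Clean-up: remove any A record for the DC name that points at the management
# network, so clients never resolve the DC to an address they cannot reach.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $DcName -RRType A |
    Where-Object { "$($_.RecordData.IPv4Address)" -eq $MgmtIP } |
    ForEach-Object {
        Remove-DnsServerResourceRecord -ZoneName $Zone -Name $DcName -RRType A `
            -RecordData $MgmtIP -Force
    }

# Re-register the host record and the DC locator (SRV) records from the
# production NIC only; Netlogon rewrites the _msdcs records on restart.
ipconfig /registerdns | Out-Null
Restart-Service Netlogon

# Verify: one A record for the DC, one listening address, no registration on NIC 2.
$aRecords = Get-DnsServerResourceRecord -ZoneName $Zone -Name $DcName -RRType A
"A records for ${DcName}: " + (($aRecords | ForEach-Object { "$($_.RecordData.IPv4Address)" }) -join ', ')
"DNS listening on: " + ((Get-DnsServerSetting -All).ListeningIPAddress -join ', ')
"Management NIC registers in DNS: " + (Get-DnsClient -InterfaceAlias $MgmtAlias).RegisterThisConnectionsAddress
```

The script changes only the DC's own registration and listener; clients on the management subnet still have nowhere to send DNS queries for the production names, which is the gap the later comments point out, so this should be read as damage limitation for a dual-NIC DC rather than a design that makes it supported.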
 
LVL 2

Assisted Solution

by:Adam Resnick
Adam Resnick earned 166 total points
ID: 40523930
Have we established that this is a DC? The original question was regarding DNS, lest we become Microsoft-centric in the solution. That said, if the goal is isolation of datatype streams and the two networks are pre-existing, you'd be better off splitting the DNS function across two systems. If cost is an issue, virtualize using VMWare's standalone freeware server and run both instances on the same hardware, tying each instance to a NIC. If you aren't opposed to a greater spend to get a centralized DNS system, you could consider this:

http://www.alcatel-lucent.com/products/vitalqip-ip-management
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40523984
@Adam Resnick

Did you read the question?  "I have domain controllar and DNS configured in the same server."
 
LVL 2

Expert Comment

by:Adam Resnick
ID: 40523993
@Neilsr - you are correct, my apologies. Went back and re-read the question.
 
LVL 12

Expert Comment

by:Dave
ID: 40525149
Since client queries and AD management tools use the same ports and protocols, for example LDAP, you cannot separate out management traffic easily. If any of your management tools need to do AD authentication then these ports will need to be bound to both NICs and you will have problems.
 
LVL 12

Expert Comment

by:Dave
ID: 40612084
It appears to me that what this person wants isn't supported by normal DNS protocols. He wants a DIFFERENT reply to be given to the same DNS query depending on which network interface the DNS query arrives on. This would allow clients on the management subnet to connect to the server on its management IP, and clients on the user network to connect on the "normal" IP.

DNS doesn't work in this way. It can return a list of addresses, or it can round robin. The only way to achieve what the original question asks is to have two separate DNS servers and point the management clients at this other server. However this would break other things...

So my answer would be "it's not possible"....
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40612701
As already stated by all the experts, what you are asking for is not possible. You cannot have multiple NICs in servers and have a single DNS system respond with the "correct" one for a particular task.

As I stated in the first reply to your post, it will only cause issues and not resolve any problems.
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40849794
I've requested that this question be closed as follows:

Accepted answer: 500 points for Neilsr's comment #a40523281

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40849795
Seth, not sure why you are only accepting one answer for this. There are obviously several comments that provide valuable info. Also as EEnookami has also stated that points should be distributed as well.

Will.
