DNS server problems with dual homed DHCP

Art O'Malley

We are experiencing problems with a DNS server (AD integrated) that is also
a dual homed DHCP server.

System was operating fine for several months without problem until recent
virus storms forced our network engineering dept. to lock down ICMP on the
internal network and change out some hardware, too.

DHCP continues to operate okay, but repeated queries using Nslookup show
slow response for local lookups and very limited response forwarding Internet
queries to bastion host in DMZ.

Dual homing is causing both addresses to appear in DNS for the DNS/DHCP
server in a round robin fashion.

After disabling the NIC servicing DHCP clients and shutting down the DHCP
service (& reregistered DNS), DNS performance picked right up and things
also returned to normal for Internet name resolution. But now we've lost
redundancy for DHCP.

Is there a way to configure the DNS server or resolver or NIC TCP/IP
settings to properly support the dual homed architecture that we'd like to
use?

Hope the DNS forum is the correct place for this inquiry.

Thanks in advance,

Art
 
Ace Fekay [MVP]

You are saying the two NICs are on the same subnet? If so, I would suggest
to use NIC Teaming. Check the NIC docs on how to do that.

If not, are the two NICs designed for NAT?

Dual home DCs, especially if it's a DNS server, are not recommended, as you
are experiencing. The dual entries in DNS cause lookup problems for domain
enumeration. IF a client gets the outside IP address of the DC, (due to
Round Robin), they won't be able to communicate with the DC.

I'm not sure also how you are offering redundant DHCP on one server? Because
of the dual NICs? Unless this is one of your DHCP servers? Or maybe I'm
missing something.

Suggestion is to not make the DC dual homed.

If you need it to be, then there are several steps to stop it. If this is
offering NAT (outside and inside NIC), then on the outside NIC, disable F&P
Services, MS Client service, disable NetBIOS, uncheck Register this
connection. Then in the registry, follow these steps below to kill the
LdapIpAddress registration (the blank domain FQDN that gets registered that
looks like this:
(same as parent) A 192.168.5.200
Then create a manual entry for just the internal NIC.

==========================================
Disabling the Same As Parent LdapIpAddress blank FQDN and auto Publishing a
Blank Domain FQDN IP:
[Taken from http://support.microsoft.com/?id=295328]

To disable only the registration of the local IP addresses, set the
following registry value, then reboot the machine for it to take effect:

1) Add the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Value: LdapIpAddress

2) Do this on all DCs and restart netlogon or restart machine.
This will prevent the DC from adding the domain A records from netlogon.
And you can add multiple Blank Domain A records as you need.

After you set this value, you must manually create your publicly available
IP addresses for your domain to appear as:
Same as parent folder Host "publicIP"

To do so, rt-click your domain name, new Host, leave the name field blank,
enter the actual external IP address.
====================================

To kill the specific external NIC from registering the A record, (or any
interface, external or not), follow this article:
246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations
[including RRAS]:
http://support.microsoft.com/default.aspx?scid=kb;en-us;246804

Just make sure you pick the correct interface.

Or just make the DC a single NIC and use a member server as a dual homed
machine.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
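The two controls Ace describes (blocking the LdapIpAddress registration via DnsAvoidRegisterRecords, and stopping the outside NIC from registering itself) as an added audit/apply script for a current Windows Server DC; this is not code from the thread, and the zone name and interface alias are placeholders you must replace.

```powershell
# Added example: audit (and with -Apply, enforce) the dual-homed DC fixes from the thread.
# Assumes the DnsServer and DnsClient PowerShell modules are available on the DC.
param(
    [string]$ZoneName          = 'corp.example',  # placeholder: your AD domain zone
    [string]$ExternalInterface = 'External',      # placeholder: alias of the outside NIC
    [switch]$Apply                                 # without -Apply the script only reports
)

$nlParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Is Netlogon still allowed to publish LdapIpAddress (the "(same as parent)" A record)?
$avoid = (Get-ItemProperty -Path $nlParams -Name DnsAvoidRegisterRecords `
          -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
$ldapIpBlocked = $avoid -contains 'LdapIpAddress'
"DnsAvoidRegisterRecords contains LdapIpAddress : $ldapIpBlocked"

# 2. Which addresses sit at the zone apex, and do any belong to the outside NIC?
#    A client that round-robins onto the outside address cannot reach the DC.
$externalIPs = (Get-NetIPAddress -InterfaceAlias $ExternalInterface -AddressFamily IPv4).IPAddress
$apexA = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name '@' `
         -ErrorAction SilentlyContinue
foreach ($rr in $apexA) {
    $ip   = $rr.RecordData.IPv4Address.IPAddressToString
    $flag = if ($externalIPs -contains $ip) { 'EXTERNAL NIC - clients may be sent here' } else { 'ok' }
    "apex A $ip : $flag"
}

# 3. Is the outside NIC still registering its own address ("Register this connection")?
$reg = (Get-DnsClient -InterfaceAlias $ExternalInterface).RegisterThisConnectionsAddress
"External NIC registers its address : $reg"

if (-not $Apply) { return }

# Apply the settings from KB 295328 (registry) and KB 246804 (per-interface registration).
if (-not $ldapIpBlocked) {
    $newValue = @($avoid | Where-Object { $_ }) + 'LdapIpAddress'
    Set-ItemProperty -Path $nlParams -Name DnsAvoidRegisterRecords -Value $newValue -Type MultiString
}
if ($reg) {
    Set-DnsClient -InterfaceAlias $ExternalInterface -RegisterThisConnectionsAddress $false
}
Restart-Service Netlogon   # Netlogon re-reads DnsAvoidRegisterRecords on restart

# Remove any apex A record that points at the outside NIC; re-add the internal one by hand
# afterwards, as the KB article says, since Netlogon will no longer do it for you.
foreach ($rr in $apexA) {
    $ip = $rr.RecordData.IPv4Address.IPAddressToString
    if ($externalIPs -contains $ip) {
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name '@' -RecordData $ip -Force
    }
}
```

Run it once without -Apply on each DC to see what is currently published before changing anything.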
 
Art O'Malley

Thanks, Ace -

Actually, the second NIC is used to support DHCP on separate network not
supported by IP Helper. And yes, this is the 2nd of 2 DHCP servers on that
other network.

I appreciate your comments and esp. reference to the Microsoft articles.

Art

Ace Fekay [MVP]

Hi Art,

I see now. I would really suggest to use a member server for this function.
Makes life a lot easier.

As for the nslookup issues, if the firewall admins locked down access, then
I can see why nslookup may not work, among other things. While using
nslookup, try this option:
set type=vc
That will force a TCP 53 connection (no UDP), which more than likely will be
allowed back into the network. Without it, nslookup (and MS DNS in
general) will use a random UDP 1024 + higher port for the response, and I am
guessing that is what's probably getting blocked.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
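The "set type=vc" check above, redone as an added PowerShell diagnostic (not from the thread) that resolves the same name over UDP and then over TCP against a given forwarder and reports which transport the firewall lets through; the name and forwarder address are placeholders.

```powershell
# Added example: compare UDP and TCP/53 resolution against one server to spot a firewall
# that drops UDP replies to the resolver's ephemeral port while allowing TCP 53.
# Requires the DnsClient module (Resolve-DnsName); works from a client or from the DC.
param(
    [string]$Name      = 'www.example.com',  # placeholder: a name the forwarder should answer
    [string]$Forwarder = '192.0.2.53'        # placeholder: the DMZ bastion / forwarder address
)

function Test-DnsTransport {
    param([string]$Name, [string]$Server)
    $result = [ordered]@{}
    foreach ($mode in 'UDP', 'TCP') {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # -DnsOnly skips LLMNR/NetBIOS so only real DNS traffic is measured;
            # -TcpOnly is the Resolve-DnsName equivalent of nslookup's "set type=vc".
            $params = @{ Name = $Name; Server = $Server; DnsOnly = $true; ErrorAction = 'Stop' }
            if ($mode -eq 'TCP') { $params.TcpOnly = $true }
            $answers = @(Resolve-DnsName @params)
            $result[$mode] = "answered $($answers.Count) record(s) in $($sw.ElapsedMilliseconds) ms"
        } catch {
            $result[$mode] = "FAILED: $($_.Exception.Message)"
        }
    }
    return $result
}

$r = Test-DnsTransport -Name $Name -Server $Forwarder
"UDP : $($r.UDP)"
"TCP : $($r.TCP)"

if ($r.UDP -like 'FAILED*' -and $r.TCP -notlike 'FAILED*') {
    'Diagnosis: UDP replies are being dropped while TCP/53 passes; ask the firewall team'
    'to allow return traffic for UDP 53 queries (stateful rule) rather than forcing TCP.'
} elseif ($r.UDP -like 'FAILED*' -and $r.TCP -like 'FAILED*') {
    'Diagnosis: neither transport reaches the forwarder; check routing/ACLs to the DMZ host.'
}
```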