Group Policy and event 1054

Guest

XP sp2 clients, win2000 sp4 server.

The server has 2 NICs in IP 10.4.x.x and 10.224.x.x
The clients have static 10.224.x.x IP addresses and have 2 DNS entries in
TCP/IP (10.224 server address and 62.171 address of ISP). Is any of this a
bad idea?

I am getting event id 1054 Userenv and group policy is not being applied
intermittently on some workstations.
Nslookup is OK, flushed and registered DNS.
DNS server looks OK, restarted server.
Tried changing group policy timeout time but no change.

Please any ideas?
 
Ace Fekay [MVP]

Fabrussio said:
XP sp2 clients, win2000 sp4 server.

The server has 2 NICs in IP 10.4.x.x and 10.224.x.x
The clients have static 10.224.x.x IP addresses and have 2 DNS entries in
TCP/IP (10.224 server address and 62.171 address of ISP). Is any of this a
bad idea?

I am getting event id 1054 Userenv and group policy is not being applied
intermittently on some workstations.
Nslookup is OK, flushed and registered DNS.
DNS server looks OK, restarted server.
Tried changing group policy timeout time but no change.

Please any ideas?

If the "server" is a DC, yes, multihomed DCs are a bad idea and are very
problematic due to the DNS entries each NIC creates. What can also be
confusing for me and the machine is that 10.4.x.x and 10.224.x.x can appear
to be on the same subnet.

Same with the DNS address. You must use only your internal DNS address.
Otherwise, how can AD find itself? The ISP's DNS does not have that
info. This can be, and in most cases is, a major cause of Userenv errors.

I would suggest not to multihome a DC/DNS server; use a member server for
this purpose and make life a lot easier. If you really want to keep the dual
NICs, here are some steps to help you out for this DC, that is, if it is a
DC:


++++++++++++++++++++++++
1. In the DNS management console, on the properties of the DNS server,
interfaces tab, set DNS to only listen on the private IP you want in DNS for
the server.


2. Add this registry entry with regedt32 to stop the (same as parent folder)
records.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
On the Edit menu, point to New, and then click REG_MULTI_SZ as the data
type:

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

(and in the box, you would type in the following to stop their
registration):

LdapIpAddress
GcIpAddress


3. Then you will need to manually create the LdapIpAddress and GcIpAddress
records in DNS.

To manually create the LdapIpAddress, create a new host but leave the name
field blank, and give it the IP of the internal interface. Windows 2k barks at
you saying (same as parent folder) is not a valid host name; click OK to
create the record anyway. Windows 2003 won't bark.

To manually create the GcIpAddress, navigate to the _msdcs folder, under it
click the gc folder, then right-click, create new host, leave the name field
blank, and give it the IP of the internal interface. Windows 2k barks at you
saying (same as parent folder) is not a valid host name; click OK to create
the record anyway. Windows 2003 won't bark.


4. To stop registration of both NICs, add (if it exists) or alter this reg
entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

On the Edit menu, point to New, and then click DWORD Value to add the
following registry value:
Value name: RegisterDnsARecords
Data type: REG_DWORD
Value data: 0

Then manually create a new host record for the server name in DNS and give
it the IP of the internal interface.


5. Right click on Network places, choose properties, in the Advanced menu
item
select Advanced settings. Make sure the internal interface is at the top of
the connections pane and File sharing is enabled on the internal interface.


6. And in addition to the (same as parent folder) record in the domain zone
for
the domain name, expand _msdcs, open gc and create new host with name field
blank and give it the IP of the internal interface. This resolves as
gc._msdcs.forestroot.com.


7. On the outer NIC, disable File and Print Services, Microsoft Client
Service,
then go into IP properties, click on Advanced, choose the WINS tab and
disable NetBIOS.


8. On the outer NIC, only put in the internal IP address of the DNS server
(this machine).


9. If you haven't done so, configure a forwarder. You can use 4.2.2.2 if not
sure which DNS to forward to until you've got the DNS address of your ISP.
How to set a forwarder? Depending on your operating system, choose one of
the following articles:

300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
(How to configure a forwarder):
http://support.microsoft.com/d/id?=323380



*** Some additional reading:

246804 - How to enable or disable DNS updates in Windows 2000 and in Windows
Server 2003
http://support.microsoft.com/?id=246804

295328 - Private Network Interfaces on a Domain Controller Are Registered in
DNS
[also shows DnsAvoidRegisterRecords LdapIpAddress to avoid reg sameasparent
private IP]:
http://support.microsoft.com/?id=295328

306602 - How to Optimize the Location of a DC or GC That Resides Outside of
a Client's
Site [Includes info LdapIpAddress and GcIpAddress information and the SRV
mnemonic values]:
http://support.microsoft.com/?id=306602

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003 (including how-to configure a forwarder):
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
[Registry Entry]:
http://support.microsoft.com/?id=296379

292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
Controller with Routing and Remote Access and DNS Insta [DNS and RRAS and
unwanted IPs registering]:
http://support.microsoft.com/?id=292822
_________________________
++++++++++++++++++++

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
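An added diagnostic script (not from the thread or either poster) that checks a DC for the three conditions the reply above describes: the Netlogon registry values from steps 2 and 4, a non-internal (ISP) DNS server on any adapter, and the (same as parent folder) / gc._msdcs A records pointing at an address outside the internal subnet. It assumes an elevated PowerShell 3+ session on a Windows Server 2012 or later DC (for the DnsClient cmdlets), and the 10.224.0.0/16 default is a constructed value taken from the thread.

```powershell
# Added diagnostic for the multihomed-DC / ISP-DNS symptoms in this thread; not the poster's code.
# Assumes: elevated PowerShell 3+ on a Server 2012+ DC (DnsClient module available) and that
# $InternalNetworks lists the subnet(s) whose addresses are allowed to appear in AD's DNS records.
param(
    [string]$DomainName = $env:USERDNSDOMAIN,
    [string[]]$InternalNetworks = @('10.224.0.0/16')   # constructed value from the thread
)

function ConvertTo-IpInt([string]$Ip) {                 # dotted quad -> 32-bit integer
    $n = [long]0
    foreach ($b in ([IPAddress]$Ip).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Test-InNetworks([string]$Ip, [string[]]$Cidrs) {
    foreach ($cidr in $Cidrs) {
        $net, $bits = $cidr.Split('/')
        $mask = ([long]4294967295 -shl (32 - [int]$bits)) -band [long]4294967295
        if (((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)) { return $true }
    }
    return $false
}

# Steps 2 and 4 of the reply: which records Netlogon has been told NOT to register.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
"DnsAvoidRegisterRecords : $($nl.DnsAvoidRegisterRecords -join ',')   (reply expects LdapIpAddress,GcIpAddress)"
"RegisterDnsARecords     : $($nl.RegisterDnsARecords)   (reply expects 0 on a multihomed DC)"

# The ISP-DNS mistake: a non-internal DNS server on any adapter cannot answer AD locator queries.
Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object {
    foreach ($srv in $_.ServerAddresses) {
        if (-not (Test-InNetworks $srv $InternalNetworks)) {
            "WARNING: $($_.InterfaceAlias) uses non-internal DNS server $srv"
        }
    }
}

# The multihomed-registration symptom: (same as parent folder) and gc._msdcs A records on the wrong NIC.
foreach ($name in @($DomainName, "gc._msdcs.$DomainName")) {
    Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue | Where-Object IPAddress | ForEach-Object {
        $state = if (Test-InNetworks $_.IPAddress $InternalNetworks) { 'ok' } else { 'WARNING: outside internal subnet' }
        "$name -> $($_.IPAddress)  $state"
    }
}
```

Run it on the DC after applying the steps; any WARNING line identifies the adapter or record that still needs the fix from the corresponding step.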