Re: TSM network entry being pulled into DNS entry
From: John (John_at_discussions.microsoft.com)
Date: 11/11/04
- Next message: Saira: "DMZ advertiser and caching server question"
- Previous message: Todd J Heron: "Re: Trusts and DNS"
- Maybe in reply to: John: "TSM network entry being pulled into DNS entry"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 11 Nov 2004 08:41:12 -0800
Hi Ace,
Thanks for the reply. This was a really helpful article, and it helped me prove that
my DNS settings were not wrong and that it's obvious this happens. I thank you. But
now I have a question. I would like to make the registry changes on the domain
controllers, but first I would like to do this on the fault-tolerant domain controller
and then, once I ensure that it is working fine with the fault-tolerant domain
controller, go ahead and make the registry changes on the main domain controller. What
would you suggest? Or should I make the changes on a test box and then proceed?
thanks,
John
"Ace Fekay [MVP]" wrote:
> In news:CC254D99-B7C4-4502-A212-1F7B0CF8DC20@microsoft.com,
> John <John@discussions.microsoft.com> made a post then I commented below
> > Hi,
> >
> > The Domain Controllers have NIC cards for TSM backup. And this is on a
> > separate network. netlogon.dns shows this entry. Also in several other
> > locations in that file it shows
> >
> > TAPI3Directory.xyz.domain.local. 600 IN A 10.1.171.97
> > DomainDnsZones.xyz.domain.local. 600 IN A 10.1.171.97
> > ForestDnsZones.xyz.domain.local. 600 IN A 10.1.171.97
> >
> > How can we ensure that DNS does not pull in the TSM network card?
> >
> > Also, I went and removed this entry in DNS
>
> If you are saying there are multiple NICs on a DC that is also a DNS server,
> that is normally not advised, due to the implications, such as what you are
> experiencing. If need be, registry modifications can force this to work. How?
> Here is a re-post from a few previous threads in which this has been discussed at
> length. Ignore the stuff about NAT and a router, and just apply the reg
> entries that will stop the DNS registration behaviors. If you can get away
> with a single NIC, that would be more advisable.
>
> /begin re-post
> ==============================
> This is a touchy and debated subject about multihomed DCs, especially if
> they are a DNS server and/or a RAS server, as well. And as you well know,
> we would rather avoid a multihomed DC because of what happens to AD due to
> the external IP that gets registered for the LdapIpAddress, which is that
> "(same as parent) A IpAddressOfDc", record, and the GcIpAddress (under the
> _msdcs.gc zone). Otherwise, if they need a multihomed DC, it's recommended
> to alter this default behavior with a couple of reg entries.
>
> So, if we were to have a multihomed DC, and can't get around it, such as a
> NAT server, or even as an SBS server that you want to utilize ISA Server on
> it (otherwise, dish out $40.00 and get a Linksys router if one needs a NAT
> box, or a standalone server), here are some steps to follow that I've posted
> previously about this, and just refined a bit tonight.
>
> Well, you asked for it, and here it is!!
>
>
> ***
> Part of the issue you're seeing is with multiple NICs: when opening ADUC, logon
> issues, or any other domain requests, it may be getting the wrong IP that is
> registered for the SRV resource. BTW, we always suggest NEVER multihoming a
> DC or DNS server, and especially never putting RRAS on it either. For such a server,
> it's highly suggested to use a member server or a standalone, for that. Or
> just acquire an inexpensive ($40.00) Linksys router to handle NAT.
>
> But in many cases, I can understand that many companies may not have the
> budget for such an inexpensive router, or it may not be possible, for whatever
> technical reasons one may come up with, in their environment.
>
> That said, here are the steps to ensure a fully functional multihomed DC/DNS
> and/or RAS server:
>
>
> 1. In Network & Dialup connections, Advanced menu, Advanced Settings, in the
> top window, make sure the internal interface is at the top of the binding
> order. If not, move it to the top. This ensures all network requests will
> default to the internal interface.
>
> 2. Ensure that all the NICs point to your internal DNS server(s) only
> and none others. The reason is that we don't want to use the external interface;
> especially if the internal interface fails, it will seek the external
> interface properties.
>
> 3. Disable NetBIOS on the other NICs (I know you did that through the reg with
> that article, but ensure that it's disabled in NIC properties too). You may want
> to take a look at this to stop NetBIOS on the RRAS interfaces:
> 296379 - How to Disable NetBIOS on an Incoming Remote Access Interface [Reg
> Entry]:
> http://support.microsoft.com/?id=296379
>
> Otherwise, RRAS or not, it will cause duplicate name errors because Windows
> sees itself with multiple names through the Browser service but with different
> IPs.
>
> 4. Disable File and Print services and disable MS Client on the outer NIC.
> Uncheck "Register this connection" in the DNS tab of IP properties/Advanced. Now if you
> need these for whatever reason for resource access from clients, then you
> would probably have to keep them on.
>
> 5. In DNS, delete the other NIC references for the LdapIpAddress - the blank
> domain FQDN - that looks like (same as parent). If this is a GC, you need to
> also stop the GC record as well.
>
> To stop these from registering that info, I used these two articles. The
> first article shows the reg entries to use to stop registering, and the
> other article to determine how to stop the GC (Global Catalog) record. If
> both of these records contain the external IP, it may cause problems with
> client logon, GPOs applying (client side extensions), Exchange issues, and
> the DC Locator functions.
>
> Private Network Interfaces on a Domain Controller Are Registered in DNS:
> http://support.microsoft.com/?id=295328
>
> Restrict the DNS SRV resource records updated by the Net Logon service
> [including GC]:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_dns_pro_no_rr_in_ad.asp
>
>
> Therefore, to start off, let's disable the SRV record registration process
> in the reg. If this Value does not exist, create it.
>
> Key:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
>
> Registry value: DnsAvoidRegisterRecords
> Data type: REG_MULTI_SZ
> Values: LdapIpAddress
> GcIpAddress
>
> After you set this value, you must manually create the internal IP address
> for your DC, (which is the LdapIpAddress, and this reg entry needs to be
> done on each DC, and a record created for each DC), to appear as:
>
> (same as parent) A "TheInternalIpAddress"
>
> To perform this, just right-click your zone, New Host,
> leave the hostname blank, and enter the IP of the internal NIC.
>
> You'll need to also manually create the GcIpAddress as well, if this is a
> GC. This is crucial as well as the above record, because an internal client
> cannot communicate with the external IP and can be a major concern with
> numerous processes, including the logon process, Exchange DS Access errors,
> etc:
>
> The GC record is located under the _msdcs._gc SRV record under the zone. So all you
> need to do is right-click the 'gc' folder under the '_msdcs' folder, New Host,
> leave the hostname blank, and enter the IP of the internal NIC.
>
>
> 6. Since this is also a DNS server, the IPs from both NICs will register,
> even if you tell it not to in the NIC properties. This is because DNS
> registers all known IPs of itself, as the SOA record. This article explains
> this:
>
> 275554 - The Host's A Record Is Registered in DNS After You Choose Not to
> Register the Connection's Address:
> http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&
>
> Basically it says to disable Dynamic Updates on all interfaces. This way it
> will not register both the internal and external IP as a Host Record.
> Otherwise this can cause issues too, due to the multiple registered IPs for
> the same name. But this depends on whether the client is on the same subnet
> or not. If the client is on the same subnet, subnet prioritization will
> ensure the client gets the internal IP. If the client is on another subnet,
> Round Robin will kick in, and if so, then we won't know which IP the DC will
> resolve to. To disable DnsDynamicUpdates of the DHCP Client service (an
> important *required* service, whether the machine is static or DHCP, that is
> tied into the dynamic update service, as well as the resolver service) see
> below. Keep in mind, this will kill the 'A' and PTR record registration of
> the DC:
>
> The registry key to disable dynamic update of the DHCP client service is:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate
>
> Data type: REG_DWORD
> Range: 0 - 1
> Default value: 0
>
> The above is explained here:
> 246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
> NIC too):
> http://support.microsoft.com/?id=246804
>
>
> 7. Also, since this is a DNS server that is only being used for AD internal
> functionality, we will need to instruct DNS not to listen to DNS queries
> on the external interface. To do that, we need to remove the interface from
> the list of interfaces that the DNS server listens on. To do so, follow
> these steps:
>
> 1. Start the DNS Management Microsoft Management Console (MMC).
> 2. Right-click the DNS server, and then click Properties.
> 3. Click the Interfaces tab.
> 4. Under Listen on, click to select the "Only the following IP addresses" check box.
> 5. Type the IP addresses that you want the server to listen on.
> Include only the IP addresses of the interfaces for which you want a host A
> record registered in DNS.
> 6. Click OK, and then quit the DNS Management MMC.
>
>
>
>
>
> Hope that helps!
> Ace
> ==========================
> /end re-post
>
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
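The procedure Ace re-posts above (the Netlogon DnsAvoidRegisterRecords value, the hand-made zone-root and gc records with the internal address, the DHCP Client DisableDynamicUpdate value, and the DNS listener restriction), collected into one PowerShell script as an added example; it is not code from the original post or from either poster. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later), an internal NIC alias of LAN, a backup NIC alias of TSM, an internal address of 10.1.1.10 and a zone named xyz.domain.local; the aliases and the 10.1.1.10 address are placeholders, and 10.1.171.97 is the TSM address shown in the netlogon.dns excerpt in the post.

```powershell
# Added example, not from the original post. Aliases and the internal IP are assumed values.
#Requires -RunAsAdministrator
$Zone       = 'xyz.domain.local'   # domain zone named in the post
$InternalIp = '10.1.1.10'          # ASSUMED internal (LAN) address of this DC
$TsmIp      = '10.1.171.97'        # backup-network address seen in netlogon.dns in the post
$TsmAlias   = 'TSM'                # ASSUMED interface alias of the backup NIC
$Netlogon   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Tcpip      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Audit first: which records in netlogon.dns carry the backup-network address?
function Get-StrayNetlogonRecords {
    param([string]$Path = "$env:SystemRoot\System32\config\netlogon.dns",
          [string]$UnwantedIp = $TsmIp)
    Get-Content -Path $Path |
        Where-Object { $_ -match "\s+IN\s+A\s+$([regex]::Escape($UnwantedIp))\s*$" }
}
Get-StrayNetlogonRecords | ForEach-Object { Write-Warning "Registered with TSM address: $_" }

# 2. Stop Netlogon registering the zone-root (LdapIpAddress) and gc._msdcs (GcIpAddress) A records
New-ItemProperty -Path $Netlogon -Name DnsAvoidRegisterRecords -PropertyType MultiString `
    -Value @('LdapIpAddress', 'GcIpAddress') -Force | Out-Null

# 3. DC Locator still needs those records, so create them by hand with the internal IP only.
#    Any existing zone-root A record that carries another address is removed first.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $InternalIp } |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force
Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $InternalIp -ErrorAction SilentlyContinue
# The post describes _msdcs as a folder inside the domain zone; if _msdcs is its own delegated
# zone on your server, use -ZoneName "_msdcs.$Zone" -Name 'gc' instead.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'gc._msdcs' -IPv4Address $InternalIp -ErrorAction SilentlyContinue

# 4. Backup NIC: no DNS registration, no File/Print sharing or MS client, no NetBIOS over TCP/IP
Set-DnsClient -InterfaceAlias $TsmAlias -RegisterThisConnectionsAddress $false
Disable-NetAdapterBinding -Name $TsmAlias -ComponentID ms_server, ms_msclient
$guid = (Get-NetAdapter -Name $TsmAlias).InterfaceGuid
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$guid" `
    -Name NetbiosOptions -Value 2          # 2 = NetBIOS over TCP/IP disabled

# 5. Per the post (KB 275554/246804): the DNS Server service registers all of its own addresses
#    regardless of the per-NIC checkbox, so disable DHCP Client dynamic update globally and
#    create the DC's own host A/PTR record by hand with the internal address.
Set-ItemProperty -Path $Tcpip -Name DisableDynamicUpdate -Type DWord -Value 1
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $env:COMPUTERNAME -IPv4Address $InternalIp `
    -CreatePtr -ErrorAction SilentlyContinue

# 6. DNS Server listens on the internal address only
dnscmd.exe /ResetListenAddresses $InternalIp | Out-Null

# 7. Re-register the SRV records and verify what clients will now get back
Restart-Service -Name Netlogon
nltest.exe /dsregdns | Out-Null
$answers = (Resolve-DnsName -Name $Zone -Type A -Server $InternalIp).IPAddress
if ($answers -contains $TsmIp) { Write-Warning "$Zone still answers with $TsmIp" }
else { Write-Host "$Zone now resolves only to: $($answers -join ', ')" }
```

Run the audit function on its own first (it only reads netlogon.dns) to see exactly which records carry the backup address before changing anything; step 5 matches the post's caveat that DisableDynamicUpdate also stops the DC's own A and PTR registration, which is why the script creates that host record by hand and has to be re-run if the internal address ever changes.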