Re: DNS & NAT
- From: Daniel Olinger <dolinger@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 17 May 2005 10:05:35 -0700
I have a Linksys router I can use for NAT, but how would I still be able to remote in to the server? Is there a port I need to forward to the server's internal IP, or how exactly would I set that up? I can not find any articles on that and I have searched and searched; that is why I finally said forget the router and just use the server to handle those issues. Any articles or steps to set that up would be ideal.
Ace Fekay [MVP] wrote:
Daniel Olinger wrote:
Quick run through on the set up...
This is a Windows 2003 server with 2 NIC cards in it. One of them gets an IP via DHCP from my ISP and the other one is the static IP set for my internal network. The server's roles are AD, DNS, VPN & NAT, Remote Access, DHCP.
The problem is this...
When I have both of the NIC cards active, I get no internet activity on the server or any of the clients. If I were to disable the LAN NIC, which is the static address for my internal network, then the server has access to the internet. If I enable it again, everything gets shut down again.
I was able to just click and play around with my DNS snap-in and it finally worked a few times; now it is broken. This happens every time I restart and get a new IP from the DHCP server from my ISP. No matter what I do, I can not get it to work. I do not know if this is a DNS issue, a NAT issue or what, but this was the only group I can figure to post in. If this is wrong please tell me a better group to post in.
I am sure you guys will need more information, I am not at home right now but can probably answer most questions from memory. Thanks guys, this is something I can not get my head around and it is bothering me.
Normally we do not recommend multihoming a DC/DNS server; expect multiple problems if you do. It would be beneficial to look at a NetGear box to handle your Internet access needs. But here are a couple of pointers that may help.
1. Force DNS on the outside NIC properties to be your internal DNS. Leave the IP set as DHCP. This way you are forcing the internal DNS server on this NIC.
2. Set the outside NIC to the bottom of the binding order.
3. In DNS interface tab, tell it to only listen to the internal NIC. Remove the external NIC.
4. On the outer NIC disable NetBIOS, MS File and Print Services, and Client For MS Services.
5. Outer NIC is the only one with a default gateway. Internal NIC has no gateway.
But this won't fix the main issue that AD will register both NICs as a GC and the LdapIpAddress. This is the reason we recommend not to multihome this sort of server. It's your call: a relatively inexpensive NetGear, or you can look at the following information that I have provided in the past for such scenarios to clean this up. This is a known issue and these settings are the recommended way to fix it up....
Repost starts here (from 10/6/2004):
+++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
Actually most of these are strewn about in this newsgroup between myself and others posting responses. Steps include killing the registration of your NIC cards thru the registry. You first identify the GUID for each NIC. Then you would publish (thru reg) what IPs you want in DNS, then you need to adjust the binding order to ensure the NIC you want responds. Then another reg entry to kill the GcIpAddress and the LdapIpAddress. Then you publish once again thru the reg which IP you want for those two values. But you need to ensure that the SRVs get registered properly. Then if RRAS is on it, it complicates it a bit. Then if this is also a NAT server, and you have multiple internal private interfaces, then there can be problems with routing between subnets because of the PDU size. LDAP requires a PDU of 300kb, but once enabled as a NAT, and you have multiple private interfaces, AD communication gets thwarted and requires another change. This can cause client logon trouble as well as GPOs to fail because multiple GC addresses come up, as they do on a multihomed DC/GC; then with round robin, you never know which one will answer, and if it's one on another subnet, then the system may not route it properly, so therefore it can't get to it, even though the machine is on the same subnet.
Here's a repost of past posts I sent to explain some of it to others. They may be mixed a bit, but you can see the gist of it. All the instructions are here to make it work. But it's something you have to monitor to make sure it doesn't cause any other issues. I've set up a couple of machines thru this method, but it's a pain. If you had a member server doing this (doesn't have to be an expensive box, just a cheapo desktop will do the trick), you would be better off.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Not saying it doesn't work with W2k3, but those articles are based on W2k. The registries are similar, but I know some of the registration entries on W2k have been changed on W2k3. Part of the issue you're seeing is with multi NICs: when opening ADUC or any other domain requests, it may be getting the wrong IP that is registered for the SRV resource. BTW, we always suggest to NEVER multihome a DC or DNS, and especially never to put RRAS on it either. Suggest a member server for that. Or just get an inexpensive Linksys router to handle NAT. But in many cases, I can understand that may not be possible in your environment.
Suggestions, and keep in mind, when mentioning "other NICs", they are the subnets that the NICs are on that your AD infrastructure is not on.
1. Ensure that all the NICs point to your internal DNS server(s) only and none others.
2. In Network & Dialup properties, Advanced Menu item, Advanced Settings, move the internal NIC (the network that AD is on) to the top of the binding order (top of the list).
3. Disable NetBIOS on the other NICs (I know you did that thru the reg with that article, but ensure that it's disabled in NIC properties too). May want to take a look at this to stop NetBIOS on the RRAS interfaces: 296379 - How to Disable NetBIOS on an Incoming Remote Access Interface [Reg Entry]: http://support.microsoft.com/?id=296379
Otherwise, RRAS or not, it will cause duplicate name errors because Windows sees itself with multiple names thru the Browser service but with different IPs.
4. Disable File and Print services and disable MS Client on the other NICs. Uncheck "Register this connection" in the DNS tab of IP properties/Advanced. Now if you need these for whatever reason for resource access from clients, then you would probably have to keep them on.
5. In DNS, delete the other NIC references for the LdapIpAddress - the blank domain FQDN - that looks like (same as parent). If this is a GC, you need to also stop the GC record as well.
To stop these from registering that info, use this method (this was taken from http://support.microsoft.com/?id=295328):
==========================
To disable only the registration of the local IP addresses, set the following registry value:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress GcIpAddress
After you set this value, you must manually register your publicly available IP addresses for your domain to appear as:
Same as parent folder Host "publicIP"
Do that by just right-clicking, New Host, leave the hostname blank, and enter the IP of the internal NIC.
You need to also manually create the GcIpAddress as well, if this is a GC. That would be under the _msdcs._gc SRV record under the zone.
==========================
6. In DNS, _msdcs.gc, delete the IP addresses referencing the other NICs. I would follow this article to stop the GC records from the other NICs registering, since this is a major cause of concern for logons. You would need to manually create the GC entry of the internal NIC. Restrict the DNS SRV resource records updated by the Net Logon service [including GC]: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_dns_pro_no_rr_in_ad.asp
7. Since this is a DNS server, the IPs from all NICs will register, even if you tell it not to in the NIC properties. See this to show you how to stop that behavior (for W2K, but may work): 275554 - The Host's A Record Is Registered in DNS After You Choose Not to Register the Connection's Address: http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In circumstances in which the list of IP addresses the DNS server listens to and serves is different from the list of IP addresses published (registered by the DNS Server service), use the following registry key:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also, how to kill registration (per NIC) prior to setting the above publishing records: 246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too): http://support.microsoft.com/?id=246804
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
275554 - The Host's A Record Is Registered in DNS After You Choose Not to Register the Connection's Address [It still registers]: http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
/End Repost
Good luck...
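As an added example (not part of this thread, and not Microsoft's KB text), the script below audits the two records Ace's repost is about on a multihomed DC: the LdapIpAddress A record at the zone apex ("same as parent") and the GcIpAddress A record at gc._msdcs.<domain>. It flags any published address other than the internal NIC, which is the condition behind the round-robin/routing problem described above, and with -Apply it sets the DnsAvoidRegisterRecords value quoted from KB 295328 (LdapIpAddress, GcIpAddress) under the Netlogon\Parameters key. It assumes a Windows Server 2012 or later DC (for Resolve-DnsName) run from an elevated PowerShell session; $DomainFqdn and $InternalIp are placeholders you replace, and the function names are mine.

```powershell
<#
Added example, not from the thread or from the KB article it quotes.
Audits the LdapIpAddress / GcIpAddress A records a multihomed DC publishes and,
with -Apply, sets the DnsAvoidRegisterRecords value quoted from KB 295328.
Assumptions (placeholders, replace for your environment):
  - Run elevated on the DC, Windows Server 2012 or later (Resolve-DnsName).
  - $DomainFqdn is the AD domain; $InternalIp is the AD-side NIC address.
#>
param(
    [string]$DomainFqdn = 'corp.example',   # placeholder
    [string]$InternalIp = '192.168.1.10',   # placeholder: internal (AD) NIC
    [switch]$Apply
)

$NetlogonKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$AvoidRecords = @('LdapIpAddress', 'GcIpAddress')   # values named in KB 295328

function Get-PublishedDcAddresses {
    # LdapIpAddress is the A record at the zone apex ("same as parent");
    # GcIpAddress is the A record at gc._msdcs.<domain>.
    param([string]$Fqdn)
    $ldap = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    $gc = Resolve-DnsName -Name "gc._msdcs.$Fqdn" -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    [pscustomobject]@{ Ldap = @($ldap); Gc = @($gc) }
}

function Get-UnexpectedAddresses {
    # Every published address that is not the internal NIC is one that a
    # round-robin answer may hand a client on the wrong subnet.
    param([string[]]$Published, [string]$Expected)
    @($Published | Where-Object { $_ -and $_ -ne $Expected })
}

function Set-AvoidRegisterRecords {
    # Merge the KB 295328 values into DnsAvoidRegisterRecords (REG_MULTI_SZ),
    # keeping any entries an administrator already placed there.
    param([string]$Key, [string[]]$Records)
    $existing = (Get-ItemProperty -Path $Key -Name 'DnsAvoidRegisterRecords' `
        -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
    $merged = @(@($existing) + $Records | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $Key -Name 'DnsAvoidRegisterRecords' `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

# --- audit -------------------------------------------------------------
$published = Get-PublishedDcAddresses -Fqdn $DomainFqdn
$badLdap = Get-UnexpectedAddresses -Published $published.Ldap -Expected $InternalIp
$badGc   = Get-UnexpectedAddresses -Published $published.Gc   -Expected $InternalIp

"LdapIpAddress ($DomainFqdn): $($published.Ldap -join ', ')"
"GcIpAddress (gc._msdcs.$DomainFqdn): $($published.Gc -join ', ')"
if ($badLdap -or $badGc) {
    $extra = @($badLdap) + @($badGc) | Sort-Object -Unique
    "Unexpected addresses published: $($extra -join ', ')"
} else {
    'Only the internal NIC is published.'
}

# --- optional fix ------------------------------------------------------
if ($Apply) {
    $set = Set-AvoidRegisterRecords -Key $NetlogonKey -Records $AvoidRecords
    "DnsAvoidRegisterRecords now: $($set -join ', ')"
    # Net Logon re-reads the value on restart. After this, the apex and
    # gc._msdcs A records for $InternalIp must be created by hand, as the
    # quoted KB text says, because Net Logon will no longer register them.
    Restart-Service -Name Netlogon
    # Step 3 of the post (DNS listens only on the internal NIC) has a
    # command-line equivalent:  dnscmd . /ResetListenAddresses $InternalIp
}
```

Run it without -Apply first; the audit is read-only and is the "monitor it" check Ace mentions, so it is worth scheduling after each reboot on a DC whose outside NIC gets a new DHCP address. The script deliberately does not delete any DNS records: removing the stale apex and gc._msdcs entries for the outside NIC, and adding the ones for the internal NIC, stays a manual step in the DNS console so that nothing is dropped on a DC that is not actually multihomed.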
- Follow-Ups:
- Re: DNS & NAT
- From: Jeremy Church
- Re: DNS & NAT
- References:
- DNS & NAT
- From: Daniel Olinger
- Re: DNS & NAT
- From: Ace Fekay [MVP]
- DNS & NAT