Win2000 AD problems on Multihomed DC

Archived from groups: microsoft.public.win2000.active_directory

Hi all,

I have heard about problems with running AD on multihomed DCs but none of
the fixes seem to work for me.

I had two DCs. The first one I installed I need to reformat entirely and
turn into a workstation, leaving me just one DC (this is fine--it's a home
network. If it all blows up, oh well.)

I moved the global catalog server to the DC that was to remain and then ran
dcpromo on the one I demoted. Fine. That leaves me with one DC, which is
multihomed with one NIC inside and one with a public DHCP-assigned IP from
the ISP. The problem is that when the outside NIC is enabled, I cannot
connect to AD-specific snap-ins (like ADUC or ADSS): I get the message
"Naming information is not available because: The server is not operational".
When I disable the outside NIC, this problem is not evident and I can add
users, etc.

I understand that this problem is manifested when DNS is set up such that
DNS requests are directed to non-AD DNS servers (such as an ISP's). Here is
what I have done to make sure this does not happen (generally, everything in
this http://support.microsoft.com/default.aspx?scid=kb;en-us;272294 article):

1. Made the Inside NIC the top in the binding list.
2. Set the Outside NIC so that the DNS server is the IP address of the DC.
3. Set the Inside NIC so that the DNS server is the IP address of the DC.
4. Removed the public IP address from the AD DNS zone.
5. Set the Outside NIC so that it would not register that connection in DNS.
6. Told the DNS service on the DC to only listen on the Inside NIC's IP
addresses (it actually has two bound to the NIC, 10.0.0.1 and 10.0.0.9--that
is not a problem, could it be?)
7. Unchecked "Enable round robin" resolution.
8. ipconfig /flushdns and ipconfig /registerdns.

Now, some of the computers on my home network are Macintoshes, and they
cannot run UDP through the MS Proxy (which is also running on the DC) since
UDP is not supported in SOCKS as implemented by MS. So the DC also has to
answer DNS queries for the Mac clients. As such, in DNS I have deleted the
root zone and in the DC's DNS properties under forwarders, added the IP
addresses of the ISP's DNS servers.

I notice that the outside NIC's IP address keeps reappearing in the AD DNS
zone, both in the general domain.com zone and in the gc._msdcs.domain.com
zone. So clearly there is something I am missing. I have read of a registry
edit associated with keeping the public IP from registering automatically in the
DNS zone, but that was for Win2K3 and I am loath to try that on a Win2K
server.

I am running Proxy both for NAT and for Internet access control. It is easy
to block access to certain domains, and I like the idea of being able to go
through the logs to see where the kiddies have been visiting. They know I do
this from time to time, so perhaps that is keeping them in line. If domain
restrictions were easy with a standard router/firewall which would also log
access, that might convince me to try to abandon this plan. For the
meanwhile, however, I would love to get this running properly. Any help would
be most appreciated.

Best regards,

Matt Doyle
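The symptom described in the post (the outside NIC's address reappearing in the zone root and under gc._msdcs) can be checked from any domain member without opening the DNS console. The script below is an added example and not code from the thread or from Microsoft; it assumes a current Windows client with the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later), that the internal addresses start with 10. as in the post, and uses the poster's placeholder domain.com and the DC's internal address 10.0.0.1 as defaults. It queries the DC directly and flags every A record for the domain root, for gc._msdcs and for the DC host names found via the _ldap._tcp.dc._msdcs SRV records whose address is outside the internal range.

```powershell
# Added example: audit which addresses a multihomed DC has registered in its AD zone.
# Assumptions (not from the thread): internal prefix 10., DC/DNS server 10.0.0.1,
# placeholder domain name domain.com. Run from a domain member with the DnsClient module.
param(
    [string]   $Domain           = 'domain.com',
    [string]   $DnsServer        = '10.0.0.1',
    [string[]] $InternalPrefixes = @('10.')
)

# Crude prefix match is enough for a single private range; widen the list for more ranges.
function Test-InternalIP {
    param([string]$Ip, [string[]]$Prefixes)
    foreach ($p in $Prefixes) {
        if ($Ip.StartsWith($p)) { return $true }
    }
    return $false
}

# Names Netlogon registers with A records on a DC; these are the ones the poster saw
# picking up the public address.
$names = @(
    $Domain,                 # A record at the zone root
    "gc._msdcs.$Domain"      # A record for the global catalog
)

# Add the DC host name(s) advertised through the SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                       -Server $DnsServer -DnsOnly -ErrorAction Stop
$names += $srv | Where-Object { $_.Type -eq 'SRV' } |
          Select-Object -ExpandProperty NameTarget -Unique

# Resolve every name against the DC itself (not the client's normal resolver) and
# classify each address.
$findings = foreach ($n in $names) {
    $aRecords = Resolve-DnsName -Name $n -Type A -Server $DnsServer -DnsOnly `
                                -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }
    foreach ($r in $aRecords) {
        [pscustomobject]@{
            Name     = $n
            Address  = $r.IPAddress
            Internal = Test-InternalIP -Ip $r.IPAddress -Prefixes $InternalPrefixes
        }
    }
}

$findings | Format-Table -AutoSize

$bad = $findings | Where-Object { -not $_.Internal }
if ($bad) {
    Write-Warning ("Addresses outside the internal range are registered: " +
                   ($bad.Address | Sort-Object -Unique) -join ', ')
}
```

Querying the DC with -Server and -DnsOnly matters: it shows what the DC's own zone holds right now, rather than whatever a cached or forwarded answer would return. Re-running the script after the next Netlogon re-registration cycle tells you whether a configuration change actually stopped the public address from coming back, rather than just deleting it once.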
 

I understand that this is a home network, and that resources are going to be
tight. However it is NOT recommended that you have a DC with a private and
public NIC. You mention that you did have another DC. Wouldn't it be a
better idea to let this server be the public facing server, ideally with ISA
or Squid, and keep the DC internal?

When you say you are running proxy for NAT and access control, are we talking
about ISA or MS Proxy server or something else?

With regards to the registration issue, have a look at this:
-- http://forums.msresource.net/index.php?showtopic=199

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net