TSM network entry being pulled into DNS entry

Discussion in 'DNS Server' started by John, Nov 10, 2004.

  1. John

    John Guest

    Hi,

    The Domain Controllers have NIC cards for TSM backup. And this is on a
    separate network. netlogon.dns shows this entry. Also in several other
    locations in that file it shows

    TAPI3Directory.xyz.domain.local. 600 IN A 10.1.171.97
    DomainDnsZones.xyz.domain.local. 600 IN A 10.1.171.97
    ForestDnsZones.xyz.domain.local. 600 IN A 10.1.171.97

    How can we rectify this so that DNS does not pull in the TSM network card?

    Also, I went and removed this entry in DNS
     
    John, Nov 10, 2004
    #1

  2. John

    John Guest

    Hi Ace,

    Thanks for the reply, this was really a very helpful article which I got and
    it helped me to prove that my DNS setting was not wrong and it's obvious that
    this happens. I thank you. But now I have a question. I would like to do the
    changes on the registry on the domain controllers, but first I would like to
    get this done on the fault tolerant domain controller and then once I ensure
    that it is working fine with the fault tolerant domain controller then I can
    go ahead and do the registry changes on the main domain controller. What
    would you suggest? Or should I do the changes on a test box and then proceed?

    thanks,
    John

     
    John, Nov 11, 2004
    #2

  3. Ace Fekay [MVP]

    If you are saying there are multiple NICs on a DC that is also a DNS server,
    that is normally not advised, due to the implications, such as what you are
    experiencing. If need be, registry modifications can force this to work. How?
    Here is a re-post from a few previous posts where this has been discussed at
    length. Ignore the stuff about NAT and a router, and just apply the reg
    entries that will stop the DNS registration behaviors. If you can get away
    with a single NIC, that would be more advisable.

    /begin re-post
    ==============================
    This is a touchy and debated subject about multihomed DCs, especially if
    they are a DNS server and/or a RAS server, as well. And as you well know,
    we would rather avoid a multihomed DC because of what happens to AD due to
    the external IP that gets registered for the LdapIpAddress, which is that
    "(same as parent) A IpAddressOfDc", record, and the GcIpAddress (under the
    _msdcs.gc zone). Otherwise, if they need a multihomed DC, it's recommended
    to alter this default behavior with a couple of reg entries.

    So, if we were to have a multihomed DC, and can't get around it, such as a
    NAT server, or even as an SBS server that you want to utilize ISA Server on
    it (otherwise, dish out $40.00 and get a Linksys router if one needs a NAT
    box, or a standalone server), here are some steps to follow that I've posted
    previously about this, and just refined a bit tonight.

    Well, you asked for it, and here it is!!


    ***
    Part of the issue you're seeing is with multi NICs, when opening ADUC, logon
    issues, or any other domain requests, it may be getting the wrong IP that is
    registered for the SRV resource. BTW- we always suggest to NEVER multihome a
    DC, DNS and especially never to put RRAS on it either. For such a server,
    it's highly suggested to use a member server or a standalone, for that. Or
    just acquire an inexpensive ($40.00) Linksys router to handle NAT.

    But in many cases, I can understand that many companies may not have the
    budget for such an inexpensive router, or it may not be possible, for whatever
    technical reasons one may come up with, in their environment.

    That said, here are the steps to ensure a fully functional multihomed DC/DNS
    and/or RAS server:


    1. In Network & Dialup connections, Advanced menu, Advanced Settings, in the
    top window, make sure the internal interface is at the top of the binding
    order. If not, move it to the top. This ensures all network requests will
    default to the internal interface.

    2. Ensure that all the NICs point only to your internal DNS server(s) and
    none others. The reason is we don't want to use the external interface;
    especially if the internal interface fails, it will seek the external
    interface properties.

    3. Disable NetBIOS on the other NICs (I know you did that through the reg with
    that article, but ensure that it's disabled in NIC properties too). May want
    to take a look at this to stop NetBIOS on the RRAS interfaces:
    296379 - How to Disable NetBIOS on an Incoming Remote Access Interface [Reg
    Entry]:
    http://support.microsoft.com/?id=296379

    Otherwise, RRAS or not, it will cause duplicate name errors because Windows
    sees itself with multiple names through the Browser service but with different
    IPs.

    4. Disable File and Print services and disable MS Client on the outer NIC.
    Uncheck reg this connection in DNS tab of IP properties/Advanced. Now if you
    need these for whatever reason for resource access from clients, then you
    would probably have to keep them on.

    5. In DNS, delete the other NIC references for the LdapIpAddress - the blank
    domain FQDN - that looks like (same as parent). If this is a GC, you need to
    also stop the GC record as well.

    To stop these from registering that info, I used these two articles. The
    first article shows the reg entries to use to stop registering, and the
    other article to determine how to stop the GC (Global Catalog) record. If
    both of these records contain the external IP, it may cause problems with
    client logon, GPOs applying (client side extensions), Exchange issues, and
    the DC Locator functions.

    Private Network Interfaces on a Domain Controller Are Registered in DNS:
    http://support.microsoft.com/?id=295328

    Restrict the DNS SRV resource records updated by the Net Logon service
    [including GC]:
    http://www.microsoft.com/technet/tr...proddocs/standard/sag_dns_pro_no_rr_in_ad.asp


    Therefore, to start off, let's disable the SRV record registration process
    in the reg. If this Value does not exist, create it.

    Key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Registry value: DnsAvoidRegisterRecords
    Data type: REG_MULTI_SZ
    Values: LdapIpAddress
    GcIpAddress

    After you set this value, you must manually create the internal IP address
    for your DC, (which is the LdapIpAddress, and this reg entry needs to be
    done on each DC, and a record created for each DC), to appear as:

    (same as parent) A "TheInternalIpAddress"

    To perform this, just rt-click your zone, new host,
    leave the hostname blank, and enter the IP of the internal NIC.

    You'll need to also manually create the GcIpAddress as well, if this is a
    GC. This is crucial as well as the above record, because an internal client
    cannot communicate with the external IP and can be a major concern with
    numerous processes, including the logon process, Exchange DS Access errors,
    etc:

    The GC record is located under the _msdcs._gc SRV record under the zone. So all
    you need to do is rt-click the 'gc' folder under the '_msdcs' folder, new host,
    leave the hostname blank, and enter the IP of the internal NIC.


    6. Since this is also a DNS server, the IPs from both NICs will register,
    even if you tell it not to in the NIC properties. This is because DNS
    registers all known IPs of itself, as the SOA record. This article explains
    this:

    275554 - The Host's A Record Is Registered in DNS After You Choose Not to
    Register the Connection's Address:
    http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&

    Basically it says to disable Dynamic Updates on all interfaces. This way it
    will not register both the internal and external IP as a Host Record.
    Otherwise this can cause issues too, due to the multiple registered IPs for
    the same name. But this depends on whether the client is on the same subnet
    or not. If the client is on the same subnet, subnet prioritization will
    ensure the client gets the internal IP. If the client is on another subnet,
    Round Robin will kick in, and if so, then we won't know which IP the DC will
    resolve to. To disable DnsDynamicUpdates of the DHCP Client service (an
    important *required* service, whether the machine is static or DHCP, that is
    tied into the dynamic update service, as well as the resolver service) see
    below. Keep in mind, this will kill the 'A' and PTR record registration of
    the DC:

    The registry key to disable dynamic update of the DHCP client service is:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate

    Data type: REG_DWORD
    Range: 0 - 1
    Default value: 0

    The above is explained here:
    246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
    NIC too):
    http://support.microsoft.com/?id=246804


    7. Also, since this is a DNS server that is only being used for AD internal
    functionality, we will need to instruct DNS to not to listen to DNS queries
    on the external interface. To do that, we need to remove the interface from
    the list of interfaces that the DNS server listens on. To do so, follow
    these steps:

    1. Start the DNS Management Microsoft Management Console (MMC).
    2. Right-click the DNS server, and then click Properties.
    3. Click the Interfaces tab.
    4. Under Listen on, click to select the Only the following IP
    addresses check box.
    5. Type the IP addresses that you want the server to listen on.
    Include only the IP addresses of the interfaces for which you want a host A
    record registered in DNS.
    6. Click OK, and then quit the DNS Management MMC.

    Hope that helps!
    Ace
    ==========================
    /end re-post



    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Nov 19, 2004
    #3
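    An added PowerShell audit/apply script for the two registry values and the
    stale (same as parent) record described in the post above (my example, not
    Ace's or Microsoft's code). The zone name comes from John's netlogon.dns
    excerpt; the backup-subnet prefix 10.1.171. is an assumption used only for
    the final check. Run elevated on the multihomed DC; Resolve-DnsName needs the
    DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example: audit (default) or set (-Apply) the Netlogon and Tcpip values from
# the post, then check whether the blank domain A record still carries a backup-NIC
# address. Not from the thread; domain name and backup prefix are assumptions.
param(
    [switch]$Apply,
    [string]$DomainFqdn   = 'xyz.domain.local',   # zone named in the netlogon.dns excerpt
    [string]$BackupPrefix = '10.1.171.'           # assumed: the TSM backup network
)
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$avoid    = @('LdapIpAddress', 'GcIpAddress')    # REG_MULTI_SZ entries from the post

# 1. Netlogon: which DC Locator records are already excluded from registration?
$p       = Get-ItemProperty -Path $netlogon -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
$have    = @($p.DnsAvoidRegisterRecords | Where-Object { $_ })
$missing = @($avoid | Where-Object { $_ -notin $have })
if ($missing.Count -gt 0) {
    Write-Warning "DnsAvoidRegisterRecords lacks: $($missing -join ', ') (every NIC's IP will register)"
    if ($Apply) {
        # Keep whatever is already excluded and add only the two names from the post
        New-ItemProperty -Path $netlogon -Name DnsAvoidRegisterRecords -PropertyType MultiString `
            -Value @($have + $missing) -Force | Out-Null
        Restart-Service Netlogon   # Netlogon re-registers its records on start, honouring the exclusions
    }
}

# 2. Tcpip: DHCP Client dynamic update of the host's own A/PTR records (KB 246804)
$d = (Get-ItemProperty -Path $tcpip -Name DisableDynamicUpdate -ErrorAction SilentlyContinue).DisableDynamicUpdate
if ($d -ne 1) {
    Write-Warning "DisableDynamicUpdate=$d; the DC's A/PTR records register from all NICs"
    if ($Apply) {
        # Side effect the post calls out: this stops the DC's A and PTR registration
        # entirely, so the internal host record must then be maintained by hand.
        New-ItemProperty -Path $tcpip -Name DisableDynamicUpdate -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# 3. Detection: does the blank "(same as parent)" A record still hand out a backup-network IP?
$leaked = Resolve-DnsName -Name $DomainFqdn -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -like "$BackupPrefix*" }
if ($leaked) {
    Write-Warning "$DomainFqdn still resolves to $($leaked.IPAddress -join ', '); delete the stale (same as parent) record by hand as step 5 describes"
} else {
    Write-Host "$DomainFqdn returns no $BackupPrefix* address"
}
```

    Without -Apply the script only reports; the registry writes and the Netlogon
    restart happen only when -Apply is given.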
  4. Ace Fekay [MVP]

    Actually John, that wasn't an article per se, but one of my own posts that I
    put together. It's proven and it works.

    As far as your question, if your internal and external domain names are
    different, then the registry changes only need to be applied to the one DC that
    is multihomed.

    Back up your reg first, if you are unsure, to a .reg file. This way a double
    click of that file will restore it to its previous state.

    But please do keep in mind, as I previously stated, *if at all possible*,
    it's not advised to multihome a DC due to what can happen.

    Cheers!

    Ace
     
    Ace Fekay [MVP], Nov 20, 2004
    #4