TSM network entry being pulled into DNS entry

Hi,

The Domain Controllers have NIC cards for TSM backup. And this is on a
separate network. netlogon.dns shows this entry. Also in several other
locations in that file it shows

TAPI3Directory.xyz.domain.local. 600 IN A 10.1.171.97
DomainDnsZones.xyz.domain.local. 600 IN A 10.1.171.97
ForestDnsZones.xyz.domain.local. 600 IN A 10.1.171.97

How can we rectify that DNS does not pull the TSM network card.

Also, I went and removed this entry in DNS

 

Hi Ace,

Thanks for the reply, this was really a very helpful article which I got and
it helped me to prove that my DNS setting was not wrong and its obvious that
this happens. I thank you. But, now have a question. I would like to do the
changes on the registry on the domain controllers, but first I would like to
get this done on the fault tolerant domain controller and then once I ensure
that it is working fine with the fault tolerant domain controller then I can
go ahead and do the registry changes on the main domain controller. What
would u suggest? Or should I do the changes on a test box and then proceed.

thanks,
John

 

In

If you are saying there are multiple NICs on a DC that is also a DNS server,
that is normally not advised, due to the implications, such as what you are
experiencing. If need be, registry modfications can force this to work. HOw?
Here is a re-post from a few previous posts that this has been discussed at
length. Ignore the stuff about NAT and a router, and just apply the reg
entries that will stop the DNS registration behaviors. If you can get away
with a single NIC, that would be more advisable.

/begin re-post
==============================
This is a touchy and debated subject about multihomed DCs, expecially if
they are a DNS server and/or a RAS server, as well. And as you well know,
we would rather avoid a multihomed DC because of what happens to AD due to
the external IP that gets registered for the LdapIpAddress, which is that
"(same as parent) A IpAddressOfDc", record, and the GcIpAddress (under the
_msdcs.gc zone). Otherwise, if they need a multihomed DC, it's recommended
to alter this default behavior with a couple of reg entries.

So, if we were to have a multihomed DC, and can't get around it, such as a
NAT server, or even as an SBS server that you want to utilize ISA Server on
it (otherwise, dish out $40.00 and get a Linksys router if one needs a NAT
box, or a standalone server), here are some steps to follow that I've posted
previously about this, and just refined it a bit tonite.

Well, you asked for it, and here it is!!


***
Part of the issue you're seeing is with mutli NICs, when opening ADUC, logon
issues, or any other domain requests, it maybe getting the wrong IP that is
registered for the SRV resource. BTW- we always suggest to NEVER mutlihome a
DC, DNS and especially never to put RRAS on it either. For such a server,
it's highly suggested to use a member server or a standalone, for that. Or
just acquire an inexpensive ($40.00) Linksys router to handle NAT.

But in many cases, I can understand that many companies may not have the
budget for such an inexpensive router, or be possible, for whatever
technical reasons one may come up withy, in their environement.

That said, here are the steps to insure a fully functional multihomed DC/DNS
and/or RAS server:


1. In Network & Dialup connections, Advanced menu, Advanced Settings, in the
top window, make sure the internal interface is at the top of the binding
order. If not, move it to the top. This insures all network requests will
default to the internal interface.

2. Insure that all the NICS only point to your internal DNS server(s) only
and none others. Reason, is we don't want to use the external interface,
especially if the internal interface fails, it will seek the external
interface properties.

3. Disable NetBIOS on the other NICs (i know you did that thru the reg with
that article, but insure that it's disabled in NIC properties too). May want
to take a look at this to stop NetBIOS on teh RRAS interfaces:
296379 - How to Disable NetBIOS on an Incoming Remote Access Interface [Reg
Entry]:
http://support.microsoft.com/?id=296379

Otherwise, RRAS or not, it will cause duplicate name errors because Windows
sees itself with multi names thru the Browser service but with different
IPs.

4. Disable File and Print services and disable MS Client on the outer NIC.
Uncheck reg this connection in DNS tab of IP properties/Advanced. Now if you
need these for whatever reason for resource access from clients, then you
would probably have to keep them on.

5. In DNS, delete the other NIC references for the LdapIpAddress - the blank
domain FQDN - that looks like (same as parent). If this is a GC, you need
to
also stop the GC record as well.

To stop these from registering that info, I used these two articles. The
first article shows the reg entries to use to stop registering, and the
other article to determine how to stop the GC (Global Catalog) record. If
both of these records contain the external IP, it may cause problems with
client logon, GPOs applying (client side extensions), Exchange issues, and
the DC Locator functions.

Private Network Interfaces on a Domain Controller Are Registered in DNS:
http://support.microsoft.com/?id=295328

Restrict the DNS SRV resource records updated by the Net Logon service
[including GC]:
http://www.microsoft.com/technet/tr...proddocs/standard/sag_dns_pro_no_rr_in_ad.asp


Therefore, to start off, let's disable the SRV record registration process
in the reg. If this Value does not exist, create it.

Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress
GcIpAddress

After you set this value, you must manually create the internal IP address
for your DC, (which is the LdapIpAddress, and this reg entry needs to be
done on each DC, and a record created for each DC), to appear as:

(same as parent) A "TheInternalIpAddress"

To perform this, just rt-click your zone, new host,
leave the hostname blank, and enter the IP of the internal NIC.

You'll need to also manually create the GcIpAddress as well, if this is a
GC. This is crucial as well as the above record, because an internal client
cannot communicate with the external IP and can be a major concern with
numerous processes, including the logon process, Exchange DS Access errors,
etc:

The GC record is located under the _msdcs._gc SRV record under the zone. So
all you
need to do, is rt-click the 'gc' folder under the '_msdcs' folder, new host,
and leave the hostname blank, and enter the IP of the internal NIC.


6 Since this is also a DNS server, the IPs from both NICs will register,
even if you tell it not to in the NIC properties. This is because DNS
registers all known IPs of itself, as the SOA record. This article explains
this:

275554 - The Host's A Record Is Registered in DNS After You Choose Not to
Register the Connection's Address:
http://support.microsoft.com/default.aspx?scid=KB;en-us;275554&

Basically it says to disable Dynamic Updates on all interfaces. This way it
will not register both the internal and external IP as a Host Record.
Otherwise this can cause issues too, due to the multiple registered IPs for
the same name. But this depends on whether the client is on the same subnet
or not. If the client is on the same subnet, subnet prioritization will
ensure the client gets the internal IP. If the client is on another subnet,
Round Robin will kick in, and if so, then we won't know which IP the DC will
resolve to. To disable DnsDynamicUpdates of the DHCP Client service (an
imporant *required* service, whether the machine is static or DHCP, that is
tied into the dynamic update service, as well as the resolver service) see
below. Keep in mind, this will kill the 'A' and PTR record registration of
the DC:

The registry key to disable dynamic update of the DHCP client service is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate

Data type: REG_DWORD
Range: 0 - 1
Default value: 0

The above is explained here:
246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
NIC too):
http://support.microsoft.com/?id=246804


7. Also, since this is a DNS server that is only being used for AD internal
functionality, we will need to instruct DNS to not to listen to DNS queries
on the external interface. To do that, we need to remove the interface from
the list of interfaces that the DNS server listens on. To do so, follow
these steps:

1. Start the DNS Management Microsoft Management Console (MMC).
2. Right-click the DNS server, and then click Properties.
3. Click the Interfaces tab.
4. Under Listen on, click to select the Only the following IP
addresses check box.
5. Type the IP addresses that you want the server to listen on.
Include only the IP addresses of the interfaces for which you want a host A
record registered in DNS.
6. Click OK, and then quit the DNS Management MMC.





Hope that helps!
Ace
==========================
/end re-post



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.

 

In

Actually John, that wasn't an article per se, but one of my own posts that I
put together. It's proven and it works.

As far as your question, if your internal and external domain names are
different, then the registry changes only need to applied to the one DC that
is multihomed.

Backup your reg first, if you are unsure, to a .reg file. This way a double
click of that file will restore it to it's previous state.

But please do keep in mind, as I previously stated, *if at all possible*,
it's not advised to multihome a DC due to what can happen.

Cheers!

Ace