In news:95503814-737C-4BFE-B0D2-(E-Mail Removed),
bill tie <(E-Mail Removed)> made this post, which I then
commented about below:
> I've a two-NIC Win2k3 domain controller with RRAS configured as LAN
> router. I've followed every KB article on two-NIC DCs. I seem to
> have no errors in the EventViewer. Dcdiag and Netdiag seem to pass
> with flying colors.
>
> I'm unable to ping IP addresses in front of or behind the DC.
>
> [NAT/Firewall]
> IP: 192.168.1.1
> |
> |
> IP: 192.168.1.2
> DG: 192.168.1.1
> [Win2k3 DC with Lan-router RRAS]
> IP: 10.1.0.1
> DG: blank
> |
> |
> IP: 10.1.0.z
> DG: 10.1.0.1
> [client]
>
> From the client, I can't ping the IP address of the NAT/Firewall.
> From the NAT/Firewall, I can't ping the IP address of the client.
>
> What am I missing?
>
> Thank you.
What firewall software are you using? Windows ICF, ISA or third party?
Is this SBS or Windows Server?
For a DC, it would be wise for a couple of rules (or guidelines) to be
followed, if possible:
1. Never use a Firewall on a DC (complicates domain communication with the
29 ports DC/client communications require).
2. Never multihome it.
If the need to multihome it is necessary, here is a repost of a post I made
long ago for another person that required a multihomed DC with DNS and RRAS
on it. Honestly, it is better to use a member server for this role.
========================
++++++++++++++++++++
Honestly, multi-homed DCs are not recommended because of the associated
issues that can occur, as you've encountered. We usually recommend
purchasing an inexpensive Linksys, DLink, etc, Cable/DSL router to perform
NAT for you, take out the extra NIC off the DC, but still let the DC handle
DHCP (and not the router).
Since this DC is multi-homed, it requires additional configuration to
prevent the public interface addresses from being registered in DNS. This
creates a problem for internal clients locating AD to authenticate and find
other services and resources such as the Global Catalog, file sharing and
the SYSVOL DFS share and can cause GPO errors with Userenv 1000 events to be
logged, authenticating to shares and printers, logging on takes forever,
among numerous other issues.
But if you like, there are some registry changes to eliminate the
registration of the external NIC. Here's the whole list of manual steps to
follow (this includes some of the stuff I already gave you):
But believe me, it's much easier to just get a separate NAT device or
multihome a non-DC than having to alter the DC. - Good luck!
1. In the DNS management console, on the properties of the DNS server,
Interfaces tab, set DNS to only listen on the private IP you want in DNS for
the server. This is the interface that your AD network is on and that the
clients use.
2. Add this registry entry with regedt32 to stop the (same as parent folder)
records and the GC record, also called the LdapIpAddress and GcIpAddress.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
On the Edit menu, point to New, and then click REG_MULTI_SZ as the data
type:
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
(and in the box, you would type in the following to stop their
registration):
LdapIpAddress
GcIpAddress
3. Then you will need to manually create the LdapIpAddress and GcIpAddress
records in DNS.
The LdapIpAddress resolves to the domain controllers in the domain. The
GcIpAddress resolves to the Global Catalogs in the forest as
gc._msdcs.forestroot.com.
To manually create the LdapIpAddress, create a new host but leave the name
field blank, give it the IP of the internal interface. Windows 2k barks at
you saying (same as parent folder) is not a valid host name, click OK to
create the record anyway.
Windows 2003 won't bark. It's house-broken out of the box.
To manually create the GcIpAddress, navigate to the _msdcs folder, under it
click the gc folder, then rt-click, create new host, leave the name field
blank, give it the IP of the internal interface. Windows 2k barks at you
saying (same as parent folder) is not a valid host name, click OK to create
the record anyway. Windows 2003 won't bark here either.
4. To stop registration of both NICs, add (if it exists) or alter this reg
entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
On the Edit menu, point to New, and then click DWORD Value to add the
following registry value:
Value name: RegisterDnsARecords
Data type: REG_DWORD
Value data: 0
Then manually create a new host record for the server name in DNS and give
it the IP of the internal interface
5. Right click on Network places, choose properties, in the Advanced menu
item select Advanced settings. Make sure the internal interface is at the
top of the connections pane and File sharing is enabled on the internal
interface.
6. On the outer NIC, disable File and Print Services, Microsoft Client
Service, then go into IP properties, click on Advanced, choose the WINS tab
and disable NetBIOS.
7. On the outer NIC, only put in the internal IP address of the DNS server
(this machine).
8. If you haven't done so, configure a forwarder. You can use 4.2.2.2 if not
sure which DNS to forward to until you've got the DNS address of your ISP.
How to set a forwarder?
Depending on your operating system, choose one of the following articles:
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1
323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
(How to configure a forwarder):
http://support.microsoft.com/d/id?=323380
<==*** Some additional reading ***==>
246804 - How to enable or disable DNS updates in Windows 2000 and in Windows
Server 2003
http://support.microsoft.com/?id=246804
295328 - Private Network Interfaces on a Domain Controller Are Registered in
DNS
[also shows DnsAvoidRegisterRecords LdapIpAddress to avoid reg sameasparent
private IP]:
http://support.microsoft.com/?id=295328
306602 - How to Optimize the Location of a DC or GC That Resides Outside of
a Client's Site [Includes info LdapIpAddress and GcIpAddress information
and the SRV mnemonic values]:
http://support.microsoft.com/?id=306602
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003 (including how-to configure a forwarder):
http://support.microsoft.com/default...b;en-us;825036
291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/default...b;en-us;291382
296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
[Registry Entry]:
http://support.microsoft.com/?id=296379
292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
Controller with Routing and Remote Access and DNS Insta [DNS and RRAS and
unwanted IPs registering]:
http://support.microsoft.com/?id=292822
_________________________
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
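The eight manual steps in Ace's repost, scripted as one PowerShell run. This is an added example, not code from the original thread. It assumes Windows Server 2012 or later (the DnsServer, NetAdapter and DnsClient modules did not exist on the Windows 2000/2003 systems the post discusses), and the interface aliases 'Internal'/'External', the zone name 'corp.example.com' and the addresses are placeholders matching the diagram in the question; step 5 (binding order) has no direct cmdlet on current Windows, so the interface metric is used as the equivalent, which is an assumption on my part. The final block is the check: it lists any A record in the AD zone that points somewhere other than the internal NIC, which is exactly the symptom (external or RRAS addresses leaking into DNS) the steps are meant to prevent.

```powershell
# Added example (not from the original post). Assumes Server 2012+ modules;
# aliases, zone name and addresses below are placeholders for the diagram.
#Requires -RunAsAdministrator

$Internal    = 'Internal'          # NIC on the AD/client network (assumed alias)
$External    = 'External'          # NIC towards the NAT/firewall (assumed alias)
$InternalIP  = '10.1.0.1'          # internal address from the diagram
$Zone        = 'corp.example.com'  # assumed AD DNS zone name
$Forwarder   = '4.2.2.2'           # the placeholder forwarder named in the post
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Step 1: DNS service listens only on the internal address.
$dnsSettings = Get-DnsServerSetting -All
$dnsSettings.ListeningIPAddress = @($InternalIP)
Set-DnsServerSetting -InputObject $dnsSettings

# Step 2: stop Netlogon registering the LdapIpAddress / GcIpAddress
# "(same as parent folder)" records. REG_MULTI_SZ is 'MultiString' here.
New-ItemProperty -Path $NetlogonKey -Name 'DnsAvoidRegisterRecords' `
    -PropertyType MultiString -Value @('LdapIpAddress', 'GcIpAddress') -Force | Out-Null

# Step 3: create those two records by hand, pointing at the internal NIC.
# '@' is the zone apex, i.e. the blank-name record the GUI complains about.
# Assumes _msdcs.<forest> is its own zone (the 2003+ default); if it is only
# a folder inside the parent zone, use -ZoneName $Zone -Name 'gc._msdcs'.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $InternalIP
Add-DnsServerResourceRecordA -ZoneName "_msdcs.$Zone" -Name 'gc' -IPv4Address $InternalIP

# Step 4: stop automatic A-record registration for the server name and add
# the server's own A record manually with the internal address.
New-ItemProperty -Path $NetlogonKey -Name 'RegisterDnsARecords' `
    -PropertyType DWord -Value 0 -Force | Out-Null
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $env:COMPUTERNAME -IPv4Address $InternalIP

# Step 5: prefer the internal interface (lower metric wins; assumed stand-in
# for the old "binding order" dialog).
Set-NetIPInterface -InterfaceAlias $Internal -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $External -AddressFamily IPv4 -InterfaceMetric 50

# Step 6: on the outer NIC, unbind File and Printer Sharing and Client for
# Microsoft Networks, then disable NetBIOS over TCP/IP (option 2 = disable).
Set-NetAdapterBinding -Name $External -ComponentID 'ms_server'   -Enabled $false
Set-NetAdapterBinding -Name $External -ComponentID 'ms_msclient' -Enabled $false
$extIndex = (Get-NetAdapter -Name $External).InterfaceIndex
$extCfg   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $extIndex"
Invoke-CimMethod -InputObject $extCfg -MethodName SetTcpipNetbios `
    -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# Step 7: both NICs use only this server's internal address for DNS.
Set-DnsClientServerAddress -InterfaceAlias $External -ServerAddresses $InternalIP
Set-DnsClientServerAddress -InterfaceAlias $Internal -ServerAddresses $InternalIP

# Step 8: configure a forwarder for everything the DC is not authoritative for.
Add-DnsServerForwarder -IPAddress $Forwarder

# Netlogon re-reads its Parameters key on restart; then re-register.
Restart-Service Netlogon
ipconfig /registerdns | Out-Null

# Check: show the registry values and flag any A record in the zone that
# does not point at the internal NIC (an external/RRAS address that leaked in).
Get-ItemProperty -Path $NetlogonKey | Select-Object DnsAvoidRegisterRecords, RegisterDnsARecords
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $InternalIP } |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

Run the check block on its own periodically (or after each reboot of the DC) rather than only once: a stray A record for the 192.168.1.2 side reappearing is the earliest sign that one of the registry or NIC settings has been undone.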