
I have a Windows Server 2008 R2 machine which is a domain controller under Active Directory: Domain Services and I want to also run quite a few things from this one machine. Mostly I'm learning how to hook everything up and don't really care too much about enterprise redundancy stuff.

Anyway, the issues I'm coming across now are that the AD: DS needs a DNS. We're hosting the DNS on this machine as well, on a different IP address. We have 8 addresses facing an internal network in the data center and then 8 addresses facing the Internet.

This is how I'd like to see things set up for each address. Every bullet is a separate address and use for it.

  • Authoritative DNS for websites and internal machines and forwarding service for everything else. OCSP address for the certification authority.
  • IIS for websites
  • VPN

Now, the problem that comes with this is managing which addresses each service needs to listen on or ignore. It seems that the Windows DNS likes to just associate addresses automatically and give them the same domain name as whatever the DNS is running on, because it makes sense in large systems with a dedicated DNS. However, I want this machine to have different domains for almost every IP address and I really don't want the Windows DNS overwriting or remaking deleted A and AAAA records. It even adds the private IP addresses to the DNS, which really don't need to be there.

How can I better manage the different addresses and services? The DNS problem is my top priority right now and then after that, I'm not sure how to resolve the issue of managing multiple domains and the VPN from one machine on different addresses. It seems like since everything wasn't built to be run on one machine, it's going to be difficult. But I'm learning, so it's all interesting.

Any input here would be much appreciated.

edited by MDMarra
asked by Michael J. Gray
    Note that multi-homed domain controllers are not recommended. See for example http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a1583d7f-fa59-4497-89de-666d683e53a0/ or http://social.technet.microsoft.com/Search/en-US?query=%22domain%20controllers%22%20multi-homed&ac=8 – Harry Johnston Jul 15 '12 at 00:08

1 Answer

For DNS, uncheck "Register this connection's addresses in DNS" - that will stop the automatic registration of the IPs in DNS, and you can define the records manually without interference from automatic updating.

[screenshot: "Register this connection's addresses in DNS" checkbox in the adapter's advanced DNS settings]

The DNS service also registers IPs into DNS that it's bound to, since it automatically populates NS records and associated A records; configure the DNS service to only bind to the specific IP that it's used on (server properties -> interface).

As far as getting the IP bindings for the services under control, changing the address that's bound to is different for every application. For instance, for IIS, see this question.


Having all these unrelated applications running within the same OS is probably not ideal; an issue with one application, maintenance needs, or a security breach all have the potential to disrupt every service on the server, and you may have problems with information exposure running all of the public and private services on the same device (for instance, running internal DNS on a publicly accessible authoritative DNS server).

Splitting your servers up based on their functional role minimizes your exposure to service disruptions and security issues. Virtualize!

answered by Shane Madden
  • Note that turning off "register this connection's addresses in DNS" on a domain controller used to break AD. I don't know whether or not this has been fixed. – Harry Johnston Jul 15 '12 at 00:10
  • @HarryJohnston You are quite right that it doesn't like it when I do that. But doing it for the private interface alone seems to work fine. We'll see in a few hours, which is usually the delay before we notice the update. – Michael J. Gray Jul 15 '12 at 00:28
  • Looks like it worked after a disable/enable of the interface after changing the setting! Thanks again. – Michael J. Gray Jul 15 '12 at 03:48
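The answer above describes three clicks-in-the-GUI steps: clear "Register this connection's addresses in DNS" on the interface whose addresses should stay out of DNS, bind the DNS service to one listening address so it stops publishing its other addresses as NS glue, and then create the records you actually want by hand. The following PowerShell script is an added example that is not part of the original answer or of Microsoft's documentation; it does the same three steps with the tools that exist on Server 2008 R2 (WMI and dnscmd). It assumes the private interface is named "Internal" in Network Connections, that the DNS service should listen only on 203.0.113.5, and that the zone is example.com with a web host at 203.0.113.6; all of those names and addresses are placeholders from the RFC 5737 documentation range. Following the comment thread, registration is turned off only on the private interface, not on the interface domain members use to find the DC. Run it elevated on the DC itself.

```powershell
# Added example, not from the original answer. All names and addresses below are
# assumptions for illustration; replace them with the real ones for your server.
$PrivateAdapterName = 'Internal'      # assumed: Network Connections name of the private NIC
$DnsListenAddress   = '203.0.113.5'   # assumed: the one address the DNS service should bind to
$Zone               = 'example.com'   # assumed: authoritative zone hosted on this server
$WebHost            = 'www'           # assumed: hostname for the IIS site
$WebAddress         = '203.0.113.6'   # assumed: address IIS is bound to

# Step 1: clear "Register this connection's addresses in DNS" on the private NIC only.
# Leave it enabled on the interface that domain members use to reach the DC;
# disabling it there is what breaks AD, as noted in the comments above.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$PrivateAdapterName'"
if (-not $adapter) { throw "No adapter named '$PrivateAdapterName' found" }
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

# SetDynamicDNSRegistration(FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled)
# ReturnValue 0 = applied, 1 = applied but a reboot is required.
$result = $cfg.SetDynamicDNSRegistration($false, $false)
switch ($result.ReturnValue) {
    0 { Write-Host "DNS registration disabled on $PrivateAdapterName" }
    1 { Write-Warning "Registration disabled on $PrivateAdapterName; reboot required" }
    default { throw "SetDynamicDNSRegistration failed with code $($result.ReturnValue)" }
}
# Turning registration off does not delete records already registered for the
# private addresses; remove those by hand in the DNS console or with
#   dnscmd /RecordDelete <zone> @ A <private-ip> /f
# Then re-register the remaining interfaces (the comment above reports that a
# disable/enable of the interface was needed before the change took effect).
ipconfig /registerdns | Out-Null

# Step 2: bind the DNS service to a single address (server properties -> Interfaces
# in the GUI). With only one listening address, the automatically generated NS
# record and its glue A record point at that address and nothing else.
dnscmd /ResetListenAddresses $DnsListenAddress | Out-Null
Restart-Service DNS
Write-Host "DNS service now listening on:"
dnscmd /Info | Select-String 'ListenAddress'

# Step 3: create the records you want explicitly. Records added with dnscmd
# without /Aging are static, so scavenging will not remove them and dynamic
# registration will not overwrite them.
dnscmd /RecordAdd $Zone $WebHost A $WebAddress | Out-Null
Write-Host "Added $WebHost.$Zone A $WebAddress"

# Verify against the listening address rather than whatever the resolver picks.
nslookup "$WebHost.$Zone" $DnsListenAddress
```

The WMI call is the scriptable equivalent of the checkbox in the screenshot; `netsh interface ip set dns name="Internal" source=static addr=<dc-ip> register=none` achieves the same result if you prefer netsh. Check `dnscmd /Info` after the restart: if the service still lists every address, the reset did not apply and the NS glue records will keep coming back.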