
In a multi-tenant environment, we have a client that is running a couple of Active Directory servers on servers that we manage for them. The servers are multi-homed for a primary network which is connected to the client's VLAN and a management network that is connected to a private VLAN (isolated and promiscuous ports). Services like Backups, Anti-Malware, Log Inspection, FIM (File Integrity Monitoring) and PAM services run over this management network, as well as future services. The client is utilizing SharePoint and there are issues with their SharePoint implementation. They have narrowed down the issues to the AD servers and have disabled these management NICs.

Are there any recommended configurations for SharePoint in a multi-homed environment in which it only uses one of the NICs and not both? We have already completed the following on the AD servers:

  • Configured DNS to only listen for DNS queries on the primary NIC
  • Configured the management NIC to not register the connection's addresses in DNS
    • We made sure that there were no DNS entries using the management network's IP addresses in DNS
  • Configured the bindings in the Advanced Settings from the Network Connections window to list the primary NIC first.

Any and all additional recommendations are much appreciated.

Thanks,

  • Multi-homed domain controller? That's a paddlin'. – Ryan Ries Jul 12 '15 at 15:13
  • Why specifically is the DC multi-homed? – joeqwerty Jul 14 '15 at 03:07
  • The reason why the DC is multi-homed is because we manage its security services as well as file and bare metal backups over this management network, as I described above. This is a client server that they are leasing from us and they are using this server as a domain controller (along with other servers in the environment for other purposes, web and SQL for instance). – Deprived.Writer Jul 14 '15 at 17:44

2 Answers


"Issues with SharePoint" is a bit vague to be useful. You may want to narrow this down. Was it DNS? The DC Locator process? Are they using DFS? Is it the authentication process that is failing, or do they have some custom code that is failing?

Multi-homed domain controllers will never work perfectly.

You also need to configure the "PublishAddresses" registry value:

Key: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters  
Value: PublishAddresses  
Value Type: REG_MULTI_SZ  
Registry Value Data: <IP address of primary network adapter>  

Without this setting, your DNS server may be registering both IP addresses. The interesting part of this is that the management adapter address may not always be consistently registered, and since there are multiple IP addresses returned in a query for the domain, the same address is not always selected, so reproducing the symptom may be elusive.

Even with PublishAddresses, it's possible that the domain controller may register itself on the other network adapter. You may sometimes see this if you run:

nltest /dsgetdc:domain.com /server:dcname  

You may notice the Address: registered is sometimes the management adapter.

It may be possible to work around this by running a startup script that runs netsh to disable the management adapter and then re-enable it, but that also may not work reliably 100% of the time.

Another potential area of trouble could be the name servers registered for the zone/delegation in DNS. I would check in DNS to ensure there aren't any occurrences of the IP address of the management adapter for name servers or "same as parent" records. It should also go without saying that the domain controller name should not have both IP addresses registered using an A/AAAA record. I would recommend using a different name for the A record for the management adapter (dcname-mgmt or something like that).

You may also want to check the IP addresses of your management network adapters and confirm they are not associated with the subnets of any existing sites, or any "catch all" subnets (like 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).

Greg Askew
  • Thank you for your response Greg. I will be following up with my client to dig a little deeper, I just figured I would get some initial insight. I realize that a multi-homed domain controller is not ideal and certainly not recommended in many ways but it's something we need to have on our client servers to maintain management and compliance of those managed services. – Deprived.Writer Jul 12 '15 at 19:15
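An added example, not part of Greg Askew's answer or the original page, that applies and audits the settings the answer describes (PublishAddresses, no registration on the management NIC, stale A records, site subnets, the nltest check) from an elevated PowerShell session on the DC; the adapter alias, zone name and both addresses are placeholders.

```powershell
# Added example, not from the answer above: apply and audit the single-address
# settings it describes on a multi-homed DC. Run elevated on the DC itself.
# Placeholders (assumptions): adapter alias, zone name and both addresses.
$PrimaryIp   = '10.10.1.5'       # primary (client VLAN) address
$MgmtIp      = '192.168.250.5'   # management VLAN address
$MgmtAdapter = 'Management'      # InterfaceAlias of the management NIC
$ZoneName    = 'domain.com'      # AD-integrated forward zone

# 1. PublishAddresses: the DNS service then advertises only the primary
#    address in the NS/A records it writes for itself (REG_MULTI_SZ).
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
Set-ItemProperty -Path $dnsParams -Name 'PublishAddresses' -Type MultiString -Value @($PrimaryIp)
Restart-Service -Name DNS

# 2. Keep the management adapter out of dynamic DNS registration entirely.
Set-DnsClient -InterfaceAlias $MgmtAdapter -RegisterThisConnectionsAddress $false

# 3. List every A record in the zone that still carries the management
#    address: the DC's own name, '@' ("same as parent"), delegation glue.
$stale = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $MgmtIp }
$stale | Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } } | Format-Table

# 4. Check that no AD site subnet (including catch-alls like 10.0.0.0/8)
#    covers the management address; if one does, clients in that site can
#    be handed the management side by the DC locator.
function ConvertTo-BitString([string]$Ip) {
    -join ([System.Net.IPAddress]::Parse($Ip).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}
function Test-IpInSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if ($net -notmatch '^\d+(\.\d+){3}$') { return $false }   # IPv4 subnets only
    $n = [int]$bits
    return (ConvertTo-BitString $Ip).Substring(0, $n) -eq (ConvertTo-BitString $net).Substring(0, $n)
}
Import-Module ActiveDirectory
$covering = Get-ADReplicationSubnet -Filter * |
    Where-Object { Test-IpInSubnet -Ip $MgmtIp -Cidr $_.Name }
if ($covering) {
    Write-Warning "Site subnet(s) cover the management address $MgmtIp :"
    $covering | Select-Object Name, Site | Format-Table
}

# 5. Ask the locator which address it hands out (the answer's nltest check).
nltest "/dsgetdc:$ZoneName" "/server:$env:COMPUTERNAME"
```

Step 3 should come back empty and step 5 should report the primary address; anything else points at a record or subnet still to be cleaned up.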

According to my client, they were having an issue with DNS resolving to the other IP address. This was more of a timing issue, as the DNS entries and DNS configurations on the other NIC were changed after the fact. DNS caching needed to be flushed on the other server that was authenticating against the domain controller after the changes were made.