3

I am a noob with Active Directory, and I know just enough to have gotten our current setup running fine.

We run a web farm with several web servers connecting to a file server for content storage. We are in the process of adding in a second file server and getting the two synched up with DFS-R. That all works great. I've also set up a DFS namespace so all the web servers can talk to the namespace, to make an automatic failover situation possible. That works great, too.

EXCEPT, here's the issue. Our hosting provider has two NICs on each server it provisions. A public adapter, and a private adapter. Before I went down this road of using DFS namespaces, I've always used internal 10.x.x.x IPs to access various servers (old habit, I know I could be using the computer name). Therefore, all traffic before now happily flowed across private adapters.

Now that I'm trying to use DFS namespaces, and therefore non-IP-based naming, I noticed that content being pulled in from our file servers is coming in over the public adapter instead of the private adapter.

The question: How can I force Active Directory DNS to resolve to the private 10.x.x.x IPs instead of the public IPs? Yes, those 10.x.x.x IPs exist in the DNS already.

The base domain and each computer in Active Directory have multiple A (and AAAA records) apiece. Is there a way to have DNS respond with a "preferred" IP?

Ken Randall
  • 143
  • 1
  • 6

1 Answers1

6

You need to modify the DNS settings on the servers hosting the DFS namespace to prevent them from registering their public IPs. In the TCP/IP properties, on the DNS tab, on each of these servers untick the "Register this connection's address in DNS" box for the public NIC. You can manually delete the undesired entries from DNS and run an ipconfig /regsiterdns on the servers to observe if you've successfully prevented them from re-registering.

If any of the servers hosting the DFS namespace are running DNS servers you'll also have to set the "PublishAddresses" REG_SZ value under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" to include only the IP address of the server you want published (since servers with the DNS Server role will publish all their IPv4 addresses by default).

Personally, I'd unbind all of the unnecessary services and clients from the public facing NICs on all your servers, force them all not to register their public addresses in DNS, and try like heck to get all public addresses out of the DNS. I'd configure any services that didn't need to be public not to bind on the public addresses and use the Windows Firewall to prevent all incoming connections except to the services that are explicitly intended to be public facing. (Before anybody asks, I'd do this even if I had a hardware firewall in front of the machines. I'd play like the hardware firewall wasn't even there. I'd also put in outbound rules on the servers' firewalls and the hardware firewall, too, but that's because I'm obsessive. I don't want my boxes talking out to the world unless it's something I've explicitly allowed.)

Finally, if a server isn't supposed to be providing any public services at all I'd disable the public NIC (as @murisonc suggests) and remove the IP address (because, presumably, you don't want to pay for more IPs than you need).

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331