
We're having problems with DNS resolution working properly when each server is on two, non-connected networks (an Ethernet and an InfiniBand).

An example network can be seen by the basic Visio network diagram

When using the FQDN for the AD server, the server may return to the user the 10.1.0.3, which isn't actually reachable. However, only the few internal users have an issue, as all servers have access to both networks. Additionally, while some may suggest turning off dynamic update on the IB side, that is the preferred route for all server traffic.

We're currently using Windows Server 2012 R2, with Active Directory Integrated DNS. We'd prefer not having to move to a dedicated DNS server, but unless there is an available solution, that's our next move.

Let me know what other details would be useful and any assistance is greatly appreciated!

Ward - Trying Codidact
Nate

1 Answer

A couple of thoughts.

First, the easy solution: You have two separate networks here, and two sets of computers, and only one of the two networks is accessible by both sets of computers. Therefore, your Active Directory/DNS domain controllers should cater to the lowest common denominator.

Unbind the DNS service from the InfiniBand adapter, re-order the NIC binding order, uncheck "register this connection in DNS" so that the InfiniBand connector does not automatically register a host record with DNS, and clean up any host records that correspond to the InfiniBand IP address.

AD/DNS does not require or benefit from 48Gb/s of network throughput, and this is the stance I would probably take if I were you, because I do not prefer introducing the unnecessary complexity of maintaining multihomed domain controllers, even if they are technically supportable. You say the InfiniBand network is the "preferred" route, but personally I prefer a route that works for everyone. (Reserve the other network for applications that could actually benefit from all that jaw-dropping bandwidth... I'm sure you dropped that money on InfiniBand for something useful besides authenticating to AD really fast.)


Option 2 (because I know you won't follow my advice in option 1 ;):

Netmask ordering. On Windows 2008+ DNS servers, netmask ordering defaults to "class C" subnets. But since you are using 10.0/16 and 10.1/16 networks, or "class Bs," you are not getting the benefit of netmask ordering from your DNS server. Try changing that setting on your DNS servers with the command Dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF to reflect your IP addressing scheme. (The default is 0x000000FF which corresponds to 255.255.255.0, or 0.0.0.255, depending on how you look at it.)

http://blogs.technet.com/b/askpfeplat/archive/2013/02/18/3553181.aspx

http://davidtosoff.com/2012/03/15/windows-dns-netmask-ordering/


PS - As an aside, if I were you I'd consider going IPv6-only on my InfiniBand network. No sense in spending thousands of dollars on sweet new hardware and then bogging it down with a 30-year-old, obsolete network protocol.

Ryan Ries
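
The effect of the LocalNetPriorityNetMask change from Option 2, shown as an added example that is not part of the original answer: a simplified Python model of netmask ordering that sorts a multihomed host's A records for a given client under the default and the suggested setting. The 10.0.0.3 Ethernet address, both client addresses, and the function names are constructed for illustration, and treating the setting as the complement of the comparison mask is an assumption based on the answer's "0.0.0.255" reading.

```python
import ipaddress

DEFAULT_SETTING = 0x000000FF    # default quoted in the answer
SUGGESTED_SETTING = 0x0000FFFF  # value the answer suggests for /16 networks


def comparison_mask(setting: int) -> int:
    """Bits set in LocalNetPriorityNetMask are ignored when comparing
    addresses, so the mask used for matching is its complement
    (assumption of this model, following the answer's 0.0.0.255 reading)."""
    return ~setting & 0xFFFFFFFF


def order_answers(client_ip: str, records: list[str], setting: int) -> list[str]:
    """Return A records with those on the client's network listed first.
    Simplified: order inside each group is preserved (no round robin)."""
    mask = comparison_mask(setting)
    client_net = int(ipaddress.IPv4Address(client_ip)) & mask
    local, other = [], []
    for addr in records:
        same_net = int(ipaddress.IPv4Address(addr)) & mask == client_net
        (local if same_net else other).append(addr)
    return local + other


# Constructed sample data: 10.1.0.3 is the InfiniBand address from the
# question; 10.0.0.3 is an assumed Ethernet address for the same AD server.
RECORDS = ["10.1.0.3", "10.0.0.3"]
ETHERNET_ONLY_CLIENT = "10.0.5.20"  # constructed, reaches 10.0/16 only
DUAL_HOMED_CLIENT_IB = "10.1.0.7"   # constructed, a server querying over IB

if __name__ == "__main__":
    for label, setting in (("default", DEFAULT_SETTING),
                           ("suggested", SUGGESTED_SETTING)):
        for client in (ETHERNET_ONLY_CLIENT, DUAL_HOMED_CLIENT_IB):
            print(f"{label:9} {client:10} ->",
                  order_answers(client, RECORDS, setting))
```

With the default setting the Ethernet-only client matches neither record on a /24 comparison, so the unreachable InfiniBand address can stay first; with the suggested setting its own /16 is moved to the front while the dual-homed server still gets the InfiniBand address first.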