Thread: DNS Resolution with Multiple Subnets

  1. #1
    Ben Lambert Guest

    DNS Resolution with Multiple Subnets

    Hi,

    I have 3 domain controllers (with DNS) sitting in a DMZ (behind ISA doing
    NAT between the internals and DMZ). I have a few servers that are connected
    to multiple client subnets (3) via multiple NICs.

    The trouble that I am having is having the proper names resolve for the
    proper subnet. I have DHCP assigning a connection specific DNS, but it always
    looks to the primary first for unqualified names. If I have multiple A
    entries for the same server, inevitably the client picks the wrong one and
    can't reach it. Also, to make it more difficult, some of the clients roam
    between the networks.

    I tried installing another DNS server that is connected to the local
    subnets, but was unable to get zone transfers going for some reason.

    What options are there for getting resolving addresses for the right network?

    Thanks!

  2. #2
    Ace Fekay [MVP-DS, MCT] Guest

    re: DNS Resolution with Multiple Subnets

    "Ben Lambert" <BenLambert@discussions.microsoft.com> wrote in message news:3FC8D795-4566-496F-8938-D2E42272AB9D@microsoft.com...

    This subject has come up from time to time. It depends on a number of things. If you have one hostname with multiple IPs, DNS will perform a Round Robin; however, if Subnet Prioritization is enabled (both RR and prioritization are on by default), it will pick an answer closer to its own subnet. If none of them is closest to its own subnet, then it randomly picks one, which is what RR is.

    Now I am also not sure if the record you are trying to resolve is a DC or not. If a DC and it has multiple entries, then you're implying that the DC is multihomed, which is a highly not-recommended practice due to DNS implications and partly for the reasons above.

    Whatever DNS address is the first in the list, it will use that first. However, if the zone is AD integrated, then all DC/DNS servers have the exact same copy of the zone. If you try to introduce an additional DNS (or even use an ISP's for that matter), you are inviting numerous problems with AD.

    What type of server do you have that requires multiple IPs? Are you saying you have a server at all three locations, or are you saying you have one server with multiple IPs that is connected to multiple subnets? Is this a DC?

    If a DC, I will say do not do it, and simply put one IP on it (which is what's recommended), and allow your infrastructure routers to route traffic. Even if it is a member server. Multihoming complicates things, especially with name resolution (hostname and NetBIOS names), and if on a DC, you are inviting AD problems.

    Can you elaborate on the scenario, please?

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

  3. #3
    Ben Lambert Guest

    re: DNS Resolution with Multiple Subnets

    Hi Ace,

    Thank you for your response!

    No, the servers in question are not DCs. They are simply member servers that
    are connected to more than one subnet (VLANs). One is the file server, so
    routing the traffic to it ends up being much slower, the other handles some
    other random bits (WDS, AV, IAS) for the local subnets.

    Since the DC/DNS servers are in a DMZ behind NAT, they only see one IP
    address for queries, so the subnet prioritization doesn't work for them.
    That's why I was hoping to add an additional DNS (only) server that is
    connected to the local subnets so that it would provide the prioritization.

    If that is a viable solution, then I would like to set it up correctly so
    that it integrates with the AD DNS properly. I am trying to avoid having a DC
    connected directly to the subnets (paranoia).

    Thanks.


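The subnet prioritization and round-robin behaviour Ace describes in #2, together with the NAT caveat Ben raises in #3, as an added Python model. This is illustration written for this page, not code from the thread or from Microsoft; the addresses are constructed, and the /24 locality test is an assumption (the real Windows server behaviour depends on its LocalNetPriorityNetMask setting).

```python
"""Model of DNS subnet prioritization (LocalNetPriority) plus round robin.

Added illustration, not code from the thread. Addresses are constructed and
the /24 locality test is an assumption; Windows derives the mask from its
LocalNetPriorityNetMask setting.
"""
import ipaddress
import random

# Constructed sample: one hostname, three A records, one per client VLAN.
FILESERVER_A_RECORDS = ["10.1.0.20", "10.2.0.20", "10.3.0.20"]


def split_by_locality(records, source_ip, netmask="255.255.255.0"):
    """Split answers into those on the same network as the query's source
    address and those elsewhere. The source address is what the DNS server
    sees in the packet, which is the crux once NAT sits in the path."""
    source_net = ipaddress.IPv4Network((source_ip, netmask), strict=False)
    local = [r for r in records if ipaddress.IPv4Address(r) in source_net]
    remote = [r for r in records if ipaddress.IPv4Address(r) not in source_net]
    return local, remote


def prioritize(records, source_ip, netmask="255.255.255.0", rng=None):
    """Order answers the way a server with subnet prioritization does:
    local answers first, the remainder round-robined (rotated by a random
    offset so successive responses cycle through the remote list)."""
    rng = rng or random.Random()
    local, remote = split_by_locality(records, source_ip, netmask)
    if remote:
        k = rng.randrange(len(remote))
        remote = remote[k:] + remote[:k]
    return local + remote


def response_for(records, client_ip, nat_ip=None, **kw):
    """What the client actually gets back. Behind NAT the server sees the
    NAT device's address as the source, so nothing counts as local and the
    order degrades to plain round robin, which is the symptom in the thread."""
    return prioritize(records, nat_ip or client_ip, **kw)


if __name__ == "__main__":
    # Client on VLAN 2 asking a DNS server that sees its real address.
    print(response_for(FILESERVER_A_RECORDS, "10.2.0.55"))
    # Same client, but the DC/DNS in the DMZ only sees the ISA NAT address.
    print(response_for(FILESERVER_A_RECORDS, "10.2.0.55", nat_ip="192.0.2.10"))
```

Run it twice and compare: with the real source address the VLAN 2 record is always first; with the NAT address the same three records come back in a rotating order, so a client reaching for a non-routed VLAN address fails exactly as Ben describes.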

  4. #4
    Ace Fekay [MVP-DS, MCT] Guest

    re: DNS Resolution with Multiple Subnets

    "Ben Lambert" <BenLambert@discussions.microsoft.com> wrote in message news:991747A8-BDCC-48F0-8889-8F01B93F0D2D@microsoft.com...

    It sounds like you are complicating a simple solution. If you decide to use other DNS servers, how have you planned to handle AD records? You can't simply set two DNS addresses on a machine, such as in a location where the first one is a member server, and the second one being the one at corp. It will use the first, and if that doesn't respond it will go to the next one, removing the first from the eligibility resolver list, and if the first one answers with an answer saying it doesn't have an answer, it looks at that as an answer so it doesn't look further. This is the resolver algorithm and cannot be changed.

    The DC/DNS has your AD info, but the member servers will not, unless you set up a Secondary to pull the zone from the corp DC/DNS, but then with a secondary, you cannot make changes on that zone. So I am not sure if you've looked at these limitations.

    So tell me exactly what server has the multiple IP addresses.
    Are you saying that this server is connected to corp and to the other location?
    Is the server with multiple IPs a DC?
    Have you considered using DFS?

    Ace

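Ace's point about the client's DNS server list, as an added Python model that is not part of the thread: a server that does not respond is skipped, but a server that responds with a negative answer ends the lookup, so a hand-populated local DNS listed first hides the AD records held only on the corp DC/DNS. Zone names and addresses are constructed, and the model assumes each server answers authoritatively for the zone (a missing name yields NXDOMAIN rather than a referral or SERVFAIL).

```python
"""Model of the stub-resolver behaviour described in the post above.

Added illustration, not code from the thread. Names and addresses are
constructed. Assumption: every server is authoritative for the zone, so an
unknown name comes back as NXDOMAIN rather than a referral or SERVFAIL.
"""

NXDOMAIN = "NXDOMAIN"
UNREACHABLE = None  # stands for a server that never responds (timeout)

# Constructed zone contents. The corp DC/DNS holds the AD records; the
# hand-populated local DNS holds only the file server's VLAN address.
CORP_DC_DNS = {
    "dc1.corp.example": "10.0.0.10",
    "files.corp.example": "10.0.0.20",
    "_ldap._tcp.dc._msdcs.corp.example": "dc1.corp.example",
}
LOCAL_MEMBER_DNS = {"files.corp.example": "10.2.0.20"}


def resolve(name, servers):
    """servers: list of (label, zone) in the order the client has them
    configured. Returns (answer, label of the server that answered).

    Timeout -> try the next server. Any response, including a negative
    one, ends the lookup: the resolver does not go on to ask the next
    server whether it happens to know the name."""
    for label, zone in servers:
        if zone is UNREACHABLE:
            continue  # no response: move on to the next server
        if name in zone:
            return zone[name], label
        return NXDOMAIN, label  # a negative answer is still an answer
    return None, None  # every configured server timed out


if __name__ == "__main__":
    local_first = [("local", LOCAL_MEMBER_DNS), ("corp", CORP_DC_DNS)]
    # The file server resolves to the VLAN address, which looks like success...
    print(resolve("files.corp.example", local_first))
    # ...but the DC locator record the domain member needs is now gone.
    print(resolve("_ldap._tcp.dc._msdcs.corp.example", local_first))
    # Failover only happens on silence, never on NXDOMAIN.
    print(resolve("_ldap._tcp.dc._msdcs.corp.example",
                  [("dead", UNREACHABLE), ("corp", CORP_DC_DNS)]))
```

The second lookup is the one that breaks domain logons and Group Policy: the local server answers "no such name" and the client never asks the corp DC/DNS that actually holds the record.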


  5. #5
    Ben Lambert Guest

    re: DNS Resolution with Multiple Subnets

    Just to update things,

    I decided to move one of the servers into a sort of DMZ that I had and will
    change anything that is pointing to it. That way it will only have one IP
    address, thus no more DNS issues.

    For the file server, I changed the folder redirection policies to point to
    the NetBIOS name instead of the DNS name, which solves that issue. However,
    changing the folder location (even on the same server) wipes out all the
    user documents. Yeah, that's fun.



  6. #6
    Ace Fekay [MVP-DS, MCT] Guest

    re: DNS Resolution with Multiple Subnets

    "Ben Lambert" <BenLambert@discussions.microsoft.com> wrote in message news:981E561B-4978-4E60-99DB-78D09DDEBF36@microsoft.com...

    Glad to hear you simplified the DNS resolving issue. However, it doesn't make sense about the user docs. If you have the "move files over" setting (going on memory), it should move all the files to the new location when you change it.

    Ace
