question

0 Votes
tonitodux asked tonitodux commented

DNS - preferred Ethernet connection over Wi-Fi?

Hi,

I have a situation with Veeam Backup where machines only respond / do backups if they are in the subnet which corresponds to our Ethernet-connected machines. Wi-Fi has another subnet. In DNS Manager we always see that the laptops, for example, are shown to be in this Wi-Fi network, but the fact is that all of the laptops are connected with an Ethernet cable over the docking station. How do I force the clients to report to DNS Manager with the Ethernet connection subnet? I was thinking that I would need to adjust the metric over GPO somehow, like in the screenshot here:

[screenshot: metric.jpg]


Is there another way from DNS manager directly?

Appreciate the answers.

windows-dhcp-dns

0 Votes
LimitlessTechnology-2700 answered tonitodux commented

Hi there,

The DNS server will respond to the query in a round-robin fashion if the DC has multiple NICs registered in DNS. The DNS server will serve the client all the records available for that DC. To prevent this issue, we need to make sure the unwanted NIC address isn't registered in DNS.

Steps to avoid registering unwanted NICs in DNS on a multihomed domain controller
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/unwanted-nic-registered-dns-mulithomed-dc



If the reply is helpful, please Upvote and Accept it as an answer


Hi,

The article has got a point, yes. If I were to accomplish this part, where under the Wi-Fi adapter I have to remove: "On the unwanted NIC TCP/IP Properties, select Advanced > DNS, and then unselect Register this connection's addresses in DNS." - I would then need to do this on all machines in our company. Can this be managed by GPO? It has to be, either by a direct setting or regedit.

This step is not clear; we have four DCs in our environment, and removing three of them on our main DC does not make much sense:
"On the Zone properties, select the Name Servers tab. Along with the FQDN of the DC, you'll see the IP address associated with the DC. Remove the unwanted IP address if it's listed." - I am not sure what this will accomplish.

The truth is that we are currently having issues with DNS and DHCP, receiving error 9005 (DNS operation refused). I will need time to sort it all out and report back here, but I will not forget the thread.

Thank you

0 Votes

Hi,

This article tells us how to disable a NIC on the DC; however, I was asking about clients (laptops). I just want to force DNS Manager to register the cable connection first when a laptop is connected to the docking station and has Wi-Fi turned on. Nothing more, nothing less.

BR

0 Votes

1 Vote
GaryReynolds answered

Hi @tonitodux

The metric will not fix the issue; it is used to define the routing table order, so that the LAN interface takes precedence over the Wi-Fi when both are connected.

There are a number of reasons why clients might not be registering the IP address of their connection. First I would check that the "Register this connection's addresses in DNS" option is enabled on all the network cards. This is what causes the OS to send a DNS update to the DNS server.

[screenshot: register-connection.png]

Check that DHCP is providing the same DNS server on both LAN and Wi-Fi connections.

Also check the configuration of the forward DNS zone to ensure that it has dynamic updates enabled and set to either 'Secure only' or 'Nonsecure and secure'.

[screenshot: zone-properties.png]

From a workstation that has the Wi-Fi IP address in DNS, connect it to the LAN and run the following command:

 ipconfig /registerdns

This will force the network stack to register its IP address with DNS. Check if the DNS entry is updated; if not, delete the record in DNS, run the command again, and see if the record is created.

Gary.

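
The checks in the answer above as one client-side PowerShell script, added here as an example (it is not Gary's code or anything from the original thread). Run it elevated on a docked laptop: it reports each connected adapter's metric, DNS servers and "Register this connection's addresses in DNS" flag, turns registration off on the Wi-Fi adapters only when `-Fix` is given (the per-adapter setting the asker wants to push out; the Group Policy "Dynamic update" setting in the DNS Client template is machine-wide, so a per-adapter change has to be scripted, e.g. as a GPO startup script), re-registers the way `ipconfig /registerdns` does, and then queries DNS directly for the host's A records. The `Wi-?Fi|Wireless` alias pattern, the `-DnsServer` parameter and the `-Fix` switch are assumptions of this example, not details from the post.

```powershell
<#
Added example, not code from the original thread. Run elevated on a docked laptop.
Assumptions (not from the thread): Wi-Fi adapters match $WifiAliasPattern; the DNS
server to query is passed in -DnsServer; without -Fix nothing is changed.
#>
param(
    [switch]$Fix,
    [string]$WifiAliasPattern = 'Wi-?Fi|Wireless',   # assumed naming of the Wi-Fi NICs
    [string]$DnsServer                               # e.g. a DC's IP; assumed
)

function Get-DnsRegistrationReport {
    # One row per connected adapter. InterfaceMetric only orders the routing table;
    # RegisterThisConnectionsAddress is what decides whether an address is registered.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        $idx = $_.ifIndex
        [pscustomobject]@{
            Alias         = $_.InterfaceAlias
            IPv4          = ((Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress -join ',')
            Metric        = (Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4).InterfaceMetric
            RegisterInDns = (Get-DnsClient -InterfaceIndex $idx).RegisterThisConnectionsAddress
            DnsServers    = ((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses -join ',')
        }
    }
}

function Disable-WifiDnsRegistration {
    param([string]$AliasPattern, [switch]$ReportOnly)
    # Same effect as clearing "Register this connection's addresses in DNS" on the
    # adapter's Advanced TCP/IP > DNS tab, but scriptable for a whole fleet.
    Get-DnsClient |
        Where-Object { $_.InterfaceAlias -match $AliasPattern -and $_.RegisterThisConnectionsAddress } |
        ForEach-Object {
            Set-DnsClient -InterfaceIndex $_.InterfaceIndex -RegisterThisConnectionsAddress $false -WhatIf:$ReportOnly
            "Registration disabled on '$($_.InterfaceAlias)'"
        }
}

function Test-HostRegistration {
    param([string]$Server)
    # Ask DNS directly (no cache, no hosts file) for this host's A records and flag
    # any answer that does not match a DHCP-assigned local address as stale.
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $query = @{ Name = $fqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    $local = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -eq 'Dhcp').IPAddress
    Resolve-DnsName @query | Where-Object QueryType -eq 'A' | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Address = $_.IPAddress
            Status  = if ($local -contains $_.IPAddress) { 'current' } else { 'stale: not a local DHCP address' }
        }
    }
}

'--- adapters before ---'
Get-DnsRegistrationReport | Format-Table -AutoSize
Disable-WifiDnsRegistration -AliasPattern $WifiAliasPattern -ReportOnly:(-not $Fix)
Register-DnsClient            # equivalent of 'ipconfig /registerdns'
Start-Sleep -Seconds 5        # give the DNS server a moment to apply the update
'--- A records now in DNS ---'
Test-HostRegistration -Server $DnsServer | Format-Table -AutoSize
```

The first table also answers the asker's later VPN question in the concrete case: a VPN adapter that is up and has `RegisterInDns` set to True registers its VPN-assigned address exactly like the Wi-Fi one does, so it shows up in the same report and can be excluded with the same pattern if that is what the backup requirements call for.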

0 Votes
tonitodux answered

Hi Gary,

Thank you for your answer. This seems like a good suggestion to try out, but I have one question. If the laptops are outside of the company and they connect over VPN, which gives them the 3.0 subnet, and the company Wi-Fi subnet is 4.0 - what happens then? Will they be registered as if they connected over a Wi-Fi connection? What could the possible ramifications be? Not sure.

Dynamic updates were always set to "Secure only", but another thing I have to share is that our aging/scavenging is set to 1 day in both settings. This was set on purpose, but I am not sure if this is helping or dragging some other issues along with it. Our dynamic DNS update credentials were not set on all DCs for over a year now; I managed to see this issue, but I am still receiving "error 9005 (DNS operation refused.)". I have lots of things to try out to bring this DNS infrastructure to work flawlessly. I will report back here, but it will take a while.

Cheers


0 Votes
GaryReynolds answered

Hi @tonitodux

You have a couple of things in the mix here, and you might need to break each one down to determine how things currently work, but more importantly I think you need to define what good looks like.

I'm assuming the primary objective here is the backups. Based on this, I think you need to define your requirements for backups in terms of frequency, scope, valid connection, etc. This will provide a starting point to test from and confirm that the backup solution, network configuration and mode of use can meet these requirements, or you need to change the requirements/expectations to align with the current solution and configuration.

A couple of things to consider:

Transport medium for the backup: do you want to back up machines over LAN, Wi-Fi, or VPN connections? LAN is best, as it provides a reliable two-way connection and can typically handle the additional bandwidth of the backup traffic. Wi-Fi is typically best for client-initiated traffic; due to power-saving features it can be unreliable for server-initiated traffic, and Wi-Fi has limited shared bandwidth, so using it for backup traffic could significantly impact usability for other users, i.e. if you have a client at the limits of AP range and the client is using a low encoding rate, this will consume more bandwidth and increase backup time. VPN has a different set of limitations: the user's internet connection, the fixed bandwidth of the VPN terminator, and software capability. The scope of the backups, frequency and number of users will be factors in deciding which transports will be supported, or whose limitations will be understood.

Both I and LimitlessTechnology-2700 have suggested ways to force or limit which network card in the clients registers its IP address, two different approaches, but you need to define your requirements to decide which approach is correct, i.e. if backups are only to be completed on the LAN, stop the Wi-Fi card from registering, or let both cards register if both transports are supported. Note: to answer your other question, you only need to do LimitlessTechnology-2700's suggestion on the DCs if you have multiple NICs in the DCs; if you only have single NICs, please ignore it, or your DC will not be discoverable.

DNS updates: this is a big one, and is probably the root cause of your problem. There are two options here: let the clients manage their own registrations, or centrally manage them from the DHCP server. It sounds like you might have a bit of both at the moment. The suggestion here is to understand how all these components work together (there are a few, and it's not immediately obvious how they interact) and then test to confirm your understanding is correct. Here are a few articles to get you started: 51810.windows-server-integration-between-dns-and-dhcp.aspx, dd145315(v=ws.10), dd334715(v=ws.10), configure-dns-dynamic-updates-windows-server-2003, and 21724.how-dns-aging-and-scavenging-works.aspx


Once you have stable name resolution, you can look at the backups and whether your requirements can be supported by the various network transport types, and whether you need to limit or change the scope of the backups.

I hope that helps.

Gary.

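
The server-side half of what Gary's last answer asks you to establish, as an added PowerShell example (not code from the answer or the thread). Run on a DC that holds the DHCP and DNS roles, with the DhcpServer and DnsServer modules: it shows whether DHCP or the client owns registrations and which credential DHCP uses for them, which DNS servers the LAN and Wi-Fi scopes hand out (option 6), the zone's dynamic-update mode and aging intervals, and every A record a host currently has, tagged with the DHCP scope its address falls in. The zone name, scope IDs and host name are placeholders assumed by this example, not values from the thread.

```powershell
<#
Added example, not code from Gary's answer or the original thread. Run on a DC
holding the DHCP and DNS roles. Zone name, scope IDs and host name are assumed.
#>
param(
    [string]$ZoneName = 'corp.example',                   # assumed
    [string]$HostName = 'LAPTOP01',                        # assumed
    [string[]]$ScopeIds = @('192.0.2.0', '198.51.100.0')  # assumed LAN / Wi-Fi scope IDs
)
Import-Module DhcpServer, DnsServer

function Get-DhcpRegistrationPolicy {
    # DynamicUpdates = Always: DHCP registers A/PTR for every lease itself.
    # OnClientRequest: the client registers unless it asks DHCP to do it.
    # Never: only the clients' own updates reach DNS.
    $s = Get-DhcpServerv4DnsSetting
    $c = Get-DhcpServerDnsCredential
    [pscustomobject]@{
        DynamicUpdates             = $s.DynamicUpdates
        DeleteDnsRROnLeaseExpiry   = $s.DeleteDnsRROnLeaseExpiry
        UpdateDnsRRForOlderClients = $s.UpdateDnsRRForOlderClients
        NameProtection             = $s.NameProtection
        # With no credential the DHCP service updates DNS as the server's computer
        # account; for DHCP on a DC, Microsoft's guidance is to set a dedicated account.
        DnsUpdateCredential        = if ($c.UserName) { "$($c.DomainName)\$($c.UserName)" } else { 'NOT SET' }
    }
}

function Get-ScopeDnsHandout {
    param([string[]]$Scopes)
    # Option 6 (DNS servers) per scope, falling back to the server-level option, plus
    # any scope-level override of the dynamic-update policy. LAN and Wi-Fi should match.
    $serverOpt = (Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue).Value
    foreach ($id in $Scopes) {
        $scopeOpt = (Get-DhcpServerv4OptionValue -ScopeId $id -OptionId 6 -ErrorAction SilentlyContinue).Value
        $effective = if ($scopeOpt) { $scopeOpt } else { $serverOpt }
        [pscustomobject]@{
            ScopeId        = $id
            DnsServers     = ($effective -join ',')
            Source         = if ($scopeOpt) { 'scope' } else { 'server' }
            DynamicUpdates = (Get-DhcpServerv4DnsSetting -ScopeId $id).DynamicUpdates
        }
    }
}

function Get-ZoneUpdateAndAging {
    param([string]$Zone)
    $z = Get-DnsServerZone -Name $Zone
    $a = Get-DnsServerZoneAging -Name $Zone
    # A record becomes scavengeable after NoRefresh + Refresh. Windows clients re-register
    # every 24 h by default, so 1 day + 1 day tolerates only one missed refresh
    # (a laptop that is off for a long weekend) before its record can be deleted.
    [pscustomobject]@{
        Zone              = $z.ZoneName
        DynamicUpdate     = $z.DynamicUpdate        # Secure / NonsecureAndSecure / None
        AgingEnabled      = $a.AgingEnabled
        NoRefreshInterval = $a.NoRefreshInterval
        RefreshInterval   = $a.RefreshInterval
        ScavengeServers   = ($a.ScavengeServers -join ',')
    }
}

function Test-InScope {
    param([string]$Ip, $Scope)
    # True when $Ip lies in the scope's subnet (ScopeId masked with SubnetMask).
    $addr = ([ipaddress]$Ip).GetAddressBytes()
    $net  = ([ipaddress]$Scope.ScopeId).GetAddressBytes()
    $mask = ([ipaddress]$Scope.SubnetMask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($addr[$i] -band $mask[$i]) -ne ($net[$i] -band $mask[$i])) { return $false }
    }
    return $true
}

function Get-HostRecordsByScope {
    param([string]$Zone, [string]$Name, [string[]]$Scopes)
    # Every A record the host has, tagged with the DHCP scope its address belongs to,
    # so a Wi-Fi-scope record on a docked machine stands out immediately.
    $scopeObjs = foreach ($id in $Scopes) { Get-DhcpServerv4Scope -ScopeId $id -ErrorAction SilentlyContinue }
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip    = $_.RecordData.IPv4Address.IPAddressToString
            $match = $scopeObjs | Where-Object { Test-InScope -Ip $ip -Scope $_ } | Select-Object -First 1
            [pscustomobject]@{
                Host      = $_.HostName
                Address   = $ip
                Scope     = if ($match) { $match.ScopeId.ToString() } else { 'outside listed scopes' }
                Timestamp = $_.Timestamp   # empty for static records, which scavenging never touches
            }
        }
}

'--- DHCP registration policy ---';         Get-DhcpRegistrationPolicy | Format-List
'--- DNS servers handed out per scope ---'; Get-ScopeDnsHandout -Scopes $ScopeIds | Format-Table -AutoSize
'--- zone dynamic update / aging ---';      Get-ZoneUpdateAndAging -Zone $ZoneName | Format-List
"--- A records for $HostName ---";          Get-HostRecordsByScope -Zone $ZoneName -Name $HostName -Scopes $ScopeIds | Format-Table -AutoSize
```

Read the four outputs together: a client-owned registration (`DynamicUpdates` of `OnClientRequest`, or `Never`) combined with a `Secure` zone means the record is owned by the computer account that created it, so a later update from DHCP, or from a different account, is refused; a DHCP-owned registration (`Always`) with `DnsUpdateCredential` reading `NOT SET` means the DHCP server is writing as its own computer account. Establishing which of the two you are actually running is the "bit of both" question the answer raises, and the last table shows the concrete result for one laptop.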