Question

Benn-8904 asked:

DNS IP priority when a server has two IPs.

Scenario:
We had a Domain Controller that was set up with only one IP (172.16.10.10). We are decommissioning that server and moving that IP to a new DC, which we have set up with two IPs assigned to it: one IP we use for the server (172.16.10.12) and 172.16.10.10 as the DNS IP. We have set up DNS to only use 172.16.10.10.
Internally there are no issues; everything works as it should. But when you look up anything external, like www.google.com.au, it fails, so there is no internet. When we check the firewall, no external DNS queries are going out. But when we add 172.16.10.12 to the DNS adapter, we can see all the queries going out via this address, not the 172.16.10.10 address, and the internet starts working again.
So the question is: does the higher IP take preference over the lower IP when sending DNS traffic out from the server?
We do have other Domain Controllers in a different site that have a higher DNS IP than the server IP, and they have no issues.
We're not sure if it's a DNS/server issue with the IPs assigned or if there is some firewall issue, since 172.16.10.10 was working with no issues before we moved it to the new DC.

windows-dhcp-dns

Please note that the IPs are assigned to the same NIC, so the servers only have one network card in them.

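A diagnostic script for the situation described above, added here and not part of the original thread. It shows which addresses the DNS Server service listens on, how the two addresses on the single NIC are configured (including the SkipAsSource flag, which is what Windows uses to exclude an address from outbound source-address selection and from host-name registration), what the DC name currently resolves to, and whether an external lookup succeeds through each address separately, so the result can be compared with what the firewall logs. It assumes Windows Server 2012 R2 or later with the DnsServer and NetTCPIP modules, and the 172.16.10.10 / 172.16.10.12 addresses from the question.

```powershell
# Diagnostic for a DC with two IPv4 addresses on one NIC (added example).
# Assumed values from the question: 172.16.10.10 is the intended DNS address,
# 172.16.10.12 the host address. Run elevated on the DC itself.
$DnsIp    = '172.16.10.10'
$HostIp   = '172.16.10.12'
$External = 'www.google.com.au'   # external name from the question

# 1. Addresses the DNS Server service actually listens on.
$settings = Get-DnsServerSetting -All
'DNS Server listening on: ' + ($settings.ListeningIPAddress -join ', ')

# 2. How both addresses are configured on the NIC. SkipAsSource = True means
#    Windows will not choose that address as the source for outbound traffic
#    and will not register it for the host name in DNS.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -in $DnsIp, $HostIp } |
    Select-Object IPAddress, InterfaceAlias, PrefixLength, SkipAsSource |
    Format-Table -AutoSize

# 3. Which address(es) the DC's own name resolves to in AD DNS.
$fqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
Resolve-DnsName -Name $fqdn -Type A -DnsOnly |
    Select-Object Name, IPAddress |
    Format-Table -AutoSize

# 4. Test recursion through each address separately. A success through one
#    address and a failure through the other narrows the fault to the DNS
#    service / source-address behaviour rather than the firewall rule set.
foreach ($server in $DnsIp, $HostIp) {
    try {
        $r = Resolve-DnsName -Name $External -Type A -Server $server -DnsOnly -ErrorAction Stop
        '{0}: {1} -> {2}' -f $server, $External, ($r.IPAddress -join ', ')
    } catch {
        '{0}: lookup of {1} failed ({2})' -f $server, $External, $_.Exception.Message
    }
}

# 5. The knob that controls which address the stack prefers as a source.
#    Left commented out: marking the host address SkipAsSource affects all
#    outbound traffic from the server, not only DNS. Test before relying on it.
# Set-NetIPAddress -IPAddress $HostIp -SkipAsSource $true
```

Correlate the timestamps of step 4 with the firewall's outbound DNS log to see which source address each query actually left from.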
DSPatrick answered:

Multi-homing a domain controller will always cause no end of grief for Active Directory DNS.

--please don't forget to upvote and Accept as answer if the reply is helpful--


We have had no issues with having dual IPs assigned to our DCs for the last 10+ years, so we don't know why it's happening to these servers now; it's working fine for the other five DCs we have running.


If you have multiple IP addresses for a domain controller, the name of the domain controller will be resolved to one or the other of the addresses randomly, so expect the unexpected. There's no good reason for this.


Just checking if there's any progress or updates?


198654-capturedns.png (attached screenshot)
These are the settings for another DC, and when we nslookup that DC it will only resolve to the 201/202 address; it doesn't resolve to the server IP at all, and in DNS we only see 201/202 with the DC name. We have never had any issues with this setup.

So the question "Does the higher IP take preference over the lower IP when sending DNS traffic out from the server?" still hasn't been answered.

The settings for this server are like the picture above. When only the DNS IP (172.16.10.10) is ticked, no external DNS queries are seen on the firewall, but when the server IP is ticked, we only see DNS queries from that IP on the firewall. Again, the .10 address was working before being moved to the new server, so we don't know why the .12 address is taking preference; if that doesn't matter, then is there a firewall issue somewhere?


This simply is not a supported configuration and unexpected results are likely. What is the purpose of the multi-homing?


The reason it has been set up this way was to make it easier to move the IPs we use for DNS to new DCs when they are upgraded, i.e. from Server 2008 R2 to Server 2012 R2 to Server 2019, like what we have just done.

Do you have links to the supported way to upgrade DNS to new servers without breaking DNS along the way?

DSPatrick answered:

The simplest method to migrate to new domain controllers is below.

The two prerequisites to introducing the first 2019 or 2022 domain controller are that the domain functional level needs to be 2008 or higher and the older SYSVOL FRS replication needs to have been migrated to DFSR:
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

I'd use the dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019 or 2022 server, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it, also making it a GC (recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), use the dcdiag / repadmin tools to again verify health, and when all is good you can move on to the next one.

If you want to reuse an old address, after migration (and once the old one has been decommissioned) you can change the domain controller's address, then do ipconfig /flushdns, ipconfig /registerdns, and restart the Netlogon service. If the subnet is also changing, then recreate the reverse lookup zone: just right-click Reverse Lookup Zones\New Zone and step through the wizard.


Just checking if there's any progress or updates?
