Windows Tip Sheet
Home Sweet Home Home Home
If you're crazy enough to connect your multihomed DC to a DMZ, here's how to do it.
Multihomed domain controllers can be tricky beasts. I recently had a client
who -- for reasons I won’t go into -- had a multihomed DC connected to
both their intranet and to a DMZ. The DMZ, of course, was separated from the
intranet by a firewall. Half the time you tried to contact this DC, your connection
would fail, which created a great many logon issues.
The problem, of course, is that the DC was registering both its interfaces
with DNS, but one of those interfaces -- the one hooked up to the DMZ -- wasn’t
reachable by intranet clients on the ports they needed, since the firewall sat
between them. Whenever DNS handed a client the DMZ address, the connection
failed; hand it the intranet address, and it worked. Obviously, hooking a DC up to
anything but your intranet is probably asking for trouble of some kind, but
the connectivity issue can be resolved by disabling DNS registration on the
DMZ-connected network adapter. You’ll find this in the TCP/IP properties
of the appropriate adapter, on the Advanced tab: under DNS, clear the checkbox
that registers this connection’s addresses in DNS. Once the DC stops registering
the unreachable IP address in DNS, clients will start using only the reachable
adapter, and all will be well.
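As an added example (not from the article), here is the same fix scripted for a current Windows Server DC with the DnsClient module, run in an elevated session on the DC itself; the adapter alias 'DMZ' is an assumed placeholder. Step 1 doubles as the check for a DC that is multihomed without anyone realizing it, which is the virtual-machine case in the Micro-Tips below.

```powershell
# Added example, not the article's own procedure. Assumes Windows Server 2012 or
# later and that the DMZ-facing adapter's alias is 'DMZ' (placeholder; confirm
# with Get-NetAdapter before running).
$DmzAdapterAlias = 'DMZ'   # ASSUMPTION: replace with the real interface alias

# 1. List every adapter that still registers its address in DNS. More than one
#    on a DC is the multihomed condition the article describes.
$registering = @(Get-DnsClient |
    Where-Object { $_.RegisterThisConnectionsAddress } |
    Select-Object InterfaceAlias, InterfaceIndex)
if ($registering.Count -gt 1) {
    Write-Warning ("{0} adapters register in DNS: {1}" -f $registering.Count,
        ($registering.InterfaceAlias -join ', '))
}

# 2. Turn off dynamic DNS registration on the DMZ adapter only. This is the
#    "Register this connection's addresses in DNS" checkbox on Advanced > DNS.
Set-DnsClient -InterfaceAlias $DmzAdapterAlias -RegisterThisConnectionsAddress $false

# 3. Re-register the remaining (intranet) adapter so its records are refreshed.
Register-DnsClient

# 4. Verify: the DMZ address should no longer be published for the DC's FQDN or
#    for the domain name itself. A hit here means a stale record that still needs
#    to be removed or aged out (the old record lives on until its TTL expires).
$dmzIPs = (Get-NetIPAddress -InterfaceAlias $DmzAdapterAlias -AddressFamily IPv4).IPAddress
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$names  = @($fqdn, $env:USERDNSDOMAIN)

foreach ($name in $names) {
    $aRecords = @((Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress)
    foreach ($ip in $dmzIPs) {
        if ($aRecords -contains $ip) {
            Write-Warning "DMZ address $ip is still published for $name"
        } else {
            Write-Output "OK: $ip is not published for $name"
        }
    }
}
```

The domain-name lookup in step 4 matters because a DC's address is published under the domain name as well as under its own host name, and a stale entry there keeps sending clients to the unreachable interface.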
Of course, I don’t need to detail the potential dangers of having your
company’s security database connected to something like a DMZ or the Internet
-- so proceed with caution!!
More Resources
- Microsoft has something to say about multihomed DCs here.
- Smaller businesses may do something like install ISA Server on a DC, which
leads to the problem I’ve described. Here’s
how to do it properly.
- This is hardly a new problem: Here’s
a blast from the past discussing multihomed browser issues in the NT 4 world.
Remember?
Micro-Tips
One way to create a multihomed DC without realizing it is in virtual computing
environments like VMware or Virtual PC; because it’s so easy to create
virtual machines that have multiple adapters, you may not realize you’ve
created a multihomed DC at all. Be sure to carefully review your virtual machines’
network configuration, since an improper configuration can make the virtual
DC impossible to reach, or at least inconsistent.
About the Author
Don Jones has more than a decade of professional experience in the IT industry. He's the author of more than 30 IT books, including Windows PowerShell: TFM; VBScript, WMI, and ADSI Unleashed; Managing Windows with VBScript and WMI; and many more. He's a top-rated and in-demand speaker at conferences such as Microsoft TechEd and TechMentor, and writes the monthly Windows PowerShell column for Microsoft TechNet Magazine. Don is a multiple-year recipient of Microsoft's Most Valuable Professional (MVP) Award with a specialization in Windows PowerShell. Don's broad IT experience includes work in the financial, telecommunications, software, manufacturing, consulting, training, and retail industries and he's one of the rare IT professionals who can not only "cross the line" between administration and software development, but also between IT workers and IT management.