Windows Tip Sheet

Home Sweet Home Home Home

If you're crazy enough to connect your multihomed DC to a DMZ, here's how to do it.

• By Don Jones
• 12/21/2005

The problem, of course, is that the DC was registering both its interfaces with DNS, but one of those interfaces -- the one hooked up to the DMZ -- wasn’t reachable by clients on the appropriate ports. Obviously, hooking a DC up to anything but your intranet is probably asking for trouble of some kind, but the connectivity issue can be resolved by disabling DNS registration on the DMZ-connected network adapter. You’ll find this in the TCP/IP properties of the appropriate adapter, on the Advanced tab. Once the DC stops registering the unreachable IP address in DNS, clients will start using only the reachable adapter, and all will be well.

Of course, I don’t need to detail the potential dangers of having your company’s security database connected to something like a DMZ or the Internet -- so proceed with caution!!

More Resources

• Microsoft has something to say about multihomed DCs here.
• Smaller businesses may do something like install ISA Server on a DC, which leads to the problem I’ve described. Here’s how to do it properly.
• This is hardly a new problem: Here’s a blast from the past discussing multihomed browser issues in the NT 4 world. Remember?

Micro-Tips
One way to create a multihomed DC without realizing it is in virtual computing environments like VMware or Virtual PC; because it’s so easy to create virtual machines that have multiple adapters, you may not realize you’ve created a multihomed DC at all. Be sure to carefully review your virtual machines’ network configuration, since an improper configuration can make the virtual DC impossible to reach, or at least inconsistent.