Re: [ActiveDir] Multihomed Domain Controllers
Since ...uh.. you know ..me.. and uh... well... I hang in the 'hood at times..what can I say?

Honestly in the 2k3/XP era I can't say I have browse master issues anyway...

Brian Desmond wrote:

I don’t know anyone who goes in network neighborhood. My last AD gig had 90K windtel devices and 500K users at almost 800 WAN locations – going in nethood was a pretty silly idea…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 13, 2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Brian,

Could you please explain to me what you mean by "save for the browsing situation, but who uses that anyway?" Are you saying that your networks don't have browse masters? How do people find resources then?

Thanks.
RH

___

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brian Desmond
Sent: 13 July, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

I’ve got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration.

Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure.

You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly !)

Points / clarifications / additional Qs

a) DNS multihomed issues
Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues
Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)
But would Browser issues affect AD operations - I'm talking about replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.

d) Backup
Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration ?

Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
RE: [ActiveDir] Multihomed Domain Controllers
Hi, I'm not saying that teaming should not be used... I'm saying that teaming in load balancing mode should not be used as MS does not support it. Teaming in fault tolerance mode can be used for this. More info can be found here: http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp_2.mspx search for "load balancing" Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : From: [EMAIL PROTECTED] on behalf of Freddy HARTONO Sent: Thu 2006-07-13 17:09 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Multihomed Domain Controllers Hi Jorge Aha, does that happen to be a link somewhere on the net that I can reference to? Personally for DC I never find a need for adapter teaming, if the nic dies and I get an alert from the monitoring server that's all good for me - clients should failover elsewhere anyway... So any bullets against teaming would be excellent! Thank you and have a splendid day! 
Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, July 13, 2006 9:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Multihomed Domain Controllers In the "Windows Server System Reference Architecture" (WSSRA) Microsoft states: "At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues" (Taken from the Directory Services Blueprint - page 29) >>>-Original Message- >>>From: [EMAIL PROTECTED] >>>[mailto:[EMAIL PROTECTED] On Behalf Of Paul >>>Williams >>>Sent: Thursday, July 13, 2006 13:50 >>>To: ActiveDir@mail.activedir.org >>>Subject: Re: [ActiveDir] Multihomed Domain Controllers >>> >>>We team everything. It seems stupid not too. Use fault tolerance >>>only (as opposed to load balancing) and you've got additional >>>resilliency. FT works fine with different paths, e.g. different >>>switches. >>> >>> >>>--Paul >>> >>>- Original Message - >>>From: "Freddy HARTONO" <[EMAIL PROTECTED]> >>>To: >>>Sent: Thursday, July 13, 2006 2:02 AM >>>Subject: RE: [ActiveDir] Multihomed Domain Controllers >>> >>> >>>> Don't mean to hijack this thread but on a similar note - whats the >>>> downside for installing DCs with Adapter Teaming? >>>> >>>> All I know is that when adapter teaming is enabled, setting up WINS >>>> service will pops and error message (which can be ignored)...but >>>> anything else? I've always been a firm believer of one nic and no >>>> teaming... >>>> >>>> Any comments? >>>> >>>> >>>> Thank you and have a splendid day! 
>>>> >>>> Kind Regards, >>>> >>>> Freddy Hartono >>>> Group Support Engineer >>>> InternationalSOS Pte Ltd >>>> mail: [EMAIL PROTECTED] >>>> phone: (+65) 6330-9785 >>>> >>>> >>>> -Original Message- >>>> From: [EMAIL PROTECTED] >>>> [mailto:[EMAIL PROTECTED] On Behalf Of >>>Susan Bradley, >>>> CPA aka Ebitz - SBS Rocks [MVP] >>>> Sent: Wednesday, July 12, 2006 11:41 PM >>>> To: ActiveDir@mail.activedir.org >>>> Subject: Re: [ActiveDir] Multihomed Domain Controllers >>>> >>>> In the year 2006.. I hope we are still not making host >>>file entries on >>>> servers and workstations :-) >>>> >>>> Peter Johnson wrote: >>>> >>>>> You might want to then create entries in the host file on >>>the backup >>>>> server so that you guarantee that the backup server >>>always uses the >>>>> right network connection. >>>>> >>>>> >>>>> >>>>> >>>- >>>- >>>>> -- >>>>> >>>>> *From:* [EMAIL PROTECTED] >>>>> [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert >>>>> Rutherford >>>>> *Sent:* 12
RE: [ActiveDir] Multihomed Domain Controllers
I don’t know anyone who goes in network neighborhood. My last AD gig had 90K windtel devices and 500K users at almost 800 WAN locations – going in nethood was a pretty silly idea…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 13, 2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Brian,

Could you please explain to me what you mean by "save for the browsing situation, but who uses that anyway?" Are you saying that your networks don't have browse masters? How do people find resources then?

Thanks.
RH

___

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Brian Desmond
Sent: 13 July, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

I’ve got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration.

Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure.

You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly !)

Points / clarifications / additional Qs

a) DNS multihomed issues
Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues
Several things in MS KB about this and fixes (including hacking a registry if I remember correctly)
But would Browser issues affect AD operations - I'm talking about replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.

d) Backup
Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration ?

Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have
RE: [ActiveDir] Multihomed Domain Controllers
Hi Jorge Aha, does that happen to be a link somewhere on the net that I can reference to? Personally for DC I never find a need for adapter teaming, if the nic dies and I get an alert from the monitoring server that's all good for me - clients should failover elsewhere anyway... So any bullets against teaming would be excellent! Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, July 13, 2006 9:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Multihomed Domain Controllers In the "Windows Server System Reference Architecture" (WSSRA) Microsoft states: "At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues" (Taken from the Directory Services Blueprint - page 29) >>>-Original Message- >>>From: [EMAIL PROTECTED] >>>[mailto:[EMAIL PROTECTED] On Behalf Of Paul >>>Williams >>>Sent: Thursday, July 13, 2006 13:50 >>>To: ActiveDir@mail.activedir.org >>>Subject: Re: [ActiveDir] Multihomed Domain Controllers >>> >>>We team everything. It seems stupid not too. Use fault tolerance >>>only (as opposed to load balancing) and you've got additional >>>resilliency. FT works fine with different paths, e.g. different >>>switches. >>> >>> >>>--Paul >>> >>>- Original Message - >>>From: "Freddy HARTONO" <[EMAIL PROTECTED]> >>>To: >>>Sent: Thursday, July 13, 2006 2:02 AM >>>Subject: RE: [ActiveDir] Multihomed Domain Controllers >>> >>> >>>> Don't mean to hijack this thread but on a similar note - whats the >>>> downside for installing DCs with Adapter Teaming? >>>> >>>> All I know is that when adapter teaming is enabled, setting up WINS >>>> service will pops and error message (which can be ignored)...but >>>> anything else? 
I've always been a firm believer of one nic and no >>>> teaming... >>>> >>>> Any comments? >>>> >>>> >>>> Thank you and have a splendid day! >>>> >>>> Kind Regards, >>>> >>>> Freddy Hartono >>>> Group Support Engineer >>>> InternationalSOS Pte Ltd >>>> mail: [EMAIL PROTECTED] >>>> phone: (+65) 6330-9785 >>>> >>>> >>>> -Original Message- >>>> From: [EMAIL PROTECTED] >>>> [mailto:[EMAIL PROTECTED] On Behalf Of >>>Susan Bradley, >>>> CPA aka Ebitz - SBS Rocks [MVP] >>>> Sent: Wednesday, July 12, 2006 11:41 PM >>>> To: ActiveDir@mail.activedir.org >>>> Subject: Re: [ActiveDir] Multihomed Domain Controllers >>>> >>>> In the year 2006.. I hope we are still not making host >>>file entries on >>>> servers and workstations :-) >>>> >>>> Peter Johnson wrote: >>>> >>>>> You might want to then create entries in the host file on >>>the backup >>>>> server so that you guarantee that the backup server >>>always uses the >>>>> right network connection. >>>>> >>>>> >>>>> >>>>> >>>- >>>- >>>>> -- >>>>> >>>>> *From:* [EMAIL PROTECTED] >>>>> [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert >>>>> Rutherford >>>>> *Sent:* 12 July 2006 12:57 >>>>> *To:* ActiveDir@mail.activedir.org >>>>> *Subject:* RE: [ActiveDir] Multihomed Domain Controllers >>>>> >>>>> >>>>> >>>>> No issues, if you... >>>>> >>>>> >>>>> >>>>> Go to the TCP/IP settings of the backup network card, >>>click advanced, >>>>> goto the DNS tab and untick register the connection in DNS. >>>>> >>>>> >>>>> >>>>> Cheers, >>>>> >>>>> >>>>> >>>>> Rob >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >&g
RE: [ActiveDir] Multihomed Domain Controllers
You prolly have the outdated one, Jorge :)

I've written and read materials that speak to MS actively supporting NIC Teaming on DCs. I believe that the latest WSSRA DC Build Guide has NIC Teaming in it.

Generally, though, my designs tend to preach simplicity and NIC Team on DC and I fail to see the necessity of doing this on DCs unless you only manage single-DC infrastructures.

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Almeida Pinto, Jorge de
Sent: Thu 7/13/2006 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

In the "Windows Server System Reference Architecture" (WSSRA) Microsoft states:

"At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues"

(Taken from the Directory Services Blueprint - page 29)

>>>-----Original Message-----
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] On Behalf Of
>>>Paul Williams
>>>Sent: Thursday, July 13, 2006 13:50
>>>To: ActiveDir@mail.activedir.org
>>>Subject: Re: [ActiveDir] Multihomed Domain Controllers
>>>
>>>We team everything. It seems stupid not to. Use fault
>>>tolerance only (as opposed to load balancing) and you've got
>>>additional resiliency. FT works fine with different paths,
>>>e.g. different switches.
>>>
>>>
>>>--Paul
>>>
>>>----- Original Message -----
>>>From: "Freddy HARTONO" <[EMAIL PROTECTED]>
>>>To:
>>>Sent: Thursday, July 13, 2006 2:02 AM
>>>Subject: RE: [ActiveDir] Multihomed Domain Controllers
>>>
>>>
>>>> Don't mean to hijack this thread but on a similar note - what's the
>>>> downside for installing DCs with Adapter Teaming?
>>>> >>>> All I know is that when adapter teaming is enabled, setting up WINS >>>> service will pops and error message (which can be ignored)...but >>>> anything else? I've always been a firm believer of one nic and no >>>> teaming... >>>> >>>> Any comments? >>>> >>>> >>>> Thank you and have a splendid day! >>>> >>>> Kind Regards, >>>> >>>> Freddy Hartono >>>> Group Support Engineer >>>> InternationalSOS Pte Ltd >>>> mail: [EMAIL PROTECTED] >>>> phone: (+65) 6330-9785 >>>> >>>> >>>> -Original Message- >>>> From: [EMAIL PROTECTED] >>>> [mailto:[EMAIL PROTECTED] On Behalf Of >>>Susan Bradley, >>>> CPA aka Ebitz - SBS Rocks [MVP] >>>> Sent: Wednesday, July 12, 2006 11:41 PM >>>> To: ActiveDir@mail.activedir.org >>>> Subject: Re: [ActiveDir] Multihomed Domain Controllers >>>> >>>> In the year 2006.. I hope we are still not making host >>>file entries on >>>> servers and workstations :-) >>>> >>>> Peter Johnson wrote: >>>> >>>>> You might want to then create entries in the host file on >>>the backup >>>>> server so that you guarantee that the backup server >>>always uses the >>>>> right network connection. >>>>> >>>>> >>>>> >>>>> >>>- >>>- >>>>> -- >>>>> >>>>> *From:* [EMAIL PROTECTED] >>>>> [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert >>>>> Rutherford >>>>> *Sent:* 12 July 2006 12:57 >>>>> *To:* ActiveDir@mail.activedir.org >>>>> *Subject:* RE: [ActiveDir] Multihomed Domain Controllers >>>>> >>>>> >>>>> >>>>> No issues, if you... >>>>> >>>>> >>>>> >>>>> Go to the TCP/IP settings of the backup network card, >>>click advanced, >>>>> goto the DNS tab and untick register the connection in DNS. >>>>> >>>>> >>>>> >>>>> Cheers, >>>>> >>>>&
Re: [ActiveDir] Multihomed Domain Controllers
Yes, I can imagine MSFT using that as a "get out of jail card" as that is specifying "NLB teaming" and not FT teaming. FT teaming is fine as you're only using one NIC at any given time.

--Paul

----- Original Message -----
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
To:
Sent: Thursday, July 13, 2006 2:54 PM
Subject: RE: [ActiveDir] Multihomed Domain Controllers

In the "Windows Server System Reference Architecture" (WSSRA) Microsoft states:

"At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues"

(Taken from the Directory Services Blueprint - page 29)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, July 13, 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

We team everything. It seems stupid not to. Use fault tolerance only (as opposed to load balancing) and you've got additional resiliency. FT works fine with different paths, e.g. different switches.

--Paul

----- Original Message -----
From: "Freddy HARTONO" <[EMAIL PROTECTED]>
To:
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Don't mean to hijack this thread but on a similar note - what's the downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up WINS service will pop an error message (which can be ignored)...but anything else? I've always been a firm believer of one nic and no teaming...

Any comments?

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

----------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

----------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ?

Many Thanks,

---

Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

----------

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guid
RE: [ActiveDir] Multihomed Domain Controllers
Really the advantage is that the server can not easily get to the spyware to begin with. The list is basically a list of spyware and adware servers on the internet, but the addresses are all pointed at 127.0.0.1. Here's a few lines :

127.0.0.1 007arcadegames.com
127.0.0.1 101com.com
127.0.0.1 101order.com
127.0.0.1 123banners.com
127.0.0.1 123found.com

If you hit a site that wants to go to one of these servers (with a pop-up for example) the server tries to talk back to itself. If it is running on a web server, it is especially funny. I had a client once who thought his web site had been hacked. He was surfing the web from one of his web servers, and every time he went to cnn.com it popped up a copy of HIS site on the screen. It took me a while to explain to him through the laughter what was happening. I think I finally convinced him to stop surfing from his server farm.

Once the spyware is on the server, it is way too late for this kind of defense. At that point you are going to have to go to some active process to get rid of it.

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Thursday, July 13, 2006 1:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Can't your spyware just change/delete the host entries again? Or use an IP address (or do you configure static routes for the subnets that the IP addresses reside in that those host entries point to?)

Has this tactic ever helped anyone in a spyware-on-the-server situation? (except possibly in a SOHO situation where the server's been treated like a desktop?)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!

: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Kevin Brunson
: Sent: Thursday, 13 July 2006 3:00 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Multihomed Domain Controllers
:
: I have definitely found the hosts file to be useful on servers to keep
: them from EVER getting to spyware sites. This guy has a great list
:
: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
:
: Just cut and paste into the hosts file and you are good to go. I
: scripted it for all of the servers I deal with. But I guess this is
: getting pretty far OT: :)
: Kevin
:
: -----Original Message-----
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
: CPA aka Ebitz - SBS Rocks [MVP]
: Sent: Wednesday, July 12, 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Multihomed Domain Controllers
:
: In the year 2006.. I hope we are still not making host file entries on
: servers and workstations :-)
:
: Peter Johnson wrote:
:
: > You might want to then create entries in the host file on the backup
: > server so that you guarantee that the backup server always uses the
: > right network connection.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
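An added example, not from any post in this thread: a small Python audit of a hosts file that separates the 127.0.0.1 sinkhole entries Kevin describes from the backup-network pins Peter Johnson suggests, flags everything else, and fingerprints the mappings so the kind of change Ken asks about becomes visible. The backup subnet, the `.corp.example` names and the sample file are assumptions constructed for illustration.

```python
import hashlib
import ipaddress

# Assumptions for this example (not from the thread): the backup LAN is
# 10.99.0.0/24, and dc01/fs01 are the servers the backup host pins to it.
BACKUP_NET = ipaddress.ip_network("10.99.0.0/24")
PINNED = {"dc01.corp.example", "fs01.corp.example"}
PROTECTED_SUFFIX = ".corp.example"  # internal names that must never be sinkholed

# Constructed sample hosts file; the first three blocked names are the ones
# quoted in the post above, everything else is made up.
SAMPLE_HOSTS = """\
# constructed sample, not a real server's file
127.0.0.1       localhost
127.0.0.1       007arcadegames.com
127.0.0.1       101com.com  101order.com   # two names on one line
10.99.0.11      dc01.corp.example          # backup-LAN pin
192.168.1.12    fs01.corp.example          # pin points at the client LAN
127.0.0.1       intranet.corp.example      # internal name sinkholed
203.0.113.50    update.vendor.example      # redirect nobody approved
10.99.0.99      dc01.corp.example          # second, different answer
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Return (entries, malformed); entries are (lineno, ip, name) tuples."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comment, split on whitespace
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:  # an address with no host name
            malformed.append(lineno)
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries, malformed


def audit(text):
    """Return (sinkholed_count, findings); findings are (lineno, kind, name)."""
    entries, malformed = parse_hosts(text)
    findings = [(n, "malformed", "") for n in malformed]
    first_seen, sinkholed = {}, 0
    for lineno, ip, name in entries:
        if name in first_seen and first_seen[name] != ip:
            # Same name, two different addresses: the file is ambiguous.
            findings.append((lineno, "conflict", name))
            continue
        first_seen.setdefault(name, ip)
        if ip.is_loopback or ip.is_unspecified:
            if name == "localhost":
                continue
            if name in PINNED or name.endswith(PROTECTED_SUFFIX):
                findings.append((lineno, "protected-name-sinkholed", name))
            else:
                sinkholed += 1  # ordinary blocklist entry
        elif name in PINNED:
            if ip not in BACKUP_NET:
                findings.append((lineno, "pin-outside-backup-net", name))
        else:
            # A real address for a name nobody approved pinning.
            findings.append((lineno, "unexpected-redirect", name))
    return sinkholed, sorted(findings)


def fingerprint(text):
    """SHA-256 over the normalised mappings: comment and spacing edits do not
    change it, but any added, removed or re-pointed entry does."""
    entries, _ = parse_hosts(text)
    canon = sorted(f"{ip} {name}" for _, ip, name in entries)
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


if __name__ == "__main__":
    count, found = audit(SAMPLE_HOSTS)
    print(f"{count} sinkholed names, baseline {fingerprint(SAMPLE_HOSTS)[:16]}")
    for lineno, kind, name in found:
        print(f"line {lineno}: {kind} {name}")
```

Storing the fingerprint off the server and comparing it on a schedule turns a silent edit of the hosts file into something that can be alerted on.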
RE: [ActiveDir] Multihomed Domain Controllers
In the "Windows Server System Reference Architecture" (WSSRA) Microsoft states: "At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues" (Taken from the Directory Services Blueprint - page 29) >>>-Original Message- >>>From: [EMAIL PROTECTED] >>>[mailto:[EMAIL PROTECTED] On Behalf Of >>>Paul Williams >>>Sent: Thursday, July 13, 2006 13:50 >>>To: ActiveDir@mail.activedir.org >>>Subject: Re: [ActiveDir] Multihomed Domain Controllers >>> >>>We team everything. It seems stupid not too. Use fault >>>tolerance only (as opposed to load balancing) and you've got >>>additional resilliency. FT works fine with different paths, >>>e.g. different switches. >>> >>> >>>--Paul >>> >>>----- Original Message - >>>From: "Freddy HARTONO" <[EMAIL PROTECTED]> >>>To: >>>Sent: Thursday, July 13, 2006 2:02 AM >>>Subject: RE: [ActiveDir] Multihomed Domain Controllers >>> >>> >>>> Don't mean to hijack this thread but on a similar note - whats the >>>> downside for installing DCs with Adapter Teaming? >>>> >>>> All I know is that when adapter teaming is enabled, setting up WINS >>>> service will pops and error message (which can be ignored)...but >>>> anything else? I've always been a firm believer of one nic and no >>>> teaming... >>>> >>>> Any comments? >>>> >>>> >>>> Thank you and have a splendid day! >>>> >>>> Kind Regards, >>>> >>>> Freddy Hartono >>>> Group Support Engineer >>>> InternationalSOS Pte Ltd >>>> mail: [EMAIL PROTECTED] >>>> phone: (+65) 6330-9785 >>>> >>>> >>>> -Original Message- >>>> From: [EMAIL PROTECTED] >>>> [mailto:[EMAIL PROTECTED] On Behalf Of >>>Susan Bradley, >>>> CPA aka Ebitz - SBS Rocks [MVP] >>>> Sent: Wednesday, July 12, 2006 11:41 PM >>>> To: ActiveDir@mail.activedir.org >>>> Subject: Re: [ActiveDir] Multihomed Domain Controllers >>>> >>>> In the year 2006.. 
I hope we are still not making host >>>file entries on >>>> servers and workstations :-) >>>> >>>> Peter Johnson wrote: >>>> >>>>> You might want to then create entries in the host file on >>>the backup >>>>> server so that you guarantee that the backup server >>>always uses the >>>>> right network connection. >>>>> >>>>> >>>>> >>>>> >>>- >>>- >>>>> -- >>>>> >>>>> *From:* [EMAIL PROTECTED] >>>>> [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert >>>>> Rutherford >>>>> *Sent:* 12 July 2006 12:57 >>>>> *To:* ActiveDir@mail.activedir.org >>>>> *Subject:* RE: [ActiveDir] Multihomed Domain Controllers >>>>> >>>>> >>>>> >>>>> No issues, if you... >>>>> >>>>> >>>>> >>>>> Go to the TCP/IP settings of the backup network card, >>>click advanced, >>>>> goto the DNS tab and untick register the connection in DNS. >>>>> >>>>> >>>>> >>>>> Cheers, >>>>> >>>>> >>>>> >>>>> Rob >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> *Robert Rutherford* >>>>> *QuoStar Solutions Limited* >>>>> >>>>> >>>>> The Enterprise Pavilion >>>>> Fern Barrow >>>>> Wallisdown >>>>> Poole >>>>> Dorset >>>>> BH12 5HH >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> *T:* >>>>> >>>>> >>>>> >>>>> +44 (0) 8456 440
Re: [ActiveDir] Multihomed Domain Controllers
I think the term is "BAN" in this case. ;-)

On 7/13/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Well, I don't think the driving factor is the size of the IT operation in terms of # DC's necessarily.

In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x Sharepoint), the factors are

My "client" facing network is 100 Mbs Ethernet
Major vendor's servers have come with inbuilt dual GbE NICs for the last 3+ years
GbE switches are now ridiculously cheap
Backup software supports this configuration (some vendors recommend this config, as noted by other replies)
Uniform configuration, I backup Exchange, file servers, etc using this configuration.

So I guess you could look at as a "poor man's SAN".

From my perspective it seems a reasonable thing to do.

---

Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... she dreams of flowers in a field of sunny bungalows"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kurt Falde
Sent: 12 July 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

So how many DC's do you have? What is your DIT size like to warrant going through all this trouble? Are there other applications that you need to backup on the DC's that are requiring full backups of all your DC's. With most environments getting the system state from a DC/GC in each domain should be enough to allow you to do whatever authoritative restores that you need. Now if you have other apps that you need to do a large data backups of then this may be required. Yes you can do multiple nic's on DC's and quite a few organizations do however it definitely would not fall under best practices for Domain Controllers.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

[deleted]

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Multihomed Domain Controllers
Yeah, I figured you'd have a different experience with nic teaming. :)

On 7/13/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

I don't deploy any servers which are connected to a monitoring system that calls me at night or calls my manager without fault-tolerant NIC teaming. Inevitably it will be my fault when the network team crashes a supervisor in a 6509 or a line card dies. I have no second thoughts about using a $250 switchport as a failover port. Some shops I've found the network guys expect this from my part so it's not their problem when a NIC dies or a cable gets screwed up or whatever.

Conversely I've dealt with network teams and systems people who haven't the faintest clue how teaming works and go ballistic when they hear it. It won't cause spanning tree issues (most popular network team myth I've heard), it doesn't require setting up an etherchannel (you can't have an etherchannel span switches), and it doesn't require four IOS commands and three TAC calls to make it work. It also doesn't crash switches, create broadcast loops, flood segments, etc.

I've deployed thousands of network connections with HPQ, Broadcom, and Intel teaming software and have not had issues yet. On clusters I always team across the onboard and PCI NIC for the redundancy. DCs and other stuff without a PCI NIC I just team the two ports for switch fault tolerance. This is also an easy way to see if your network people didn't follow directions on the cross connects – if the team negotiates a 200mbps or 2gbps connection, they're on the same switch, and quite likely the same line card.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

I've not had good luck with teaming and I've yet to see much benefit. Saying that, I can see where teaming in a failover method might have some benefits for other types of servers. Due to the way AD is deployed (fabric vs. cluster or single instance) I see no point in making anything complex when it comes to a domain controller. I view teaming as one more piece of software to configure (and potentially mess up) and one more thing in my troubleshooting list if something goes amiss.

On 7/12/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:

Don't mean to hijack this thread but on a similar note - what's the downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up WINS service will pop an error message (which can be ignored)...but anything else? I've always been a firm believer of one nic and no teaming...

Any comments?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

> You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
> Sent: 12 July 2006 12:57
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Multihomed Domain Controllers
>
> No issues, if you...
>
> Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.
>
> Cheers,
>
> Rob
>
> Robert Rutherford
> QuoStar Solutions Limited
> The Enterprise Pavilion
> Fern Barrow
> Wallisdown
> Poole
> Dorset
> BH12 5HH
> T: +44 (0) 8456 440 331
> F: +44 (0) 8456 440 332
> M: +44 (0) 7974 249 494
> E: [EMAIL PROTECTED]
> W: www.quostar.com <http://www.quostar.com>
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
> Sent: 12 Ju
RE: [ActiveDir] Multihomed Domain Controllers
Brian,

Could you please explain to me what you mean by "save for the browsing situation, but who uses that anyway?"

Are you saying that your networks don't have browse masters? How do people find resources then?

Thanks.

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: 13 July, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

I’ve got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration.

Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly !)

Points / clarifications / additional Qs

a) DNS multihomed issues
Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues
Several things in MS KB about this and fixes (including hacking a registry if I remember correctly). But would Browser issues affect AD operations - I'm talking about replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.

d) Backup
Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration ?

Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
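The DNS precaution raised in this thread (not registering the backup NIC's connection in DNS on a multihomed DC) can be checked from the zone data. The following is an added example, not code from any poster: it reads A records and reports backup-network addresses that were registered and DCs that answer on more than one address. The record lines, host names and the 10.99.0.0/24 backup subnet are constructed assumptions.

```python
"""Audit A records for DCs that leak a backup-network address into DNS."""
import ipaddress
from collections import defaultdict

# Constructed sample in "name type data" form, as a zone export might look.
# "@" stands for the domain's own name, where DCs also register their addresses.
ZONE_EXPORT = """\
; constructed sample records (not taken from the thread)
@     A      192.168.10.11
@     A      192.168.10.12
@     A      10.99.0.12
dc1   A      192.168.10.11
dc2   A      192.168.10.12
dc2   A      10.99.0.12
dc3   A      192.168.10.13
fs1   A      192.168.10.21
www   CNAME  fs1
"""

DC_NAMES = {"dc1", "dc2", "dc3"}   # assumed DC host names
BACKUP_NETS = ["10.99.0.0/24"]     # assumed dedicated backup subnet


def parse_a_records(text):
    """Return {name: [IPv4Address, ...]} for every well-formed A record."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "A":
            continue                             # other record types are out of scope
        try:
            addr = ipaddress.IPv4Address(parts[2])
        except ipaddress.AddressValueError:
            continue                             # skip malformed data rather than guess
        records[parts[0].lower()].append(addr)
    return dict(records)


def leaked_backup_addresses(records, backup_nets):
    """List (name, address) pairs where a backup-subnet address is in DNS."""
    nets = [ipaddress.ip_network(n) for n in backup_nets]
    return sorted(
        (name, str(addr))
        for name, addrs in records.items()
        for addr in addrs
        if any(addr in net for net in nets)
    )


def multi_address_dcs(records, dc_names):
    """List DCs with more than one A record, i.e. visibly multihomed in DNS."""
    return sorted(n for n in dc_names if len(records.get(n, [])) > 1)


if __name__ == "__main__":
    recs = parse_a_records(ZONE_EXPORT)
    for name, addr in leaked_backup_addresses(recs, BACKUP_NETS):
        print(f"{name}: backup-network address {addr} is registered in DNS")
    for name in multi_address_dcs(recs, DC_NAMES):
        print(f"{name}: more than one A record, clients may be handed either address")
```
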
Re: [ActiveDir] Multihomed Domain Controllers
Yeah except the fact that thin clients have about twice the useful life, are less prone to failure by virtue of having no moving parts, and use a fraction of the power. There's still a TCO argument to be made, but the initial outlay argument is gone.

Andrew Fidel

"Matt Hargraves" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/12/2006 04:46 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive.

Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
RE: [ActiveDir] Multihomed Domain Controllers
FWIW - I too have teamed NICs in FT mode on DCs on many occasions and have never experienced any issues.

The NIC driver only presents one NIC to the OS so I don't why that should cause an issue. The FT aspects are transparent to the OS.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 13 July 2006 12:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

We team everything. It seems stupid not to. Use fault tolerance only (as opposed to load balancing) and you've got additional resiliency. FT works fine with different paths, e.g. different switches.

--Paul
Re: [ActiveDir] Multihomed Domain Controllers
We team everything. It seems stupid not to. Use fault tolerance only (as opposed to load balancing) and you've got additional resiliency. FT works fine with different paths, e.g. different switches.

--Paul

----- Original Message -----
From: "Freddy HARTONO" <[EMAIL PROTECTED]>
To:
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Don't mean to hijack this thread but on a similar note - what's the downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up WINS service will pop an error message (which can be ignored)...but anything else? I've always been a firm believer of one nic and no teaming...

Any comments?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] Multihomed Domain Controllers
Jeff,

If you back them up over the client-facing LAN conn or over your Gb back-end I wouldn't have any concerns. If you want to just standardise your setup then just go for it.

Cheers.

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 13 July 2006 12:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Well, I don't think the driving factor is the size of the IT operation in terms of # DC's necessarily. In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x Sharepoint), the factors are

- My "client" facing network is 100 Mbs Ethernet
- Major vendor's servers have come with inbuilt dual GbE NICs for the last 3+ years
- GbE switches are now ridiculously cheap
- Backup software supports this configuration (some vendors recommend this config, as noted by other replies)
- Uniform configuration, I backup Exchange, file servers, etc using this configuration.

So I guess you could look at it as a "poor man's SAN".

From my perspective it seems a reasonable thing to do.

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... she dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
Well, I don't think the driving factor is the size of the IT operation in terms of # DC's necessarily. In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x Sharepoint), the factors are

- My "client" facing network is 100 Mbs Ethernet
- Major vendor's servers have come with inbuilt dual GbE NICs for the last 3+ years
- GbE switches are now ridiculously cheap
- Backup software supports this configuration (some vendors recommend this config, as noted by other replies)
- Uniform configuration, I backup Exchange, file servers, etc using this configuration.

So I guess you could look at it as a "poor man's SAN".

From my perspective it seems a reasonable thing to do.

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... she dreams of flowers in a field of sunny bungalows"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kurt Falde
Sent: 12 July 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

So how many DC's do you have? What is your DIT size like to warrant going through all this trouble? Are there other applications that you need to backup on the DC's that are requiring full backups of all your DC's? With most environments getting the system state from a DC/GC in each domain should be enough to allow you to do whatever authoritative restores that you need. Now if you have other apps that you need to do large data backups of then this may be required.

Yes you can do multiple nic's on DC's and quite a few organizations do, however it definitely would not fall under best practices for Domain Controllers.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

[deleted]
RE: [ActiveDir] Multihomed Domain Controllers
Can't your spyware just change/delete the host entries again? Or use an IP address (or do you configure static routes for the subnets that the IP addresses reside in that those host entries point to?)

Has this tactic ever helped anyone in a spyware-on-the-server situation? (except possibly in a SOHO situation where the server's been treated like a desktop?)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!

: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson
: Sent: Thursday, 13 July 2006 3:00 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Multihomed Domain Controllers
:
: I have definitely found the hosts file to be useful on servers to keep them from EVER getting to spyware sites. This guy has a great list:
: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
:
: Just cut and paste into the hosts file and you are good to go. I scripted it for all of the servers I deal with. But I guess this is getting pretty far OT :)
: Kevin
:
: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
: Sent: Wednesday, July 12, 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Multihomed Domain Controllers
:
: In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)
:
: Peter Johnson wrote:
:
: > You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.
RE: [ActiveDir] Multihomed Domain Controllers
I don’t deploy any servers which are connected to a monitoring system that calls me at night or calls my manager without fault-tolerant NIC teaming. Inevitably it will be my fault when the network team crashes a supervisor in a 6509 or a line card dies. I have no second thoughts about using a $250 switchport as a failover port. Some shops I’ve found the network guys expect this from my part so it’s not their problem when a NIC dies or a cable gets screwed up or whatever.

Conversely I’ve dealt with network teams and systems people who haven’t the faintest clue how teaming works and go ballistic when they hear it. It won’t cause spanning tree issues (most popular network team myth I’ve heard), it doesn’t require setting up an etherchannel (you can’t have an etherchannel span switches), and it doesn’t require four IOS commands and three TAC calls to make it work. It also doesn’t crash switches, create broadcast loops, flood segments, etc.

I’ve deployed thousands of network connections with HPQ, Broadcom, and Intel teaming software and have not had issues yet. On clusters I always team across the onboard and PCI NIC for the redundancy. DCs and other stuff without a PCI NIC I just team the two ports for switch fault tolerance. This is also an easy way to see if your network people didn’t follow directions on the cross connects – if the team negotiates a 200mbps or 2gbps connection, they’re on the same switch, and quite likely the same line card.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

I've not had good luck with teaming and I've yet to see much benefit. Saying that, I can see where teaming in a failover method might have some benefits for other types of servers. Due to the way AD is deployed (fabric vs. cluster or single instance) I see no point in making anything complex when it comes to a domain controller. I view teaming as one more piece of software to configure (and potentially mess up) and one more thing in my troubleshooting list if something goes amiss.
RE: [ActiveDir] Multihomed Domain Controllers
Hmm, this whole no surfing the web on DCs is potentially problematic if you're Defending Security Infrastructures in your datacenter. You would need to order the pizza whilst in the presence of your security infrastructures which might be collocated with the domain controllers. If you were to abandon your security infrastructures to order pizza, you would no longer be defending security infrastructures in your datacenter.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson
> Sent: Wednesday, July 12, 2006 1:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Multihomed Domain Controllers
>
> I only surf on the big ones. The small ones just don't catch the waves right.
>
> I don't even let them go to Windows Update. WSUS connections configured through Group Policy are about as far as I want them to go to the internet. The problem is users, and in many cases admins. I get a server just right, go back to my office, and by the time I get back they've already installed 15 programs ending in "zilla".
>
> And of course no self-respecting admin can get a $15 Citrix infrastructure without immediately giving every STINKING user a desktop. Forget published apps. Forget everything that made it worth investing any money whatsoever, let's just give them a STINKING desktop. Sorry, I guess I must have let all of my thinking about Defending Security Infrastructure get to my head.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, July 12, 2006 12:45 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Multihomed Domain Controllers
>
> You surf on your servers?
>
> My servers go to WU/MU...and maybe to Joe's blog for information on Defending Security Infrastructure..in fact they regularly hang out on Joe's blog for all the information I need to know on Defending Security Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that link is the home page so that I'm constantly reminded about Defending Security Infrastructure ..but other than that... they don't have antispyware because they don't go anywhere to get spyware and the Enhanced IE is still on there.
RE: [ActiveDir] Multihomed Domain Controllers
I had a production environment which required hosts files to deal with the confusing mechanism behind Cisco's Layer 4 load balancer blades (CSMs). That was one of those if you didn't know about it (it being the CSM and the hosts file solution we came up with) you'd probably never figure it out type things.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, July 12, 2006 11:12 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Multihomed Domain Controllers
>
> But I hope we still have the option of doing so... I use the hosts file on a regular basis to redirect the localhost name to the machine's IP instead of to 127.blah and then stick in route statements so all locally directed traffic bounces out to a router and back so I can look at the network traces of the traffic.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, July 12, 2006 11:41 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Multihomed Domain Controllers
>
> In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)
>
> Peter Johnson wrote:
>
> > You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.
> > > > > > > > - > - > > -- > > > > *From:* [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert > > Rutherford > > *Sent:* 12 July 2006 12:57 > > *To:* ActiveDir@mail.activedir.org > > *Subject:* RE: [ActiveDir] Multihomed Domain Controllers > > > > > > > > No issues, if you... > > > > > > > > Go to the TCP/IP settings of the backup network card, click advanced, > > goto the DNS tab and untick register the connection in DNS. > > > > > > > > Cheers, > > > > > > > > Rob > > > > > > > > > > > > > > > > > > > > *Robert Rutherford* > > *QuoStar Solutions Limited* > > > > > > The Enterprise Pavilion > > Fern Barrow > > Wallisdown > > Poole > > Dorset > > BH12 5HH > > > > > > > > > > > > > > > > > > *T:* > > > > > > > > +44 (0) 8456 440 331 > > > > *F:* > > > > > > > > +44 (0) 8456 440 332 > > > > *M:* > > > > > > > > +44 (0) 7974 249 494 > > > > *E: * > > > > > > > > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > > > > *W: * > > > > > > > > www.quostar.com <http://www.quostar.com> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > - > - > > -- > > > > > > > > > > > > **From:** [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green > > *Sent:* 12 July 2006 11:43 > > *To:* ActiveDir@mail.activedir.org > > *Subject:* [ActiveDir] Multihomed Domain Controllers > > > > Hi, > > > > First posting to this list but I've lurked quite a while and > I've > > been very impressed by the quality of replies by the gurus. > > > > My question is regarding the advisability of having multihomed DCs. > > Basically I want > > to run backups over a separate GbE and as my servers have dual > inbuilt > > NICs this seems an obvious route to take. I know there are some > issues > > with DNS (I have a DNS integrated AD). > > > > Would this cause replication problems, etc ? > > > > Any other "gotchas" ? > > > > > > > > Many Thanks, >
RE: [ActiveDir] Multihomed Domain Controllers
I’ve got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration.

Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly !)

Points / clarifications / additional Qs

a) DNS multihomed issues
Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues
Several things in MS KB about this and fixes (including hacking a registry if I remember correctly). But would Browser issues affect AD operations - I'm talking about replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.

d) Backup
Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration ?

Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way.

Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED] , if you have received this email in error.
Disclaimer: The views, opinions and guidelines contained in this confi
RE: [ActiveDir] Multihomed Domain Controllers
That’s fine. You need to do two things:

1. This needs to be a backup subnet (so no gateway)
2. In the Network Connections explorer window under tools>advanced settings, prioritize your connections with this one being last (this is only necessary if you need a gateway for the backup subnet for whatever reason).

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way.

Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
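The settings recommended across this thread (backup NIC not registered in DNS, no gateway or DNS servers on it, binding order last if a gateway is needed, and hosts entries on the backup server pointing at the backup addresses) can be audited together. The following is an added example, not code from any poster; every address, host name and the dictionary layout are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
BACKUP_NET = ipaddress.ip_network("192.168.50.0/24")

# NICs of one DC, listed in binding order (first = highest priority).
NICS = [
    {"name": "Production", "ip": "10.1.0.10", "gateway": "10.1.0.1",
     "dns_servers": ["10.1.0.10"], "register_in_dns": True},
    {"name": "Backup", "ip": "192.168.50.10", "gateway": None,
     "dns_servers": [], "register_in_dns": True},  # box left ticked
]

# A records as (name, address) pairs, e.g. taken from a zone export.
A_RECORDS = [
    ("dc01.corp.example", "10.1.0.10"),
    ("dc01.corp.example", "192.168.50.10"),  # backup address leaked into DNS
    ("corp.example", "10.1.0.10"),
]

# Hosts file on the backup server (constructed).
BACKUP_SERVER_HOSTS = """\
# hosts file on the backup server
127.0.0.1       localhost
192.168.50.10   dc01.corp.example dc01   # backup NIC of dc01
10.1.0.11       dc02.corp.example        # wrong: production address
"""


def in_backup_net(addr, net=BACKUP_NET):
    """True when addr lies inside the dedicated backup subnet."""
    return ipaddress.ip_address(addr) in net


def audit_nics(nics, net=BACKUP_NET):
    """Check every NIC on the backup subnet against the thread's advice."""
    findings = []
    for position, nic in enumerate(nics):
        if not in_backup_net(nic["ip"], net):
            continue
        if nic["register_in_dns"]:
            findings.append((nic["name"], "registers its address in DNS"))
        if nic["dns_servers"]:
            findings.append((nic["name"], "has DNS servers configured"))
        # A gateway is tolerated only when the NIC is last in the binding order.
        if nic["gateway"] and position != len(nics) - 1:
            findings.append(
                (nic["name"], "has a gateway but is not last in the binding order"))
    return findings


def leaked_a_records(records, net=BACKUP_NET):
    """A records that expose a backup-subnet address to DNS clients."""
    return [(name, addr) for name, addr in records if in_backup_net(addr, net)]


def parse_hosts(text):
    """Parse hosts-file text into {lowercased name: address}."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line or address without a name
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address, ignore the line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)  # keep the first entry
    return mapping


def audit_backup_hosts(text, dc_names, net=BACKUP_NET):
    """Each DC needs a hosts entry that resolves into the backup subnet."""
    hosts = parse_hosts(text)
    findings = []
    for name in dc_names:
        addr = hosts.get(name.lower())
        if addr is None:
            findings.append((name, "no hosts entry, falls back to DNS"))
        elif not in_backup_net(addr, net):
            findings.append(
                (name, f"hosts entry {addr} is outside the backup subnet"))
    return findings


if __name__ == "__main__":
    dcs = ["dc01.corp.example", "dc02.corp.example", "dc03.corp.example"]
    for item in audit_nics(NICS):
        print("NIC:", item)
    for item in leaked_a_records(A_RECORDS):
        print("DNS:", item)
    for item in audit_backup_hosts(BACKUP_SERVER_HOSTS, dcs):
        print("hosts:", item)
```
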
Re: [ActiveDir] Multihomed Domain Controllers
I've not had good luck with teaming and I've yet to see much benefit. Saying that, I can see where teaming in a failover method might have some benefits for other types of servers. Due to the way AD is deployed (fabric vs. cluster or single instance) I see no point in making anything complex when it comes to a domain controller. I view teaming as one more piece of software to configure (and potentially mess up) and one more thing in my troubleshooting list if something goes amiss.

On 7/12/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:

Don't mean to hijack this thread but on a similar note - whats the downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up WINS service will pops and error message (which can be ignored)...but anything else? I've always been a firm believer of one nic and no teaming...

Any comments?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:
> You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] *On Behalf Of *Robert Rutherford
> *Sent:* 12 July 2006 12:57
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Multihomed Domain Controllers
>
> No issues, if you...
>
> Go to the TCP/IP settings of the backup network card, click advanced, goto the DNS tab and untick register the connection in DNS.
RE: [ActiveDir] Multihomed Domain Controllers
Hijack this thread? I didn't know it could be hijacked any more than I already had. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Wednesday, July 12, 2006 8:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Multihomed Domain Controllers Don't mean to hijack this thread but on a similar note - whats the downside for installing DCs with Adapter Teaming? All I know is that when adapter teaming is enabled, setting up WINS service will pops and error message (which can be ignored)...but anything else? I've always been a firm believer of one nic and no teaming... Any comments? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, July 12, 2006 11:41 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Multihomed Domain Controllers In the year 2006.. I hope we are still not making host file entries on servers and workstations :-) Peter Johnson wrote: > You might want to then create entries in the host file on the backup > server so that you guarantee that the backup server always uses the > right network connection. > > > > -- > -- > > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert > Rutherford > *Sent:* 12 July 2006 12:57 > *To:* ActiveDir@mail.activedir.org > *Subject:* RE: [ActiveDir] Multihomed Domain Controllers > > > > No issues, if you... > > > > Go to the TCP/IP settings of the backup network card, click advanced, > goto the DNS tab and untick register the connection in DNS. 
RE: [ActiveDir] Multihomed Domain Controllers
Don't mean to hijack this thread but on a similar note - whats the downside for installing DCs with Adapter Teaming? All I know is that when adapter teaming is enabled, setting up WINS service will pops and error message (which can be ignored)...but anything else? I've always been a firm believer of one nic and no teaming... Any comments? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, July 12, 2006 11:41 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Multihomed Domain Controllers In the year 2006.. I hope we are still not making host file entries on servers and workstations :-) Peter Johnson wrote: > You might want to then create entries in the host file on the backup > server so that you guarantee that the backup server always uses the > right network connection. > > > > -- > -- > > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert > Rutherford > *Sent:* 12 July 2006 12:57 > *To:* ActiveDir@mail.activedir.org > *Subject:* RE: [ActiveDir] Multihomed Domain Controllers > > > > No issues, if you... > > > > Go to the TCP/IP settings of the backup network card, click advanced, > goto the DNS tab and untick register the connection in DNS. 
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [OT]Re: [ActiveDir] Multihomed Domain Controllers
Fortunately, unless you know who has the data that you want to steal, the chances of any actual confidential data being stolen to the thief's benefit is pretty slim. Even if you do find data that a competitor would want, most companies today are pretty hesitant about taking confidential information. Didn't you hear about Pepsi turning in that guy who was going to sell them confidential information from Coca Cola?

The information that people are really worried about is controlled by the people who are usually more paranoid than we are the accountants ;)

On 7/12/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

Confidential data? Can you, in three minutes or less recite your companies confidential data policies if you were asked? Can you explain them to the users in your company (fair enough, I know you're a tech company; I've heard of you)? Or are your company classified docs going home on usb sticks and cd's or dvd's or in email and web uploads?

I wonder though, desktop machines guarded by the cleaning crew are better? What about smart phones? Those keep you up late at night as well? :)

We're easily years away from widespread use and adoption of things like bit-locker. With cross-platform usage, not sure the value outside of the sphere of windows desktops that have been upgraded (that's a what? 5 year cycle at many companies?) either but leave that for another time

My preference is to embrace the new technology and find ways to mitigate the risks. Laptops are here to stay and although they go missing, that to me is not enough of a reason to not want to use them. I've seen instances of desktops that grow legs and go missing as well.

Some might argue that VPN usage to non-company assets (those not owned AND managed by the company) are enough to give you the heebie jeebies. I don't see bit-locker solving those issues. Know something different?
Re: [OT]Re: [ActiveDir] Multihomed Domain Controllers
Confidential data? Can you, in three minutes or less recite your companies confidential data policies if you were asked? Can you explain them to the users in your company (fair enough, I know you're a tech company; I've heard of you)? Or are your company classified docs going home on usb sticks and cd's or dvd's or in email and web uploads?

I wonder though, desktop machines guarded by the cleaning crew are better? What about smart phones? Those keep you up late at night as well? :)

We're easily years away from widespread use and adoption of things like bit-locker. With cross-platform usage, not sure the value outside of the sphere of windows desktops that have been upgraded (that's a what? 5 year cycle at many companies?) either but leave that for another time

My preference is to embrace the new technology and find ways to mitigate the risks. Laptops are here to stay and although they go missing, that to me is not enough of a reason to not want to use them. I've seen instances of desktops that grow legs and go missing as well.

Some might argue that VPN usage to non-company assets (those not owned AND managed by the company) are enough to give you the heebie jeebies. I don't see bit-locker solving those issues. Know something different?

On 7/12/06, Kurt Falde <[EMAIL PROTECTED]> wrote:

Great so we can have even more people taking confidential data home with them and getting their laptops stolen from their cars :) Until we get Vista BitLocker and laptops that utilize it across the board I would be extremely paranoid about laptops all over.

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [OT]Re: [ActiveDir] Multihomed Domain Controllers

I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops?

On 7/12/06, Matt Hargraves < [EMAIL PROTECTED]> wrote:

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive.

Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
RE: [OT]Re: [ActiveDir] Multihomed Domain Controllers
Great so we can have even more people taking confidential data home with them and getting their laptops stolen from their cars :) Until we get Vista BitLocker and laptops that utilize it across the board I would be extremely paranoid about laptops all over.

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [OT]Re: [ActiveDir] Multihomed Domain Controllers

I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops?

On 7/12/06, Matt Hargraves <[EMAIL PROTECTED]> wrote:

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive.

Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
RE: [ActiveDir] Multihomed Domain Controllers
Sorry, forgive me for my lack of clarity. I was on the phone with Microsoft when I wrote that, so my head was shrinking…. But don’t worry, they refunded my case. I agree with you 100%. My rant was purely referring to the desktop published app, not a physical workstation. I was ranting about admins who can’t seem to understand that citrix costs more than rdp, but that is about the only difference if every user is connecting to the citrix desktop instead of published apps. Especially since they don’t want to lock the users down on the citrix servers.

Wow, it’s a long way from multihomed domain controllers to Citrix and desktops vs. thin clients.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive.

Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
[OT]Re: [ActiveDir] Multihomed Domain Controllers
I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops? On 7/12/06, Matt Hargraves <[EMAIL PROTECTED]> wrote: Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
Re: [ActiveDir] Multihomed Domain Controllers
Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
RE: [ActiveDir] Multihomed Domain Controllers
I only surf on the big ones. The small ones just don't catch the waves right. I don't even let them go to Windows Update. WSUS connections configured through Group Policy are about as far as I want them to go to the internet.

The problem is users, and in many cases admins. I get a server just right, go back to my office, and by the time I get back they've already installed 15 programs ending in "zilla". And of course no self-respecting admin can get a $15 Citrix infrastructure without immediately giving every STINKING user a desktop. Forget published apps. Forget everything that made it worth investing any money whatsoever, let's just give them a STINKING desktop.

Sorry, I guess I must have let all of my thinking about Defending Security Infrastructure get to my head.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

You surf on your servers?

My servers go to WU/MU...and maybe to Joe's blog for information on Defending Security Infrastructure..in fact they regularly hang out on Joe's blog for all the information I need to know on Defending Security Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that link is the home page so that I'm constantly reminded about Defending Security Infrastructure ..but other than that... they don't have antispyware because they don't go anywhere to get spyware and the Enhanced IE is still on there.

Kevin Brunson wrote:
> I have definitely found the hosts file to be useful on servers to keep
> them from EVER getting to spyware sites. This guy has a great list :
> http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
>
> Just cut and paste into the hosts file and you are good to go. I
> scripted it for all of the servers I deal with. But I guess this is
> getting pretty far OT: :)
> Kevin
Re: [ActiveDir] Multihomed Domain Controllers
You surf on your servers?

My servers go to WU/MU...and maybe to Joe's blog for information on Defending Security Infrastructure..in fact they regularly hang out on Joe's blog for all the information I need to know on Defending Security Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that link is the home page so that I'm constantly reminded about Defending Security Infrastructure ..but other than that... they don't have antispyware because they don't go anywhere to get spyware and the Enhanced IE is still on there.

Kevin Brunson wrote:

I have definitely found the hosts file to be useful on servers to keep them from EVER getting to spyware sites. This guy has a great list : http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts

Just cut and paste into the hosts file and you are good to go. I scripted it for all of the servers I deal with. But I guess this is getting pretty far OT: :)

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, goto the DNS tab and untick register the connection in DNS.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
W: www.quostar.com <http://www.quostar.com>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way.

Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Multihomed Domain Controllers
Could someone please tell me what all this "Defending Security Infrastructure" stuff is about?

Even though joe said "Do not read about "Defending Security Infrastructure"" on his blog, I went there and read all about what he wrote about "Defending Security Infrastructure" because I literally hang off every word joe writes, and he wrote about "Defending Security Infrastructure" and I wanted to know what his thoughts were on "Defending Security Infrastructure". But interestingly enough, joe didn't have much to say about "Defending Security Infrastructure" so I queried other avenues on "Defending Security Infrastructure" and there sure is a lot on the subject of "Defending Security Infrastructure" but I couldn't really distill it.

So now I'm going to have to keep watching the joedog blog on "Defending Security Infrastructure", because if joe talks about "Defending Security Infrastructure", then "Defending Security Infrastructure" is probably pretty important.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 12 July, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Susan, there are still valid reasons for using hosts file even in an enterprise. I believe that we went through this a couple of months ago.

NB: Not to encourage joe or anything like that. I just need to point out that my statement above may be interpreted to imply that hosts files have a role to play in the whole big "Defending Security Infrastructure" realm; for example, if your "Defending Security Infrastructure" service delivery plans does NOT include a robust "split-brain" DNS infrastructure. Of course, a "Defending Security Infrastructure" plan that does not include that is not worth the name "Defending Security Infrastructure plan" at all and does not belong in the "Defending Security Infrastructure" big black ops book.

Now I crawl back into my heavily-defended "Defending Security Infrastructure" bunker - or castle - or cave.

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 7/12/2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:
> You might want to then create entries in the host file on the backup
> server so that you guarantee that the backup server always uses the
> right network connection.
RE: [ActiveDir] Multihomed Domain Controllers
I have definitely found the hosts file to be useful on servers to keep them from EVER getting to spyware sites. This guy has a great list : http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts

Just cut and paste into the hosts file and you are good to go. I scripted it for all of the servers I deal with. But I guess this is getting pretty far OT: :)

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:
> You might want to then create entries in the host file on the backup
> server so that you guarantee that the backup server always uses the
> right network connection.
RE: [ActiveDir] Multihomed Domain Controllers
Susan, there are still valid reasons for using hosts file even in an enterprise. I believe that we went through this a couple of months ago.

NB: Not to encourage joe or anything like that. I just need to point out that my statement above may be interpreted to imply that hosts files have a role to play in the whole big "Defending Security Infrastructure" realm; for example, if your "Defending Security Infrastructure" service delivery plans does NOT include a robust "split-brain" DNS infrastructure. Of course, a "Defending Security Infrastructure" plan that does not include that is not worth the name "Defending Security Infrastructure plan" at all and does not belong in the "Defending Security Infrastructure" big black ops book.

Now I crawl back into my heavily-defended "Defending Security Infrastructure" bunker - or castle - or cave.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 7/12/2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:
> You might want to then create entries in the host file on the backup
> server so that you guarantee that the backup server always uses the
> right network connection.
RE: [ActiveDir] Multihomed Domain Controllers
But I hope we still have the option of doing so... I use the hosts file on a regular basis to redirect the localhost name to the machine's IP instead of to 127.blah and then stick in route statements so all locally directed traffic bounces out to a router and back so I can look at the network traces of the traffic.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:
> You might want to then create entries in the host file on the backup
> server so that you guarantee that the backup server always uses the
> right network connection.
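The hosts-file uses raised in this thread (Kevin's pasted blocklist, Peter's pins for the backup network, joe's localhost remap) all land in one file that nothing else cross-checks. As an added example, not code from any list member, this Python audit classifies each entry and flags the ones that would silently misroute traffic; the sample file, the host names, the 10.20.0.0/24 backup subnet and the function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file (not from the thread): blocklist lines,
# pins for DCs on a backup LAN, a stale pin and a localhost override.
SAMPLE_HOSTS = """\
# blocklist entries pasted from an ad/spyware server list
127.0.0.1   ads.example.net
127.0.0.1   tracker.example.org   # inline comment
0.0.0.0     popups.example.com
# pins so the backup server reaches DCs over the backup LAN
10.20.0.11  dc01.corp.example dc01
10.20.0.12  dc02.corp.example
192.168.1.12 dc02.corp.example    # stale entry on the production LAN
192.168.1.50 localhost            # loopback name remapped to a NIC address
not-an-ip   broken.example
"""

# Assumed backup subnet; replace with the real backup LAN range.
BACKUP_NET = ipaddress.ip_network("10.20.0.0/24")


def parse_hosts(text):
    """Return ([(line_no, ip, [names])], [malformed line numbers])."""
    entries, bad = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            bad.append(no)
            continue
        if len(fields) < 2:                   # address with no host name
            bad.append(no)
            continue
        entries.append((no, ip, [n.lower() for n in fields[1:]]))
    return entries, bad


def audit(text, backup_net=BACKUP_NET):
    """Classify every name in a hosts file and flag risky mappings."""
    entries, bad = parse_hosts(text)
    report = {
        "sinkholed": [],           # blocklist names sent to loopback / 0.0.0.0
        "pinned": [],              # names pinned to the backup subnet
        "outside_backup_net": [],  # pins that bypass the backup LAN
        "localhost_override": [],  # localhost mapped off loopback
        "conflicts": {},           # one name, several addresses
        "malformed_lines": bad,
    }
    seen = defaultdict(set)
    for no, ip, names in entries:
        for name in names:
            seen[name].add(ip)
            if name == "localhost":
                if not ip.is_loopback:
                    report["localhost_override"].append((no, str(ip)))
            elif ip.is_loopback or ip.is_unspecified:
                report["sinkholed"].append(name)
            elif ip in backup_net:
                report["pinned"].append((name, str(ip)))
            else:
                report["outside_backup_net"].append((no, name, str(ip)))
    report["conflicts"] = {
        name: sorted(str(i) for i in ips)
        for name, ips in seen.items() if len(ips) > 1
    }
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

Run against a real file by passing its contents to `audit()`; anything under `outside_backup_net`, `conflicts` or `localhost_override` deserves a named owner and a reason, since DNS changes will never correct it.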
RE: [ActiveDir] Multihomed Domain Controllers
So how many DC's do you have? What is your DIT size like to warrant going through all this trouble? Are there other applications that you need to backup on the DC's that are requiring full backups of all your DC's. With most environments getting the system state from a DC/GC in each domain should be enough to allow you to do whatever authoritative restores that you need. Now if you have other apps that you need to do a large data backups of then this may be required.

Yes you can do multiple nic's on DC's and quite a few organizations do however it definitely would not fall under best practices for Domain Controllers.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:
> You might want to then create entries in the host file on the backup
> server so that you guarantee that the backup server always uses the
> right network connection.
Re: [ActiveDir] Multihomed Domain Controllers
In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, goto the DNS tab and untick register the connection in DNS.

Cheers,

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
Re: [ActiveDir] Multihomed Domain Controllers
I've never seen a problem with doing this stuff before and there are actually some backup solution providers that recommend using a parallel network for backup data to transmit across.

That being said, I think the most important thing for you to make sure that you're *not* doing is testing it out on your FSMO roles holder. Do it with a non-GC domain controller first, then move up to a GC and after all of your DCs are working on the parallel network for backups, I'd probably move FSMO roles over to one of them that is working and move the last GC over (then move back the FSMO roles, if you have some old software that's hardcoded to the 'PDC').

On 7/12/06, Kevin Brunson <[EMAIL PROTECTED]> wrote:

The one gotcha I have seen (only once though), was that somehow multihoming a 2000 DC corrupted a couple of registry keys. I think KB 888048 appeared a few days after the 8 hour phone call with MS. Basically the dc no longer had a DNS name. Needless to say that caused problems. But as long as you know which registry keys to change if it goes bad, you should be fine. I have seen a multitude of multihomed domain controllers since with no issues.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
Re: [ActiveDir] Multihomed Domain Controllers
Couple of points. Most have probably been covered, or read by you:

- Clearly label the NICs, e.g. LAN00 and BACKUP00.
- Adjust the binding order so that LAN00 is above BACKUP00.
- If you don't require NetBT, disable it on BACKUP00 (BackupExec will most likely not like you if you disable this).
- Forget about the Advanced TCP/IP DNS option "Don't register in DNS". There is a hotfix, and it's supposed to be in SP1, but I'm still seeing A records registered in DNS in my lab when I don't want them in there, so use the necessary registry key DisableDynamicUpdate on the NIC BACKUP00.
- Only have a gateway on LAN00
- Bind the BackupExec agent to BACKUP00 only.
- If the backup LAN is routed, define persistent routes in the routing table.

Browser operations won't affect AD. If you have bad entries in DNS, that will cause issues so check DNS. OS Shouldn't matter.

I've implemented multi-homed systems many times in the past, and have been messing around with NLB and LDAP on DCs (in Unicast mode -requires a second NIC) over the last couple of days without any issues. DNS is the main issue. There can be some issues with NetBT/ WINS, but I personally wouldn't use LMHOSTS or WINS on the BACKUP00 NIC.

That's a few points based on what I'm doing in the lab. Main thing is to test your configuration. In the last place I worked we used a dedicated backup LAN. No issues worth noting (in other words it worked and I don't remember any issues), and that was a mixed NT 4, 2k and k3 environment. Dedicated systems management LANs are also a good idea, e.g. iLO, etc.

--Paul

- Original Message -
From: Jeff Green
To: ActiveDir@mail.activedir.org
Sent: Wednesday, July 12, 2006 1:03 PM
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs
a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.
d) Backup Using BackupExec, which allows binding of remote agents to specific NICs
Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
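One way to carry out the "check DNS" step from the message above, as an added example that is not code from the thread: it scans exported zone records for A records registered from the backup network, and for DC locator SRV records whose target host has such an address or no A record at all. The record tuple layout, host names and subnets are constructed assumptions.

```python
"""Audit DNS records of a multihomed DC for backup-network registrations.

All names, addresses and the (owner, type, data) layout are constructed
for illustration; adapt the loader to whatever zone export you have.
"""
import ipaddress
from collections import defaultdict

# Assumed subnet of the BACKUP00 NIC (constructed value).
BACKUP_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed sample records: (owner name, record type, record data).
SAMPLE_RECORDS = [
    ("dc01.corp.example.", "A", "10.1.0.10"),
    ("dc01.corp.example.", "A", "192.168.50.10"),   # backup NIC registered itself
    ("dc02.corp.example.", "A", "10.1.0.11"),
    ("corp.example.", "A", "10.1.0.10"),
    ("corp.example.", "A", "192.168.50.10"),        # same-as-parent record, backup address
    ("gc._msdcs.corp.example.", "A", "10.1.0.10"),
    ("_ldap._tcp.dc._msdcs.corp.example.", "SRV", "0 100 389 dc01.corp.example."),
    ("_ldap._tcp.dc._msdcs.corp.example.", "SRV", "0 100 389 dc02.corp.example."),
    ("_kerberos._tcp.corp.example.", "SRV", "0 100 88 dc03.corp.example."),  # target has no A
]


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def audit(records, backup_net=BACKUP_NET):
    """Return a list of (finding, owner, detail) tuples.

    A_ON_BACKUP_NET          an A record points into the backup subnet
    SRV_TARGET_ON_BACKUP_NET a locator SRV target also resolves to a backup address
    SRV_TARGET_NO_A          a locator SRV target has no A record in the data
    BAD_A_DATA/BAD_SRV_DATA  the record data could not be parsed
    """
    a_index = defaultdict(list)
    findings = []

    # Pass 1: index A records and flag addresses on the backup network.
    for owner, rtype, data in records:
        if rtype.upper() != "A":
            continue
        try:
            addr = ipaddress.ip_address(data.strip())
        except ValueError:
            findings.append(("BAD_A_DATA", norm(owner), data))
            continue
        a_index[norm(owner)].append(addr)
        if addr in backup_net:
            findings.append(("A_ON_BACKUP_NET", norm(owner), str(addr)))

    # Pass 2: follow SRV targets, since clients locate DCs through them.
    for owner, rtype, data in records:
        if rtype.upper() != "SRV":
            continue
        fields = data.split()          # priority weight port target
        if len(fields) != 4:
            findings.append(("BAD_SRV_DATA", norm(owner), data))
            continue
        target = norm(fields[3])
        addrs = a_index.get(target)
        if not addrs:
            findings.append(("SRV_TARGET_NO_A", norm(owner), target))
        elif any(a in backup_net for a in addrs):
            findings.append(("SRV_TARGET_ON_BACKUP_NET", norm(owner), target))
    return findings


if __name__ == "__main__":
    for kind, owner, detail in audit(SAMPLE_RECORDS):
        print(f"{kind:26} {owner:40} {detail}")
```

An empty result means no record in the export points clients or replication partners at the backup network.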
Re: [ActiveDir] Multihomed Domain Controllers
Did you hear me giggle? Are you watching me? Like I mentioned, keeping any solution as simple as possible will pay dividends later. If the solution requires two networks and a dual-homed DC, I have no qualms about doing that and I understand the amount of complexity that entails. I also accept that complexity by default if I have to go down that road. Satellite links? Permanent ones? Or mobile? ;-)

On 7/12/06, Robert Rutherford <[EMAIL PROTECTED]> wrote:

I guess that is very true... on reflection I was using the separate connection situation on satellite sites, where the DC did have backup exec loaded.. I hear you *gasp* Cheers
Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 12 July 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely. When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's. Just some random thoughts and my $.04 (USD) worth. Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED] > wrote:

Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs
a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.
d) Backup Using BackupExec, which allows binding of remote agents to specific NICs
Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
The one gotcha I have seen (only once though), was that somehow multihoming a 2000 DC corrupted a couple of registry keys. I think KB 888048 appeared a few days after the 8 hour phone call with MS. Basically the dc no longer had a DNS name. Needless to say that caused problems. But as long as you know which registry keys to change if it goes bad, you should be fine. I have seen a multitude of multihomed domain controllers since with no issues. Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
Re: [ActiveDir] Multihomed Domain Controllers
Depends on your support engineers... multihomed DCs are quite typical to the SBS CSS engineer :-) The KB in the 2000 era that we had tattooed to our foreheads due to our two nic DCs was this one http://support.microsoft.com/default.aspx?scid=kb;en-us;292822

Al Mulnick <[EMAIL PROTECTED]> wrote:

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely. When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's. Just some random thoughts and my $.04 (USD) worth. Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs
a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.
d) Backup Using BackupExec, which allows binding of remote agents to specific NICs
Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
I guess that is very true... on reflection I was using the separate connection situation on satellite sites, where the DC did have backup exec loaded.. I hear you *gasp* Cheers
Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 12 July 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely. When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's. Just some random thoughts and my $.04 (USD) worth. Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs
a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.
d) Backup Using BackupExec, which allows binding of remote agents to specific NICs
Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
Re: [ActiveDir] Multihomed Domain Controllers
Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration.

Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's. Just some random thoughts and my $.04 (USD) worth. Al

On 7/12/06, Jeff Green <[EMAIL PROTECTED]> wrote:

Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs
a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.
d) Backup Using BackupExec, which allows binding of remote agents to specific NICs
Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
I've used the same configuration in a number of relatively sizeable sites (2000+ user base) with no issues as the guys state.. just trial it. Cheers Rob
Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 13:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs
a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.
d) Backup Using BackupExec, which allows binding of remote agents to specific NICs
Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs
a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.
d) Backup Using BackupExec, which allows binding of remote agents to specific NICs
Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
Re: [ActiveDir] Multihomed Domain Controllers
You may want to configure one default gateway on your primary network interface and then configure the other nics routing (leave default gateway blank) in the local routing table else you can have "loads of fun" based on metrics and Lan speeds. Mark

-Original Message-
From: [EMAIL PROTECTED]
Date: Wed, 12 Jul 2006 07:28:01
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Looks like SP1 fixes the DNS issue with replaces a few DNS files -- At this point Windows 2003 SP1 should be a minimum. Good find - Chuck
Re: [ActiveDir] Multihomed Domain Controllers
Looks like SP1 fixes the DNS issue with replaces a few DNS files -- At this point Windows 2003 SP1 should be a minimum. Good find - Chuck
RE: [ActiveDir] Multihomed Domain Controllers
You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS. Cheers, Rob
Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks,
---
Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
I'd search around and do some research and testing. A quick Google search uncovered this within seconds...

http://support.microsoft.com/?id=832478

The browser service is notoriously flaky in multi homed environments, too.

neil
Re: [ActiveDir] Multihomed Domain Controllers
There were known issues with NT 4.0 with WINS resolution for when WINS packets were lost trying to return through the 2nd NIC using multi-homed DCs. But I have heard that this isn't the case in Windows 2000/2003. Otherwise you are probably OK but double-check DNS as well per the other email. Regards, Chuck
RE: [ActiveDir] Multihomed Domain Controllers
No issues, if you...

Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
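A scripted form of the two suggestions in this thread (stop the backup NIC registering in DNS, and pin the DC's name in the backup server's hosts file), with a check that no backup-network address is handed out for the DC. This is an added example, not part of any poster's message; it assumes the networking cmdlets shipped with Windows Server 2012 and later rather than the Windows 2000/2003 systems discussed, and the adapter alias, host name and address are constructed placeholders.

```powershell
# Added example; names and addresses below are constructed placeholders.
$BackupAlias = 'Backup'               # hypothetical alias of the backup-only NIC on the DC
$DcFqdn      = 'dc01.example.test'    # hypothetical DC name
$DcBackupIp  = '192.0.2.10'           # constructed backup-network address of that DC

# --- On the DC -------------------------------------------------------------
# Scripted form of unticking DNS registration on the backup NIC's DNS tab.
Set-DnsClient -InterfaceAlias $BackupAlias -RegisterThisConnectionsAddress $false

# The thread also says to leave gateway and DNS servers blank on that NIC.
$gw  = Get-NetRoute -InterfaceAlias $BackupAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
$dns = (Get-DnsClientServerAddress -InterfaceAlias $BackupAlias -AddressFamily IPv4).ServerAddresses
if ($gw)  { Write-Warning "Default gateway is set on '$BackupAlias'" }
if ($dns) { Write-Warning "DNS servers are set on '$BackupAlias': $($dns -join ', ')" }

# Compare what DNS returns for the DC with the addresses bound to the backup NIC.
$backupIps  = @((Get-NetIPAddress -InterfaceAlias $BackupAlias -AddressFamily IPv4).IPAddress)
$registered = @(Resolve-DnsName -Name $DcFqdn -Type A -DnsOnly |
                Where-Object { $_.Type -eq 'A' } |
                Select-Object -ExpandProperty IPAddress)
$leaked = @($registered | Where-Object { $backupIps -contains $_ })
if ($leaked.Count -gt 0) {
    Write-Warning "Backup-network address still in DNS for ${DcFqdn}: $($leaked -join ', ')"
} else {
    Write-Output "No backup-network address registered for $DcFqdn"
}

# --- On the backup server --------------------------------------------------
# Pin the DC's name to its backup-network address in the hosts file so backup
# traffic always takes the dedicated link (run elevated, on the backup server).
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry = "$DcBackupIp`t$DcFqdn"
if (-not (Select-String -Path $hosts -SimpleMatch $DcFqdn -Quiet)) {
    Add-Content -Path $hosts -Value $entry
}
```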