Domain Controller 2012 Multihomed

    Question

  • Hi to all.

    I've installed 2 Hyper-V 2012 hosts.

    Now I want to install 2 domain controllers, one on each Hyper-V host.
    These DCs must, however, have 2 network cards with 2 different IPs.
    Are there problems with having a DC multihomed on 2012?

    Thanks to all for any suggestions.


    /Mino

    Monday, August 05, 2013 3:43 PM

Answers

All replies

  • There are problems, yes. Mainly around DNS.

    There are a lot of threads on this, for example:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/a1583d7f-fa59-4497-89de-666d683e53a0/can-dc-be-multihomed-in-windows-2008-server

    If you get DNS issues, which is usually what happens, you will have A LOT of issues. Group policy, replication errors, account lockouts, etc.

    In fact some of my member servers are multi-homed and they experience lookup failures (2 NICs). So on a DC, it just won't be worth the purpose of 2 NICs (why do you want 2 NICs?).

    Monday, August 05, 2013 4:11 PM
  • Why do you need 2 NICs on a DC?

    Anyway, review the following article. This is applicable to Windows 2012 DCs also:

    http://support.microsoft.com/kb/272294


    Santhosh Sivarajan | Houston, TX

    Windows 2012 Book - Migrating from 2008 to Windows Server 2012

    http://www.sivarajan.com/
    This post is provided ASIS with no warran

    Monday, August 05, 2013 4:56 PM
  • Multihomed DCs are still not an option, because there are issues when two NICs register two different IPs in DNS, which creates conflicts with DNS name resolution. Certainly there are workarounds, but I wouldn't recommend having dual NICs, at least on the domain controller. Ace has a write-up, and it's a fantastic article to review.

    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, August 06, 2013 3:37 AM
  • 2 NICs, because I have users who are authenticated on the internal LAN (Int LAN), and the users themselves make certificate requests to a CA that is on a different network (Ext LAN).

    Now I move the question to the CA.
    When I request a certificate, the authentication is made by the CA to the DC, on behalf of the user, right?

    If so, then you just have 2 NICs on the CA (Int LAN and Ext LAN) and 1 on the DC (Int LAN). Correct?

    Thank you.

    /Mino

    Tuesday, August 06, 2013 7:21 AM
  • Hello,

    if you use multiple subnets "to a CA that has a different network (LAN Ext)" in a domain, connect them either with Layer 3 switches (VLANs) or routers, BUT not with a DC.

    DO NOT USE A DC with multiple NICs; this results in problems you will not have in the future.

    Also it is NOT RECOMMENDED to run any other server role on the Hyper-V host!!!

    I don't know anybody that would use a VMWare host to run other server roles on it. THIS IS THE SAME FOR HYPER-V!!!


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, August 06, 2013 8:38 AM
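    The DNS symptom the two replies above describe (two NICs on one DC registering two different addresses, so clients may resolve the DC to an address they cannot reach) can be audited from the DC itself. The following is an added PowerShell example, not code from any poster in this thread; it assumes the DnsServer module is present (it is when the DNS role is installed on the DC) and uses contoso.local as a placeholder zone name.

    ```powershell
    # Added example: audit a Windows Server 2012 DC for multihomed DNS registration.
    # Run in an elevated PowerShell session on the DC.
    $ZoneName = 'contoso.local'      # assumption: replace with your AD DNS zone
    $HostName = $env:COMPUTERNAME

    # 1. Which interfaces are set to register their address in DNS?
    $registering = Get-DnsClient |
        Where-Object { $_.RegisterThisConnectionsAddress } |
        Select-Object -ExpandProperty InterfaceAlias

    # Usable IPv4 addresses on those interfaces (skip loopback and APIPA)
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -in $registering -and
                       $_.IPAddress -ne '127.0.0.1' -and
                       $_.IPAddress -notlike '169.254.*' }

    Write-Host "Interfaces registering in DNS:"
    $addrs | Format-Table InterfaceAlias, IPAddress -AutoSize

    # 2. A records the zone currently holds for this host and for the zone apex
    #    (Netlogon registers every DC address at the apex for the DC locator too).
    $hostA = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A -ErrorAction SilentlyContinue
    $apexA = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@'       -RRType A -ErrorAction SilentlyContinue

    Write-Host "A records for $HostName in $ZoneName`:"
    $hostA | ForEach-Object { "  " + $_.RecordData.IPv4Address.IPAddressToString }
    Write-Host "A records at the zone apex ($ZoneName):"
    $apexA | ForEach-Object { "  " + $_.RecordData.IPv4Address.IPAddressToString }

    # 3. Flag the condition the thread warns about
    $nicCount  = ($addrs | Measure-Object).Count
    $hostCount = ($hostA | Measure-Object).Count
    if ($nicCount -gt 1 -or $hostCount -gt 1) {
        Write-Warning "Multihomed registration detected ($nicCount registering NICs, $hostCount A records)."
        Write-Warning "Clients on one subnet may pick the other NIC's address: LDAP/Kerberos/replication failures."
        Write-Host "Mitigation: leave exactly one NIC registering, then re-register, e.g.:"
        Write-Host "  Set-DnsClient -InterfaceAlias '<secondary NIC>' -RegisterThisConnectionsAddress `$false"
        Write-Host "  ipconfig /registerdns"
        Write-Host "  nltest /dsregdns        # refresh the DC's locator (SRV/apex) records"
    } else {
        Write-Host "OK: one registering NIC and one A record for $HostName."
    }
    ```

    Stale records that were registered before the second NIC was disabled do not disappear on their own; remove them from the zone (or let scavenging do it) after the re-registration.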
  • Maybe I have not made it clear ... sorry.
    Now I will describe the complete architecture so as to be clearer.

    I have 2 physical servers, in different sites, on which I will install Hyper-V 2012.
    Then I will create 2 VMs on each Hyper-V host:
      * 1 Server 2012 with the role of CA
      * 1 Server 2012 with the role of DC

    Now the CA must be in a geographic cluster across the two sites, same domain.

    At each site there will be a DC.

    Now I have users who are authenticated on the internal LAN (Int LAN), and the users themselves make certificate requests to a CA that is on a different network (Ext LAN).

    Now I move the question to the CA.

    Each CA will have 2 NICs for the "production" Int LAN and Ext LAN, 1 NIC for heartbeat, 1 NIC for iSCSI traffic.
    When I request a certificate, the authentication is made by the CA to the DC, on behalf of the user, right?

    If so, then you just have 2 NICs on the CA (Int LAN and Ext LAN) and 1 NIC on the DC (Int LAN). Correct?

    /Mino

    Tuesday, August 06, 2013 10:07 AM
  • Hello,

    ok for the part with the VMs installed on the Hyper-V host.

    Be aware that it is not recommended to run CAs on DCs, just to mention it.

    Authentication is done from the client to the DC and not from the client to the CA and then to the DC.

    The CA will provide the certificates you have chosen either to machines, users or services that need it in the domain, so what is your purpose for the certificate?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, August 06, 2013 11:22 AM
  • They are Web certificates (services).
    The CA is not installed on the DC but as a separate VM.

    So if the authentication is done directly between user and DC, configuring the CA with 2 NICs (Int and Ext LAN), the DC with 1 NIC (Int LAN) and the user computer with 1 NIC (Int LAN), does it work?

    /Mino

    Tuesday, August 06, 2013 11:43 AM
  • Hello,

    why do you need/use 2 NICs on the CA? If you build a cluster with Windows Server 2008 or higher, the heartbeat can be configured without a specific NIC.

    For the clustered CA setup you may ask in the following forum: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, August 06, 2013 12:08 PM
  • In addition, if the CA is in a different site, it probably won't be trusted by clients by default - just a consideration, if you are not aware. :)

    This seems more like a CA architecture so best to post in the link Meinolf posted.

    Tuesday, August 06, 2013 2:35 PM
  • Hi,

    Any updates?

    Please feel free to let us know if you need further assistance.

    Regards.



    Vivian Wang
    TechNet Community Support

    Thursday, August 08, 2013 2:17 AM