Domain Controller 2012 Multihomed

-
Hi to all.
I've installed 2 Hyper-V 2012.
Now, I want to install 2 domain controllers on the respective Hyper-V.
These DCs must however have 2 network cards with 2 different IPs.
Are there problems with having the DC multihomed on 2012? Thanks to all for any suggestions.
/Mino
Answers
-
Hello,
why do you need/use 2 NICs on the CA? If you built a cluster with Windows Server 2008 or higher the heartbeat can be configured without a specific NIC.
For the clustered CA setup you may ask in the following forum: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Marked as answer by Vivian_Wang (Moderator), Monday, August 12, 2013 1:42 AM
All replies
-
There are problems, yes. Mainly around DNS.
There's a lot of threads on this, as below:
If you get DNS issues, which is usually what happens, you will have A LOT of issues. Group policy, replication errors, account lockouts, etc.
In fact some of my member servers are multi-homed and they experience lookup failures (2 NICs). So on a DC, it just won't be worth the purpose of 2 NICs (why do you want 2 NICs?).
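The DNS problem raised in this thread comes from more than one adapter registering an address for the same host name. As an added example that is not part of any poster's reply, this read-only PowerShell audit lists each active adapter, whether it is set to register in DNS, and whether its IPv4 address is currently published for the host; the function name `Get-DnsRegistrationAudit` is hypothetical, and it assumes Windows Server 2012 or later with the built-in DnsClient and NetTCPIP modules.

```powershell
# Added example: read-only audit, run locally on the server being checked.
function Get-DnsRegistrationAudit {
    param(
        # FQDN to look up; defaults to this machine's own name
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    # A records that DNS currently returns for this host name
    $published = @(Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress })

    foreach ($nic in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
        # Per-interface "Register this connection's addresses in DNS" setting
        $dns = Get-DnsClient -InterfaceIndex $nic.ifIndex
        $ips = @(Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            ForEach-Object { $_.IPAddress })

        foreach ($ip in $ips) {
            [pscustomobject]@{
                Adapter        = $nic.Name
                IPv4           = $ip
                RegistersInDns = $dns.RegisterThisConnectionsAddress
                PublishedInDns = $published -contains $ip
            }
        }
    }
}

$audit = @(Get-DnsRegistrationAudit)
$audit | Format-Table -AutoSize

# Flag the multihomed condition: several adapters registering, or several
# local addresses answering for the same host name.
$registering    = @($audit | Where-Object { $_.RegistersInDns } |
    Select-Object -ExpandProperty Adapter -Unique)
$publishedCount = @($audit | Where-Object { $_.PublishedInDns }).Count

if ($registering.Count -gt 1 -or $publishedCount -gt 1) {
    Write-Warning ("Multihomed DNS registration: adapters [{0}] register; {1} local IPv4 address(es) are published for this host." -f ($registering -join ', '), $publishedCount)
} else {
    Write-Output 'At most one adapter registers and at most one local address is published for this host.'
}
```

A warning here on a domain controller or member server means clients may resolve the host to an address they cannot reach, which matches the lookup failures described above.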
-
Why do you need 2 NICs on a DC?
Anyway, review the following article. This is applicable for Windows 2012 DCs also.
http://support.microsoft.com/kb/272294
Santhosh Sivarajan | Houston, TX
Windows 2012 Book - Migrating from 2008 to Windows Server 2012
http://www.sivarajan.com/
This post is provided ASIS with no warran
-
Multihomed DCs are still not an option because there are issues when two NICs register two different IPs in DNS, which creates conflicts with DNS name resolution. Certainly, there are workarounds, but I wouldn't recommend having dual NICs, at least on the domain controller. Ace has a write-up and it's a fantastic article to review.
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
2 NICs, because I have users who are authenticated on the internal LAN (Int LAN), and the users themselves make certificate requests to a CA that has a different network (LAN Ext).
Now I move the question on to the CA.
When I request a certificate, the authentication is made by the CA to the DC, on behalf of the user, right??
If so, then you just have 2 NICs on the CA (Int LAN and Ext LAN) and 1 on the DC (Int LAN). Correct??
Thank you.
/Mino
-
Hello,
if you use multiple subnets "to a CA that has a different network (LAN Ext)" in a domain, connect them either with Layer 3 switches (VLANs) or routers BUT not with a DC.
DO NOT USE A DC with multiple NICs, this results in problems you will not have in the future.
Also it is NOT RECOMMENDED to run any other server role on the Hyper-V host!!!
I don't know anybody that would use a VMware host to run other server roles on it. THIS IS THE SAME FOR HYPER-V!!!
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Maybe I have not made it clear ... sorry.
Now I'll describe the complete architecture so as to be clearer.
I have 2 physical servers, in different sites, on which I will install Hyper-V 2012.
Then I will create 2 VMs on each Hyper-V:
* 1 Server 2012 with the role of CA
* 1 Server 2012 with the role of DC
Now the CA must be in a geographic cluster of two sites, same domain.
At each site there will be a DC.
Now I have users who are authenticated on the internal LAN (Int LAN), and the users themselves make certificate requests to a CA that has a different network (LAN Ext).
Now I move the question on to the CA.
Each CA will have 2 NICs for the "production" Int LAN and Ext LAN, 1 NIC for heartbeat, 1 NIC for iSCSI traffic.
When I request a certificate, the authentication is made by the CA to the DC, on behalf of the user, right?
If so, then you just have 2 NICs on the CA (Int LAN and Ext LAN) and 1 NIC on the DC (Int LAN). Correct?
/Mino
-
Hello,
ok for the part with the VMs installed on the Hyper-V host.
Be aware that it is not recommended to run CAs on DCs, just to mention it.
Authentication is done from the client to the DC and not from the client to the CA and then to the DC.
The CA will provide the certificates you have chosen either to machines, users or services that need it in the domain, so what is your purpose for the certificate?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
They are Web certificates (services).
The CA is not installed on the DC but as a separate VM.
So if the authentication is done directly between user and DC, configuring 2 NICs on the CA (Int and Ext LAN), 1 NIC on the DC (Int LAN) and the user computer with 1 NIC (Int LAN), does it work?
/Mino