Change network location on Domain Controller

  • Question

  • I have a Windows Server 2008 domain controller with two network interfaces, one connected to our intranet and another connected to the Internet. When I finished installing the DC, both NICs were identified as Domain Network. Is it possible to change the NIC connected to the Internet to Public Network? I do know it's not good to connect the DC to the Internet, but it's required for our small corporate network.

    Thanks

    Leo


    Monday, September 2, 2013 10:01 AM

All replies

  • Network Location Awareness:

    http://technet.microsoft.com/en-us/library/cc753545(v=ws.10).aspx

    Domain. The domain network location type is detected when the local computer is a member of an Active Directory domain, and the local computer can authenticate to a domain controller for that domain through one of its network connections. An administrator cannot manually assign this network location type. Because of the higher level of security and isolation from the Internet, domain profile firewall rules typically permit more network activity than either the private or public profile rule sets. On a computer that is running Windows 7 or Windows Server 2008 R2, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter. On computers that are running Windows Vista or Windows Server 2008, then the Domain network location type is applied only when a domain controller can be detected on the networks attached to every network adapter.


    Devaraj G | Technical solution architect

    Monday, September 2, 2013 11:19 AM
  • I have a windows server 2008 domain controller with two network interfaces, one connected to our intranet and another connected to internet.

    Multi-homing a DC is not recommended. That was well described by Ace: http://blogs.dirteam.com/blogs/acefekay/archive/2009/08/03/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

    When I finish install the DC, both of NICs are identified as Domain Network. Is it possible to change the NIC connected to Internet as Public Network? I do know it's not good to connect the DC to Internet but it's required for our small corporate network.

    It is not a good practice to have a Public NIC for a DC. If you just need to make some DMZ servers communicate with the DC, then even a single NIC is enough; it is just a question of routing.

    If you would like to keep this NIC, you should at least disable DNS registration on it.

    For more details about network and NIC related configuration and questions, please consider asking them here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS&filter=alltypes&sort=lastpostdesc


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, September 2, 2013 10:51 PM
  • I agree with Mr X that it's not recommended to put a DC on the Internet, and second and most of all, never to multihome a DC. There are numerous ramifications that occur on a DC. Mr X posted my blog on how to configure it, but there's quite a number of things you have to do to it, and it does not negate the fact that it's still on the Internet.

    Assuming you are doing this for NAT reasons, you can purchase an inexpensive firewall/NAT/router, such as a Linksys, Netgear, and others, that will do the same job, and protect the DC and all internal machines. This device will perform NAT functions and be the gateway for your corporate network. If your budget allows, you can purchase a higher-end enterprise-class firewall device, such as a Cisco ASA. For the price, you get exceptional protection, and it's a fraction of the cost of devoting a full Windows machine to this purpose (cost of machine, operating system, possible drawback of attacks since it's directly connected, etc.).

    If you do not have the budget, then follow my blog and make the necessary registry and other changes so the public card does not get registered into DNS. However, it may still register as a domain on the external interface because it can find itself. However, if you change the external NIC DNS to external, it may not.

    See, this is part of the reason why we do not recommend this setup. You may be opening the DC up for possible attack.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by pbbergs [MSFT] Friday, September 6, 2013 12:06 PM
    Tuesday, September 3, 2013 5:16 AM
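Both Mr X's advice (disable DNS registration on the Internet-facing NIC) and Ace's point (make sure the public card does not get registered into DNS, and check what the DC actually publishes) can be audited and applied from PowerShell. The script below is an added example written for this thread; it is not code from the thread, from Ace's blog, or from Microsoft. It assumes Windows Server 2012 or later for the `Get-NetConnectionProfile` / `Set-DnsClient` cmdlets, an adapter alias of `External` for the Internet-facing NIC, and a constructed intranet address `10.0.0.10`; replace those with your own values. On the original poster's Server 2008 (without those cmdlets), the equivalent `netsh` command is shown in a comment.

```powershell
# Added example (not from the thread, Ace's blog, or Microsoft): audit and fix
# DNS registration on a multi-homed domain controller. Run elevated on the DC.
# Assumptions: Server 2012+ cmdlets; NIC alias 'External' and intranet address
# 10.0.0.10 are placeholders for this example.
$ExternalAlias = 'External'     # assumed alias of the Internet-facing NIC
$IntranetIP    = '10.0.0.10'    # constructed: the DC's internal address

# 1. Show which NLA profile each adapter received (Domain/Private/Public).
#    As the TechNet excerpt above explains, Domain is assigned automatically
#    and cannot be set by hand, so this step is for inspection only.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# 2. Stop the external adapter from registering its address in AD DNS.
Set-DnsClient -InterfaceAlias $ExternalAlias -RegisterThisConnectionsAddress $false
# Server 2008 equivalent (no DnsClient module): point the adapter at the ISP's
# resolver and disable registration with register=none, e.g.
#   netsh interface ipv4 set dnsservers name="External" source=static address=<ISP DNS> register=none

# 3. Verify: RegisterThisConnectionsAddress should be False for the external
#    adapter and True for the intranet adapter.
Get-DnsClient |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress

# 4. If the DNS Server role is on this DC, bind the service to the intranet
#    address only so it is not reachable from the Internet-facing interface.
dnscmd /ResetListenAddresses $IntranetIP

# 5. Re-register the host records and confirm that only the intranet address
#    is published for this DC.
ipconfig /registerdns
Resolve-DnsName -Name $env:COMPUTERNAME -Type A
```

Step 5 is the check that matters: if the external address still appears in the A record after re-registration, the adapter is still registering (or a stale record remains in the zone and needs to be deleted manually), which is exactly the situation Ace warns about above.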
  • Thanks guys. I understand it's not good to have multiple NICs on the DC. It's a challenge. I will follow the blog to try to configure it and also suggest my boss purchase a dedicated gateway instead of the one on the DC.
    Tuesday, September 3, 2013 8:42 AM
  • Hi,

    I would like to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Regards.


    Vivian Wang
    TechNet Community Support

    Friday, September 6, 2013 1:36 AM