Author: NetworkAdminKB.com

Created: 2011-03-01

Modified: 2011-03-05

 

Information:

This article provides instructions on how to multihome a Windows 2008 server.  While Windows 2008 server is used in this example the concepts can be applied to any Windows OS.

 

These instructions apply in most cases where dual homed or multihomed computers are used.  These instructions are not for use in an attempt to load balance or round robin DNS communications to multihomed computers. Common examples of multihomed computers that fit these criteria include Firewalls, SMTP Gateways, Clustered Servers, Application Gateways, Proxy Servers, etc.  However, many of the recommendations can be applied to other situations.  Always check for application support before implementing multihomed computers.  Some applications / vendors do not support it.

 

In general, always consider the use of multihomed computers as a last resort / temporary solution.  Usually, the proper solution is to leverage routing between the networks.  If the networks are currently disjointed you should consider joining the networks together or implement separate solutions for each network.

 

These outlines focus on TCP/IP version 4, but the same concepts apply if your primary protocol is TCP/IP version 6; just adjust the preferences accordingly.

 

How to configure multihomed computers for the most common situations

1)      Assumptions:

a.       A common set of DNS servers are used / or the Secondary Network does not use DNS.

2)      Determine the Primary and Routing NIC

a.       Selecting the Primary and Routing NIC is based on which NIC/IP Address will communicate to the most networks.  In routing terms, you should only have one default gateway, and that gateway should know about as many networks as possible.

b.      This NIC/IP Address will be registered in DNS and WINS allowing other computers to resolve to this name only.

c.       Rename this NIC as Primary

d.      Configure the TCP/IP properties on this NIC as normal

    i.      IP Address

    ii.     Subnet Mask

    iii.    Gateway

    iv.     Primary and Secondary DNS

    v.      Primary and Secondary WINS

3)      Secondary NIC

a.       This NIC is configured with an IP Address and Subnet Mask only. 

b.      Rename this NIC as Secondary

c.       This NIC should never be configured with a default gateway, DNS or WINS Settings.

d.      Allowing this NIC to register in DNS is not recommended.

    i.      On the DNS tab disable DNS Registration.

e.       Allowing this NIC to register in WINS is not recommended.

    i.      Do not configure WINS Server settings.

    ii.     On the WINS tab, disable NetBIOS to prevent this NIC from responding to NetBIOS broadcasts for the server name.

f.        You may manually configure static DNS entries for this IP Address.  You should not use the existing Server name, but rather a unique DNS name instead.

    i.      Example: Server-nic2.dns.fqdn

4)      Disable Computer Browser

a.       In Windows 2008 this is already disabled; verify this service is still disabled.

b.      Failure to disable the Computer Browser can cause issues with the Network Neighborhood computer listing.

5)      Adjust Network Binding order

a.       Place the Primary NIC on top, then the Secondary NIC.

b.      Place TCP/IPv4 (or TCP/IPv6 if preferred) before any other protocols.

6)      Add Persistent Static Routes as needed

a.       Any network that the Secondary NIC needs to communicate with must have a static route added so the Secondary NIC is the preferred NIC.

b.      Below is an example, where 192.168.1.1 is the gateway available to the Secondary NIC.  You should configure a metric value less than that assigned to the Primary NIC.

 

Route -p -4 add 10.0.0.0 mask 255.0.0.0 192.168.1.1 metric 1

 

c.       In general, use route summaries (mask 255.0.0.0) for these persistent routes.  The routes in the routing table are evaluated from the most specific subnet mask to the least specific.  For example 255.255.255.255, then 255.255.255.254, then 255.255.255.252, etc.  If you have specific questions about what routes to enter, talk to the people that maintain your routers on the network.

7)      Third, Fourth, etc NICs

a.       Configure Third and beyond NICs the same way as the Second NIC

b.      Adjust the Network Binding Order so that Third and beyond NICs are listed after the Primary NIC.

c.       Add persistent Static Routes for the Third and beyond NIC Networks.

 

How to configure multihomed computers for almost any situation

The following outline is provided as a guide and should be very helpful in planning the configuration of a multihomed computer.  Read through it carefully and make sure you understand the following topics before reading the outline.

 

  • Disjointed Networks: are networks that have no routing between them.  Because of this the multihomed computer attaches directly to each of these networks.
  • DMZ: Is a separate subnet of your Internal Network protected by a firewall.  The firewall usually restricts access from the DMZ to the Internal Network for various reasons.  A DMZ may have its own domain and DNS servers that reside on the DMZ network for use only by those computers, or the DMZ may use the same internal domain and DNS servers, or the DMZ may have no domain or DNS servers.  Basically the implementation of the DMZ may vary greatly between organizations.
  • Internal Network: Is usually your company network.  It may be any size and span multiple locations.
  • Fully Routable Network: Is when a computer anywhere on the network can communicate with any other computer on the network.  This is also called an any-to-any network.  Name resolution via DNS/WINS is not a consideration, only the ability to establish IP communication from any IP Address to any IP Address.
  • Clustered Server: For the purpose of this article, this is a server that has two network connections.  One NIC is connected to an Internal Network or DMZ, the other NIC is attached to a private or disjointed network that does not contain DNS or WINS servers.
  • Local Network: Is the IP Address range assigned to the computer for each NIC.  These IP Address ranges are considered local because a router/gateway is not needed to communicate with other devices in this range.
  • Non-Local or Remote Networks: are IP Address ranges that require the use of a router to communicate with devices in those IP Address ranges.
  • Primary DNS Suffix: Is the DNS Zone the computer registers itself with using Dynamic DNS.  This setting should be manually configured on computers in a workgroup. By default, this setting will be registered with all DNS servers listed on any NIC.  For more information, read the article "How the Client DNS Settings work to resolve DNS names".  The Primary DNS Suffix is configured in the following location on Windows 2008.

  • Routing Table: is a set of rules that are used to determine where IP packets are to be sent.  The routes in the routing table are evaluated from the most specific subnet mask to the least specific.  For example 255.255.255.255, then 255.255.255.254, then 255.255.255.252, etc.  The route that is selected is the one that matches the IP Address Range and has the most specific Subnet mask.
  • Round Robin DNS: is a technique for load balancing (and/or providing fault-tolerance) by alternating which IP Address is returned when multiple DNS Host (A) records exist with the same name.  It is enabled by default on all Windows 2003/2008 DNS Servers.

 

1)      Determine and configure the Routing NIC

a.       Select the Routing NIC based on which NIC/IP Address will communicate with the most networks.  In routing terms, the computer should only have one default gateway, and that gateway should know about as many networks as possible.  FYI: This reduces the routing table administration of this computer!

b.      Configure the TCP/IP properties on the Routing NIC to include the Default Gateway

    i.      IP Address

    ii.     Subnet Mask

    iii.    Default Gateway

c.       Do not configure any other TCP/IP Properties at this time.

2)      Configure the Non-Routing NICs IP Configuration

a.       The Non-Routing NIC is configured with an IP Address and Subnet Mask only.

    i.      Do not configure a default gateway for this NIC’s IP Address.

b.      Do not configure any other TCP/IP Properties at this time

3)      Determine the Primary IP Address and configure DNS/WINS settings.

a.       Use the following outline to help you select which IP Address will be registered in DNS/WINS, perform all DNS/WINS queries for the computer, and be the Primary IP Address provided by DNS/WINS to other computers.

    i.      If the NICs are connected to Disjointed Networks or this is a Clustered Server.

        1.      Only one network has DNS/WINS Servers or this is a Clustered Server

            a.       Select the IP Address that can communicate with these DNS/WINS Servers.

            b.      Configure the DNS/WINS TCP/IP properties on this NIC

                i.      Primary and Secondary DNS

                ii.     Primary and Secondary WINS

        2.      Both networks have DNS Servers

            a.       Select the IP Address that can communicate with the DNS servers that contain the DNS Zone the computer uses as its Primary DNS Suffix.

                i.      Checking this setting is a quick way of determining domain or workgroup membership.  Always allow the computer to use Dynamic DNS (DDNS) and self register its Primary IP Address in its Primary DNS Zone.

            b.      Configure the DNS/WINS TCP/IP properties on this NIC

                i.      Primary and Secondary DNS

                ii.     Primary and Secondary WINS

    ii.     If the NICs are connected to a DMZ and Internal Network

        1.      Select the IP Address that can communicate with the DNS servers that contain the DNS Zone the computer uses as its Primary DNS Suffix

            i.      Checking this setting is a quick way of determining domain or workgroup membership.  Always allow the computer to use Dynamic DNS (DDNS) and self register its Primary IP Address in its Primary DNS Zone.

            ii.     Configure the DNS/WINS TCP/IP properties on this NIC

                1.      Primary and Secondary DNS

                2.      Primary and Secondary WINS

    iii.    If the NICs are connected to a fully routed network

        1.      Select the IP Address assigned to the Routing NIC

            a.       Configure the DNS/WINS TCP/IP properties on this NIC

                i.      Primary and Secondary DNS

                ii.     Primary and Secondary WINS

b.      Rename this NIC as Primary

4)      Configure other/Secondary NIC

a.       Select the other/Secondary NIC

b.      Rename this NIC as Secondary

    i.      If the NICs are connected to Disjointed Networks or this is a Clustered Server.

        1.      Only one network has DNS/WINS Servers

            a.       Never configure DNS or WINS settings on the Secondary NIC.  The Primary NIC does all DNS/WINS communications.

                i.      Never allow this NIC to register in DNS

                    1.      On the DNS tab, disable DNS Registration

                ii.     On the WINS tab, disable NetBIOS to prevent this NIC from responding to NetBIOS broadcasts for the server name.

        2.      Both networks have DNS Servers and no overlap/duplication of DNS Zones exists.

            a.       Configure Primary and Secondary DNS Servers on the Secondary NIC

                i.      Never allow this NIC to register in DNS

                    1.      On the DNS tab, disable DNS Registration

                    2.      Manually configure a DNS entry for this IP Address in the required DNS zone.

        3.      Both networks have WINS Servers

            a.       Configure Primary and Secondary WINS Servers

                i.      Verify only this NIC’s IP address is registered in WINS.  Check the Primary NIC’s WINS Servers registration as well.

    ii.     If the NICs are connected to a DMZ and Internal Network

        1.      No DNS/WINS Servers are available via the Secondary NIC.

            a.       Do not configure DNS/WINS Server settings for the Secondary NIC

            b.      On the DNS tab, disable DNS Registration

            c.       On the WINS tab, disable NetBIOS to prevent this NIC from responding to NetBIOS broadcasts for the server name.

        2.      DNS Servers are available on the Secondary Network, and they contain different DNS Zones.  Some DNS Zone overlap may occur on the DNS Servers.

            a.       Configure Primary and Secondary DNS Servers

                i.      Never allow this NIC to register in DNS

                    1.      On the DNS tab, disable DNS Registration

                ii.     Manually configure a DNS entry for this IP Address in the required DNS zone

        3.      WINS Servers are available via the Secondary NIC.

            a.       Configure Primary and Secondary WINS Servers

            b.      Verify only this NIC’s IP address is registered in WINS.  Check the Primary NIC’s WINS Servers registration as well.

    iii.    If the NICs are connected to a fully routed network

        1.      Do not configure DNS/WINS Servers settings for the Secondary NIC

            a.       On the DNS tab, disable DNS Registration

            b.      On the WINS tab, disable NetBIOS to prevent this NIC from responding to NetBIOS broadcasts for the server name.

            c.       When manually configuring static DNS entries for this IP Address:

                i.      Do not create a DNS Host (A) Record in the same DNS Zone the Primary NIC’s IP Address is registered in.  This will enable round robin DNS lookups.  Doing so will cause communication problems using the DNS name.

5)      Disable Computer Browser

a.       In Windows 2008 this is already disabled; verify this service is still disabled.

b.      Failure to disable the Computer Browser can cause issues with the Network Neighborhood computer listing.

6)      Adjust Network Binding order

a.       Place the Primary NIC on top, then the Secondary NIC.

b.      Place TCP/IPv4 (or TCP/IPv6 if preferred) before any other protocols.

7)      Add Persistent Static Routes as needed

a.       Any network that the Non-Routing NIC needs to communicate with must have a static route added so the Non-Routing NIC is the preferred NIC.

b.      Below is an example, where 192.168.1.1 is the gateway available to the Non-Routing NIC.  You should configure a metric value less than that assigned to the Routing NIC.

 

Route -p -4 add 10.0.0.0 mask 255.0.0.0 192.168.1.1 metric 1

 

c.       In general use route summaries (mask 255.0.0.0) for these persistent routes.  If you have specific questions about what routes to enter talk to the people that maintain your routers on the network.

8)      Third, Fourth, etc NICs

a.       Configure the Third NIC and beyond the same way as the Secondary NIC

b.      Adjust the Network Binding Order so that Third NIC and beyond are listed after the Primary NIC.

c.       Add persistent Static Routes for the Third and beyond NIC Networks.

 

 

Known Issues and Limitations

Not all applications or Microsoft Services / functionality are supported on multihomed servers.  Be sure to research your application’s support for multihomed computers.  It is not recommended that you multihome these services.

  • DHCP
  • DNS
  • WINS
  • Active Directory / Domain Controllers

 

More Information:

Every device on a TCP/IP network contains a local routing table.  A routing table is not limited to only routers.  To view the routing table on any Microsoft Windows operating system use the route print command. 

 

The routing table helps the OS determine which NIC should be used to send packets out.  On a multihomed computer it is important to configure the routing table of the OS appropriately to make sure the appropriate NICs are used to establish, respond, and maintain TCP/IP communications.

 

A packet is sent to the default gateway only when no route exists in the routing table.  On a computer with a single NIC and IP address it is acceptable to send all non-local packets directly to the default gateway.  However, on a multihomed computer the default gateway is generally used to communicate with unknown networks while a routing table provides information about all known networks.
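The selection rule described above (most specific mask first, default gateway only when nothing else matches), as an added Python example that is not part of the original article. It is a simplified model rather than Windows' own implementation: one metric per route stands in for the combined route and interface metric, and the Primary NIC addressing (172.16.5.0/24, gateway 172.16.5.1) and the metrics of 10 are constructed; only the 10.0.0.0 route via 192.168.1.1 with metric 1 comes from the article.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str   # "on-link" for a directly attached (local) network
    nic: str
    metric: int


def route(dest: str, mask: str, gateway: str, nic: str, metric: int) -> Route:
    """Build a Route from the same fields that 'route add' takes."""
    return Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, nic, metric)


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Simplified selection: most specific matching mask, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None  # no default gateway and no matching route: unreachable
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def default_routes(table: List[Route]) -> List[Route]:
    """Routes with mask 0.0.0.0; the article calls for exactly one."""
    return [r for r in table if r.network.prefixlen == 0]


# Constructed addressing for the Primary NIC and the two local networks (assumed).
BASE_TABLE = [
    route("0.0.0.0", "0.0.0.0", "172.16.5.1", "Primary", 10),
    route("172.16.5.0", "255.255.255.0", "on-link", "Primary", 10),
    route("192.168.1.0", "255.255.255.0", "on-link", "Secondary", 10),
]
# The article's persistent route:
#   route -p -4 add 10.0.0.0 mask 255.0.0.0 192.168.1.1 metric 1
TABLE = BASE_TABLE + [route("10.0.0.0", "255.0.0.0", "192.168.1.1", "Secondary", 1)]

if __name__ == "__main__":
    cases = (("without static route", BASE_TABLE), ("with static route", TABLE))
    for dst in ("10.20.30.40", "192.168.1.50", "203.0.113.7"):
        for label, tbl in cases:
            r = select_route(tbl, dst)
            print(f"{dst:<14} {label:<22} -> {r.nic} via {r.gateway}")
    print("default gateways:", len(default_routes(TABLE)))
```

Without the persistent route, traffic for 10.x.x.x matches only the 0.0.0.0 entry and leaves through the Primary NIC's default gateway, which is the misrouting the static route exists to prevent.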

 

Firewalls are a good example of having the Primary NIC connected to the Internet configured with the default gateway (these are the unknown networks), while all known internal networks must be configured into the firewall’s routing table to support the Secondary NIC.

 

The following is a list of common terminology that you may encounter while reading about multihomed computers.  Understanding the terminology and its uses will help you understand that all of the various recommendations for configuring a multihomed computer are really the same.

 

| NIC with gateway | NIC without gateway | Description |
| --- | --- | --- |
| Primary / Routing | Secondary / Non-routing | Generic language |
| Unknown Networks | Known Networks | Internet/3rd party vs internal networks |
| External Networks | Internal Networks | Internet/3rd party vs internal networks |
| Many Networks | Few Networks | All networks are internal and known. Configure the default gateway on the NIC that knows about the most networks. |
| Public | Private/Heartbeat | Cluster terminology. |
| DMZ | Public | One side in the DMZ, one side on the internal network.  Communications from the DMZ to the internet will go through the Firewall, the firewall should be configured as the default gateway on the DMZ NIC. |

 

Microsoft KB Articles:

Active Directory communication fails on multihomed domain controllers

Default Gateway Configuration for Multihomed Computers

Multihomed DHCP server does not allocate IP addresses

Multihomed DHCP Server Assigns Duplicate IP Addresses

 

Article ID: 14, Created On: 9/16/2011, Modified: 9/16/2011