Avoiding a multi-homed Domain Controller in a dual network environment

Tags: active-directory, multi-homed, networking

I'm trying to take over an old infrastructure and clean it up, but I'm running into some issues deciding on the new architecture.

We have a set of around a dozen or two test/production servers in a rack, with two parallel networks between them. Each server has two NICs, and is connected to both networks.

One of the networks is the external net, with public internet IPs, and internet access. The other one is a local network, with internal IPs, and is used as a fast lane internal communication network, to transfer backups and connect to DBs, without being affected/affecting the external network's bandwidth.

I want to set up a domain controller in the network, and my initial plan was to set it up in the internal network, so all the AD communication is sent over the internal LAN, but if I want the AD to have internet access (for updates etc.) it would also have to be connected to the external network, which would make it multi-homed.

Alternatively, I can connect it to the external net only, but that would mean that AD communication goes over the external net as well, and the DNS names given to the servers will point to external IPs, which is not really what I want. Also, in this case all the servers will mark the external net adapter as a Domain adapter (ideally I would like the external adapter to be a "Public" network, and the internal one the "Private"/"Domain" network).

Is setting up the DC as a multi-homed server the only logical solution here? I feel like I'm missing something very simple

P.S. To note: I don't need the DC to be accessible from the internet, and the DNS names created by the DC should not be public, they're only for internal addressing.

P.P.S. My plan was to set up both NICs on the DCs (static IPs on both networks), block any incoming connections to the server over the external net adapter (it will be only for internet access), and bind the local DNS servers to the internal IP. Each of the servers in the net will be accessing the DC by the internal IP to avoid resolution issues. Does that sound good enough?
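The P.P.S. plan, scripted out as an added example (this is not code from the original question): static IPs on both NICs, inbound blocked on the external adapter, DNS bound to the internal IP, plus the extra steps a multi-homed DC needs so that its external address does not get registered in AD DNS. The interface aliases "Internal" and "External", the 10.0.0.0/24 internal range (DC = 10.0.0.10) and the 203.0.113.0/24 stand-in for the public range (DC = 203.0.113.10, gateway 203.0.113.1) are all assumptions; adjust them to the real environment.

```powershell
# Added example, not from the original post. Assumed names and addresses:
# "Internal"/"External" are the NIC aliases; 10.0.0.10/24 is the DC's internal
# address; 203.0.113.10/24 with gateway 203.0.113.1 stands in for the public
# address. Run in an elevated PowerShell session on the DC.

# 1. Static addresses. Only the external NIC gets a default gateway; the internal
#    NIC must not, or the DC ends up with two default routes.
New-NetIPAddress -InterfaceAlias "Internal" -IPAddress 10.0.0.10 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "External" -IPAddress 203.0.113.10 -PrefixLength 24 -DefaultGateway 203.0.113.1

# 2. Prefer the internal interface (lower metric wins) for source selection and binding order.
Set-NetIPInterface -InterfaceAlias "Internal" -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias "External" -InterfaceMetric 20

# 3. DNS client: the DC resolves through itself on the internal IP; the external NIC
#    gets no DNS servers and must not register its own address in AD DNS.
Set-DnsClientServerAddress -InterfaceAlias "Internal" -ServerAddresses 10.0.0.10
Set-DnsClientServerAddress -InterfaceAlias "External" -ResetServerAddresses
Set-DnsClient -InterfaceAlias "External" -RegisterThisConnectionsAddress $false

# 4. DNS server: listen on, and publish, only the internal IP. By default the server
#    binds to and advertises every address on the box.
dnscmd /ResetListenAddresses 10.0.0.10
dnscmd /Config /PublishAddresses 10.0.0.10

# 5. Firewall: a Block rule scoped to the external NIC, all profiles. Block rules win
#    over Allow rules in Windows Firewall, so this holds even if the NIC lands in the
#    Domain profile.
New-NetFirewallRule -DisplayName "Block all inbound on External" -Direction Inbound -InterfaceAlias "External" -Action Block -Profile Any

# 6. Verification: the DC's own host record and the domain's root A record should
#    show only 10.0.0.10. If 203.0.113.10 still appears, the external address is
#    being registered and member servers can pick it up.
Resolve-DnsName -Name "$env:COMPUTERNAME.$env:USERDNSDOMAIN" -Type A -Server 10.0.0.10
Resolve-DnsName -Name $env:USERDNSDOMAIN -Type A -Server 10.0.0.10
```

On each member server the same idea applies in reverse: point the internal NIC's DNS at 10.0.0.10 (`Set-DnsClientServerAddress -InterfaceAlias "Internal" -ServerAddresses 10.0.0.10`), clear DNS servers on the external NIC, and disable registration there. Step 6 is the check worth repeating after a reboot and after `ipconfig /registerdns`, since Netlogon re-registers the DC's records on its own schedule. Note that the network profile a NIC gets (Domain vs. Public) is decided by Network Location Awareness based on whether it can reach a DC; `Set-NetConnectionProfile -NetworkCategory` can move an adapter between Private and Public but cannot force or prevent the Domain classification, which is why the firewall rule above is scoped to the interface rather than to a profile.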

Best Answer

I think your plan is flawed.

From my point of view, the "right" thing to do is:

  • Put a Firewall in front of all of this
  • Put a Router in front of all of this (can be the same as the FW, depends of course)
  • Have all Servers as "internal", you can still segregate them into multiple networks of course
  • Disable/Rip out the secondary NIC if you don't need the bandwidth, or trunk them for failover
  • Forward the necessary ports to the necessary servers

Now you can just route "internally" between the networks, without multi-homing them.
