By default, Windows servers will not accept connections that are initiated with an alias. To enable servers to be accessed by a DNS alias name, create and enable the DisableStrictNameChecking value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters on each server.
If the servers are joined to an Active Directory domain, you can also add the SPN of the alias to the computer that currently owns the name. However, if the SPN is added to a computer, you will need to remove the SPN and add it to the other computer when you change the alias to point to it.
https://support.microsoft.com/en-us/kb/281308
Another setting is the DisableLoopbackCheck. This isn't necessary for clients to access the server by the alias, but if you need to access the alias from the server itself, you will need to set DisableLoopbackCheck to 1.
https://support.microsoft.com/en-us/kb/926642
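The three settings above (strict name checking, the alias SPN, and loopback access), scripted as an added PowerShell example that is not part of the original post. It assumes a CNAME files.contoso.com pointing at the local server; the alias, the host name and the MSV1_0 path for BackConnectionHostNames are illustration values and assumptions, not taken from the post. It registers the alias in BackConnectionHostNames instead of flipping DisableLoopbackCheck, because the second switch removes the loopback check for every name while the first exempts only the names you list; the Move-AliasSpn helper is for the "move the SPN when the alias is repointed" case.

```powershell
# Added example, not the original post's code. Run elevated on the server that owns the alias.
# Assumptions: alias files.contoso.com is a CNAME for this host; MSV1_0 registry path per KB 926642.
param(
    [string] $Alias    = 'files.contoso.com',
    [string] $HostName = $env:COMPUTERNAME
)
$ErrorActionPreference = 'Stop'
$shortAlias = $Alias.Split('.')[0]

# 1. Let the SMB server answer for names other than its own (KB 281308): DWORD = 1.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $lanman -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Kerberos: the alias SPNs must live on the computer account that currently owns the name.
#    setspn -S checks the forest for a duplicate before adding; a duplicate SPN breaks Kerberos for both hosts.
foreach ($spn in "HOST/$Alias", "HOST/$shortAlias") {
    setspn -S $spn $HostName
}

# 3. Access from the server itself: list the alias in BackConnectionHostNames (KB 926642, method 1)
#    rather than setting DisableLoopbackCheck = 1, which disables the loopback check for all names.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString `
    -Value @($Alias, $shortAlias) -Force | Out-Null

Restart-Service LanmanServer -Force

# When the CNAME is later repointed at another server, move the SPNs with it (hypothetical helper).
function Move-AliasSpn {
    param([string] $Alias, [string] $OldHost, [string] $NewHost)
    $short = $Alias.Split('.')[0]
    foreach ($spn in "HOST/$Alias", "HOST/$short") {
        setspn -D $spn $OldHost   # remove from the old owner first, otherwise -S refuses the duplicate
        setspn -S $spn $NewHost
    }
}

# Verification (run after the change):
#   Resolve-DnsName $Alias -Type CNAME          -> alias resolves to this host
#   setspn -L $HostName                         -> HOST/files.contoso.com listed once in the forest
#   klist get "cifs/$Alias"                     -> a Kerberos ticket, not an NTLM fallback
#   Test-NetConnection -ComputerName $Alias -Port 445
```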
If you really need to multihome your DC, please follow these steps. I took them from there. The document links to old KBs, but it is an updated document by a known blogger.
The following are the manual steps to configure a Multihomed DC
Ensure that all the NICs point only to your internal DNS server(s) and to no others, such as your ISP's DNS server IP addresses.
In Network & Dialup properties, Advanced Menu item, Advanced Settings, move the internal NIC (the network that AD is on) to the top of the binding order (top of the list).
Disable the ability for the outer NIC to register. The procedure, as mentioned, involves identifying the outer NIC’s GUID number. The following link will show you how:
246804 – How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too):
http://support.microsoft.com/?id=246804
Disable NetBIOS on the outside NIC. That is performed by choosing to disable NetBIOS in IP Properties, Advanced; you will find it under the “WINS” tab.
You may want to look at step #3 in the following article, which shows you how to disable NetBIOS on the RRAS interfaces if this is an RRAS server.
Chapter 11 – NetBIOS over TCP/IP
http://technet.microsoft.com/en-us/library/bb727013.aspx
Or enable/disable NetBIOS on an interface in the registry:
To do it in the registry, you will need to identify the GUID of that interface (this may not apply to PPP interfaces):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces, find the GUID(s) with NetbiosOptions set to 0 and set them to 2.
Using WMIC:
First, get the list of interfaces:
wmic nicconfig get caption,index,TcpipNetbiosOptions
Then use the “index number” in the next command:
wmic nicconfig where index=1 call SetTcpipNetbios 2
SetTcpipNetbios options are:
0 – Use NetBIOS setting from the DHCP server
1 – Enable NetBIOS over TCP/IP
2 – Disable NetBIOS over TCP/IP
More info on the wmic commands and the registry entries can be found in this forum thread link:
Thread – Configuring NetBIOS over TCP/IP
http://social.technet.microsoft.com/Forums/en-US/winservercore/thread/d18bd172-e1a0-4a61-ba52-0952a1e3cabc/
Configure TCP/IP to use WINS
http://technet.microsoft.com/en-us/library/cc757386(WS.10).aspx
Note:
A standard Windows service, called the “Browser service”, provides the list of machines, workgroup and domain names that you see in “My Network Places” (or the legacy term “Network Neighborhood”). The Browser service relies on the NetBIOS service. One major requirement of the NetBIOS service is that a machine can only have one name mapped to one IP address. It’s sort of a fingerprint. You can’t have two brothers named Darrell. A multihomed machine will cause duplicate name errors on itself because Windows sees itself with the same name in the Browse List (My Network Places), but with different IPs. You can only have one, hence the error generated.
Disable the “File and Print Service” and disable the “MS Client Service” on the outer NIC. That is done in NIC properties by unchecking the respective service under the general properties page. If you need these services on the outside NIC (which is unlikely), which allow other machines to connect to your machine to access resources on your machine (shared folders, printers, etc.), then you will probably need to keep them enabled.
Uncheck “Register this connection” under IP properties, Advanced settings, “DNS” tab.
Delete the outer NIC IP address, disable Netlogon registration, and manually create the required records
a. In DNS under the zone name, (your DNS domain name), delete the outer NIC’s IP references for the “LdapIpAddress”.
b. If this is a GC, you will need to delete the GC IP record as well (the “GcIpAddress”). To do that, in the DNS console, under the zone name, you will see the _msdcs folder. Under the _msdcs folder, you will see the _gc folder. To the right, you will see the IP address referencing the GC address. That is called the GcIpAddress. Delete the IP addresses referencing the outer NIC.
1. To stop these two records from registering that information, use the steps provided in the links below:
Private Network Interfaces on a Domain Controller Are Registered in DNS
http://support.microsoft.com/?id=295328
2. The one section of the article that disables these records is done with this registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
(Create this Multi-String Value under it):
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress
GcIpAddress
The following link provides more information on the LdapIpAddress and GcIpAddress, as well as other Netlogon Service records:
Restrict the DNS SRV resource records updated by the Netlogon service[includingGC]:
http://technet.microsoft.com/en-us/library/cc778029(WS.10).aspx
3. Then you will need to manually create the LdapIpAddress and GcIpAddress records in DNS with the IP addresses that you need for the DC. To create the LdapIpAddress, manually create a new host under the domain, but leave the “hostname” field blank, and provide the internal IP of the DC, which results in a record that looks like:
(same as parent) A 192.168.5.200 (192.168.5.200 is used for this example)
4. You need to also manually create the GcIpAddress as well, if this is a GC. That would be under the _msdcs._gc SRV record under the zone. It is created in the same fashion as the LdapIpAddress mentioned above.
In the DNS console, right click the server name, choose properties, then under the “Interfaces” tab, force it only to listen to the internal NIC’s IP address, and not the IP address of the outer NIC.
Since this is also a DNS server, the IPs from all NICs will register, even if you tell it not to in the NIC properties. See this to show you how to stop that behavior (this procedure is for Windows 2000, but will also work for Windows 2003):
275554 – The Host’s A Record Is Registered in DNS After You Choose Not to Register the Connection’s Address:
http://support.microsoft.com/?id=275554
Disable the round robin functionality on the DNS server. To do so: (This step added 5/2010)
1. Click Start, click Settings, click Administrative Tools, and then click DNS.
2. Open the properties for the DNS server’s name.
If you haven’t done so, configure a forwarder. You can use 4.2.2.2 and 4.2.2.3 if you are not sure which DNS to forward to until you’ve got the DNS address of your ISP. How do you set a forwarder? Good question. Depending on your operating system, choose one of the following articles.
300202 – HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202
323380 – HOW TO: Configure DNS for Internet Access in Windows Server 2003 (How to configure a forwarder):
http://support.microsoft.com/d/id?=323380
Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2
http://technet.microsoft.com/en-us/library/cc754941.aspx
Active Directory and NAT
I thought I’d touch on this overlooked fact about AD communication through a NAT.
If a planned resource in the AD infrastructure uses AD authentication (Kerberos) and must traverse a NAT, it basically won’t work. This is due to secure RPC communications and NAT not being able to translate the traffic because of the encryption. If you really need to make it work, there are solutions to work around it, such as a direct VPN between the services across the NAT devices, or additional NICs directly connecting them. More on it in this link, and Microsoft’s take and solution on it:
Description of support boundaries for Active Directory over NAT
http://support.microsoft.com/default.aspx?scid=kb;en-us;978772&sd=rss&spid=12925
Active Directory communication fails on multihomed domain controllers
http://support.microsoft.com/kb/272294
Source IP address selection on a Multi-Homed Windows Computer
There is often confusion about how a computer chooses which adapter to use when sending traffic. This blog describes the process by which a network adapter is chosen for an outbound connection on a multiple-homed computer, and how a local source IP address is chosen for that connection.
Source IP address selection on a Multi-Homed Windows Computer
http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx
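The manual multihomed-DC procedure above, carried out end to end as an added PowerShell example; this is not the blogger's or the poster's code. It targets Windows Server 2012 or later (NetAdapter, DnsClient and DnsServer modules), whereas the quoted steps were written for Windows 2000/2003, so the "binding order" step becomes an interface-metric change. Everything below is an assumption chosen for illustration: adapters named Internal and External, the domain zone contoso.com with a delegated _msdcs.contoso.com zone, the DC address 192.168.5.200 from the page's own example, a second internal DNS server at 192.168.5.201, and a placeholder forwarder in the TEST-NET-2 range. The NAT and source-IP-selection notes are not covered by the script.

```powershell
# Added example, not from the quoted document. Run elevated on the multihomed DC after adjusting the parameters.
param(
    [string]   $InternalNic = 'Internal',               # assumption: adapter on the AD network
    [string]   $ExternalNic = 'External',               # assumption: the "outer" adapter
    [string]   $Zone        = 'contoso.com',            # assumption: domain zone
    [string]   $MsdcsZone   = '_msdcs.contoso.com',     # assumption: _msdcs delegated as its own zone
    [string]   $InternalIP  = '192.168.5.200',          # page's example DC address
    [string[]] $InternalDns = @('192.168.5.200', '192.168.5.201'),
    [string[]] $Forwarders  = @('192.0.2.53'),          # placeholder; use your real upstream resolvers
    [switch]   $IsGlobalCatalog
)
$ErrorActionPreference = 'Stop'

# Step 1: every NIC points only at internal DNS servers, never the ISP's.
foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    Set-DnsClientServerAddress -InterfaceAlias $nic.Name -ServerAddresses $InternalDns
}

# Step 2: on Vista/2008 and later the adapter binding-order list is replaced by the interface
# metric; the lowest metric wins, so give the internal NIC the lower value.
Set-NetIPInterface -InterfaceAlias $InternalNic -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $ExternalNic -AddressFamily IPv4 -InterfaceMetric 50

# Steps 3 and 6: outer NIC must not register its address in DNS ("Register this connection...").
Set-DnsClient -InterfaceAlias $ExternalNic -RegisterThisConnectionsAddress $false

# Step 4: disable NetBIOS over TCP/IP on the outer NIC by its interface GUID (NetbiosOptions = 2).
$guid = (Get-NetAdapter -Name $ExternalNic).InterfaceGuid
$nbt  = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$guid"
Set-ItemProperty -Path $nbt -Name NetbiosOptions -Value 2 -Type DWord

# Step 5: unbind File and Printer Sharing (ms_server) and Client for Microsoft Networks (ms_msclient).
Disable-NetAdapterBinding -Name $ExternalNic -ComponentID 'ms_server', 'ms_msclient'

# Step 7: stop Netlogon from registering LdapIpAddress (and GcIpAddress on a GC) automatically.
$nl    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$avoid = @('LdapIpAddress')
if ($IsGlobalCatalog) { $avoid += 'GcIpAddress' }
New-ItemProperty -Path $nl -Name DnsAvoidRegisterRecords -PropertyType MultiString -Value $avoid -Force | Out-Null

# Remove the outer-NIC copies of those records and create the internal ones by hand:
# LdapIpAddress is the "(same as parent)" A record in the domain zone, GcIpAddress the A record "gc" in _msdcs.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $InternalIP } |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force
Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $InternalIP -ErrorAction SilentlyContinue
if ($IsGlobalCatalog) {
    Get-DnsServerResourceRecord -ZoneName $MsdcsZone -Name 'gc' -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $InternalIP } |
        Remove-DnsServerResourceRecord -ZoneName $MsdcsZone -Force
    Add-DnsServerResourceRecordA -ZoneName $MsdcsZone -Name 'gc' -IPv4Address $InternalIP -ErrorAction SilentlyContinue
}

# Step 8: the DNS server listens only on the internal address, and (KB 275554) publishes only that
# address in its own host record, since the DNS service otherwise registers every NIC it owns.
dnscmd . /ResetListenAddresses $InternalIP
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
New-ItemProperty -Path $dnsParams -Name PublishAddresses -PropertyType String -Value $InternalIP -Force | Out-Null

# Step 9: round robin off, so the DC's name does not rotate between its addresses.
dnscmd . /Config /RoundRobin 0

# Step 10: forwarders for Internet resolution.
Set-DnsServerForwarder -IPAddress $Forwarders

# Apply and verify: restart DNS for PublishAddresses, re-register Netlogon records, check what is published.
Restart-Service DNS -Force
Restart-Service Netlogon -Force
nltest /dsregdns | Out-Null
$published = @((Resolve-DnsName -Name $Zone -Type A -Server $InternalIP).IPAddress)
$leaked    = @($published | Where-Object { $_ -ne $InternalIP })
if ($leaked.Count -gt 0) {
    Write-Warning "Outer-NIC address still published for $Zone : $($leaked -join ', ')"
} else {
    Write-Host "Only $InternalIP is published for $Zone."
}
```

Re-run the final Resolve-DnsName check a few minutes after Netlogon restarts and again after the next scavenging or replication cycle; a stale outer-NIC record can reappear if another DC still holds it, which is the "duplicate name" symptom the Note describes.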
Best Answer
I was having the same problem and it took me a couple of hours to figure out, so thought I'd share it.
Go to your Synology's Control Panel -> Network -> Advanced Settings (under General Tab) : Uncheck 'Reply to ARP Request if the Target IP address...'
Once you hit Apply, it may take a couple of minutes to take effect, and BAAM. Works like a charm!
Hope this helps