Windows 2012 Multihomed Domain Controller

In researching whether one can run a Windows 2012 domain controller with multiple network cards (aka “multihomed”) I ran into a lot of old posts referring to Windows 2003, Windows 2000 and even NT4 – but not a lot of new information.  All of them say something like a multihomed configuration “isn’t recommended” or “isn’t supported”; not many of the pages actually address whether it will work.  So here is my recent experience.

Yes, you can run a domain controller on a multihomed machine, but you need to make some configuration changes for it to work.

The reason that we wanted to do this was to physically split up the network traffic.  We were running a private network between all of our servers and the network attached storage, and didn’t want the clients to see this traffic at all, let alone have a badly behaving client overload the network hardware and impact the connection to storage.

For the purposes of demonstrating with an actual example, let’s assume that you have a machine with 2 network interface cards:

  • NIC 1: “PUBLIC” 192.x.x.x network (clients use this to reach the DC)
  • NIC 2: “PRIVATE” 10.x.x.x network (private network, only for servers or storage)

I’ve labelled the 192.x.x.x network as PUBLIC just so it’s clear that client machines use this to contact the DC, it doesn’t mean that the IP address is necessarily publicly routable.

Here are the changes needed:

1. [required] Prevent the DC from offering DNS services on the PRIVATE interface

  • Right-click the Windows menu and select Run
  • Type regedit and hit enter
  • Navitage to: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  • Add a new string: PublishAddresses
  • For the value, put the PUBLIC (192.x) static IP address

2. [optional] Remove unneeded items from the PRIVATE connection

Some of these may vary depending on your setup.  You should know what you need on your own PRIVATE network; we only needed TCP/IPv4 so here is what we disabled:

  • Open the Network and Sharing Center
  • Click on the connection for the PRIVATE network
  • Click on Properties
  • Uncheck “File and Printer Sharing for Microsoft Networks”
  • Uncheck “Microsoft Network Adaptor Multiplexor Protocol”
  • Uncheck “Link-Layer Topology Discovery Responder”
  • Uncheck “TCP/IPv6”

3. [required] Stop the PRIVATE address from being added as a DNS entry for this host

  • Open the Network and Sharing Center
  • Click on the connection for the PRIVATE network
  • Click on Properties
  • Click on TCP/IPv4
  • Click on Properties > Advanced
  • In the DNS tab, uncheck the box “Register this connection’s addresses in DNS”

4. [required] Remove PRIVATE addresses that were already registered

  • Open Server Manager
  • Click on Tools > DNS
  • Click on the folder for each of your forward lookup zones, and anywhere that you find a PRIVATE address, right-click and remove it
  • Open the folder for each of your forward lookup zones, and in each of the sub-folders also remove any PRIVATE addresses that you find (examine the whole tree)

5. [required] Reboot the machine

This is needed for all of the above changes to take effect.