2 IP addresses on 1 DC
Posted by nricko@reddit | sysadmin | 41 comments
Hello,
Someone at work asked me to put 2 IP addresses on the DC1 of my organization.
Context :
I have 2 DCs and multiple clients (Windows & Linux). All the Windows clients are domain integrated. Their NTP source is DC1 (with the PDC emulator role). We call the IP address of DC1 "IP1". OK, no problem.
The Linux clients are not in the domain. There is a dedicated NTP server for them with IP address "IP2".
The idea is to remove this dedicated NTP server and to switch the Linux clients to DC1 as NTP source. OK.
For that, they asked me to add a new IP address to DC1. So this DC will have 2 IPs (IP1 + IP2) on the same network card (and both IPs are in the same network).
I'm not fond of this. I don't like the idea of having 2 different IPs on my DC1, for DNS, LDAP, Kerberos, etc. What are the risks?
For me it would be a better solution to reconfigure all the Linux clients with an FQDN (not an IP) as NTP source in chrony. That way we can manage it via an alias in DNS and voilà.
So my question is: what are the risks of configuring a second IP (in the same network) on the network card of my DC1?
Thank you in advance.
Enough_Pattern8875@reddit
Bro just create a DNS entry for it. Do not assign multiple IPs to a domain controller.
netmc@reddit
DCs get weird when having multiple IPs on the same LAN segment. It will work perfectly until it doesn't. As long as the network cards come up in the right order, everything will be fine. The moment the stars align and the NICs bind in the other order, all hell will break loose and you'll be pulling your hair out trying to hunt down seemingly random issues.
Different IPs on separate LAN segments are fine though.
_Do_The_Needful_@reddit
I worked with a guy who swore by adding secondary IPs to all machines for migration purposes, he would call them "service IPs". His idea was he would create a new server when the time comes, migrate the data, then move over the "service IP" to minimize downtime.
Aside from needing twice the size of an IP block for the same amount of servers, his systems constantly had problems. I left that place almost 10 years ago and never looked back. I would not recommend it.
DarkAlman@reddit
DCs really hate having multiple IP addresses assigned to them, so I wouldn't do this.
You can either build a dedicated NTP server with the IP address the Linux hosts are looking for, or spin up a new DC that uses that IP address.
Switching to a URL for time source would be even better, because then you can change it for all machines with 1 setting.
xewill@reddit
Incoming down votes, but my hot take is that it can be fine. Not ideal, but if needs must..
I had a situation using 2008 functional level AD where I needed to get rid of a legacy stand alone DNS/time server that was used in a hybrid NetWare/Microsoft stack .
The NetWare-managed kit and some switches used the old nameserver for DNS and NNTP; that old kit needed to retain service on both without changing the configured IP on a lot of endpoints.
So I spun up working services on DC2 (NNTP was a bitch, had to download something). On switchover day we added the IP as a sub-address on the NIC and the sky did not fall in. Everything was fine.
Everything was on the same subnet.
Dcdiag /test:DNS (syntax?) was used a lot before and after.
Active Directory uses SRV records in DNS to advertise the location of the services. As long as those resolve to routable IPs it's going to be fine.
ARJeepGuy123@reddit
We've had more than one IP on a DC before and it never caused any problems
DarkAlman@reddit
That you noticed
Your Kerberos tickets, and GPO processing was probably a total mess
xewill@reddit
Can you help me understand why this would be the case please.
DarkAlman@reddit
The biggest issue is that DNS will only respond with a single IP address for the server which may not be reachable by the client.
Typically the 2nd IP sits on a different subnet than the 1st IP.
So the device will do a lookup to talk to a DC to update a setting or a ticket, fail, and give odd behavior.
The AD and DNS services may also randomly refuse to bind to one of the IPs on the host.
redstarduggan@reddit
Yep, not seen issues, but it's a fairly basic flat setup. Plan to eventually remove them again, but lots of hard-coded DNS for factory systems to get shifted first.
LetSufficient5139@reddit
Just no. Yes, it'll appear to work, but you will have background Kerberos ticket failures with mismatched SPNs.
In your case the switches can be moved to a new time server without any issues; they can lose communication to the NTP server for quite a long period of time without cause for concern too. You didn't HAVE to do any of what you did, you just decided to go for the quick and dirty fix, as your situation was certainly not "needs must", more "what's easiest for us".
freethought-60@reddit
Forgive me, but I don't understand what the final goal is, or rather, what the specific reason and/or problem is that led to the removal of that specific "dedicated" server with unknown specifications. It seems to me like a sort of complication of simple matters, bearing in mind that relying on a single NTP source is most often considered a very bad idea.
I mean, if you have Linux machines it takes very little to configure chrony to provide time services.
nricko@reddit (OP)
The final goal is to rationalize the NTP architecture. Eliminating what they consider excess resources, blah blah...
There are a lot of different constraints, but I don't agree with this solution.
A dedicated NTP server with a DNS record for Linux NTP is fine for me. But I'm not the decision guy. So I want some arguments to push my views on the subject.
And as someone else said on this subject, I don't like to do more things than necessary on DCs.
Bright_Arm8782@reddit
Your PDC emulator should be the ultimate source of time for your AD domain.
Otherwise, enough drift will mean people won't be able to log in.
freethought-60@reddit
Then point your Linux machines to both your DCs, which I imagine are configured to receive the time from other upstream NTP sources and which I assume are both set to offer time services, via DNS or however else you deem appropriate but, as others have already suggested (correctly, they know this from experience), without complicating things with other network interfaces, multiple IPs and the like.
ihaxr@reddit
Sounds like the Linux team doesn't want to have to update all their servers with the proper DC1 IP address and instead wants OP to risk breaking AD
freethought-60@reddit
It could be, but since I don't know the environment, any hypothesis / advice is good.
InsaneITPerson@reddit
When I was working with newbies a long time ago there were several tips I used to tell them. A few were always check your physical link before messing with network settings. Another was never make changes to the default domain GPO that can be done in other GPOs. And then there was never use multiple IP addresses on any domain controller or use it as a router. This was during Windows 2000. Still sound practice today.
ORA2J@reddit
Yeah, when I was getting my degree, some dumb instructors made us do a setup where DCs were tied to a SAN through a secondary interface for backups. Of course, that IP wasn't routed by any means.
I'll let you guess how much stuff this crap messed up... The two guys that made us do this are probably the individuals I've hated the most to be around in my life, and these completely wrong teachings are just the tip of the iceberg.
Straight-Look7021@reddit
Alright I will express an opinion. You could and can do this - that does not mean you should. Why not set IP2 on the gateway (router/firewall) of the network the IP2 is on and have it forward requests to your DC on IP1?
Commercial_Growth343@reddit
I worked somewhere that had 2 IPs for their DCs because of DC migrations. Our clients and servers all had DNS entries pointed to the two original DCs, then we built 2 replacement DCs and did not want to change everyone's DNS to the new ones, so we just added 2nd IPs using the old server IPs to the new servers (immediately after shutting down the old DCs). Worked great and I would not question doing it again.
vabello@reddit
I would avoid this if there’s any other option, however, if it’s just a secondary IP on the same subnet as IP1, and all clients can reach it, it should work fine. The issue arises when you assign a second IP that isn’t reachable by some clients. The DNS records reference both IPs so it’ll be like having a domain controller in your site offline to clients all the time.
Unable-Entrance3110@reddit
I have multiple IPs on my DCs. One IP has no gateway and is the management network. I set a port-level ACL on the management VLAN so that NLA can't detect anything on it (it reliably comes up as unknown/public). This just leaves the process of re-binding the DNS server on the DC after reboot since it always binds to all available IPs. Oddly enough, my virtualized DCs don't have this problem even though they are also multi-homed.
vabello@reddit
Doesn’t that IP get registered in your AD zone?
Unable-Entrance3110@reddit
It is if it's bound as a listener on the DNS server. Otherwise, no.
vabello@reddit
I’ve never had luck having a domain controller not register every IP address bound to every NIC, regardless of DNS Server binding.
Main_Ambassador_4985@reddit
I have had to deal with multi-homed DCs on Server 2008 and 2012.
Don’t do it as a practice.
It requires more work in that it brings up more problems with DC service bugs and IP bindings. Be prepared to read event logs.
It will work most of the time and all of a sudden you are debugging Microsoft's problematic code updates.
Remember KISS. Keep it simple stupid.
gangaskan@reddit
This causes unforeseen issues on your network with Active Directory, DNS, DHCP, etc.
Keep the NTP server, it's not using any resources.
Better yet, what's to stop you from directing the DCs and any other devices to use that time source? That's what it's there for.
purplemonkeymad@reddit
While I don't recommend it, it will work if you are adding it to an existing interface. The problem with domain controllers and multiple IPs is that if one of those IPs is not routable for all clients (like in multi-homed setups), then it's not excluded as a DC to pick and some will probably pick that IP at some point.
But just to check, are you getting more CALs to cover the linux machines that will now be talking to your DC (since they were not doing so before?) I feel like the original setup might have been to avoid this.
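As an added check (not part of this thread) for the failure mode DarkAlman, vabello and purplemonkeymad describe: run from a domain-joined Windows client, it enumerates every A record each DC has registered, tests the AD ports against each address, and flags DCs that advertise more than one IP, so a registered-but-unreachable address shows up before clients trip over it. It assumes the DnsClient and NetTCPIP PowerShell modules (Windows 8.1 / Server 2012 R2 and later); the domain name is a placeholder, and the last step is meant to be run on the DC itself.

```powershell
# Added example, not from the thread. Placeholder domain; replace with yours.
$Domain = 'corp.example.com'

# 1. DCs advertise themselves through SRV records; collect the DC hostnames.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction Stop
$dcNames = $srv | Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique

# 2. Every address a DC registers for its hostname is a candidate the DC locator
#    can hand to a client, so test all of them rather than just the first answer.
$results = foreach ($dc in $dcNames) {
    $ips = Resolve-DnsName -Name $dc -Type A -DnsOnly |
           Where-Object { $_.Type -eq 'A' } |
           Select-Object -ExpandProperty IPAddress
    if (@($ips).Count -gt 1) {
        Write-Warning "$dc registers $(@($ips).Count) A records: $($ips -join ', ')"
    }
    foreach ($ip in $ips) {
        foreach ($port in 88, 389, 445) {   # Kerberos, LDAP, SMB (SYSVOL / GPO)
            $t = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; IP = $ip; Port = $port; Reachable = $t.TcpTestSucceeded }
        }
    }
}
$results | Sort-Object DC, IP, Port | Format-Table -AutoSize

# 3. The domain apex A records come from each DC's Netlogon registration too,
#    so a second IP on a DC also lands here.
Resolve-DnsName -Name $Domain -Type A -DnsOnly |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress

# 4. On the DC itself: compare the addresses on its NICs with what the DNS
#    server is listening on (assumes the DnsServer module, i.e. the DNS role).
#    Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress
#    (Get-DnsServerSetting -All).ListeningIPAddress
```

Any row with Reachable = False for a name that also resolves to a working address is exactly the "DC that looks offline to some clients" situation: the locator does not know one of the registered addresses is dead, so a share of clients will keep picking it.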
mjung79@reddit
I had inherited multiple IP addresses on domain controllers. It worked, but it was confusing and you needed to make sure every source of truth understood the multiple IPs (such as network or host firewalls). In general I would strongly recommend against this.
You should be reconfiguring your clients with the correct NTP information. If the clients are not in the same subnet you may be able to destination NAT the traffic but that is just kicking the can down the road. Rip off the bandaid and fix the client environment.
SevaraB@reddit
Multiple IPs on the same interface is bad news. Even putting an extra PCI card in there gets tricky because Windows makes a terrible router and is really weird about picking which interface to use for what. But with the same interface you also have to worry about which IP Windows will use to send requests, and source address selection algorithm isn’t exactly intuitive. A lot of software devs just make their stuff use whichever IP address has higher numbers and call it a day.
usmcjohn@reddit
I would move NTP to something else completely.
freethought-60@reddit
Which is a valid approach used in contexts where "AD" is not necessarily the center of the world and/or you don't want to build a dependency on something that might be unavailable.
joeykins82@reddit
Do not assign multiple IP addresses to a Domain Controller.
Your proposal of switching from the use of fixed IP addresses to DNS in the *nix NTP config is the correct course of action.
nricko@reddit (OP)
I think it's the best solution. But I don't find any "official" documentation on this to push my solution.
joeykins82@reddit
I've been working with Active Directory for 25 years: it's just one of those "don't do that, it's insane and unnecessary" things.
The only thing which should be making calls to a specific IP address is the DNS client configuration; everything else should use DNS resolution. It's a foundational step for IPv6 readiness and being future-proof by design seeing as future changes can be made by simply updating one DNS record instead of the configurations on every system.
rfc968@reddit
This.
On top of all the issues you'll get with routing, VLANs and ACLs, you'll royally bugger yourself with the NLA service. It will regularly decide the NIC is not connected to the domain network but rather "just" a private one, or worse, public, and thus apply different firewall rules. With that in mind, you may need to unnecessarily open up the firewall.
And that’s not even considering the more exotic and exciting issues with NPS/Radius.
Cormacolinde@reddit
That’s definitely the best option. If those two IPs are different subnets you could also do forwarding on the firewall.
ccsrpsw@reddit
DNS for NTP for non Windows domain machines. Always.
Add in things like smart room signs, Macs, any kind of IoT, and just the act of having ntp and ntp.domain.com exist will make things magically work (unless it has some weird embedded Android OS, then you need to fake up ntp.google.com to keep them going outside your network, but known thing, right?).
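What the OP's proposal, joeykins82's and ccsrpsw's comments amount to in chrony terms, as an added example that is not part of the thread: the pinned-address source beside the name-based one. Host, domain and address are placeholders; the drop-in path is the Debian/Ubuntu one (RHEL-family systems use /etc/chrony.conf or /etc/chrony.d/).

```conf
# /etc/chrony/conf.d/ad-time.conf   (added example, placeholder names)

# Before: source pinned to an address. Retiring or re-addressing the time
# server means editing every Linux client.
#server 192.0.2.20 iburst

# After: source by name. The name is an alias in the AD DNS zone
# (ntp.corp.example.com  CNAME  dc1.corp.example.com), so moving time
# service to another host is one DNS change and no DC gets a second IP.
server ntp.corp.example.com iburst
```

After dropping the file in, `systemctl restart chronyd` (or `chronyc reload sources` on recent chrony) and confirm with `chronyc sources -v` that the chosen source is the expected DC. chronyd resolves the name when the source is loaded, so after repointing the alias either restart the service or, on recent chrony, run `chronyc refresh` to re-resolve; a PDC emulator that is itself syncing from a reliable upstream is what makes this single name safe to point everything at.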
Horrigan49@reddit
Don't. Adding more IPs to a DC is bad practice; it can and will cause multiple issues.
If they need to have IP2 as NTP, set up an NTP relay on the IP2 device. That is much easier than fking the DC with a 2nd IP.
perth_girl-V@reddit
I don't believe adding a 2nd IP has any massive risk to domain functionality.