Ran into this issue the other day and figured I would share. I was setting up a DirectAccess deployment and the customer wanted to put the Network Location Server (NLS) on an existing Exchange Server 2007 Client Access Server (CAS). OK, no problem: add a second IP address to the server, create a second Web site in IIS, and change the site bindings so that each site listens on its own IP address.
Done, or so I thought. Soon afterward their Outlook clients started getting certificate errors (a name mismatch between the certificate and the FQDN of the host). Odd. I looked in DNS and found two A records for the host, one for each address. Doh, this is Windows Server 2008.
Microsoft rewrote the TCP/IP stack in Windows Server 2008 and Windows Vista. The new stack has a dual-IP-layer architecture (one transport layer shared by the IPv4 and IPv6 layers) and no longer has the notion of a "primary" IP address. When multiple addresses are assigned to one interface they are all treated as equals: the DNS client registers every one of them, and the source address for outbound packets is chosen by the stack's address selection rules rather than by the order in which you configured the addresses. This behavior is by design, not a bug. It is still a pain, because unless you do something about it the host name resolves to all of its addresses and clients round-robin between them. In this case some Outlook connections to the CAS FQDN landed on the NLS Web site, which answered with the NLS certificate, hence the name mismatch. That warning is a genuine TLS failure, so the fix is to correct DNS, not to teach users to click through it.
The painful workaround is to disable dynamic DNS registration on the NIC and then create the host's A record manually. The less painful workaround is to install the hotfix from KB975808 (http://support.microsoft.com/?kbid=975808), which applies to Windows Server 2008 SP2 and Windows Vista SP2. Once it is installed, netsh accepts a skipassource flag when adding an address. Setting it tells the stack not to use that address as the source for outgoing packets, and as a consequence the DNS client does not register it. For example:
netsh int ipv4 add address "Local Area Connection" 192.168.1.2 skipassource=true
You can confirm the flag took effect with netsh interface ipv4 show ipaddresses, which lists a "Skip as Source" column for every address on the box. Any A record that was already registered for the second address stays in DNS until you delete it or scavenging removes it, so check the zone after the change. Later versions of Windows ship the flag natively; on Windows Server 2012 and later it is also exposed in PowerShell as New-NetIPAddress -SkipAsSource.
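The same procedure scripted end to end, with the verification step the post leaves to you. This is an added example, not code from the original post or from Microsoft; it needs Windows Server 2012 / Windows 8 or later for the NetTCPIP and DnsClient cmdlets (the netsh equivalent for 2008 SP2 is in the comments), and the interface alias "Ethernet", the addresses 192.168.1.1 / 192.168.1.2, the host cas01.corp.example.com and the zone corp.example.com are all assumed values.

```powershell
# Added example (not from the original post): add the NLS address so that it is
# never used as a source address and never registered in DNS, then prove that
# the CAS host name resolves to the primary address only.
#
# On Windows Server 2008 SP2 with the KB975808 hotfix the equivalent is:
#   netsh interface ipv4 add address "Local Area Connection" 192.168.1.2 255.255.255.0 skipassource=true
#   netsh interface ipv4 show ipaddresses      (check the "Skip as Source" column)
#
# Interface alias, addresses, FQDN and zone below are assumed values.
param(
    [string]$InterfaceAlias = 'Ethernet',
    [string]$PrimaryIp      = '192.168.1.1',
    [string]$NlsIp          = '192.168.1.2',
    [int]   $PrefixLength   = 24,
    [string]$HostFqdn       = 'cas01.corp.example.com',
    [string]$ZoneName       = 'corp.example.com'
)

# Second workaround from the post: add the NLS address flagged SkipAsSource.
# If the address already exists (added earlier without the flag) set the flag
# in place instead of re-adding it. Returns the resulting SkipAsSource value.
function Add-SkipAsSourceAddress {
    param([string]$Alias, [string]$Ip, [int]$Prefix)
    $existing = Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip -ErrorAction SilentlyContinue
    if ($existing) {
        Set-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip -SkipAsSource $true
    } else {
        New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip -PrefixLength $Prefix -SkipAsSource $true | Out-Null
    }
    return (Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip).SkipAsSource
}

# First workaround from the post, for reference (not called below): stop the
# NIC from registering anything, then create the A record by hand on a DNS
# server with the DnsServer module, e.g.
#   Add-DnsServerResourceRecordA -ZoneName corp.example.com -Name cas01 -IPv4Address 192.168.1.1
function Disable-AdapterRegistration {
    param([string]$Alias)
    Set-DnsClient -InterfaceAlias $Alias -RegisterThisConnectionsAddress $false
}

# Verification: re-register, then resolve the host name against DNS (bypassing
# the local cache) and require that the NLS address is absent and the primary
# address present. Returns $true only when both hold.
function Test-SingleARecord {
    param([string]$Fqdn, [string]$Expected, [string]$Forbidden, [string]$Zone)
    Register-DnsClient               # same as ipconfig /registerdns
    Start-Sleep -Seconds 5           # give the dynamic update a moment to land
    $a = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly |
         Where-Object { $_.Type -eq 'A' } |
         Select-Object -ExpandProperty IPAddress
    if ($a -contains $Forbidden) {
        # The stale record registered before the flag was set does not go away
        # by itself; delete it on the DNS server (or wait for scavenging).
        $shortName = $Fqdn.Split('.')[0]
        Write-Warning ("$Fqdn still has an A record for $Forbidden. On the DNS server run:`n" +
            "  Remove-DnsServerResourceRecord -ZoneName $Zone -Name $shortName -RRType A -RecordData $Forbidden -Force")
        return $false
    }
    return ($a -contains $Expected)
}

$flag = Add-SkipAsSourceAddress -Alias $InterfaceAlias -Ip $NlsIp -Prefix $PrefixLength
"SkipAsSource on $NlsIp : $flag"
$ok = Test-SingleARecord -Fqdn $HostFqdn -Expected $PrimaryIp -Forbidden $NlsIp -Zone $ZoneName
"$HostFqdn resolves to the primary address only : $ok"
```

Run it elevated on the CAS. After the DNS side is clean, finish the check on the IIS side with netsh http show sslcert, which lists each IP:443 binding with its certificate hash; the NLS certificate should appear only against the NLS address and the Exchange certificate only against the primary one.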
With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, information assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 R2 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson has worked with and provided feedback on next-generation Microsoft technologies since their inception and has played a key role in expanding the automation and security practices at CCO. Tyson holds certifications including the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC), the SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).