There’s an interesting DNS registration behavior that occurs on domain controllers.  I’m not sure that it only occurs on domain controllers but I do know that it isn’t normal behavior.

Most of our hardware these days comes with two NICs as part of the standard package.  On a standard server, this doesn’t really mean much for DNS registration.  If both NICs are plugged in and configured, both NICs will register in DNS.  If only one NIC is plugged in and configured but both are enabled in the OS, only the configured NIC will be registered in DNS.  The other NIC will not get an APIPA address and will not register in DNS.  In ipconfig the adapter will show as Media disconnected.  This is the behavior that we’d expect and want.

Domain controllers behave differently though.  And this is something that came up in nearly every risk assessment that I performed so I thought it’d be worthwhile to mention it here.  A domain controller with two NICs where only one is plugged in and configured will still get an APIPA address (169.254.x.y) on the NIC with the media disconnected.  Additionally, and maybe even more bizarre, the primary NIC will register a host record for the domain name with the APIPA address of the disconnected NIC in DNS.

I haven’t researched why this behavior occurs so if you know why then I’d be interested to know it.  Typically I don’t like to blog on things when I can’t explain them but because this comes up so often and I haven’t had the time to test it, I wanted to get it posted so you can at least remediate the issue.

To prevent the APIPA address from being registered, disable the disconnected NIC in the operating system.  This will prevent the address from registering in DNS.