Fine Grained Control When Registering Multiple IP Addresses On a Network Card


Edit: 24-1-2013: A second article using PowerShell 3.0 is here

Edit: 30-1-2013: A third article using advanced PowerShell 3.0 is here.

Edit: 28-8-2013: A similar issue with the setting being removed is present in Windows Server 2012.  Article with workaround is here

 

 

The previous behaviour in Windows was to register all IP addresses that were entered on the network card’s property sheet into DNS if the “Register this connection’s address in DNS” option was selected (which is the default).

Register In DNS Option on Network Card

 

For servers with a single NIC which has one IP bound to it this works great as we can dynamically register changes in IP addressing into DNS and all in the world is good.  What happens though when you start to complicate matters and have additional IPs and additional NICs?

In the two NIC scenario, it is easy to set one NIC to register into DNS and then clear the register in DNS option for the second NIC.  That way the IP on the first NIC is registered and the IP on the second NIC is not.  This would be a common scenario for a server that had multiple interfaces where one would be used for a management/backup purpose and end users should not be able to resolve the server’s name to the management IP as their traffic would not be allowed to route to that interface.  That’s fine, but what about the scenario of a single NIC with multiple IPs bound to it? An example would be a web server with multiple IPs for different web sites.

Previously, if you did not want the server to register all of its IPs into DNS, then the register in DNS option would have to be disabled and the administrator would have to manually maintain the DNS registration information in the DNS zone.  If this was not done then all the IPs that were bound to the server would be registered in DNS and clients potentially would be returned an incorrect IP.

Windows 2008 and 2008 R2 now have the option to selectively register IPs into DNS.  This capability was first released as an update for Windows 2008 and 2008 R2.  After you install this hotfix, you can assign IP addresses that will not be registered for outgoing traffic on the DNS servers by using a new flag of the Netsh command. This new flag is the skipassource flag.

For example, the following command creates an IPv4 address that is not registered for outgoing traffic on the DNS servers:

Netsh Int IPv4 Add Address <Interface Name> <IP Address> SkipAsSource=True

 

"Interface Name" is the name of the interface for which you want to add a new IP address.

"IP Address" is the IP address you want to add to this interface.

 

For example:

Netsh Int IPv4 Add Address Team-1 172.16.5.10 SkipAsSource=True

 

 

How can I see what IPs have this flag set?  To list the IPv4 addresses that have the skipassource flag set to true, run the following command:

Netsh int ipv4 show ipaddresses level=verbose
 

Note the “Skip As Source” entries in the output below:

Skip As Source

 

That’s all pretty neat, but if you are wondering what your interface name is, check the GUI or run the following Netsh command to show the interfaces:

Netsh Interface Show Interface

 

Netsh Interface Name

Note the Interface Name column on the right-hand side, which corresponds to the name shown in the GUI:

Windows Network Connections

 

Note that once you have configured the above, if you then go to the regular GUI and make changes there, the SkipAsSource flag is overwritten unless you have installed the update to correct this known issue.

Consider the following scenario:

  • You have a computer that is running Windows 7 or Windows Server 2008 R2.
  • You install hotfix 2386184 (http://support.microsoft.com/kb/2386184/ ) on the computer to enable the skipassource flag of the netsh command.
  • You assign many IP addresses to a network adapter on the computer by using the netsh command together with the skipassource flag.
  • You update some IP settings for the network adapter in the Network and Sharing Centre graphical user interface (GUI). For example, you edit the subnet mask of an IP address that has the skipassource flag set to true.

The issue occurs because the GUI does not recognize the skipassource flag, and the GUI uses an incorrect method to handle changes of IP settings. When IP settings are changed, the GUI deletes all the old IP addresses from the old list and then adds new IP addresses to the new list. Because the GUI does not know the skipassource flag, the GUI does not copy the flag when IP addresses are added to the list. Therefore, the skipassource flag is cleared.
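
The flag check and repair described above can be scripted. The following is an added example, not part of the original article; it assumes Windows Server 2012 or later, where the Get-NetIPAddress and Set-NetIPAddress cmdlets are available, and it reuses the Team-1 and 172.16.5.10 values from the netsh example as the intended configuration.

```powershell
# Added example: detect and repair SkipAsSource drift after a GUI edit.
# Assumes Windows Server 2012 or later (NetTCPIP and DnsClient modules)
# and an elevated session. 'Team-1' and 172.16.5.10 are the article's
# example values; $ShouldSkip is the administrator's intended state.
$InterfaceAlias = 'Team-1'
$ShouldSkip     = @('172.16.5.10')   # secondary IPs that must keep the flag

$current = @(Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4)

# Show the state before touching anything.
$current | Sort-Object IPAddress |
    Format-Table IPAddress, PrefixLength, SkipAsSource -AutoSize | Out-Host

$repaired = 0
foreach ($ip in $ShouldSkip) {
    $entry = $current | Where-Object { $_.IPAddress -eq $ip }
    if (-not $entry) {
        # A GUI edit rebuilds the address list; the address may be gone entirely.
        Write-Warning "$ip is not bound to $InterfaceAlias; re-add it with the flag set."
        continue
    }
    if (-not $entry.SkipAsSource) {
        Write-Warning "$ip has lost SkipAsSource; setting it again."
        Set-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $ip -SkipAsSource $true
        $repaired++
    }
}

# Sanity check: at least one address must remain usable as a source,
# otherwise nothing on this interface is left to register.
$unflagged = @(Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Where-Object { -not $_.SkipAsSource })
if ($unflagged.Count -eq 0) {
    Write-Warning "Every IPv4 address on $InterfaceAlias has SkipAsSource set."
}

# Refresh this host's DNS registrations once the flags are back in place.
if ($repaired -gt 0) { Register-DnsClient }
```

Run it after any change made through the adapter's property sheet, then check the zone for A records that were registered while the flag was cleared.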

 

Cheers,

Rhoderick

Comments (22)

  1. anonymouscommenter says:

    Has this changed in Windows Server 2012, or what is the behavior now in the Release Candidate? Thanks.

  2. Hi David – Not yet tried this on 2012.  

    I'll grab the final build and check it out.

    Cheers,

    Rhoderick

  3. I used the same NetShell as listed above in RTM of Windows 2012, and SkipAsSource is still present

    Also the Set-NetIPAddress cmdlet supports this property:

    technet.microsoft.com/…/hh826151

    Cheers,

    Rhoderick

  4. anonymouscommenter says:

    Is there a fix for 2012 so that when you modify an IP setting in the GUI, the IP addresses and skipassource flag aren't cleared? There was a fix for 2008 R2 / Win 7 support.microsoft.com/…/2554859

  5. Hi Shawn,

    Have you observed this behaviour or are just asking about an update?

    Cheers,

    Rhoderick

  6. And yes  – I have seen this on 2008 R2, I have that hotfix listed in the above article.

    Cheers,

    Rhoderick

  7. anonymouscommenter says:

    I'm seeing this behavior in Server 2012. We add an IP address via netsh or PowerShell with the skipassource flag set, then when an IP address is modified or added in the GUI, all of the IP addresses are cleared.

  8. Thanks for confirming Shawn.  Let me track down a couple of platform peeps.

    Cheers,

    Rhoderick

  9. anonymouscommenter says:

    Thanks Rhoderick.

    ShawnMartin@AT@westat.com

  10. anonymouscommenter says:

    If I have multiple virtual SMTP servers with different IP addresses, no matter what configuration I use with the GUI or netsh, all outgoing emails have the primary IP address attached to the sending domain.  This is a problem because a reverse DNS means the emails will bounce.  

  11. @ Shawn – I'm still looking into this.  Currently I'm OOF.  If you need an update before the first week in May or so please file a case.  If you do, feel free to let me know the #

    @Scott – let me guess the IP that you are seeing as used for outgoing is the primary IP from the NIC that is at the top of the binding order?

  12. Ok – have discussed this with product group folks.   Noted  that if you change via PowerShell the flag is preserved, and will update when possible.  I don't know what timeline that will be – sorry!

    Cheers,

    Rhoderick

  13. @ Shawn –  I have multiple repros of this.  I'll do a separate post to discuss, but at this time please use PowerShell to manage.  Are you a Microsoft Premier customer?  

    Cheers,

    Rhoderick

  14. anonymouscommenter says:

    Thanks for the update Rhoderick. No, not a Premier customer, just have an Enterprise Agreement w/ ~2,500 seats.

  15. anonymouscommenter says:

    Hello Rhoderick,

    Can you tell me how I can add the Subnet Mask along with the IP Address using the Netsh command,

    Netsh int ipv4 add address <Interface Name> <ip address> skipassource=true

    I'm on Windows 2012 server and I'm not a Premier customer.

    Thanks

  16. Hi Albert,

    Have you tried this?

    Netsh int ipv4 add address <Interface Name> <ip address> <subnet mask> skipassource=true

    Cheers,

    Rhoderick

  17. Hi Shawn,

    Finally got some time to write this up.  

    Article is here

    blogs.technet.com/…/skipassource-flag-cleared-in-windows-2012.aspx

    When I get the RTM bits of Windows Server 2012 R2  I'll see how that build compares.

    Cheers,

    Rhoderick

  18. Tried this out on RTM of Windows Server 2012 R2, and got the same issue as described in:

    blogs.technet.com/…/skipassource-flag-cleared-in-windows-2012.aspx

    Added a note to the header of that article.

    🙁

  19. This does not seem to work for 2012 R2 Domain Controllers. I just decommissioned old DCs and migrated their IPs to our new 2012 R2 DCs. I used Powershell 3.0 to add the IPs with the SkipAsSource option set to True. Netsh and Powershell shows the option correctly set for these IPs. Unfortunately DNS is still registering both IPs on the NIC, ignoring the SkipAsSource option.

    Is this a known issue with DCs?

  20. anonymouscommenter says:

    For Domain Controller you need also to remove the IP in DNS Properties Interface tab. If you don’t remove from this configuration it will register.

  21. anonymouscommenter says:

    Great post from your hands again. I loved the complete article.
    By the way, nice writing style you have. I never felt bored while reading this article.

    I will come back & read all your posts soon. Regards, Lucy.