By default, Windows DNS servers register a static A record for every IP address that the DNS server service is bound to.
If you have a multi-homed AD Server which is also a DNS server (as they often are), you’re fine as long as there’s no routing involved in your local network. The netmask ordering feature magically gives the correct IP address out to clients depending on the LAN segment they’re attached to. But if you also have routing, that breaks the netmask ordering, and clients just get round-robin randomised IPs. If they have routes to both IP’s fine. In the more common case, they don’t (after all, why else did you segregate your network and multi-home your DC/DNS server).
REGEDIT to the rescue:
Data type: REG_SZ
Range: IP address [IP address]
Default value: blank
This value specifies the IP addresses that you want to publish for the computer. The DNS server creates A resource records only for the addresses in this list. If this entry does not appear in the registry, or if its value is blank, the DNS server creates an A resource record for each of the computer’s IP addresses.
This entry is designed for computers that have multiple IP addresses. With this entry, you can publish only a subset of the available addresses. Typically, this entry is used to prevent the DNS server from returning a private network address in response to a query when the computer has a corporate network address.
DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.
The DNS server does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
Thank you Microsoft. No really, a GUI would be nice, but thanks anyway.