mbecmba1 asked:

AD sites and DC allocation urgent help

I understand what sites and subnets are used for in AD. This is my configuration:

1) We have a national network

2) Some 3000 users in London on a fast LAN.  I am using 5 DC/DNS/GC servers to improve logon performance.  I have also created 5 Sites called London-1 to London-5 to load balance among the 5 DCs and intend to place 1 DC in each site. Each site has at least 20 Vlans.

3) I have 5 more large (200 to 400 users) remote offices but with 34mb connectivity back to London and each have 1 DC/DNS/GC and their own site.  Again a number of VLANs per site.

4) I also have 40 small offices (30 to 50 users) with limited connectivity.  I have created two sites and assigned 20 offices (generally one VLAN in each office) to each site.

The above should provide performance and load balancing for GC/DNS and DC logon.

QUESTION.  In London I have all my DCs in the same server room in the same subnet.  Currently this server room subnet belongs to LONDON-2 site so when I promote a server to DC it appears in that site.

OPTION-A) CAN I SIMPLY MOVE THE SERVER TO ANOTHER SITE LIKE LONDON-1 ????
 
OPTION-B) If not should I create a physical VLAN (CISCO VLAN)  and create an AD SUBNET and then attach that subnet to the correct SITE ???

OPTION-C) or Can I simply create an AD subnet with just one IP-address (The DC's IP-address) and assign that subnet to the SITE???

Please assess the above 3 options and tell me:
1) Which option is correct?
2) WHY???    I really need to know why and evidence for the reply.

I think I should get away with option-A  but need to check with fellow experts...

I need this answered by tomorrow and hence 500 points for a quick and thorough answer please...

Thanks...

mbecmba1 (ASKER):

Also wanted to add the small remote sites are on separate disjointed vlans.  eg: Glasgow on 10.143.60.1
and Caterham on 10.134.2.5 etc.  There are 20 small vlans which I have defined as 20 AD subnets, I have also created a subnet for our datacenter and put one DC in there.  Then I have put the datacentre Subnet and the 20 remote subnets into a site called REMOTE-1.  Now all the PCs in the 20 remote vlans should logon to that DC in the data-centre....

Hope to hear from you guys soon...

Netman66:
You have the correct idea.  I think you handled the remote sites just fine - I hope you factored in the replication problems with this configuration.  Sites are also used to control replication - as long as no servers are in those remote sites, then you'll have no issue.

However....

Option A - if the server has an IP other than belonging to the subnet associated with LONDON-1 you will have problems.  Subnets represent the physical network addressing scheme.  When associated with a Site they server the function of two things: 1) replication topology and 2) client logon location.  By moving a server without re-addressing it to the appropriate subnet you will confuse AD and the mechanism it uses to determine which clients to server for logon and how to route replication traffic.

Option B - You could do that, sure.  Wouldn't it be easier to re-IP the server and move it?

Option C - No.  If the IP of the server already belongs to another subnet and associated site then the reasoning is the same as Option A (above).

If you need any further explanation, let me know.
Sorry for the grammar - typing is not my forte.

server in two instances should have been serve.

mbecmba1 (ASKER):

Hi Netman,  It gives me a nice warm feeling that others think I am not totally off the rails with this AD stuff.

I had suspicions about A as we added a few DCs to the domain and we moved them, it caused so much mess in AD and DNS that replication stopped and it got very messy.  I had to salvage just one working DC and demote all others and rebuild my Forward lookup zone as it had so much rubbish in it.


I am not sure I explained options B and C properly.

I have a server room with just one VLAN for all my london servers (all in the same rack)  ie: VLAN 10.142.17.x

my London servers are:

UKLONDC01   10.142.17.63
UKLONDC02   10.142.17.55
UKLONDC03   10.142.17.150
UKLONDC04   10.142.17.151
UKLONDC05   10.142.17.152

Above have mask 255.255.255.0

UKLONDC02 is the only server which is promoted currently.  others waiting for DCPROMO.

The site UKLONDC01 for example has some 20 London VLANs included as subnets.  The subnet vlans can be anything like 10.142.20.1 with mask 155.255.255.0  and also another vlan on second floor 10.143.10.1 with mask 255.255.254.0

OPTION B:  Use Cisco to create a physical vlan which has a range of just one address.  For example for UKLONDC01 we create a vlan that only has 10.142.17.63 and then create a subnet for this vlan and then make this new AD subnet part of LONDON-1 site.
We do this for all LONDON DCs and we will have a PHYSICAL and an AD Logical (SUBNETS) separation.

I am not sure how to create a subnet in AD with a range of just ONE.  Could do with your help there.

OPTION C: Slight variation on B.  We do not create a CISCO vlan so the server room VLAN remains as a class C vlan but we create similar to B AD SUBNETS consisting of just one IP-address.  So we are not creating the physical but creating the logical SUBNET and then adding this to a site.
WOULD THIS CONFUSE The hell out of AD when the physical does not match the logical???

Your quick answer is very appreciated...

Thanks...

Netman66:

Creating a subnet of just one IP is not practical.  Subnets are ranges of IP addresses - typically, a whole network.  By creating a subnet of one address you create an "island" that AD will not be able to determine how clients are supposed to use it - since no other client will be a member of this subnet.

There's nothing wrong with creating a subnet for all your servers on the 10.147.17.x network.  There is also nothing wrong with creating subnets for all your VLans and associating them to sites.

I still don't think I understand the reasoning behind creating separate, single IP subnets.  Is this so you can associate the servers to remote sites while still having them in one room?  If so, simply re-IP them to the correct subnet for the site you want to service with them.  They can still coexist on the same wire - you'll just need to VLAN them or create the proper subnets off of separate interfaces on the router (more expensive this way).

I have seen this used successfully at the last place I worked.  We had one server onsite for each client we serviced.  Each server we hosted in the data centre was associated to a subnet of its own that was then associated to a site which spanned this network and the client site.  Our site was joined to theirs via VPN tunnels over point-to-point frame, point-to-point DSL or through the internet cloud.

I think if you could clarify your intentions with these London servers it might be easier to explain myself.

mbecmba1 (ASKER):

Ok, here is the clarification:

this is my goal:

1) Keep all London servers in the same room.
2) Yes I want to associate 1 specific DC with a number of subnets in a site so they logon to that server.

All 5 london DCs are on the same subnet 10.142.17 which is part of LONDON-2 site right now.  so when I DCPROMO they show up in London-2.  I need to move the other DCs to other London sites which have their own collection of Subnets and VLANS.  

You are saying that:   I create a subnet for each server and re-IP them.  Then I add that subnet to the site and hence AD will do its thing and create the replication connections automatically.

I guess I could ask our network guys to provide me with 5 class C VLANs and make sure the ports my servers are connected to are in these new vlans.  I can RE-IP the other 4 DCs to use an address in the new vlan.  I then create my subnet and join them to the sites like any other client vlan in that site.


Have I understood your suggestion???

ps: I have not created any sitelink bridge as I am leaving KCC to do its thing and I only have one DC per site.  CORRECT ???    I have created connection objects with different costs based on the WAN speed but I have not created a SITELINKBRIDGE.   I assume if KCC is left alone then I don't need to create any???

Thanks  I guess we are nearly there...

Netman66:

Yes.  You understand my thinking.  I would IP the servers before DCPROMO'ing them, they will add themselves to the correct subnet and site if you create them first.  KCC will do the rest for you.

You should have no problems with this - you're on the right track.
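The point Netman66 makes about Option A and again in the reply on single-IP subnets is that AD resolves an address to a site by finding the subnet object that contains it, and that a DC object should sit in the site its own address resolves to. The following is an added example (not code from the thread or from Microsoft) that models that lookup as a longest-prefix match over AD subnet objects and checks DC placement against it. The 10.142.17.0/24 server-room subnet in LONDON-2 and the 10.143.10.0/23 second-floor VLAN come from the thread; the other subnets, the 10.142.21.0/24 VLAN used for the re-IP scenario, the datacentre DC UKDCREMOTE01 and all client addresses are constructed assumptions for illustration.

```python
"""Model of how Active Directory maps an IP address to a site.

Added example, not code from the original thread: subnet objects, site
names, DC addresses and client addresses are constructed values that mirror
the thread's layout (server room in LONDON-2, London client VLANs in
LONDON-1, small offices plus a datacentre DC in REMOTE-1).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# AD subnet objects: CIDR -> site. The most specific subnet wins if they overlap.
SUBNETS: Dict[str, str] = {
    "10.142.17.0/24": "LONDON-2",   # server room where every London DC lives today
    "10.142.20.0/24": "LONDON-1",   # a London client VLAN (assumed)
    "10.143.10.0/23": "LONDON-1",   # second-floor VLAN, mask 255.255.254.0
    "10.143.60.0/24": "REMOTE-1",   # Glasgow office VLAN (assumed /24)
    "10.134.2.0/24":  "REMOTE-1",   # Caterham office VLAN (assumed /24)
    "10.150.1.0/24":  "REMOTE-1",   # datacentre subnet holding the REMOTE-1 DC (assumed)
}

# DC name -> (IP address, site the DC object sits in).
# UKLONDC02 is from the thread; UKDCREMOTE01 is an assumed datacentre DC.
DCS: Dict[str, Tuple[str, str]] = {
    "UKLONDC02":    ("10.142.17.55", "LONDON-2"),
    "UKDCREMOTE01": ("10.150.1.10", "REMOTE-1"),
}


def site_for_ip(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_site = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def placement_consistent(dc_ip: str, assigned_site: str, subnets: Dict[str, str]) -> bool:
    """True when the site holding the DC object is the site its IP resolves to.

    A mismatch is the Option A state: the object says one site, the address says
    another, so site-based logon and replication decisions disagree."""
    return site_for_ip(dc_ip, subnets) == assigned_site


def misplaced_dcs(dcs: Dict[str, Tuple[str, str]], subnets: Dict[str, str]) -> List[str]:
    """Names of DCs whose object site and address site disagree."""
    return sorted(name for name, (ip, site) in dcs.items()
                  if not placement_consistent(ip, site, subnets))


def dcs_for_client(client_ip: str, dcs: Dict[str, Tuple[str, str]],
                   subnets: Dict[str, str]) -> List[str]:
    """DCs in the client's own site (empty if that site has no DC yet).

    Simplification: the real DC locator falls back to a DC that covers the site
    when none is present; that fallback is not modelled here."""
    site = site_for_ip(client_ip, subnets)
    return sorted(name for name, (_, dc_site) in dcs.items() if dc_site == site)


def option_a_versus_reip() -> Tuple[bool, bool]:
    """Compare moving UKLONDC03's object to LONDON-1 as-is with re-IPing it.

    Returns (consistent after Option A, consistent after creating a new LONDON-1
    subnet and re-addressing the DC into it). 10.142.21.0/24 is an assumed VLAN."""
    subnets = dict(SUBNETS)
    option_a = placement_consistent("10.142.17.150", "LONDON-1", subnets)
    subnets["10.142.21.0/24"] = "LONDON-1"                            # subnet created first...
    reip = placement_consistent("10.142.21.63", "LONDON-1", subnets)  # ...then DC re-addressed
    return option_a, reip


if __name__ == "__main__":
    print("10.143.11.7 ->", site_for_ip("10.143.11.7", SUBNETS))
    print("misplaced DCs:", misplaced_dcs(DCS, SUBNETS))
    print("LONDON-1 client is offered:", dcs_for_client("10.142.20.5", DCS, SUBNETS))
    print("Glasgow client is offered:", dcs_for_client("10.143.60.1", DCS, SUBNETS))
    print("Option A consistent, re-IP consistent:", option_a_versus_reip())
```

The empty result for the LONDON-1 client shows why the London DCs need to be spread across sites before they are useful for site-local logon, and `option_a_versus_reip()` shows that moving the object alone leaves the address in LONDON-2's subnet while creating the subnet first and re-addressing the server makes both views agree. On a real domain member the equivalent check is `nltest /dsgetsite`, and the subnet objects themselves live under Active Directory Sites and Services.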
mbecmba1 (ASKER):

Thanks mate.  It is good to get the seal of approval from another fellow techie.

I shall ask the network guys to give me 4 new VLANs and then change the ip-address of the DCs.  Then create the AD subnet and add to the right sites and start DCPROMOing.

Thanks again and points are well deserved.

ASKER CERTIFIED SOLUTION: Netman66