Multiple networks, one main DC... How??

I'm going to be creating 6 separated Class C networks behind a pfSense router/firewall. It will include a couple of VLANs along with a couple of native networks. My question is this: how can I make all the networks recognize and register with one main PDC? I won't be implementing any more DCs at the current time, and I want to make sure I will be able to do this without messing up our current Domain somehow. Thanks for your responses!
knox203 asked:
kzabbott (Senior Systems Administrator) commented:
I've only got 4 separated Class C networks but this works just fine.  You just need to define your lookup zones in your DNS and make sure that your DHCP server (does your router/firewall handle the DHCP?) and any static IPs you may assign in the different LANs all point to your DC for DNS.  You also need to open the appropriate ports on the firewall (TCP and UDP 53, I believe) so all of your LANs can access the DC for DNS.

I don't want to preach here, but if you are running Windows 2000 or 2003 Active Directory, I would strongly urge you to create a second Active Directory Integrated DC (in the same primary net as your existing DC); having that single point of failure with such a network structure is simply begging for trouble.  Even if you throw Win 2K3 on an old P III or P IV box, it will still be a good backup to have.

Good luck with this!

Zachary
knox203 (Author) commented:
Thanks for the response, kzabbott! I should have clarified, the PDC handles DNS, DHCP, and WINS. I will be forwarding DHCP in my firewall from the PDC. I'll create new scopes for each new network. Thanks for the advice about the secondary DC. I will look into that soon!
knox203 (Author) commented:
By the way, kzabbott, what exactly do you mean by "define the lookup zones in DNS"? Could you clarify, please?
kzabbott (Senior Systems Administrator) commented:
Sorry, I should have been more specific.  

On your DC, open DNS
You should see:
Forward Lookup Zones
Reverse Lookup Zones

I am assuming with the one DC that you only have one domain to worry about, so the one Forward Lookup Zone is fine.  But you probably want a Reverse Lookup Zone for each of your separate subnets:
192.168.10.x
192.168.20.x
192.168.30.x
192.168.40.x
192.168.50.x
OR whatever internal numbering scheme you choose to use.  Just right-click Reverse Lookup Zones and select New Zone, then follow the bouncing cursor...  ;-)
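The two points kzabbott makes above (every subnet's DHCP clients and static hosts must use the DC for DNS, and each subnet gets its own Reverse Lookup Zone) scripted on the DC, as an added example that is not part of the original thread. It uses the DnsServer and DhcpServer PowerShell modules, which exist on Windows Server 2012 and later; on the Windows 2000/2003 servers the thread mentions, the same steps are done in the DNS and DHCP MMC snap-ins or with dnscmd/netsh. The DC address 192.168.1.10 and the 192.168.10-50.x subnets come from the thread; the domain name corp.example, the .1 gateway address per subnet and the .100-.200 lease range are assumptions.

```powershell
# Added example, not from the original thread. Creates, on the single DC, one
# AD-integrated reverse lookup zone and one DHCP scope per remote subnet, and makes
# every scope hand out the DC as the DNS server.
# From the thread: DC at 192.168.1.10, subnets 192.168.10.0/24 .. 192.168.50.0/24.
# Assumed (not on the page): domain corp.example, gateway .1 in each subnet, leases .100-.200.

Import-Module DnsServer, DhcpServer

$DcAddress  = '192.168.1.10'
$DomainName = 'corp.example'                               # assumption
$Subnets    = 10, 20, 30, 40, 50 | ForEach-Object { "192.168.$_.0" }

function Get-ReverseZoneName ([string]$Network) {
    # 192.168.10.0 -> 10.168.192.in-addr.arpa (the name the New Zone wizard builds)
    $o = $Network.Split('.')
    "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
}

foreach ($net in $Subnets) {
    $o      = $net.Split('.')
    $prefix = "$($o[0]).$($o[1]).$($o[2])"
    $zone   = Get-ReverseZoneName $net

    # Reverse zone: stored in AD, secure dynamic updates only, so domain members (or the
    # DHCP server on their behalf) can register PTR records but anonymous hosts cannot.
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId "$net/24" -ReplicationScope Domain -DynamicUpdate Secure
    }

    # DHCP scope for the subnet. The DC only sees these clients through the DHCP relay on
    # the pfSense interface; the relay's giaddr (the interface address) selects this scope,
    # so the relay must be enabled on every interface and UDP 67 allowed from it to the DC.
    if (-not (Get-DhcpServerv4Scope -ScopeId $net -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name "LAN $net/24" -StartRange "$prefix.100" -EndRange "$prefix.200" `
            -SubnetMask 255.255.255.0 -State Active
    }

    # Scope options: gateway on the router, DNS on the DC, and the domain suffix so
    # unqualified names resolve against the AD zone instead of some upstream resolver.
    Set-DhcpServerv4OptionValue -ScopeId $net -Router "$prefix.1" -DnsServer $DcAddress -DnsDomain $DomainName
}
```

Statically addressed hosts in the other subnets need the same two settings by hand (DNS server 192.168.1.10 and the domain suffix); a host that points at the router or an ISP resolver will never find the DC's SRV records and will fail to join or authenticate.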
knox203 (Author) commented:
Awesome, thanks, so after setting up and verifying all this, 192.168.6.8 should be able to talk to 192.168.1.10 (PDC)? What about firewall rules? Does anything need to be done to get all these separate networks to talk to each other?
kzabbott (Senior Systems Administrator) commented:
re: Firewall rules, YES, you definitely have to open your firewall so that all the different subnets can access all the various services/ports on your DC; if you do not, things will not work correctly.  Since you only have the one DC and you are using it for everything, you need to be sure to open up all the applicable ports for DNS, DHCP, WINS, AD Authentication - all the services you want your DC to provide.

As an aside, you probably already know this, but you'll need to create separate DHCP scopes for each of your separate subnets, too!  You might want to allow your Firewall to do the DHCP if it can - that takes one service off your already overworked DC!

You'll probably want to create port-groups, then just open the group.  On my Cisco PIX it looks something like this:

object-group service dc_server_ports2 tcp
  port-object eq 88
  port-object eq 135
  port-object eq ldaps
  port-object eq 3268
  port-object eq 3269
  port-object eq 445
  port-object eq ldap
  port-object eq domain

Yours will have more, since you have more services you need to offer (DHCP, WINS) which I have hosted on other machines, and you'll probably need to create a UDP port group, too.

Sorry, but I don't know your specific appliance or its software, so you will need to post a separate question in a different forum if you need assistance with that.

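A check for the firewall rules kzabbott describes, as an added example that is not part of the original thread: run from a workstation in one of the remote subnets (192.168.6.8 in the question) against the DC at 192.168.1.10, it walks the client-to-DC TCP port list (the PIX group above plus the ports a single DC that also serves DNS, DHCP, WINS and password changes needs) and reports which ones the firewall lets through. Test-NetConnection only exercises TCP, so UDP 53 is checked with a real SRV query against the DC and the whole locator path with nltest. The domain name corp.example is an assumption; Test-NetConnection and Resolve-DnsName need Windows 8 / Server 2012 or later on the client.

```powershell
# Added example, not from the original thread. Run on a client in a remote subnet to
# verify the firewall permits every service the single DC provides.
# From the thread: DC at 192.168.1.10. Assumed: domain corp.example.

$Dc     = '192.168.1.10'
$Domain = 'corp.example'    # assumption

# Client-to-DC TCP ports. Ports 53/88/135/389/445/636/3268/3269 are the PIX group on the
# page; 139, 42 and 464 are added because this DC also does WINS/NetBIOS and password changes.
$TcpPorts = [ordered]@{
    42   = 'WINS (TCP side, replication and some client queries)'
    53   = 'DNS (TCP fallback for large answers and zone transfers)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (Netlogon secure channel, SAMR, DCOM)'
    139  = 'NetBIOS session (legacy SMB, needed while NetBIOS/WINS is in use)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON shares, Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-DcTcpPorts {
    foreach ($port in $TcpPorts.Keys) {
        $ok = Test-NetConnection -ComputerName $Dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Service = $TcpPorts[$port]; Reachable = $ok }
    }
}

Test-DcTcpPorts | Format-Table -AutoSize

# RPC over 135 hands the client a dynamic port for the real call, so the firewall must
# also allow the range: 1025-5000 on Windows 2003 DCs, 49152-65535 on 2008 and later.
# Test-NetConnection cannot enumerate that range; check it with a Netlogon-dependent
# operation (domain join, password change) once the fixed ports pass.

# UDP 53: an ordinary query goes over UDP first, and this SRV record is what the DC
# locator asks for, so a timeout here means either DNS is blocked or the client is not
# using the DC as its resolver.
try {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction Stop | Out-Null
    "UDP/53 DNS to $Dc: OK"
} catch {
    "UDP/53 DNS to $Dc: FAILED ($($_.Exception.Message))"
}

# End-to-end DC locator (DNS SRV + LDAP ping on UDP 389); needs a domain-joined client.
nltest /dsgetdc:$Domain /force

# Not covered above and still needed in the UDP rule: 67 from the pfSense relay for DHCP,
# 88 Kerberos, 123 NTP (time sync is a Kerberos prerequisite), 137/138 NetBIOS name and
# datagram service for WINS-era clients.
```

Run it once per subnet rather than once; pfSense evaluates rules per interface, so a rule that works on one VLAN says nothing about the next.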
knox203 (Author) commented:
Thanks for all your help, kzabbott!
kzabbott (Senior Systems Administrator) commented:
My pleasure!  Good luck with your project, and if you value your network, get that second DC online as soon as you can possibly afford to do so!