
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 209
  • Last Modified:

Multiple networks, one main DC... How??

I'm going to be creating 6 separated Class C networks behind a PFSense router/firewall. It will include a couple of VLANs along with a couple of native networks. My question is this: how can I make all the networks recognize and register with one main PDC? I won't be implementing any more DCs at the current time, and I want to make sure I will be able to do this without messing up our current Domain somehow. Thanks for your responses!
0
knox203
Asked:
knox203
1 Solution
 
kzabbottSenior Systems AdministratorCommented:
I've only got 4 separated Class C networks but this works just fine.  You just need to define your lookup zones in your DNS and make sure that your DHCP Server (does your Router/Firewall handle the DHCP?) and any static IPs you may assign in the different LANs all point to your DC for DNS.  You also need to open the appropriate ports on the firewall (TCP and UDP 53, I believe) so all of your LANs can access the DC for DNS.

I don't want to preach here, but if you are running Windows 2000 or 2003 Active Directory, I would strongly urge you to create a second Active Directory Integrated DC (in the same primary net as your existing DC); having that single point of failure with such a network structure is simply begging for trouble.  Even if you throw Win 2K3 on an old P III or P IV box, it will still be a good backup to have.

Good luck with this!

Zachary
0
 
knox203Author Commented:
Thanks for the response, kzabbott! I should have clarified, the PDC handles DNS, DHCP, and WINS. I will be forwarding DHCP in my firewall from the PDC. I'll create new scopes for each new network. Thanks for the advice about the secondary DC. I will look into that soon!
0
 
knox203Author Commented:
By the way, kzabbott, what exactly do you mean by "define the lookup zones in DNS"? Could you clarify, please?
0
 
kzabbottSenior Systems AdministratorCommented:
Sorry, I should have been more specific.  

On your DC, open DNS
You should see:
Forward Lookup Zones
Reverse Lookup Zones

I am assuming with the one DC that you only have one domain to worry about, so the one Forward Lookup Zone you already have is fine.  But you probably want a Reverse Lookup Zone for each of your separate subnets:
192.168.10.x
192.168.20.x
192.168.30.x
192.168.40.x
192.168.50.x
OR whatever internal numbering scheme you choose to use.  Just right-click Reverse Lookup Zones and select New Zone, then follow the bouncing cursor...  ;-)
0
 
knox203Author Commented:
Awesome, thanks, so after setting up and verifying all this, 192.168.6.8 should be able to talk to 192.168.1.10 (PDC)? What about firewall rules? Does anything need to be done to get all these separate networks to talk to each other?
0
 
kzabbottSenior Systems AdministratorCommented:
re: Firewall rules, YES, you definitely have to open your firewall so that all the different subnets can access all the various services/ports on your DC; if you do not, things will not work correctly.  Since you only have the one DC and you are using it for everything, you need to be sure to open up all the applicable ports for DNS, DHCP, WINS, AD Authentication - all the services you want your DC to provide.

As an aside, you probably already know this, but you'll need to create separate DHCP scopes for each of your separate subnets, too!  You might want to allow your Firewall to do the DHCP if it can - that takes one service off your already overworked DC!

You'll probably want to create port-groups, then just open the group.  On my Cisco PIX it looks something like this:

object-group service dc_server_ports2 tcp
  port-object eq 88
  port-object eq 135
  port-object eq ldaps
  port-object eq 3268
  port-object eq 3269
  port-object eq 445
  port-object eq ldap
  port-object eq domain

Yours will have more, since you have more services you need to offer (DHCP, WINS) which I have hosted on other machines, and you'll probably need to create a UDP port group, too.

Sorry, but I don't know your specific appliance or its software, so you will need to post a separate question in a different forum if you need assistance with that.

0
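As an added example (not from the thread or from either poster), a small Python planner that turns the six /24 networks into the Reverse Lookup Zone names the DNS console will show, builds a per-subnet allow list that reaches the PDC only (nothing else crosses between subnets), and checks whether a client such as 192.168.6.8 can reach 192.168.1.10 on a given port. The 192.168.1.0/24 to 192.168.6.0/24 layout and the UDP entries in the port list are assumptions for the example; the TCP ports mirror the PIX object-group above.

```python
import ipaddress

# Services the single DC offers to every subnet.  Constructed from the PIX
# object-group in the thread (tcp 53/88/135/389/445/636/3268/3269) plus the
# UDP side of DNS/Kerberos/LDAP, WINS on udp/137 and relayed DHCP on udp/67;
# the UDP entries are this example's assumption, not the original post's.
DC_PORTS = [
    ("tcp", 53, "domain"), ("udp", 53, "domain"),
    ("tcp", 88, "kerberos"), ("udp", 88, "kerberos"),
    ("tcp", 135, "rpc endpoint mapper"),
    ("udp", 137, "wins / netbios-ns"),
    ("tcp", 389, "ldap"), ("udp", 389, "ldap"),
    ("tcp", 445, "smb"), ("tcp", 636, "ldaps"),
    ("tcp", 3268, "global catalog"), ("tcp", 3269, "global catalog ssl"),
    ("udp", 67, "dhcp via relay"),
]

def reverse_zone(subnet):
    """Name of the Reverse Lookup Zone to create in Windows DNS for one /24."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen != 24:
        raise ValueError(f"{subnet}: one reverse zone per /24 as in the thread")
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def ptr_name(host):
    """Owner name of the PTR record a client registers in that zone."""
    return ipaddress.ip_address(host).reverse_pointer

def allow_rules(subnets, dc_ip):
    """Per-subnet allow list: client subnet -> DC only, one rule per port.
    Nothing else crosses between subnets, so the default deny still applies."""
    return [(s, proto, port, dc_ip) for s in subnets for proto, port, _ in DC_PORTS]

def is_allowed(rules, src_ip, dst_ip, proto, port):
    """Would the firewall pass this packet under the generated rules?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(s) and dst == dst_ip
               and p == proto and prt == port
               for s, p, prt, dst in rules)

if __name__ == "__main__":
    subnets = [f"192.168.{n}.0/24" for n in range(1, 7)]  # constructed: 6 Class C nets
    dc = "192.168.1.10"                                   # PDC address from the thread
    for s in subnets:
        print(f"{s:18} reverse zone {reverse_zone(s)}")
    rules = allow_rules(subnets, dc)
    print(len(rules), "allow rules; 192.168.6.8 -> DC dns:",
          is_allowed(rules, "192.168.6.8", dc, "udp", 53))
```

Feed the generated tuples to whatever rule syntax your firewall uses; the point is that only the DC's ports are opened from each subnet, not subnet-to-subnet traffic in general.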
 
knox203Author Commented:
Thanks for all your help, kzabbott!
0
 
kzabbottSenior Systems AdministratorCommented:
My pleasure!  Good luck with your project, and if you value your network, get that second DC online as soon as you can possibly afford to do so!
0
