Multiple networks, one main DC... How??

Posted on 2007-08-02
Last Modified: 2011-04-14
I'm going to be creating 6 separated Class C networks behind a PFSense router/firewall. It will include a couple of VLANs along with a couple of native networks. My question is this: how can I make all the networks recognize and register with one main PDC? I won't be implementing any more DCs at the current time, and I want to make sure I will be able to do this without messing up our current Domain somehow. Thanks for your responses!
Question by:knox203

    Accepted Solution

    I've only got 4 separated Class C networks but this works just fine.  You just need to define your lookup zones in your DNS and make sure that your DHCP Server (does your Router/Firewall handle the DHCP?) and any static IPs you may assign in the different LANs all point to your DC for DNS.  You also need to open the appropriate ports on the firewall (TCP and UDP 53, I believe) so all of your LANs can access the DC for DNS.

    I don't want to preach here, but if you are running Windows 2000 or 2003 Active Directory, I would strongly urge you to create a second Active Directory Integrated DC (in the same primary net as your existing DC); having that single point of failure with such a network structure is simply begging for trouble.  Even if you throw Win 2K3 on an old P III or P IV box, it will still be a good backup to have.

    Good luck with this!


    Author Comment

    Thanks for the response, kzabbott! I should have clarified, the PDC handles DNS, DHCP, and WINS. I will be forwarding DHCP in my firewall from the PDC. I'll create new scopes for each new network. Thanks for the advice about the secondary DC. I will look into that soon!

    Author Comment

    By the way, kzabbott, what exactly do you mean by "define the lookup zones in DNS"? Could you clarify, please?

    Expert Comment

    Sorry, I should have been more specific.

    On your DC, open DNS
    You should see:
    Forward Lookup Zones
    Reverse Lookup Zones

    I am assuming with the one DC that you only have one domain to worry about, so the one Forward Lookup Zone is fine.  But you probably want a Reverse Lookup Zone for each of your separate subnets:
    OR whatever internal numbering scheme you choose to use.  Just right-click Reverse Lookup Zones and select New Zone, then follow the bouncing cursor...  ;-)

    Author Comment

    Awesome, thanks, so after setting up and verifying all this, should be able to talk to (PDC)? What about firewall rules? Does anything need to be done to get all these separate networks to talk to each other?

    Expert Comment

    re: Firewall rules, YES, you definitely have to open your firewall so that all the different subnets can access all the various services/ports on your DC; if you do not, things will not work correctly.  Since you only have the one DC and you are using it for everything, you need to be sure to open up all the applicable ports for DNS, DHCP, WINS, AD Authentication - all the services you want your DC to provide.

    As an aside, you probably already know this, but you'll need to create separate DHCP scopes for each of your separate subnets, too!  You might want to allow your Firewall to do the DHCP if it can - that takes one service off your already overworked DC!

    You'll probably want to create port-groups, then just open the group.  On my Cisco PIX it looks something like this:

    object-group service dc_server_ports2 tcp
      port-object eq 88
      port-object eq 135
      port-object eq ldaps
      port-object eq 3268
      port-object eq 3269
      port-object eq 445
      port-object eq ldap
      port-object eq domain

    Yours will have more, since you have more services you need to offer (DHCP, WINS) which I have hosted on other machines, and you'll probably need to create a UDP port group, too.

    Sorry, but I don't know your specific appliance or its software, so you will need to post a separate question in a different forum if you need assistance with that.


    Author Comment

    Thanks for all your help, kzabbott!

    Expert Comment

    My pleasure!  Good luck with your project, and if you value your network, get that second DC online as soon as you can possibly afford to do so!
