AD Sites and Services, 2 Sites - single subnet

Hello.

We have a customer who has a main office with 20 servers (3 Domain Controllers) and 150 clients.  They have a 10MB LES10 (Lan Extension) running to a remote DR location where they have 7 servers (1 Domain Controller) running DoubleTake (replication software).

The LES10 is a Telecom supplied "point to point" connection over fibre - it doesn't have routers or anything.

We have been looking at AD Sites and Services.  The servers in the Office are on the same subnet as the servers in the DR site.  How can I stop the clients/servers in the main office from going over the 10MB link to the DC at the DR site and instead use one of the 3 on their GB internal LAN?

I have created an AD site called "Office" and the 3 DC's are in that.  I have put the subnet address in and allocated it to this site.  I have created a second AD site called "DRSite" which has the single DC in.

I need to stop the Office servers from using the DR DC's and the DR servers from using the Office DC's.

Can anyone offer any guidance on whether it is possible to set up two sites in AD Sites and Services over a single subnet, or should we try and stick a router in between and go with separate subnets?

Many thanks.
Asked by: aleprevost
4 Solutions
 
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
I think a router between the sites would be best. No need for any firewall or NAT (obviously).
Put in a router, configure the DR site with a different subnet, and then add that subnet to the second site. That should do it.
DeanC30 commented:
A subnet can only be associated with one site, although a site can have multiple subnets.
You would need to amend the IP addressing scheme on the 2nd site and as you put it "stick a router" in between.  
KCTS commented:
You need to set up at least one subnet per site, i.e. at least 2 subnets. This is essential if you are going to limit local traffic to the local site and to enable machines to authenticate with a local domain controller rather than crossing the sites.

When you set-up sites in Active Directory you define the subnets and then associate one or more subnets with a site. See http://www.windowsitpro.com/Articles/ArticleID/13380/13380.html?Ad=1

Of course, if you have multiple subnets then you need to route between the two.

Once the sites are defined then, clients will automatically authenticate with the DC in their own site - if one is available.

You may also want to make sure that each site has a DNS server and that clients are set up to use the server in their own site as their preferred DNS server.
MSE-dwells commented:
This component of AD isn't well understood ... so please keep in mind that AD doesn't truly understand what's going on underneath it with regard to the IP infrastructure; it knows only what you tell it.  To elaborate -- there don't have to be 2 _physical_ subnets segmented by routers to convince AD to use specific DCs.  It is perfectly reasonable to configure AD such that a physically flat subnet is perceived as two logical subnets.  Take this scenario for example -- if you're using one of the classic class B locally administered address ranges, say 172.16.0.0/16, then consider doing the following in order to eliminate this need for the potentially unnecessary introduction of routers -

* assign all devices (DCs, servers, printers, clients, etc) in the main office addresses as follows:
   - address = 172.16. [128 ---> 254] .x
   - mask = 255.255.0.0 (this is intentionally 16 bits)
* assign all computers (DCs, servers, printers, clients, etc) in the DR office addresses as follows:
   - address: 172.16. [1 ---> 127] .x
   - mask = 255.255.0.0 (this is intentionally 16 bits)
* create 17 bit subnet objects and assign them to the AD sites as follows:
   - main office = 172.16.128.0/17 (255.255.128.0)
   - DR office    = 172.16.0.0/17 (255.255.128.0)

... this configuration causes your physically flat network to be perceived by AD as two logical subnets.  

A member computer using the example address 172.16.129.14 will be perceived by AD as being in the main office since the first 17 bits of its address most closely match the subnet object assigned to the main office site object.  Likewise, a computer located physically in the DR site using the example address of 172.16.14.116 will be perceived by AD as being in the DR site since the first 17 bits of its address most closely match the subnet object assigned to the DR office site object.

Now, having said all that, this solution isn't without problems.  DHCP, for example, becomes more difficult to configure and manage and is sometimes deemed a larger problem than the one we've just tried to solve, thereby eliminating this as a potential solution.  

Anyway, hopefully it provided some food for thought and an, albeit potentially short-lived, alternative.
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
MSE-dwells, that's pretty neat. Makes complete sense but I probably would never have thought of that. =)
DeanC30 commented:
MSE-dwells, I like the theory but just one question: how will DoubleTake (replication software) communicate with the Live site in order to maintain an up-to-date copy of the live data in order to function as a DR site?
If my understanding is correct, once the DR site tries to talk to the Live site, then the redirector will see an address which is not on the same logical subnet, and try to push the traffic out to a gateway, to route to the live environment, with no router in the environment how will it 'talk' to live?

MSE-dwells commented:
Sorry, this isn't meant to sound pedantic -- it's not theory, this is a proven solution ... though certainly not 'A'-typical.

I'm not experienced with 'Doubletake' and can't speak intelligently to its requirements.  That said, I'm hoping that perhaps you missed a key point in my post -- the only place we define a 17 bit mask is to AD ... all IP-capable devices attached to the network itself are using 16 bit masks and, as such, are capable of determining that a gateway is not required.  If, however, 'Doubletake' relies exclusively on what it's being told by the directory then perhaps 'Doubletake' will indeed dislike this configuration ... seems a little odd to me if that is the case.
DeanC30 commented:
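The two ideas that matter in this thread are how AD maps a client's address to a site (KCTS's "associate one or more subnets with a site") and MSE-dwells's point that the 17-bit mask exists only in AD's subnet objects while every host keeps a 16-bit mask, so no gateway is involved. The following Python is an added illustration of that logic, not code from the thread or from any Microsoft tool: it models a site-to-subnet table, resolves an address to a site by most-specific (longest-prefix) match, flags a subnet object listed under more than one site (DeanC30's rule), and separately checks whether two hosts would consider each other on-link given their own host mask. The site names and addresses are constructed sample values taken from the example above.

```python
import ipaddress

# Constructed subnet objects per AD site, mirroring the 17-bit split described
# in the thread. Sample data only, not the customer's real addressing.
SITE_SUBNETS = {
    "Office": ["172.16.128.0/17"],
    "DRSite": ["172.16.0.0/17"],
}


def find_conflicts(site_subnets):
    """Return (prefix, first_site, second_site) for any subnet object that is
    listed under more than one site. AD allows a subnet object to be associated
    with only one site, so any entry returned here is a configuration error."""
    seen = {}
    conflicts = []
    for site, prefixes in site_subnets.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if net in seen and seen[net] != site:
                conflicts.append((str(net), seen[net], site))
            seen.setdefault(net, site)
    return conflicts


def site_for_address(addr, site_subnets=SITE_SUBNETS):
    """Pick the site whose subnet object contains addr with the longest prefix,
    i.e. the most specific match, which is how a client is mapped to a site.
    Returns None when no subnet object covers the address."""
    ip = ipaddress.ip_address(addr)
    best_site, best_len = None, -1
    for site, prefixes in site_subnets.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if ip in net and net.prefixlen > best_len:
                best_site, best_len = site, net.prefixlen
    return best_site


def on_same_link(addr_a, addr_b, host_prefixlen=16):
    """Whether host A, configured with host_prefixlen as its OWN interface mask,
    treats host B as directly reachable (no gateway). This is decided purely by
    the host's mask; the AD subnet objects play no part in it."""
    local_net = ipaddress.ip_network(f"{addr_a}/{host_prefixlen}", strict=False)
    return ipaddress.ip_address(addr_b) in local_net


if __name__ == "__main__":
    office_host, dr_host = "172.16.129.14", "172.16.14.116"
    print("duplicate subnet objects:", find_conflicts(SITE_SUBNETS))
    for host in (office_host, dr_host):
        print(f"{host} -> AD site {site_for_address(host)}")
    # Hosts keep /16, so the DR replication partner is still on-link.
    print("on-link with /16 host masks:", on_same_link(office_host, dr_host))
    # Had the hosts themselves been given /17, a router would be required.
    print("on-link if hosts used /17:", on_same_link(office_host, dr_host, 17))
```

Running it shows both addresses resolving to different sites while `on_same_link` stays true with the 16-bit host mask, which is the answer to the DoubleTake question: replication traffic between the two halves never needs a gateway because only AD, not the hosts, sees two subnets.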
No apology required.  Thanks for taking the time to reply.  I did miss the *point* but not the point, if you know what I mean.

Note to myself:  Read.  Re-read. Think
 
0

Featured Post

Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now