Solved

What is the best way to separate a group of users while being able to use AD and DHCP

Posted on 2008-10-13
Last Modified: 2012-05-05
I would like to separate the Accounting Department, probably using either a VLAN or a router, but do not know how users will authenticate on a Windows 2003 network and receive DHCP through the VLAN or router.

Could anyone recommend how I can segregate Accounting while having their computers authenticate to the domain controllers and receive DHCP, group policy, etc.?

Our network is 192.168.1.0/24 and I am thinking of having Accounting on 192.168.2.0/24.
Question by:katredrum
17 Comments
 
LVL 2

Expert Comment

by:Carsontl
ID: 22705157
Create separate security group OUs for accounting and other users.
 
LVL 3

Expert Comment

by:razorwoods
ID: 22705162
Have you considered just putting a firewall between 'accounting' and the rest of the office? You can allow in/out just the traffic you want and from/to where you want.
 
LVL 1

Author Comment

by:katredrum
ID: 22705196
Carsontl, I do not understand what you are suggesting. I do not know how creating a security group OU will allow authentication and DHCP requests to pass to the VLAN or through the router. Could you please elaborate?
 
LVL 3

Expert Comment

by:razorwoods
ID: 22705358
If your plan is to physically separate 'accounting' from the rest of the world / office, then you'll need to either firewall it off, or VLAN it with route statements upstream at the gateway.

The issue here is that you want to put a barrier between this portion of the network and the rest of the network; however, you still need some communication to flow to specific areas for things like DHCP.  So if you want to let it talk to some things and not others, a firewall is the easiest thing to do.  If you want to do more complex selective routing, you'll need to put those statements in your router to deal with it.

You can't separate networks by applying group OUs.  All that's going to do is set restrictions on the domain.  So, for example, anyone NOT running Windows, or not caring if they auth to the ADC, would still be able to see traffic and attempt communication with accounting machines if the only thing you change is OUs.
 
LVL 2

Expert Comment

by:Carsontl
ID: 22705367
I misunderstood the question, please disregard.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 22705549
The simple answer is - you can put them in their own network with no problem.  You can put each computer in its own network and have no problems.  Active Directory authenticates via DNS.  The only thing you need to worry about is making sure you have a DHCP forwarder address on the router so it knows to forward packets from the DHCP server to your new subnet (and, of course, create a new scope for the subnet).

But frankly, this is like closing the door while leaving all the windows wide open and thinking you're safe.  TCP/IP is designed to be routed - and it's the protocol used for everything Windows - so subnetting does little except create more work for you (unless you're running out of IPs).  What you should be doing is creating security groups and OUs within Active Directory to ensure only authorized users use those systems/have access to the files.
 
LVL 1

Author Comment

by:katredrum
ID: 22706345
Thank you all for your responses. Leew, do I need to open ports if I use a router to authenticate users with Active Directory? You say that it only needs DNS to authenticate, so do I need to open only TCP/UDP 53?

I am actually trying to subnet Accounting because they run large queries on the Accounting Database Server and, since they are in the same broadcast domain, my other users are complaining that the network is slow.

I am not so concerned about other domain users accessing Accounting's files, as I have configured NTFS permissions on those files. I actually need non-accounting staff to access some files on the Accounting server because they use electronic timesheets that run from the Accounting server.

So I guess what I am really trying to do is create a separate broadcast domain for the accounting department.
 
LVL 3

Expert Comment

by:razorwoods
ID: 22706625
Yes, you would need to have DNS open from those machines to the ADC.

It's not very likely that your accounting group running 'large queries' is slowing down a 100/1000 base network.  If you're having network issues, I would look at your physical layer first and see what issues you may have.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 22706657
If your accounting software is BROADCASTING its data, then yes, that would be a problem... I would find that SHOCKING - BROADCASTING your accounting information would be like mailing it to all your neighbors for the fun of it.  VERY LITTLE traffic should be being broadcast - I would look at some network analysis - including using Network Monitor (free download from Microsoft) or Wireshark (open source network inspection software) - and determine if broadcasts are really causing you problems.  I would REALLY be surprised if that were, in fact, your problem.

By the way, when you subnet, you're not putting up (traditionally speaking) any kind of firewall - you're simply creating a subnet that stops broadcasts but does not stop or explicitly block ANYTHING, so there's no need to worry about ports - typically.
 
LVL 1

Author Comment

by:katredrum
ID: 22706662
To clarify, I currently have all users on the 192.168.1.0 network, which has our Windows 2003 Active Directory Domain Controllers, DNS, DHCP, and Accounting Server.

I am trying to have our Accounting Department be on the 192.168.2.0 network, with the Accounting Server (one NIC) also on the same 192.168.2.0 network. The Accounting server still needs to be on the 192.168.1.0 network using another NIC so other users can access the server to submit their electronic timesheets.

The issue I am having is that I do not know how I can have the Accounting Department authenticate with Active Directory and receive DHCP from the servers on the 192.168.1.0 network.

If I am going to use a router, could someone detail how I should configure this setup?
 
LVL 1

Author Comment

by:katredrum
ID: 22706830
leew, I will probably need to deploy a router between the networks and not just subnet Accounting, or I don't think AD and DHCP will route to 192.168.2.0.

The only other way of doing this is to subnet and add another card in the Domain Controller & DHCP server, so both servers will also be on 192.168.2.0.

Any ideas?
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 22706993
You absolutely need a router - you can't just put everything in a different subnet and expect access (though a layer 3 switch should also be able to handle this).  As for DHCP, you need to configure DHCP forwarding on the routing device - I cannot tell you how to do that, as I don't know what equipment you've got and may well have never used your specific equipment.

AND AGAIN, I THINK YOU ARE MAKING A MISTAKE - THIS WILL ALMOST CERTAINLY NOT RESOLVE ANYTHING AND NEEDLESSLY COMPLICATE YOUR NETWORK.
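An added example (not code from the thread or from any participant) showing what the "DHCP forwarder" that Lee W describes in comments ID 22705549 and ID 22706993 actually does on the wire: the router's relay agent stamps its own 192.168.2.0/24 address into the giaddr field of the client's DHCPDISCOVER before forwarding it to the server on 192.168.1.0/24, and the server uses giaddr to choose the scope, so a relay with no matching scope yields no lease. The server address 192.168.1.10, the relay address 192.168.2.1, the MACs and the two pools are constructed values.

```python
import ipaddress
import struct

# Constructed sample scopes, one per subnet as the thread describes (not real config).
SCOPES = {
    ipaddress.ip_network("192.168.1.0/24"): ("192.168.1.100", "192.168.1.200"),
    ipaddress.ip_network("192.168.2.0/24"): ("192.168.2.100", "192.168.2.200"),
}
SERVER_IFACE = ipaddress.ip_address("192.168.1.10")  # assumed DHCP server address


def build_discover(xid, mac, giaddr="0.0.0.0"):
    """Build the fixed 236-byte BOOTP header of a DHCPDISCOVER (options omitted)."""
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0, flags=broadcast
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    # ciaddr, yiaddr, siaddr are zero in a fresh discover; giaddr is filled by a relay
    addrs = b"".join(ipaddress.ip_address(a).packed for a in ("0.0.0.0",) * 3 + (giaddr,))
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    return hdr + addrs + chaddr + b"\0" * 192  # sname (64) + file (128), unused here


def relay(packet, relay_ip):
    """What the router's DHCP forwarder does: increment hops, set giaddr if still zero."""
    hops = bytes([packet[3] + 1])
    giaddr = packet[24:28]
    if giaddr == b"\0\0\0\0":  # only the first relay agent on the path stamps giaddr
        giaddr = ipaddress.ip_address(relay_ip).packed
    return packet[:3] + hops + packet[4:24] + giaddr + packet[28:]


def select_scope(packet, recv_iface=SERVER_IFACE):
    """Server side (RFC 2131 4.3.1): giaddr's subnet if relayed, else the receiving NIC's."""
    giaddr = ipaddress.ip_address(packet[24:28])
    anchor = giaddr if int(giaddr) else recv_iface
    for net, pool in SCOPES.items():
        if anchor in net:
            return str(net), pool
    return None  # no matching scope: the server drops the request, the client gets no lease


if __name__ == "__main__":
    local = build_discover(0x1234, "00:11:22:33:44:55")
    print(select_scope(local))  # ('192.168.1.0/24', ('192.168.1.100', '192.168.1.200'))
    relayed = relay(build_discover(0x5678, "00:11:22:33:44:66"), "192.168.2.1")
    print(select_scope(relayed))  # ('192.168.2.0/24', ('192.168.2.100', '192.168.2.200'))
    # A relay on a subnet with no scope: the failure you see when the new scope is forgotten.
    print(select_scope(relay(build_discover(0x9ABC, "00:11:22:33:44:77"), "10.0.0.1")))  # None
```

Without the forwarder, the broadcast DISCOVER never leaves 192.168.2.0/24; with it but without the new scope, the server sees a giaddr it cannot match and stays silent, which is why both halves of Lee's advice are needed.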
 
LVL 1

Author Comment

by:katredrum
ID: 22707542
Leew, thanks for the warning, and you may be correct. I will need to think about this... I may even get another switch and have Accounting's computers connect directly to the Accounting server for a day and see if things improve.

In the meantime, if anyone else has an idea on how I can segregate the Accounting Dept while keeping the Accounting Server accessible to all users on the network, it would be greatly appreciated.
 
LVL 95

Accepted Solution

by: Lee W, MVP (earned 500 total points)
ID: 22708079
I'm curious - have you done ANY diagnostics to validate your current plan as the correct one?  I maintain that - based on fairly significant experience - your plan will likely not work - you would be better off implementing a gigabit switch (if you don't already have one) and gigabit network adapters in the server - POSSIBLY teaming them.

Slow networks can be caused by a WIDE variety of problems from fragmented disks to improperly configured network adapters and switches and several other things in between.  This is why, before you create headaches for yourself and continue to pursue a potentially (probably) useless course of action, you need to properly identify the bottleneck.
 
LVL 1

Author Comment

by:katredrum
ID: 22708204
Leew, I am running 2 ProCurve 2810-48G gigabit switches and all cabling is CAT5e. I have done some testing but have not found any bottlenecks within the system.

Accounting Server - PowerEdge 2900
CPU, memory, dual Intel Pro 1000 MT NICs teamed, 4GB RAM, 2x76GB 15K RAID-1 SAS drives, & 4x146GB 15K RAID-5 SAS drives. None of these components are even close to being maxed out.

I also used my friend's laptop with SolarWinds and did a network performance test, and the network did not seem to be maxed out except for our internet connection, a T-1 (1.54Mbps).

For some reason throughout the day, at no particular time, almost every single computer on the network freezes for anywhere from a couple of seconds to 15 seconds. During this time, in this one instance, I found out that Accounting had queried and run reports.

This has prompted me to try and segregate the Accounting Dept. I am currently trying to eliminate any possible factor. I hope this makes a little more sense.
 
LVL 1

Author Comment

by:katredrum
ID: 22848557
Sorry for the late response... this is a hard issue to figure out. I did not segment the department.

So I finally narrowed the slow responses on the network down to users copying large files to the server. This even occurs when the user copies the large file to another folder on the same file server. They are using simple drag and drop from their Windows XP Pro machines. When they do this, all computer terminals freeze up.

Could anyone respond if they have had the same issue and know how to resolve this?
 
LVL 1

Author Comment

by:katredrum
ID: 23029704
Anyone experience the same... when users copy large files to the server?
