Solved

setting Active directory in different subnet

Posted on 2009-04-07
11
776 Views
Last Modified: 2012-05-06


I have my domain controller on one subnet eg: 10.1.1.0 subnet
I have an AD domain named Mydomain.com

in another subnet 10.1.17.0
I create an AD domain with the same Mydomain.com, using it for Lab

between the 2 subnets the Default gateway IP is 10.1.17.1

My workstation is on subnet 10.1.1.0, and would like to be able to remote to 10.1.17.0 subnet and work with DCs in the Lab.
But I don't want the DCs to be able to replicate anything to the 10.1.1.0 subnets because the production AD is there and as I mentionned has the same name as the Lab domain (Mydomain.com)

I believe if I change my workstation (which is in the 10.1.1.0 subnet) DG to 10.1.17.1 I would be able to get to the Lab network and without fear there would be nothing that can go back from the 10.1.17.0 network to 10.1.1.0 as long as the machines in the 10.1.17.0 subnet will not have a DG configured for 10.1.1.0 subnets.

Correct?

Thanks

0
Comment
Question by:jskfan
  • 6
  • 5
11 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24090075
All you need to do is remote into the other domain controller by IP address (not DNS name as it wouldn't resolve correctly), and when prompted, use a user account on the other domain. This will not create any link between the two domains, and you don't need to change your computer's IP address.
So if your lab domain controller is on 10.1.17.10, go Start | Run | mstsc - enter this IP address, and then login with a user from the lab domain.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24090098
This is assuming that the router is currently routing traffic between the two networks. If you can ping the other domain controller by IP address, you're good.
Your two domains are essentially unaware of each other, and provided you ensure they are both looking at their own DNS servers you shouldn't get any problems.
0
 

Author Comment

by:jskfan
ID: 24092275
I meant both network have the same domain name, the same DNS zone name , the same administrator account name and password. The only difference between the 2 domains is that they are in 2 different subnets, but the 2 subnets can talk to each other.

I want to make sure that both domains will not replicate.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:jskfan
ID: 24092289
forget about this:
<< I believe if I change my workstation (which is in the 10.1.1.0 subnet) DG to 10.1.17.1 I would be able to get to the Lab network and without fear there would be nothing that can go back from the 10.1.17.0 network to 10.1.1.0 as long as the machines in the 10.1.17.0 subnet will not have a DG configured for 10.1.1.0 subnets.>>>
0
 

Author Comment

by:jskfan
ID: 24092307
In the DC I put the DG to the VLAN so I can remote from the production network to the LAB and back.
This is where I am too much concerned, I am afraid there will be replication between both identical domains eventhough they are in 2 different subnets, but still can talk to each other.
0
 

Author Comment

by:jskfan
ID: 24092357
Though I thought even if 2 DCs within the same domain but 2 different subnets can't replicate to each other unless you canfigure them to do so in the AD sites and services
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24096962
How did you set the domains up - two seperate installs, but just the same names? Or did you build one DC, make a backup, then restore it to another box? All they two seperate forests - ideally they should be (with no trusts between them).
Providing DNS in both domains is correct, i.e. all the SRV and Host records are pointing to the correct IP addresses, and all clients are pointing to their own DC's DNS, then you should be OK. You can just remote into the other DC, but you will have to do it by IP address, otherwise you'll end up remoting into your own DC as DNS will resolve it to the local DC's IP address.
 
 
0
 

Author Comment

by:jskfan
ID: 24100761
<<How did you set the domains up - two seperate installs, but just the same names>>

Yes
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24105013
OK, then the domain and domain controller Security IDs (SID) will be different. Providing they are two domains in seperate forests, with no trusts between them, then there is no mechanism for the two domains to talk to each other. Basically, if you can't see the other domain in AD Domains and Trusts on one DC, then you're OK.
As long as you have two seperate subnets, and as said before, your DNS setup for each domain is correct, then you should be OK.
Just remote into the other DC from your domain, but log in using a username/password from the other domain.
0
 

Author Comment

by:jskfan
ID: 24114041
when you install the second domain, it will ask if it s the first domain controller in the new forest.
So I think if it's yes that mean 2 forests even with the same domain name will not talk to each other unless there is a trust between them.
I also think you still can install  2 AD Domains with the same name in the same subnet, and they will still be considered as 2 separate forests. Correct?

0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24129220
Theoritically you can have two domains running in the same subnet, yes, but having two domains with the same name, on the same subnet, while theoritically possible probably isn't a good idea, even if just to keep your own life simple!
Do bear in mind that you couldn't run DHCP on either domain if they were on the same subnet. You'd end up with machines from one domain getting IP config from the other domain's DHCP server, meaning that they'd be using the wrong DNS servers. Consequently they'd then try to authenticate with the wrong DC, with problems ensuing.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question