Solved

setting Active directory in different subnet

Posted on 2009-04-07
Last Modified: 2012-05-06


I have my domain controller on one subnet, e.g. the 10.1.1.0 subnet.
I have an AD domain named Mydomain.com.

In another subnet, 10.1.17.0,
I create an AD domain with the same name, Mydomain.com, and use it for a lab.

Between the 2 subnets the default gateway IP is 10.1.17.1.

My workstation is on subnet 10.1.1.0, and I would like to be able to remote to the 10.1.17.0 subnet and work with the DCs in the lab.
But I don't want the DCs to be able to replicate anything to the 10.1.1.0 subnet, because the production AD is there and, as I mentioned, has the same name as the lab domain (Mydomain.com).

I believe that if I change my workstation's (which is in the 10.1.1.0 subnet) DG to 10.1.17.1, I would be able to get to the lab network without fear: nothing could go back from the 10.1.17.0 network to 10.1.1.0, as long as the machines in the 10.1.17.0 subnet do not have a DG configured for the 10.1.1.0 subnet.

Correct?

Thanks

Question by:jskfan

Expert Comment

by:bluntTony
ID: 24090075
All you need to do is remote into the other domain controller by IP address (not DNS name as it wouldn't resolve correctly), and when prompted, use a user account on the other domain. This will not create any link between the two domains, and you don't need to change your computer's IP address.
So if your lab domain controller is on 10.1.17.10, go Start | Run | mstsc - enter this IP address, and then login with a user from the lab domain.

Expert Comment

by:bluntTony
ID: 24090098
This is assuming that the router is currently routing traffic between the two networks. If you can ping the other domain controller by IP address, you're good.
Your two domains are essentially unaware of each other, and provided you ensure they are both looking at their own DNS servers you shouldn't get any problems.

Author Comment

by:jskfan
ID: 24092275
I meant both networks have the same domain name, the same DNS zone name, the same administrator account name and password. The only difference between the 2 domains is that they are in 2 different subnets, but the 2 subnets can talk to each other.

I want to make sure that both domains will not replicate.

Author Comment

by:jskfan
ID: 24092289
Forget about this:
<< I believe if I change my workstation (which is in the 10.1.1.0 subnet) DG to 10.1.17.1 I would be able to get to the Lab network and without fear there would be nothing that can go back from the 10.1.17.0 network to 10.1.1.0 as long as the machines in the 10.1.17.0 subnet will not have a DG configured for 10.1.1.0 subnets. >>

Author Comment

by:jskfan
ID: 24092307
In the DC I put the DG to the VLAN so I can remote from the production network to the lab and back.
This is where I am most concerned: I am afraid there will be replication between both identical domains even though they are in 2 different subnets, but can still talk to each other.

Author Comment

by:jskfan
ID: 24092357
Though I thought that even 2 DCs within the same domain but in 2 different subnets can't replicate to each other unless you configure them to do so in AD Sites and Services.

Accepted Solution

by:bluntTony (earned 500 total points)
ID: 24096962
How did you set the domains up - two separate installs, but just with the same names? Or did you build one DC, make a backup, then restore it to another box? Are they two separate forests? Ideally they should be (with no trusts between them).
Providing DNS in both domains is correct, i.e. all the SRV and host records are pointing to the correct IP addresses, and all clients are pointing to their own DC's DNS, then you should be OK. You can just remote into the other DC, but you will have to do it by IP address, otherwise you'll end up remoting into your own DC, as DNS will resolve the name to the local DC's IP address.

Author Comment

by:jskfan
ID: 24100761
<< How did you set the domains up - two separate installs, but just with the same names? >>

Yes

Expert Comment

by:bluntTony
ID: 24105013
OK, then the domain and domain controller security IDs (SIDs) will be different. Providing they are two domains in separate forests, with no trusts between them, then there is no mechanism for the two domains to talk to each other. Basically, if you can't see the other domain in AD Domains and Trusts on one DC, then you're OK.
As long as you have two separate subnets and, as said before, your DNS setup for each domain is correct, then you should be OK.
Just remote into the other DC from your domain, but log in using a username/password from the other domain.
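The two checks bluntTony gives in the accepted solution and in the comment above (no trusts listed, and every SRV/host record and client resolver pointing at the right DCs) can be scripted. The following is an added example, not code from the thread or from anyone in it; it assumes it is run on the lab DC with the ActiveDirectory and DnsClient modules available (Windows Server 2012 or later), uses the domain name Mydomain.com and the subnets 10.1.1.0 / 10.1.17.0 from the question, and takes the lab DC address 10.1.17.10 from bluntTony's first comment as its expected DC list.

```powershell
# Added example: confirm a lab DC is isolated from the identically named
# production domain on the other subnet. Not part of the original thread.
# Assumes: run on the lab DC, RSAT ActiveDirectory + DnsClient modules present.
param(
    [string]   $DomainName     = 'Mydomain.com',       # domain name from the question
    [string[]] $ExpectedDcIPs  = @('10.1.17.10'),      # lab DC IP used as an example in the thread
    [string]   $ForeignPrefix  = '10.1.1.'             # production subnet from the question
)

Import-Module ActiveDirectory -ErrorAction Stop
$problems = @()

# Check 1: an isolated forest should have no trusts at all
# (the "AD Domains and Trusts" test from the comment above).
$trusts = @(Get-ADTrust -Filter * -ErrorAction SilentlyContinue)
if ($trusts.Count -gt 0) {
    $problems += 'Trusts present: ' + (($trusts | ForEach-Object { $_.Name }) -join ', ')
}

# Check 2: every DC this domain advertises via the DC-locator SRV record
# must resolve to an expected lab address and never into the production subnet.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($rec in $srv) {
    $hosts = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
    foreach ($h in $hosts) {
        if ($h.IPAddress -notin $ExpectedDcIPs) {
            $problems += "SRV target $($rec.NameTarget) -> $($h.IPAddress) is not an expected lab DC"
        }
        if ($h.IPAddress.StartsWith($ForeignPrefix)) {
            $problems += "SRV target $($rec.NameTarget) -> $($h.IPAddress) points into the production subnet"
        }
    }
}

# Check 3: the DCs the directory itself knows about (replication candidates)
# must all be lab machines.
foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.IPv4Address -notin $ExpectedDcIPs) {
        $problems += "Directory lists DC $($dc.HostName) at $($dc.IPv4Address), outside the lab DC list"
    }
}

# Check 4: this machine's own resolver must point only at lab DNS servers,
# otherwise name lookups for Mydomain.com land on the production DC.
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($r in $resolvers) {
    foreach ($addr in $r.ServerAddresses) {
        if ($addr.StartsWith($ForeignPrefix)) {
            $problems += "Interface $($r.InterfaceAlias) uses production DNS server $addr"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $DomainName on this DC shows no trusts, no foreign DCs and no production DNS references"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it on the production DC as well, with `-ExpectedDcIPs` set to the production DC addresses and `-ForeignPrefix '10.1.17.'`, so both sides are verified; any warning from check 2 or 4 is exactly the misconfiguration that would make a client or DC of one domain talk to the other.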

Author Comment

by:jskfan
ID: 24114041
When you install the second domain, it will ask if it's the first domain controller in the new forest.
So I think if it's yes, that means 2 forests, even with the same domain name, will not talk to each other unless there is a trust between them.
I also think you can still install 2 AD domains with the same name in the same subnet, and they will still be considered as 2 separate forests. Correct?


Expert Comment

by:bluntTony
ID: 24129220
Theoretically you can have two domains running in the same subnet, yes, but having two domains with the same name on the same subnet, while theoretically possible, probably isn't a good idea, even if just to keep your own life simple!
Do bear in mind that you couldn't run DHCP on either domain if they were on the same subnet. You'd end up with machines from one domain getting IP config from the other domain's DHCP server, meaning that they'd be using the wrong DNS servers. Consequently they'd then try to authenticate with the wrong DC, with problems ensuing.