• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 787
  • Last Modified:

setting Active directory in different subnet



I have my domain controller on one subnet eg: 10.1.1.0 subnet
I have an AD domain named Mydomain.com

in another subnet 10.1.17.0
I create an AD domain with the same Mydomain.com, using it for Lab

between the 2 subnets the Default gateway IP is 10.1.17.1

My workstation is on subnet 10.1.1.0, and would like to be able to remote to 10.1.17.0 subnet and work with DCs in the Lab.
But I don't want the DCs to be able to replicate anything to the 10.1.1.0 subnets because the production AD is there and as I mentionned has the same name as the Lab domain (Mydomain.com)

I believe if I change my workstation (which is in the 10.1.1.0 subnet) DG to 10.1.17.1 I would be able to get to the Lab network and without fear there would be nothing that can go back from the 10.1.17.0 network to 10.1.1.0 as long as the machines in the 10.1.17.0 subnet will not have a DG configured for 10.1.1.0 subnets.

Correct?

Thanks

0
jskfan
Asked:
jskfan
  • 6
  • 5
1 Solution
 
bluntTonyCommented:
All you need to do is remote into the other domain controller by IP address (not DNS name as it wouldn't resolve correctly), and when prompted, use a user account on the other domain. This will not create any link between the two domains, and you don't need to change your computer's IP address.
So if your lab domain controller is on 10.1.17.10, go Start | Run | mstsc - enter this IP address, and then login with a user from the lab domain.
0
 
bluntTonyCommented:
This is assuming that the router is currently routing traffic between the two networks. If you can ping the other domain controller by IP address, you're good.
Your two domains are essentially unaware of each other, and provided you ensure they are both looking at their own DNS servers you shouldn't get any problems.
0
 
jskfanAuthor Commented:
I meant both network have the same domain name, the same DNS zone name , the same administrator account name and password. The only difference between the 2 domains is that they are in 2 different subnets, but the 2 subnets can talk to each other.

I want to make sure that both domains will not replicate.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
jskfanAuthor Commented:
forget about this:
<< I believe if I change my workstation (which is in the 10.1.1.0 subnet) DG to 10.1.17.1 I would be able to get to the Lab network and without fear there would be nothing that can go back from the 10.1.17.0 network to 10.1.1.0 as long as the machines in the 10.1.17.0 subnet will not have a DG configured for 10.1.1.0 subnets.>>>
0
 
jskfanAuthor Commented:
In the DC I put the DG to the VLAN so I can remote from the production network to the LAB and back.
This is where I am too much concerned, I am afraid there will be replication between both identical domains eventhough they are in 2 different subnets, but still can talk to each other.
0
 
jskfanAuthor Commented:
Though I thought even if 2 DCs within the same domain but 2 different subnets can't replicate to each other unless you canfigure them to do so in the AD sites and services
0
 
bluntTonyCommented:
How did you set the domains up - two seperate installs, but just the same names? Or did you build one DC, make a backup, then restore it to another box? All they two seperate forests - ideally they should be (with no trusts between them).
Providing DNS in both domains is correct, i.e. all the SRV and Host records are pointing to the correct IP addresses, and all clients are pointing to their own DC's DNS, then you should be OK. You can just remote into the other DC, but you will have to do it by IP address, otherwise you'll end up remoting into your own DC as DNS will resolve it to the local DC's IP address.
 
 
0
 
jskfanAuthor Commented:
<<How did you set the domains up - two seperate installs, but just the same names>>

Yes
0
 
bluntTonyCommented:
OK, then the domain and domain controller Security IDs (SID) will be different. Providing they are two domains in seperate forests, with no trusts between them, then there is no mechanism for the two domains to talk to each other. Basically, if you can't see the other domain in AD Domains and Trusts on one DC, then you're OK.
As long as you have two seperate subnets, and as said before, your DNS setup for each domain is correct, then you should be OK.
Just remote into the other DC from your domain, but log in using a username/password from the other domain.
0
 
jskfanAuthor Commented:
when you install the second domain, it will ask if it s the first domain controller in the new forest.
So I think if it's yes that mean 2 forests even with the same domain name will not talk to each other unless there is a trust between them.
I also think you still can install  2 AD Domains with the same name in the same subnet, and they will still be considered as 2 separate forests. Correct?

0
 
bluntTonyCommented:
Theoritically you can have two domains running in the same subnet, yes, but having two domains with the same name, on the same subnet, while theoritically possible probably isn't a good idea, even if just to keep your own life simple!
Do bear in mind that you couldn't run DHCP on either domain if they were on the same subnet. You'd end up with machines from one domain getting IP config from the other domain's DHCP server, meaning that they'd be using the wrong DNS servers. Consequently they'd then try to authenticate with the wrong DC, with problems ensuing.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now