Solved

setting Active directory in different subnet

Posted on 2009-04-07
11
774 Views
Last Modified: 2012-05-06


I have my domain controller on one subnet eg: 10.1.1.0 subnet
I have an AD domain named Mydomain.com

in another subnet 10.1.17.0
I create an AD domain with the same Mydomain.com, using it for Lab

between the 2 subnets the Default gateway IP is 10.1.17.1

My workstation is on subnet 10.1.1.0, and would like to be able to remote to 10.1.17.0 subnet and work with DCs in the Lab.
But I don't want the DCs to be able to replicate anything to the 10.1.1.0 subnets because the production AD is there and as I mentionned has the same name as the Lab domain (Mydomain.com)

I believe if I change my workstation (which is in the 10.1.1.0 subnet) DG to 10.1.17.1 I would be able to get to the Lab network and without fear there would be nothing that can go back from the 10.1.17.0 network to 10.1.1.0 as long as the machines in the 10.1.17.0 subnet will not have a DG configured for 10.1.1.0 subnets.

Correct?

Thanks

0
Comment
Question by:jskfan
  • 6
  • 5
11 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24090075
All you need to do is remote into the other domain controller by IP address (not DNS name as it wouldn't resolve correctly), and when prompted, use a user account on the other domain. This will not create any link between the two domains, and you don't need to change your computer's IP address.
So if your lab domain controller is on 10.1.17.10, go Start | Run | mstsc - enter this IP address, and then login with a user from the lab domain.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24090098
This is assuming that the router is currently routing traffic between the two networks. If you can ping the other domain controller by IP address, you're good.
Your two domains are essentially unaware of each other, and provided you ensure they are both looking at their own DNS servers you shouldn't get any problems.
0
 

Author Comment

by:jskfan
ID: 24092275
I meant both network have the same domain name, the same DNS zone name , the same administrator account name and password. The only difference between the 2 domains is that they are in 2 different subnets, but the 2 subnets can talk to each other.

I want to make sure that both domains will not replicate.
0
 

Author Comment

by:jskfan
ID: 24092289
forget about this:
<< I believe if I change my workstation (which is in the 10.1.1.0 subnet) DG to 10.1.17.1 I would be able to get to the Lab network and without fear there would be nothing that can go back from the 10.1.17.0 network to 10.1.1.0 as long as the machines in the 10.1.17.0 subnet will not have a DG configured for 10.1.1.0 subnets.>>>
0
 

Author Comment

by:jskfan
ID: 24092307
In the DC I put the DG to the VLAN so I can remote from the production network to the LAB and back.
This is where I am too much concerned, I am afraid there will be replication between both identical domains eventhough they are in 2 different subnets, but still can talk to each other.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:jskfan
ID: 24092357
Though I thought even if 2 DCs within the same domain but 2 different subnets can't replicate to each other unless you canfigure them to do so in the AD sites and services
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24096962
How did you set the domains up - two seperate installs, but just the same names? Or did you build one DC, make a backup, then restore it to another box? All they two seperate forests - ideally they should be (with no trusts between them).
Providing DNS in both domains is correct, i.e. all the SRV and Host records are pointing to the correct IP addresses, and all clients are pointing to their own DC's DNS, then you should be OK. You can just remote into the other DC, but you will have to do it by IP address, otherwise you'll end up remoting into your own DC as DNS will resolve it to the local DC's IP address.
 
 
0
 

Author Comment

by:jskfan
ID: 24100761
<<How did you set the domains up - two seperate installs, but just the same names>>

Yes
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24105013
OK, then the domain and domain controller Security IDs (SID) will be different. Providing they are two domains in seperate forests, with no trusts between them, then there is no mechanism for the two domains to talk to each other. Basically, if you can't see the other domain in AD Domains and Trusts on one DC, then you're OK.
As long as you have two seperate subnets, and as said before, your DNS setup for each domain is correct, then you should be OK.
Just remote into the other DC from your domain, but log in using a username/password from the other domain.
0
 

Author Comment

by:jskfan
ID: 24114041
when you install the second domain, it will ask if it s the first domain controller in the new forest.
So I think if it's yes that mean 2 forests even with the same domain name will not talk to each other unless there is a trust between them.
I also think you still can install  2 AD Domains with the same name in the same subnet, and they will still be considered as 2 separate forests. Correct?

0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24129220
Theoritically you can have two domains running in the same subnet, yes, but having two domains with the same name, on the same subnet, while theoritically possible probably isn't a good idea, even if just to keep your own life simple!
Do bear in mind that you couldn't run DHCP on either domain if they were on the same subnet. You'd end up with machines from one domain getting IP config from the other domain's DHCP server, meaning that they'd be using the wrong DNS servers. Consequently they'd then try to authenticate with the wrong DC, with problems ensuing.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now