Solved

Active Directory and Different IP Subnets

Posted on 2009-05-06
Last Modified: 2012-08-14
My network consists of two sites: one main site in Chicago and a branch office in DC. I am connecting them via a private T1 line. I have two Cisco 2811 routers, one on each side of the T1. Because I have one public class C network spanning both sites, I am using bridging on both routers, so there is no QoS configured. I am planning on changing the IP structure in my branch office to the 192.168.2.0 network and leaving my main office intact. I am introducing IP routing on the routers to get QoS for voice traffic.

My question is, how would the AD domain controller act when it is not on the same subnet as the rest of Active Directory in the main office? This domain controller in the branch office also acts as a Global Catalog server. What do I need to do, besides changing the IP address on this domain controller, to get it to talk to the AD DCs in the main office?

Thanks.
Question by:Lev Kaytsner

Expert Comment

by:KCTS
So long as there is IP connectivity between the subnets and they are properly routed, then you need not do anything special. Multiple subnets are no problem; the only thing you might need to watch is DHCP, since the DHCP broadcast traffic may not cross the subnets. You may need to use a relay agent or enable DHCP broadcasts on the routers.

Expert Comment

by:Kieran_Burns
As long as DNS replication works you should have no issues, but you WILL need to configure sites and subnets correctly:
http://technet.microsoft.com/en-us/library/cc782048.aspx
is a good article explaining this.
Basically you need to ensure that your branch office is defined as a site containing its local Domain controller - this is configured under Active Directory Sites and Services.

Author Comment

by:Lev Kaytsner
I was actually planning on creating a separate DHCP server on the remote DC, since it's going to have its own subnet. I am trying to remove all unnecessary traffic from the T1 because I have issues with voice traffic.

Expert Comment

by:KCTS
OK, in that case there should be no DHCP issues.

Expert Comment

by:Kieran_Burns
As said, if you really want to minimise network traffic, ensure the subnets for the sites are defined correctly; then you *should* only get the sync traffic and whatever data traffic you allow going between sites.

Author Comment

by:Lev Kaytsner
Thank you for providing so much helpful info.
So, first I would need to create site replication and then change the IP structure in the remote site. Otherwise, I won't be able to get to the main site from there.
I have some file sharing, exchange, internet, voice traffic going back and forth.

Expert Comment

by:Kieran_Burns
You can create the new site now in AD if you like, define the subnet and the like as it is at the moment (add the branch office DC into the site), create the subnet and assign it to the branch office.
This way you can test that the configuration is working before you commit to the subnet change. Then all you need do is add the new subnet and remove the old when you make the change.
You should also create a new reverse DNS lookup zone for the new subnet now, so that it is ready to be populated before the changeover.
You might well be able to assign the NEW subnet to the branch office as well; it just won't be in use.
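The sites-and-subnets procedure described in this comment and the earlier one (create the branch site, put the branch DC in it, define the subnets, add the reverse zone, then verify), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later, or RSAT) run with Domain Admin rights; on the 2008-era servers of this thread the same steps are done in the Active Directory Sites and Services MMC as the comment says. The site names, the DC hostname and the DNS addresses are assumptions; 192.168.2.0/24 is the new branch subnet from the question. One caveat the thread does not spell out: while the single public /24 still spans both offices it should not be assigned to the branch site, because subnet-to-site mapping is global and Chicago clients on that /24 would then be steered to the branch DC; only the new subnet is mapped below.

```powershell
# Added example (not from the thread): define the branch office as its own AD site
# ahead of the readdressing, then verify the DC locator and replication after it.
# Assumes ActiveDirectory + DnsServer modules (Server 2012+/RSAT) and Domain Admin.
Import-Module ActiveDirectory
Import-Module DnsServer

$MainSite   = 'Default-First-Site-Name'   # existing site holding the Chicago DCs (assumed name)
$BranchSite = 'DC-Branch'                 # assumed name for the Washington DC office
$BranchDC   = 'BRANCHDC1'                 # assumed hostname of the branch DC / Global Catalog
$NewSubnet  = '192.168.2.0/24'            # new branch subnet from the question

# 1. Site and site link. Cost/interval are starting values; the interval bounds
#    how stale the branch GC can be, the cost only matters once there are 3+ sites.
New-ADReplicationSite -Name $BranchSite
New-ADReplicationSiteLink -Name "$MainSite-$BranchSite" `
    -SitesIncluded $MainSite, $BranchSite `
    -InterSiteTransportProtocol IP `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 2. Map the NEW subnet to the branch site now; it is inert until hosts use it.
#    Do NOT map the current shared public /24 here (see the lead-in).
New-ADReplicationSubnet -Name $NewSubnet -Site $BranchSite

# 3. Move the branch DC's server object into the new site.
Move-ADDirectoryServer -Identity $BranchDC -Site $BranchSite

# 4. AD-integrated reverse lookup zone for the new subnet, so PTR records can be
#    populated before the changeover and both DCs host the zone.
Add-DnsServerPrimaryZone -NetworkId $NewSubnet -ReplicationScope Domain

# 5. After the DC's own IP changes, re-register its A and SRV records.
#    (run ON the branch DC; built-in Windows tools)
ipconfig /registerdns
Restart-Service Netlogon

# 6. Checks a practitioner would run from the branch after the cutover.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog   # both DCs, correct sites?
nltest /dsgetsite                                             # which site this host is in
nltest /dsgetdc:$env:USERDNSDOMAIN /site:$BranchSite          # locator returns BRANCHDC1?
repadmin /replsummary                                         # no replication failures?
```

If `nltest /dsgetsite` on a branch workstation still reports the main site after the readdress, the subnet object or the client's new address is wrong; if the DC moved but `repadmin /replsummary` shows failures, DNS is the usual cause, which is why step 5 runs before the checks.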

Author Comment

by:Lev Kaytsner
I can create the new site, but how would I be able to test it if the new server is not in place?

Expert Comment

by:Kieran_Burns
You have TWO DCs, yes? One at each office? All you do is replicate the existing setup and assign the branch office DC to that site. If you read the article above, it does make it very clear how to set this all up (and it is remarkably easy).

Author Comment

by:Lev Kaytsner
Thank you so much for your advice. I am going to work on it this afternoon.

Expert Comment

by:Americom
If you haven't done any AD site creation, I suggest you take care of the IP subnet change first, then create the site later; otherwise you would have to update those subnets again.

Expert Comment

by:Americom
Also, since you are going to have a DHCP server in each location, you may want to reserve a portion of your IP range for each site on the other site's server, so that clients at both sites will be able to obtain an IP address from either DHCP server. This will add a bit of redundancy, and of course you need to enable a relay agent.
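The split-scope arrangement this comment describes (and the relay-agent caveat KCTS raised earlier), as an added PowerShell example that is not part of the original thread. It assumes the DhcpServer module (Windows Server 2012 or later, or RSAT) and that the DHCP Server role is installed on both DCs; the server names, gateway, DNS addresses and the 80/20 split points are assumptions, and 192.168.2.0/24 is the branch subnet from the question. The fallback only works if the branch router forwards DHCP broadcasts to Chicago, which on Cisco IOS is `ip helper-address <chicago-dhcp-ip>` on the branch LAN interface; the relay stamps the interface address into the request, and that is how the Chicago server knows to answer from its 192.168.2.0 scope rather than the main-office one. The mirror-image scope for the main office's own subnet is not shown.

```powershell
# Added example (not from the thread): the same scope on both DHCP servers with
# complementary exclusions, so branch clients lease locally but can fall back to
# Chicago over the T1 (via ip helper-address on the branch router).
# Assumes DhcpServer module (Server 2012+/RSAT) and the DHCP role on both DCs.
Import-Module DhcpServer

$BranchDhcp = 'BRANCHDC1'                   # assumed: branch DC + DHCP, 192.168.2.10
$MainDhcp   = 'CHIDC1'                      # assumed: Chicago DC + DHCP
$ScopeId    = '192.168.2.0'
$Mask       = '255.255.255.0'
$Gateway    = '192.168.2.1'                 # assumed branch router LAN address
$DnsServers = '192.168.2.10', '10.1.1.10'   # assumed: branch DC first, Chicago DC second

function Add-SplitScope {
    param(
        [string]$Server,        # DHCP server to configure
        [string]$ExcludeFrom,   # part of the pool THIS server must not hand out
        [string]$ExcludeTo
    )
    # Scope and options are identical on both servers; only the exclusion differs.
    Add-DhcpServerv4Scope -ComputerName $Server -Name 'Branch 192.168.2.0' `
        -StartRange '192.168.2.50' -EndRange '192.168.2.249' `
        -SubnetMask $Mask -State Active
    Add-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId $ScopeId `
        -StartRange $ExcludeFrom -EndRange $ExcludeTo
    Set-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId `
        -Router $Gateway -DnsServer $DnsServers -DnsDomain $env:USERDNSDOMAIN
}

# Branch server owns .50-.209 (about 80%); Chicago server owns .210-.249 (about 20%).
Add-SplitScope -Server $BranchDhcp -ExcludeFrom '192.168.2.210' -ExcludeTo '192.168.2.249'
Add-SplitScope -Server $MainDhcp   -ExcludeFrom '192.168.2.50'  -ExcludeTo '192.168.2.209'

# A DHCP server in an AD domain refuses to serve until it is authorized in AD.
Add-DhcpServerInDC -DnsName "$BranchDhcp.$env:USERDNSDOMAIN" -IPAddress '192.168.2.10'

# Check: each server should show the same scope with complementary exclusions.
foreach ($s in $BranchDhcp, $MainDhcp) {
    Get-DhcpServerv4ExclusionRange -ComputerName $s -ScopeId $ScopeId |
        Select-Object @{ n = 'Server'; e = { $s } }, StartRange, EndRange
}
```

Keeping the two exclusion ranges exactly complementary is what prevents both servers from offering the same address; if the ranges are ever edited on only one server, the overlap shows up as duplicate-address conflicts rather than as a DHCP error, so the final check is worth re-running after any change.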

Author Comment

by:Lev Kaytsner
So, here is my dilemma. I am going to be at my remote site reconfiguring one of the routers and changing the IP schema on the switch, server and workstations. At the same time, my Cisco engineer is going to work on my main site, reconfiguring the router there. He has no access to AD.
How can I make changes to my AD remotely while having no connection to my main network? My thought is that I will need some kind of internet connection to be able to VPN into my main network.

Expert Comment

by:HDanYoo
On the main site, set up the DHCP server with 2 scopes, one for each site. Set up each router to perform NAT.
As long as your Cisco routers are allowing open traffic between the 2 sites, you don't need to set up replication.
The only thing to consider when you don't have replication is that you must rely on a reliable T1.
I have a similar setup for a client, but the distance between the 2 sites is shorter compared to your case.

Accepted Solution

by: Kieran_Burns (earned 500 total points)
There are options available to you, but to be frank the VPN option is going to be the best one.
KISS :-) Keep It Simple Stupid ;-)
You could start down the multiple IP addresses on interfaces option but to be frank you're adding a degree of complication you don't need.

Author Comment

by:Lev Kaytsner
Thank you everyone for great answers.
Wish me luck.