Solved

Active Directory and Different IP Subnets

Posted on 2009-05-06
Last Modified: 2012-08-14
My network consists of two sites. One main site in Chicago and Branch Office in DC. I am connecting them via private T1 line. I have two Cisco 2811 routers, one on each side of the T1. Because I have one public class C network spanning both sites, I am using bridging on both routers so there is no QoS configured. I am planning on changing IP structure in my Branch Office to 192.168.2.0 network and leaving my Main Office intact. I am introducing IP routing on the routers to get QoS for voice traffic.

My question is, how would AD Domain Controller act, when it is not on the same subnet as the rest of the Active Directory in the Main Office. This domain controller in Branch office also acts as Global Catalog Server. What do I need to do, besides changing an IP address on this domain controller to get it to talk to AD DC's in Main Office?

Thanks.
0
Question by:Lev Kaytsner
16 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 24315156
So long as there is IP connectivity between the subnets and they are properly routed, then you need not do anything special. Multiple subnets are no problem - the only thing you might need to watch is DHCP, since the DHCP broadcast traffic may not cross the subnets - you may need to use a relay agent or enable DHCP broadcasts on the routers.
0
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24315165
As long as DNS replication works you should have no issues, but you WILL need to configure sites and subnets correctly:
http://technet.microsoft.com/en-us/library/cc782048.aspx
is a good article explaining this.
Basically you need to ensure that your branch office is defined as a site containing its local Domain controller - this is configured under Active Directory Sites and Services.
0
 

Author Comment

by:Lev Kaytsner
ID: 24315186
I was actually planning on creating a separate DHCP server on the remote DC since it's going to have its own subnet. I am trying to remove all unnecessary traffic from the T1 because I have issues with voice traffic.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24315234
Ok in that case there should be no DHCP issues.
0
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24315259
As said - if you really want to minimise network traffic, ensure the subnets for the sites are defined correctly; then you *should* only get the sync traffic and whatever data traffic you allow going between sites.
0
 

Author Comment

by:Lev Kaytsner
ID: 24315299
Thank you for providing so much helpful info.
So, first I would need to create site replication and then change IP structure in the remote site. Otherwise, I won't be able to get to the main site from there.
I have some file sharing, exchange, internet, voice traffic going back and forth.
0
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24315375
You can create the new site now in AD if you like, define the subnet and the like as it is at the moment (add the branch office DC into the site), create the subnet and assign it to the branch office.
This way you can test that the configuration is working before you commit to the subnet change. Then all you need do is add the new subnet and remove the old when you make the change.
You should also create a new reverse DNS lookup zone for the new subnet now, so that it is ready to be populated before the changeover.
You might well be able to assign the NEW subnet to the branch office as well; it just won't be in use.
0
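The preparation described in the comment above, as an added example (not code from the thread or from any of its participants): it creates the branch site, moves the branch DC/GC into it, pre-creates the 192.168.2.0/24 subnet and reverse lookup zone, and checks replication before cutover. It assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later); the site, site link and DC names are placeholders, and the current public /24 is represented by the TEST-NET-3 placeholder since the thread does not give it.

```powershell
# Added example, not from the original thread. Run on a main-office DC as a Domain Admin.
Import-Module ActiveDirectory
Import-Module DnsServer

$MainSite     = 'Default-First-Site-Name'  # site the Chicago DCs already sit in
$BranchSite   = 'Branch-DC'                # new site for the Washington office (placeholder)
$BranchDC     = 'BRANCHDC01'               # hostname of the branch DC/GC (placeholder)
$CurrentNet   = '203.0.113.0/24'           # current shared public /24 (placeholder)
$NewBranchNet = '192.168.2.0/24'           # subnet the branch office is moving to

# 1. Create the branch site and put the branch DC in it. Site membership of the DC, not the
#    subnet, is what makes the pre-cutover test meaningful: the KCC builds an inter-site link.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite -Description 'Washington branch office'
}
Move-ADDirectoryServer -Identity $BranchDC -Site $BranchSite

# 2. Dedicated site link over the T1: replication every 15 minutes (the minimum) keeps
#    sync traffic predictable instead of intra-site change notification over the WAN.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'Chicago-Branch'")) {
    New-ADReplicationSiteLink -Name 'Chicago-Branch' -SitesIncluded $MainSite, $BranchSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 3. Subnets. The shared /24 cannot be split by site, so it stays mapped to the main site;
#    the NEW /24 is mapped to the branch now and simply matches no client until cutover.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$CurrentNet'")) {
    New-ADReplicationSubnet -Name $CurrentNet -Site $MainSite -Location 'Chicago'
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$NewBranchNet'")) {
    New-ADReplicationSubnet -Name $NewBranchNet -Site $BranchSite -Location 'Washington DC'
}

# 4. AD-integrated reverse lookup zone for the new subnet, replicated forest-wide so the
#    branch DC's DNS has it before any host is readdressed.
if (-not (Get-DnsServerZone -Name '2.168.192.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NewBranchNet -ReplicationScope Forest -DynamicUpdate Secure
}

# 5. Verify: every DC should show its intended site, and the branch DC should have a
#    replication partner in the main site with no failures before the T1 is touched.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationPartnerMetadata -Target $BranchDC |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

After cutover the only remaining AD change is removing the old mapping if the branch no longer uses it (`Remove-ADReplicationSubnet -Identity $CurrentNet` only if that /24 is retired; here it stays on the main site).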
 

Author Comment

by:Lev Kaytsner
ID: 24315426
I can create the new site, but how would I be able to test it if the new server is not in place?
0
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24315468
You have TWO DCs yes? One at each office? All you do is replicate the existing setup and assign the branch office DC to that site. If you read the article above it does make it very clear how to set this all up (and it is remarkably easy)
0
 

Author Comment

by:Lev Kaytsner
ID: 24315489
Thank you so much for your advice. I am going to work on it this afternoon.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24315573
If you haven't done any AD site creation, I suggest you take care of the IP subnet change first then create site later, otherwise you would have to update those subnets again.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24315676
Also, since you are going to have a DHCP server at each location, you may want to reserve a portion of your IP range for each site on the other site's server so that clients on both sites will be able to obtain an IP address from either DHCP server. This will add a bit of redundancy, and of course you need to enable a relay agent.
0
 

Author Comment

by:Lev Kaytsner
ID: 24318709
So, here is my dilemma. I am going to be at my remote site reconfiguring one of the routers and changing IP schema on the switch, server, workstations. At the same time my CISCO engineer is going to work on my main site, reconfiguring the router there. He has no access to AD.
How can I make changes to my AD remotely while having no connection to my main network? My thought is that I will need some kind of internet connection to be able to VPN into my main network.
0
 
LVL 2

Expert Comment

by:HDanYoo
ID: 24321698
On the main site, set up DHCP with 2 scopes: one for each site. Set up each router to perform the NAT.
As long as your Cisco routers are allowing open traffic between the 2 sites, you don't need to set up a replication.
The only reason to consider when you don't have a replication is that you must rely on a reliable T1.
I have a similar setup for a client, but the distance between the 2 sites is shorter compared to your case.
0
 
LVL 10

Accepted Solution

by:
Kieran_Burns earned 2000 total points
ID: 24323279
There are options available to you, but to be frank the VPN option is going to be the best one.
KISS :-) Keep It Simple Stupid ;-)
You could start down the multiple IP addresses on interfaces option but to be frank you're adding a degree of complication you don't need.
0
 

Author Comment

by:Lev Kaytsner
ID: 24336159
Thank you everyone for great answers.
Wish me luck.
0
