New domain, new subnet

Justin Smith
OK Experts, this should be an easy one.  Enterprise AD and networking definitely aren't my specialties.

We are planning on deploying several "sandbox environments" that are used for development purposes.  We would like to host these in their own AD forest and put them on a separate subnet from our corporate LAN.  All of the environments are virtual (running on a single Hyper-V host) and will be running Server 2008 (some R2).

I'm not entirely sure about the best way to do this.  I planned on standing up a Server 2008 domain controller, creating a new forest (dev.corp.net), and putting them on 192.168.110.0 /24 subnet (our internal is 192.168.108.0 /23).  I would then create a one way trust between the dev forest and our internal forest (int.corp.net).  Sound ok so far?

How do I handle the routing between the subnets?  Would it be better to also stand up an RRAS server to do this, or should I use our hardware router (which has an empty port/interface)?  If I use the hardware router, do I need to take a dedicated cable from the empty port and connect it to the switch our host will be plugged into?  We have a router and two switches (connected via fibre), one switch has our office workstations and the other switch has our servers.  

Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
Or should I create a VLAN on my server switch (say 5 ports), connect one port in that VLAN to an empty port on my router, and assign that router port a 192.168.110.1 address?  Then I would connect my host server to a VLAN port?  I'm so bad at networking.

Commented:
Why should you create a trust between production and dev?
Create an independent AD forest for dev, and use any hardware router to do the routing between the dev and prod subnets. Create a gateway server (a jump server, which will be used to access the two different environments using either Windows TS or Citrix). Access to dev should be restricted by either the gateway or the dev AD.
Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
Reason for the trust would be so my developers can access the sandboxes with their internal AD accounts.  What purpose would the TS gateway serve?
Top Expert 2012 commented:
You can actually create VLANs within Hyper-V; take a look.

http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/03/10/vlan-settings-and-hyper-v.aspx

Why not create new domain trees within your current forest, which will set up the trusts for you?

Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
Not sure how the Hyper-V VLANs would actually play out in my situation.  I don't fully understand how I could use them.

I figured on just making a separate forest, since the domain will be controlled mostly by developers and there will be some clients that will have access to it.

Top Expert 2012 commented:
You can create VLANs to separate your VMs.

Commented:
OK. First I would like to understand your need here.
Do the sandbox environments communicate with production?

If the answer is NO:

I would make them different forests, like mydomain1.com; if you need one more, mydomain2, where your production is mydomain (they will be completely isolated in their own virtual networks).

If you need the sandbox environment to communicate with production, what services will likely be common?


Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
They don't need to communicate, other than the fact that I would like to be able to use internal AD accounts to access the sandbox environments.  It would be a one-way trust.  These sandboxes are strictly for development/POCs.  Our developers will pretty much have full command of the entire environment.

I was kind of looking for an Expert to tell me how they do it in their environment, if they have a similar situation.  I'm planning on, and have already started, putting them on their own subnet/VLAN and their own AD forest.

Top Expert 2012 commented:
This is what I do: I keep the test systems fully separated from each other, and I allow the developers to log in to their test systems with RDP, hosted on Hyper-V. The point of test environments is that you don't want to allow any access between your production and test environments.
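The one-way trust Justin describes, with access on the dev side restricted by selective authentication, as an added example that is not from any poster in this thread. It assumes an elevated prompt on a dev.corp.net domain controller, that the built-in netdom and dnscmd tools are available (both ship with Server 2008), and that the account names and the internal DNS server address are placeholders.

```powershell
# Added example (not from the thread). Run from an elevated prompt on a
# domain controller of the dev forest (dev.corp.net). Account names and the
# forwarder address are placeholders; replace them for your environment.

# 1. The dev DC must resolve int.corp.net before a trust can be created.
#    A conditional forwarder to an internal DNS server (placeholder address)
#    gives that resolution without making dev DNS part of the corporate forest.
dnscmd /ZoneAdd int.corp.net /Forwarder 192.168.108.10

# 2. One-way trust: dev.corp.net (trusting) trusts int.corp.net (trusted).
#    Internal accounts can then be granted access in dev; dev accounts get
#    nothing in the internal forest. Without /TwoWay, netdom creates one-way.
#    /ud and /pd are credentials in the trusted (int) domain; /uo and /po are
#    credentials in the trusting (dev) domain. "*" prompts for the password.
#    This is an external trust to the single int domain; for a forest-wide
#    transitive trust the /ForestTRANsitive switch would be added (assumed
#    from the netdom documentation, not tested here).
netdom trust dev.corp.net /d:int.corp.net /add /ud:INT\trust-admin /pd:* /uo:DEV\Administrator /po:*

# 3. Selective authentication: internal users can only authenticate to dev
#    computers on which they have explicitly been granted "Allowed to
#    Authenticate" (set per computer object in AD Users and Computers), so the
#    trust does not expose every sandbox to every internal account by default.
netdom trust dev.corp.net /d:int.corp.net /SelectiveAUTH:yes

# 4. Confirm the trust is in place from the dev side.
netdom trust dev.corp.net /d:int.corp.net /verify
```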
Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
How exactly did you implement hosted RDP?  Is that a new TS function in 2008?  Do you keep that in the Test subnet as well?
Top Expert 2012 commented:
Create a different subnet.

What I do is create a VM and add the services I want installed, like AD. I create a user on the test system, then give this user access to RDP so the user can RDP into the system; then they can run tests, create software, etc.

Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
Yeah that's pretty much what I do now, except the test boxes are members of our internal domain.  That's what will be changing.

But you said you use hosted RDP..... is that through a new TS function?

Top Expert 2012 commented:
I don't know what you mean by hosted RDP; what I meant was that you give RDP access to the Hyper-V host or Hyper-V VM.
Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
Ok.  I thought you meant you hosted an RDP application using TS Gateway.  Which I've thought about, but would like to see it in action first.  Thanks everyone for the input.
Justin Smith, Sr. System Engineer (Author, Top Expert 2012) commented:
More detail/follow-up would have been nice.