Solved

Active Directory Site and Services DMZ Subnet Placement

Posted on 2010-09-15
3
1,145 Views
Last Modified: 2012-05-10
I have a network with three sites, SiteA, SiteB, and SiteC.  There is a site created within ADS&S for each location and the domain controllers are in their geographical site with replication setup on an hourly basis.  The fourth site in the organization is the Default-First-Site-Name, it has no Domain Controllers in the site.  The sites are all connected via mesh and IP Subnets are configured and assigned to the site as dictated by IP configuration at those sites.  

The organization also has Exchange Server in a DMZ.  The DMZ subnet is in the Default-First-Site-Name Site.  The DMZ physically resides in SiteA.  I am problems with Exchange Services starting.  It looks like the problem is that the server is trying to connect to Domain Controllers in any site and timing out when going to SiteB or SiteC Domain Controllers.

There are also two site links within ADS&S.  One is a created domain specific link that contains sites A,B and C.  The other is the DEFAULTIPSITELINK that contains all sites including the Default-First-Site-Link.  The Cost and Replication time is the same on these site links as 100 and 60 minutes.

I am thinking of moving the DMZ subnet to the site SiteA and am anticipating this will cause it to always communicate with the Domain Controllers in SiteA.
Can you see any issues with me moving the DMZ subnet to SiteA?

I am also wondering if I should change the cost on the DEFAULTIPSITELINK so the domain specific link is the lowest cost.

Config Breakdown in Directory Sites and Services:

SiteA = Subnet 192.168.1.0/24 and server DCSiteA
SiteB = Subnet 192.168.2.0/24 and server DCSiteB
SiteC = Subnet 192.168.3.0/24 and server DCSiteC
Default-First-Site-Name = Subnet 95.86.76.90/28  and no Domain Controllers.

Any supported documentation links would be appreciated.

Thanks.

0
Comment
Question by:daxatviyu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 20

Accepted Solution

by:
woolnoir earned 250 total points
ID: 33682998
Moving the DMZ range to site A is probably a good option.. you may want to ensure that firewall rules exist to allow the exchange server to communicate with the DC in site A but other than that you should be file.

this guide (http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4#tm ) has some good ideas about DMZ usage within AD - best practises etc. Most of it probably wont be usefull but worth a read non the less.
0
 
LVL 5

Assisted Solution

by:richy92
richy92 earned 250 total points
ID: 33683018
I would move the DMZ subnet to make it part of Site A if there are no DCs in the default site then it should try other sites but it would be better to have the subnet for the DMS in the site it actually resides in.

I don't see any issues with moving the DMZ subnet into a different site, you can always move it back at a later date.

I did wonder if the firewall in the DMZ is blocking the connection from the exchange server - I also wondered about routing - can you ping the DC in site A from the Exchange server ?

also can you ping the DCs in the other siotes from the exchange server ? - I am not 100% sure but I would think that exchange should use a DC from another site if it cant find one in the same site/subnet
0
 
LVL 10

Expert Comment

by:dhruvarajp
ID: 33683489
what you have planned is a good option and looks is required as well
and i do not anticipate issues while doing this or  as results of this action

exchange server was not placed at the right area at the first place ..
exchange and AD are closely related so it it better if you have exchange and dc and prefreably GC in the same site
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question