How do I properly add a secondary DHCP network on a 2003 SBS domain?

Please bear with me as I describe our network.  We have a 2003 SBS machine that hosts our network.  For years we have been using this primary DHCP network scope:

192.168.1.x/ with as our gateway (Watchguard Firebox x750e).

We have a lot of networked devices on the LAN now and we wanted to move some of them to their own network. We created a secondary scope on DHCP ( - We decided to move our IP cameras and their host PC to a 192.168.2.x on a subnet. At first, we just added a second NIC to our PCs and set them to that network, and we were able to add them and remote into our 192.168.2.x PC and cameras. We didn't really have a second gateway set up, but that didn't seem to be an issue since none of the 192.168.2.x devices needed internet access. We thought it might help to enable the SBS Server's second NIC on the 192.168.2.x network, so we did that and plugged it into one of the switches. Then we noticed that a lot of devices tried to grab a 192.168.2.x address and then couldn't reach anything on the network. So, we gave static IPs to those devices back on the 192.168.1.x network.

Here is a basic layout of the starting point of our network:

Main Building:

Server Rack
Barracuda Spam Filter
HP Procurve Switch - SBS SERVER (hostname server1)
Dell Powerconnect Switch
Netgear Switch
other servers and PCs (hostnames Trend, Cameras, etc.)

From the HP Procurve, we have fiber going to two different buildings (there will be a third building in the next couple weeks).

In one building we just installed some POE cameras.  We have one fiber line going to a transceiver which goes via copper to an unmanaged POE switch.  These cameras were programmed on the 192.168.2.x network.  However, this building already has a PC, network printers and thin clients, all on the 192.168.1.x network.

Everything seemed to work just fine until we created a virtual 2008 server to host Trend Micro Worry Free Business (advanced).  We did this so we could remove Trend Micro from the SBS Server.  However before we could remove Trend Micro from SBS, we had to find a way to MOVE the camera host PC over to the new Trend server. At this point I could RDP into the virtual Trend machine.  I tried to add a second NIC to that VM for the 192.168.2.x network so that I could move the PC that records the POE cameras.  The camera PC did "move" to the Trend server, but I could no longer RDP into that server.  I could ping Trend from Cameras (the pc) but could not ping Cameras from Trend.  The only way I could log in to Trend was through the VM console.

We plan on buying some more managed POE switches next week if necessary.

I was told that we could enable one of the optional ports on our Watchguard to be the gateway for our 192.168.2.x network. I can enable it, but I'm not sure how to configure it properly.

If anyone can help guide our network expansion, we would greatly appreciate it. Please let me know if I need to provide any more information.

Thank you.  
Rob Williams Commented:
>>"Was that part unnecessary?" If you made the cameras static, no need to create a reservation; however, some folk do that rather than documenting, so that all IPs in use show up in the DHCP "address leases" list.

>>"If we did set up a router on that side of the fiber transceiver, would we still be able to have the two separate networks AND still be able to manage that second network remotely from the office side of the fiber line? "
Are you referring to my earlier comment about adding a $30 router? If so, I was suggesting just using it as an independent DHCP server. It would not perform NAT (firewall features). It would also only work if the networks are already segmented, as you cannot add a DHCP server to an SBS network.

To confirm then, you have:

                              |=> x.x.1.x network
Switch => fiber => switch => |
                              |=> x.x.2.x network

In other words all devices are on the same network segment, they just have two IP ranges/subnets?  Why is this necessary?

Yes you can isolate the .2.x network with a NAT router if you like and then still access with RDP, VPN, or another remote access tool as you would over the Internet if you wanted to isolate.

I guess my main question, and I believe Cris's as well, is: Why in your configuration do you need 2 subnets?
There seem to be a few different issues here, and I'm not getting the bit about the camera and Trend servers. It might be better as a separate question with more detail.

I assume SBS supports multiple scopes, but you should just be able to set the firewall up as a router on a different IP range, then set up a DHCP scope for that subnet on your existing DHCP server. Obviously, you'll need to be sure DHCP traffic is forwarded correctly.

If you go down this path, give it some thought and plan it so the network separation is logical, whether it be by location or by type of device (all the cameras etc. on the new net).
Cris Hanna Commented:
Essentially the issue is that DCs don't like to be multi-homed, which is what you attempted to do by configuring the second NIC to connect to the other subnet.
If you want a separate subnet for your cameras and whatnot, you'll need separate switches and routers configured for the other subnet. You can connect the WAN side of the router with an address on your 1.X network... and then the LAN side on 2.X.
Disable the second SBS NIC.
Rob Williams Commented:
I fail to see why you need two subnets.
SBS supports a maximum of 75 clients, so I assume you have 170 or more IPs available (254 - 75 - SBS - router - printers). Splitting up the network the way you are trying to do does not really improve security, nor would there be any noticeable performance enhancement, and it complicates the configuration.

- As Cris states, Windows DCs do not handle being multihomed well at all.
- SBS has two very specific network configurations, 1 NIC or 2. In the latter it is intended to act as a gateway for the LAN, not as a multihomed server. SBS is not Server Std.
- If you want to have a server with two DHCP scopes, you have to have a way of assigning the correct subnet to clients. This is best done with reservations or Class IDs, both of which require additional management.

If you need to isolate, I would agree with Cris: physically isolate the two networks with their own cabling, switches, DHCP server and gateway. I believe you can do that with the x750e, but for assistance with the configuration you would be best to post that in the Watchguard Zone.
BobLeeSwagger (Author) Commented:
OK, let's forget about the Trend Micro server for now.

We are in the process of upgrading our 2003 SBS machine and splitting it up into several boxes.  We will have Exchange 2007 by itself.  Then we will need other machines to be dedicated for DC, AD, DHCP, DNS, etc.  However, with a new phone system coming soon, the server project probably won't happen until late October.

Until then, we still run into the issue of the building being connected to the main switch (behind the Firebox) by one fiber line, yet hosting machines on the 192.168.1.x network and the cameras on the 192.168.2.x network. Would putting a managed switch in that remote building help out, or would that single fiber line be a problem?

RobWill, since we are still running the SBS 2003, what are our options and limitations with its DHCP service? It allows for more than one scope, so I'm trying to learn what those extra scopes are intended for. We could try to separate the cameras from the main network, but if the single fiber line is a problem with the idea of physical separation, then we would have to move the Cameras PC over to that building.

We do not NEED the Cameras PC or the cameras themselves to be on the same network, but from a remote management standpoint it would be convenient.

Thank you for your expert advice to everyone who has replied so far.
Rob Williams Commented:
The problem with multiple DHCP scopes is how you are going to assign an IP from the proper scope to the appropriate device.

Using multiple scopes is not something I am terribly familiar with, but you can assign using DHCP reservations, you can use Class IDs, or, most often, they are used in multi-segment networks where a router forwards the DHCP request to a DHCP relay (the server).

Do you really need DHCP for the cameras anyway? In the instances I have seen cameras used, they are assigned static IPs. You could even use a $30 router on the camera subnet as a DHCP server, but do not use it as a gateway (i.e. don't connect the WAN cable, and set the gateway as the Firebox); you can still set the Firebox as the gateway.

To access the camera PC from the other network, you can set up a route on the Firebox to allow connections from one device/PC or multiple to the camera PC. I am sorry, but I am not familiar with the Firebox to instruct as to how to configure the route.
Cris Hanna Commented:
I still don't get (nor do I think Rob does) why you need to put the cameras on a separate subnet.
And I don't think you want the cameras getting DHCP addresses, so they have a different IP each time. One of my customers does lock and security work. When they go out to put cameras in, it's always on the LAN.
Rob Williams Commented:
I'd have to agree. I don't see a need, at least from what you have said so far, for a separate LAN.

I did work on a network this week where the cameras were used for several purposes and completely managed by an outside company. For this reason they preferred to have them completely isolated. In this case there was a web utility that allowed the company to access the "camera PC" if needed. As it turns out this was a good choice, as the camera PC was hacked due to a remote management service used by, and not properly managed by, the camera firm.
BobLeeSwagger (Author) Commented:
I apologize if I'm having a hard time describing our network. I'm starting to see things in a different light now. We did set static IPs on the Camera PC and the camera units. We also set them as reservations within the secondary scope of DHCP on the SBS box. Was that part unnecessary?

I'd like to understand if I'm reading this correctly. From the main switch, we have one fiber line to a warehouse where the .1.x clients are AND where the .2.x cameras are. If we did set up a router on that side of the fiber transceiver, would we still be able to have the two separate networks AND still be able to manage that second network remotely from the office side of the fiber line?
BobLeeSwagger (Author) Commented:
We haven't hit the 75 client mark yet, but we do have a lot of machines and networked devices that take up a lot of IPs. We just wanted to separate traffic... and we were running out of IP addresses, which is why we wanted to have a second network. Anyway, thanks again. We will try to NAT the cameras and re-simplify the DHCP setup in our SBS box for now.
BobLeeSwagger (Author) Commented:
Clearly, we need to learn a few things about SBS, DHCP and TCP/IP. It's not so much that we were looking for an answer to a specific problem, as we were looking for guidance, theories, and industry standard practices. We need to rethink our network design, and these experts have set us on the right path. Thanks again!
Rob Williams Commented:
You could increase the size of the subnet if necessary by changing the subnet mask, that is, if you are running out of IPs. The default licensing with SBS is users, so you can add as many cameras and such as you like. If doing so, make sure you use the Change Server IP and Connect to the Internet wizards.

Thanks BobLeeSwagger. Good luck with the project.
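Added example (not from any poster on this thread) that works through the two subnet questions raised above with Python's standard ipaddress module: why a client that grabbed a 192.168.2.x lease with a /24 mask could not reach the 192.168.1.x gateway, and which mask a single enlarged subnet would need to hold both ranges. The gateway address 192.168.1.1 is a constructed placeholder; the question did not state the real one.

```python
import ipaddress


def on_link(host, prefixlen, other):
    """True if `host` (with this mask) treats `other` as directly reachable.

    A host only ARPs for addresses inside its own subnet; anything else is
    sent to the default gateway, which must itself be on-link.
    """
    net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
    return ipaddress.ip_address(other) in net


def gateway_reachable(client, prefixlen, gateway):
    """A client whose gateway is outside its subnet has no way off the LAN."""
    return on_link(client, prefixlen, gateway)


def smallest_supernet(addresses):
    """Smallest aligned IPv4 block containing every address given."""
    hosts = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{hosts[0]}/32")
    # Widen one bit at a time until the block covers all hosts.
    while not all(h in net for h in hosts):
        net = net.supernet()
    return net


def usable_hosts(network):
    """Host addresses available after removing network and broadcast."""
    return ipaddress.ip_network(network).num_addresses - 2


if __name__ == "__main__":
    gw = "192.168.1.1"  # constructed placeholder for the Firebox LAN address
    # The symptom from the question: a .2.x lease with a /24 mask
    print("192.168.2.50/24 reaches gateway:", gateway_reachable("192.168.2.50", 24, gw))
    # One larger subnet covering both ranges (note the alignment: /23 from
    # 192.168.1.0 is not a valid block, so /22 from 192.168.0.0 is required)
    block = smallest_supernet(["192.168.1.10", "192.168.2.50"])
    print("Single subnet for both ranges:", block, "usable hosts:", usable_hosts(block))
    print("192.168.2.50/22 reaches gateway:", gateway_reachable("192.168.2.50", 22, gw))
```

Every device, including the Firebox and the SBS server, must be moved to the new mask at the same time; a mixed /24 and /22 network reproduces the same unreachable-gateway symptom in the other direction.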