Solved

How do I properly add a secondary DHCP network on a 2003 SBS domain?

Posted on 2010-09-17
473 Views
Last Modified: 2012-08-14
Please bear with me as I describe our network.  We have a 2003 SBS machine that hosts our network.  For years we have been using this primary DHCP network scope:

192.168.1.x/255.255.255.0 with 192.168.1.254 as our gateway (Watchguard Firebox x750e).

We have a lot of networked devices on the LAN now and we wanted to move some of them to their own network. We created a secondary scope on DHCP (192.168.2.1 - 192.168.2.254). We decided to move our IP cameras and their host PC to a 192.168.2.x on a 255.255.254.0 subnet. At first, we just added a second NIC to our PCs and set them to that network, and we were able to add them and remote into our 192.168.2.x PC and cameras. We didn't really have a second gateway set up but that didn't seem to be an issue since none of the 192.168.2.x devices needed internet access. We thought it might help to enable the SBS Server's second NIC on the 192.168.2.x network so we did that and plugged it into one of the switches. Then we noticed that a lot of devices tried to grab a 192.168.2.x address and then couldn't reach anything on the network. So, we gave static IPs to those devices back on the 192.168.1.x network.

Here is a basic layout of the starting point of our network:

Main Building:

Server Rack
ISP
|
Watchguard
|
Barracuda Spam Filter
|
HP Procurve Switch - SBS SERVER (hostname server1)
Dell Powerconnect Switch/
Netgear Switch
|
other servers and PCs (hostnames Trend, Cameras, etc.)


From the HP Procurve, we have fiber going to two different buildings (there will be a third building in the next couple weeks).

In one building we just installed some POE cameras.  We have one fiber line going to a transceiver which goes via copper to an unmanaged POE switch.  These cameras were programmed on the 192.168.2.x network.  However, this building already has a PC, network printers and thin clients, all on the 192.168.1.x network.

Everything seemed to work just fine until we created a virtual 2008 server to host Trend Micro Worry Free Business (advanced).  We did this so we could remove Trend Micro from the SBS Server.  However before we could remove Trend Micro from SBS, we had to find a way to MOVE the camera host PC over to the new Trend server. At this point I could RDP into the virtual Trend machine.  I tried to add a second NIC to that VM for the 192.168.2.x network so that I could move the PC that records the POE cameras.  The camera PC did "move" to the Trend server, but I could no longer RDP into that server.  I could ping Trend from Cameras (the pc) but could not ping Cameras from Trend.  The only way I could log in to Trend was through the VM console.

We plan on buying some more managed POE switches next week if necessary.

I was told that we could enable one of the optional ports on our Watchguard to be the gateway for our 192.168.2.x network. I can enable it, but I'm not sure how to configure it properly.

If anyone can help guide our network expansion, we would greatly appreciate it. Please let me know if I need to provide any more information.

Thank you.  
Question by:BobLeeSwagger
12 Comments
 
LVL 3

Expert Comment

by:arweeks
ID: 33706432
There seem to be a few different issues here, and I'm not getting the bit about the camera and Trend servers; that might be better as a separate question with more detail.

I assume SBS supports multiple scopes, but you should just be able to set the firewall up as a router on a different IP range, then set up a DHCP scope for that subnet on your existing DHCP server.  Obviously, you'll need to be sure DHCP traffic is forwarded correctly.

If you go down this path, give it some thought and plan it so the network separation is logical, whether it be by location or by type of device (all the cameras etc. on the new net).
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 150 total points
ID: 33706475
Essentially the issue is that DCs don't like to be multi-homed, which is what you attempted to do by configuring the second NIC to connect to the other subnet.
If you want a separate subnet for your cameras and what not, you'll need separate switches and routers configured for the other subnet. You can connect the WAN side of the router with an address on your 1.X network...and then the LAN side on 2.X.
Disable the second SBS NIC.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33706523
I fail to see why you need two subnets.
SBS supports a maximum of 75 clients, so I assume you have 170 or more IPs available (254-75-SBS-router-printers). Splitting up the network the way you are trying to do does not really improve security, nor would there be any noticeable performance enhancement, and it complicates the configuration.

Also:
-As Cris states, Windows DCs do not handle being multihomed well at all
-SBS has two very specific network configurations, 1 NIC or 2. In the latter it is intended to act as a gateway for the LAN, not as a multihomed server. SBS is not Server Std.
-If you want to have a server with two DHCP scopes you have to have a way of assigning the correct subnet to clients. This is best done with reservations or Class IDs, both of which require additional management

If you need to isolate I would agree with Cris, physically isolate the two networks with their own cabling, switches, DHCP server and Gateway. I believe you can do that with the x750e, but for assistance with the configuration you would be best to post that in the Watchguard Zone.
 

Author Comment

by:BobLeeSwagger
ID: 33727906
Ok let's forget about the Trend Micro server for now.  

We are in the process of upgrading our 2003 SBS machine and splitting it up into several boxes.  We will have Exchange 2007 by itself.  Then we will need other machines to be dedicated for DC, AD, DHCP, DNS, etc.  However, with a new phone system coming soon, the server project probably won't happen until late October.

Until then, we still run into the issue of the building being connected to the main switch (behind the Firebox) by one fiber line, yet hosting machines on the 192.168.1.x network and the cameras on the 192.168.2.x network.  Would putting a managed switch in that remote building help out or would that single fiber line be a problem?  

RobWill, since we are still running the SBS 2003, what are our options and limitations with its DHCP service?  It allows for more than one scope, so I'm trying to learn what those extra scopes are intended for.  We could try to separate the cameras from the main network, but if the single fiber line is a problem with the idea of physical separation, then we would have to move the Cameras PC over to that building.

We do not NEED the Cameras PC or the cameras themselves to be on the same network, but from a remote management standpoint it would be convenient.

Thank you for your expert advice to everyone who has replied so far.  
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33728949
The problem with multiple DHCP scopes is how are you going to assign an IP from the proper scope to the appropriate device.

Using multiple scopes is not something I am terribly familiar with, but you can assign using DHCP reservations, you can use Class IDs, or most often they are used in multi-segment networks where a router forwards the DHCP request to a DHCP relay (the server).

Do you really need DHCP for the cameras anyway? In the instances I have seen cameras used they are assigned static IPs. You could even use a $30 router on the camera subnet as a DHCP server, but do not use it as a gateway (i.e. don't connect the WAN cable, and set the gateway as the Firebox); you can still set the Firebox as the gateway.

To access the camera PC from the other network you can set up a route on the Firebox to allow connections from one device/PC or multiple to the camera PC. I am sorry but I am not familiar enough with the Firebox to instruct as to how to configure the route.
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 33729043
I still don't get (nor do I think Rob does) why you need to put the cameras on a separate subnet.
And I don't think you want the cameras getting DHCP addresses, so they have a different IP each time. One of my customers does lock and security work. When they go out to put cameras in, it's always on the LAN.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33729446
I'd have to agree, I don't see a need, at least from what you have said so far, for a separate LAN.

I did work on a network this week where the cameras were used for several purposes and completely managed by an outside company. For this reason they preferred to have them completely isolated. In this case there was a web utility that allowed the company to access the "camera PC" if needed. As it turns out this was a good choice as the camera PC was hacked due to a remote management service used by and not properly managed by the camera firm.
 

Author Comment

by:BobLeeSwagger
ID: 33730596
I apologize if I'm having a hard time describing our network. I'm starting to see things in a different light now. We did set static IPs on the Camera PC and the camera units. We also set them as reservations within the secondary scope of DHCP on the SBS box. Was that part unnecessary?

I'd like to understand if I'm reading this correctly.  From the main switch, we have one fiber line to a warehouse where the .1.x clients are AND where the .2.x cameras are.  If we did set up a router on that side of the fiber transceiver, would we still be able to have the two separate networks AND still be able to manage that second network remotely from the office side of the fiber line?  
 
LVL 77

Accepted Solution

by:
Rob Williams earned 350 total points
ID: 33730822
>>"Was that part unnecessary?" If you made the cameras static, no need to create a reservation; however some folk do that rather than documenting, so that all IPs in use show up in the DHCP "address leases" list.

>>"If we did set up a router on that side of the fiber transceiver, would we still be able to have the two separate networks AND still be able to manage that second network remotely from the office side of the fiber line? "
Are you referring to my earlier comment about adding a $30 router? If so I was suggesting just using it as an independent DHCP server. It would not perform NAT (firewall features). It would also only work if the networks are already segmented as you cannot add a DHCP server to an SBS network.

To confirm then you have:

                              |=> x.x.1.x network
Switch => fiber => switch => |
                              |=> x.x.2.x network

In other words all devices are on the same network segment, they just have two IP ranges/subnets?  Why is this necessary?

Yes you can isolate the .2.x network with a NAT router if you like and then still access with RDP, VPN, or another remote access tool as you would over the Internet if you wanted to isolate.

I guess my main question, and I believe Cris's as well is; Why in your configuration do you need 2 subnets?
 

Author Comment

by:BobLeeSwagger
ID: 33745454
We haven't hit the 75 client mark yet, but we do have a lot of machines and networked devices that take up a lot of IPs. We just wanted to separate traffic....and we were running out of IP addresses, which is why we wanted to have a second network. Anyway, thanks again. We will try to NAT the cameras and re-simplify the DHCP setup in our SBS box for now.
 

Author Closing Comment

by:BobLeeSwagger
ID: 33745526
Clearly, we need to learn a few things about SBS, DHCP and TCPIP.  It's not so much that we were looking for an answer to a specific problem, as we were looking for guidance, theories, and industry standard practices.  We need to rethink our network design and these experts have set us on the right path.  Thanks again!
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33746344
You could increase the size of the subnet if necessary by changing the subnet mask, that is if you are running out of IPs. The default licensing with SBS is users, so you can add as many cameras and such as you like. If doing so, make sure you use the Change Server IP and Connect to the Internet wizards.

Thanks BobLeeSwagger. Good luck with the project.
Cheers!
--Rob
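Added example, not from any of the posts above: the subnet arithmetic behind the "change the subnet mask" suggestion and behind the question's mix of a 255.255.255.0 and a 255.255.254.0 mask, using Python's standard ipaddress module. The network addresses are the ones from the thread; the individual host addresses are constructed samples.

```python
# Added example (not from the thread): subnet arithmetic for the scenario
# above, using only the Python standard library. Network ranges are the
# thread's; host addresses are constructed samples.
from ipaddress import IPv4Interface, IPv4Network


def segment_for(host: str, mask: str) -> IPv4Network:
    """Network a host/mask pair actually lands on. Note that 192.168.1.10
    with 255.255.254.0 is 192.168.0.0/23 (covering .0.x and .1.x), which
    does not reach 192.168.2.x at all."""
    return IPv4Interface(f"{host}/{mask}").network


def usable_hosts(net: IPv4Network) -> int:
    """Assignable addresses after removing network and broadcast."""
    return net.num_addresses - 2


def same_segment(a: str, b: str, mask: str) -> bool:
    """True when two hosts sharing a mask can talk without a router."""
    return segment_for(a, mask) == segment_for(b, mask)


def smallest_common_supernet(nets) -> IPv4Network:
    """Shortest prefix that contains every network in `nets`, i.e. the mask
    you would need to merge the ranges into one flat segment instead of
    running two subnets on one wire."""
    nets = [IPv4Network(n) for n in nets]
    for plen in range(min(n.prefixlen for n in nets), -1, -1):
        candidates = {n.supernet(new_prefix=plen) for n in nets}
        if len(candidates) == 1:
            return candidates.pop()
    return IPv4Network("0.0.0.0/0")


if __name__ == "__main__":
    old = segment_for("192.168.1.254", "255.255.255.0")   # 192.168.1.0/24
    cams = segment_for("192.168.2.10", "255.255.254.0")    # 192.168.2.0/23
    print(old, usable_hosts(old), cams, usable_hosts(cams))
    # Widening the mask on the 1.x side does not pull 2.x into the segment:
    print(segment_for("192.168.1.10", "255.255.254.0"))
    print(same_segment("192.168.1.10", "192.168.2.10", "255.255.254.0"))
    # To hold both 1.x and 2.x in one segment you need a /22 (or renumber):
    print(smallest_common_supernet(["192.168.1.0/24", "192.168.2.0/24"]))
```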