Solved

windows 2008 r2 Domain Controllers not able to see each other in different Subnets

Posted on 2012-03-15
9
577 Views
Last Modified: 2012-08-14
Hello All,
 
I have a Domain Controller in NY called Server A (192.168.90.5) in the subnet of 192.168.90.0/24. This AD is the Primary of the Domain. I'm running low on IP address in the 90 subnet. within the NY office.  I cannot use super subnetting because the person who engineered this site along with 3 other sites made them like this.

All driven by MPLS:
NY-192.168.90.0/24  (Domain Controller A - 192.168.90.5)
PA-192.168.91.0/24  (Domain Controller B - 192.168.91.5)
CT-192.168.92.0/24  (Domain Controller C - 192.168.92.5)
NJ-192.168.93.0/24   (Domain Controller D - 192.168.93.5)

Super subneting would be the answer for me but requires a lot of work to change all IP device settings and workstations to a new subnet and there’s an overlap in IP address (Since supersubnetting would give me 90 and 91 subnets) that I do not want to risk.  so i figured...maybe  create a new Subnet and attached it to the NY site.

Let call this one 192.168.98.0/23.  My though would be that it would give me 510 address nodes. 192.168.98.0 - 192.168.98.254 and 192.168.99.1 - 192.168.99.254 and i can access along with the 90 subnet.
so this is what i've done so far.

- added another Subnet for the "NY site" in Site and Services - 192.168.98.0/23 and link it to NY.
and waited to sync...

Then i setup a workstation with a subnet address  IP:192.168.98.10,submask: 255.255.254.0 no gateway dns: 192.168.90.5 to see if i can be domained or ping the NY AD at 192.168.90.5...no luck. It didn’t work and nslookup couldn’t find a DNS

So i created a new AD for subnet 192.168.98.0/23 and called it ADsystems.
so this is what i've done..

- Domained an AD (ADsystems) ip address 192.168.90.6, Submask 255.255.255.0, Gateway: 192.168.90.1, DNS:192.168.90.5
- added a Site in Site and Services called "Systems"
- Subnet for the "system" is 192.168.98.0/23 and link it to "System" site.
- changed the Local DNS to itself 192.168.90.6
- Moved the ADsystem object in "NY" within  Site and service to the "System" site.
- Attached the subnet 192.168.98.0/23 to the “System” site and created a link between NY and “Systems”
- Once I saw replication occurring, I then changed the IP address of the new AD (ADsystems) to address 192.168.98.5, Submask 255.255.254.0, No Gateway, DNS:192.168.98.5.
No gateway because the gateway in in the 90 subnet

Once I changed the IP address to the new subnet, the new AD cannot see or ping anything in the 90,91,92 or 93 subnets and replication is failing. I change it back to how I had it before and it works but now not for the 98 subnet.

Am I missing something?  Do I need to setup a VPN between 90 and 98 to see each other even it they are on the same network?
What are my options….anyone?

Thanks
0
Comment
Question by:bootyfreakk
  • 3
  • 3
  • 2
9 Comments
 
LVL 7

Expert Comment

by:raeldri
Comment Utility
your issue is with the subnetmask or lack of default gateway.

192.168.98.0/23 is going to give a usable range of 192.168.98.1 - 192.168.99.254

the machines wont know how to reach 192.168.90.0 network
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 80 total points
Comment Utility
If this is all part of a managed MPLS circuit then that is almost certainly where the issue lies. Changing AD will not give you any additional IP routing, that needs to be configured on your MPLS routers
0
 
LVL 3

Author Comment

by:bootyfreakk
Comment Utility
Why would my gateway be a factor. When both 90 and 98 subnets are at the same NY location. It doesnt need to access a router for anything.

the NY Ad 192.168.90.5 is sitting right next to the ADSystems server 192.168.98.5. why should a router be involed. do i need setup atranslation of some sort,  Vlan on my switch or add an entry to my router for this to work?  (i would perferr not to go that route) would adding an extra ethernet card to the NY AD work?
Im doing this to expand the ip range. since im running low on 90.  I though DNS handled replication.

The other sites i have 91,92 and 93 have been setup this way and it works great.( MPLS and all) why do it locally and it doesnt work. I double checked my setup and i feel im missing something.
0
 
LVL 7

Assisted Solution

by:raeldri
raeldri earned 20 total points
Comment Utility
the subnet mask limits what is seen as "local" anything outside above range is considered remote and would need routed to reach the other subnets
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 80 total points
Comment Utility
This is as I said orriginally down to routing. If its a fully managed MPLS then you need to get your MPLS service provider to provide an additional route and range to you for the extra subnet so that EVERYWHERE knows where to route to.
As explained above, just because two subnets are in the same location, does not mean they can talk to each other. Default gateways and subnets....
0
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
UNDER NO CIRCUMSTANCES add a second NIC into a DC

Its a night mare and will cause you nothing but problems.
0
 
LVL 3

Author Comment

by:bootyfreakk
Comment Utility
How about some sort of internal rounting system...something i can build, a software or adding a vlan to a port on my switch to do a route from there. is this possible?
0
 
LVL 7

Expert Comment

by:raeldri
Comment Utility
Internal routing is fine do you have your own router outside the MPLS router or a layer3 switch?  Both would work fine for simple routing between subnets
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now