AMtek asked:
IP addressing for a branch site

Hope I can get some feedback -

Basically have one branch site with two Cisco routers, needing a site-to-site vpn - the branch site will have a DC.

Question is: If I have site 1 (main site) with an IP addressing scheme of, for example, 10.10.10.0/24... what would be the best IP addressing setup for the branch site?

Would it be best to do a split DHCP scope and keep the branch site in the 10.10.10.0/24 range?
DCs can be VMs but not recommended.  You can end up corrupting AD very easily.

If you run a DC as a VM then:

1. Never "pause" a DC

2. Never "restore" a DC from a snapshot.

3. DCs should only be restored via Active Directory Restore Mode using a proper Backup/Restore product.
Microsoft says it is fine to run a domain controller as a virtual machine as long as you follow their recommendations.  pwindell is correct with his list.

http://support.microsoft.com/kb/888794

Microsoft changed their tune about running DCs as VMs after Hyper-V came out.
Hyper-V can have problems starting up if no DC is present,...so at least one DC,...preferably the one with the PDC Role,...should remain a true physical machine.   I have not experienced the problem myself because I don't use Hyper-V,...but there have been "horror stories".
I prefer VMWare myself.

Also, I would second the recommendation to have at least one physical box as a domain controller.

Some companies run all of their domain controllers as virtual machines, but it doesn't cost that much for a 1U box when it is your entire enterprise directory structure at stake.
I prefer VMWare as well.  :-)
AMtek (asker):

It's just one physical in the branch office - two at the main (one physical/one virtual).

I will have DNS/DHCP at the branch site, not totally clear on how to set up the IP addressing the best way.

After adding a scope such as 10.10.11.0/24 on the branch DHCP server... (with the branch router and DC getting the same subnet 10.10.11.0/24 assignments) - then I'm guessing I need to add all routers to each DHCP scope in both locations (003 Router setting - ex: 10.10.10.1 and 10.10.11.1) and then add each DNS server (006 DNS Servers)? Is that correct?

Not sure what to do in DNS settings.. any points in the right direction?

Thanks for all your input
Syed Muhammad Usman:

Dear,

If you have 10.10.10.x/24 in your HO you can have any network and any subnet in your Branch (your router should support it).

If you have two DCs (regardless virtual or physical) in your HO make sure you use AD-integrated DNS... DNS will be automatically replicated but, you need to make one subnet in Reverse lookup zone under HO DNS console after setting your DC @ Branch (please see below).

[screenshot]

In my LAB scenario I have 10.10.10.x/22 subnet and branch has 192.168.168.x/24 subnet.

Once you set up DNS the above way, all Branch hosts A records will be in parent domain.local or .com DNS folder and PTR records for both subnets will be in reverse lookup zone separate subnetted folder.

Apart from all above I would suggest you use Branch DC as Branch DHCP server.
i will have dns/dhcp at the branch site, not totally clear on how to setup the ip addressing the best way.

There isn't any mystery to it.  Just give each site a /24 bit RFC Private Address Range and be done with it.  If you go with a 192.168 set of addresses just don't go lower than "10" in the 3rd octet to avoid the heavily over-used ranges.

If each site is less than 200 machines that is all you need.  If a site grows beyond 200 machines then run two /24 segments at that particular site, which will then allow you up to 510 machines.

It is important that the Sites be "routed" between them and not "bridged",...so that broadcasts are not running over the slower WAN links between the Sites.
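The addressing advice above (one private /24 per site, two /24 segments once a site passes 200 machines, sites routed rather than sharing a range), together with the earlier points about the 003 Router / 006 DNS Servers scope options and the per-subnet reverse lookup zones, can be turned into a small planning script. This is an added example written for this page, not code from anyone in the thread; the site names and host counts in SITES are constructed sample input, the choice of the first usable address as the router and the local DC as first DNS server is a convention assumed here, and the 10.10.0.0/16 pool starting at 10.10.10.0/24 simply follows the question's main-site range.

```python
import itertools
import ipaddress

# Constructed sample input, not from the thread: expected machine count per site.
SITES = {"main": 120, "branch": 50, "warehouse": 300}


def blocks_needed(hosts):
    """Rule of thumb from the answer: one /24 for a site of up to ~200
    machines, two /24 segments for a site that grows beyond that."""
    if hosts <= 200:
        return 1
    if hosts <= 508:          # two /24s = 2 x 254 usable addresses
        return 2
    raise ValueError(f"{hosts} hosts needs more than two /24 segments")


def plan_addressing(sites, supernet="10.10.0.0/16", first_block="10.10.10.0/24"):
    """Hand out consecutive /24 blocks from one private supernet, starting at
    first_block (the main site's range in the question), so no two sites overlap."""
    pool = list(ipaddress.ip_network(supernet).subnets(new_prefix=24))
    cursor = pool.index(ipaddress.ip_network(first_block))
    plan = {}
    for name, hosts in sites.items():
        n = blocks_needed(hosts)
        if cursor + n > len(pool):
            raise ValueError(f"supernet {supernet} exhausted at site {name}")
        plan[name] = pool[cursor:cursor + n]
        cursor += n
    return plan


def usable_hosts(nets):
    """Usable addresses across a site's segments (network and broadcast excluded).
    Two routed /24s give 2 x 254 = 508; the 510 quoted in the thread is what a
    single /23 would give."""
    return sum(n.num_addresses - 2 for n in nets)


def routed_design_ok(plan):
    """True when every site has its own subnet(s). Two sites sharing a range
    (the 'split scope' idea in the question) would need the WAN bridged, which
    carries broadcasts across the slow link."""
    all_nets = [n for nets in plan.values() for n in nets]
    return not any(a.overlaps(b) for a, b in itertools.combinations(all_nets, 2))


def third_octet_ok(cidr):
    """The answer's advice for 192.168.x.0 ranges: keep the third octet at 10
    or above to stay clear of the heavily used default ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.subnet_of(ipaddress.ip_network("192.168.0.0/16")):
        return int(str(net.network_address).split(".")[2]) >= 10
    return True


def reverse_zones(cidr):
    """Class-C (in-addr.arpa) reverse zones that cover a range; a /22 such as
    the 10.10.10.x/22 lab example needs four of them, a /25 shares one."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    zones = []
    for block in net.subnets(new_prefix=24):
        o = str(block.network_address).split(".")
        zones.append(f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa")
    return zones


def dhcp_options(site_net, local_dns, remote_dns):
    """DHCP scope options the asker mentions: 003 Router and 006 DNS Servers.
    Assumed convention (not from the thread): the router takes the first usable
    address and the site's own DC is listed first for DNS."""
    router = next(site_net.hosts())
    for dns in (local_dns, remote_dns):
        ipaddress.ip_address(dns)   # raises ValueError on a malformed address
    return {"003": [str(router)], "006": [local_dns, remote_dns]}


if __name__ == "__main__":
    plan = plan_addressing(SITES)
    for site, nets in plan.items():
        print(site, [str(n) for n in nets], usable_hosts(nets), "usable")
        for n in nets:
            print("  reverse zones:", reverse_zones(str(n)))
    print("routed, non-overlapping:", routed_design_ok(plan))
    print("branch scope options:", dhcp_options(plan["branch"][0], "10.10.11.10", "10.10.10.10"))
```

Running it prints the per-site blocks, their usable host counts and the reverse zones to create on the HO DNS server, and confirms the plan has no overlapping ranges; feeding the question's original idea (branch kept inside 10.10.10.0/24) into routed_design_ok returns False, which is the bridged-WAN problem the answer warns about.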
AMtek (asker):

What about going with an RODC and putting in the subnet in AD Sites/Services?

Or a child domain/subnet with a full DC?  Thoughts?
Depends on the size of the branch and the number of changes being made.

Most instances would be well served with a read-only domain controller if the server is not able to be physically protected.

A full DC is good for your BC/DR plans as long as physical security is not an issue.
AMtek (asker):

Security is no issue for the branch site, currently there is only a T1 at the branch office - approx 15 users - expanding to 30-50 in the coming year.

Only thing it will be doing is DFS/file server outside of DNS/AD/DHCP - email is still in the home office, remote clients configured with Outlook Anywhere.

Wondering about bandwidth/replication with a full DC vs the RODC
Replication should not be an issue after the initial copy.  About how many objects are in your home office that will need to be replicated?
Once initial replication is completed only changes are replicated.  Entire objects are not replicated, only the changes to the specific object are replicated.  For example, if a phone number is changed, only the phone number is replicated, not the user object.  This makes replication traffic very small.

Did you say the branch office domain controller will also be performing as a file server?  If so, this should change.  The file server should be a different server than the domain controller.  This cannot be stressed enough, do not do this.

If necessary, purchase a NAS box, such as from QNAP and set up shares on it.  But do not allow a domain controller to be used as a file server.
AMtek (asker):

Out of curiosity - why is that?

Why not have a DC as a file server?
Security and performance

You don't want users having to wait to login because server resources are used because of file access.

Also, one NTFS misconfiguration and a user has full access to the directory structure of your domain controller.

http://www.windowsnetworking.com/articles_tutorials/active-directory-design-considerations-small-networks.html

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/Increasefileserverperformance.html

While it will function to have your domain controller be a file server, it is not a best practice.  Your domain controllers hold the keys to the kingdom, so to speak, so why take any unnecessary chances?

Out of curiosity - why is that?
Why not have a DC as a file server?

Since this can't be stressed enough, I'll back up awaggoner on that.  In addition to security and performance there is also maintenance and dependability.  If you use the DC for other roles and something "bad" happens with one of those other roles that could go as far as causing you to have to flatten and reload the machine,...do you really want to flatten the DC?  There are also "catch-22s" created by situations such as installing Exchange on a DC when it is not an SBS situation.

Installing any other software can be a disaster no matter how "harmless" the thing you installed seems to be.  We are a TV station,...we have a central "clock" in the building that runs off of GPS.  Timing is critical for us.  Now DCs are the Time Source for the Domain so I had the bright idea of installing time cards in the DCs to sync them to the House Clock then all the other machines sync to them,..everything is happy right?  Wrong.

The software that the card runs off of will replace the Windows Time Service and will shut down the Windows Time Service.  Unfortunately the DC with the PDC Role requires the Windows Time Service,..without it the Domain "thinks" that the PDC Role is missing,...but that went unnoticed for a while.  Then Daylight Savings Time hit and Windows jumped ahead one hour like it should,...unfortunately so did the house clock so the clocks jumped 2 hours ahead instead of one,...but the client machines only jumped ahead one hour. Now the Clients and the DC are one hour apart, which is too far for the normal sync to function so they stop attempting to sync with DCs.  Disabling DST in Windows won't work because now you end up with the DC and the Client having conflicting Clock Configuration.

But it gets better,...in my attempts to fix the "time card software" the DC with the PDC Role got bad "date data" and jumped back to Midnight of Jan. 1st, 1980 while the other DC was still on the current date.   Now all replication just blew its brains out and the Exchange Server (which depends on AD) threw both of its Information Stores into a state called "dirty shutdown" leaving all email dead in the water.  Then since AD is now brain dead all authentication starts failing everywhere,...our firewall, which authenticates the internet access by user accounts (it doesn't care what machine you are sitting at), starts to fail.

So now all clients have lost "touch" with the Domain,...replication is a thing of the past,....nothing is authenticating,....email is gone,....and there is no internet access.  Why?  Because I put time cards in the DCs with what seem like a small harmless piece of software.

It took two days of work and several calls to a couple guys in India that I couldn't understand a word they were saying to get everything back to normal.