Solved

IP addressing for a branch site

Posted on 2012-03-26
Last Modified: 2012-05-08
Hope I can get some feedback -

Basically, I have one branch site with two Cisco routers needing a site-to-site VPN; the branch site will have a DC.

Question is: if I have site 1 (main site) with an IP addressing scheme of, for example, 10.10.10.0/24, what would be the best IP addressing setup for the branch site?

Would it be best to do a split DHCP scope and keep the branch site in the 10.10.10.0/24 range?
Question by: AMtek
17 Comments

Assisted Solution

by: CHENGH
CHENGH earned 250 total points
ID: 37766894
The branch site cannot use the same IP range as the main site, since you need a different network address to create the site-to-site VPN and make the router work.
You can use something like 10.10.11.0/24 for the branch network.

Accepted Solution

by: awaggoner
awaggoner earned 250 total points
ID: 37766946
You must have different subnets at each site.

Create sites in your Active Directory so you are taking advantage of the WAN replication settings in AD.

Have at least one domain controller at the remote site and two in your home site. Run DHCP and DNS on the DC at the remote site. It would be best if you could have two DCs at each site.

You can run the DCs as virtual machines to reduce your hardware requirements.

Expert Comment

by: pwindell
ID: 37767882
DCs can be VMs, but it is not recommended. You can end up corrupting AD very easily.

If you run a DC as a VM then:

1. Never "pause" a DC

2. Never "restore" a DC from a snapshot.

3. DCs should only be restored via Active Directory Restore Mode using a proper Backup/Restore product.

Expert Comment

by: awaggoner
ID: 37768541
Microsoft says it is fine to run a domain controller as a virtual machine as long as you follow their recommendations. pwindell is correct with his list.

http://support.microsoft.com/kb/888794

Microsoft changed their tune about running DCs as VMs after Hyper-V came out.

Expert Comment

by: pwindell
ID: 37768552
Hyper-V can have problems starting up if no DC is present, so at least one DC, preferably the one with the PDC role, should remain a true physical machine. I have not experienced the problem myself because I don't use Hyper-V, but there have been "horror stories".

Expert Comment

by: awaggoner
ID: 37768565
I prefer VMWare myself.

Also, I would second the recommendation to have at least one physical box as a domain controller.

Some companies run all of their domain controllers as virtual machines, but it doesn't cost that much for a 1U box when it is your entire enterprise directory structure at stake.

Expert Comment

by: pwindell
ID: 37768583
I prefer VMware as well. :-)

Author Comment

by: AMtek
ID: 37769033
It's just one physical DC in the branch office and two at the main site (one physical, one virtual).

I will have DNS/DHCP at the branch site; I'm not totally clear on how to set up the IP addressing the best way.

After adding a scope such as 10.10.11.0/24 on the branch DHCP server (with the branch router and DC getting assignments from the same 10.10.11.0/24 subnet), I'm guessing I need to add all routers to each DHCP scope in both locations (003 Router setting, ex: 10.10.10.1 and 10.10.11.1) and then add each DNS server (006 DNS Servers)? Is that correct?

Not sure what to do in the DNS settings... any pointers in the right direction?

Thanks for all your input.

Expert Comment

by: Syed_M_Usman
ID: 37770626
Dear,

If you have 10.10.10.x/24 in your HO, you can have any network and any subnet in your branch (your router should support it).

If you have two DCs (regardless of virtual or physical) in your HO, make sure you use AD-integrated DNS. DNS will be replicated automatically, but you need to make one subnet in the reverse lookup zone under the HO DNS console after setting up your DC at the branch (please see below). DNS
In my lab scenario I have a 10.10.10.x/22 subnet and the branch has a 192.168.168.x/24 subnet.

Once you set up DNS the above way, all branch hosts' A records will be in the parent domain.local or .com DNS folder, and the PTR records for both subnets will be in separate subnetted folders in the reverse lookup zone.

Apart from all the above, I would suggest you use the branch DC as the branch DHCP server.
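
The branch addressing this thread converges on, as an added example that is not from any of the posters: AD sites and subnets for both ranges (the accepted solution), a branch DHCP scope with the 003 Router and 006 DNS Servers options AMtek asked about, and AD-integrated reverse lookup zones for both subnets as Syed_M_Usman describes. It assumes the Windows Server 2012+ DHCP, DNS and AD PowerShell modules on the branch DC; the host addresses under 10.10.11.x, domain.local, BRANCH-DC1 and the site names are placeholders.

```powershell
# Added example (not from the thread). Assumes Server 2012+ modules; names and
# host addresses below are placeholders, only the two /24s come from the thread.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$MainSubnet   = '10.10.10.0/24'   # HO range from the question
$BranchSubnet = '10.10.11.0/24'   # branch range suggested by CHENGH
$BranchRouter = '10.10.11.1'      # option 003: branch router LAN interface (placeholder)
$BranchDC     = '10.10.11.10'     # branch DC, first 006 entry (placeholder)
$MainDC       = '10.10.10.10'     # HO DC, 006 fallback over the VPN (placeholder)

# 1. Sites and subnets: clients in 10.10.11.0/24 then locate the branch DC for
#    logon, and AD replicates over the site link (scheduled, compressed) instead
#    of treating the T1 as intra-site.
New-ADReplicationSite -Name 'Main'
New-ADReplicationSite -Name 'Branch'
New-ADReplicationSubnet -Name $MainSubnet   -Site 'Main'
New-ADReplicationSubnet -Name $BranchSubnet -Site 'Branch'
New-ADReplicationSiteLink -Name 'Main-Branch' -SitesIncluded 'Main', 'Branch' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
Move-ADDirectoryServer -Identity 'BRANCH-DC1' -Site 'Branch'   # placeholder DC name

# 2. Branch DHCP scope on the branch DC. The pool stays inside 10.10.11.0/24 and
#    leaves room below .50 for the router, DC and other static hosts. Router (003)
#    and DNS (006) are set per scope, not server-wide, so each site hands out its
#    own gateway; the HO DC is listed second so name resolution survives a branch
#    DC outage via the VPN.
Add-DhcpServerv4Scope -Name 'Branch LAN' -StartRange 10.10.11.50 -EndRange 10.10.11.200 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.10.11.0 -Router $BranchRouter `
    -DnsServer $BranchDC, $MainDC -DnsDomain 'domain.local'

# 3. AD-integrated reverse lookup zones for both subnets, replicated forest-wide,
#    secure dynamic updates only, so PTR records land in the right zone on every DC.
foreach ($net in $MainSubnet, $BranchSubnet) {
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
}

# 4. Checks to run afterwards: subnet-to-site mapping, the two scope options,
#    and that both reverse zones exist.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-DhcpServerv4OptionValue -ScopeId 10.10.11.0 | Where-Object OptionId -in 3, 6
Get-DnsServerZone | Where-Object IsReverseLookupZone | Select-Object ZoneName, ReplicationScope
```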

Expert Comment

by: pwindell
ID: 37771287
"I will have DNS/DHCP at the branch site, not totally clear on how to set up the IP addressing the best way."

There isn't any mystery to it. Just give each site a /24 RFC private address range and be done with it. If you go with a 192.168 set of addresses, just don't go lower than "10" in the 3rd octet, to avoid the heavily over-used ranges.

If each site is less than 200 machines, that is all you need. If a site grows beyond 200 machines, then run two /24 segments at that particular site, which will then allow you up to 510 machines.

It is important that the sites be "routed" between them and not "bridged", so that broadcasts are not running over the slower WAN links between the sites.

Author Comment

by: AMtek
ID: 37773940
What about going with an RODC and putting in the subnet in AD Sites and Services?

Or a child domain/subnet with a full DC? Thoughts?

Expert Comment

by: awaggoner
ID: 37773951
Depends on the size of the branch and the number of changes being made.

Most instances would be well served with a read-only domain controller if the server is not able to be physically protected.

A full DC is good for your BC/DR plans as long as physical security is not an issue.

Author Comment

by: AMtek
ID: 37773984
Security is no issue for the branch site. Currently there is only a T1 at the branch office, approx. 15 users, expanding to 30-50 in the coming year.

The only thing it will be doing is DFS/file server outside of DNS/AD/DHCP; email is still in the home office, with remote clients configured for Outlook Anywhere.

Wondering about bandwidth/replication with a full DC vs. the RODC.

Expert Comment

by: awaggoner
ID: 37774035
Replication should not be an issue after the initial copy. About how many objects are in your home office that will need to be replicated?
Once initial replication is completed, only changes are replicated. Entire objects are not replicated, only the changes to the specific object. For example, if a phone number is changed, only the phone number is replicated, not the user object. This makes replication traffic very small.

Did you say the branch office domain controller will also be performing as a file server? If so, this should change. The file server should be a different server than the domain controller. This cannot be stressed enough: do not do this.

If necessary, purchase a NAS box, such as from QNAP, and set up shares on it. But do not allow a domain controller to be used as a file server.

Author Comment

by: AMtek
ID: 37774367
Out of curiosity, why is that?

Why not have a DC as a file server?

Expert Comment

by: awaggoner
ID: 37774482
Security and performance.

You don't want users having to wait to log in because server resources are being used for file access.

Also, one NTFS misconfiguration and a user has full access to the directory structure of your domain controller.

http://www.windowsnetworking.com/articles_tutorials/active-directory-design-considerations-small-networks.html

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/Increasefileserverperformance.html

While it will function to have your domain controller be a file server, it is not a best practice. Your domain controllers hold the keys to the kingdom, so to speak, so why take any unnecessary chances?

Expert Comment

by: pwindell
ID: 37776615
"Out of curiosity, why is that?
Why not have a DC as a file server?"

Since this can't be stressed enough, I'll back up awaggoner on that. In addition to security and performance there is also maintenance and dependability. If you use the DC for other roles and something "bad" happens with one of those other roles that could go as far as causing you to have to flatten and reload the machine, do you really want to flatten the DC? There are also "catch-22s" created by situations such as installing Exchange on a DC when it is not an SBS situation.

Installing any other software can be a disaster no matter how "harmless" the thing you installed seems to be. We are a TV station; we have a central "clock" in the building that runs off of GPS. Timing is critical for us. Now, DCs are the time source for the domain, so I had the bright idea of installing time cards in the DCs to sync them to the house clock, then all the other machines sync to them. Everything is happy, right? Wrong.

The software that the card runs off of will replace the Windows Time Service and will shut down the Windows Time Service. Unfortunately the DC with the PDC role requires the Windows Time Service; without it the domain "thinks" that the PDC role is missing, but that went unnoticed for a while. Then Daylight Savings Time hit and Windows jumped ahead one hour like it should; unfortunately so did the house clock, so the clocks jumped two hours ahead instead of one, but the client machines only jumped ahead one hour. Now the clients and the DC are one hour apart, which is too far for the normal sync to function, so they stop attempting to sync with DCs. Disabling DST in Windows won't work because now you end up with the DC and the client having conflicting clock configurations.

But it gets better. In my attempts to fix the "time card software", the DC with the PDC role got bad "date data" and jumped back to midnight of Jan. 1st, 1980 while the other DC was still on the current date. Now all replication just blew its brains out and the Exchange server (which depends on AD) threw both of its Information Stores into a state called "dirty shutdown", leaving all email dead in the water. Then, since AD is now brain dead, all authentication starts failing everywhere; our firewall, which authenticates internet access by user accounts (it doesn't care what machine you are sitting at), starts to fail.

So now all clients have lost "touch" with the domain, replication is a thing of the past, nothing is authenticating, email is gone, and there is no internet access. Why? Because I put time cards in the DCs with what seemed like a small, harmless piece of software.

It took two days of work and several calls to a couple of guys in India that I couldn't understand a word they were saying to get everything back to normal.