IP addressing for a branch site

Hope I can get some feedback -

Basically have one branch site with two Cisco routers, needing a site-to-site vpn - the branch site will have a DC.

Question is: If I have site 1 (main site) with an ip addressing scheme of for example what would be the best ip addressing setup for the branch site?

Would it be best to do a split DHCP scope and keep the branch site in the range?

The branch site cannot use the same IP range as the main site, since you need a different network address to create the site-to-site VPN and make the router work.
You can use something like for the branch network.
You must have different subnets at each site.

Create sites in your active directory so you are taking advantage of the WAN replication settings in AD.

Have at least one domain controller at the remote site and 2 in your home site.  Run DHCP and DNS on the DC at the remote site.  It would be best if you could have 2 DCs at each site.

You can run the DC's as virtual machines to reduce your hardware requirements.

DCs can be VMs but not recommended.  You can end up corrupting AD very easily.

If you run a DC as a VM then:

1. Never "pause" a DC

2. Never "restore" a DC from a snapshot.

3. DCs should only be restored via Active Directory Restore Mode using a proper Backup/Restore product.

Microsoft says it is fine to run a domain controller as a virtual machine as long as you follow their recommendations.  pwindell is correct with his list.


Microsoft changed their tune about running DC's as VM's after Hyper-V came out.
Hyper-V can have problems starting up if no DC is present,...so at least one DC,...preferably the one with the PDC Role,...should remain a true physical machine.   I have not experienced the problem myself because I don't use Hyper-V,...but there have been "horror stories".
I prefer VMWare myself.

Also, I would second the recommendation to have at least one physical box as a domain controller.

Some companies run all of their domain controllers as virtual machines, but it doesn't cost that much for a 1U box when it is your entire enterprise directory structure at stake.
I prefer VMWare as well.  :-)
AMtek (Author) commented:
It's just one physical in the branch office - two at the main (one physical/one virtual).

I will have DNS/DHCP at the branch site; not totally clear on how to set up the IP addressing the best way.

After adding a scope such as on the branch DHCP server... (with the branch router and DC getting the same subnet assignments) - then I'm guessing I need to add all routers to each DHCP scope in both locations (003 router setting - ex: and and then adding each DNS server (006 DNS Servers)?? Is that correct?

Not sure what to do in DNS settings.. any pointers in the right direction?

Thanks for all your input
Syed_M_Usman (System Administrator) commented:

If you have 10.10.10.x/24 in your HO you can have any network and any subnet in your Branch (your router should support it).

If you have two DCs (regardless of virtual or physical) in your HO, make sure you use AD Integrated DNS... DNS will be automatically replicated, but you need to make one subnet in the Reverse lookup zone under the HO DNS console after setting up your DC @ Branch (please see below).
In my lab scenario I have a 10.10.10.x/22 subnet and the branch has a 192.168.168.x/24 subnet.

Once you set up DNS the above way, all branch hosts' A records will be in the parent domain.local or .com DNS folder, and PTR records for both subnets will be in the reverse lookup zone in separate subnetted folders.

Apart from all the above, I would suggest you use the branch DC as the branch DHCP server.
i will have dns/dhcp at the branch site, not totally clear on how to setup the ip addressing the best way.

There isn't any mystery to it.  Just give each site a /24 bit RFC Private Address Range and be done with it.  If you go with a 192.168 set of addresses just don't go lower than "10" in the 3rd octet to avoid the heavily over-used ranges.

If each site is less than 200 machines that is all you need.  If a site grows beyond 200 machines then run two /24 segments at that particular site, which will then allow you up to 510 machines.

It is important that the Sites be "routed" between them and not "bridged",...so that broadcasts are not running over the slower WAN links between the Sites.
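As an added example (not code from the thread), a small Python check that applies the advice above to a constructed two-site plan: one RFC 1918 /24 per site (two once a site outgrows ~200 hosts), no overlap between sites as the site-to-site VPN requires, and no 192.168 third octet below 10. It also derives the per-scope DHCP values AMtek asked about (option 003 router, option 006 DNS). The plan addresses and the "hosts .1-.20 reserved for router/DC/statics" convention are assumptions.

```python
import ipaddress

# Constructed sample plan (not from the thread): main office already on two
# /24s, branch on one /24.  Each site's DC is its DNS/DHCP server; the branch
# lists the main-office DC as a second resolver for when the VPN is up.
PLAN = {
    "main":   {"subnets": ["10.10.10.0/24", "10.10.11.0/24"],
               "dns": ["10.10.10.10", "10.10.10.11"]},
    "branch": {"subnets": ["192.168.168.0/24"],
               "dns": ["192.168.168.10", "10.10.10.10"]},
}


def check_plan(plan):
    """Return a list of problems with the plan; an empty list means it passes."""
    problems = []
    nets = [(site, ipaddress.ip_network(s))
            for site, cfg in plan.items() for s in cfg["subnets"]]
    for site, net in nets:
        if not net.is_private:
            problems.append(f"{site}: {net} is not an RFC 1918 private range")
        o = net.network_address.packed
        if o[0] == 192 and o[1] == 168 and o[2] < 10:
            problems.append(f"{site}: {net} uses a third octet below 10 (over-used range)")
    # A site-to-site VPN needs distinct networks on both ends: no overlap anywhere.
    for i, (site_a, a) in enumerate(nets):
        for site_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{site_a}/{site_b}: {a} and {b} overlap")
    return problems


def site_capacity(plan, site):
    """Usable host addresses at a site (two /24s give 254 + 254)."""
    return sum(ipaddress.ip_network(s).num_addresses - 2 for s in plan[site]["subnets"])


def dhcp_scopes(plan):
    """One DHCP scope per subnet: router = first host (option 003), DNS = the site's
    resolver list (option 006), dynamic pool from host 21 up (assumed convention)."""
    scopes = []
    for site, cfg in plan.items():
        for s in cfg["subnets"]:
            hosts = list(ipaddress.ip_network(s).hosts())
            scopes.append({"site": site, "scope": s,
                           "router_003": str(hosts[0]),
                           "dns_006": list(cfg["dns"]),
                           "pool": (str(hosts[20]), str(hosts[-1]))})
    return scopes
```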
AMtek (Author) commented:
What about going with an RODC and putting in the subnet in AD Sites/Services?

Or a child domain/subnet with a full DC?  Thoughts?
Depends on the size of the branch and the number of changes being made.

Most instances would be well served with a read-only domain controller if the server is not able to be physically protected.

A full DC is good for your BC/DR plans as long as physical security is not an issue.
AMtek (Author) commented:
Security is no issue for the branch site; currently there is only a T1 at the branch office - approx. 15 users - expanding to 30-50 in the coming year.

Only thing it will be doing is DFS/file server outside of DNS/AD/DHCP - email is still in the home office, remote clients configured with Outlook Anywhere.

Wondering about bandwidth/replication with a full DC vs the RODC.
Replication should not be an issue after the initial copy.  About how many objects are in your home office that will need to be replicated?
Once initial replication is completed only changes are replicated.  Entire objects are not replicated, only the changes to the specific object are replicated.  For example, if a phone number is changed, only the phone number is replicated, not the user object.  This makes replication traffic very small.

Did you say the branch office domain controller will also be performing as a file server?  If so, this should change.  The file server should be a different server than the domain controller.  This cannot be stressed enough, do not do this.

If necessary, purchase a NAS box, such as from QNAP and set up shares on it.  But do not allow a domain controller to be used as a file server.
AMtek (Author) commented:
Out of curiosity - why is that?

Why not have a DC as a file server?
Security and performance.

You don't want users having to wait to log in because server resources are being used for file access.

Also, one NTFS misconfiguration and a user has full access to the directory structure of your domain controller.

While it will function to have your domain controller be a file server, it is not a best practice.  Your domain controllers hold the keys to the kingdom, so to speak, so why take any unnecessary chances?
out of curiosity - why is that?
why not have a DC as a file server?

Since this can't be stressed enough, I'll back up awaggoner on that.  In addition to security  and performance there is also maintenance and dependability.  If you use the DC for other roles and something "bad" happens with one of those other roles that could go as far as causing you to have to flatten and reload the machine,...do you really want to flatten the DC?  There are also "catch-22's" created by situations such as installing Exchange on a DC when it is not an SBS situation.

Installing any other software can be a disaster no matter how "harmless" the thing you installed seems to be.  We are a TV station,...we have a central "clock" in the building that runs off of GPS.  Timing is critical for us.  Now DCs are the Time Source for the Domain so I had the bright idea of installing time cards in the DCs to sync them to the House Clock then all the other machines sync to them,..everything is happy right?  Wrong.

The software that the card runs off of will replace the Windows Time Service and will shut down the Windows Time Service.  Unfortunately the DC with the PDC Role requires the Windows Time Service,..without it the Domain "thinks" that the PDC Role is missing,...but that went unnoticed for a while.  Then Daylight Savings Time hit and Windows jumped ahead one hour like it should,...unfortunately so did the house clock so the clocks jumped 2 hours ahead instead of one,...but the client machines only jumped ahead one hour. Now the Clients and the DC are one hour apart, which is too far for the normal sync to function so they stop attempting to sync with DCs.  Disabling DST in Windows won't work because now you end up with the DC and the Client having conflicting Clock Configuration.

But it gets better,...in my attempts to fix the "time card software" the DC with the PDC Role got bad "date data" and jumped back to Midnight of Jan. 1st, 1980 while the other DC was still on the current date.   Now all replication just blew its brains out and the Exchange Server (which depends on AD) threw both of its Information Stores into a state called "dirty shutdown" leaving all email dead in the water.  Then since AD is now brain dead all authentication starts failing everywhere,...our firewall which authenticates the internet access by user accounts (it doesn't care what machine you are sitting at) starts to fail.

So now all clients have lost "touch" with the Domain,...replication is a thing of the past,....nothing is authenticating,....email is gone,....and there is no internet access.  Why?  Because I put time cards in the DCs with what seemed like a small harmless piece of software.

It took two days of work and several calls to a couple guys in India that I couldn't understand a word they were saying to get everything back to normal.