Second DHCP Scope

isaackhazi used Ask the Experts™
We have a Server 2008 machine acting as a DHCP server. Currently our DHCP scope is between to Our default gateway address (Fortigate 80C Firewall/Router) is 192.168.0.X and subnet mask is, DNS address is

This scope was enough for us, until of late, when we require more devices to be connected to our network. Therefore I created a new scope of the same DHCP server for leasing extra addresses between to Since the IP address and default gateway has to be of the same subnet, I gave 192.168.1.X (subnet mask: as a secondary IP address to the same LAN port on our Fortigate firewall. I am able to ping the firewall with this new IP address from anywhere within our network. So on the new DHCP scope, I gave this new 192.168.1.X as the default gateway address, the DNS server address I gave the same old address.

I deactivated the old scope and tried to connect a few computers onto our network. They were unable to get IP addresses from the new scope. Could you please help figure out what I am doing wrong here? Or are there some additional steps to be done that I'm not aware of? Please help.

also, all of our main servers like exchange server, sql server are all on
Once I get the new DHCP scope working, will the PCs connecting to these newly leased IP addresses starting with have any problem connecting to the above mentioned server with the address ?

Sorry but the 3rd octet in a is crucial. .0 and .1 are different networks and unless routed, will not work.


so in this case, what should the third octet be?


You should first decide your requirement in terms of the number of host IPs required and then adjust the subnet mask.

For your help I am including a link which helps you quickly calculate the subnet. Just give it a go and you should be able to create the scope with a larger number of host IPs.

You will have to move from a class C to a class B to get more IP addresses, or set up another routed vlan etc. The means that the only IP's that are on the same network are the ones whose first 3 octets match. In this case the 3rd would have to be 0 to be able to talk to each other. Unless you VLAN and route them


So if I change the subnet mask of both the existing and the new scope to and change the subnet mask of all servers and firewalls to, will everything work perfectly? Or would there be more for me to consider beyond the ones I mentioned?


Or would I have to change my IP address to start with and too?


If such is the case, can I route these two networks using the same firewall/router that I have? Changing static addresses of servers may result in some complications where the static IP was hard-coded somewhere.

So what is my other option? How do I route the two new networks?

Changing the subnet mask from to on all equipment in your network should work. Please note you have to test it before implementing in your production environment.


But won't I have to change my IP address to start with 128 to 191, instead of 192, since this subnet will be class B? According to this website:
You are talking about a LOT of work changing your subnetting... a Class C would need to be changed to a class B to get more addresses across the board. I wouldn't change ANY IPs of production servers until ALL this is worked out and only if needed.
Try putting a conditional forwarder in your DNS to the other server on the other subnet.


If it is best to change to class B considering the long run, I'll try and populate where all static addresses require change. We have about 200 PCs/laptops connected on DHCP, so no need to change anything there besides the DHCP subnet mask entry and then removing all existing leases and thus re-leasing new DHCP parameters to client computers. We have about 9 servers in total with static addresses and some printers/multifunction machines and some routers/firewalls/switches with static addresses. I manage the 2 Exchange 2010 servers across 2 sites. I don't think there will be many changes if the IP is changed as long as both the Exchange servers are able to ping and find one another. I will check with our SQL administrator to see if there are places where he has hard-coded server addresses. Once I change all the IP addresses to class B addresses with subnet mask, don't you think everything will continue to function as it should? Can't all this be done over a weekend at both sites? The main site (where I work) is the larger office with around 200 PCs with 7 servers, and the second site with 2 servers and 20 PCs, which I believe can be controlled remotely, has its own AD/DNS, DHCP and Exchange 2010 server. I don't think I need to change anything there as they have plenty of time and wouldn't immediately require a shift from class C to class B addressing.

What do you think?

Please let me know if there is more to consider.

Thanks for all the help so far, and I would welcome more ideas if I'm not seeing the entire picture yet.


Also, I won't have to change the IP addresses of any of the servers/routers/printers, etc., just their subnet masks, right?
Here is what I'd recommend:

Starting with the original configuration:

Change the subnet mask on the gateway and DHCP server to  
This will double the size of the subnet which is likely fine for your situation if I understand it.

Most things will continue to "just work" after this change.  Yet, I would make the other changes expeditiously.

Now go around and change the subnet mask for all the computers and devices with static manually-entered addresses.  But, leave the addresses alone.

Finally, go to the DHCP server and increase the upper end of the scope to something like  This will leave some margin from to .254 without having to mess with DHCP and existing leases at some point in the future when there's a need for more static addresses, etc.

This is straightforward and simple and should not cause undue troubles.

The network address will remain unchanged at
The broadcast address will change to
The usable addresses will change from -
to -
that's an increase of 255 addresses.


The trouble with that approach is I have devices set on static IP addresses from to and then our VPN DHCP allotment is from to and some other devices using static IP addresses from to

That is the reason our current DHCP scope for client PCs/laptops is set from to

And therefore, I cannot increase it straightaway to as you say without removing all the static allotment in between.

Could you please explain why I cannot just change every device and DHCP settings to subnet mask ? And then just make a new scope for to ?

This way, as the company grows, if there is a need for a new subnet, I can then have adequate new scopes created, can't I?

also, since we already have another site with IP range 192.168.5.XXX which I have been forwarding through your firewall to our private link which connects directly to that site, will this arrangement require any kind of adjustment?


what is the reason you suggest just moving to subnet ? why allow only 2 subnets instead of using and getting more?


But if I'm moving to Class B addressing with subnet or, won't I still have to change all IP addresses (static and DHCP) to start with 128.168.X.X or something like that instead of 192.168.X.X ?

Either way it is a lot of change, as someone mentioned, but if I make sure all devices have their IPs changed to class B IP addresses and the subnet mask changed to, and if I make sure I correct the IP addresses wherever they are hard-coded (in applications, routing tables, etc.), it should work well, right?
Well, it's easy and it's effective.  You don't have to change any of the existing addresses!  Only the subnet masks.  So all those assignments can stay put.

Yes, you can go beyond if you really want more addresses NOW.

You can go to /16 or starting at  It's up to you.
I just picked because it sounded like your needs were modest.

Either way, you don't need to change the existing address assignments.
I also think that talking "classes" is archaic and there's no need for doing so.  CIDR pretty much covers the entire subject.
I set ours up as
that gave us plenty of addresses for any future growth.
Ranges are- thru
I chose 'ranges' of IP addresses for certain things.

such as:  
any static IP's or DHCP reservations were all in the range. Like servers, printers, switches, etc.
All non static IP's were in the and ranges/scopes. Like workstations, laptops, etc.

Certain special devices, or odd scenarios were in the ranges.

nothing elaborate but somewhat useful.

You mentioned having forwarded to a private link through the firewall. You wouldn't need to change that unless you wanted to keep the traffic separate. If so, use instead. That would give you thru addresses and keep separate.

As a side note, you can also add a 'backup DHCP server' with the same scopes created, any reservations from the existing one imported to the backup one (with handy dandy scripts it's very easy)... and if the existing DHCP server fails, you can just authorize the backup DHCP server to take over.
I would highly recommend some DHCP reservations if you don't use them already.

I use them for control of certain things.
Like, our business office requires a separate ISP connection. Using the reservations, I can assign them all addresses in the range of thru and then in the firewall create a rule to force all internet traffic in that range to that ISP port.

On my laptops, I can use reservations to assign them IP's and control their usage internally, but when they leave or travel, since they are still on DHCP they can connect to their home networks etc., without intervention.

you can do all of that remotely from your desk.  I use scripts or commands to get the MAC addresses.
I have an excel spreadsheet with all reservations listed and all static IP's listed.


We also have DHCP address reservations for the purpose of web access control on our firewall.

So, could you confirm that I don't have to change the static IP addresses starting with 192 ? Because as per most websites I've checked online, class B addresses have to start with 128 to 192, don't they?

So all I have to do is change the subnet mask to ?

The second site connected through the private link is separate with their own DHCP/AD server, which is on the same domain, but different AD site. I would like to keep that network separate, as it is now. But they should be able to connect with each other. So would you recommend that I change the subnet mask at the second site as well, to if I'm doing so at the main site?

thanks for all the help so far.

Yes, you'll be fine using 192 addresses. Lots of folks do it. I have been using that for 20 years.
It'll all be IPv6 one day anyway :)

I recommend using 255.255.252.0 for the mask.
That will give a lot of addresses and keep the traffic separate.

Here is a link for you

Even though it shows The when you choose class B you can use

When you choose the mask as notice the address ranges

You will have a lot of host addresses. thru


Thank you SeaSenor... it would be great not to change the IP address of the servers... there are a few apps where the IP addresses of servers are hardcoded on each client PC. It would be quite a time-consuming pain to replace all entries. Changing subnet to will give us adequate IP addresses for some time to come. I'll go ahead and do as you say. And also, should I do the same for the second site as well? Or should I just statically route in the second site router to route 192.168.0.XXX (already set), 192.168.1.XXX, 192.168.2.XXX and 192.168.3.XXX to the private link connection?


Also, would you recommend changing all the subnet masks of all devices during the weekend when no clients are connected, or can they be done one by one during the weekdays without interruption in any service? If so, should I follow any order of changing subnets, like changing AD server and router subnet masks first, then other servers, then DHCP, then printers, etc.?

start with the DNS and AD servers, and any other devices that most people need to connect to.

because....right now those servers are restricted to the range because of the mask. If you start giving people ip addresses outside of that range (like without opening the subnet mask on the servers they won't be able to connect to them.

you should be fine doing this on weekdays. It would be minimal interruption.

As far as the DHCP clients, you will set the new mask in the options of your DHCP scopes.

they will get the new mask automatically... just as they are getting the existing one now.

so you only have to go to the machines/devices with static settings.


Thank you SeaSenor... I'm currently compiling a list of all devices with static IP addresses... so that I don't end up missing something... like the fingerprint door security device... would be funny if we end up locking ourselves in, just by going around changing subnet masks :)

Thanks for all the help. Once the list is ready, I'll be going around changing subnet masks of all existing devices... I'll leave the case open until everything is done and working properly, so that I may be able to ask for help in case I come across some unexpected difficulties.

P.S.: what about my questions about our second site? Would I need to route the new , and on their firewall, to our network?
Or instead,
should I change their subnet masks to too?

Thanks for all the help.
As I mentioned... In order to keep the secondary site with IP addresses in the range you will need to make the mask

That is only if you want traffic to flow between the two sites.

If you don't want traffic to flow then use
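
The mask-versus-reachability reasoning discussed in this thread, as an added example that is not part of the original posts: it checks which hosts treat each other as on-link under different masks, and shows why the servers' masks need widening before DHCP clients receive the wider one. The host addresses are constructed placeholders in the 192.168.0.x, 192.168.1.x and 192.168.5.x ranges the thread names, the original mask is assumed to be 255.255.255.0, and 255.255.254.0 is assumed as the mask that doubles that subnet.

```python
import ipaddress

# Constructed sample hosts: the thread's real addresses are not shown, so
# these are placeholders inside the 192.168.0.x / 1.x / 5.x ranges it names.
SERVER = "192.168.0.10"       # static server on the original subnet
NEW_CLIENT = "192.168.1.50"   # client leased from the added scope
REMOTE_SITE = "192.168.5.20"  # host at the second site (routed private link)

def network_of(ip, mask):
    """Network an interface belongs to, given its address and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def on_link(src_ip, src_mask, dst_ip):
    """True if src would reach dst directly instead of via its gateway."""
    return ipaddress.ip_address(dst_ip) in network_of(src_ip, src_mask)

def usable_hosts(ip, mask):
    """Host addresses left after the network and broadcast addresses."""
    return network_of(ip, mask).num_addresses - 2

def path(a_ip, a_mask, b_ip, b_mask):
    """Classify the forward and return path between two hosts."""
    fwd = on_link(a_ip, a_mask, b_ip)
    back = on_link(b_ip, b_mask, a_ip)
    if fwd and back:
        return "direct"
    if not fwd and not back:
        return "routed"
    return "asymmetric"  # one side sends direct, the other via its gateway

if __name__ == "__main__":
    masks = ("255.255.255.0", "255.255.254.0", "255.255.252.0", "255.255.0.0")
    for mask in masks:
        net = network_of(SERVER, mask)
        print(f"{mask:15} {str(net):17} bcast {net.broadcast_address} "
              f"hosts {usable_hosts(SERVER, mask):5} "
              f"client: {path(SERVER, mask, NEW_CLIENT, mask):7} "
              f"site2: {path(SERVER, mask, REMOTE_SITE, mask)}")
    # Mid-migration: DHCP already hands out the wider mask, server unchanged.
    print("server /24, client /22:",
          path(SERVER, "255.255.255.0", NEW_CLIENT, "255.255.252.0"))
```

A result of "direct" for the second-site host means the main-site machines would stop sending that traffic to the router, so the existing private-link route would no longer be used.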
