Active directory site/subnet

habs1994
I need to create a new site in active directory and that site will use several subnets...
10.4.1.x, 10.4.2.x, 10.4.3.x, and 10.4.4.x.  I was told to use a 24 bit mask which I would assume would be 255.255.255.0.   My question is if the data will only be on the 10.4.1.0 network, do I set up only that subnet for the AD sites and services site?  Thanks.
Commented:
In your example, using a 24-bit mask you would have to set up 4 subnets to ensure that AD connects the right client to the right DC.  If you are 100% sure that there will be no Windows clients or servers running in the "other" subnets you do not need to set them up ... however, the fact that you have these networks means that at some point someone will do the unimaginable and connect a device somewhere they shouldn't and expect the normal services.

It doesn't take long to set them up, I would set up the "other" network at the same time.  At least that way when someone does something silly you can predict the result :-)  If the networks are contiguous you could supernet them together.

Hope this helps

Priz
Most Valuable Expert 2011
Commented:
Just add all four Subnets to the Site.  The mask is going to be whatever they really use on the network because you want them to actually represent the network's design.  You just create a Subnet Object for each one in ADS&S, then you add each one to the Site.  It does not "cost" anything to just do it,..so just do it,...and you won't have to worry about it later.

Just remember that a Site Object and a Subnet Object are two different things,...just add the Subnet Objects to whatever Site they are supposed to be in.  It is actually possible during a network re-design that a Subnet can change Sites (although probably rare),...so Subnet Objects can be switched from Site to Site in the ADS&S MMC.
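The procedure the two replies above describe (one Subnet object per network, each attached to the Site, moved if it is on the wrong Site), plus a check for the "someone plugs in where they shouldn't" case from the first reply, written as an added PowerShell example that is not from any poster in this thread. It assumes the RSAT ActiveDirectory module, a domain admin session on a DC, and a placeholder site name "NewSite".

```powershell
# Added example, not from the thread. Creates the Site and the four /24 Subnet
# objects discussed above, then reports clients that hit this DC from an IP that
# maps to no Subnet object at all.
# Assumptions: ActiveDirectory module present, run as domain admin on a DC,
# 'NewSite' is a placeholder site name.
Import-Module ActiveDirectory

$siteName = 'NewSite'   # placeholder
$subnets  = '10.4.1.0/24', '10.4.2.0/24', '10.4.3.0/24', '10.4.4.0/24'

# Create the Site object once (skip if it already exists).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description 'Branch site'
}

# One Subnet object per network, each bound to the Site. These four /24s are
# not one aligned block (10.4.0.0/22 covers only 10.4.0.0-10.4.3.255), so the
# supernetting shortcut mentioned above does not apply to this set.
foreach ($cidr in $subnets) {
    $existing = Get-ADReplicationSubnet -Filter "Name -eq '$cidr'"
    if ($existing) {
        # Subnet already defined: reattach it if it sits under another Site.
        if ($existing.Site -notlike "CN=$siteName,*") {
            Set-ADReplicationSubnet -Identity $cidr -Site $siteName
        }
    } else {
        New-ADReplicationSubnet -Name $cidr -Site $siteName -Location 'Branch office'
    }
}

# Verify which Site this machine itself resolves to.
nltest /dsgetsite

# Detection: Netlogon on each DC logs NO_CLIENT_SITE for clients whose address
# matches no Subnet object (also raised as NETLOGON event 5807 in the System log).
# The last whitespace-separated token of each such line is the client IP.
$log = Join-Path $env:SystemRoot 'debug\netlogon.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'NO_CLIENT_SITE:' |
        ForEach-Object { ($_.Line -split '\s+')[-1] } |
        Sort-Object -Unique
}
```

Any address the last block prints belongs to a network that still needs a Subnet object (or should not be on the LAN at all).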
Most Valuable Expert 2011

Commented:
ADS&S doesn't care about where the "Data" is (whatever you mean by "data").  ADS&S cares about where the DCs are and where the Member Machines are as it relates to AD membership.  ADS&S regulates the Replication Rate over slow WAN Links (which are the Site "boundaries") and it ensures that when authentication happens,...it happens with the closest DC to the entity requiring the authentication.
Author

Commented:
Thanks for the response.  It does make sense to add them all to the site.  We just have not done that to older sites as of yet but will be adding different subnets for management, voice and the like.  Wasn't sure if those types of subnets needed to be added to Active Directory.

Author

Commented:
And going along with the last response, the only subnet of concern should be where the domain controllers and computers reside, so maybe creating only that one would suffice.
Thanks, again.
Most Valuable Expert 2011

Commented:
And going along with the last response, the only subnet of concern should be where the domain controllers and computers reside, so maybe creating only that one would suffice.
Thanks, again.


You need them all.  Subnets contain Users and the Sites & Services affects how the best Domain Controller is selected for them to authenticate against.  So there is never really a "good" reason to leave a subnet out of the settings.
Most Valuable Expert 2011

Commented:
Just don't get carried away with creating networks (subnets) needlessly.  It makes sense for VoIP phones to be physically separated into their own.  But having a "Management" subnet wouldn't typically make sense.  The primary purpose for a subnet is to keep Broadcast Domains small and manageable (typically 200 hosts or less),...so for every 200 hosts figure in a new IP Segment.  Sometimes creating a Segment for security purposes is valid,...but most of the time it isn't that great of an idea because Layer3 & 4 is not the best place for security controls to be put into place (this isn't the 1990s any longer),...the wide range of traffic types that have to be allowed between subnets nowadays for everything to work correctly just often does not leave anything [important] that you can block.

The most important and meaningful security happens at the Application Layer and within the OS (like NTFS permissions),...very little if anything worth doing happens at ACLs on a LAN Router between IP Segments blocking traffic at Layer3 & 4.
