habs1994 asked:

Active directory site/subnet

I need to create a new site in active directory and that site will use several subnets...
10.4.1.x, 10.4.2.x, 10.4.3.x, and 10.4.4.x.  I was told to use a 24 bit mask which I would assume would be 255.255.255.0.   My question is if the data will only be on the 10.4.1.0 network, do I set up only that subnet for the AD sites and services site?  Thanks.
Internet Protocols

Last Comment: pwindell, 8/22/2022 - Mon
SOLUTION
Pr1z

Log in or sign up to see answer
ASKER CERTIFIED SOLUTION
pwindell

Log in or sign up to see answer
pwindell

ADS&S doesn't care about where the "Data" is (whatever you mean by "data").  ADS&S cares about where the DCs are and where the Member Machines are as it relates to AD membership.  ADS&S regulates the Replication Rate over slow WAN Links (which are the Site "boundaries") and it ensures that when authentication happens,...it happens with the closest DC to the entity requiring the authentication.
habs1994

ASKER
Thanks for the response.  It does make sense to add them all to the site.  We just have not done that to older sites as of yet but will be adding different subnets for management, voice and the like.  Wasn't sure if those types of subnets needed to be added to Active Directory.
habs1994

ASKER
And going along with the last response, the only subnet of concern should be where the domain controllers and computers reside, so maybe creating only that one would suffice.
Thanks, again.
pwindell

And going along with the last response, the only subnet of concern should be where the domain controllers and computers reside, so maybe creating only that one would suffice.
Thanks, again.


You need them all.  Subnets contain Users and the Sites & Services affects how the best Domain Controller is selected for them to authenticate against.  So there is never really a "good" reason to leave a subnet out of the settings.
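The advice above (register every subnet, not only the one the servers live on) as an added PowerShell example; this is not code from the thread or from any participant. It assumes the ActiveDirectory module (RSAT) is installed, that the account has rights to modify the Configuration partition, and uses a placeholder site name and the default site link. The four /24 subnets are the ones from the question.

```powershell
# Added example (not from the thread): create the new site and bind all four /24 subnets to it.
# Assumes the ActiveDirectory module and rights on the Configuration partition.
# $siteName and the site link are placeholders; adjust to your forest.
Import-Module ActiveDirectory

$siteName = 'Branch-10-4'                                                # placeholder site name
$subnets  = '10.4.1.0/24', '10.4.2.0/24', '10.4.3.0/24', '10.4.4.0/24'  # /24 == 255.255.255.0

# Create the site object only if it does not already exist
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}

# Register every subnet. A client whose address is covered by no subnet object is not
# mapped to any site, so the DC locator may hand it a DC on the far side of the WAN.
foreach ($cidr in $subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $siteName -Location 'Branch office'
    }
}

# Put the site on a site link so replication to/from it is scheduled (default link used here)
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $siteName }

# Verify: every subnet now bound to the site (the Site attribute holds the site's DN)
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$siteName,*" } |
    Select-Object Name, Site

# From a workstation in 10.4.2.x (not just 10.4.1.x), confirm it resolves to the new site:
#   nltest /dsgetsite
```

The `nltest /dsgetsite` check is the quickest way to see the effect the answer describes: run it on a host in each of the four ranges, and any one that reports a different site (or "Default-First-Site-Name") is a range you forgot to register.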
pwindell

Just don't get carried away with creating networks (subnets) needlessly.  It makes sense for VoIP phones to be physically separated into their own.  But having a "Management" subnet wouldn't typically make sense.  The primary purpose for a subnet is to keep Broadcast Domains small and manageable (typically 200 hosts or less),...so for every 200 hosts figure in a new IP Segment.  Sometimes creating a Segment for security purposes is valid,...but most of the time it isn't that great of an idea because Layer3 & 4 is not the best place for security controls to be put into place (this isn't the 1990's any longer),...the wide range of traffic types that have to be allowed between subnets nowadays for everything to work correctly just often does not leave anything [important] that you can block.

The most important and meaningful security happens at the Application Layer and within the OS (like NTFS permissions),....very little if anything worth doing happens at ACLs on a LAN Router between IP Segments blocking traffic at Layer3 & 4.