Active directory site/subnet

Asked by habs1994:

I need to create a new site in active directory and that site will use several subnets...
10.4.1.x, 10.4.2.x, 10.4.3.x, and 10.4.4.x. I was told to use a 24-bit mask, which I would assume would be 255.255.255.0. My question is: if the data will only be on the 10.4.1.0 network, do I set up only that subnet for the AD Sites and Services site? Thanks.
ADS&S doesn't care about where the "data" is (whatever you mean by "data"). ADS&S cares about where the DCs are and where the member machines are as it relates to AD membership. ADS&S regulates the replication rate over slow WAN links (which are the site "boundaries") and it ensures that when authentication happens, it happens with the closest DC to the entity requiring the authentication.
habs1994 (asker) replied:
Thanks for the response. It does make sense to add them all to the site. We just have not done that to older sites as of yet, but will be adding different subnets for management, voice and the like. I wasn't sure if those types of subnets needed to be added to Active Directory.
And going along with the last response, the only subnet of concern should be where the domain controllers and computers reside, so maybe creating only that one would suffice.
Thanks, again.

You need them all. Subnets contain users, and Sites & Services affects how the best domain controller is selected for them to authenticate against. So there is never really a "good" reason to leave a subnet out of the settings.
Just don't get carried away with creating networks (subnets) needlessly. It makes sense for VoIP phones to be physically separated into their own. But having a "management" subnet wouldn't typically make sense. The primary purpose for a subnet is to keep broadcast domains small and manageable (typically 200 hosts or less), so for every 200 hosts figure in a new IP segment. Sometimes creating a segment for security purposes is valid, but most of the time it isn't that great of an idea, because Layer 3 & 4 is not the best place for security controls to be put into place (this isn't the 1990s any longer); the wide range of traffic types that have to be allowed between subnets nowadays for everything to work correctly just often does not leave anything [important] that you can block.

The most important and meaningful security happens at the application layer and within the OS (like NTFS permissions); very little, if anything worth doing, happens at ACLs on a LAN router between IP segments blocking traffic at Layer 3 & 4.
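The "register all four subnets against the site" advice above, as an added example that is not part of the original thread: it creates the site, attaches every /24 from the question, puts the site into the default site link so replication is scheduled, and then lists what is bound. The site name `NewSite` is an assumption; the subnets are the ones the asker listed. It uses the ActiveDirectory RSAT module and needs rights to write to the Configuration partition.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module (RSAT) and permissions on the Configuration partition, where site,
# subnet and site-link objects live.
Import-Module ActiveDirectory

$siteName = 'NewSite'   # assumption: the name of the site being created
$subnets  = '10.4.1.0/24', '10.4.2.0/24', '10.4.3.0/24', '10.4.4.0/24'

# 1. Create the site object if it does not already exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description 'Site for the 10.4.1-4.0/24 networks'
}

# 2. Bind every subnet to the site. A client whose address matches no
#    registered subnet is not site-aware and may be sent to a DC across
#    the WAN, which is the problem the answer above describes.
foreach ($cidr in $subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $siteName
    }
}

# 3. A site that belongs to no site link never replicates with the others,
#    so add it to the default link (rename if your forest uses a custom one).
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $siteName }

# 4. Verify: show the subnets now bound to the new site.
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$siteName,*" } |
    Select-Object Name, Site
```

From a workstation on one of those subnets, `nltest /dsgetsite` should then report `NewSite`, and `nltest /dsgetdc:<domain>` should return a DC in that site once one is placed there.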