Multiple Subnets with Active Directory

Hi folks!

We have a Windows Server 2008-based Active Directory environment. It's currently configured with all devices in the building on a single subnet (192.168.1.0/24). However, we're getting to the point of running out of available IP addresses. While I could try some stopgap measures such as adjusting DHCP lease times, I really want to find a more permanent solution.

The two options I've considered are either moving to a larger single subnet, or separating the building into two subnets. My first thought was just to increase the subnet size and keep everything together, but I'm worried about increasing the size of our broadcast domain and the potential performance impacts.

Everything now is ultimately feeding back to a SonicWALL TZ-210N router, which does have multiple interfaces and the capability to route between subnets, so I could do that without too much of a headache, but I'm worried about how that will impact Active Directory. In particular, I'm wondering if I'd need a separate domain controller for the new subnet or if it could still deal with the DC on the original subnet. Also, we have lots of servers that get accessed via UNC paths using NetBIOS names (e.g. \\server1), and since NetBIOS traffic doesn't normally get routed, I'm wondering if all our scripts, drive mappings, etc. would just break.

So I'm looking for advice. How would you handle this case, and what do I need to be thinking about?

Thanks,
Ithizar
Asked by Ithizar
Will Szymkowski (Senior Solution Architect) commented:
You can proceed with either creating a new Subnet (larger block) or adding an additional one. In Active Directory you will then be able to add that additional IP Subnet into AD Sites and Services. You can have multiple subnets pointing to a particular site.

AD Sites and Services is a Logical representation of your AD infrastructure. You could physically have 5 sites but in AD sites and services all of those different subnets can be part of the same AD Site.

The subnets basically direct the user to which DC they should be authenticating to. So to answer your question, you do not need to add another site in AD or add another DC for that matter.
0
gt2847c (Sr. Security Consultant) commented:
If routing and DHCP options (DNS, domain name, etc) are configured correctly then there shouldn't be any difficulty with adding another subnet.  You would need to make sure that you have either a DHCP server or a DHCP forwarder configured for the new subnet so that clients on the new subnet are able to get IP addresses.  UNC works just fine across multiple subnets with AD so long as your DC and devices are able to publish their Windows records in DNS (Dynamic DNS enabled).  You could also choose to set up a WINS server, but that's not necessary anymore.

A thought, however...  If you're running so many clients that you've run out of a /24 network and you only have one DC, you might consider adding a second one to cover you in case of a problem with your existing DC.  Just adds some peace of mind and allows things to continue functioning if you have to reboot the DC (monthly patching, etc...)
0
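The DHCP side of gt2847c's answer, as an added example that is not from the original thread. It builds the scope for the new subnet with the three options the clients depend on, using netsh because that is what a Server 2008 DHCP server offers (Server 2012 and later also have Add-DhcpServerv4Scope and Set-DhcpServerv4OptionValue). Every value is assumed: DHCP server DHCP1, new subnet 192.168.2.0/24 with the SonicWALL interface at 192.168.2.1, the two DCs at 192.168.1.10 and 192.168.1.11 acting as DNS, and the domain name domain.local that the asker uses later in the thread.

```powershell
# Added example, not from the thread. Assumed values: DHCP server DHCP1,
# new subnet 192.168.2.0/24 with the SonicWALL interface at 192.168.2.1,
# DCs/DNS at 192.168.1.10 and 192.168.1.11, domain domain.local.
$Dhcp    = '\\DHCP1'
$Scope   = '192.168.2.0'
$Gateway = '192.168.2.1'
$Dns     = '192.168.1.10', '192.168.1.11'
$Domain  = 'domain.local'

# Create the scope and its lease pool (addresses below .20 are left free
# for statically addressed gear such as the firewall interface).
netsh dhcp server $Dhcp add scope $Scope 255.255.255.0 "Floor 2" "192.168.2.0/24 clients"
netsh dhcp server $Dhcp scope $Scope add iprange 192.168.2.20 192.168.2.250

# Scope options the new subnet cannot live without:
#  003 router      - the SonicWALL interface on this subnet
#  006 DNS servers - the DCs only; handing out the firewall or an ISP
#                    resolver breaks DC location (SRV lookups) and the
#                    short-name lookups the UNC paths rely on
#  015 DNS domain  - the suffix appended to single-label names like \\server1
netsh dhcp server $Dhcp scope $Scope set optionvalue 003 IPADDRESS $Gateway
netsh dhcp server $Dhcp scope $Scope set optionvalue 006 IPADDRESS $Dns
netsh dhcp server $Dhcp scope $Scope set optionvalue 015 STRING $Domain

# Activate the scope and show what it will hand out.
netsh dhcp server $Dhcp scope $Scope set state 1
netsh dhcp server $Dhcp scope $Scope show optionvalue
```

A DHCP discover is a broadcast and will not cross the SonicWALL on its own, so either a DHCP relay (IP helper) on the firewall's new interface must forward those broadcasts to DHCP1, or a second DHCP server has to sit on the new subnet. With a relay, the relay agent's address in the forwarded request (192.168.2.1 here) is what the DHCP server uses to pick the 192.168.2.0 scope, so the relay must be bound to that interface and point only at the DHCP server.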

Will Szymkowski (Senior Solution Architect) commented:
If you currently only have 1 DC in your AD site it is recommended that you have 2 DCs per site for site resiliency. This is not mandatory but I would highly recommend it.

Thanks

Will
0

Mike Kline commented:
You could just add the new subnet to your current site

There are also catch-all subnets that are commonly used: http://technet.microsoft.com/en-us/magazine/2009.06.subnets.aspx

How many DCs do you have now?

Domain controllers are usually put in a new site (if you are using remote sites over a WAN for the most part or a dedicated site for an exchange farm for example)

Thanks

Mike
0
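The step Will and Mike both describe, adding the new subnet (and Mike's catch-all) to the existing site in AD Sites and Services, as an added example that is not from the original thread. It uses the ActiveDirectory PowerShell module, which needs a Server 2008 R2 or newer DC (or the Active Directory Management Gateway Service on plain 2008); on Server 2012 and later New-ADReplicationSubnet does the same thing in one line, and on 2008 without the module the same object is created in the Active Directory Sites and Services console under Sites > Subnets. Assumed values: the existing site is Default-First-Site-Name, the new block is 192.168.2.0/24 and the catch-all is 192.168.0.0/16.

```powershell
# Added example, not from the thread. Assumed values: existing site
# Default-First-Site-Name, new block 192.168.2.0/24, catch-all 192.168.0.0/16.
Import-Module ActiveDirectory

$SiteName   = 'Default-First-Site-Name'
$NewSubnets = '192.168.2.0/24', '192.168.0.0/16'   # specific block + catch-all

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$SitesDN  = "CN=Sites,$ConfigNC"
$SiteDN   = "CN=$SiteName,$SitesDN"

foreach ($prefix in $NewSubnets) {
    # Subnet objects live under CN=Subnets,CN=Sites in the Configuration
    # partition; siteObject ties the prefix to the site whose DCs answer it.
    New-ADObject -Name $prefix -Type subnet `
        -Path "CN=Subnets,$SitesDN" `
        -OtherAttributes @{ siteObject = $SiteDN }
}

# List every prefix now mapped to the site. A client is matched to the
# longest prefix containing its address, so 192.168.2.x clients hit the
# /24 entry and any future 192.168.x.x block falls into the /16.
Get-ADObject -SearchBase "CN=Subnets,$SitesDN" -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
    Where-Object { $_.siteObject -eq $SiteDN } |
    Select-Object Name

# On a DC, NETLOGON event 5807 in the System log means clients have been
# connecting from addresses with no matching subnet object; the offending
# addresses are written to %SystemRoot%\debug\netlogon.log as NO_CLIENT_SITE.
# After the subnets above exist, new 5807 entries should stop appearing.
Get-EventLog -LogName System -Source NETLOGON -Newest 200 |
    Where-Object { $_.EventID -eq 5807 } |
    Select-Object -First 5 TimeGenerated, Message
```

Nothing about the DCs changes in this step: they keep their addresses on 192.168.1.0/24, and the subnet-to-site mapping is what tells a client on 192.168.2.0/24 that those same DCs are its local ones.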
Ithizar (Author) commented:
Thanks folks for all the comments so far.

To answer the question that has come up most often, yes, we do currently have 2 domain controllers for redundancy. However, I didn't know if we would be able to leave those DCs as-is to service the new setup or if we would need to either move one to the new subnet or create a third DC in the new subnet.

So far, if I understand right, I have 3 options:

1. Configure a larger subnet to contain all devices on our network.
2. Configure multiple subnets but have them all be part of one AD site.
3. Configure multiple subnets and have each be an AD site.

Is that correct? Pros and cons to each?

Thanks again.
0
Mike Kline commented:
I'd go with 1 or 2.

Number 3 just adds more work and management for you.  Replication within a site happens within seconds.  You can setup replication between sites to act the same way but again takes extra work.

Thanks

Mike
0
Ithizar (Author) commented:
Thanks. I'm tending to lean toward number 2 because we've had some performance issues with our network anyway, and I'm thinking that just continuing to increase the size of our subnet and broadcast domain is asking for additional performance issues.

In that configuration (multiple subnets/one site), if I understand correctly I could put a new DC in the new subnet but that's not necessary as long as they are one site. Is that correct? Is there any benefit, performance or otherwise, in that case to having a domain controller in each subnet?
0
gt2847c (Sr. Security Consultant) commented:
Assuming the DCs have fixed addresses (and if not, why not), it would be much easier to leave the DCs where they are...  Otherwise you may have a bunch of changes to make in firewall rules, DHCP configurations, etc...
0
gt2847c (Sr. Security Consultant) commented:
On the performance portion, the limitation would be how good the routing is on your SonicWall box if that's what you choose to use for routing between the subnets.  If it's not sized properly, that could be a bottleneck on network traffic between your subnets.
0
Ithizar (Author) commented:
That makes sense. And, yes, the DCs definitely have static IP addresses. In fact, all of our servers and key network hardware devices do.

So, one last thing, if I can just double-, triple-, and fourple check, in this configuration we are discussing where there will be multiple subnets routed through the SonicWALL, UNC paths such as \\server\share should continue to work as long as DNS is configured properly? The reason I ask is because I saw a post elsewhere that indicated computer names that are not FQDNs (e.g. server vs. server.domain.local) use NetBIOS for resolution, and therefore will not work through a router.

Thanks.
0
Ithizar (Author) commented:
gt2847c: Can you explain what you mean by "sized properly" with regards to routing through the SonicWALL? Thanks.
0
gt2847c (Sr. Security Consultant) commented:
Different models have different performance capabilities...  Routing a lot of traffic through an undersized appliance will cause your traffic to bottleneck when being forwarded through the firewall.  I don't have any experience with the SonicWall products, but I have extensive experience with Cisco gear, and the concept is the same.  Firewall appliances are sized based on features and expected performance.  If you purchase a unit sized for a 30Mb Internet connection and try and route 100 or 1000 Mb traffic through it between subnets (in addition to handling firewall rules for the Internet), the appliance will get overloaded and the network (between subnets or out to the Internet) will be slow.

You will want to make sure that your SonicWall device has sufficient horsepower to forward the expected traffic between subnets and still handle your firewall requirements too...
0
gt2847c (Sr. Security Consultant) commented:
As to the UNC question, our corporate network runs without WINS and has many subnets (over 1000) and multiple DCs (15 or so). We do have multiple AD sites (5 at last count), but then we have over 500 locations and we distribute the load on the DCs. UNC short names work just fine.

The easiest way to assure yourself this is so is to go ahead and configure the new network, then place a scratch PC on it and test it. If it doesn't work, you'll need to do a little troubleshooting, so feel free to open a question and we can assist with finding and fixing the issue...
0
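The scratch-PC test gt2847c suggests, as an added example that is not from the original thread. Run it on a PC that has been joined to the domain on the new subnet. It checks the pieces in the order they can fail: the DNS suffix the resolver appends to single-label names, the PC's own dynamic DNS registration, a DNS-only lookup of a file server by short name (nslookup never falls back to NetBIOS, so a hit here shows the UNC short name does not depend on a broadcast the SonicWALL would drop), the SRV records the DCs publish for the site, the UNC path itself, and finally which site and DC the client ends up with. Assumed names: domain.local and the site Default-First-Site-Name, a file server server1 with a share called data, and a DNS server at 192.168.1.10.

```powershell
# Added example, not from the thread. Assumed names: domain.local,
# site Default-First-Site-Name, file server server1 sharing "data",
# DNS server 192.168.1.10. Run on a domain-joined PC on the new subnet.
$Domain = 'domain.local'
$Site   = 'Default-First-Site-Name'
$DnsSrv = '192.168.1.10'
$Target = 'server1'
$Share  = "\\$Target\data"

# 1. What the resolver appends to single-label names. If DNSDomain is empty,
#    the scope is missing DHCP option 015 and short names would fall back to
#    NetBIOS broadcast, which the router does not carry.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSDomain, DNSServerSearchOrder

# 2. Register this PC's own A record, then ask the DNS server for it. This is
#    the dynamic DNS both ends need for UNC-by-short-name to keep working.
#    Registration is asynchronous, hence the short pause.
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 5
nslookup "$env:COMPUTERNAME.$Domain" $DnsSrv

# 3. DNS-only resolution of the file server's short name: nslookup appends
#    the client's suffix search list itself and never uses NetBIOS.
nslookup $Target

# 4. SRV records the DCs register for this site. Clients use these to find a
#    DC; they only exist if the DCs' dynamic registration is working.
nslookup '-type=SRV' "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" $DnsSrv

# 5. The check the scripts and mapped drives actually care about.
if (Test-Path -LiteralPath $Share) { "UNC OK: $Share" } else { "UNC FAILED: $Share" }

# 6. Site placement and the DC chosen, as seen from this subnet. A subnet that
#    is not mapped in AD Sites and Services shows up here as a missing site.
nltest /dsgetsite
nltest "/dsgetdc:$Domain"
```

If step 3 fails while nslookup of the full name server1.domain.local succeeds, the suffix from step 1 is the problem, not routing; if step 5 fails while step 3 succeeds, look at the SonicWALL's rules between the two interfaces for TCP 445 rather than at name resolution.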
Ithizar (Author) commented:
Thanks so much everyone for all the help! I'm going to split the points because I got so much useful information from each of you.

I'll be tackling this project next week, and I'm sure I'll be back with more questions.

Thanks again,
Ithizar
0