Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Domain Controller site IP addressing best practices:

Posted on 2014-01-26
8
Medium Priority
?
150 Views
Last Modified: 2015-04-12
When designing a new site, what are the best practices when it comes to IP addressing to allow for easily adding remote sites without having to renumber.

Also what VPN technology works best when adding remote sites.
0
Comment
Question by:elchermans
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 23

Accepted Solution

by:
Patrick Bogers earned 2000 total points
ID: 39811199
Hi

All depends on how big your Enterprise is going to get.
Since you expect multiple sites i assume 255 ip address arent cutting the deal so i would say put any private range and give it a /16 subnet.

E.g. 10.0.X.x /16

Here you can use capital X for subsites and small x for branch specific addressess.

VPN, also depends. Do you want branch office users to VPN locally or centrally?
Normally if you share resources between the offices you would setup a site-to-site VPN tunnel.
0
 
LVL 15

Expert Comment

by:cwstad2
ID: 39811370
we have 82 sites and we run on a mix of 192.168.x.x / and 172.x.x.x. The 192 addresses are set  up site to site via a VPN tunnel to the 172. Also on some of the larger sites we have created a supernet to allow for more than the 255 addresses. works well
0
 
LVL 1

Author Comment

by:elchermans
ID: 39811374
cwstad2: What hardware do you use for the VPN tunnel and how is performance through said tunnel?

Also why not use part of 10.0.0.0/8 address space?
0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40006367
We've acquired many companies over the years, and there is always a conflict when connecting their subnets to ours, even in a large /8 like the 10-space. 10.10.10.x is a very popular choice I'll have you know :) We basically force them to change their IP's. We used to use a philosophy of Ten-dot-what_#_in_the_us
So 10.6 for Massachusetts, 10.11 for NC, 10.19 for Indiana, etc
http://en.wikipedia.org/wiki/List_of_U.S._states_by_date_of_statehood#Table
Then outside the US, anything in Canada was 10.100, and in EU/Asia etc it was 10.200.
We've kept it up for the most part, we have some weird 10.60, 10.99 but basically each state got it's own /16.
We assimilate any 192.168 or 172.16's into the 10/8, as soon as we can. But sometime you have to have that transition period where you have to terminal service into a box at the other end of the VPN to do your work.
If you use a standard protocol like IPSEC, it won't really matter what VPN device you have, you can partner with hundreds of other manufactures when you both speak the same language. We use Cisco gear, and so does just about everyone we've acquired in the US and abroad.
*Edited to add*
We started using MPLS connections to the remote offices, makes it sooooo much easier to route and setup, look into those kinds of circuits :)
-rich
0
 
LVL 65

Expert Comment

by:btan
ID: 40006704
To maintain original network assignment and serve as remote network transparent for external access via VPN, the NAT will come in to proxy. That is a initial thoughts but as best practice the network itself as queried should adhere some rules as well or scaling up and also scaling down. This can extend even to IPv4 to IPv6 consideration for NAT64 or DNS64.

Cisco has a document (pdf) stating some of the best practices.

Page 5 - Do check out the Private addressing section where it advices sparingly used and even temporary NAT functionality to reduce the "renumbering" challenges when network interconnected.

Page 6-7 - Have example on multiplexing IP and share dynamic port assignment is also something to consider as application may varied and exhaustion can come easily if assignment is not thought through. Also remote access use case is shared.
0
 
LVL 37

Expert Comment

by:bbao
ID: 40007426
i would recommend MS official way on IP addresses planning against AD sites.

Creating a Site Design
http://technet.microsoft.com/en-us/library/cc736820%28v=ws.10%29.aspx

Using Catch-All Subnets in Active Directory
http://technet.microsoft.com/en-us/magazine/2009.06.subnets.aspx
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question