Windows 2012 R2 AD: can 2 sites be on the same subnet?

Posted on 2014-03-19
615 Views
Last Modified: 2014-03-19
OS: Windows 2012 R2

Can 2 sites be on the same subnet? The main site subnet is 192.168.0.0/21. Site to site VPN is enabled between sites. In Sites and Services both sites would be on the same subnet.

Thanks
Question by: quadrumane

Accepted Solution by: Cliff Galiher (earned 500 total points), ID: 39941306
I am not sure why you'd ever even try this. The primary function of sites and services (or the sites portion at least) is to provide context for AD functions, such as finding a domain controller on the local LAN instead of accidentally reaching across a slow WAN link. And it does so by subnets. If you have one big flat subnet (even with a VPN link) then you might as well have one site, as the benefit would be gone either way since you don't have subnets identified in sites and services for AD to perform queries against.

With that said, even with a site-to-site VPN, you wouldn't normally have one flat subnet, even if you took the sites and services component out of the equation. A site-to-site connection (either by router or by a computer dedicated to terminating the VPN tunnel) still has to know whether to route the traffic over the VPN tunnel or not. Otherwise you'd end up with the situation where a NetBIOS broadcast occurs over the LAN, hits the VPN device, the VPN device passes it on, the remote network rebroadcasts the traffic, it bounces around a switch and comes back to the remote end of the VPN tunnel, and that passes it back to the local VPN device... and back and forth ad infinitum. Broadcast storm.

Basic routing rules still apply (for VPN *or* non-VPN traffic). The VPN device would decide if the traffic was intended for a remote destination based on the subnet of the packet. You'd usually put each end of the VPN tunnel on a separate subnet, and the VPN tunnel itself would declare static routes connecting the two subnets with a high enough affinity to supersede internet traffic. Thus you get full connectivity, avoid broadcast traffic going over the VPN (that's a good thing) and, unless you also have a firewall shaping the *type* of traffic that goes over the VPN, anything that supports TCP/IP still works. Such as fileshare (SMB) traffic, SMTP, RPC, MAPI, Outlook Anywhere, Autodiscover, Network Discovery, NTP, and on and on.

Putting the two ends of the VPN on the same subnet provides no benefit in 99.99999% of the networking scenarios, and unless the site-to-site VPN devices are doing something *very* non-standard (not a good idea), it often actually causes problems. So once you make that adjustment, it makes the whole issue of forcing AD Sites and Services to have two sites on the same subnet a moot point. You'd never do so.

So unless there is a significant part of your topology that you left out of your network, hopefully that addresses your question...if not perhaps in the way you expected.
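The answer above turns on how AD maps an address to a site: each subnet object in Sites and Services belongs to exactly one site, and a client is placed in the site of the most specific subnet object that contains its IP. The following script is an added example, not code from the thread or from Microsoft: it resolves sample addresses to sites by longest-prefix match and flags subnet objects whose ranges overlap while pointing at different sites. The site names and the second subnet are constructed for illustration; with `-Live` it reads the real objects through the RSAT ActiveDirectory module's `Get-ADReplicationSubnet` instead.

```powershell
# Added example (not from the original thread). Resolves IPs to AD sites the way the
# DC locator does (longest-prefix match over subnet objects) and warns about
# overlapping subnet objects assigned to different sites.
param([switch]$Live)   # -Live reads the real subnet objects via Get-ADReplicationSubnet

function ConvertTo-AddressNumber([string]$Address) {
    $bytes = ([ipaddress]$Address).GetAddressBytes()   # network (big-endian) order
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

# Returns @{ Start; End; Bits } for a CIDR string such as 192.168.0.0/21
function Get-SubnetRange([string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $size  = [int64][math]::Pow(2, 32 - [int]$bits)   # 2048 addresses for a /21
    $n     = ConvertTo-AddressNumber $net
    $start = $n - ($n % $size)                         # align to the network boundary
    return @{ Start = $start; End = $start + $size - 1; Bits = [int]$bits }
}

# Longest-prefix match: the most specific subnet object containing $Address wins.
function Resolve-ADSiteForAddress([string]$Address, [object[]]$Subnets) {
    $n = ConvertTo-AddressNumber $Address
    $hit = $Subnets |
        Where-Object { $r = Get-SubnetRange $_.Name; $n -ge $r.Start -and $n -le $r.End } |
        Sort-Object { (Get-SubnetRange $_.Name).Bits } -Descending | Select-Object -First 1
    if ($hit) { return $hit.Site } else { return $null }   # $null: no subnet object covers it
}

$subnets = if ($Live) {
    Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
} else {
    # Constructed sample: the thread's flat /21 plus a hypothetical branch range carved out of it
    @([pscustomobject]@{ Name = '192.168.0.0/21'; Site = 'MainSite' },
      [pscustomobject]@{ Name = '192.168.4.0/22'; Site = 'BranchSite' })
}

# Overlapping subnet objects in different sites mean site membership depends on prefix
# length alone, which is the setup the accepted answer argues against.
foreach ($a in $subnets) { foreach ($b in $subnets) {
    if ($a.Name -ge $b.Name) { continue }               # each unordered pair once
    $ra = Get-SubnetRange $a.Name; $rb = Get-SubnetRange $b.Name
    if ($ra.Start -le $rb.End -and $rb.Start -le $ra.End -and $a.Site -ne $b.Site) {
        Write-Warning "Overlap: $($a.Name) ($($a.Site)) and $($b.Name) ($($b.Site))"
    }
} }

foreach ($ip in '192.168.1.10', '192.168.5.10', '10.0.0.5') {
    "{0,-14} -> {1}" -f $ip, (Resolve-ADSiteForAddress $ip $subnets)
}
```

With the constructed sample, 192.168.1.10 resolves to MainSite, 192.168.5.10 to BranchSite via the more specific /22, and 10.0.0.5 to no site at all, which is the case where a client falls back to any DC it can find.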