Solved

Windows 2012 R2 AD: can 2 sites be on the same subnet?

Posted on 2014-03-19
593 Views
Last Modified: 2014-03-19
OS: Windows 2012 R2

Can 2 sites be on the same subnet? The main site subnet is 192.168.0.0/21. Site to site VPN is enabled between sites. In Sites and Services both sites would be on the same subnet.

Thanks
Question by:quadrumane
1 Comment
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39941306
I am not sure why you'd ever even try this. The primary function of sites and services (or the sites portion at least) is to provide context for AD functions, such as finding a domain controller on the local LAN instead of accidentally reaching across a slow WAN link. And it does so by subnets. If you have one big flat subnet (even with a VPN link) then you might as well have one site, as the benefit would be gone either way since you don't have subnets identified in sites and services for AD to perform queries against.

With that said, even with a site-to-site VPN, you wouldn't normally have one flat subnet, even if you took the sites and services component out of the equation. A site-to-site connection (either by router or by a computer dedicated to terminating the VPN tunnel) still has to know whether to route the traffic over the VPN tunnel or not. Otherwise you'd end up with the situation where a NetBIOS broadcast occurs over the LAN, hits the VPN device, the VPN device passes it on, the remote network rebroadcasts the traffic, it bounces around a switch and comes back to the remote end of the VPN tunnel, and that passes it back to the local VPN device... and back and forth ad infinitum. Broadcast storm.

Basic routing rules still apply (for VPN *or* non-VPN traffic). The VPN device would decide if the traffic was intended for a remote destination based on the subnet of the packet. You'd usually put each end of the VPN tunnel on a separate subnet, and the VPN tunnel itself would declare static routes connecting the two subnets with a high enough affinity to supersede internet traffic. Thus you get full connectivity, avoid broadcast traffic going over the VPN (that's a good thing) and, unless you also have a firewall shaping the *type* of traffic that goes over the VPN, anything that supports TCP/IP still works. Such as fileshare (SMB) traffic, SMTP, RPC, MAPI, Outlook Anywhere, Autodiscover, Network Discovery, NTP, and on and on.

Putting the two ends of the VPN on the same subnet provides no benefit in 99.99999% of the networking scenarios, and unless the site-to-site VPN devices are doing something *very* non-standard (not a good idea), it often actually causes problems. So once you make that adjustment, it makes the whole issue of forcing AD Sites and Services trying to have two sites on the same subnet a moot point. You'd never do so.

So unless there is a significant part of your topology that you left out of your description, hopefully that addresses your question... if not perhaps in the way you expected.
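The layout the accepted answer recommends (one subnet per site, distinct blocks at each end of the VPN, replication scheduled over a site link), as an added PowerShell example that is not code from the thread or from Microsoft. Only 192.168.0.0/21 comes from the question; the site names, the branch block 192.168.8.0/21, the site-link name and its cost/interval are assumptions.

```powershell
# Added example: provision two AD sites with one subnet each and audit the result.
# Assumed: site names HQ/Branch, branch block 192.168.8.0/21, link name HQ-Branch.
# Run as a Domain Admin on a 2012 R2 DC or a host with RSAT-AD-PowerShell installed.
Import-Module ActiveDirectory

$layout = [ordered]@{
    'HQ'     = '192.168.0.0/21'   # from the question
    'Branch' = '192.168.8.0/21'   # assumed: the remote end of the VPN gets its own block
}

foreach ($entry in $layout.GetEnumerator()) {
    $site = $entry.Key; $subnet = $entry.Value
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    # A subnet object carries exactly one siteObject reference, so one subnet can
    # never belong to two sites; trying to add 192.168.0.0/21 under 'Branch' fails.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }
}

# Schedule replication across the VPN explicitly instead of leaving both sites
# in DEFAULTIPSITELINK (cost and interval are assumed values).
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Branch'")) {
    New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ','Branch' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Audit: every site must own at least one subnet, otherwise the DC locator can
# never match a client to it and clients take whichever DC answers first.
$subnetsBySite = Get-ADReplicationSubnet -Filter * |
    Group-Object { ($_.Site -split ',')[0] -replace '^CN=' } -AsHashTable -AsString
foreach ($s in Get-ADReplicationSite -Filter *) {
    if ($subnetsBySite -and $subnetsBySite.ContainsKey($s.Name)) {
        '{0,-10} {1}' -f $s.Name, (@($subnetsBySite[$s.Name].Name) -join ', ')
    } else {
        Write-Warning "Site '$($s.Name)' has no subnets; clients will never be matched to it."
    }
}

# Confirm which site this machine actually resolved to via the DC locator.
nltest /dsgetsite
```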
