  • Status: Solved
Windows 2012 R2 AD: can 2 sites be on the same subnet?

OS: Windows 2012 R2

Can 2 sites be on the same subnet? The main site subnet is 192.168.0.0/21. Site to site VPN is enabled between sites. In Sites and Services both sites would be on the same subnet.

Thanks
Asked: quadrumane

1 Solution

Cliff Galiher commented:
I am not sure why you'd ever even try this. The primary function of sites and services (or the sites portion at least) is to provide context for AD functions, such as finding a domain controller on the local LAN instead of accidentally reaching across a slow WAN link. And it does so by subnets. If you have one big flat subnet (even with a VPN link) then you might as well have one site, as the benefit would be gone either way since you don't have subnets identified in sites and services for AD to perform queries against.

With that said, even with a site-to-site VPN, you wouldn't normally have one flat subnet, even if you took the sites and services component out of the equation. A site-to-site connection (either by router or by a computer dedicated to terminating the VPN tunnel) still has to know whether to route the traffic over the VPN tunnel or not. Otherwise you'd end up with the situation where a NetBIOS broadcast occurs over the LAN, hits the VPN device, the VPN device passes it on, the remote network rebroadcasts the traffic, it bounces around a switch and comes back to the remote end of the VPN tunnel, and that passes it back to the local VPN device... and back and forth ad infinitum. Broadcast storm.

Basic routing rules still apply (for VPN *or* non-VPN traffic.) The VPN device would decide if the traffic was intended for a remote destination based on the subnet of the packet. You'd usually put each end of the VPN tunnel on a separate subnet, and the VPN tunnel itself would declare static routes connecting the two subnets with a high enough affinity to supersede internet traffic. Thus you get full connectivity, avoid broadcast traffic going over the VPN (that's a good thing) and, unless you also have a firewall shaping the *type* of traffic that goes over the VPN, anything that supports TCP/IP still works. Such as fileshare (SMB) traffic, SMTP, RPC, MAPI, Outlook Anywhere, Autodiscover, Network Discovery, NTP, and on and on.

Putting the two ends of the VPN on the same subnet provides no benefit in 99.99999% of the networking scenarios, and unless the site-to-site VPN devices are doing something *very* non-standard (not a good idea), it often actually causes problems. So once you make that adjustment, it makes the whole issue of forcing AD Sites and Services to have two sites on the same subnet a moot point. You'd never do so.

So unless there is a significant part of your topology that you left out of your network, hopefully that addresses your question...if not perhaps in the way you expected.
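The answer above hinges on how the DC locator maps a client to a site: it takes the client's IP address, finds the most specific (longest-prefix) subnet object in Sites and Services that contains it, and uses that subnet's site. The following PowerShell is an added example, not code from the thread or from Microsoft, that lets you audit exactly that in your own forest: it lists every IPv4 subnet with its site, resolves an arbitrary client address to the site the locator would choose, reports sites that have no subnet at all (clients can never be placed in them), and reports prefixes in one site that are nested inside a prefix of another site. It assumes the RSAT ActiveDirectory module on a domain-joined host; the address 192.168.1.25 is only an illustrative host inside the 192.168.0.0/21 from the question.

```powershell
# Added example (not part of the original Experts Exchange thread).
# Assumes: RSAT ActiveDirectory module, domain-joined host, IPv4 subnets.
Import-Module ActiveDirectory

function ConvertTo-UInt32IPv4 {
    # Dotted-quad string -> unsigned 32-bit integer (network byte order).
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InPrefix {
    # True if $Address falls inside the CIDR prefix, e.g. '192.168.0.0/21'.
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Prefix)
    $net, $len = $Prefix -split '/'
    $len  = [int]$len
    # Mask as an integer: 2^32 - 2^(32-len); avoids signed-shift surprises in PowerShell.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))
    $ip   = ConvertTo-UInt32IPv4 $Address
    $base = ConvertTo-UInt32IPv4 $net
    return (($ip -band $mask) -eq ($base -band $mask))
}

function Get-SiteSubnetTable {
    # One row per IPv4 subnet object: prefix, network, length, owning site (short name).
    Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Name -notmatch ':' } |          # skip IPv6 subnets
        ForEach-Object {
            $net, $len = $_.Name -split '/'
            [pscustomobject]@{
                Prefix  = $_.Name
                Network = $net
                Length  = [int]$len
                SiteDN  = $_.Site
                Site    = if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '(unassigned)' }
            }
        }
}

function Resolve-ADSiteForIP {
    # DC locator rule: the longest matching prefix decides the site.
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)]$SubnetTable)
    $SubnetTable |
        Where-Object { Test-IPv4InPrefix -Address $Address -Prefix $_.Prefix } |
        Sort-Object Length -Descending |
        Select-Object -First 1
}

function Get-SitesWithoutSubnets {
    # A site with no subnet object can never be chosen for a client by IP.
    param([Parameter(Mandatory)]$SubnetTable)
    $used = $SubnetTable.SiteDN
    Get-ADReplicationSite -Filter * | Where-Object { $_.DistinguishedName -notin $used }
}

function Get-NestedCrossSitePrefixes {
    # A more specific prefix in site B sitting inside a broader prefix of site A.
    # Legal, and the specific one wins, but it is where surprises come from.
    param([Parameter(Mandatory)]$SubnetTable)
    foreach ($outer in $SubnetTable) {
        foreach ($inner in $SubnetTable) {
            if ($outer.Site -ne $inner.Site -and $outer.Length -lt $inner.Length -and
                (Test-IPv4InPrefix -Address $inner.Network -Prefix $outer.Prefix)) {
                [pscustomobject]@{
                    Broader = $outer.Prefix; BroaderSite = $outer.Site
                    Nested  = $inner.Prefix; NestedSite  = $inner.Site
                }
            }
        }
    }
}

$table = Get-SiteSubnetTable
$table | Sort-Object Site, Length | Format-Table Prefix, Site -AutoSize

# Illustrative client inside the /21 from the question; compare with `nltest /dsgetsite` on that host.
Resolve-ADSiteForIP -Address '192.168.1.25' -SubnetTable $table | Format-List Prefix, Site

Get-SitesWithoutSubnets -SubnetTable $table | Select-Object Name
Get-NestedCrossSitePrefixes -SubnetTable $table | Format-Table -AutoSize
```

Two things fall out of running this against the scenario in the question. First, a single 192.168.0.0/21 subnet object can belong to exactly one site, so a second site either gets no subnet (and is never selected) or gets a nested, more specific prefix, which is only meaningful if the remote end is really a distinct routed range. Second, the result of Resolve-ADSiteForIP should agree with `nltest /dsgetsite` on the client; if a client reports the wrong site, the subnet table, not the VPN, is usually where the fix belongs.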