Solved

Windows 2012 R2 AD: can 2 sites be on the same subnet?

Posted on 2014-03-19
Last Modified: 2014-03-19
OS: Windows 2012 R2

Can 2 sites be on the same subnet? The main site subnet is 192.168.0.0/21. Site-to-site VPN is enabled between sites. In Sites and Services both sites would be on the same subnet.

Thanks
Question by: quadrumane

Accepted Solution by: Cliff Galiher (earned 500 total points), ID: 39941306
I am not sure why you'd ever even try this. The primary function of sites and services (or the sites portion at least) is to provide context for AD functions, such as finding a domain controller on the local LAN instead of accidentally reaching across a slow WAN link. And it does so by subnets. If you have one big flat subnet (even with a VPN link) then you might as well have one site, as the benefit would be gone either way since you don't have subnets identified in sites and services for AD to perform queries against.

With that said, even with a site-to-site VPN, you wouldn't normally have one flat subnet, even if you took the sites and services component out of the equation. A site-to-site connection (either by router or by a computer dedicated to terminating the VPN tunnel) still has to know whether to route the traffic over the VPN tunnel or not. Otherwise you'd end up with the situation where a NetBIOS broadcast occurs over the LAN, hits the VPN device, the VPN device passes it on, the remote network rebroadcasts the traffic, it bounces around a switch and comes back to the remote end of the VPN tunnel, and that passes it back to the local VPN device... and back and forth ad infinitum. Broadcast storm.

Basic routing rules still apply (for VPN *or* non-VPN traffic). The VPN device would decide if the traffic was intended for a remote destination based on the subnet of the packet. You'd usually put each end of the VPN tunnel on a separate subnet, and the VPN tunnel itself would declare static routes connecting the two subnets with a high enough affinity to supersede internet traffic. Thus you get full connectivity, avoid broadcast traffic going over the VPN (that's a good thing) and, unless you also have a firewall shaping the *type* of traffic that goes over the VPN, anything that supports TCP/IP still works. Such as fileshare (SMB) traffic, SMTP, RPC, MAPI, Outlook Anywhere, Autodiscover, Network Discovery, NTP, and on and on.

Putting the two ends of the VPN on the same subnet provides no benefit in 99.99999% of networking scenarios, and unless the site-to-site VPN devices are doing something *very* non-standard (not a good idea), it often actually causes problems. So once you make that adjustment, it makes the whole issue of forcing AD Sites and Services to have two sites on the same subnet a moot point. You'd never do so.

So unless there is a significant part of your topology that you left out of your network, hopefully that addresses your question...if not perhaps in the way you expected.
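As an added illustration (not part of the answer above and not a Microsoft tool), the following Python models the subnet-to-site lookup the answer describes and runs a configuration check for the overlap the question proposes. The 192.168.0.0/21 subnet comes from the question; the branch subnet and both site names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example data, not from the original post: AD subnet objects and the
# site each one is assigned to. 192.168.0.0/21 is the main-site subnet from the
# question; the branch subnet and both site names are assumed values.
GOOD_CONFIG = [
    ("192.168.0.0/21", "Main-Office"),
    ("192.168.8.0/24", "Branch-Office"),
]
# What the question proposes: a second site declared on the same /21.
SAME_SUBNET_CONFIG = [
    ("192.168.0.0/21", "Main-Office"),
    ("192.168.0.0/21", "Branch-Office"),
]

def sites_for_client(ip, config):
    """Mimic the site lookup the DC locator relies on: match the client's address
    against every subnet object and keep the most specific (longest-prefix) match.
    Returns the sites at that prefix length: one entry is a clean answer, several
    entries means the configuration cannot say which site is 'local'."""
    addr = ip_address(ip)
    matches = [(ip_network(p).prefixlen, s) for p, s in config if addr in ip_network(p)]
    if not matches:
        return []
    best = max(plen for plen, _ in matches)
    return [s for plen, s in matches if plen == best]

def overlapping_subnets(config):
    """Configuration check: subnet objects of different sites whose ranges overlap.
    Each conflict is returned as (subnet, site, subnet, site)."""
    nets = [(ip_network(p), s) for p, s in config]
    problems = []
    for i, (n1, s1) in enumerate(nets):
        for n2, s2 in nets[i + 1:]:
            if s1 != s2 and n1.overlaps(n2):
                problems.append((str(n1), s1, str(n2), s2))
    return problems

if __name__ == "__main__":
    print(sites_for_client("192.168.3.17", GOOD_CONFIG))         # ['Main-Office']
    print(sites_for_client("192.168.8.40", GOOD_CONFIG))         # ['Branch-Office']
    print(overlapping_subnets(GOOD_CONFIG))                      # []
    print(sites_for_client("192.168.3.17", SAME_SUBNET_CONFIG))  # both sites: ambiguous
    print(overlapping_subnets(SAME_SUBNET_CONFIG))               # the conflicting pair
```

The same longest-prefix rule is what the VPN router applies when deciding whether a packet belongs on the tunnel, so distinct subnets per end serve both AD site selection and routing.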
