Solved

Windows 2012 R2 AD: can 2 sites be on the same subnet?

Posted on 2014-03-19
608 Views
Last Modified: 2014-03-19
OS: Windows 2012 R2

Can 2 sites be on the same subnet? The main site subnet is 192.168.0.0/21. Site-to-site VPN is enabled between sites. In Sites and Services both sites would be on the same subnet.

Thanks
Question by: quadrumane

Accepted Solution by: Cliff Galiher (earned 500 total points)
ID: 39941306
I am not sure why you'd ever even try this. The primary function of sites and services (or the sites portion at least) is to provide context for AD functions, such as finding a domain controller on the local LAN instead of accidentally reaching across a slow WAN link. And it does so by subnets. If you have one big flat subnet (even with a VPN link) then you might as well have one site, as the benefit would be gone either way since you don't have subnets identified in sites and services for AD to perform queries against.

With that said, even with a site-to-site VPN, you wouldn't normally have one flat subnet, even if you took the sites and services component out of the equation. A site-to-site connection (either by router or by a computer dedicated to terminating the VPN tunnel) still has to know whether to route the traffic over the VPN tunnel or not. Otherwise you'd end up with the situation where a NetBIOS broadcast occurs over the LAN, hits the VPN device, the VPN device passes it on, the remote network rebroadcasts the traffic, it bounces around a switch and comes back to the remote end of the VPN tunnel, and that passes it back to the local VPN device... and back and forth ad infinitum. Broadcast storm.

Basic routing rules still apply (for VPN *or* non-VPN traffic). The VPN device would decide if the traffic was intended for a remote destination based on the subnet of the packet. You'd usually put each end of the VPN tunnel on a separate subnet, and the VPN tunnel itself would declare static routes connecting the two subnets with a high enough affinity to supersede internet traffic. Thus you get full connectivity, avoid broadcast traffic going over the VPN (that's a good thing) and, unless you also have a firewall shaping the *type* of traffic that goes over the VPN, anything that supports TCP/IP still works. Such as fileshare (SMB) traffic, SMTP, RPC, MAPI, Outlook Anywhere, Autodiscover, Network Discovery, NTP, and on and on.

Putting the two ends of the VPN on the same subnet provides no benefit in 99.99999% of the networking scenarios, and unless the site-to-site VPN devices are doing something *very* non-standard (not a good idea), it often actually causes problems. So once you make that adjustment, it makes the whole issue of forcing AD Sites and Services to try to have two sites on the same subnet a moot point. You'd never do so.

So unless there is a significant part of your topology that you left out of your network, hopefully that addresses your question... if not, perhaps in the way you expected.
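The two rules the accepted answer relies on, subnet-to-site resolution in AD Sites and Services and longest-prefix-match routing on the VPN device, can be checked against a subnet plan before anything is configured. The following Python script is an added example, not part of the original thread and not Microsoft or vendor code. It takes the 192.168.0.0/21 range from the question; the Branch range 192.168.8.0/21, the site names and the route table are constructed for illustration. It flags a prefix assigned to more than one site (the situation the question describes, which AD cannot represent because a subnet object is associated with exactly one site), resolves a client address to its site by longest matching prefix, and shows which destinations a route table sends to the LAN, the tunnel or the internet, so a LAN broadcast address never selects the tunnel.

```python
"""Sanity-check an AD Sites and Services subnet plan and a site-to-site route table.

Added example, not from the original thread. Only 192.168.0.0/21 comes from the
question; every other address, site name and interface label is constructed.
"""
import ipaddress
from typing import Optional

IPNet = ipaddress.IPv4Network


def parse_plan(site_map: dict[str, list[str]]) -> dict[str, list[IPNet]]:
    """Parse a {site: [cidr, ...]} plan into network objects (strict: host bits must be zero)."""
    return {site: [ipaddress.ip_network(c, strict=True) for c in cidrs]
            for site, cidrs in site_map.items()}


def find_duplicate_subnets(site_map: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {cidr: [sites]} for every prefix assigned to more than one site.

    AD stores each subnet as a single object linked to one site, so a plan that
    puts the same prefix in two sites cannot be expressed at all.
    """
    owners: dict[str, list[str]] = {}
    for site, nets in parse_plan(site_map).items():
        for net in nets:
            owners.setdefault(str(net), []).append(site)
    return {cidr: sites for cidr, sites in owners.items() if len(sites) > 1}


def resolve_site(site_map: dict[str, list[str]], client_ip: str) -> Optional[str]:
    """Pick the site whose subnet covers client_ip with the longest prefix
    (the most-specific-match rule used for site lookup); None if no subnet covers it."""
    ip = ipaddress.ip_address(client_ip)
    best: Optional[tuple[str, IPNet]] = None
    for site, nets in parse_plan(site_map).items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (site, net)
    return best[0] if best else None


def next_hop(routes: list[tuple[str, str]], dst_ip: str) -> str:
    """Longest-prefix-match lookup over [(cidr, interface)], as a router or VPN
    device does it. '0.0.0.0/0' is the default (internet) route."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[tuple[IPNet, str]] = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "unreachable"


# Plan as asked in the question: both sites claim 192.168.0.0/21.
BAD_PLAN = {"MainOffice": ["192.168.0.0/21"], "Branch": ["192.168.0.0/21"]}

# Corrected plan: one /21 per end of the tunnel (Branch range is constructed).
GOOD_PLAN = {"MainOffice": ["192.168.0.0/21"], "Branch": ["192.168.8.0/21"]}

# Route table as seen from the main-office VPN device (constructed).
MAIN_ROUTES = [
    ("192.168.0.0/21", "lan"),
    ("192.168.8.0/21", "vpn-tunnel"),
    ("0.0.0.0/0", "internet"),
]


if __name__ == "__main__":
    print("duplicates in BAD_PLAN :", find_duplicate_subnets(BAD_PLAN))
    print("duplicates in GOOD_PLAN:", find_duplicate_subnets(GOOD_PLAN))
    for ip in ("192.168.3.4", "192.168.9.10", "10.0.0.1"):
        print(f"{ip:>14} -> site {resolve_site(GOOD_PLAN, ip)}")
    # 192.168.7.255 is the LAN's directed broadcast; it must stay on the LAN.
    for ip in ("192.168.7.255", "192.168.9.10", "8.8.8.8"):
        print(f"{ip:>14} -> via {next_hop(MAIN_ROUTES, ip)}")
```

With the corrected plan every client address resolves to exactly one site and the route table keeps the LAN broadcast range off the tunnel, which is the outcome the answer describes; with the plan from the question the duplicate-prefix check fails before anything else is attempted.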
