Solved

All vlans required as subnets in AD Sites & Services?

Posted on 2014-04-04
Last Modified: 2014-04-08
Hi there

I think this should be a fairly simple one to answer for you guys hopefully. I have a couple years experience of fairly basic AD management and I've come into a small/med size company where the IT manager was running the show on his own for years and has suddenly left so I'm going through the AD infrastructure to get to know the setup and see where improvements can be made.

We have 3 physical sites (main office, small satellite office and DR site), and there are 3 subnets displayed under Sites in AD sites and services representing each. The only thing is that in our main office we have 8 vlans in total, but only the 'server vlan' which hosts the DC's on this site is configured in AD S&S.

My question is, should I add the other 7 vlans we have into the AD S&S subnets? Everything seems to work without them being there, I just can't remember if it's best practice to add all the other non-DC subnets into there as well? And if that is the case, what's the reason for doing so?

Many thanks

BB
0
Question by:bananaboots
5 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39977794
The answer sadly (and not helpfully) is "it depends." You've said there are three subnets, but then later imply that there are many more. Multiple VLANs don't necessarily mean multiple subnets, and that architecturally can be important.

AD sites allow various features to be distinct geographically instead of forcing that to be represented by multiple domains in a forest or by abusing OUs in ADUC.

So in some instances, defining each VLAN as a separate site can actually introduce inefficiencies. In others, they are essential to making sure queries on those VLANs don't get routed unnecessarily across the WAN.

There are just too many variables to answer this question in a forum.
0
 

Author Comment

by:bananaboots
ID: 39978108
Hi, thanks for the response.

Sorry, let me clarify..... we have 3 physical sites

The 2 'other' small sites each have a total of one single subnet only that everything sits on i.e. every PC sits on the same single subnet as the single DC in each of those 2 sites.

Our head office building has 8 vlans: 192.168.1.x to 192.168.8.x

192.168.8.0/24 is our server vlan and contains the DC's. This is the one subnet that is displayed in S&S with reference to the head office.

I don't know if this is any more helpful in terms of answering the original question? As to whether I should add 192.168.1.0/24 thru 192.168.1.7/24 which are for PC's only.

Sorry if I've not covered anything new here, just checking.

Thanks
0
 
LVL 6

Accepted Solution

by:
Hassan Besher earned 1200 total points
ID: 39979241
Yes, you should add all vlans per site under Sites in AD sites and services, to control which AD server they are going to authenticate from if you have multiple AD servers in each site!
0
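An added example, not part of the original thread: domain controllers record clients whose IP address matches no subnet object as `NO_CLIENT_SITE` entries in `%SystemRoot%\debug\netlogon.log`, so that log shows which head-office VLANs still need a subnet in AD Sites and Services. The sketch below parses constructed sample lines; the site names, the two small-office subnets, the host names and the exact log layout are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Subnet objects already defined in AD Sites and Services -> site name.
# 192.168.8.0/24 is the head-office server VLAN from the thread; the site
# names and the two small-office subnets are assumptions for this example.
DEFINED_SUBNETS = {
    "192.168.8.0/24": "HeadOffice",
    "10.10.1.0/24": "Satellite",
    "10.20.1.0/24": "DR",
}

# Constructed sample lines in the style of a DC's netlogon.log.
SAMPLE_LOG = """\
04/04 09:15:02 [4692] CORP: NO_CLIENT_SITE: PC-017 192.168.3.25
04/04 09:15:40 [4692] CORP: NO_CLIENT_SITE: PC-102 192.168.1.77
04/04 09:16:11 [4692] CORP: NO_CLIENT_SITE: PC-017 192.168.3.25
04/04 09:17:03 [4692] CORP: NO_CLIENT_SITE: PC-044 192.168.3.90
04/04 09:18:20 [4692] CORP: NO_CLIENT_SITE: SRV-OLD 192.168.8.40
04/04 09:19:00 [4692] CORP: DsGetDcName function called: Dom:CORP
"""

NO_SITE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def site_for(ip, subnets=DEFINED_SUBNETS):
    """Return the site of the most specific defined subnet holding ip, else None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, subnets) if addr in n]
    if not hits:
        return None
    return subnets[str(max(hits, key=lambda n: n.prefixlen))]


def unmapped_clients(log_text, subnets=DEFINED_SUBNETS, prefix=24):
    """Group clients that still match no subnet by the /prefix network they sit in."""
    missing = defaultdict(set)
    for host, ip in NO_SITE.findall(log_text):
        if site_for(ip, subnets) is None:  # skip stale entries now covered
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            missing[str(net)].add(host)
    return {net: sorted(hosts) for net, hosts in sorted(missing.items())}


if __name__ == "__main__":
    for net, hosts in unmapped_clients(SAMPLE_LOG).items():
        print(f"{net}: no subnet object; seen from {', '.join(hosts)}")
```

Each network it reports is a candidate subnet object to create and associate with the site whose domain controllers should serve those clients.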
 
LVL 38

Expert Comment

by:Mahesh
ID: 39980035
The question is how many AD sites do you have 1st?

Do you have separate AD sites representing each of three offices or do you have single site with Default-first-site-name?

If you have only one site, then 1st you need to create TWO more sites representing the other physical sites and then add all respective site subnets to AD and latch each subnet to respective site

You can get lots of material \ YouTube videos for how to add sites, subnets etc

Mahesh.
0
 

Author Comment

by:bananaboots
ID: 39983429
Thanks Hassan

Mahesh... yes we have 3 separate AD sites representing each office
0
