• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1000

Can I add a second IP address/NIC to my domain controllers? (virtual machines)

Hello, I'm trying to find out if there would be a problem with adding another network card to my domain controller and giving it a different IP address.
The domain controllers I'm trying to add these adapters to are virtual machines (ESXi).
I don't have a problem adding the Ethernet adapters from ESXi, but I'm wondering if adding an additional IP address will cause problems in the domain. Does anyone have any experience with this?
We are doing this to separate AD DS traffic (replication, authentication, etc.) from management traffic (RDP, etc.).
Asked by: jsctechy
1 Solution
 
Cliff Galiher commented:
As long as you don't mangle DNS, this will be fine.
 
Amit (IT Architect) commented:
I personally don't recommend having a second NIC on DCs. Also, I don't see a reason for you to separate the traffic. One NIC should be enough to manage everything, unless there is some other issue you want to share.
 
jsctechy (Author) commented:
We are looking to separate the networks for security reasons. Some of the servers that we are adding to the domain will be client facing, and we don't want them to have direct access to other domain PCs on the same interface, so each server will have more than one network card.
The problem this poses is that some of the servers will be configured to use the default gateway on the NIC that's not part of the network that has access to domain controllers, so we will need to add persistent routes for all the AD networks we are looking to add anyway. Make sense? BTW, I never said it was the right way to do it; I'm just trying to work with what our "infrastructure architect" designed for us.
 
Drizzt420 commented:
Is there a reason you can't use Group Policy to impose security on the users/client PCs? Are you saying that your infrastructure architect is demanding that you do it this way? Can you provide more details? Because just from what you've provided, the proposed solution of adding additional NICs to every DC doesn't make sense to me.
 
Amit (IT Architect) commented:
I agree with Drizzt420. What do you mean by "client facing" here? Adding one more NIC won't make any difference. I am sure there is some confusion with your infrastructure architect. If you are looking to secure your domain environment, you need to look at a DMZ solution or a firewall.
 
Cliff Galiher commented:
Actually, this is not uncommon in larger environments. Restricting RDP, some WMI, PowerShell, etc. to a management LAN/VLAN is a fairly standard practice, with limited workstations/management stations also on that VLAN. Again, as long as you aren't mangling DNS, the default bindings for AD services are on all NICs, so an additional NIC (and IP) won't faze it in the least.
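A check for the DNS condition Cliff describes, added here as an example (not code from the thread or from any poster). It assumes it runs on the DC itself, and the two adapter aliases are placeholders for your AD-facing and management NICs:

```powershell
# Added example, not from the thread: on a multi-homed DC, confirm that clients
# resolving the DC's name get only the AD DS-facing address, and that the
# management adapter does not register itself in DNS.
# Interface aliases below are assumptions; adjust them to your adapters.
$AdNic   = 'Ethernet0'   # assumed: adapter on the AD DS / replication network
$MgmtNic = 'Ethernet1'   # assumed: adapter on the management (RDP) network

function Test-DcDnsBinding {
    param([string]$AdNic, [string]$MgmtNic)
    $fqdn = "$env:COMPUTERNAME.$((Get-CimInstance Win32_ComputerSystem).Domain)"

    # Addresses actually bound to each adapter
    $adIPs   = @((Get-NetIPAddress -InterfaceAlias $AdNic   -AddressFamily IPv4).IPAddress)
    $mgmtIPs = @((Get-NetIPAddress -InterfaceAlias $MgmtNic -AddressFamily IPv4).IPAddress)

    # Addresses the DC's host A record resolves to (ask DNS, not the local cache)
    $registered = @((Resolve-DnsName -Name $fqdn -Type A -DnsOnly).IPAddress)
    $findings = @()

    # 1. The management NIC must not register its address in DNS
    $mgmtClient = Get-DnsClient -InterfaceAlias $MgmtNic
    if ($mgmtClient.RegisterThisConnectionsAddress) {
        $findings += "$MgmtNic registers its address in DNS; run: " +
                     "Set-DnsClient -InterfaceAlias '$MgmtNic' -RegisterThisConnectionsAddress `$false"
    }

    # 2. No management address should already be published under the DC's name
    foreach ($ip in $mgmtIPs) {
        if ($registered -contains $ip) {
            $findings += "$fqdn resolves to management address $ip; clients may be sent to AD there"
        }
    }

    # 3. Every AD-facing address should be published
    foreach ($ip in $adIPs) {
        if ($registered -notcontains $ip) {
            $findings += "$fqdn does not resolve to AD address $ip; run Register-DnsClient after fixing bindings"
        }
    }

    [pscustomobject]@{
        Name       = $fqdn
        AdIPs      = $adIPs
        MgmtIPs    = $mgmtIPs
        Registered = $registered
        Findings   = $findings   # empty means DNS is not "mangled" in the sense above
    }
}

Test-DcDnsBinding -AdNic $AdNic -MgmtNic $MgmtNic | Format-List
```

As Cliff notes, AD DS itself still listens on both adapters, so this check only keeps clients from being directed at the management address; restricting what reaches the management VLAN remains a firewall/VLAN job.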
 
jsctechy (Author) commented:
Thanks Cliff, a simple answer to my question. Not something I get much of on Experts Exchange these days.
