Gaston Mbey
asked on
Best practices Design Active directory
Hello gents
i have a question I want to redesign an Active directory ? but there is something that I'm not certain of : Actually I have 2 networks : 192.168 . 6. X where there is One domain Controller and A second Network of 192.168.7.X where there is a Second Domain controller (Domain is the same). I have Servers that are seating in the two domains.
I want to create a domain for the servers only . Is it a recommended practice? I want to create a VLAN dedicated to servers . any Impact on Active directory ?
Rgds
i have a question I want to redesign an Active directory ? but there is something that I'm not certain of : Actually I have 2 networks : 192.168 . 6. X where there is One domain Controller and A second Network of 192.168.7.X where there is a Second Domain controller (Domain is the same). I have Servers that are seating in the two domains.
I want to create a domain for the servers only . Is it a recommended practice? I want to create a VLAN dedicated to servers . any Impact on Active directory ?
Rgds
With a VLAN separating clients and servers brings another question .. how does a client access a server?
ASKER
Hello People
I appreciate your comments. first of all I'm not mixing Subjects . I know that AD is for Authentication . My question is is it a good practice to have a VLAN for Servers and another One for Computers?
And sorry I don't want to create a new domain . I wanted to say a new network.
I appreciate your comments. first of all I'm not mixing Subjects . I know that AD is for Authentication . My question is is it a good practice to have a VLAN for Servers and another One for Computers?
And sorry I don't want to create a new domain . I wanted to say a new network.
If you have a separate network for the domain controllers the computers would still need access to that network to authenticate/access files/etc.
I think the first question is what are the reasons for separating out the server/computers - unless there's a specific reason to do so I don't see any reason to separate the servers to another network.
I think the first question is what are the reasons for separating out the server/computers - unless there's a specific reason to do so I don't see any reason to separate the servers to another network.
You are not seperating Servers from clients with vlan the best practise if you can is to group clients with servers. For example your accounting has a own Terminalserver where alle financial Software is installed on. So it would make sense to seperate them from the rest of the network except of the dc.
Thats the way for vlans. What you can do is the subnetting topic to collect all clients in one and the servers in the other. Thats only cosmetic. It can make sense for example when your dhcp scope is getting to small then it would be a good idea to seperate the clients.
Even think about of ipv6 in your internal network? I know its the future and no need yet but if you want to be the first then its time to do.
Thats the way for vlans. What you can do is the subnetting topic to collect all clients in one and the servers in the other. Thats only cosmetic. It can make sense for example when your dhcp scope is getting to small then it would be a good idea to seperate the clients.
Even think about of ipv6 in your internal network? I know its the future and no need yet but if you want to be the first then its time to do.
recommended practice is that you should have separate vlans for desktops and servers but those should communicate with each other. In AD you can create separate sites based on your subnets/location or map both the subnets to be authenticated within single site.
I think in your current setup you have separate domains which can easily be done with sites and services or subnets in AD
I think in your current setup you have separate domains which can easily be done with sites and services or subnets in AD
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
All are depending on each other but here does it not make sense to create a new domain.
What you can do instead ist to bring the servers in a own subnet / Vlan and clients etc in a different one. This is depending if you have two locations (cities?) and how they are connected. For VLAN you need special hardware and a way to manage them. Its one to setup and one to manage them. I hope i made it more clear???
At the end you need a concept what you want and how you achieve. In both i can help if you need.