Active Directory Site and Services - Question regarding Subnets

Hello Team,

I'm currently cleaning up the sites and services in a Win 2012 AD Server. I do notice that under subnets it lists the subnets of all of our remote offices that used to have Domain Controllers. At this point those remote offices still exist but they don't have any domain controllers in site, should I remove them from the subnets list?

Also there are new offices that have been opened without domain controllers and the subnet for those offices is not under the subnets list in AD Sites and Services.

Not sure how to proceed here but I would like to clean this up properly.

Thank you

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium, Commented:

In case the remote office doesn't have domain controllers using those subnets, then it makes sense to remove those. However, if you keep them, it isn't going to make any impact. For the new offices you can plan creating subnets which the domain controller would be using, or you can use your existing ones.

exTechnology, Author, Commented:
Hi Manikandan,

Thank you for the prompt response. Just to clarify, the subnets listed in sites and services are only subnets of sites which have a domain controller, correct? If I have sites that don't have domain controllers it would be of best practice to remove the subnet from the subnets list and the site object - after dcpromo has been run on the demoted server. Is this correct?

Unless applications are present in the site which depend on site topology information to function (you should know if these exist), you can safely tidy those spurious sites and subnets up and merge them into a single global site for the sites without DCs.

Figure 3.14:

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium, Commented:

The subnets of sites are those which have a domain controller and the applications which are dependent on site topology. However, if no domain controller exists then obviously there won't be any applications using the site topology. Hence you can remove the subnets after you demote the AD.

Peter Hutchison, Senior Network Systems Specialist, Commented:
The Domain Controller keeps a log of client errors for locating its nearest DC using Subnets and sites.
You can find it in C:\Windows\debug\netlogon.log
"if no domain controller exists then obviously there won't be any applications using the site topology"
Not strictly correct. Windows can still provide site locality information for other applications (even third-party software) which might wish to understand the wider network topology in order to access local resources. Granted, most apps are typically so poorly implemented that to use Sites & Services would be light years ahead of their developers...

"the subnets listed in sites and services are only subnets of sites which have a domain controller correct"
The sites and subnets define the PHYSICAL topology of how the various sites in your enterprise are interconnected. You would typically create a separate site for each location in which you wish to achieve some containment of traffic. The subnets are mapped to sites to allow member servers and workstations to automatically determine which site they are situated in. The typical reason for this is to provide locality information to the machines so they communicate with local domain controllers, rather than needlessly sending traffic over slow links to other sites; however, as I note above, other applications can use the information too. You should know if you have tools doing this, however.

You can list sites and subnets which do not have a local domain controller; the topology configured in AD Sites & Services will then allow them to locate the closest remote site (in terms of link cost) with which to communicate when they boot up.

If you have a hub & spoke design with your HQ at the hub, and there are no other applications using the site information, then it would be safe to either:

1. Merge all the subnets into a single site (the closest site with DCs) and delete the site objects for the remote sites. This is the recommended action from the documentation I previously linked.
2. Or simply delete the sites and subnets, and have the default behavior apply. This would work if only the HQ site has Domain Controller infrastructure and the remote sites all communicate back with that site.

"I have sites that don't have domain controllers it would be of best practice to remove the subnet from the subnets list and the site object - after dcpromo has been run on the demoted server"
If you demote the last Domain Controller in a site, and the above caveats do not apply, then there is no reason to keep the site around, yes.
Sites are not only used by AD but by other applications as well (Exchange, SCCM, etc.). Generally it's best practice to ensure that your AD subnets match your actual network layout.

If you have multiple sites with DCs and you have subnets that are not assigned in AD, your clients may end up using a DC on the other side of the world....

Action plan:
- Verify your list of AD-dependent applications
- Ensure that all subnets are listed in AD Sites and services
- If any are not listed, add them and assign them to the appropriate site
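
An added example (not part of the thread) for the netlogon.log check and the action plan above: it pulls the clients a DC could not place in any site out of the log and groups them by the subnet that still needs a subnet object. The `NO_CLIENT_SITE` line layout, the sample log lines and the subnet-to-site table are constructed for illustration; real logs may differ in detail.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: subnet objects and the site each one is linked to.
SITE_SUBNETS = {"10.0.0.0/16": "HQ", "10.0.50.0/24": "Branch-A"}

# Constructed sample of C:\Windows\debug\netlogon.log content.
SAMPLE_LOG = r"""
08/14 09:12:01 [4212] CORP: NO_CLIENT_SITE: WKS-0101 10.20.30.41
08/14 09:12:07 [4212] CORP: NO_CLIENT_SITE: WKS-0102 10.20.30.57
08/14 09:13:40 [1180] CORP: NO_CLIENT_SITE: LAP-0007 192.168.77.12
08/14 09:14:02 [4212] CORP: NO_CLIENT_SITE: WKS-0055 10.0.50.9
08/14 09:14:30 [4212] CORP: NO_CLIENT_SITE: WKS-0101 10.20.30.41
08/14 09:15:00 [1180] CORP: SamLogon: Network logon of CORP\jdoe from WKS-0101 Returns 0x0
"""

# Assumed entry layout: "NO_CLIENT_SITE: <hostname> <ip address>"
ENTRY = re.compile(r"NO_CLIENT_SITE:[ \t]+(\S+)[ \t]+(\S+)")

def parse_no_client_site(log_text):
    """Return (hostname, ip_address) for every NO_CLIENT_SITE entry."""
    found = []
    for m in ENTRY.finditer(log_text):
        try:
            found.append((m.group(1), ipaddress.ip_address(m.group(2))))
        except ValueError:
            continue  # malformed address field, skip the entry
    return found

def site_for(ip, site_subnets):
    """Most specific (longest-prefix) subnet wins; None if unmapped."""
    nets = [(ipaddress.ip_network(n), s) for n, s in site_subnets.items()]
    hits = [(net.prefixlen, site) for net, site in nets
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None

def unmapped_report(log_text, site_subnets, v4_prefix=24):
    """Group still-unmapped clients by enclosing /24 (IPv4) or /64 (IPv6)."""
    report = defaultdict(set)
    for host, ip in parse_no_client_site(log_text):
        if site_for(ip, site_subnets) is None:
            prefix = v4_prefix if ip.version == 4 else 64
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            report[str(net)].add(host)
    return {net: sorted(hosts) for net, hosts in report.items()}

if __name__ == "__main__":
    for net, hosts in unmapped_report(SAMPLE_LOG, SITE_SUBNETS).items():
        print(f"{net}: no subnet object, clients {', '.join(hosts)}")
```

Clients whose address now falls inside a listed subnet (here WKS-0055) are skipped, so the report only shows ranges that still need to be added and linked to a site.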

Will Szymkowski, Senior Solution Architect, Commented:
What I have read about removing the subnets from the sites that no longer have DCs in them is false. Will your users in the sites still be able to authenticate? YES, but this is no longer controlled if you remove these subnets.

Meaning, when you remove the subnets from AD Sites and Services, users in those sites where the subnets were removed will authenticate to ANY DC in your environment (which you do not want). Depending on the internet connection at the site and also geographical location, your users will experience slow logons if they are authenticating to a DC that is geographically far away.

In this situation what you need to do is the following...
- you need to associate your subnets (that no longer have DCs) to another Active Directory Site (specifically an AD site that is geographically close)

This is needed so that you know where your users are authenticating to. This will also mitigate slow logon times if all of the machines are pointing to an AD site that is close to them.

This also goes for any new Remote Site you have, regardless if it has a DC or not. You need/should add the subnet to AD Sites and Services.

You can check which DC your users are using by running the following command:
set logonserver <press enter>

You should also be referencing DNS to the AD Sites that you assign your subnet to.

As you can see in the screenshot below I have multiple subnets associated to one Default-Site. My DC is using subnet and I have another site (without a DC) using subnet. Both of these Subnets will authenticate against DC in


Seth Simmons, Sr. Systems Administrator, Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.