Creating a second subnet in a domain

Hello,

I have a problem and need assistance.   We have had 1 site for years.  Our IP subnet is 172.16.1.x with a mask of 255.255.0.0

We are setting up a new site this week.   The two sites will be the same domain and connected with a VPN.  We will have a domain controller and file server plus some PCs at the 2nd site.  I would like to keep the 2nd site on a separate subnet, but have some serious questions how to do that.   Would like to use 172.16.2.x as the subnet.  But here is my problem.   I want devices on both subnets to be able to access devices on the other subnet.   How do I even begin to set this up?  Do I set up a second address range in my DHCP (running on Windows 2012 Server R12)?  Do I change the network mask?     How do I force devices at the second site to use the .2 subnet? How do I do this correctly?  Need to do this very soon and just not sure what to do.  Please advise.  Thanks.
rstuemke asked:


rstuemke (Author) commented:
Another question is.... should I even do this?  Is there a better way?
DLeaver commented:
Unless the connection is a dedicated link that is transparent between the sites, then the subnet will have to be different (or if you are using network virtualisation, which I very much doubt).

So set up your new site with the .2 subnet, create the VPN and set up the DC and services.  AD will see this as a separate site and the IP address subnet for this site will need to be defined in AD Sites and Services.

As long as there are no ACLs or port restrictions in place, then traffic can flow between these two sites without issue.

It's not a very big task, but if you can clarify which bit you are struggling with, I can add more detail.

MasonWexler commented:
There are really 2 separate issues here:  physical network and AD Site design.

For the physical network, your current Class B subnet is actually 172.16.x.x so you would need to make the second subnet 172.17.x.x (you could also switch to a Class C subnet mask of 255.255.255.0 and use 172.16.2.x).

AD sites are used to control replication between DCs and help direct clients in selecting a nearby DC to authenticate to, so AD sites should be designed around bandwidth and DC placement, not physical site layout alone.

If you have the bandwidth (e.g., at least a 50 Mb VPN  tunnel) I would consider not placing a DC at the branch and just having one AD site which is a lot easier to manage and you won't need to deal with the 15 minute replication delay.  If your link is slow or unreliable, then you would probably want to place a DC and create an AD site at the branch.

Will Szymkowski (Senior Solution Architect) commented:
Some of the things I consider for DC placement are the following...

- Number of users at the site
- Hosting Exchange at the 2nd Site
- Bandwidth at the site
- specific applications that require a DC at the site for performance

Do not put a DC in a Site if below...
- 50 users or less
- 10 Mbps line or faster
- no Exchange hosted
- no specific application requirements

Put a DC in a Site when
- 50+ users
- 10 Mbps or less
- hosting Exchange in the site
- specific app requires a DC for local authentication

I have also created a HowTo for setting up Sites and Services
http://www.wsit.ca/how-tos/active-directory/active-directory-sites-and-services-part-1/

Will.
rstuemke (Author) commented:
The plan is to place the DC at the 2nd site as an offsite backup DC.  Perhaps as a RODC.

The internet connection is 100Mb/second thru Comcast fiber.

So if I change the subnet mask to 255.255.255.0, then I will be able to access the server with 172.16.2.186 configured on its 2nd network adapter?   Ok, does this mask need to be changed everywhere?  Or should I just leave it alone and go with the 172.17 subnet?

I need to do what will be correct but also quick to implement.    Reviewing your how-to....
MasonWexler commented:
I would go with the 172.17.x.x subnet for the second site; otherwise, you would need to change the subnet mask for every machine on the subnet.

I would also go with a writeable DC for the second site.  A RODC could not be used as an offsite backup.

I would also create a new site for the new office mapped to the 172.17.x.x subnet.
rstuemke (Author) commented:
Kind of a site question...... default-first-site-name is the default name of the site.
Can I change this to whatever I want, whenever I want?
rstuemke (Author) commented:
Ok, I created the new 172.17.1.0/24 subnet for the 2nd site.   Configured one network adapter on this future domain controller on 172.17.1.186, sitting in the first-site office, connected to the 172.16.1.0 LAN.  Other network adapter configured at 172.16.1.186.    Still cannot ping the second adapter from another device on the .16 network.  What else do I need to do to allow cross-subnet access?
MasonWexler commented:
Have you set up the VPN tunnel to route the 2 networks?
rstuemke (Author) commented:
Firewall and internet not yet operational at other site.   I was hoping to test it at the home site to make sure that the two subnets can communicate.  So far they cannot.    Perplexed???
rstuemke (Author) commented:
I shut down the firewall on the new server and tried to ping 172.17.1.186, which is hard coded into the 2nd adapter, but ping still fails from a device on the 172.16.1.x network.   Have included the new network in the domain GPO allowing access from 172.16.1.0/24 and 172.17.1.0/24.   Have set up reverse lookup in DNS for the 172.17.1.x subnet.  Have set up the 2nd site and 2nd subnet 172.17.1.0/24 and linked it to the 2nd site.   Not sure what else I need to do.   Should I be able to ping a 172.17.1.x IP address from a 172.16.1.x device?   What else do I need?  Please advise.   It is very important to get this working.  Thanks for your help in advance.
MasonWexler commented:
The subnet mask restricts network traffic to the subnets forcing communication between the subnets to go through a gateway.  Until you set up the VPN tunnel, packets won't be routed between the 2 subnets.

For testing, you could either set up a VPN tunnel over your internal network to do the routing or temporarily open up the subnet mask to skip routing while you are testing.  Using 2 network adapters doesn't help you unless you want to configure the Windows server as a Router to route the packets.

To skip routing for your testing, all you need to do is change the subnet mask to 255.0.0.0 and that creates a flat network across the 172.x.x.x address range.
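The on-link versus routed behaviour described in this answer, worked through with the thread's own addresses. This is an added example, not code from the thread or from any poster; the gateway route tables and the "vpn-to-site2" label are constructed assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

def same_link(host_cidr, target):
    """True when `target` falls inside the subnet the host is configured on.
    Such traffic is delivered directly on the LAN, never via the gateway."""
    return ip_address(target) in ip_interface(host_cidr).network

def next_hop(host_cidr, target, gateway_routes):
    """How a packet from the host reaches `target`: 'direct' if on-link,
    otherwise the default gateway's route table decides (longest prefix wins).
    `gateway_routes` maps CIDR prefix -> next-hop label (constructed table)."""
    if same_link(host_cidr, target):
        return "direct"
    best = None
    for prefix, via in gateway_routes.items():
        net = ip_network(prefix)
        if ip_address(target) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return f"via {best[1]}" if best else "unreachable (no route)"

# Constructed sample: a PC on the existing LAN with the original /16 mask,
# the same PC after re-masking to /24, and the new DC's second adapter.
LAN_PC_16 = "172.16.1.50/16"
LAN_PC_24 = "172.16.1.50/24"
NEW_DC_ADAPTER = "172.17.1.186"

# Gateway route tables: before the VPN exists, and after the tunnel
# carries the branch prefix (the label is an assumption, not a real device).
ROUTES_NO_VPN = {}
ROUTES_WITH_VPN = {"172.17.1.0/24": "vpn-to-site2"}

if __name__ == "__main__":
    # Why 172.16.2.x is not a second subnet under 255.255.0.0: still on-link.
    print(same_link(LAN_PC_16, "172.16.2.10"))   # True
    print(same_link(LAN_PC_24, "172.16.2.10"))   # False: now needs routing
    # The failed ping: off-link, and the gateway has no route to 172.17.1.0/24 yet.
    print(next_hop(LAN_PC_16, NEW_DC_ADAPTER, ROUTES_NO_VPN))    # unreachable (no route)
    print(next_hop(LAN_PC_16, NEW_DC_ADAPTER, ROUTES_WITH_VPN))  # via vpn-to-site2
    # The flat-network test shortcut (255.0.0.0): everything in 172/8 becomes on-link.
    print(same_link("172.16.1.50/8", NEW_DC_ADAPTER))  # True
```

The second adapter on the DC does not help on its own because the LAN PC never sends to it directly; with a /16 mask the PC hands the packet to its gateway, which has nowhere to send it until the tunnel (or a Windows routing role) provides the route.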
Will Szymkowski (Senior Solution Architect) commented:
The plan is to place the DC at the 2nd site as an offsite backup DC.  Perhaps as a RODC.

To be quite honest, RODCs are just added servers you have to manage in your environment and they have limited value based on the use. An RODC will also not serve as a backup DC; all requests still come from a W/R DC, unless the passwords are cached.

If you want redundancy, put 2 DCs in your HQ and have your remote site use the DNS/AD servers from HQ if the communication is good.

There is really only a need for a DC in a site if you are hosting Exchange, or you have a slow WAN, or you have a specific application that requires a DC for local authentication.

Will.
rstuemke (Author) commented:
There will eventually be an Exchange server at the 2nd site.