Splitting domain into 2 subnets

Hi,

I currently have a domain running in a private address space 192.168.x.y

Tomorrow, we want to have two separate address spaces. Let's say 192.168.x
and 10.x.
Between the two subnets I will have routing (on a core Cisco) and a firewall
to filtrate some very specific streams.

At first, the 10.x will only hold workstations.

Will this actually works ?
What kind of troubles may I face ?

What if I move a DC to the 10.x subnet as well ?

Thanks for your input on that question !

--Richard.

Active Directory runs fine in a routed network. Be very careful with a
firewall between internal subnets. Firewalls normally protect your "private"
machines from the outside world (ie they are at the edge of your private
network). Standard firewall settings will almost cetainly stop traffic which
is essential for Active Directory to function.

"Richard M." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> I currently have a domain running in a private address space 192.168.x.y
>
> Tomorrow, we want to have two separate address spaces. Let's say 192.168.x
> and 10.x.
> Between the two subnets I will have routing (on a core Cisco) and a
> firewall
> to filtrate some very specific streams.
>
> At first, the 10.x will only hold workstations.
>
> Will this actually works ?
> What kind of troubles may I face ?
>
> What if I move a DC to the 10.x subnet as well ?
>
> Thanks for your input on that question !
>
> --Richard.
>
>

"Richard M." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I currently have a domain running in a private address space 192.168.x.y
> Tomorrow, we want to have two separate address spaces. Let's say 192.168.x
> and 10.x.

Domains are an administrative entity and have nothing to do with topology and
subnets. There is just simply no relationship at all. You can have 20 Domains
on one IP segment,...or you can have 20 IP segments with a single Domain.

> Between the two subnets I will have routing (on a core Cisco) and a firewall
> to filtrate some very specific streams.

That is just asking for trouble. You don't put "NAT Devices" (firewalls) in the
middle of a LAN. That is what LAN Routers are for. LAN Routers can have all the
ACLs you have the stomach to create,...that is no place for a NAT Firewall.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------

"Phillip Windell"
> "Richard M."
> > I currently have a domain running in a private address space 192.168.x.y
> > Tomorrow, we want to have two separate address spaces. Let's say
192.168.x
> > and 10.x.
>
> Domains are an administrative entity and have nothing to do with topology
and
> subnets. There is just simply no relationship at all. You can have 20
Domains

So you can move a DC to a different address without any problem. Will I need
to cleanup AD ?
(Thinking about DC dns record in AD).

> on one IP segment,...or you can have 20 IP segments with a single Domain.

[Off topic] : If I have 20 domains on a single IP segment, will I have
troubles with DHCP ?
I mean with DNS updates.
At the same time, I will have only one domain suffix provided by DHCP.
Therefore it has to be overiden on each station.

>
> > Between the two subnets I will have routing (on a core Cisco) and a
firewall
> > to filtrate some very specific streams.
>
> That is just asking for trouble. You don't put "NAT Devices" (firewalls)
in the
> middle of a LAN. That is what LAN Routers are for. LAN Routers can have
all the
> ACLs you have the stomach to create,...that is no place for a NAT
Firewall.

(There is ACL involved too...)

That firewall will be a Cisco Pix. The whole purpose to create two segments
is to segregate streams from 2 subsidiaries. (I focus on Domain, but there
is a lot of other network access such as Internet, VPN, etc)

What I didn't told you is that the 2 Class A & B are themselves subnetted
w/ VLan. And servers are not in the same VLan as the workstations.

Meanwhile, I will provide full access between DCs in each subnet. (Each
will see each other.)
Do I need to enable a station in one segment to be able to reach DCs in the
other segment ?

I am thinking about what happends when you make a DNS query for the domain
(query to resolve "mydomain.net" for instance). It will reply with a list in
a "round robin" order.
Do I am right ?

Thanks,

--Richard.

"Richard M." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> So you can move a DC to a different address without any problem. Will I need
> to cleanup AD ?
> (Thinking about DC dns record in AD).

AD/DNS & WINS will adjust automatically, but there is a lag time. Static
entries will have to be corrected manually. Move DCs one at a time over a
period of time. Get your infrastructure servers moved and taken care of first
(DNS, WINS, DHCP, Mail). Make sure everything keeps working before you move on.
Do it a step at a time.

> [Off topic] : If I have 20 domains on a single IP segment, will I have
> troubles with DHCP ?
> I mean with DNS updates.
> At the same time, I will have only one domain suffix provided by DHCP.
> Therefore it has to be overiden on each station.

Just don't include the Suffix at all in the scope. The Clients don't even have
to have it anyway, but if they do need it, then configure it at the Clients
themselves. Yes this is one reason Domains may "follow" the subnets,..but that
is a convenience thing,..not a requirement

> That firewall will be a Cisco Pix. The whole purpose to create two segments
> is to segregate streams from 2 subsidiaries. (I focus on Domain, but there
> is a lot of other network access such as Internet, VPN, etc)

Right, then what is the PIX for? You create segmets with LAN Routers and run
ACLs on the Routers. The PIX is a NAT-based Firewall,...you don't run NAT
between LAN segments,...you run NAT between a private "autonomous systems" and
the "public" internet.

> What I didn't told you is that the 2 Class A & B are themselves subnetted
> w/ VLan. And servers are not in the same VLan as the workstations.

That is not relevant. The fact that the Servers aren't in the same segment as
the workstations is irrelevant and in larger systems is expected and required
because there are too many machines to fit into one segment,...especially
considering that segments should never have more than 250-300 hosts. Classes
aren't even considered anymore since everything has gone to Classless Addressing
with Variable-Length Subnet Masks. VLans are just a form of segmenting just
like physical segments and there is no destinction between them and a physical
segment when looking at the logical topology design.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------