Splitting domain into 2 subnets

Discussion in 'Windows Networking' started by Richard M., Feb 19, 2007.

  1. Richard M.

    Richard M. Guest

    Hi,

    I currently have a domain running in a private address space 192.168.x.y

    Tomorrow, we want to have two separate address spaces. Let's say 192.168.x
    and 10.x.
    Between the two subnets I will have routing (on a core Cisco) and a firewall
    to filter some very specific streams.

    At first, the 10.x will only hold workstations.

    Will this actually work?
    What kind of trouble may I face?

    What if I move a DC to the 10.x subnet as well?

    Thanks for your input on that question!

    --Richard.
     
    Richard M., Feb 19, 2007
    #1

  2. Bill Grant

    Bill Grant Guest

    Active Directory runs fine in a routed network. Be very careful with a
    firewall between internal subnets. Firewalls normally protect your "private"
    machines from the outside world (ie they are at the edge of your private
    network). Standard firewall settings will almost certainly stop traffic which
    is essential for Active Directory to function.
     
    Bill Grant, Feb 19, 2007
    #2
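An added check to go with the warning above (example code, not from this thread or its posters): a small Python audit that reads a Cisco-style extended ACL and reports which of the ports a domain member must reach on a DC the list would block. The ACL text, the 10.1.0.0/16 workstation range and the DC address 192.168.1.10 are constructed for the example; the port list is the well-known set of AD client-to-DC ports, with the RPC dynamic range taken as 49152-65535 (Windows Server 2008 and later; Windows Server 2003 used 1025-5000). The parser handles only the subset of access-list syntax shown in the sample.

```python
"""Audit a Cisco-style extended ACL against the ports Active Directory needs.

Added example, not code from the thread. It models a subset of extended ACL
syntax (constructed to look like an IOS/PIX-style access-list):
    access-list <n> permit|deny tcp|udp|ip <src> <dst> [eq <port> | range <lo> <hi>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
Entries are evaluated first match wins, with an implicit deny at the end.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

# Ports a domain member needs to reach on a domain controller (well-known AD
# requirements). Assumption: RPC dynamic range 49152-65535 (Windows Server 2008
# and later); Windows Server 2003 used 1025-5000 instead.
AD_PORTS = [
    ("DNS", "udp", 53), ("DNS", "tcp", 53),
    ("Kerberos", "tcp", 88), ("Kerberos", "udp", 88),
    ("NTP time sync", "udp", 123),
    ("RPC endpoint mapper", "tcp", 135),
    ("LDAP", "tcp", 389), ("LDAP/CLDAP DC locator ping", "udp", 389),
    ("SMB (SYSVOL, NETLOGON)", "tcp", 445),
    ("Kerberos password change", "tcp", 464),
    ("LDAPS", "tcp", 636),
    ("Global Catalog", "tcp", 3268),
    ("RPC dynamic range (low end)", "tcp", 49152),
    ("RPC dynamic range (high end)", "tcp", 65535),
]


@dataclass
class Ace:
    action: str
    proto: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    port_lo: int
    port_hi: int


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse an address spec starting at tokens[i]; return (addr, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    return int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # blank lines or syntax this toy parser does not model
        action, proto = t[2], t[3]
        src, src_wc, i = _addr(t, 4)
        dst, dst_wc, i = _addr(t, i)
        lo, hi = 0, 65535  # no port qualifier: any port
        if i < len(t) and t[i] == "eq":
            lo = hi = int(t[i + 1])
        elif i < len(t) and t[i] == "range":
            lo, hi = int(t[i + 1]), int(t[i + 2])
        aces.append(Ace(action, proto, src, src_wc, dst, dst_wc, lo, hi))
    return aces


def _in_net(addr: int, net: int, wildcard: int) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    return ((addr & ~wildcard) & 0xFFFFFFFF) == ((net & ~wildcard) & 0xFFFFFFFF)


def permitted(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if (_in_net(s, a.src, a.src_wc) and _in_net(d, a.dst, a.dst_wc)
                and a.port_lo <= dport <= a.port_hi):
            return a.action == "permit"
    return False  # implicit 'deny ip any any'


def blocked_ad_traffic(aces: List[Ace], workstation: str, dc: str):
    """Return the (name, proto, port) entries the ACL blocks from workstation to dc."""
    return [(n, p, port) for n, p, port in AD_PORTS
            if not permitted(aces, p, workstation, dc, port)]


# Constructed sample: an edge-firewall style policy that lets DNS and web
# through and denies everything else. Workstations are in 10.1.0.0/16 and
# the DC is 192.168.1.10 (both made up for the example).
NAIVE_ACL = """
access-list 101 permit udp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 53
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 80
access-list 101 deny ip any any
"""

# The same policy with the AD client-to-DC ports opened explicitly.
AD_AWARE_ACL = """
access-list 102 permit udp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 53
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 53
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 88
access-list 102 permit udp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 88
access-list 102 permit udp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 123
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 135
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 389
access-list 102 permit udp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 389
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 445
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 464
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 636
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 3268
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 range 49152 65535
access-list 102 permit tcp 10.1.0.0 0.0.255.255 any eq 80
access-list 102 deny ip any any
"""

if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_ACL), ("AD-aware", AD_AWARE_ACL)):
        blocked = blocked_ad_traffic(parse_acl(acl), "10.1.5.20", "192.168.1.10")
        print(f"{label}: {len(blocked)} AD flows blocked")
        for name, proto, port in blocked:
            print(f"  {proto}/{port:<5} {name}")
```

Run against the naive list it reports everything except UDP DNS as blocked, which is the failure Bill describes: the domain member can resolve the DC but cannot authenticate, apply policy or reach SYSVOL. The AD-aware list passes; note it still only opens the DC address, not the whole server segment, and RPC is opened as a range because the endpoint mapper on 135 hands the client a dynamic port.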

  3. Domains are an administrative entity and have nothing to do with topology and
    subnets. There is just simply no relationship at all. You can have 20 Domains
    on one IP segment,...or you can have 20 IP segments with a single Domain.
    That is just asking for trouble. You don't put "NAT Devices" (firewalls) in the
    middle of a LAN. That is what LAN Routers are for. LAN Routers can have all the
    ACLs you have the stomach to create,...that is no place for a NAT Firewall.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed (as annoying as they are, and as stupid as they sound), are
    my own and not those of my employer, or Microsoft, or anyone else associated
    with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Feb 20, 2007
    #3
  4. Richard M.

    Richard M. Guest

    "Phillip Windell"
    Domains

    So you can move a DC to a different address without any problem. Will I need
    to clean up AD?
    (Thinking about the DC DNS record in AD.)
    [Off topic]: If I have 20 domains on a single IP segment, will I have
    trouble with DHCP?
    I mean with DNS updates.
    At the same time, I will have only one domain suffix provided by DHCP.
    Therefore it has to be overridden on each station.
    Firewall.

    (There is ACL involved too...)

    That firewall will be a Cisco Pix. The whole purpose to create two segments
    is to segregate streams from 2 subsidiaries. (I focus on Domain, but there
    is a lot of other network access such as Internet, VPN, etc)

    What I didn't tell you is that the 2 Class A & B are themselves subnetted
    w/ VLANs. And servers are not in the same VLAN as the workstations.

    Meanwhile, I will provide full access between DCs in each subnet. (Each
    will see each other.)
    Do I need to enable a station in one segment to be able to reach DCs in the
    other segment?

    I am thinking about what happens when you make a DNS query for the domain
    (query to resolve "mydomain.net" for instance). It will reply with a list in
    a "round robin" order.
    Am I right?

    Thanks,

    --Richard.
     
    Richard M., Feb 20, 2007
    #4
  5. AD/DNS & WINS will adjust automatically, but there is a lag time. Static
    entries will have to be corrected manually. Move DCs one at a time over a
    period of time. Get your infrastructure servers moved and taken care of first
    (DNS, WINS, DHCP, Mail). Make sure everything keeps working before you move on.
    Do it a step at a time.
    Just don't include the Suffix at all in the scope. The Clients don't even have
    to have it anyway, but if they do need it, then configure it at the Clients
    themselves. Yes this is one reason Domains may "follow" the subnets,..but that
    is a convenience thing,..not a requirement.
    Right, then what is the PIX for? You create segments with LAN Routers and run
    ACLs on the Routers. The PIX is a NAT-based Firewall,...you don't run NAT
    between LAN segments,...you run NAT between a private "autonomous systems" and
    the "public" internet.
    That is not relevant. The fact that the Servers aren't in the same segment as
    the workstations is irrelevant and in larger systems is expected and required
    because there are too many machines to fit into one segment,...especially
    considering that segments should never have more than 250-300 hosts. Classes
    aren't even considered anymore since everything has gone to Classless Addressing
    with Variable-Length Subnet Masks. VLANs are just a form of segmenting just
    like physical segments and there is no distinction between them and a physical
    segment when looking at the logical topology design.

     
    Phillip Windell, Feb 21, 2007
    #5
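As an added worked example of the sizing rule Phillip gives above (segments of no more than 250-300 hosts, classless addressing with variable-length subnet masks, VLANs treated like any other segment), and not code from the thread: a small Python VLSM allocator that carves each subsidiary's address block into per-VLAN subnets sized to their host counts, keeps servers and workstations in separate segments, rejects any single VLAN that would exceed a /24, and checks that the two subsidiaries' plans never overlap, which matters once the core router carries both. The blocks 192.168.0.0/16 and 10.1.0.0/16, the VLAN names and the host counts are constructed for the example.

```python
"""VLSM planning for the two-subsidiary layout discussed in the thread.

Added example, not from the thread. Allocation is a buddy-style scheme: demands
are served largest first, each from the tightest free block, splitting that
block in halves until the prefix fits. All names, blocks and host counts are
made up for the example.
"""
import math
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

# One /24 holds 254 usable hosts; the post's guidance is never more than
# 250-300 hosts per segment, so a single VLAN larger than this is rejected.
MAX_HOSTS_PER_SEGMENT = 254


def prefix_for(hosts: int) -> int:
    """Smallest prefix length whose block holds `hosts` plus network and broadcast."""
    return 32 - math.ceil(math.log2(hosts + 2))


def allocate(block: str, demands: Dict[str, int]) -> Dict[str, IPv4Network]:
    free: List[IPv4Network] = [ip_network(block)]
    plan: Dict[str, IPv4Network] = {}
    # Largest segments first so the big ones get aligned blocks; ties by name.
    for name, hosts in sorted(demands.items(), key=lambda kv: (-kv[1], kv[0])):
        if hosts > MAX_HOSTS_PER_SEGMENT:
            raise ValueError(f"{name}: {hosts} hosts exceeds {MAX_HOSTS_PER_SEGMENT}; "
                             "split it into more VLANs")
        plen = prefix_for(hosts)
        candidates = [n for n in free if n.prefixlen <= plen]
        if not candidates:
            raise ValueError(f"{block} exhausted while placing {name}")
        # Tightest fit: the longest prefix that still fits, lowest address on ties.
        net = max(candidates, key=lambda n: (n.prefixlen, -int(n.network_address)))
        free.remove(net)
        while net.prefixlen < plen:
            net, spare = net.subnets(prefixlen_diff=1)  # keep the low half
            free.append(spare)
        plan[name] = net
    return plan


def cross_overlaps(plan_a: Dict[str, IPv4Network],
                   plan_b: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Pairs of segments from the two plans that overlap (must be empty to route)."""
    return [(a, b) for a, na in plan_a.items() for b, nb in plan_b.items()
            if na.overlaps(nb)]


# Constructed demands: each subsidiary keeps servers and workstations apart.
SUBSIDIARY_A = {"servers": 40, "workstations_floor1": 200,
                "workstations_floor2": 120, "printers": 20}
SUBSIDIARY_B = {"servers": 25, "workstations": 180, "voip": 60}

if __name__ == "__main__":
    plan_a = allocate("192.168.0.0/16", SUBSIDIARY_A)
    plan_b = allocate("10.1.0.0/16", SUBSIDIARY_B)
    for label, plan in (("A", plan_a), ("B", plan_b)):
        for name, net in plan.items():
            print(f"{label} {name:<20} {str(net):<18} {net.num_addresses - 2} usable hosts")
    print("overlaps between A and B:", cross_overlaps(plan_a, plan_b))
```

Each resulting subnet is one VLAN and one router interface (or sub-interface) on the core, with the inter-segment ACLs applied there rather than on a NAT device, as the post recommends. The allocator's output is deterministic, so the plan can be kept under version control and re-run when a VLAN's host count changes.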
