Windows Vista Tips

Sites-Services Network segregation question

 
 
Mark Z.
05-18-2010
We have 2 domains (W2k3 native), each with 2 DCs:
CORPORATE.COMPANY.NET (2 DCs: CORPDC1 and CORPDC2)
RETAILSTORES.COMPANY.NET (2 DCs: RETAILDC1 and RETAILDC2)

All are in the same site (SITE-HQ) and were assigned 6 subnets:
10.176.0.0/14
10.180.0.0/16
10.181.0.0/16
10.182.0.0/15 **
10.184.0.0/14 **
10.188.0.0/14

All are on the DEFAULTIPSITELINK (same site link).

A firewall is now in place between the 6 subnets (the subnets marked with '**'
are now firewalled).

I need to move RETAILDC2 behind the firewall (it will fall under subnet
10.184.0.0/14) and allow it to only replicate with RETAILDC1 that will remain
in the 10.181.0.0/16 network, all while still allowing RETAILDC1 to replicate
to CORPDC1 and CORPDC2.

To accomplish this, I need to do this:
1. Create a new site for RETAILDC2, called SITE-RETAIL-HQ, move RETAILDC2 to
this site, and assign subnets 10.182.0.0/15 and 10.184.0.0/14 to this site.
That takes care of clients behind the firewall only to authenticate to
RETAILDC2.

2. Create another site for RETAILDC1, because I can only limit replication
from site-to-site with site links. So I make SITE-RETAILCORP-HQ, and put
RETAILDC1 in this site. SITE-RETAILCORP-HQ is NOT in DEFAULTIPSITELINK.

3. I put SITE-RETAILCORP-HQ in the DEFAULTIPSITELINK, and make a new site
link called CORPRETAILSITELINK and place the SITE-RETAIL-HQ and
SITE-RETAILCORP-HQ in that - this allows RETAILDC2 in the SITE-RETAIL-HQ site
to only replicate to RETAILDC1 in the SITE-RETAILCORP-HQ.

One problem remains. Clients in the RETAILSTORES.COMPANY.NET behind the
firewall should communicate to the RETAILDC2, which is OK because there are
no CORPORATE.COMPANY.NET clients behind the firewall.

However, RETAILDC1, my only RETAILSTORES.COMPANY.NET DC outside the
firewall, cannot have any subnets assigned to its new site of
SITE-RETAILCORP-HQ because the SITE-HQ already has those subnets assigned.

I have clients on both the CORPORATE.COMPANY.NET and
RETAILSTORES.COMPANY.NET domains outside the firewall, but now the
SITE-RETAILCORP-HQ can't be assigned a subnet, and this site has the only DC
(RETAILDC1) outside the firewall for the RETAILSTORES.COMPANY.NET domain.

Now what?
 
Florian Frommherz [MVP]
05-18-2010
Howdie!

On 18.05.2010 21:00, Mark Z. wrote:
> I have clients on both the CORPORATE.COMPANY.NET and
> RETAILSTORES.COMPANY.NET domains outside the firewall, but now the
> SITE-RETAILCORP-HQ can't be assigned a subnet, and this site has the only DC
> (RETAILDC1) outside the firewall for the RETAILSTORES.COMPANY.NET domain.
>
> Now what?


Create a subnet for that single DC if necessary - use the subnet IP of
the DC with the suffix /32. That creates an IP for only that specific IP.

Cheers,
Florian
 
Paul Bergson [MVP-DS]
05-19-2010
Also, make sure you have "Bridge all site links" disabled, since you don't
have complete network connectivity to all sites.

Also check out an article I have on firewalled off dc's at:
http://www.pbbergs.com/windows/articles.htm
Firewall Ports Needed For Replication

Next, I would make sure the firewalled DCs on the other side of the
firewall aren't advertising that they can service everyone. Check out an
article on this, also on my website:
Prevent DC's from registering Service Records


--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com Twitter - @pbbergs

Please no e-mails, any questions should be posted in the newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Florian Frommherz [MVP]" <> wrote in
message news:...
> Howdie!
>
> On 18.05.2010 21:00, Mark Z. wrote:
>> I have clients on both the CORPORATE.COMPANY.NET and
>> RETAILSTORES.COMPANY.NET domains outside the firewall, but now the
>> SITE-RETAILCORP-HQ can't be assigned a subnet, and this site has the only
>> DC
>> (RETAILDC1) outside the firewall for the RETAILSTORES.COMPANY.NET domain.
>>
>> Now what?

>
> Create a subnet for that single DC if necessary - use the subnet IP of the
> DC with the suffix /32. That creates an IP for only that specific IP.
>
> Cheers,
> Florian



 
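A PowerShell version of the three steps from the question together with the /32 subnet and the site-link-bridging change from the replies, added here as an example and not code posted by anyone in the thread. It assumes the ActiveDirectory module (RSAT, Server 2012 or later, with AD Web Services or the Management Gateway reachable on a DC) and uses 10.181.0.10 as a placeholder for RETAILDC1's address.

```powershell
# Added example, not from the thread. RETAILDC1's address 10.181.0.10 is a
# constructed placeholder; substitute the real one before running.
Import-Module ActiveDirectory

$retailSite     = 'SITE-RETAIL-HQ'        # RETAILDC2, behind the firewall
$retailCorpSite = 'SITE-RETAILCORP-HQ'    # RETAILDC1, outside the firewall
$dc1Ip          = '10.181.0.10'           # placeholder for RETAILDC1

# Step 1: site for RETAILDC2 owning the two firewalled subnets. Re-homing the
# existing subnet objects pulls them out of SITE-HQ.
New-ADReplicationSite -Name $retailSite
foreach ($net in '10.182.0.0/15', '10.184.0.0/14') {
    Set-ADReplicationSubnet -Identity $net -Site $retailSite
}

# Step 2: site for RETAILDC1. The DC locator matches the most specific
# subnet, so a /32 claims only the DC's own address while 10.181.0.0/16
# stays with SITE-HQ and nothing has to be taken away from that site.
New-ADReplicationSite -Name $retailCorpSite
New-ADReplicationSubnet -Name "$dc1Ip/32" -Site $retailCorpSite

# Move the server objects into their new sites.
Move-ADDirectoryServer -Identity 'RETAILDC2' -Site $retailSite
Move-ADDirectoryServer -Identity 'RETAILDC1' -Site $retailCorpSite

# Step 3: SITE-RETAILCORP-HQ joins DEFAULTIPSITELINK (its path to CORPDC1/2);
# CORPRETAILSITELINK holds only the two retail sites.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = $retailCorpSite }
New-ADReplicationSiteLink -Name 'CORPRETAILSITELINK' `
    -SitesIncluded $retailSite, $retailCorpSite `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15

# Disable "Bridge all site links": set bit 0x2 (BRIDGES_REQUIRED) in the
# options attribute of the IP transport. With bridging on, the ISTG treats
# site links as transitive and assumes every site can reach every other one,
# so it may build a connection across the firewall that the rules block.
$ipTransport = 'CN=IP,CN=Inter-Site Transports,CN=Sites,' +
               (Get-ADRootDSE).configurationNamingContext
$opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 0x2) }

# Check from a workstation on each side of the firewall which site it lands
# in and which DC it is handed for the retail domain.
nltest /dsgetsite
nltest /dsgetdc:RETAILSTORES.COMPANY.NET
```

After the change, retail-domain clients outside the firewall still map to SITE-HQ, which has no RETAILSTORES DC of its own, so the nltest checks confirm they are being handed RETAILDC1 rather than something behind the firewall.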
 
 
 