Inherited SBS 2003 Prem - Cohabit on physical LAN with another SBS 2003 Prem Domain?

Discussion in 'Windows Small Business Server' started by Alan, Oct 4, 2006.

  1. Alan

    Alan Guest

    Hi All,

    I am about to 'inherit' an SBS 2003 Prem machine and associated domain
    workstations (cohabiting office space) for which I will become the
    domain admin.

    If possible I would like to plug that server and the workstations into
    my existing physical LAN, but set it up as a totally independent
    domain and different subnet (we are currently 10.0.0.0/24 so I am
    thinking perhaps 10.0.1.0/24).

    Will that work? I understand that I cannot have two SBS 2003 Prem
    servers in a single domain, but I am thinking that my plan means I
    would have (logically) separate domains even though on the same
    physical LAN.

    Thanks,

    Alan.
    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
     
    Alan, Oct 4, 2006
    #1

  2. You could put two NICs in each SBS server, then attach them to a common
    router, and run them as separate domains.

    However, the problem may be forwarding the ports used by the services that
    both domains may require (email, RWW, OWA, VPN, etc. | ports 25, 443, 1723,
    4125, etc.). I believe 4125 can be changed in the registry of the
    server to a different port, and Exchange (port 25) can be set up to use an
    alternate port. But 1723, 443 and other ports are "hard-coded" and can only
    be forwarded to one IP.

    There are routers that allow dual Internet access and may be useful (albeit
    that means another broadband account).

    Internet
    |
    Router --- SBS2 External NIC = SBS2 Internal NIC - Switch - Domain2 Workstations
    |
    SBS1 External NIC
    ||
    SBS1 Internal NIC
    |
    Switch
    | | | |
    Domain1 Workstations
     
    Merv Porter [SBS-MVP], Oct 5, 2006
    #2

  3. Alan

    Alan Guest

    Hi Merv,

    I hadn't considered the port forwarding issue.

    Both servers are currently in single NIC configuration.

    It appears that the new server actually uses POP3 (!) to collect email
    so that is not an issue.

    We only have 25 and 1723 open on the firewall to our existing SBS, so
    that just leaves 1723. If they are using RDP then problem solved,
    since we do not allow a direct RDP session through the firewall (has
    to tunnel inside a VPN and that can only connect to our Win Server
    2003 TS machine). I could port forward 4125 to their server to
    probably any internal IP in their subnet.

    Thanks,

    Alan.

    PS: I have another interesting issue on this new SBS 2003 Prem box,
    but I'll start another thread for that!
     
    Alan, Oct 5, 2006
    #3
  4. Hi Alan,

    How do you plan to isolate the two SBS servers using single NICs and a
    common router/firewall? One of the SBS servers will shut down when it
    detects the other. That's why I suggested dual NICs in each (which will
    isolate the servers).
     
    Merv Porter [SBS-MVP], Oct 5, 2006
    #4
  5. Alan

    Alan Guest

    I am probably misunderstanding what 'isolate' means / requires.

    Do they have to be physically isolated?

    I was hoping that, if they are different unrelated domains, and
    different subnets, then they would be isolated from each other (in a
    logical sense but not physically).

    Am I mistaken? If so, I can reconfigure one or both with dual NICs (I
    was planning on doing ours that way at Xmas anyway), but if I can get
    away with it for three months, that would be good too.

    Upon reflection, the LAN side address of a single router cannot
    (presumably) be both (say) 10.0.0.254 and 10.0.1.254. Therefore, I
    have a problem right there.

    If I go with the dual NICs, then I guess the WAN side NICs on the two
    SBS machines could be, say, in the 192.168.0.0/24 subnet with the LAN
    side of the router being 192.168.0.254 (say).

    Thanks,

    Alan.

     
    Alan, Oct 5, 2006
    #5
  6. Whoops. Cancel that. The SBS servers won't be in the same domain, so the
    second SBS server should not shut down. DHCP may be a problem though.

    --
    Merv Porter [SBS-MVP]
    ============================

     
    Merv Porter [SBS-MVP], Oct 5, 2006
    #6
  7. Sorry, I just sent a post to correct myself. The servers should be able to
    coexist on the same physical network, but isolating at least one of them
    with a dual NIC configuration may make administration a bit easier. This
    would allow you to run full DHCP service behind the dual NIC server for its
    workstations. The external NIC of SBS2 would be in the same subnet as SBS1
    and the router.



     
    Merv Porter [SBS-MVP], Oct 5, 2006
    #7
  8. Merv, SBS will only shutdown if the 2nd SBS is in the same domain. ie. you
    can have two SBS 'internal' on the same ethernet segment as long as each is
    in its own domain. The two can even share IP space (subnet).

    The problem(s) with such a setup are to do with DHCP/DNS: only one of the
    servers can supply DHCP services. This is fine for workstations attached to
    that server, but when you start thinking about the interaction between DHCP
    and AD DNS, client PC setup for the workstations attached to the 2nd domain
    goes awry. It's _way_ down my list of priorities, but one day I may have a
    look at authorising two such SBSs to each other, allowing either to supply
    DHCP (at random, letting whichever DHCP decides to shut down do so) and
    causing DNS records on both to be updated. However, there's a bug in this
    too. DHCP supplies the AD DNS name to DHCP clients; the best option I can
    think of to resolve this (counting that each server _may_ supply DHCP) is to
    remove this option and set the workstations manually. This goes further and
    you suddenly reach a point where it's all too much of a headache and you may
    as well shut down DHCP on both and rely fully on manual IPConfig of all PCs
    (servers and workstations).

    Take it further and my thoughts lead to 'Sell the 2nd SBS and run both
    companies from one server.', it's cleaner, simpler, easier.

     
    SuperGumby [SBS MVP], Oct 5, 2006
    #8
  9. BWAHAHAHA, shouldda realised you'd catch yourself.

    :)

    Ideally you'd completely separate the networks, run both SBS dual NIC with a
    routable subnet on the ISP connection; they share bandwidth but get distinct
    public IPs.

     
    SuperGumby [SBS MVP], Oct 5, 2006
    #9
  10. Alan

    Alan Guest

    Hi SuperGumby,

    I agree and that is probably where we will end up if we all get along
    well, but it will take a while for everyone to become comfortable with
    each other and I don't want to have to undo that kind of thing if it
    doesn't work out!

    Thanks,

    Alan.
     
    Alan, Oct 5, 2006
    #10
  11. Alan

    Alan Guest

    Hi Merv,

    We have about 20 workstations, and the other party has less than 10,
    so I could manually assign static IPs and turn off DHCP on both SBS
    machines?

    Thanks,

    Alan.
     
    Alan, Oct 5, 2006
    #11
  12. Hi Alan,

    Yes, you can do that (as SG concluded in his post). For myself, I think I
    would still prefer dual NICs in each server, full DHCP by each SBS server,
    and isolated networks. (Easier to administer and troubleshoot, depending on
    your needs). I've got this set up at one of my clients: an SBS 2003
    Standard (training lab) and SBS 2003 Premium (business network), both with
    dual NICs. Been running fine for 2 years now.


     
    Merv Porter [SBS-MVP], Oct 5, 2006
    #12
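The plan the thread settles on (two unrelated domains on separate /24 subnets, DHCP switched off on both SBS servers, static addresses for roughly 20 and 10 workstations) is easy to get subtly wrong by hand. The script below is an added example, not code from the thread or from any of the posters; it builds such a plan and checks the points raised above: the subnets must not overlap, every address must be unique, each gateway must live in its own subnet (one router LAN address cannot serve both), and a DHCP server left running on one SBS would hand every client on the wire the DNS server and DNS suffix of the wrong domain, which is SuperGumby's objection. Domain names, addresses and host counts are constructed.

```python
"""Static IP plan checker for two independent SBS 2003 domains on one physical LAN.

Added example, not from the thread. Domain names, server/gateway addresses and
workstation counts below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str                          # AD DNS name (the suffix DHCP would hand out)
    subnet: ipaddress.IPv4Network
    server_ip: ipaddress.IPv4Address   # the SBS box: DC and DNS server for this domain
    gateway: ipaddress.IPv4Address     # default gateway for its workstations
    workstations: int
    hosts: dict = field(default_factory=dict)   # hostname -> IPv4Address


def make_domain(name, cidr, server, gateway, workstations):
    """Build a Domain from plain strings (convenience wrapper)."""
    return Domain(name, ipaddress.ip_network(cidr), ipaddress.ip_address(server),
                  ipaddress.ip_address(gateway), workstations)


def allocate(domain, first_offset=10):
    """Assign static addresses from .<first_offset> upward, skipping server and gateway."""
    base = int(domain.subnet.network_address)
    pool = [a for a in domain.subnet.hosts()
            if int(a) - base >= first_offset and a not in (domain.server_ip, domain.gateway)]
    if len(pool) < domain.workstations:
        raise ValueError(f"{domain.subnet} cannot hold {domain.workstations} workstations")
    domain.hosts = {f"ws{i + 1:02d}.{domain.name}": pool[i]
                    for i in range(domain.workstations)}
    return domain.hosts


def check_plan(domains):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for i, a in enumerate(domains):
        # Alan's reflection: a gateway address must sit inside the subnet it serves,
        # so each subnet needs its own router interface (or a routing hop).
        if a.server_ip not in a.subnet:
            problems.append(f"{a.name}: server {a.server_ip} not in {a.subnet}")
        if a.gateway not in a.subnet:
            problems.append(f"{a.name}: gateway {a.gateway} not in {a.subnet}")
        for b in domains[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                problems.append(f"{a.subnet} overlaps {b.subnet}")
    # With DHCP off everywhere, nothing stops two admins picking the same address.
    seen = {}
    for d in domains:
        entries = [(f"{d.name} server", d.server_ip), (f"{d.name} gateway", d.gateway)]
        entries += list(d.hosts.items())
        for label, addr in entries:
            if addr in seen:
                problems.append(f"{addr} used by both {seen[addr]} and {label}")
            seen[addr] = label
    return problems


def dhcp_mismatches(client, dhcp_server):
    """What a workstation of `client` gets wrong if `dhcp_server`'s DHCP answers it.

    A DHCP server knows only its own domain: it hands out its own DNS server,
    its own DNS suffix and an address from its own scope.
    """
    wrong = []
    if dhcp_server.server_ip != client.server_ip:
        wrong.append(f"DNS server {dhcp_server.server_ip} serves {dhcp_server.name}; "
                     f"client needs {client.server_ip}")
    if dhcp_server.name != client.name:
        wrong.append(f"DNS suffix {dhcp_server.name}; client needs {client.name}")
    if not dhcp_server.subnet.overlaps(client.subnet):
        wrong.append(f"address from {dhcp_server.subnet}; client belongs in {client.subnet}")
    return wrong


def build_plan():
    """Constructed plan: existing domain on 10.0.0.0/24, inherited one on 10.0.1.0/24."""
    ours = make_domain("corp.local", "10.0.0.0/24", "10.0.0.1", "10.0.0.254", 20)
    theirs = make_domain("tenant.local", "10.0.1.0/24", "10.0.1.1", "10.0.1.254", 9)
    for d in (ours, theirs):
        allocate(d)
    return [ours, theirs], check_plan([ours, theirs])


if __name__ == "__main__":
    domains, problems = build_plan()
    for d in domains:
        print(f"{d.name}: {d.subnet}, gateway {d.gateway}, {len(d.hosts)} workstations")
    print("plan problems:", problems or "none")
    print("if corp.local's DHCP answered a tenant.local client:")
    for line in dhcp_mismatches(domains[1], domains[0]):
        print("  -", line)
```

Running it prints the two subnets with no plan problems, then the three things a tenant.local workstation would have wrong if the corp.local DHCP scope were still enabled; that list is the concrete reason the thread ends with "turn off DHCP on both and assign statics".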
  13. Alan

    Alan Guest

    Hi Merv,

    I do agree - and it will be the aim over time, but I need to do
    something quick and dirty (but also safe and reliable!) in the shorter
    term while things are settling down.

    Thanks for your help - I really appreciate it.

    Alan.
     
    Alan, Oct 6, 2006
    #13
  14. Alan

    Alan Guest

    This post repeated above - don't bother replying here.

    Thanks,

    Alan.
     
    Alan, Oct 6, 2006
    #14