IP subnets overlapping in Active Directory?

    How will Active Directory behave in case of overlapping IP subnets configured in Active Directory Sites and Services?

    For example:

    Site name   Subnet
    ---------   ------
    US          10.10.192.0/19 (10.10.192.1 - 10.10.223.254)
    LON         10.10.204.0/22 (10.10.204.1 - 10.10.207.254)

    In the above case, both sites' subnets overlap. (LON has an IP subnet which is a subset of the US IP subnet.)

    In this scenario, when a machine boots in the LON site, how will it decide which site it belongs to and which domain controller is nearest?

    In my environment, I can see that machines from the LON site are getting authenticated with domain controllers in US. Is this expected behavior?

    Thanks!
    Last edited by charlsteve; 29th June 2007, 15:07.

  • #2

    I don't understand how the two subnets overlap when the IP range of one is 10.10.192.x to 10.10.223.x and the other one is 149.77.204.x to 149.77.207.x??

    Is this a typo? If so, and the latter is 10.10.204.x to 10.10.207.x, then yes, this will cause problems with Site Boundaries. The two subnets need to be distinct from each other, otherwise the KCC and ISTG will be unable to figure out which clients are in which subnet (and therefore which site).

    I would suggest configuring your subnets differently such that they both have unique and distinct (sets of) network IDs. For instance:

    US - - - - 10.10.192.0/24
    LON - - - 10.10.193.0/24

    This not only makes them distinct, they have the same subnet mask which will make them easier for humans to understand intuitively. Obviously if you need more hosts then back off the subnet mask a little; but ensure that the network IDs remain unique.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    • #3

      Thanks for the reply.

      >Is this a typo?

      Yes it is

      Anyway, I am planning to change the subnets to make them unique.

      Is there any specific procedure for changing this, or can I delete and create subnets straight away? Also, let me know if I need to take any precautions.

      >>In my environment, I can see that machines from the LON site are getting authenticated with domain controllers in US. Is this expected behavior?

      I am curious to know how it will behave when there is an overlapping subnet.

      Thanks!

      • #4

        Like I said, with an overlapping subnet, a client will not know what site it's in. So it will choose a domain controller based upon the one which answers first. Also, if there are overlapping DHCP scopes, then theoretically a client in either site could pick up an IP address from DHCP which is actually in the other site... and it will then log on via the domain controller in its site.

        To change your subnets, first you need to plan - because it's not simple. I would keep the larger site exactly as it is and change the smaller; however it's a big job because all the network devices (routers, switches etc) will need changing; DHCP/DNS will need changing; WINS; etc etc etc. Unfortunately I don't believe that you have any real choice; it has to be done.

        As regards DHCP, you should create a new scope for the new network but don't activate it until the new IP address scheme "goes live" on the network. Then, it's simply a case of deactivating the old scope(s) and activating the new.


        Tom

        • #5

          I don't want to change any physical subnets. But in AD I want to divide the US subnet into two parts (so that I can exclude the LON subnet).

          My plan is to divide 10.10.192.0/19 into two subnets, 10.10.192.0/21 and 10.10.200.0/22. I will assign these two individual subnets to the US site and delete the 10.10.192.0/19 subnet from the US site. Now my two new subnets will cover the entire US site's subnets and will not overlap with the LON subnet.

          With this, all US workstations should get authenticated to the US DC and LON workstations to the LON DC.

          Please let me know if I am thinking about this the wrong way.

          NOTE: We have already excluded this LON subnet from the US DHCP and configured the LON subnet in the LON DHCP. It's working.

          Thanks!

          • #6

            I would not use different subnet masks... with a 21 bit subnet mask, 192 and 200 are on different networks anyway:


            1111 1111 * 1111 1111 * 1111 1000 * 0000 0000 = 255.255.240.0 (21 bits)
            0000 1010 * 0000 1010 * 1100 0000 * 0000 0000 = 10.10.192.0
            0000 1010 * 0000 1010 * 1100 1000 * 0000 0000 = 10.10.200.0


            So you don't need different masks.

            I would therefore use a 21 bit subnet mask and two subnets SO:

            10.10.192.0/21 and 10.10.200.0/21

            This will separate them nicely and also keep London unique. (with a 20 bit mask in the US, London is on a different network with its 204-207 scheme)


            Tom

            • #7

              I am confused with your earlier

              Can you tell me which subnet I need to assign to US and which one to LON?

              • #8

                If I divide 10.10.192.0/19 into 10.10.192.0/21 and 10.10.200.0/21, then I am finding any use (it is not excluding the LON subnet; the 10.10.200.0/21 subnet still contains the US and LON subnets).

                Correct me if I am wrong.

                • #9

                  Hi Tom, did you get a chance to look at my latest post?

                  Thanks!

                  • #10

                    Oops sorry you're right of course... slap another 3 bits on the subnet mask and you have a 24 bit mask; that will definitely exclude London.

                    Sorry for confusions and delays...


                    Tom

                    • #11

                      Thanks Tom. Hope changing subnets over weekends will not produce any issues.

                      ~Sitaram
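
An added example, not part of the original thread: a Python sketch using the standard `ipaddress` module to check the subnet proposals from posts #5 and #6 for overlap with the LON /22 and for coverage of the original US /19. The function names are hypothetical, and the code only does CIDR arithmetic on the values quoted in the thread; it does not query Active Directory.

```python
import ipaddress
from itertools import combinations

# Site -> subnet assignments from the first post (sample data from the thread).
SITES = {"US": ["10.10.192.0/19"], "LON": ["10.10.204.0/22"]}

def find_overlaps(sites):
    """List (site_a, net_a, site_b, net_b) for overlapping subnets in different sites."""
    flat = [(s, ipaddress.ip_network(n)) for s, nets in sites.items() for n in nets]
    return [(sa, str(a), sb, str(b))
            for (sa, a), (sb, b) in combinations(flat, 2)
            if sa != sb and a.overlaps(b)]

def carve_out(parent, child):
    """Smallest set of CIDR blocks covering `parent` except `child`."""
    parent, child = ipaddress.ip_network(parent), ipaddress.ip_network(child)
    if not child.subnet_of(parent):
        raise ValueError(f"{child} is not inside {parent}")
    return [str(n) for n in sorted(parent.address_exclude(child))]

def uncovered(parent, proposed):
    """Parts of `parent` that none of the `proposed` subnets cover."""
    remaining = [ipaddress.ip_network(parent)]
    for p in map(ipaddress.ip_network, proposed):
        nxt = []
        for r in remaining:
            if r.subnet_of(p):        # r is fully covered by p
                continue
            if p.subnet_of(r):        # p sits inside r: keep the rest of r
                nxt.extend(r.address_exclude(p))
            else:                     # disjoint: r is untouched
                nxt.append(r)
        remaining = nxt
    return [str(n) for n in sorted(remaining)]

if __name__ == "__main__":
    print("current overlaps:", find_overlaps(SITES))
    print("US /19 minus LON /22:", carve_out("10.10.192.0/19", "10.10.204.0/22"))
    plan5 = ["10.10.192.0/21", "10.10.200.0/22"]          # proposal in post #5
    print("post #5 gaps:", uncovered("10.10.192.0/19", plan5 + SITES["LON"]))
    plan6 = {"US": ["10.10.192.0/21", "10.10.200.0/21"], "LON": SITES["LON"]}
    print("post #6 overlaps:", find_overlaps(plan6))
```

Any range reported by `uncovered` would have no subnet object after the old /19 is deleted, so it needs its own entry before the change is made.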
