AD with multiple Vlans

  • AD with multiple Vlans

    Due to legal reasons, all IT staff were arrested while our new network was being built. Even though I am not technical in IT, I have been made responsible for building that network, which is bad news, but I know the knowledge is out there on the internet. I spent a few days reading before starting the implementation and everything is OK, but I face a problem I cannot find a solution for on the web.
    1. I decided to put every department in its own VLAN.
    2. I will also put the servers in a VLAN.
    3. I decided to use 10.10.0.0/22, because I need more than 520 IPs. I will then re-subnet this range to get the required VLANs for the departments and the servers VLAN.
    4. Mostly I will re-subnet using /25 to get 8 subnets, from 10.10.0.0/25 up to 10.10.3.128/25.
    My questions, which I cannot find answers for online:

    1. Is it correct to put all servers in a specific VLAN, or is there another recommendation?
    2. As I read, in Active Directory Sites and Services I have to assign each site the proper subnet. In my case I have only one Active Directory site, so should I assign the large subnet 10.10.0.0/22, or assign all the small subnets such as 10.10.0.0/25, 10.10.0.128/25 etc., or assign all the small subnets combined with the large one?
    3. Should the DC IP configuration use the netmask of the servers VLAN or the wide one, i.e. /25 or /22?
    4. As I will use ISA 2006 SE as the gateway, the ISA internal NIC IP will belong to one of the VLANs (the server VLAN). Even though I will configure VLAN routing, ISA as a firewall will consider traffic from internal clients in other VLANs as attacks, so how will these clients in different VLANs use a gateway that is not in their subnets, and how will ISA accept their requests?

  • #2
    Re: AD with multiple Vlans

    So you are not an IT technical expert and you have responsibility for building a new network after all the previous staff were arrested (what on earth for?)

    I suggest you get some suitable training in the technologies involved, and get a good consultant to set things up initially.

    A lot more information is needed before people can answer any questions:
    How many sites? (and what intersite connectivity)
    How many servers (and what OS and roles)?
    Ditto clients
    What internet connectivity?
    What HA requirements?
    What network infrastructure (vital knowledge if you are using VLANs)?

    In general though, keep things as simple as possible, for your own sanity if nothing else!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: AD with multiple Vlans

      Really, I would hire a consultant if I were you.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: AD with multiple Vlans

        1. In this network we have only one Active Directory site.
        2. 4 physical servers. I decided to virtualize them using Microsoft Hyper-V Server 2012; it is already installed on all of them and I have tested VM creation and connectivity. Roles will be Active Directory using Windows 2008 R2 SE and common roles such as file and print, DNS, DHCP, WSUS and antivirus server. I have read about all of them and even tested them in virtual labs.
        3. About 1000 users/computers, in 6 departments.
        4. For this network we have two DSL lines: one will connect to a Cisco router and the 2nd will connect to a SOHO router, until we order a new Cisco router for it. Then both will be connected to a PIX firewall, and the network outline will be: two routers >>> PIX >>> ISA server external NIC >>> ISA internal Cisco switch (the other servers will be connected to the same switch) >>> Catalyst core switch >>> other Cisco switches >>> staff computers.
        5. Currently we don't need HA for internet connectivity, as we'll test this network for a period before it becomes the production one, and we also haven't ordered the hardware load-balancer yet. For internal HA, I will use Hyper-V features.
        Actually, I can narrow my questions down to the following points:

        1. If I have a domain with one Active Directory site, and inside that site I have multiple VLANs, which subnets should I list in AD Sites and Services: each VLAN subnet, the subnet that includes all of them, or each VLAN subnet plus the one that includes all of them?
        2. If I have an ISA server and clients in multiple VLANs, they are not in the same subnet as the ISA internal IP, so after configuring VLAN routing how can I make the ISA server itself trust them and accept their requests?



        • #5
          Re: AD with multiple Vlans

          4 servers for 1000 users -- seems unlikely
          Do you plan any redundancy of AD?
          (Note also that it is preferred that one of domain controllers (probably the FSMO holder) is physical to allow it to start before the HyperV hosts.)
          If your hosts are Server 2012, why are you using 2008 guests on them?

          HA does not only apply to internet access, but to all server roles.

          Do yourself a favour (and possibly help keep your criminal record clean) and GET A CONSULTANT
          Tom Jones



          • #6
            Re: AD with multiple Vlans

            Ossian,
            Thank God, every project I have joined I have ended by saying "mission done".

            1. 4 physical servers, each with multiple Xeon CPUs and 32 or 64 GB RAM. Actually these servers will be virtualized to build the core: AD, DNS, DHCP and basic roles. Once I have finished them and they pass testing, we will add another 10 physical servers with the same configuration, but we cannot add them right now because they are in the current production network.
            2. Yes, sure, I planned for AD redundancy; I will install 3 additional DCs. And yes, the PDC will be running on a physical server; I didn't mention it in the server count. In addition, when you run Hyper-V Server it starts the virtualization service before the operating system itself, because the hypervisor runs directly on the physical hardware underneath the operating systems. Take into consideration that I am talking about the hypervisor as an embedded system, not Hyper-V as a role in Windows Server.
            3. My hosts aren't Windows Server 2012, but the free embedded hypervisor from Microsoft called Hyper-V Server 2012. It is something like vSphere/ESXi 5.1, but free of cost without any limitations. In addition, it provides new and enhanced features beyond Hyper-V in Windows 2008 R2, such as VM HA and VM live migration; a feature such as Hyper-V HA can be combined with infrastructure clustering to gain two layers of redundancy.
            4. Yes, I plan HA for all roles, but in phase 1 I will implement it for AD by running multiple DCs and DNS services; for all other roles it will come later, with the addition of the 10 servers mentioned.

            Once again, my direct technical questions are:
            1. If I have a domain with one Active Directory site, and inside that site I have multiple VLANs, which subnets should I list in AD Sites and Services: each VLAN subnet, the subnet that includes all of them, or each VLAN subnet plus the one that includes all of them?
            2. If I have an ISA server and clients in multiple VLANs, they are not in the same subnet as the ISA internal IP, so after configuring VLAN routing how can I make the ISA server itself trust them and accept their requests?
            Last edited by new_4_it; 19th January 2013, 23:03.



            • #7
              Re: AD with multiple Vlans

              It would be better if you gave us the same information all the time
              Originally you refer to "4 physical servers which you have virtualised"
              Now you have 4 HyperV hosts running multiple virtual servers, plus your physical DC which is (presumably) FSMO holder.

              Also note there is no such thing as a PDC unless you are still using NT4.
              HyperV Server is just Server 2012 with the HyperV role installed -- no other roles are possible, but other than that it will function just the same.

              Finally, be aware that ISA Server is an old, now deprecated, product.

              I do not think we really have enough information to answer your questions fully, nor do you have enough skills and experience to implement such a network, but that is (fortunately) not my problem.

              With regards to question 1, AD sites are used to group DCs together, and to help clients locate the most appropriate DC. Since you will have only one site, it will not be necessary to put any subnets in ADSS, but if you are possibly thinking of having more sites in the future, you should make sure all the subnets forming your current site are included.
              Tom Jones
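The subnet plan from the first post (10.10.0.0/22 carved into /25 VLANs) and the AD Sites and Services answer above, as an added example that is not code from the thread or from any poster. It computes the eight /25 subnets and models how a client's IP is mapped to a site by the most specific registered subnet, which is why listing both the /22 and the /25s for a single site is harmless, and why the /25s matter once a second site exists. The site names ("HQ", "Branch") and the choice of which VLAN becomes a branch are constructed for illustration.

```python
"""Added example (not code from the thread): carve 10.10.0.0/22 into the
/25 VLAN subnets the original poster plans, and model how AD maps a client
IP to a site by the most specific subnet registered in AD Sites and Services.
Site names ('HQ', 'Branch') are constructed for illustration."""
import ipaddress

SUPERNET = ipaddress.ip_network("10.10.0.0/22")


def carve_vlan_subnets(supernet=SUPERNET, new_prefix=25):
    """Split the supernet into equal subnets (a /22 gives eight /25s)."""
    return list(supernet.subnets(new_prefix=new_prefix))


def usable_hosts(net):
    """Host addresses left after the network and broadcast addresses."""
    return net.num_addresses - 2


def build_site_table(branch_vlan=None):
    """Constructed ADSS table: the /22 and every /25 map to the single site
    'HQ'. Optionally one /25 (given as CIDR text) is moved to a future
    second site, 'Branch'."""
    branch = ipaddress.ip_network(branch_vlan) if branch_vlan else None
    table = {SUPERNET: "HQ"}
    for net in carve_vlan_subnets():
        table[net] = "Branch" if net == branch else "HQ"
    return table


def site_for_address(addr, site_table):
    """Longest-prefix match: the most specific registered subnet containing
    the address decides the site, so a /25 entry overrides the /22 entry."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, site in site_table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


if __name__ == "__main__":
    vlans = carve_vlan_subnets()
    for i, net in enumerate(vlans, start=1):
        print(f"VLAN {i:2d}: {net}  usable hosts: {usable_hosts(net)}")
    print("total usable:", sum(usable_hosts(n) for n in vlans))

    one_site = build_site_table()
    print("10.10.1.5   ->", site_for_address("10.10.1.5", one_site))

    # Later, if one VLAN becomes a branch office, only that /25 changes site;
    # the /22 entry still catches everything else.
    two_sites = build_site_table(branch_vlan="10.10.3.128/25")
    print("10.10.3.200 ->", site_for_address("10.10.3.200", two_sites))
    print("10.10.3.5   ->", site_for_address("10.10.3.5", two_sites))
```

Running it lists the eight /25s from 10.10.0.0/25 to 10.10.3.128/25 with 126 usable hosts each (1008 in total), which is worth checking against the size of each of the six departments before committing to a uniform /25 split.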



              • #8
                Re: AD with multiple Vlans

                Well, I see loads of questions and don't have time to answer them all.

                First of all, ISA is indeed deprecated, but with multiple VLANs you might need to configure static routes. This can be needed for multiple devices depending on your network design.
                About the virtualization, did you take into account that you might need shared storage as well?
                Marcel
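The static-route point above, and the original poster's question of how ISA will accept requests from clients in other VLANs, as an added example that is not code from the thread or from any poster. It is a small model of a host routing table and of a spoof check on the internal interface, not ISA's own code: without a route for 10.10.0.0/22 pointing at the core switch, the ISA host's replies to a department VLAN follow its default route out of the external NIC, and a packet whose source lies outside the ranges defined for the Internal network is not treated as internal. The ISA internal NIC being in 10.10.3.0/25, the core switch address 10.10.3.1, the external next hop 203.0.113.1 and the interface names are all constructed.

```python
"""Added example (not code from the thread): a routing model showing why a
gateway whose NIC sits in one VLAN (the ISA internal NIC in the server VLAN)
needs a static route back to the other VLAN subnets, and why ISA's 'Internal'
network definition has to cover those subnets before their traffic counts as
internal rather than spoofed. Addresses, interface names and next hops are
constructed for illustration."""
import ipaddress


class RouteTable:
    """Minimal host routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # (network, next_hop, interface)

    def add(self, cidr, next_hop, iface):
        self.routes.append((ipaddress.ip_network(cidr), next_hop, iface))

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


def isa_route_table(with_static_route):
    """Constructed ISA host: internal NIC in the server VLAN 10.10.3.0/25,
    default route out of the external NIC towards the PIX (203.0.113.1)."""
    rt = RouteTable()
    rt.add("10.10.3.0/25", "on-link", "Internal")
    rt.add("0.0.0.0/0", "203.0.113.1", "External")
    if with_static_route:
        # Same effect as the persistent Windows route
        #   route add 10.10.0.0 mask 255.255.252.0 10.10.3.1 -p
        # where 10.10.3.1 is the core switch's interface in the server VLAN.
        rt.add("10.10.0.0/22", "10.10.3.1", "Internal")
    return rt


def reply_path(client_ip, with_static_route):
    """(interface, next hop) the ISA host would use to answer a client."""
    route = isa_route_table(with_static_route).lookup(client_ip)
    return (route[2], route[1])


def accepted_as_internal(src_ip, internal_ranges):
    """Model of the spoof check: a packet arriving on the internal NIC is
    only treated as internal if its source lies in one of the address ranges
    that define the Internal network."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in internal_ranges)


if __name__ == "__main__":
    client = "10.10.1.5"  # a client in a department VLAN (constructed)
    print("reply without static route:", reply_path(client, False))
    print("reply with static route:   ", reply_path(client, True))

    narrow = ["10.10.3.0/25"]  # Internal network = server VLAN only
    whole = ["10.10.0.0/22"]   # Internal network = every VLAN behind the core
    print("client accepted (narrow):", accepted_as_internal(client, narrow))
    print("client accepted (whole): ", accepted_as_internal(client, whole))
```

The two checks are independent: the static route fixes the return path, and widening the Internal network's address ranges to the whole /22 fixes the classification; a client in a department VLAN needs both before its requests are answered.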
