#1 |
|
Guest
Posts: n/a
|
Do subnets in AD/Sites & Services affect TCP/IP routing informat

or a better question might be: Do I need to tell Sites and Services what my network REALLY looks like or can I tell S&S how I want my network to be treated?

Background: 2 Sites, Fishkill and Cold Springs have been connected via VPN over the internet with firewall appliances on each end. Each location has a T1 that is used for web traffic and the VPN between sites.

Fishkill is 10.0.0.0/24 and Cold Springs is 10.0.1.0/24. Both sites have 2 DCs that replicate over the VPN. A bridgehead server at each location communicates to the other site via IP and then RPC locally. The firewall appliance does the routing from 10.0.1.0 to 10.0.0.0 and back again. AD DNS is set up as internal.acme.com, there is NO fishkill.internal.acme.com or coldsprings.internal.acme.com.

Sites and Services has 2 sites: Fishkill 10.0.0.0/24 and Cold Springs 10.0.1.0/24

We're now upgrading data lines and have procured a 10 meg layer 2 pipe from Fishkill to Cold Springs. This connection plugs right into our main switches at each location, no VLAN tagging. It has no other traffic on it, it's not a shared internet connection, it is just for our internal traffic. It's not routed, push a frame in and it pops out the other side.

With this connection plugged in at both ends, it still does not get used, obviously, for traffic going from one site to another; the default route does get used. That's because 10.0.0.1/24 is on a different subnet than 10.0.1.1/24, so off the packet goes to the default route, the firewall/VPN.

Now if I change the mask of all my devices to a /16 or 255.255.0.0 and take down the VPN they could all talk to each other just fine over the 10 meg pipe. They would all be on the same subnet connected over a not too terribly slow connection.

It would still be best if XP Pro clients in Fishkill used the DCs in their location and Cold Springs used their DCs with fail over between the two sites.

What is the best approach for AD S&S with this sort of network change? Do I make no changes at all in S&S so the closest DCs are used in the correct order despite the fact that the actual network subnetting has changed?

I suppose I could set up fishkill.internal.acme.com and coldsprings.internal.acme.com and from what I've read this can be a metric used in determining the closest DC to use. Then put them all in the same site, but I would like to keep separate sites in S&S if it's ok. But sites are not supposed to share subnets.

What do you think? Is it ok to trick S&S a little and tell it that 10.0.0.0 and 10.0.1.0 are on 2 different subnets when they're really not?

Thanks,
Bill
|
|
|
#2 |
|
Guest
Posts: n/a
|
Re: Do subnets in AD/Sites & Services affect TCP/IP routing informat

No. Not at all.

"AlliedSupremeCommander" wrote in message news:...
> or a better question might be: Do I need to tell Sites and Services what my network REALLY looks like or can I tell S&S how I want my network to be treated?

You MAY tell Sites and Services how you want your network to be treated but this is almost always either identical to the "real" network or at least functionally equivalent.

> Background: 2 Sites, Fishkill and Cold Springs have been connected via VPN over the internet with firewall appliances on each end. Each location has a T1 that is used for web traffic and the VPN between sites.
>
> Fishkill is 10.0.0.0/24 and Cold Springs is 10.0.1.0/24. Both sites have 2 DCs that replicate over the VPN. A bridgehead server at each location communicates to the other site via IP and then RPC locally. The firewall appliance does the routing from 10.0.1.0 to 10.0.0.0 and back again. AD DNS is set up as internal.acme.com, there is NO fishkill.internal.acme.com or coldsprings.internal.acme.com.
>
> Sites and Services has 2 sites: Fishkill 10.0.0.0/24 and Cold Springs 10.0.1.0/24
>
> We're now upgrading data lines and have procured a 10 meg layer 2 pipe from Fishkill to Cold Springs. This connection plugs right into our main switches at each location, no VLAN tagging. It has no other traffic on it, it's not a shared internet connection, it is just for our internal traffic. It's not routed, push a frame in and it pops out the other side.
>
> With this connection plugged in at both ends, it still does not get used, obviously, for traffic going from one site to another; the default route does get used. That's because 10.0.0.1/24 is on a different subnet than 10.0.1.1/24, so off the packet goes to the default route, the firewall/VPN.
>
> Now if I change the mask of all my devices to a /16 or 255.255.0.0 and take down the VPN they could all talk to each other just fine over the 10 meg pipe. They would all be on the same subnet connected over a not too terribly slow connection.
>
> It would still be best if XP Pro clients in Fishkill used the DCs in their location and Cold Springs used their DCs with fail over between the two sites.
>
> What is the best approach for AD S&S with this sort of network change? Do I make no changes at all in S&S so the closest DCs are used in the correct order despite the fact that the actual network subnetting has changed?
>
> I suppose I could set up fishkill.internal.acme.com and coldsprings.internal.acme.com and from what I've read this can be a metric used in determining the closest DC to use. Then put them all in the same site, but I would like to keep separate sites in S&S if it's ok. But sites are not supposed to share subnets.
>
> What do you think? Is it ok to trick S&S a little and tell it that 10.0.0.0 and 10.0.1.0 are on 2 different subnets when they're really not?
>
> Thanks,
> Bill
|
|
|
#4 |
|
Guest
Posts: n/a
|
Re: Do subnets in AD/Sites & Services affect TCP/IP routing informat

This setup will cause the replication traffic to be the same; however, if you change the subnet mask on your devices they have no way of determining which site they belong to and they can try any DC to log on to, even the ones in a different site.

You could configure your bridgehead servers to run RRAS and keep your subnet setup as is. It does create a single point of failure on the bridgehead server if routing would go down.

WKR
Nick Dewitte

"AlliedSupremeCommander" wrote in message news:...
> or a better question might be: Do I need to tell Sites and Services what my network REALLY looks like or can I tell S&S how I want my network to be treated?
>
> Background: 2 Sites, Fishkill and Cold Springs have been connected via VPN over the internet with firewall appliances on each end. Each location has a T1 that is used for web traffic and the VPN between sites.
>
> Fishkill is 10.0.0.0/24 and Cold Springs is 10.0.1.0/24. Both sites have 2 DCs that replicate over the VPN. A bridgehead server at each location communicates to the other site via IP and then RPC locally. The firewall appliance does the routing from 10.0.1.0 to 10.0.0.0 and back again. AD DNS is set up as internal.acme.com, there is NO fishkill.internal.acme.com or coldsprings.internal.acme.com.
>
> Sites and Services has 2 sites: Fishkill 10.0.0.0/24 and Cold Springs 10.0.1.0/24
>
> We're now upgrading data lines and have procured a 10 meg layer 2 pipe from Fishkill to Cold Springs. This connection plugs right into our main switches at each location, no VLAN tagging. It has no other traffic on it, it's not a shared internet connection, it is just for our internal traffic. It's not routed, push a frame in and it pops out the other side.
>
> With this connection plugged in at both ends, it still does not get used, obviously, for traffic going from one site to another; the default route does get used. That's because 10.0.0.1/24 is on a different subnet than 10.0.1.1/24, so off the packet goes to the default route, the firewall/VPN.
>
> Now if I change the mask of all my devices to a /16 or 255.255.0.0 and take down the VPN they could all talk to each other just fine over the 10 meg pipe. They would all be on the same subnet connected over a not too terribly slow connection.
>
> It would still be best if XP Pro clients in Fishkill used the DCs in their location and Cold Springs used their DCs with fail over between the two sites.
>
> What is the best approach for AD S&S with this sort of network change? Do I make no changes at all in S&S so the closest DCs are used in the correct order despite the fact that the actual network subnetting has changed?
>
> I suppose I could set up fishkill.internal.acme.com and coldsprings.internal.acme.com and from what I've read this can be a metric used in determining the closest DC to use. Then put them all in the same site, but I would like to keep separate sites in S&S if it's ok. But sites are not supposed to share subnets.
>
> What do you think? Is it ok to trick S&S a little and tell it that 10.0.0.0 and 10.0.1.0 are on 2 different subnets when they're really not?
>
> Thanks,
> Bill
|
|
|
#6 |
|
Guest
Posts: n/a
|
Re: Do subnets in AD/Sites & Services affect TCP/IP routing info

Thanks for the replies guys..

It's my understanding that the clients will, among other things, look for SRV records in the DNS for a match that is as close as it can resolve to, so:

Would a client machine, vinniebagodounuts.fishkill.internal.acme.com look for the nearest DC and consider server1.fishkill.internal.acme.com a closer match than server1.coldsprings.internal.acme.com?

Or is it the other way? Does the fact that both the client and its nearest DC are both on 10.0.X.0 take precedence over the FQDN?

Would a client in the 10.0.1.0 subnet consider a DC in 10.0.0.0 or a DC in 10.0.1.0 to be equal candidates because of the 255.255.0.0 subnet mask?

(I think I finally found the question I wanted to ask)

Thanks again,
Bill

"Nick Dewitte" wrote:
> This setup will cause the replication traffic to be the same; however, if you change the subnet mask on your devices they have no way of determining which site they belong to and they can try any DC to log on to, even the ones in a different site.
>
> You could configure your bridgehead servers to run RRAS and keep your subnet setup as is. It does create a single point of failure on the bridgehead server if routing would go down.
>
> WKR
> Nick Dewitte
>
> "AlliedSupremeCommander" wrote in message news:...
> > or a better question might be: Do I need to tell Sites and Services what my network REALLY looks like or can I tell S&S how I want my network to be treated?
> >
> > Background: 2 Sites, Fishkill and Cold Springs have been connected via VPN over the internet with firewall appliances on each end. Each location has a T1 that is used for web traffic and the VPN between sites.
> >
> > Fishkill is 10.0.0.0/24 and Cold Springs is 10.0.1.0/24. Both sites have 2 DCs that replicate over the VPN. A bridgehead server at each location communicates to the other site via IP and then RPC locally. The firewall appliance does the routing from 10.0.1.0 to 10.0.0.0 and back again. AD DNS is set up as internal.acme.com, there is NO fishkill.internal.acme.com or coldsprings.internal.acme.com.
> >
> > Sites and Services has 2 sites: Fishkill 10.0.0.0/24 and Cold Springs 10.0.1.0/24
> >
> > We're now upgrading data lines and have procured a 10 meg layer 2 pipe from Fishkill to Cold Springs. This connection plugs right into our main switches at each location, no VLAN tagging. It has no other traffic on it, it's not a shared internet connection, it is just for our internal traffic. It's not routed, push a frame in and it pops out the other side.
> >
> > With this connection plugged in at both ends, it still does not get used, obviously, for traffic going from one site to another; the default route does get used. That's because 10.0.0.1/24 is on a different subnet than 10.0.1.1/24, so off the packet goes to the default route, the firewall/VPN.
> >
> > Now if I change the mask of all my devices to a /16 or 255.255.0.0 and take down the VPN they could all talk to each other just fine over the 10 meg pipe. They would all be on the same subnet connected over a not too terribly slow connection.
> >
> > It would still be best if XP Pro clients in Fishkill used the DCs in their location and Cold Springs used their DCs with fail over between the two sites.
> >
> > What is the best approach for AD S&S with this sort of network change? Do I make no changes at all in S&S so the closest DCs are used in the correct order despite the fact that the actual network subnetting has changed?
> >
> > I suppose I could set up fishkill.internal.acme.com and coldsprings.internal.acme.com and from what I've read this can be a metric used in determining the closest DC to use. Then put them all in the same site, but I would like to keep separate sites in S&S if it's ok. But sites are not supposed to share subnets.
> >
> > What do you think? Is it ok to trick S&S a little and tell it that 10.0.0.0 and 10.0.1.0 are on 2 different subnets when they're really not?
> >
> > Thanks,
> > Bill
|
|
|
#8 |
|
Guest
Posts: n/a
|
Re: Do subnets in AD/Sites & Services affect TCP/IP routing informat

nope...sites and subnets are used to locate services on servers that are as near as possible to the client that requests the service

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!

"AlliedSupremeCommander" wrote in message news:...
> or a better question might be: Do I need to tell Sites and Services what my network REALLY looks like or can I tell S&S how I want my network to be treated?
>
> Background: 2 Sites, Fishkill and Cold Springs have been connected via VPN over the internet with firewall appliances on each end. Each location has a T1 that is used for web traffic and the VPN between sites.
>
> Fishkill is 10.0.0.0/24 and Cold Springs is 10.0.1.0/24. Both sites have 2 DCs that replicate over the VPN. A bridgehead server at each location communicates to the other site via IP and then RPC locally. The firewall appliance does the routing from 10.0.1.0 to 10.0.0.0 and back again. AD DNS is set up as internal.acme.com, there is NO fishkill.internal.acme.com or coldsprings.internal.acme.com.
>
> Sites and Services has 2 sites: Fishkill 10.0.0.0/24 and Cold Springs 10.0.1.0/24
>
> We're now upgrading data lines and have procured a 10 meg layer 2 pipe from Fishkill to Cold Springs. This connection plugs right into our main switches at each location, no VLAN tagging. It has no other traffic on it, it's not a shared internet connection, it is just for our internal traffic. It's not routed, push a frame in and it pops out the other side.
>
> With this connection plugged in at both ends, it still does not get used, obviously, for traffic going from one site to another; the default route does get used. That's because 10.0.0.1/24 is on a different subnet than 10.0.1.1/24, so off the packet goes to the default route, the firewall/VPN.
>
> Now if I change the mask of all my devices to a /16 or 255.255.0.0 and take down the VPN they could all talk to each other just fine over the 10 meg pipe. They would all be on the same subnet connected over a not too terribly slow connection.
>
> It would still be best if XP Pro clients in Fishkill used the DCs in their location and Cold Springs used their DCs with fail over between the two sites.
>
> What is the best approach for AD S&S with this sort of network change? Do I make no changes at all in S&S so the closest DCs are used in the correct order despite the fact that the actual network subnetting has changed?
>
> I suppose I could set up fishkill.internal.acme.com and coldsprings.internal.acme.com and from what I've read this can be a metric used in determining the closest DC to use. Then put them all in the same site, but I would like to keep separate sites in S&S if it's ok. But sites are not supposed to share subnets.
>
> What do you think? Is it ok to trick S&S a little and tell it that 10.0.0.0 and 10.0.1.0 are on 2 different subnets when they're really not?
>
> Thanks,
> Bill
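
An added illustration, not part of the thread: a simplified Python model of the lookup the last reply describes, next to the separate TCP/IP on-link decision that the client's own mask controls. The site lookup takes only the client's IP address and the subnet objects defined in AD Sites and Services, choosing the most specific match. Assumptions: site names are written without spaces, the client addresses are constructed, and the SRV name follows the standard `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` form.

```python
import ipaddress

# Constructed model of the subnet objects in AD Sites and Services.
# Prefixes come from the thread; site names without spaces are an assumption.
AD_SUBNETS = {
    "10.0.0.0/24": "Fishkill",
    "10.0.1.0/24": "ColdSprings",
}


def site_for_client(client_ip, ad_subnets=AD_SUBNETS):
    """Return the site of the most specific AD subnet object containing client_ip.

    Only the client's IP address is an input; the mask configured on the
    client's adapter is never consulted. Returns None when no subnet object
    matches, in which case the client is not steered to any particular site.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in ad_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def on_link(host_ip, host_mask, peer_ip):
    """TCP/IP view: does the host treat peer_ip as directly reachable,
    that is, without handing the packet to its default gateway?"""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return ipaddress.ip_address(peer_ip) in iface.network


def srv_query_name(site, domain="internal.acme.com"):
    """DNS name used to find DCs: site-specific when a site is known,
    domain-wide otherwise."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


if __name__ == "__main__":
    client, remote_dc = "10.0.1.50", "10.0.0.10"  # constructed addresses

    # Widening the host mask changes routing (the peer becomes on-link) ...
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, "on-link:", on_link(client, mask, remote_dc),
              "site:", site_for_client(client))

    # ... but the site lookup is unchanged, so the client still asks DNS
    # for DCs registered in its own site first.
    print(srv_query_name(site_for_client(client)))

    # An address covered by no subnet object maps to no site.
    print(site_for_client("10.0.2.15"), srv_query_name(None))

    # Collapsing the AD subnet objects into one /16 is what would put
    # every client into a single site.
    print(site_for_client(client, {"10.0.0.0/16": "Fishkill"}))
```
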
|
|
|