
While assigning subnets to a single server on a single site, I am not sure which way to properly create the subnet.

Example: If I have a single DHCP Scope of 10.190.8.0/21 (addresses 10.190.8.1 to 10.190.15.254), what would the proper "Best Practice" way be of adding this scope into the Server 2019 AD subnets?

Should I add just a single subnet of 10.190.8.0/21, or should I create 10.190.8.0/24 followed by 10.190.9.0/24 followed by 10.190.10.0/24, etc., until I get to 10.190.15.0/24?

What are the repercussions of doing it one way versus the other? If a single subnet would cover it, my major questions would be:

  • will clients in 10.190.9.x through 10.190.15.x still be able to communicate and "find" their AD "Site" correctly?
  • if I use Symantec GHOST v3.3 across this subnet (meaning 200 clients broadcasting at the same time during the ghost session), would there be any issues?

Thanks in advance for your time!

Edit:

@law29 - Hopefully the below clears it up. All users have separate logins. Standard textbook AD configuration and login, but we have lots of devices, so the scopes are large to avoid IP exhaustion, especially on wireless devices.

@joeqwerty - We actually have five separate 2019 Domain Controllers on five separate sites:

  • Site #1 DC - IP=10.190.1.18
  • Site #2 DC - IP=10.191.1.11
  • Site #3 DC - IP=10.192.1.13
  • Site #4 DC - IP=10.193.1.10
  • Site #5 DC - IP=10.194.1.15

Site #1 DHCP Scopes:

  • 10.190.8.0/21 - Student Devices (Hardwired)
  • 10.190.30.0/23 - Staff Devices (Hardwired)
  • 10.190.50.0/23 - Maintenance HVAC Devices
  • 10.190.96.0/21 - Wireless Devices

Site #2 DHCP Scopes:

  • 10.191.8.0/21 - Student Devices
  • 10.191.30.0/23 - Staff Devices
  • 10.191.50.0/23 - Maintenance HVAC Devices

Etc, etc. All those DHCP Scopes = our subnets exactly. Each Building routes into an HP 5412 core router using OSPF. Below is a section of what's in our Site 1 HP Core router:

vlan 10
   name "Student-VLAN"
   untagged A11,C10,C12,C22,D9-D10
   tagged A12,Trk3,Trk5,Trk7-Trk14
   ip address 10.190.8.1 255.255.248.0
   ip igmp
   ip ospf 10.190.8.1 area backbone
   ip pim-sparse
      ip-addr any

vlan 30
   name "Staff"
   untagged A13-A17,A20,C4-C5,C8-C9,C11,C13-C21,D15
   tagged A12,Trk3,Trk5,Trk7-Trk14
   ip address 10.190.30.1 255.255.254.0
   ip igmp
   ip ospf 10.190.30.1 area backbone
   ip pim-sparse
      ip-addr any

So if, for example, I create a new subnet in AD S&S for the 10.190.8.0/21 DHCP scope (or router VLAN), would I use a single subnet in AD S&S called 10.190.8.0/21, or would I have to enter 10.190.8.0/24, 10.190.9.0/24, 10.190.10.0/24, etc.?

I hope I've explained it better.

Brian
  • Just to be clear: you wish to be able to support up to 2045 DHCP clients? All in the same company, in the same physical space? In a zero-trust environment or with things like file servers open to clients from specific departments? – Law29 Jun 09 '20 at 20:58
  • I think Site#2 is 10.191.8.0/21 and not 10.190.8.0/21, right? Edited (and a lot of other small things to make readable) – Law29 Jun 12 '20 at 22:33

1 Answer


You're mixing a few things together that aren't really directly related.

If all of your domain joined clients are in the 10.190.8.0/21 network then just add that to ADS&S. If at some point you subnet the 10.190.8.0/21 network into /24 subnets and you deploy Domain Controllers in those subnets then you can reconfigure ADS&S accordingly. That being said, ADS&S isn't directly related to your DHCP scope. You put subnets in ADS&S as a means of allowing domain clients to find the DC (and other site aware services) that are closest to them. This also has to do with how your network is routed. If you have a site where domain clients exist but has no DC then you would add that subnet to the site you want them to have an affinity with so as to optimize their network traffic to and from the DC. In general, you want them to have affinity with the site that has the fastest, lowest latency, and most stable/reliable network link.

If you only have a single site and a single DC, then it really doesn't matter how you do it. It's not going to have any effect on anything. All of the domain joined clients are going to communicate with this one DC, no matter what network or subnet they're on.

As far as Symantec Ghost is concerned, that doesn't have any bearing on how you configure ADS&S. One doesn't have any effect on the other. What does matter is how much Ghost traffic you want on your network. If there's a lot of broadcast traffic related to Ghost then you might want to partition your physical network and subnet the 10.190.8.0/21 network to reduce the amount of broadcast traffic on any one subnet. The Ghost broadcast traffic would only be seen on the subnet that the Ghost server is on. If Ghost doesn't use broadcast traffic methods then it doesn't matter. It's just another host on your network.

And finally, the size of the network doesn't determine how much actual broadcast traffic is on the network. A larger network allows for more hosts, and for potentially more broadcast traffic, but if you only have 100 hosts then you only have 100 hosts worth of broadcast traffic, regardless of the size of the network. The network itself doesn't generate traffic, the hosts on the network generate traffic.

joeqwerty
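The following is an added example, not code from the question or from joeqwerty's answer. It creates one AD Sites and Services subnet per routed network (the DHCP scopes listed in the question) and then checks, without touching a DC, which site a client address would be mapped to. The site names 'Site1' and 'Site2' and the client address 10.190.12.37 are hypothetical; it assumes the ActiveDirectory RSAT module is installed and that the account may create site and subnet objects.

```powershell
# Added example, not code from the original post or the answer.
# Assumes: ActiveDirectory RSAT module present, rights to create site/subnet
# objects, hypothetical site names 'Site1'/'Site2'. The CIDRs are the DHCP
# scopes the question lists; they are entered as-is, one object per routed network.
Import-Module ActiveDirectory

$siteSubnets = @{
    'Site1' = @('10.190.8.0/21', '10.190.30.0/23', '10.190.50.0/23', '10.190.96.0/21')
    'Site2' = @('10.191.8.0/21', '10.191.30.0/23', '10.191.50.0/23')
}

foreach ($site in $siteSubnets.Keys) {
    if (-not (Get-ADReplicationSite -Identity $site -ErrorAction SilentlyContinue)) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $siteSubnets[$site]) {
        # The subnet object's name is the CIDR itself, so -Identity looks it up directly.
        if (-not (Get-ADReplicationSubnet -Identity $cidr -ErrorAction SilentlyContinue)) {
            New-ADReplicationSubnet -Name $cidr -Site $site -Description "Matches DHCP scope $cidr"
        }
    }
}

# Offline model of the DC locator's site lookup: the subnet object with the
# longest matching prefix wins. A single /21 therefore covers every client in
# 10.190.8.x through 10.190.15.x; nothing has to be split into /24s.
function ConvertTo-IPv4Int([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-AdSiteForClient([string]$ClientIp, [hashtable]$SiteSubnets) {
    $ipInt = ConvertTo-IPv4Int $ClientIp
    $best = $null
    foreach ($site in $SiteSubnets.Keys) {
        foreach ($cidr in $SiteSubnets[$site]) {
            $net, $prefix = $cidr.Split('/')
            $prefix = [int]$prefix
            # Network mask as an integer: 2^32 minus 2^(host bits), e.g. /21 -> 0xFFFFF800
            $mask = [long](4294967296 - [math]::Pow(2, 32 - $prefix))
            if (($ipInt -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)) {
                if (($null -eq $best) -or ($prefix -gt $best.Prefix)) {
                    $best = [pscustomobject]@{ Site = $site; Subnet = $cidr; Prefix = $prefix }
                }
            }
        }
    }
    # $null means no subnet object covers the client; the DC logs it as NO_CLIENT_SITE
    return $best
}

# Constructed client address inside the Student /21: maps to Site1 via 10.190.8.0/21.
Get-AdSiteForClient -ClientIp '10.190.12.37' -SiteSubnets $siteSubnets

# If a more specific subnet object is added later, it takes precedence (longest prefix),
# so splitting into /24s only changes anything once those /24s point at different sites.
$siteSubnets['Site1'] += '10.190.12.0/24'
Get-AdSiteForClient -ClientIp '10.190.12.37' -SiteSubnets $siteSubnets

# Live check from a domain-joined client: prints the site it actually resolved to.
nltest /dsgetsite
```

Two checks worth running after adding the subnet objects: `nltest /dsgetsite` on a client in each scope should print the expected site, and on each DC the NETLOGON event 5807 (and the NO_CLIENT_SITE entries in %SystemRoot%\debug\netlogon.log) lists clients whose addresses fall outside every subnet object, which is the symptom of a scope that was never added to ADS&S.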