1

Some background: We are about to move a customer's server to our facilities, but as that server is a DC, I see some issues with that.

The two sites will be connected with a VPN tunnel. The server will get an IP in the 10.0.0.0/30 (or something similar) subnet, while the clients are in a 192.168.100.X/24 subnet (will be changed from 192.168.1.X/24).

Anything I should think about? Is this some huge operation to do, or is it quite simple?

I think that as long as the DC remains the primary DNS for the clients, it doesn't really matter what IP it gets?

Frederik
  • Out of curiosity will there still be a DC on the customer site? I am just thinking about login traffic being redirected over the VPN pipe. I just reread the question and it looks like you will be sending DNS traffic as well. Does the DC also do DHCP for the customer? – TopHat Aug 16 '12 at 11:35
  • No, there won't be any DC on the customer site after the server has been moved. Yes, DNS traffic will be sent to the DC too (which will be through the VPN). Right now, the DC does the DHCP, but that is not a problem to change, as I will be putting up some new hardware to control the VPN etc, so that will do the DHCP. – Frederik Aug 16 '12 at 11:46
  • I must be getting old...5 computers? I see no reason for AD or a server at all. – TheCleaner Aug 16 '12 at 14:46
  • @TheCleaner - Centralized management of printers, shares etc. The server also runs some dentist programs, so it is definitely needed. – Frederik Aug 16 '12 at 14:54

2 Answers

4

You should really consider leaving the DC in the current site. Without a DC at the physical site, you will need to pass all authentication/DNS/DHCP traffic across your VPN pipe. If it is slow or down, you will have major issues. Moving it can work and you can tweak where the clients will look for DCs (AD Sites & Subnets MMC), but it's recommended to have a local DC at the physical site.

Out of curiosity, why are you moving the DC? If you are concerned about the security of the DC, you could always replace it with an RODC.

HostBits
  • You are almost right about the traffic, although I am going to use a local DHCP server instead of the one on the DC. The reason for moving it is because we want it to run on our VMware cluster, instead of the customer's hardware. The amount of traffic (authentication & DNS) won't be that much, as the customer is a small dentist clinic, with only 5 computers. – Frederik Aug 16 '12 at 13:54
  • @FrederikNielsen ah, then with such a small site, it will not likely cause issues to move it. As stated above, check into AD Sites & Subnets MMC to make sure you add the 10.0.10.X/24 subnet to the logical site of that customer. – HostBits Aug 16 '12 at 13:57
  • Also my thoughts. For large sites, I would always use at least one local DC. Should I add both the clients' subnet and the server's local subnet in the Sites & Subnets MMC? – Frederik Aug 16 '12 at 14:00
  • @FrederikNielsen yes, add both the new Server subnet, and the new Client subnet to the existing Site. – HostBits Aug 16 '12 at 14:05

1

No problem as presented - I would definitely review "Sites and Subnets" afterwards and make sure that reflects the new environment, which will be important if a new DC is added to the customer site instead of the colo.

mfinni
  • Thanks for your reply. When reviewing the "Subnets", I see that the current one is there (192.168.1.0) - should I just add the 192.168.100.0/24 and the 10.0.0.0/30 subnets in there? No DC will be added on the customer site. – Frederik Aug 16 '12 at 13:58
  • Yes, that's my point. Add/remove subnets to reflect reality, and associate them with the correct sites. I know you say that there will be no DCs on the customer site, but that's the *current* plan. Things can change, and you should allow for future changes so that a future admin will not be cursing you out. – mfinni Aug 16 '12 at 14:18
  • When you say "associate them with the correct sites", I want to say that I only have one site in the AD. Should I have two? There definitely won't be a DC on the customer site, as this is just a small dentist clinic, so no need for that many servers. – Frederik Aug 16 '12 at 14:22
  • You've got one site today, that's the customer site. You're going to have two - the colo and the customer site. Each will have an associated subnet. Only one will have the DC in it. – mfinni Aug 16 '12 at 14:38
  • Okay. Of what importance is it that this is done? I mean, will everything break if it is not done properly, or? – Frederik Aug 16 '12 at 14:46
  • I'm going to repeat my earlier comment, and further suggest that if you're not familiar with these very basic AD concepts, you do some research. *"I know you say that there will be no DCs on the customer site, but that's the current plan. Things can change, and you should allow for future changes so that a future admin will not be cursing you out. "* – mfinni Aug 16 '12 at 15:35
  • I really doubt that things will change regarding the customer site - but anyways, it is a good idea to allow for future changes. I am doing some research - that's why I created this question :-) – Frederik Aug 16 '12 at 16:43
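The Sites & Subnets work that both answers recommend (HostBits: add the new server and client subnets; mfinni: create a second site, one per location, and put the DC's server object in the colo site) can be scripted with the ActiveDirectory module instead of clicking through the MMC. The following is an added example, not code from the question or either answer. It assumes the existing single site still carries the default name "Default-First-Site-Name", that the DC's hostname is DC01, and that the site and site-link names "Colo" and "Colo-Customer" are hypothetical; it is run from an elevated PowerShell prompt as a Domain Admin on a machine with RSAT installed. One caveat worth noting before you pick the server subnet: a /30 has only two usable host addresses, one for the DC and one for the gateway, so there is no room for a second server in it later.

```powershell
# Added example: reshape AD Sites and Services for a DC moved to a colo.
# Assumptions (hypothetical names): existing site 'Default-First-Site-Name',
# new site 'Colo', site link 'Colo-Customer', DC hostname 'DC01'.
Import-Module ActiveDirectory

$customerSite = 'Default-First-Site-Name'   # the clinic's existing site (assumed name)
$coloSite     = 'Colo'                      # hypothetical name for the new colo site
$dcName       = 'DC01'                      # hypothetical hostname of the moved DC

# 1. Second site for the colo, plus a site link so a future clinic DC
#    (mfinni's point) replicates over the VPN on a known schedule.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$coloSite'")) {
    New-ADReplicationSite -Name $coloSite
}
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'Colo-Customer'")) {
    New-ADReplicationSiteLink -Name 'Colo-Customer' `
        -SitesIncluded $coloSite, $customerSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 2. Subnets from the question, each associated with the site it belongs to.
#    10.0.0.0/30 has exactly two usable hosts: the DC and the VPN gateway.
$subnets = @{
    '192.168.100.0/24' = $customerSite   # new client subnet at the clinic
    '10.0.0.0/30'      = $coloSite       # DC's subnet in the colo
}
foreach ($cidr in $subnets.Keys) {
    $existing = Get-ADReplicationSubnet -Filter "Name -eq '$cidr'"
    if ($existing) {
        Set-ADReplicationSubnet -Identity $cidr -Site $subnets[$cidr]
    } else {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# 3. Retire the old 192.168.1.0/24 entry once the clinic has been renumbered,
#    so the subnet list reflects reality (leave it until then).
Remove-ADReplicationSubnet -Identity '192.168.1.0/24' -Confirm:$false -ErrorAction SilentlyContinue

# 4. Move the DC's server object out of the clinic site into the colo site.
Move-ADDirectoryServer -Identity $dcName -Site $coloSite

# 5. Verify the mapping: every subnet should list a site, and the DC should
#    now sit under the colo site.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Identity $dcName | Select-Object HostName, Site

# 6. From a clinic workstation (post-move): confirm it resolves its own site
#    and still locates the DC over the VPN. With no DC in the clinic site,
#    automatic site coverage makes DC01 register the clinic site's SRV records.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /force
Resolve-DnsName -Type SRV "_ldap._tcp.$customerSite._sites.dc._msdcs.$env:USERDNSDOMAIN"
```

The check in step 6 is the one that answers the question's DNS worry: the DC's new IP only has to be whatever the SRV and A records in the `_msdcs` zone say it is, which the DC re-registers itself via dynamic DNS after it restarts with the new address, so the clinic's new DHCP server must hand out the DC's colo IP as DNS option 006 and nothing else. If `nltest /dsgetsite` returns the wrong site, the workstation's IP is not inside any subnet object you defined, which is exactly the condition both answers warn about.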