I have five AWS servers on a public subnet of a single VPC, each with its own elastic IP address. The subnet is 10.0.0.0/24. One server is a Win2016 domain controller. The remaining four are Win2016 members of that domain.

I'd like to reorganize things a bit, placing a number of the servers on a newly created private subnet, providing them outbound Internet access through a NAT Gateway. The new subnet will be 10.0.1.0/24.

Both subnets live in the same VPC in the same availability zone (Northern California).

One of the servers I plan to move to the private subnet will be the domain controller. The domain controller will naturally have a new IP address when it's restarted in the new subnet. My questions are:

How will the member servers know the new IP address of the domain controller? Is it simply a matter of changing their manual DNS entry to point to the address of the new domain controller or is there more to it than that? Note that neither the name of domain nor the domain controller's name is changing. I'm only moving the domain controller to a newly created subnet in the same VPC, so although the DC's IP will change due to being on a new subnet, everything else remains the same.

Are there configuration changes on the domain controller itself that I'll need to make? In researching this, I ran across some scenarios (not quite like mine) where the domain controller's 'Sites and Services' app needed to be tweaked to inform the DC of new subnets associated with the 'site.' Would this apply to me given that I only have one physical site?

1 Answer

In order to answer this I am assuming that there is free routing between the two private subnets (10.0.0.0/24 & 10.0.1.0/24).

When DNS servers change IP there are some special considerations. All your DNS servers are probably referenced in at least one host's DNS settings (otherwise, that DNS server is a bit redundant). So if you change the IP of a DNS server then you will need to change the DNS settings on those hosts that reference this server. There is no way around this. This change will either be through static configuration or through DHCP.

Domain Controllers are often (but do not have to be) DNS servers. If you change the IP of a DC you only need to consider the DNS change above and update the DNS settings on affected hosts. The servers will automatically update all other relevant entries in the DNS database for you. The exception to this is when a host is configured to access a service using a raw IP rather than a DNS address. Generally, this is best avoided without a very specific reason.

The DCs themselves also have DNS settings, of course, and the affected DCs will also need to have their DNS settings updated. Some DCs point to themselves for DNS and there is much debate about the perfect settings for DC DNS settings. If you have used a loopback address like 127.0.0.1 then this will not need updating, but if the DC points to itself with the 10.0.0.0/24 address then this will need changing in its NIC configuration. I would recommend a reboot of the DCs that change IP.

If you are in one physical location and have free routing between the two subnets then you do not need to change from one site to two, and there is very little you need to change in Sites and Services. Just add the second subnet to the list of subnets for the site.

Daniel K

Thanks, man. Great info. Yes, there's free routing between the subnets, and it looks like the DC's DNS is set to 127.0.0.1 as you predicted. I'll change all the member servers' DNS, move some of them to the new subnet (along with the domain controller), and reboot each one of them, starting with the DC. Thanks again for the help! – Festus Martingale Jun 05 '19 at 23:37
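The steps from the answer (repoint member DNS clients, confirm the DC is found through the new address, register the new subnet with the existing site, and check the DC's own DNS client setting), as an added PowerShell example that is not part of the question or the answer. The IP addresses, domain name and site name are constructed placeholders.

```powershell
# Constructed placeholder values (assumptions, not taken from the post):
$OldDcIp  = '10.0.0.10'              # assumed old DC address on 10.0.0.0/24
$NewDcIp  = '10.0.1.10'              # assumed new DC address on 10.0.1.0/24
$Domain   = 'corp.example'           # placeholder AD domain name
$SiteName = 'Default-First-Site-Name' # default single-site name in AD

# --- Run on each member server: repoint the DNS client to the relocated DC ---
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$current = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
if ($current -contains $OldDcIp) {
    # Only the DNS client setting changes; domain and DC names stay the same.
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $NewDcIp
    Register-DnsClient   # re-register this host's A record with the DNS server
}

# --- Verify the member can locate the DC via the new address (SRV lookup + locator) ---
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $NewDcIp
nltest /dsgetdc:$Domain /force

# --- Run on the DC after its reboot ---
Import-Module ActiveDirectory

# Add the new subnet to the existing site; a second site is not needed (one location, free routing).
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '10.0.1.0/24'")) {
    New-ADReplicationSubnet -Name '10.0.1.0/24' -Site $SiteName
}

# The DC's own DNS client: 127.0.0.1 survives the move, a 10.0.0.x entry would not.
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses

# Re-register the DC's SRV/A records and run the DNS diagnostics for the domain.
nltest /dsregdns
dcdiag /test:DNS /v
```

Any host that still has a 10.0.0.x DNS server entry, or reaches the DC by raw IP instead of name, is what the `Get-DnsClientServerAddress` and `Resolve-DnsName` checks are meant to surface.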