
Multiple subnets on a single domain


11 replies to this topic

#1 hispaladin

hispaladin

  • Members
  • 245 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of a corn field
  • Local time:06:16 PM

Posted 10 May 2013 - 11:47 AM

Here is my situation: I have a main network at our main office with a Sonicwall TZ200 router that connects to 8 remote locations via VPN that have Sonicwall TZ100 routers. Each remote location has its own subnet and the router at the location is handing out the IP addresses. We want to keep them on their own subnets and still bring them into the domain. So far I haven't done anything to get this started, as I want to know what I am doing before I get started and possibly screw something up. I am fairly sure that it is doable and would not be all that hard, but if I just start going for it and don't know what I am doing first it could cause me some real headaches. I know that it will require some routing policies and probably some other policies to get everything to talk correctly. Where should I start?




#2 chrisd87

chrisd87

  • Members
  • 811 posts
  • OFFLINE
  • Gender:Male
  • Location:NC
  • Local time:07:16 PM

Posted 10 May 2013 - 03:41 PM

Each location should have a local unique subnet in private IP address space.

Interconnect using VPN.

Usually done using IPsec VPN.

Start with the main location and one remote.

Then follow with the others when the first is running OK.

"Like car accidents, most hardware problems are due to driver ɹoɹɹǝ."

 


#3 hispaladin

hispaladin
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of a corn field
  • Local time:06:16 PM

Posted 13 May 2013 - 08:47 AM

Well, that much is already done. All the locations are on their own subnets and they are all connected using VPN. I know the connection is good, as all the locations can hit the server using the local IP address; it just requires the credentials to be entered when the drive is connected, which is not that big of a deal, but we are looking to bring them into the domain. I can also hit any remote location machine using its local IP. The connection isn't the problem; I am just wanting to know if there will be a problem getting to the domain through the VPN. I know that if I want to hit the server I can't use the server name (\\servername\share); I have to use the IP and share (\\192.168.1.1\share). Will this cause a problem when trying to connect to the domain?



#4 chrisd87

chrisd87

  • Members
  • 811 posts
  • OFFLINE
  • Gender:Male
  • Location:NC
  • Local time:07:16 PM

Posted 13 May 2013 - 02:03 PM

If you can't access the server by using the server name, then you might want to get the DNS situation resolved first before you start connecting to the domain.


"Like car accidents, most hardware problems are due to driver ɹoɹɹǝ."

 


#5 hispaladin

hispaladin
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of a corn field
  • Local time:06:16 PM

Posted 13 May 2013 - 03:51 PM

Right, now one question I have is how do I do this without pointing all DNS requests through the VPN? If I can avoid it I would rather not point all internet access through the VPN, or even have to point all the locations to the main office for DNS. Would this be the case, or can I just tell it to look through the VPN when it needs to (I hope what I am asking makes sense)?



#6 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,135 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:07:16 PM

Posted 13 May 2013 - 05:48 PM

You need to program your VPN routers for your DNS server and the other subnets. Have ALL your computers assigned, either through DHCP or static, your DNS server's address. When the computers are members of the domain, the DNS server stores the DNS records for all the computer names in its domain; domain users log into a computer and they are authenticated by the domain controller and granted or denied permissions set by Group Policy. When a DNS request is generated it is sent to your DNS server; if the name does not lie on your network, it's forwarded to an outside DNS server (generally your ISP or Google public DNS). You do not have to route all Internet traffic over the VPN: when the DNS is resolved by your DNS server, the VPN router will recognize what traffic needs to be routed over the VPN by its IP address. This is why EACH router needs to have static routes entered for the subnets. I maintain a large network that has that setup, however I didn't program it.


Edited by Sneakycyber, 13 May 2013 - 05:53 PM.

Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +
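The flow Sneakycyber describes above, modelled in code as an added example (this is not code from the thread or from any Sonicwall product): a domain DNS server that answers from its own zone and forwards everything else, and a branch router that uses a static route per remote subnet to decide whether a resolved address goes over the VPN, stays on the local LAN, or takes the default route to the Internet. The domain name `corp.example`, the branch subnets, the forwarder answers and all names except the 192.168.1.1 server from the thread are constructed for the example.

```python
import ipaddress

# Added example: a model of the name-resolution and routing flow described
# in the post above. All names and subnets are constructed for the example,
# except 192.168.1.1, which the thread gives as the main-office server.
DOMAIN = "corp.example"  # hypothetical Active Directory domain name

# Records the main-office DC/DNS server holds for its own zone.
INTERNAL_ZONE = {
    "dc01.corp.example": "192.168.1.1",           # main office DC (from the thread)
    "files.corp.example": "192.168.1.20",         # constructed
    "branch3-pc1.corp.example": "192.168.13.50",  # constructed remote workstation
}

# Simulated answers from the outside forwarder (ISP or public resolver).
UPSTREAM = {"www.example.com": "198.51.100.10"}  # constructed


def resolve(name):
    """Behave like the domain DNS server: answer from its zone, else forward."""
    name = name.lower().rstrip(".")
    if name == DOMAIN or name.endswith("." + DOMAIN):
        # Authoritative for the domain: names under it are never forwarded outside.
        if name in INTERNAL_ZONE:
            return (INTERNAL_ZONE[name], "internal-zone")
        return (None, "nxdomain")
    if name in UPSTREAM:
        return (UPSTREAM[name], "forwarded")
    return (None, "nxdomain")


class BranchRouter:
    """A remote-site VPN router: local LAN, static routes over the VPN, default to Internet."""

    def __init__(self, local_subnet, static_routes):
        self.local = ipaddress.ip_network(local_subnet)
        self.routes = [(ipaddress.ip_network(net), via) for net, via in static_routes]

    def select_route(self, ip):
        """Longest-prefix match over the static routes; anything unmatched goes out the WAN."""
        addr = ipaddress.ip_address(ip)
        if addr in self.local:
            return "local-lan"
        best = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else "internet"


# Branch 3 (constructed): one static route per subnet that must cross the VPN,
# which is the point the post makes about EACH router needing static routes.
BRANCH3 = BranchRouter(
    "192.168.13.0/24",
    [("192.168.1.0/24", "vpn")]  # main office
    + [(f"192.168.{n}.0/24", "vpn") for n in range(11, 19) if n != 13],  # the other 7 branches
)


def plan(router, name):
    """Resolve a name the way a branch client would, then pick the path for the answer."""
    ip, source = resolve(name)
    if ip is None:
        return (None, source, "unresolved")
    return (ip, source, router.select_route(ip))


if __name__ == "__main__":
    for n in ("dc01.corp.example", "branch3-pc1.corp.example",
              "www.example.com", "nothere.corp.example"):
        print(n, "->", plan(BRANCH3, n))
```

The two decisions are independent, which is why Internet traffic never has to cross the VPN: the DNS server decides where a name is answered from, and the router decides the path purely from the destination address, so a missing static route on any one branch router silently sends that subnet's traffic out the default route instead.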

#7 hispaladin

hispaladin
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of a corn field
  • Local time:06:16 PM

Posted 14 May 2013 - 08:02 AM

Sneaky, can I set the router to use the DNS server on the main network rather than set each machine? Also, when I set it to look at the server, should I set that as the number 1 server and still list the outside DNS servers, or just point it to the internal DNS and leave the rest blank? Please understand my situation: I have kinda been dropped into a network and am being asked to set it up with VPN connections (which I have gotten done already), and now we are looking to bring the locations into the domain. I am learning a lot of this as I go, but I have a fundamental knowledge of networking.

Also, I have routing policies set to route traffic through the VPN if it is directed to the main network subnet.



#8 hispaladin

hispaladin
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of a corn field
  • Local time:06:16 PM

Posted 15 May 2013 - 08:08 AM

Ok, I was really overcomplicating this. I got the subnet to join no problem. All I had to do was point the remote location router's DNS #1 to the main office DC\DNS and join. Thanks for all the pointers, guys; I think I was making it harder because I thought I would have to make changes to the server. Oh, and just in case: I have read a lot of other articles about this and many people say to put a DC at the location, but there are only two workstations at each location so it wouldn't be worth putting a DC at each. I just listed the main office DNS as DNS #1 and the ISP's DNS servers as #2 and #3. Thanks again, everyone.



#9 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,135 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:07:16 PM

Posted 15 May 2013 - 05:56 PM

Thanks for posting your solution; I honestly didn't know the best or easiest way to do it off the top of my head. I would have had to either see how one of my networks is set up or check one of my books.


Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +

#10 hispaladin

hispaladin
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of a corn field
  • Local time:06:16 PM

Posted 16 May 2013 - 08:02 AM

Ok, now I have another question that is still related to this. I have the network connected to the domain, but I also have a single machine at each location that is on the DMZ, and I don't want it to have any access to the main office network. I have the router pointing all the machines to the main office DC for DNS #1, but I don't want all the traffic from the farmer machine (the one in the DMZ) to get sent to the DC, so I set up a firewall rule to block all traffic from the DMZ to the VPN. That would effectively prevent the farmer machine from sending DNS requests to the DC, but it is not using the #2 or #3 DNS servers in the list; it just will not connect to any websites. If I shut off the firewall rule that blocks it from the VPN then everything works fine. Any ideas or help on this? I can't really just set the DNS for the farmer machine statically to point to the ISP DNS, as any other devices that get connected to the DMZ would not be able to connect to the internet either. As it stands I am going to make a firewall rule to allow DNS traffic to pass through, so that I still have security in place to keep that machine away from the network, but I would really like to keep the DNS traffic separate also.



#11 hispaladin

hispaladin
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of a corn field
  • Local time:06:16 PM

Posted 16 May 2013 - 09:52 AM

Ok, I got the answer on the Sonicwall forums. In a Sonicwall (and possibly other routers) you can set a separate set of DNS servers for each port that has its own DHCP scope. So since the DMZ has its own DHCP scope I can set it to use its own set of DNS servers.
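The DMZ problem from posts #10 and #11, modelled as an added example (not code from the thread or from Sonicwall): a first-match zone firewall with the "DMZ may not reach the VPN" rule, and two DHCP scope tables side by side, the weak one where every interface hands out the main-office DC as DNS #1, and the corrected one where the DMZ scope carries only the ISP resolvers. The zones, the DMZ subnet and the ISP resolver addresses are constructed; only the 192.168.1.1 DC comes from the thread. The example assumes, as the thread reports, that a client whose first DNS server is unreachable does not usefully fall back to the others, so what matters is whether the first entry in the scope's list is reachable from that interface.

```python
import ipaddress

# Added example: constructed network, except the 192.168.1.1 DC from the thread.
DC_DNS = "192.168.1.1"                       # main-office DC/DNS (from the thread)
ISP_DNS = ["203.0.113.53", "203.0.113.54"]   # constructed ISP resolvers

# Firewall zones at one branch. In reality the VPN zone would cover the main
# office plus the other seven branch subnets; one subnet is enough to show the logic.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.13.0/24"),   # domain-joined workstations
    "DMZ": ipaddress.ip_network("172.16.13.0/24"),    # the isolated "farmer" machine
    "VPN": ipaddress.ip_network("192.168.1.0/24"),    # main office, reached over the tunnel
}


def zone_of(ip):
    """Map a destination address to its zone; anything unmatched is the Internet (WAN)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


# First-match access rules: (source zone, destination zone, action).
FIREWALL = [
    ("DMZ", "VPN", "deny"),   # the rule from post #10: DMZ must never reach the VPN
    ("DMZ", "LAN", "deny"),   # keep the DMZ host away from the local workstations too
    ("DMZ", "WAN", "allow"),
    ("LAN", "VPN", "allow"),
    ("LAN", "WAN", "allow"),
]


def allowed(src_zone, dst_ip):
    """Evaluate the policy for a packet from src_zone to dst_ip; no match means deny."""
    dst_zone = zone_of(dst_ip)
    for src, dst, action in FIREWALL:
        if src == src_zone and dst == dst_zone:
            return action == "allow"
    return False


# DHCP scopes, one per interface, each with its own DNS server list.
# Weak: both scopes hand out the DC first, so the DMZ client's primary DNS is blocked.
WEAK_SCOPES = {"LAN": [DC_DNS] + ISP_DNS, "DMZ": [DC_DNS] + ISP_DNS}
# Corrected (what post #11 found the Sonicwall can do): the DMZ scope lists only the ISP.
FIXED_SCOPES = {"LAN": [DC_DNS] + ISP_DNS, "DMZ": ISP_DNS}


def reachable_dns(scopes, iface):
    """DNS servers a DHCP client on `iface` is actually permitted to query, in list order."""
    return [ip for ip in scopes[iface] if allowed(iface, ip)]


def primary_dns_works(scopes, iface):
    """Whether DNS #1 for this interface is reachable: the entry the client relies on."""
    return allowed(iface, scopes[iface][0])


def leaks_to_dc(scopes, iface):
    """Whether this interface's clients are told to send lookups to the main-office DC at all."""
    return DC_DNS in scopes[iface]


if __name__ == "__main__":
    for label, scopes in (("weak", WEAK_SCOPES), ("fixed", FIXED_SCOPES)):
        for iface in ("LAN", "DMZ"):
            print(label, iface, "primary ok:", primary_dns_works(scopes, iface),
                  "reachable:", reachable_dns(scopes, iface))
```

The separate scope is the better fix than the "allow DNS from DMZ to VPN" exception considered in post #10: the deny rule stays intact, the DMZ host is never told the DC's address, and the LAN scope is untouched so domain members still resolve names through the DC over the VPN.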



#12 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,135 posts
  • OFFLINE
  • Gender:Male
  • Location:Ohio
  • Local time:07:16 PM

Posted 16 May 2013 - 05:38 PM

:thumbup2:


Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +



