Sites/subnets question

T0GGLe

Hi,

I'm getting confused regarding how to set up sites and services
correctly in my environment so wondered if anyone had any tips please?

We have a distributed network with a domain controller at each office,
with two offices that are larger "hubs" where more of our servers are
located (eg exchange, sql servers and so on). We have about 60 offices
in total, with each office having a varying number of
people/workstations at them. We have to have a domain controller at
each office as we're still running a load of machines with windows95/8
and they need WINS.

Now the way it's been set up by my predecessor is to have just one
site that covers the entire company because I guess we have quite fast
links between all our offices (1/2 meg leased lines). However, some of
the domain controllers are quite slow machines. Now I'm getting
confused as how to change this because we think that the reason why
we're getting some slow logons to our citrix farm is because in the
logon process to the servers the client is authenticating with a slow
server on a WAN link whereas we want them to authenticate with a fast
server on a LAN link.

So I propose to have one site covering the major sites (which also
house our farm and dns servers and have faster than normal links
between them than the other offices) and another site covering all the
other offices.

The trouble is that I don't really understand how to implement the
subnet part of sites and services.
You see we have one subnet covering most of the network
(255.255.255.0) but with a different IP range in each office, and in
the 2 major offices we have multiple subnets and a couple of IP
ranges. There is one router in each office and I guess these are
configured with the relevant IP range for that office.
eg
office 1 - network ID 192.168.105.0 s/n 255.255.255.0
office 2 - network ID 192.168.106.0 s/n 255.255.255.0

Furthermore when you go to add a new subnet in sites and services it
gives you a little example which had confused me even more!
It says:-
example address 10.14.209.14 mask 255.255.240.0 becomes subnet
10.14.208.0/20. Eh? Shouldn't that be 10.14.209.0/20? I understand how
to express the subnet as /20 but how did 209 become 208????

One more thing as well - how can entries here be listed as specific IP
addresses? For example my predecessor has several entries which are
specific IP addresses/subnet
eg 192.168.20.112/28

I thought that the form was:-
networkID/subnet

Sorry for so many questions in one post but it's a reflection of my
confusion... I think :p

Ryan Hanisco

TOGGLe,

Even with 512K lines between your physical sites you would do well to define
them as separate AD sites as this will allow you to control their
replication schedules and the protocols they use. Within a site, DCs will
use RPC to communicate creating a ton of network chatter and headaches for
your router guys.

You need to DRAW out your physical connectivity and label the speed of
connections. You need to see if you have redundant links, any star
topologies, circles in your network and the like. From there you can plan
and connect the servers to each other appropriately, designating bridgeheads
to share load and configuring metrics to avoid undesirable routes. Also,
you'll want to take into account any Dial on Demand routing that you are
doing and ISDN backups you may have to your normal WAN connectivity.

Think about it carefully, draw or whiteboard, make sure you have a GC at
each site if at all possible, and always have a backout plan for anything
you do.

I'll be happy to answer any other more specific questions you might have.

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
Cary Shultz [A.D. MVP]

T0GGLe,

Ryan is correct. I would physically draw out your current set up. Maybe
start with the two bigger offices in the middle as bigger circles and then
draw the other offices as 'smaller' or 'even smaller' or 'way smaller'
circles ( with the size of the circle giving you an idea as to how many
users / computers are in each location ).

I would then also C*L*E*A*R*L*Y draw out the connection speed of the
connection. Are all Offices physically connected to 'large' office?
Meaning, all of the 'remote' offices connect to the 'Hub'. I can envision a
situation where there is a Firewall-to-Firewall VPN from the Hub to all of
the spokes ( aka, 'remote' offices ).

512Kbps is not really that fast. And, when you add the VPN to it then you
are talking about 325 - 350Kbps of actual bandwidth available. If you do not
currently have a Firewall-to-Firewall VPN connection then I would strongly
consider it. That is, unless you have private connections to/from the
'Hub'. Then you would not need to worry about the VPN stuff.

Ryan, how many users / computers are in each physical connection? This
could play a role in your design. You can make it such that any office in
which there are fewer than 10 users does not get a DC placed locally but any
office in which there are 10 users or more does get a DC. Then, you would
create a Site for each one of those offices ( er, that does have a Domain
Controller ). For those offices that do not have a Domain Controller
'locally' you could add them as part of an existing Site ( whereby you
simply 'associate' that subnet with the existing Site of your choosing -
well, I am sure that there would be some intelligence to the selection of
'that' Site ).

You mentioned a Citrix Farm. Do your users in the remote offices connect to
the Citrix Farm to use the applications that they need to get their work
done? Meaning, at the computer where in their specific office do they sit
down and HAVE to log on to the Citrix Farm to get any work done -OR- can
they sit down at their computer, log on to the domain and do their work (
i.e, all of the applications that they need are installed locally )? Where
am I going with this? Well, if they need to log onto the Citrix Farm to get
their work done and none of the applications that they need to use are
installed locally - probably not the case - then this could change things
for you. Dumb terminals - such as those from HP or Wyse or any of the
others - might be a really good idea. "MIGHT" being the key word. There is
not really enough information here.....And the fact that they have a lot of
WIN9x systems ( probably on old hardware - which has probably depreciated
already so your Finance guys will not have a cow! ) could add to your
argument about getting new 'computers' - whether they be Thin Clients or
actual PCs.

As to your question about the Site and the IP Address given: I have always
entered the IP Address as 192.168.10.0 and then the subnet mask as
255.255.255.0 so I am not sure why he or she entered in a specific IP
Address. I would think that entering a specific IP Address is due to being
uninformed about how this works. Not sure what his/her thought process was
when he/she did this.

Okay, this is a lot of information to digest.

Have fun!

Cary
Andrew Mitchell

(e-mail address removed) (T0GGLe) said

> One more thing as well - how can entries here be listed as specific IP
> addresses? For example my predecessor has several entries which are
> specific IP addresses/subnet
> eg 192.168.20.112/28
>
> I thought that the form was:-
> networkID/subnet

What they have entered looks fine. That just refers to a network address of
192.168.20.112, with useable IP addresses starting at 192.168.20.113 and
ending with 192.168.20.128, with a subnet mask of 255.255.255.240

You don't have to start your subnet at a 0 (zero) address.
Cary Shultz [A.D. MVP]

Looks like I jumped the gun and did not do my subnetting like a good little
boy. So, who is the 'uninformed' one now? ;-)

Cary
Ken B

Believe it or not, one of my Windows networking teachers tried to teach me
that the network wire (the actual physical wire) has an IP address, which
would be different from the ip address of the host connected to it. ... and
the subnet, that's something way different.... "but you don't need to know
about that" was what I was told :x

Ken
Enkidu

> Furthermore when you go to add a new subnet in sites and services it
> gives you a little example which had confused me even more!
> It says:-
> example address 10.14.209.14 mask 255.255.240.0 becomes subnet
> 10.14.208.0/20. Eh? Shouldn't that be 10.14.209.0/20? I understand how
> to express the subnet as /20 but how did 209 become 208????

With a 255.255.240.0 netmask the subnet can contain 4096 hosts. The IP
address range that contains 10.14.209.14 runs from 10.14.209.0 to
10.14.223.255. The reason that it must be 208 is that this address has
all the host bits zero - a subnet must have this. If the subnet
started from 209 one of the host bits would not be zero which you
can't have.

I use a freeware IP address calculation tool from Famatech called,
funnily enough, "Advanced IP Address Calculator".

Another way to think about it, if you reduce the netmask by one bit
you are combining two of the original networks into one. Reducing the
netmask by one is doubling the number of possible hosts. This extra
bit is either 0 or 1. Obviously the new subnet must start from zero.
If you start from 10.14.209.0, the default class C subnet of the
10.14.209.14 host, you will find that the very first step, from /24 to
/23 forces the 10.14.209.14 into the 10.14.208.0/23 subnet.

Cheers,

Cliff

Enkidu

(e-mail address removed) (T0GGLe) said

> What they have entered looks fine. That just refers to a network address of
> 192.168.20.112, with useable IP addresses starting at 192.168.20.113 and
> ending with 192.168.20.128, with a subnet mask of 255.255.255.240
>
> You don't have to start your subnet at a 0 (zero) address.

Well, in a way you do. The binary form of the subnet address *always*
ends with .....000000 and the subnet ranges from ..00000
to ....111111 depending on the number of bits in the netmask.

In this particular case the binary version of the netmask is
1111...11110000. This forces the last octet of the subnet address to
be 0, 16, 32, . . ., 80, 96, 112, 128, . . . All have zeros in the
rightmost 4 bits of the binary version of the last octet using the
/28 mask.

The examples above, of course, result in a network address that is not
zero in the last octet for /28 subnets but the last octet of the
network address must correspond with the 0th available address in that
subnet.

The last octet of the subnet chosen is 112 which is 01110000 in
binary. Note that the last four bits are zero. For any IP address, the
binary form of the network address that contains the address MUST
always contain zeros for all the rightmost zeros in the netmask that
is being applied. This is what forces the network address to
10.14.208.0 in the example that the OP quoted.

Cheers.

Cliff
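An added example (not code from the thread) that works through the arithmetic Cliff and Andrew describe: it ANDs an address with its mask to get the network address the Sites and Services dialog shows, lists the usable host range of a CIDR block, and does the longest-prefix subnet-to-site match that AD uses to pick a client's site. The subnet table is constructed from the offices in the original post, and the site names are made up.

```python
# Added example, not from the thread: applies the mask bit-by-bit the way
# Cliff describes (host bits forced to zero) and matches a client address
# to a site the way AD does, by longest-prefix match over subnet objects.
def to_int(dotted):
    """Pack a dotted quad such as 10.14.209.14 into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_length(mask):
    """255.255.240.0 -> 20; rejects non-contiguous masks like 255.0.255.0."""
    m = to_int(mask)
    bits = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return bits

def network_of(address, mask):
    """The subnet object the dialog derives: address AND mask, as CIDR."""
    net = to_int(address) & to_int(mask)  # every host bit becomes zero
    return f"{to_dotted(net)}/{prefix_length(mask)}"

def usable_range(cidr):
    """First and last host address of a block (network/broadcast excluded)."""
    net_s, bits = cidr.split("/")
    net, size = to_int(net_s), 1 << (32 - int(bits))
    if net & (size - 1):  # e.g. 10.14.209.0/20: host bits set, not a network
        raise ValueError(f"{cidr} is not a network address")
    return to_dotted(net + 1), to_dotted(net + size - 2)

def site_for(address, subnets):
    """Pick the site whose subnet object most specifically contains address."""
    best = None
    for cidr, site in subnets.items():
        net_s, bits = cidr.split("/")
        mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
        if to_int(address) & mask != to_int(net_s):
            continue
        if best is None or int(bits) > best[0]:
            best = (int(bits), site)
    return best[1] if best else None

# Constructed subnet-to-site table modelled on the offices in the thread;
# the /28 carved out of the hub's /24 wins for anything in 192.168.20.112/28.
SUBNETS = {"192.168.105.0/24": "Office1", "192.168.106.0/24": "Office2",
           "192.168.20.0/24": "Hub", "192.168.20.112/28": "Hub-ServerVLAN"}
```

Feeding the dialog's own example through `network_of("10.14.209.14", "255.255.240.0")` gives `10.14.208.0/20`, and `usable_range("192.168.20.112/28")` shows why the predecessor's entry is a legitimate 14-host block.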
Ryan Hanisco

Yeah,

It really helps to know subnetting and the CIDR/VLSM rules for subnetting.
Just remember the number after the slash is the number of network bits in
your subnet. There are loads of subnet calculators out there to help, but
it's a good idea to memorize the common ones.

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services