Subnet definition in AD Sites & Services

Steve

Please help with a clarification; Server IP address
172.26.1.181/24. Subnet defined in AD Sites & Services is
172.26.0.0/16. To me, these are 2 different subnets and
each needs to be defined in AD S&S. Was informed that
the current entry of 172.26.0.0/16 will catch everything
beginning with 172.26. Hmmm! Please help!

Steve

Tony Yuhas [MSFT]

Hi Steve,

The subnets in ADSS are listed in {subnet}/{significant
bits} format. That is, the 'sigbits' section defines an
IP space that client IPs fall into.

To understand this, consider the subnet as a 32 digit
binary number instead of a collection of four octet
numbers:

172.26.1.181 -> 10101100 00011010 00000001 10110101

When you classify this as only having 24 sigbits, (as in
172.26.1.181/24), you are denoting that everything after
the 24th bit is to be included in this bucket:
10101100 00011010 00000001 ********

Thus 172.26.1.181/24 is equivalent to 172.26.1.0/24.
Which is where the unfamiliar notation comes from.

If we apply this to your example subnets:
172.26.1.0/24 --> 10101100 00011010 00000001 ********
172.26.0.0/16 --> 10101100 00011010 ******** ********

Subnet routing is assigned on a 'most specific match'
algorithm. For example, if you assigned "172.26.0.0/16"
to SITE-A and "172.26.1.0/24" to SITE-B, you would find
that the behavior is hierarchical. That is, this
IP, "172.26.1.99", would route to SITE-B, but the very
similar IP, "172.26.2.99", would route to SITE-A.

Hope this helps,
Tony Yuhas
Microsoft
Active Directory Tools
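The most-specific-match rule Tony describes, as an added Python illustration for this thread (it is not Microsoft code and not part of the original post). The subnet table and site names are constructed to mirror the SITE-A / SITE-B example; `bits` and `masked_bits` reproduce his binary notation, and `site_for` is the longest-prefix lookup itself, including the case where no subnet covers the client at all.

```python
"""Longest-prefix-match lookup: the rule AD Sites & Services applies when
more than one defined subnet contains a client's IP address.

Added illustration for this thread (not Microsoft code). The subnet table
below is constructed to mirror the SITE-A / SITE-B example in the post.
"""
import ipaddress

# Constructed AD S&S subnet table: subnet entry -> site it is assigned to.
SUBNETS = {
    "172.26.0.0/16": "SITE-A",
    "172.26.1.0/24": "SITE-B",
}


def normalize(entry: str) -> ipaddress.IPv4Network:
    """Network denoted by a host-style entry such as 172.26.1.181/24.

    strict=False clears the host bits, so 172.26.1.181/24 -> 172.26.1.0/24,
    the equivalence Tony points out.
    """
    return ipaddress.ip_network(entry, strict=False)


def bits(ip: str) -> str:
    """32-bit binary view of an address, one group per octet."""
    return " ".join(f"{int(octet):08b}" for octet in ip.split("."))


def masked_bits(entry: str) -> str:
    """Tony's notation: significant bits shown, host bits replaced by '*'."""
    net = normalize(entry)
    raw = f"{int(net.network_address):032b}"
    shown = raw[: net.prefixlen] + "*" * (32 - net.prefixlen)
    return " ".join(shown[i : i + 8] for i in range(0, 32, 8))


def site_for(ip: str, table=SUBNETS):
    """Most-specific match: of the subnets containing ip, the one with the
    longest prefix wins. Returns (site, matched_network), or (None, None)
    when no entry in the table covers the address at all."""
    addr = ipaddress.ip_address(ip)
    best_site, best_net = None, None
    for entry, site in table.items():
        net = normalize(entry)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_site, best_net = site, net
    return best_site, best_net


if __name__ == "__main__":
    for entry in SUBNETS:
        print(f"{entry:<16} {masked_bits(entry)}")
    for ip in ("172.26.1.99", "172.26.2.99", "10.0.0.1"):
        site, net = site_for(ip)
        print(f"{ip:<16} {bits(ip)}  -> {site} via {net}")
```

Running it shows 172.26.1.99 landing in SITE-B and 172.26.2.99 in SITE-A, as in the post; an address outside every defined subnet (10.0.0.1 here) gets no site, which is the situation the original question was really about.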

Herb Martin

Steve said:
Please help with a clarification; Server IP address
172.26.1.181/24. Subnet defined in AD Sites & Services is
172.26.0.0/16. To me, these are 2 different subnets and
each needs to be defined in AD S&S. Was informed that
the current entry of 172.26.0.0/16 will catch everything
beginning with 172.26. Hmmm! Please help!

The second (172.26.0.0/16) is inclusive of the first subnet, so if you
use them on the SAME site then the first, smaller subnet is redundant.

If you use it on another Site definition, its "longer" or "more specific"
mask takes precedence for that subset of addresses.

It works pretty much the same as (most) routing tables do: Longer match
is used.

Herb Martin

Steve said:
I guess the question is if someone defines the subnet
172.26.0.0/16 in AD S&S and assigns it to a site, will
that be a catch-all for all subnets starting with 172.26
in that site even though servers on 172.26.1.0/24 subnets
are not explicitly defined in AD S&S? To me they are two
different subnets.

Yes -- note that no net is ever "explicitly defined" in the sense
of the phrase above. Nets are defined by the length of the mask.

When the mask stops, every address that matches the leftmost
portion is part of "the net."

UNLESS a more specific definition exists in another site (or
another route when routing.)

Herb Martin

Thanks! I have never been in a company that has had 500+
subnets and always used the example "DHCP scope = subnets
defined". I learned something.

When architecting a network you want (should, must?) to layout your
networks so that summarizing them is easy, e.g.,

R1------R2--192.168.16.0
|------R3--192.168.17.0
|------R4--192.168.18.0
|------R5--192.168.19.0

Pretend that nets from R1 to each of R2-R5 are 192.168.20.0->23.0

Suppose R0 has a connection to R1 and we wish to specify ALL of these
nets easily and efficiently. (R1 is using 172.16.0.2 on the R0 connection.)

Now we have 8 nets, contiguous, and starting on a multiple of a power
of 2, which is 8.

We can summarize these nets by writing ONE ROUTE on R0 (equivalent to):

route add 192.168.16.0 mask 255.255.248.0 172.16.0.2

248 ends on the 8 bit, so it summarizes the "groups" of 8.
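Herb's summarization, worked through as an added Python illustration (not from the post). It takes the eight /24s from his diagram and produces the single route; it also shows what happens when the same number of nets starts one block later, which is the alignment condition he is pointing at. The next hop 172.16.0.2 and the 192.168.16.0 to 192.168.23.0 networks are the values in his example; the shifted 17 to 24 block is a constructed counter-example.

```python
"""Route summarization check for Herb's example: eight /24s that are
contiguous, a power of two in number and aligned to a multiple of eight
collapse to one route; shift the block by one and they no longer do.

Added illustration for this thread, not from the post. The networks and the
next hop are the ones in Herb's example; the shifted block is constructed.
"""
import ipaddress


def summarize(prefixes):
    """Single prefix covering exactly the given networks, or None.

    collapse_addresses only merges adjacent, aligned sibling blocks, so it
    never adds address space that was not in the input; a single result
    therefore means the group summarizes exactly.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged[0] if len(merged) == 1 else None


def smallest_cover(prefixes):
    """Smallest single prefix containing every network, even if it also
    pulls in address space that is not in the list (over-summarization,
    which a router would happily accept but which claims nets you may not
    own)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    cover = min(nets, key=lambda n: n.network_address)
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def route_add(summary, next_hop):
    """Windows-style 'route add' line announcing the summary via next_hop."""
    return f"route add {summary.network_address} mask {summary.netmask} {next_hop}"


# 192.168.16.0 .. 192.168.23.0, as in Herb's post.
ALIGNED = [f"192.168.{n}.0/24" for n in range(16, 24)]
# Constructed: same count, 192.168.17.0 .. 192.168.24.0, not on an 8-boundary.
SHIFTED = [f"192.168.{n}.0/24" for n in range(17, 25)]

if __name__ == "__main__":
    print(route_add(summarize(ALIGNED), "172.16.0.2"))
    print("shifted block summarizes exactly:", summarize(SHIFTED) is not None)
    print("smallest single cover for shifted block:", smallest_cover(SHIFTED))
```

For the aligned block this prints exactly Herb's `route add` line (mask 255.255.248.0, i.e. /21). The shifted block cannot be written as one exact route; the smallest single prefix that contains it is 192.168.16.0/20, which also claims 192.168.16.0 and 192.168.25.0 through 192.168.31.0.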