Adding a second domain.

Thread starter: Guest
What is the best way to add another domain into your existing network?

The current Domain1 (10.10.10.xx) contains four 2k3 servers: AD, Exch, File,
and Web. Everyone is connected to an HP Procurve switch and goes out to the
internet through a PIX firewall. The AD server is also running DNS and DHCP.

We need to add another domain, Domain2 (10.10.11.xx), into our existing
infrastructure. The new domain will have 2 servers: an SBS 2k3 server running
AD, DNS, DHCP, and Exchange, and a 2k File/Web server.

Domain1 needs to be able to access Domain2's File/Web server but Domain2
should not be able to browse or access anything in Domain1.

Is it just a matter of entering the appropriate domain names and IP
addresses on Domain2's servers and then connecting them to the same HP
Procurve switch? Because they are on a different IP address scheme,
10.10.10.xx vs. 10.10.11.xx, there should not be DHCP or any other conflicts,
right? Will I need a router to sit between the two domains or will the switch
be enough?
 
If the DHCP servers are connected to the same switch, you won't have any way
of separating the clients. DHCP is broadcast based, and the first DHCP
server that responds to a request will issue the IP address, not knowing or
caring which subnet the computer requesting the address is supposed to be
in. This is also true if you use a router with both interfaces plugged into
the same switch. You will need to physically or logically (VLANs) contain
broadcasts for each subnet. But do you need two domains, or two subnets? You
don't have to have both. You can have two domains in the same subnet. Both
domains will show up in the browser (My Network Places), but domain
membership and permissions will prevent users from different domains from
being able to access resources in the other. If you need one-way permissions
between domains, you can create a one-way trust.

....kurt
 
Kurt said:
If the DHCP servers are connected to the same switch, you won't have
any way of separating the clients. DHCP is broadcast based, and the
first DHCP server that responds to a request will issue the IP
address, not knowing or caring which subnet the computer requesting
the address is supposed to be in. This is also true if you use a
router with both interfaces plugged into the same switch. You will
need to physically or logically (VLANs) contain broadcasts for each
subnet. But do you need two domains? or two subnets? You don't have
to have both. You can have two domains in the same subnet. Both
domains will show up in the browser (My Network Places), but domain
membership and permissions will prevent users from different domains
from being able to access resources in the other. If you need one-way
permissions between domains, you can create a one-way trust.

Note - he can't set up domain trusts since the other network is using SBS.
 
Good point. Missed that. One of the many good reasons to avoid SBS.
....kurt

"Lanwench [MVP - Exchange]"
 
Ya, in a small office that you know will never be growing it's great if you
need exchange.

....kurt

"Lanwench [MVP - Exchange]"
Kurt said:
Good point. Missed that. One of the many good reasons to avoid SBS.
...kurt

It has its uses.
 
Kurt said:
Ya, in a small office that you know will never be growing it's great
if you need exchange.
....kurt

Indeed - and it has RWW (aka Poor Man's Terminal Server) and some other
goodies. Just not good if you know you're going to grow beyond its
boundaries (75 users) or need domain trusts or Exchange Enterprise or have a
clinical aversion to running loads of wizards. I've gotten over the latter,
but it wasn't easy.

 
clinical aversion to running loads of wizards
I've gotten over the latter, but it wasn't easy.

Could you send me the address of your therapist :-)

 
Kurt said:
Could you send me the address of your therapist :-)

I worked through the psychological torment myself, with the assistance of a
nice bottle of shiraz. It's non-prescription.

 
Thanks for replying, I appreciate your help.

So, if I can create a VLAN on one of the blades of our switch then I can
contain broadcasts from each domain, correct? And once I do that, then each
domain can have its own DHCP server and independently authenticate their own
respective users, right?

You brought up the subject of not needing both a separate subnet and
separate domain for our scenario. I always thought, incorrectly it seems,
that you need a separate subnet for each domain you add into your
environment. Now, for our environment, do we need another subnet given the
same requirements (each domain having its own domain name, DNS, DHCP, AD
authenticating its own set of users)?

As for SBS not being able to set up trusts, I didn't know that and I'm
disappointed, but it's not a major stumbling block; we can work around that.

I'm new at this; personnel changes and company directives have conspired to
drop IT responsibility onto my novice lap. Thank you again.
 
If you create VLANs, you can segregate broadcast traffic into one subnet or
the other. You'll need a router to pass traffic between the VLANs if your
switch is not a layer-three switch. Once you do that, you can have a DHCP
server and a DC on each VLAN (and yes, they'll have to be different subnets
in order to route). As far as your question beginning with "Now, for our
environment", I don't know enough about your environment to answer. But from
your original post, you said domain 1 needs to be able to access a server in
domain 2 but domain 2 shouldn't be able to access domain 1 at all. This
could be accomplished real easily with routes:

If the Internet router is in the subnet for domain 1, all of the
workstations in domain 1 will use the Internet router as their default
gateway, so they won't have a route to domain 2's subnet. The file server
will have a static route (using the "route add" command in a batch
file/startup script) to the domain 2 subnet via the inter-vlan router.

On the other side, domain 2's clients will have the inter-vlan router as
their default gateway, and the inter-vlan's default route will be the
Internet router. That technically will give domain 2 access to domain 1, but
since domain 1 (all but the file server) doesn't have a route back, no
connections will be made.

You'll have to work around the lack of a trust if the file server is joined
to domain1 by adding local accounts and permissions for users in domain 2.

....kurt
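The routing design in Kurt's last post, as an added example that is not part of the thread: a small Python model of the route tables he describes, traced with longest-prefix matching for both the request and the reply direction. The thread names only the two /24 subnets, so the host and router addresses, the node names, and the assumption that the PIX has no route to 10.10.11.0/24 are all constructed here.

```python
"""Route-table model of the two-VLAN design described in Kurt's last post.

Added example, not code from the thread. The thread gives only the two
subnets (10.10.10.x and 10.10.11.x); every host and router address below
is a constructed placeholder.
"""
import ipaddress

# Constructed placeholder addresses (the thread names no specific hosts).
PIX_INSIDE = "10.10.10.1"      # Internet router (PIX) on the domain 1 subnet
INTERVLAN_D1 = "10.10.10.254"  # inter-VLAN router leg in domain 1
INTERVLAN_D2 = "10.10.11.254"  # inter-VLAN router leg in domain 2
INTERNET = "internet"          # sentinel: the packet leaves the LAN
CONNECTED = "connected"        # sentinel: destination is on a local subnet
NO_ROUTE = "no-route"


class Node:
    """A host or router: its addresses plus a small routing table."""

    def __init__(self, name, addresses, default_via=None):
        self.name = name
        self.addresses = list(addresses)
        self.ip = self.addresses[0]
        # Each address sits on a /24, so every node gets a connected route
        # for each of its subnets; next hop None means "deliver locally".
        self.routes = [(ipaddress.ip_interface(f"{a}/24").network, None)
                       for a in self.addresses]
        if default_via is not None:
            self.routes.append((ipaddress.ip_network("0.0.0.0/0"), default_via))

    def add_route(self, dest, via):
        # Windows 2003 equivalent (persistent): route -p add <net> mask <mask> <via>
        self.routes.append((ipaddress.ip_network(dest), via))

    def next_hop(self, dst_ip):
        """Longest-prefix match: CONNECTED, a next-hop IP, INTERNET, or NO_ROUTE."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [(net, via) for net, via in self.routes if dst in net]
        if not matches:
            return NO_ROUTE
        _, via = max(matches, key=lambda r: r[0].prefixlen)
        return CONNECTED if via is None else via


def build_topology():
    """Kurt's design: one shared file server in domain 1 with a static route."""
    nodes = {
        "pix": Node("pix", [PIX_INSIDE], default_via=INTERNET),
        "intervlan": Node("intervlan", [INTERVLAN_D1, INTERVLAN_D2],
                          default_via=PIX_INSIDE),
        "d1_workstation": Node("d1_workstation", ["10.10.10.50"],
                               default_via=PIX_INSIDE),
        "file_server": Node("file_server", ["10.10.10.20"],
                            default_via=PIX_INSIDE),
        "d2_client": Node("d2_client", ["10.10.11.50"],
                          default_via=INTERVLAN_D2),
        "d2_server": Node("d2_server", ["10.10.11.10"],
                          default_via=INTERVLAN_D2),
    }
    # The only host in domain 1 that knows the way to domain 2.
    nodes["file_server"].add_route("10.10.11.0/24", INTERVLAN_D1)
    return nodes


def trace(nodes, src, dst_ip, max_hops=8):
    """Follow one packet hop by hop; the last element says where it ended."""
    by_addr = {a: n for n in nodes.values() for a in n.addresses}
    node, path = nodes[src], [src]
    for _ in range(max_hops):
        hop = node.next_hop(dst_ip)
        if hop == CONNECTED:
            target = by_addr.get(dst_ip)
            path.append(target.name if target else "dropped")
            return path
        if hop in (INTERNET, NO_ROUTE):
            path.append(hop)
            return path
        node = by_addr[hop]
        path.append(node.name)
    path.append("loop")
    return path


def connection_works(nodes, client, server):
    """A TCP session needs both the request path and the reply path."""
    request = trace(nodes, client, nodes[server].ip)
    reply = trace(nodes, server, nodes[client].ip)
    return request[-1] == server and reply[-1] == client


if __name__ == "__main__":
    net = build_topology()
    for client, server in [("d2_client", "file_server"),
                           ("d2_client", "d1_workstation"),
                           ("d1_workstation", "d2_server"),
                           ("file_server", "d2_server")]:
        print(f"{client:>15} -> {server:<15} request {trace(net, client, net[server].ip)}")
        print(f"{'':>15}    reply   {trace(net, server, net[client].ip)}"
              f"  works={connection_works(net, client, server)}")
```

Running it shows the point worth checking before relying on this design: a packet from a domain 2 client still arrives at a domain 1 workstation (the request trace ends at d1_workstation); only the reply is lost, because the workstation's default route hands it to the PIX. A missing return route is not a filter, so the one-way rule should also be enforced with an access list on the inter-VLAN router or the PIX; the model simply makes that gap visible.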
 