One network, two domains

Thread starter: Wowbagger (Guest)
In the building there is one physical network and one Windows (2000?) server
that serves up DHCP assignments, handles the gateway and so forth. Most
people in the building use this domain and all is well.

There is another group of people in the building with their own 2003 server.
Aside from the physical wiring, DHCP and gateway they have absolutely
nothing to do with the domain that everybody else uses. The few exceptions
above aside, there is absolutely zero resource sharing between this group
and the existing domain.

They would like to set up their own domain, active directory, sharepoint and
other services. The 2003 server is already configured to provide DNS
services to people within the group, but AD can't be installed until the box
is promo'ed to a domain controller.

Will having two domain controllers on the same network pose any problems as
long as all of the users on the local network using the new domain (on the
2003 box) perform DNS queries on the 2003 box first?
 
Re: One network, two domains

It would be fine apart from the fact that the DNS requirements would be
different so you could not fully use DHCP for the second Domain. You would
have to use static addressing or you would have to remove DNS from *all*
the Scopes and assign DNS manually for everybody. If you look in the TCP/IP
Config of any Windows machine you can see that you can use DHCP but still
statically assign DNS.

But personally I'd only want to "mess" with static settings on one domain
rather than every single machine plus the modification to the Scopes. So I
would leave the first Domain alone and not mess with it, then statically
assign the TCP/IP specs of the clients of the second domain.

Better yet,...I would probably create a second IP Segment (it ain't hard to
do) for the second domain and avoid the whole mess. Buy a Layer3
Switch,...split the switch ports down the middle with a pair of VLANs, move
the patch cables to the correct "side" of ports to be in the correct
segment,...and go with it. Hang additional Layer2 switches off of the
correct VLAN'ed group of ports to extend if you need more ports. The
Switch/Router won't require any additional routing at this point and it will
certainly be *handy* to have to make future routing decisions in one central
location as your needs change. The Firewall Device will need a Static Route
added to it to tell it to use the Layer3 Switch (the LAN Router) as the path
to get to the opposite subnet.

This Layer3 Switch/Router setup will also give you the extremely simple
means of access control between the two Segments/Domains using ACLs on the
router,...this is probably something else you will want to do in the future.
Always think of the future,..always take advantage of reasons to buy new
equipment to better the network design, those opportunities may not happen
often,..and this could be one of those justifiable reasons to buy the Layer3
Switch/Router.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------



"Wowbagger" <Wowbagger~~> wrote in message
news:%23VNSos71IHA.1768@TK2MSFTNGP03.phx.gbl...
> In the building there is one physical network and one Windows (2000?)
> server that serves up DHCP assignments, handles the gateway and so forth.
> For most people in the building they use this domain and all is well.
>
> There is another group of people in the building with their own 2003
> server. Aside from the physical wiring, DHCP and gateway they have
> absolutely nothing to do with the domain that everybody else uses. The
> few exceptions above aside, there is absolutely zero resource sharing
> between this group and the existing domain.
>
> They would like to set up their own domain, active directory, sharepoint
> and other services. The 2003 server is already configured to provide DNS
> services to people within the group, but AD can't be installed until the
> box is promo'ed to a domain controller.
>
> Will having two domain controllers on the same network pose any problems
> as long as all of the users on the local network using the new domain (on
> the 2003 box) perform DNS queries on the 2003 box first?
>
>
 
Re: One network, two domains

"Phillip Windell" <philwindell@hotmail.com> wrote in message
news:%23QR8l671IHA.5512@TK2MSFTNGP06.phx.gbl...

> It would be fine apart from the fact that the DNS requirements would be
> different so you could not fully use DHCP for the second Domain. You would
> have to use static addressing or you would have to remove DNS from
> *all* the Scopes and assign DNS manually for everybody.


This won't be a problem - there's only a dozen machines or so that I'll have
to mess with.

> But personally I'd only want to "mess" with static settings on one domain
> rather than every single machine plus the modification to the Scopes. So
> I would leave the first Domain alone and not mess with it, then statically
> assign the TCP/IP specs of the clients of the second domain.


Don't even have a choice about that one - the first domain is 100% out of my
control. Can't do a thing with it.

> Better yet,...I would probably create a second IP Segment (it ain't hard
> to do) for the second domain and avoid the whole mess.


Not hard to do, and if I had any kind of power over the networking of the
building then I'd get a gig-e switch for my group and start to upgrade the
machines to the faster NICs as needed. When I find a gig-e switch on sale
for $150 or so I'll probably pull the trigger on that, but don't expect to
see those prices for another 18 months or so. The gig-nics are showing up
on sale for $20 once in a great while so prices are still slowly coming
down.
 
Re: One network, two domains



"Wowbagger" <Wowbagger~~> wrote in message
news:OUd0eP81IHA.2064@TK2MSFTNGP05.phx.gbl...
> "Phillip Windell" <philwindell@hotmail.com> wrote in message
> news:%23QR8l671IHA.5512@TK2MSFTNGP06.phx.gbl...
>
>> It would be fine apart from the fact that the DNS requirements would be
>> different so you could not fully use DHCP for the second Domain. You
>> would have to use static addressing or you would have to remove DNS from
>> *all* the Scopes and assign DNS manually for everybody.

>
> This won't be a problem - there's only a dozen machines or so that I'll
> have to mess with.
>
>> But personally I'd only want to "mess" with static settings on one domain
>> rather than every single machine plus the modification to the Scopes. So
>> I would leave the first Domain alone and not mess with it, then
>> statically assign the TCP/IP specs of the clients of the second domain.

>
> Don't even have a choice about that one - the first domain is 100% out of
> my control. Can't do a thing with it.
>
>> Better yet,...I would probably create a second IP Segment (it ain't hard
>> to do) for the second domain and avoid the whole mess.

>
> Not hard to do, and if I had any kind of power over the networking of the
> building then I'd get a gig-e switch for my group and start to upgrade the
> machines to the faster NICs as needed. When I find a gig-e switch on sale
> for $150 or so I'll probably pull the trigger on that, but don't expect to
> see those prices for another 18 months or so. The gig-nics are showing up
> on sale for $20 once in a great while so prices are still slowly coming
> down.
>
>


If you are stuck with running both domains on the same segment, it is
definitely possible as Phillip outlined. You can't run DHCP for the second
domain so you will need to configure them all manually and set them to use
the correct DNS server and gateway. You will also need to make sure that you
do not duplicate any IP addresses which DHCP might hand out. Can you get the
sysadmin of the first domain to reserve a block of IPs in the DHCP scope?
 
Re: One network, two domains


"Wowbagger" <Wowbagger~~> wrote in message
news:OUd0eP81IHA.2064@TK2MSFTNGP05.phx.gbl...
> Not hard to do, and if I had any kind of power over the networking of the
> building then I'd get a gig-e switch for my group and start to upgrade the
> machines to the faster NICs as needed. When I find a gig-e switch on sale
> for $150 or so I'll probably pull the trigger on that, but don't expect to
> see those prices for another 18 months or so. The gig-nics are showing up
> on sale for $20 once in a great while so prices are still slowly coming
> down.


I think you misunderstand what I mean by a Layer3 Switch.

1. It doesn't have anything to do with Gigabit.
2. Most I have seen are 10/100 but 10/100/1000 are getting more popular.
3. $20 might buy the power cord to a Layer3 Switch. The cheaper ones might
be around $500 (guessing) with up in the 1,000's for better ones. We have
about $15,000.00 wrapped up in ours that uses a Chassis/Module design.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Re: One network, two domains

"Bill Grant" <not.available@online> wrote in message news:ehtQvi%

> Can you get the sysadmin of the first domain to reserve a block of IPs in
> the DHCP scope?


Unfortunately, no. I'm 100% on my own with this. Some day I'll be able to
physically separate the two - a switch plus a NAT to bridge between my
segment and everybody else would probably do the trick.
 
Re: One network, two domains

"Phillip Windell" <philwindell@hotmail.com> wrote in message
news:Owbb8sF2IHA.4004@TK2MSFTNGP03.phx.gbl...

> I think you misunderstand what I mean by a Layer3 Switch.


Expensive, especially when I can get a 24 port layer 2 10/100/1000 for $180
+ $50 for a NAT router to bridge between my segment and the rest of the
building.
 
Re: One network, two domains



"Wowbagger" <Wowbagger~~> wrote in message
news:#VnrHYM2IHA.416@TK2MSFTNGP04.phx.gbl...
> "Bill Grant" <not.available@online> wrote in message news:ehtQvi%
>
>> Can you get the sysadmin of the first domain to reserve a block of IPs
>> in the DHCP scope?

>
> Unfortunately, no. I'm 100% on my own with this. Some day I'll be able
> to physically separate the two - a switch plus a NAT to bridge between my
> segment and everybody else would probably do the trick.
>
>

Yes, that would do it. It is possible to run your own "logical" network
in its own IP subnet on the same wire and use NAT. You would use one of your
machines (not the DC) as a NAT router between your network and the existing
network. e.g.

Gateway router
192.168.1.254
|
Domain 1
192.168.1.x dg 192.168.1.254 config from DHCP
|
192.168.1.253 dg 192.168.1.254
NAT
192.168.31.254 dg blank
|
Domain 2
192.168.31.x dg 192.168.31.254 manual config

All machines are connected to the same switch, but are logically separate
networks because they are in different IP subnets. Domain 2 machines can
reach the Internet via NAT and the gateway router, but Domain 1 cannot see
Domain 2 machines because NAT only routes one way. You only need one IP
from the parent network for the "public" IP of your NAT router.
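The addressing scheme above, as an added example that is not code from the thread: a small Python check that a one-wire, two-subnet plan of this shape is internally consistent (NAT box with one leg in each subnet, the borrowed parent-network address kept out of the DHCP pool, manual domain 2 addresses unique and usable) plus a function stating who can initiate connections across the NAT as the post describes it. The DHCP pool bounds, host names and host addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan following the diagram in the post above; the
# DHCP pool bounds, host names and host addresses are assumptions.
PLAN = {
    "domain1_net": "192.168.1.0/24",
    "gateway_router": "192.168.1.254",
    "dhcp_pool": ("192.168.1.10", "192.168.1.200"),
    "nat_outside": "192.168.1.253",   # the one IP borrowed from the parent network
    "nat_inside": "192.168.31.254",   # default gateway for the domain 2 hosts
    "domain2_net": "192.168.31.0/24",
    "domain2_hosts": {"dc2": "192.168.31.10", "ws1": "192.168.31.21", "ws2": "192.168.31.22"},
}

def in_pool(addr, pool):
    lo, hi = (ip_address(p) for p in pool)
    return lo <= ip_address(addr) <= hi

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net1, net2 = ip_network(plan["domain1_net"]), ip_network(plan["domain2_net"])
    nat_out, nat_in = ip_address(plan["nat_outside"]), ip_address(plan["nat_inside"])
    if net1.overlaps(net2):
        problems.append("subnets overlap: routing/NAT cannot keep the domains apart")
    if nat_out not in net1 or nat_in not in net2:
        problems.append("NAT box must have one address in each subnet")
    # Anything the DHCP server may hand to a domain 1 client must not be reused
    if in_pool(plan["nat_outside"], plan["dhcp_pool"]):
        problems.append(f"NAT outside {nat_out} lies in the DHCP pool: duplicate IP risk")
    if nat_out == ip_address(plan["gateway_router"]):
        problems.append("NAT outside address collides with the gateway router")
    seen = {nat_in}  # manual addresses must be unique and must not reuse the NAT's
    for name, addr in plan["domain2_hosts"].items():
        a = ip_address(addr)
        if a in seen:
            problems.append(f"{name}: {addr} is already assigned")
        if a not in net2 or a in (net2.network_address, net2.broadcast_address):
            problems.append(f"{name}: {addr} is not a usable host address in {net2}")
        seen.add(a)
    return problems

def can_initiate(src, dst, plan):
    """Domain 2 hosts go out through NAT; domain 1 has no route into the NATed subnet."""
    net2 = ip_network(plan["domain2_net"])
    s, d = ip_address(src), ip_address(dst)
    if s in net2:
        return True       # outbound traffic is translated to nat_outside
    return d not in net2  # domain 1 (and the Internet) cannot reach domain 2 addresses
```

Running check_plan against a copy of the plan with the NAT's outside address moved inside the DHCP pool reports the duplicate-IP risk Bill Grant warns about.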
 
Re: One network, two domains

That would work,...but,...

1. Running NAT in the middle of a LAN isn't such a great idea in general.
It should be normal routing (no NAT) with maybe possibly ACLs on the LAN
Router.

2. You are talking about "home user" equipment that has less
capability/flexibility and has a high hardware failure rate compared to
commercial equipment. The old saying, "You get what you pay for" is still
true.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"Wowbagger" <Wowbagger~~> wrote in message
news:eM6ecdM2IHA.4476@TK2MSFTNGP06.phx.gbl...
> "Phillip Windell" <philwindell@hotmail.com> wrote in message
> news:Owbb8sF2IHA.4004@TK2MSFTNGP03.phx.gbl...
>
>> I think you misunderstand what I mean by a Layer3 Switch.

>
> Expensive, especially when I can get a 24 port layer 2 10/100/1000 for
> $180 + $50 for a NAT router to bridge between my segment and the rest of
> the building.
>
>
 