One of the common misunderstandings I see working with organizations and their Active Directory deployments is with regard to subnet definitions in Active Directory. This discussion came up recently on the ActiveDir.org mailing list so I thought I would write up a quick summary of how this works.
Subnets are defined in Active Directory solely to determine which Active Directory site a set of machines belongs to. The subnet definitions do not need to correspond to the actual layer 3 routing within the organization. This is a key misunderstanding – the layer 3 routing design does not have to correspond to the subnet/site definitions in Active Directory at all. Second, Active Directory will match the most specific subnet. This means that if you have defined two subnet objects in Active Directory – 10.1.0.0/16 and 10.1.2.0/24 – and a client has an IP of 10.1.2.5, it will match the second (more specific) subnet object.
One of the common events that fills up the event log on domain controllers in large organizations is NetLogon warning #5807, which reports connections from client machines whose IP addresses don't map to any defined subnet. There are a couple of scenarios where this happens. One is when the AD administrators simply don't define any subnets to go along with their site objects. The second, and more common, one is that the team that runs AD tends not to talk to the group that provisions subnets on the network. In large organizations subnets tend to come and go at sites all over the place, and while it would be nice to get all this data keyed into Active Directory at that time, it's often not very plausible. The solution that I use and recommend is to define very broad supernets at my hub sites. Given a simple hub and spoke with one hub, I would associate 10.0.0.0/8 with the hub site. This guarantees that any client with a 10.x.x.x address will match a subnet in AD. 172.16.0.0/12 space is also pretty common in organizations – especially for VPNs, DMZs, etc. I'll usually associate this with my hub site as well.
Now the question becomes what if you have a more distributed hub & spoke topology like the one below?
Ideally the WAN comes with a well designed subnet model and it becomes easy to associate the local supernets with the hub sites like below:
In this simplified scenario it's easy to associate the specific subnets with their spoke sites, and then associate the /16s with the hubs. For example, I would build 10.3.0.0/16 and assign that to São Paulo, 10.1.0.0/16 for Chicago, and 10.2.0.0/16 for London. I didn't add 10.0.0.0/8 to any of the sites because I know that this organization is only cut out of the three networks listed; if I didn't know that, I would make an executive decision based on where the majority of the clients are and associate that subnet there. In reality this is sometimes difficult to do or not immediately obvious. When it comes time to figure this out, the WAN group or whoever handles the network in an organization will have this information readily available if it exists.
Another cool trick that you can do with subnets in Active Directory is to define host subnets – /32 (or 255.255.255.255) masks. With this you can build a site within a site, so to speak. An example I ran into once is an organization which wanted a dedicated site for their Exchange environment – a fairly common scenario. For whatever reason the network folks simply weren't willing to provision a dedicated subnet for this. So, what this organization ended up doing was defining subnet objects for each of their Exchange hosts and dedicated DCs with a /32 mask and associating them with this special Exchange site. You could also create a lag site (a site whose DCs deliberately receive replication on a delayed schedule) within a subnet by building a site, a site link, and /32 subnets for each of the lag site DCs.
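As an added illustration (not code from the original post), the behaviour described above modelled in Python with the standard ipaddress module: the most-specific-subnet rule, broad supernets parked on a hub site so no client goes unmatched, /32 host subnets carving out a site within a site, and the "no subnet matched" condition that NetLogon warning 5807 counts. The site names, the subnet table and the client addresses are constructed for the example; only the matching rule is taken from the post.

```python
"""How a domain controller maps a client IP to an Active Directory site,
modelled in Python: the most specific subnet object (longest prefix) wins,
/32 host subnets carve out a 'site within a site', and a client that
matches no subnet object at all is what NetLogon warning 5807 counts.

Site names, the subnet table and the client addresses below are constructed
for this example; they are not from any real deployment.
"""
import ipaddress

# Constructed subnet-object table in the hub-and-spoke style from the post:
# broad supernets on the hubs, specific prefixes on spokes, /32s for an
# Exchange site that never got a subnet of its own.
SUBNET_TABLE = {
    "10.0.0.0/8":    "Chicago-Hub",          # catch-all for any 10.x address
    "172.16.0.0/12": "Chicago-Hub",          # VPN/DMZ space also parked on the hub
    "10.1.0.0/16":   "Chicago-Hub",
    "10.2.0.0/16":   "London-Hub",
    "10.3.0.0/16":   "SaoPaulo-Hub",
    "10.1.2.0/24":   "Chicago-Spoke-Oak",    # more specific than 10.1.0.0/16
    "10.2.7.0/24":   "London-Spoke-Reading",
    "10.1.2.50/32":  "Exchange-Site",        # host subnets: site within a site
    "10.1.2.51/32":  "Exchange-Site",
}


def build_subnets(table):
    """Parse the CIDR strings once and order them by descending prefix
    length, so a linear scan returns the most specific match first.

    strict=True rejects entries with host bits set (e.g. "10.1.2.5/24"),
    a mis-keyed subnet object that would otherwise cover the wrong range.
    """
    subnets = [(ipaddress.ip_network(cidr, strict=True), site)
               for cidr, site in table.items()]
    subnets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return subnets


def resolve_site(ip, subnets):
    """Return (site, matched_cidr) for a client address, or (None, None)
    when no subnet object covers it."""
    addr = ipaddress.ip_address(ip)
    for net, site in subnets:
        if addr in net:
            return site, str(net)
    return None, None


def unmapped_clients(client_ips, subnets):
    """The condition behind NetLogon warning 5807: clients whose addresses
    map to no subnet object and therefore to no site."""
    return [ip for ip in client_ips if resolve_site(ip, subnets)[0] is None]


def site_membership(client_ips, subnets):
    """Group client addresses by the site they resolve to; clients that
    match nothing land under the key None."""
    groups = {}
    for ip in client_ips:
        site, _ = resolve_site(ip, subnets)
        groups.setdefault(site, []).append(ip)
    return groups


SUBNETS = build_subnets(SUBNET_TABLE)

if __name__ == "__main__":
    # Constructed sample of client addresses as a DC might see them.
    clients = ["10.1.2.5", "10.1.2.50", "10.1.9.9", "10.3.4.4",
               "10.200.1.1", "172.20.1.1", "192.168.1.1"]
    for ip in clients:
        print(ip, "->", resolve_site(ip, SUBNETS))
    print("would be counted by event 5807:", unmapped_clients(clients, SUBNETS))

    # Same table with the hub supernets removed: the 10.200.x client now
    # matches nothing, which is exactly what the supernets prevent.
    narrow = build_subnets({c: s for c, s in SUBNET_TABLE.items()
                            if c not in ("10.0.0.0/8", "172.16.0.0/12")})
    print("without hub supernets:", unmapped_clients(clients, narrow))
```

Sorting by prefix length is what makes 10.1.2.5 land on the /24 spoke rather than the /16 or /8 that also contain it, and 10.1.2.50 on the /32 Exchange entry rather than the /24; dropping the hub supernets is the quickest way to see which client ranges would start generating 5807 warnings.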
Comments, Trackbacks, & Pingbacks
#1 re: Subnet Definitions in Active Directory
Tuesday, January 30 2007 10:10 PM by Brian Cline
#2 re: Subnet Definitions in Active Directory
Wednesday, February 07 2007 6:40 PM by Brian Cline
Just came back to this post to say kudos on the /32 trick. I had to use it earlier when one of my remote sites was experiencing 40-minute logon delays. I moved them over to the primary site temporarily so they could log on, and moved a local VM into the affected AD site with a /32 mask so that I could discover what exactly was going on. Good tip.
#3 re: Subnet Definitions in Active Directory
Monday, June 04 2007 5:01 AM by Mike Kline
I'm late to the party here, but the /32 used with a lag site; man, this is why you are an MVP. Good idea.
#4 re: Subnet Definitions in Active Directory
Saturday, November 24 2007 6:08 AM by Yann
Interesting thread...
Brian, when you said "....I moved them over to the primary site temporarily..", do you mean you moved the subnets corresponding to the computers that were experiencing the 40-minute logon delays to the primary site?
Thanks for the clarification :)
Yann
#5 re: Subnet Definitions in Active Directory
Thursday, July 03 2008 10:23 AM by Paul Bergson
Outstanding article, perfectly detailed and diagrammed.
Great job!
#6 re: Subnet Definitions in Active Directory
Tuesday, April 14 2009 3:40 AM by Kampanye Damai Pemilu Indonesia 2009
From here I know something that I wanted to know..
Thanks for this useful information..
#7 re: Subnet Definitions in Active Directory
Sunday, May 03 2009 1:18 PM by carissa putri
Thanks for this nice info, it's so useful for me.
#8 re: Subnet Definitions in Active Directory
Monday, May 18 2009 6:47 AM by john
Interesting post, it helps me in my research, thanks!
#9 re: Subnet Definitions in Active Directory
Friday, May 29 2009 11:29 AM by Computer Terms
It's great. This is really what I am looking for. Thanks.
#10 re: Subnet Definitions in Active Directory
Saturday, June 20 2009 2:30 PM by Sulumits Retsambew
What great info, thanks for informing.
#11 re: Subnet Definitions in Active Directory
Saturday, June 27 2009 1:03 AM by robert
Interesting post, thanks for sharing.
#12 re: Subnet Definitions in Active Directory
Saturday, August 01 2009 8:20 PM by xtcommerce
That's cool, I will cover this.
#13 re: Subnet Definitions in Active Directory
Thursday, August 27 2009 11:52 AM by Ricko
Thanks for this nice info, it's so useful for me.
#14 re: Subnet Definitions in Active Directory
Monday, December 14 2009 2:56 PM by flood pictures
Great explanation, really clear with the pictures.
#15 re: Subnet Definitions in Active Directory
Saturday, January 30 2010 1:58 PM by Indrajith
Why do we need subnetting in Active Directory?
#16 re: Subnet Definitions in Active Directory
Monday, March 01 2010 2:49 AM by Thomas
There's a small typo in your article: "172.16.0.0/21 space is also pretty common in organizations".
172.16 is 12 bit masked, not 21 bit.
great article!
-Tom
#18 re: Subnet Definitions in Active Directory
Sunday, June 20 2010 12:41 AM by Nathan
We offer the highest quality replica watches from all major designer brands. www.classonewatches.com thanks
#20 re: Subnet Definitions in Active Directory
Wednesday, June 23 2010 12:03 AM by Benjamin
Thanks to you
Going green household, Home Energy Savings, Water Conservation, Save Water, Healthy Home, Cut Waste, Zero Waste, Composting www.gogreenonline.com/.../learn
#22 re: Subnet Definitions in Active Directory
Thursday, July 08 2010 5:27 AM by abdul10046
Thanks to you
Even though springtime is almost over ,pollen and other allergens are still floating around in the air http://airnwaterreviews.com/
#24 re: Subnet Definitions in Active Directory
Wednesday, July 21 2010 11:30 PM by msole
Thanks to you
TraVerus enables you to run a successful business right from the comfort of your home. Whether you are a stay at home mom www.millionairetravelagent.com
#26 re: Subnet Definitions in Active Directory
February 3, 2007 4:07 PM by Brian Desmond's Blog
A comment I received on a previous post on sites and subnets in Active Directory was "what benefit(s)
#27 re: Subnet Definitions in Active Directory
March 14, 2009 9:40 PM by Designing AD for a 3-Tier Application
I was chatting with a friend the other day about a design scenario for a typical 3-Tier application that needed Active Directory. Funny this came up because I was just having a similar discussion with another friend last week. Joe covered last week's



Out of curiosity, what benefit(s) does a dedicated Exchange site provide?