Subnet Definitions in Active Directory

One of the common misunderstandings I see working with organizations and their Active Directory deployments is with regard to subnet definitions in Active Directory. This discussion came up recently on the ActiveDir.org mailing list so I thought I would write up a quick summary of how this works.

Subnets are defined in Active Directory solely to determine which Active Directory site a set of machines belongs to. The subnet definitions do not need to correspond to the actual layer 3 routing within the organization. This is the key misunderstanding – the layer 3 routing design does not have to correspond to the subnet/site definitions in Active Directory at all. Second, Active Directory will match a client to the most specific subnet that contains its address. This means that if you have defined two subnet objects in Active Directory, 10.1.0.0/16 and 10.1.2.0/24, a client with an IP of 10.1.2.5 will match the second (more specific) subnet object.

One of the common events that fills up the event log on domain controllers in large organizations is NetLogon warning #5807, which reports client connections from IP addresses that do not map to any site. There are a couple of scenarios where this happens – one is when the AD administrators simply don't define any subnets to go along with their site objects. The second, and also the more common one, is that the team that runs AD tends not to talk to the group that provisions subnets on the network. In large organizations subnets tend to come and go at sites all over the place, and while it would be nice to get all this data keyed into Active Directory as it changes, it's often not very plausible. The solution that I use and recommend is to define very broad supernets at my hub sites. Given a simple hub and spoke with one hub, I would associate 10.0.0.0/8 with the hub site. This guarantees me that any client coming from any 10.x.x.x address will match a subnet in AD, even if its specific subnet was never defined. 172.16.0.0/12 space is also pretty common in organizations – especially for VPNs, DMZs, etc. I'll usually associate this with my hub site as well.

Now the question becomes what if you have a more distributed hub & spoke topology like the one below?

[Diagram: distributed hub and spoke WAN topology with multiple hub sites]

Ideally the WAN comes with a well designed subnet model, and it becomes easy to associate the local supernets with the hub sites as shown below:

[Diagram: per-hub /16 supernets associated with the hub sites, specific subnets with the spoke sites]

In this simplified scenario it's easy to associate the specific subnets with their spoke sites, and then associate the /16s with the hubs. For example, I would build 10.3.0.0/16 and assign that to São Paulo, 10.1.0.0/16 for Chicago, and 10.2.0.0/16 for London. I didn't add 10.0.0.0/8 to any of the sites here because I know that this organization only uses the three networks listed; if I didn't know that, I would make an executive decision based on where the majority of the clients are and associate that supernet there. In reality this is sometimes difficult to do or not immediately obvious. When it comes time to figure this out, the WAN group or whoever handles the network in an organization will have this information readily available if it exists.

Another cool trick that you can do with subnets in Active Directory is defining host subnets – /32 (or 255.255.255.255) masks. With this you can build a site within a site, so to speak, because a /32 is always the most specific match for that one host. An example I ran into once is an organization which wanted a dedicated site for their Exchange environment – a fairly common scenario. For whatever reason the network folks simply weren't willing to provision a dedicated subnet for this. So, what this organization ended up doing was defining subnet objects for each of their Exchange hosts and dedicated DCs with a /32 mask and associating them with this special Exchange site. You could also create a lag site within a subnet by building a site, a site link, and /32 subnets for each of the lag site DCs.
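As an added illustration of the three rules described above (most-specific subnet wins, a broad supernet on a hub catches clients whose subnet was never defined, and /32 host subnets carve a site out of another site's address space), here is a small Python model of the lookup. This is example code written for this write-up, not code from the original post; the site names, the subnet table and the client addresses are constructed for the example, and it models the matching logic rather than querying Active Directory. The audit function lists the clients that would be counted in a NetLogon 5807 warning because no subnet covers them.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed subnet-to-site table modelling the hub-and-spoke example:
# /16 supernets on the three hubs, /24s on spoke sites, a /12 of VPN/DMZ
# space parked on a hub, and /32 host subnets for an "Exchange" site that
# lives inside Chicago's address space. Site names are hypothetical.
SUBNET_DEFINITIONS: Dict[str, str] = {
    "10.1.0.0/16": "Chicago",
    "10.2.0.0/16": "London",
    "10.3.0.0/16": "Sao-Paulo",
    "10.1.2.0/24": "Chicago-Branch-A",   # spoke hung off the Chicago hub
    "10.2.7.0/24": "London-Branch-B",    # spoke hung off the London hub
    "172.16.0.0/12": "Chicago",          # VPN/DMZ space, caught by the hub
    "10.1.2.5/32": "Exchange",           # host subnet: a site within a site
    "10.1.2.6/32": "Exchange",
}

SubnetTable = List[Tuple[ipaddress.IPv4Network, str]]


def build_subnet_table(definitions: Dict[str, str]) -> SubnetTable:
    """Parse the CIDR strings and order them most specific first.

    strict=True rejects definitions with host bits set (e.g. 10.1.2.5/24),
    which AD would also refuse to create as a subnet object.
    """
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in definitions.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def resolve_site(ip: str, table: SubnetTable) -> Optional[str]:
    """Return the site of the longest-prefix subnet containing ip.

    Returns None when no defined subnet covers the address, which is the
    condition a domain controller reports in NetLogon event 5807.
    """
    addr = ipaddress.ip_address(ip)
    for network, site in table:       # longest prefix comes first
        if addr in network:
            return site
    return None


def audit_unmapped_clients(client_ips: Iterable[str], table: SubnetTable) -> List[str]:
    """List the client addresses that map to no site at all."""
    return [ip for ip in client_ips if resolve_site(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SUBNET_DEFINITIONS)
    # Constructed sample of client addresses as seen by a DC.
    clients = ["10.1.2.5", "10.1.2.9", "10.1.200.1", "172.31.4.4",
               "10.3.5.5", "10.9.9.9", "192.168.1.1"]
    for ip in clients:
        print(f"{ip:>14} -> {resolve_site(ip, table)}")
    print("unmapped (would feed event 5807):", audit_unmapped_clients(clients, table))

    # The fix from the post: park a broad supernet on the hub as a catch-all.
    with_catch_all = build_subnet_table({**SUBNET_DEFINITIONS, "10.0.0.0/8": "Chicago"})
    print("after adding 10.0.0.0/8 on the hub:",
          audit_unmapped_clients(clients, with_catch_all))
```

Because the table is sorted by prefix length, the /32 for 10.1.2.5 wins over the /24 it sits inside, which in turn wins over the Chicago /16; adding 10.0.0.0/8 on the hub makes 10.9.9.9 resolvable without disturbing any of the more specific matches, while 192.168.1.1 still shows up in the audit until someone defines it.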

Posted Tuesday, January 30 2007 11:00 AM by Brian Desmond | 19 Comments

Comments, Trackbacks, & Pingbacks

#1 re: Subnet Definitions in Active Directory

Tuesday, January 30 2007 10:10 PM by Brian Cline

Out of curiosity, what benefit(s) does a dedicated Exchange site provide?

#2 re: Subnet Definitions in Active Directory

Wednesday, February 07 2007 6:40 PM by Brian Cline

Just came back to this post to say kudos on the /32 trick. I had to use it earlier when one of my remote sites was experiencing 40-minute logon delays. I moved them over to the primary site temporarily so they could log on, and moved a local VM into the affected AD site with a /32 mask so that I could discover what exactly was going on. Good tip.

#3 re: Subnet Definitions in Active Directory

Monday, June 04 2007 5:01 AM by Mike Kline

I'm late to the party here, but the /32 used with a lag site; man, this is why you are an MVP. Good idea.

#4 re: Subnet Definitions in Active Directory

Saturday, November 24 2007 6:08 AM by Yann

Interesting thread...

Brian, when you said "....I moved them over to the primary site temporarily..", do you mean you moved the subnets corresponding to the computers that were experiencing the 40-minute logon delays to the primary site?

Thanks for clarification :)

Yann

#5 re: Subnet Definitions in Active Directory

Thursday, July 03 2008 10:23 AM by Paul Bergson

Outstanding article, perfectly detailed and diagrammed.

Great job!

#6 re: Subnet Definitions in Active Directory

Tuesday, April 14 2009 3:40 AM by Kampanye Damai Pemilu Indonesia 2009

From here I know something that I want to know..

Thanks for this useful information..

#7 re: Subnet Definitions in Active Directory

Sunday, May 03 2009 1:18 PM by carissa putri

thanks for this nice info, it's so useful for me.

#8 re: Subnet Definitions in Active Directory

Monday, May 18 2009 6:47 AM by john

Interesting post, it helps me in my research, thanks!

#9 re: Subnet Definitions in Active Directory

Friday, May 29 2009 11:29 AM by Computer Terms

It's great. This is really what I am looking for. Thanks.

#10 re: Subnet Definitions in Active Directory

Saturday, June 20 2009 2:30 PM by Sulumits Retsambew

What great info, thanks for informing.

#11 re: Subnet Definitions in Active Directory

Saturday, June 27 2009 1:03 AM by robert

Interesting post, thanks for sharing

#12 re: Subnet Definitions in Active Directory

Saturday, August 01 2009 8:20 PM by xtcommerce

That's cool, I will cover this.

#13 re: Subnet Definitions in Active Directory

Thursday, August 27 2009 11:52 AM by Ricko

thanks for this nice info, it's so useful for me.

#14 re: Subnet Definitions in Active Directory

Monday, December 14 2009 2:56 PM by flood pictures

Great explanation, really clear with the pictures.

#15 re: Subnet Definitions in Active Directory

Saturday, January 30 2010 1:58 PM by Indrajith

Why do we need subnetting in Active Directory?

#16 re: Subnet Definitions in Active Directory

Monday, March 01 2010 2:49 AM by Thomas

there's a small typo in your article. "172.16.0.0/21 space is also pretty common in organizations".

172.16 is 12 bit masked, not 21 bit.

great article!

-Tom

#17 re: Subnet Definitions in Active Directory

Sunday, March 07 2010 3:53 PM by Brian Desmond

Tom-

Fixed - great catch, thanks!

#18 re: Subnet Definitions in Active Directory

February 3, 2007 4:07 PM by Brian Desmond's Blog

A comment I received on a previous post on sites and subnets in Active Directory was "what benefit(s)

#19 re: Subnet Definitions in Active Directory

March 14, 2009 9:40 PM by Designing AD for a 3-Tier Application

I was chatting with a friend the other day about a design scenario for a typical 3-Tier application that needed Active Directory. Funny this came up because I was just having a similar discussion with another friend last week. Joe covered last week's
