“When overlapping IP subnets exist in Active Directory, the IP subnet with the smallest matching subnet mask is used.”

I always think of it the way it is in the book: “AD chooses the most specific subnet defined”. Brian explained it all very succinctly years ago: http://briandesmond.com/blog/subnet-definitions-in-active-directory/

Besides supernets, you can also have the converse, what I call micro-nets with only 1 IP. Hunting down the links, I’m now reminded that Brian called them “defined host subnets”. This is useful for testing or isolating machines because you can have a subnet with a single IP and assign it to sites as you wish. GlenL from MS is the one that introduced me to the isolation routine when we had him onsite advising us about our 2K8 upgrade a few years ago. He subsequently blogged about it in detail: http://blogs.technet.com/b/glennl/archive/2010/08/13/minimizing-risk-during-ad-upgrades.aspx

I’ve done that for upgrade testing, isolation scenarios, and steering apps to a particular DC or data center. It’s a very useful trick to have up your sleeve. We also needed to do it once for a bad *NIX integration stack till they issued a patch; each of the dang things had their own subnet to control AuthN because it broke when they grabbed a GC outside their domain.

Also see https://blogs.technet.microsoft.com/askpfeplat/2013/03/27/how-to-create-an-active-directory-subnetsite-with-32-or-128-and-why/

P.S. This reminded me that while supernets are very cool, be aware that these configurations can cause SCCM grief, depending on how your SCCM people configured it. We have tons of sites/subnets for their DP topology and our people complained at first. Here are some links I had saved about it:
http://social.technet.microsoft.com/wiki/contents/articles/clarification-on-issues-resulting-from-the-use-of-supernets-in-configmgr-2007.aspx
https://blogs.technet.microsoft.com/configmgrteam/2013/03/01/when-not-to-use-ip-address-ranges-as-boundaries-in-configuration-manager/
http://infoworks.tv/create-configmgr-boundary-based-on-active-directory-site-and-services-subnet/

And of course, the book: http://www.briandesmond.com/blog/active-directory-5th-edition

From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L.
Sent: Tuesday, March 22, 2016 5:41 AM
To: [email protected]
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

That’s very cool, not something I’ve seen before. Good luck!

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Monday, March 21, 2016 1:20 PM
To: [email protected]
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

This looks like a killer migration strategy Bonnie. 10.0.0.0/8 on my current primary site. Then carve out a site and subnet at a time. And next week is spring break, I can test on a building that isn’t even in use.

“When overlapping IP subnets exist in Active Directory, the IP subnet with the smallest matching subnet mask is used.”
https://technet.microsoft.com/en-us/magazine/2009.06.subnets.aspx

From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L.
Sent: Friday, March 18, 2016 10:14 AM
To: [email protected]
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

We used to have to control a lot with ADS&S with a hub-and-spoke topology as well, and what you can do depends on whether your infrastructure can actually communicate fully with all of the available DCs, or if clients in some sites can’t actually talk to others due to filtering. This looks pretty good at explaining some of it: http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/

So, if your client machines can’t actually talk to all DCs, then you’ll need to create your own site links and not use the bridging. If your clients CAN actually talk to all of the DCs, then you may be looking at some other underlying problem with AD replication, DNS, or even just timing of doing it all too quickly for the clients (including servers like Exchange) to get the updated information they need. Exchange in particular uses the Microsoft Exchange Active Directory Topology Service to find DCs, so it could just need a restart to get updated once the new site information is online. Someone else (MBS?) might have better info on that process.

If I was recreating sites right now, I would create the site, create the links, and move the DC object. Then wait for AD & DNS to fully replicate out (and verify replication is working and SRV records are showing up correctly) before reassigning subnets, so that you know clients will be able to get their DC locator information from DNS correctly.

Of course at this point, just one site to start with, and watch for auth services like Exchange as you go =)

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 6:40 AM
To: [email protected]
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Had all of them in the same Default IP site link.

From: [email protected] [mailto:[email protected]] On Behalf Of Coleman, Hunter
Sent: Friday, March 18, 2016 9:36 AM
To: [email protected]
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Did you create the site links?

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 7:11 AM
To: [email protected]
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to. I have 12 buildings with dedicated gig fiber back to one of them where the data center is housed. Not a lot of traffic, 10 to 15 percent tops. So I never worked with sites to control replication or logon traffic. But now I have a piece of software that is doing a fair number of GC lookups, and it would seem that my desktops have decided over the years to all talk to one DC. There are DCs in each of five buildings; the 7 smaller ones do not have one. There are currently two all-encompassing subnets, in one site with all the DCs in that site.

So yesterday I decided to make sites. Put in all the subnets for all the buildings, created 5 sites each with at least one DC, and put the appropriate subnets in those sites. It went ugly really fast. Authentication broke enterprise wide; Exchange couldn’t auth and stopped working. For the most part, if it involved auth it broke. Nuked the sites and subnets, moved it all back to two /16’s in one site, and in about 30 minutes all was well. What did I do wrong?
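As an added illustration that is not part of the thread, here is the "most specific subnet wins" rule from the top of the discussion worked out in Python: a /8 supernet left on the hub site (Jim's migration plan) with a /16 carved out for one building and a /32 "defined host subnet" steering a single test machine to an isolation site, plus the IPv6 equivalent. The subnet-to-site table is constructed for the example; in a real forest the domain controller performs this match against the subnet objects in Sites and Services when a client locates a DC.

```python
# Added example (not from the thread): how AD's "most specific subnet wins"
# rule resolves a client IP to a site when subnet objects overlap.
# The subnet-to-site table below is constructed for illustration.
import ipaddress
from typing import Optional

# Constructed subnet objects: a /8 supernet on the hub site, a /16 carved out
# for one building, and a /32 "defined host subnet" that steers a single
# test machine to an isolation site; same pattern for IPv6 (/48 and /128).
SUBNETS = {
    "10.0.0.0/8": "Primary-DataCenter",
    "10.20.0.0/16": "Building-20",
    "10.20.5.77/32": "Upgrade-Isolation",
    "2001:db8:20::/48": "Building-20",
    "2001:db8:20::77/128": "Upgrade-Isolation",
}


def resolve_site(client_ip: str, subnets=SUBNETS) -> Optional[tuple]:
    """Return (site, subnet) for the longest-prefix subnet containing client_ip,
    or None when no subnet object covers it (the client then has no site)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if ip.version != net.version or ip not in net:
            continue
        # Longer prefix = smaller subnet = more specific; it beats any supernet.
        if best is None or net.prefixlen > best[1].prefixlen:
            best = (site, net)
    return None if best is None else (best[0], str(best[1]))


def shadowed_by(cidr: str, subnets=SUBNETS) -> list:
    """List the more-specific subnets carved out of `cidr`: handy when
    checking why a client lands on a site other than its supernet's."""
    outer = ipaddress.ip_network(cidr)
    return sorted(
        c for c in subnets
        if c != cidr
        and ipaddress.ip_network(c).version == outer.version
        and ipaddress.ip_network(c).subnet_of(outer)
    )


if __name__ == "__main__":
    for host in ("10.50.1.1", "10.20.9.9", "10.20.5.77", "2001:db8:20::77"):
        print(host, "->", resolve_site(host))
    print("carved out of 10.0.0.0/8:", shadowed_by("10.0.0.0/8"))
```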
