Server 2019 - Active Directory

**techsxge** · 08-19-2022, 04:10 PM

Re: Server 2019 - Active Directory

Originally posted by rthonpm

The easiest thing in this instance would have been to keep the AD environment behind its own router and setting up the VOIP system off the ISP modem/router. You'd then just have to make sure that the cabling for the phones was clearly distinguished from the computer connections. If you needed a server on the AD side to talk to the VOIP system, you could always dual home it by having an IP on both networks and letting the firewall profiles of Domain and Private filtre your traffic accordingly, or even just allowing the specific ports needed for the system.

You may have been able to make things easier by just increasing the 192.168.0.x network to a 192.168.0.0/23 so that both your 192.168.0.x and 192.168.1.x IP's were valid for the new network. It's easier to change a subnet mask and DHCP to 255.255.254.0 than futzing around with DNS. For some of my customers, I have a 23 network setup just to give them a full block of 250+ static and dynamic addresses.

Sent from my Pixel 6 Pro using Tapatalk

The issue with this is cyber security: If i got access to one of your network segments i can somewhat easily take over your DC and you are pretty much fcked. You'd need to setup a very strict firewall rule for the communication between the two subnets. I have seen a couple businesses going down on their superb big net

**techsxge** · 08-19-2022, 04:14 PM

Re: Server 2019 - Active Directory

Originally posted by BillyCarpenter

Let's start from the beginning.

Double Nat is a new thing for me. And I'm not 100% sure that putting the VOIP system on a different VLAN would solve the double nat problem the VOIP company asked me to clear up.

As to the problem I was having. I think I was clear in that after I changed subnets, I could not open "users and computers" in Active Directory.

PS - I'm gonna have to think about the VLAN suggestion that you made. That would have been much easier than what I went through.

Can you just not open it in terms of you click on it and nothing happens or do you perhaps get an error like "The specified domain either does not exist or could not be contacted."

Also i dont get why the phone system needs to be on a specific subnet. I mainly use tiptel systemand after setup you can switch the subnet to whatever you like and i am quite sure that is standard for all phone systems by now.

EDIT:
Oh and you mentioned you changed the DC#s Hostname, make sure to change the DNS of it accordingly.

**techsxge** · 08-19-2022, 04:24 PM

Re: Server 2019 - Active Directory

Another thing:
Have you made sure to check the health of the DC before changing the subnet on it? Command for it is "dcdiag"
Also health check the DNS Service: "dcdiag /test:dns /v"
Do you get authentication problems in logs? Maybe your FSMO roles got corrupted.
And you need to add the new subnet to AD Sites and Service, this is important.

Last thing i could think of is a local firewall rule on the DC that doesnt allow traffic on any other IP/subnet, might want to check that too

**rthonpm** · 08-19-2022, 04:33 PM

Re: Server 2019 - Active Directory

Originally posted by techsxge

The issue with this is cyber security: If i got access to one of your network segments i can somewhat easily take over your DC and you are pretty much fcked. You'd need to setup a very strict firewall rule for the communication between the two subnets. I have seen a couple businesses going down on their superb big net

All depends on the risk profile. In most instances, I'm just setting up a workaround until the customer's network team gets things in place for a permanent fix, or I'm waiting for my network engineer to get onsite and I need to keep things running.

There are also plenty of other compensating controls that can be put in place that it wasn't worth drilling into with a thousand foot view post.

Sent from my Pixel 6 Pro using Tapatalk

**BillyCarpenter** · 08-19-2022, 05:19 PM

Re: Server 2019 - Active Directory

Originally posted by techsxge

Can you just not open it in terms of you click on it and nothing happens or do you perhaps get an error like "The specified domain either does not exist or could not be contacted."

Also i dont get why the phone system needs to be on a specific subnet. I mainly use tiptel systemand after setup you can switch the subnet to whatever you like and i am quite sure that is standard for all phone systems by now.

EDIT:
Oh and you mentioned you changed the DC#s Hostname, make sure to change the DNS of it accordingly.

Initailly, when I tried to open users and computers nothing happened. I left and returned a few hours later and it was open. So, it would open but it took a loooooong time. I cleared that up.

I'm fairly new and inexperienced when it comes to Windows Server.

Anyway, everything is working fine now. This was good experience for me. You never learn unless you try new shit.

With that being said, I don't fully understand everything you're talking about. Feel free to break it down. I find it interesting.

**BillyCarpenter** · 08-19-2022, 05:30 PM

Re: Server 2019 - Active Directory

Originally posted by rthonpm

The easiest thing in this instance would have been to keep the AD environment behind its own router and setting up the VOIP system off the ISP modem/router. You'd then just have to make sure that the cabling for the phones was clearly distinguished from the computer connections. If you needed a server on the AD side to talk to the VOIP system, you could always dual home it by having an IP on both networks and letting the firewall profiles of Domain and Private filtre your traffic accordingly, or even just allowing the specific ports needed for the system.

How exactly would that be set up? The way it was set up, there was no cabling from the ISP router to the patch panel. The 2 routers (ISP & Linksys) were connected via WAN ports and all PC's were connected to the LinkSys router.

The only way I can think to make your scenario work is to create a seperate VLAN for the phones and set up another DHCP pool to assign addresses in ISP range.

It's kinda confusing to me. I'm not gonna lie.

**techsxge** · 08-19-2022, 05:34 PM

Re: Server 2019 - Active Directory

Originally posted by rthonpm

All depends on the risk profile. In most instances, I'm just setting up a workaround until the customer's network team gets things in place for a permanent fix, or I'm waiting for my network engineer to get onsite and I need to keep things running.

There are also plenty of other compensating controls that can be put in place that it wasn't worth drilling into with a thousand foot view post.

Sent from my Pixel 6 Pro using Tapatalk

Ok so i guess you are more of a tech "installing" new systems at a customers site and let their IT do the "rest"?
I am looking at this from the IT Peoples point of view as that is what i am doing on a daily base

**techsxge** · 08-19-2022, 05:35 PM

Re: Server 2019 - Active Directory

Originally posted by BillyCarpenter

How exactly would that be set up? The way it was set up, there was no cabling from the ISP router to the patch panel. The 2 routers (ISP & Linksys) were connected via WAN ports and all PC's were connected to the LinkSys router.

The only way I can think to make your scenario work is to create a seperate VLAN for the phones and set up another DHCP pool to assign addresses in ISP range.

It's kinda confusing to me. I'm not gonna lie.

Keep the AD on the Linksys like everything was before and then cable over to the ISP?

**BillyCarpenter** · 08-19-2022, 05:37 PM

Re: Server 2019 - Active Directory

Originally posted by techsxge

Ok so i guess you are more of a tech "installing" new systems at a customers site and let their IT do the "rest"?
I am looking at this from the IT Peoples point of view as that is what i am doing on a daily base

This is a non-profit school and they asked me to help them with their network. I give them a break on the pricing. It saves them money and gives me a chance to learn and get experience. And it's only a couple of blocks over from my office.

They don't have an IT dept. I am their IT dept.

**techsxge** · 08-19-2022, 05:37 PM

Re: Server 2019 - Active Directory

Originally posted by BillyCarpenter

Initailly, when I tried to open users and computers nothing happened. I left and returned a few hours later and it was open. So, it would open but it took a loooooong time. I cleared that up.

I'm fairly new and inexperienced when it comes to Windows Server.

Anyway, everything is working fine now. This was good experience for me. You never learn unless you try new shit.

With that being said, I don't fully understand everything you're talking about. Feel free to break it down. I find it interesting.

if you need any help with windows server administration, i can surely try to explain some things to you although i am german and most of the time i use german phrasing for most things so i might not find the correct word for everything

Feel free to drop me a PM tho

And to the slow loading time: Have you rebooted the system? Should've done the trick

**techsxge** · 08-19-2022, 05:42 PM

Re: Server 2019 - Active Directory

Originally posted by BillyCarpenter

This is a non-profit school and they asked me to help them with their network. I give them a break on the pricing. It saves them money and gives me a chance to learn and get experience. And it's only a couple of blocks over from my office.

They don't have an IT dept. I am their IT dept.

That was not directed to you.
But i think thats a good idea, although i'd not want someone who is learning the basics by "try and error" to administrate a school, but cool for you

**BillyCarpenter** · 08-19-2022, 05:43 PM

Re: Server 2019 - Active Directory

Originally posted by techsxge

if you need any help with windows server administration, i can surely try to explain some things to you although i am german and most of the time i use german phrasing for most things so i might not find the correct word for everything

Feel free to drop me a PM tho

And to the slow loading time: Have you rebooted the system? Should've done the trick

That's very kind of you. I'm always amazed by the members on here that are willing to help. I appreciate all of your help and if I need anything, I'll be sure to let you know. Thanks.

**BillyCarpenter** · 08-19-2022, 05:47 PM

Re: Server 2019 - Active Directory

Originally posted by techsxge

That was not directed to you.
But i think thats a good idea, although i'd not want someone who is learning the basics by "try and error" to administrate a school, but cool for you

Eh, I usually create a system image backup if I'm gonna make any major changes. That way, if something goes wrong, I can put it back the way it was. Thus far, I haven't let them down. Lets keep our fingers crossed. lol

**rthonpm** · 08-19-2022, 05:50 PM

Re: Server 2019 - Active Directory

Originally posted by techsxge

Ok so i guess you are more of a tech "installing" new systems at a customers site and let their IT do the "rest"?
I am looking at this from the IT Peoples point of view as that is what i am doing on a daily base

No. I do servers and workstation support for the most part. I dip my foot into networking, but I don't have the time to really dig into it beyond the basics. I have a network engineer on staff that does most of the heavy lifting on that side since he's got the Cisco and Palo Alto skills.

Want your GPO's and servers set up, I'm your guy. Want your VLAN's and routing done? I've got a guy for that.

Sent from my Pixel 6 Pro using Tapatalk

**BillyCarpenter** · 08-19-2022, 05:51 PM

Re: Server 2019 - Active Directory

PS - Here's a little backstory on how I came to be over their network.

I have a good friend who is an IT professional and he was over their network and I did the the copiers. They somehow managed to piss my friend off and he left them. They had no one.

The man that runs the school asked me if I would do it. I told him that's not what I do. He kept bugging me about it and I told him that I would try to help but I'm new to the world of Windows Server and if I didn't know how to do something, he was gonna have to get someone who could.

That's the story.

Server 2019 - Active Directory

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment