Quite often you don't need to restart the server. You can often just restart the service(s) that are supposed to be running on the server. As an example, I went to a major account for a problem of some people not being able to print. I noticed almost immediately that the computers that could not print did not have a proper IP address. The bsm2 type local IT was too busy trying to determine which router needed to be replaced to talk to a lowly copier tech. He had been working on the problem about 5 hours. The receptionist had the IT supervisor from Seattle call me. I told him what I had noticed. He said he would remote in and restart the DHCP service. 2 minutes later the receptionist made a PA announce for everyone having network problems to reboot their computers.
Ok, why did you change the subnet of your DC in the first place? It would be much better to just create a VLAN for the VOIP phone system. Phone systems are known for being a good entry point as there often is weak port filtering, so having it in a different net would not even be that bad. You could then use a DECT base to "spread" the phone system to all wireless phones.
For double NATting issues you should use a custom firewall and not some built-in crap from routers.
Also I am confused by what you need help with:
- AD like mentioned in the title?
- Trouble opening C&U?
- Access to the service router?
Let's start from the beginning.
Double Nat is a new thing for me. And I'm not 100% sure that putting the VOIP system on a different VLAN would solve the double nat problem the VOIP company asked me to clear up.
As to the problem I was having. I think I was clear in that after I changed subnets, I could not open "users and computers" in Active Directory.
PS - I'm gonna have to think about the VLAN suggestion that you made. That would have been much easier than what I went through.
Growth is found only in adversity.
Double NAT situations can cause issues with some services like VOIP systems, but there are ways to overcome it. It usually comes down to latency issues. I've used double NAT in a few situations as a poor man's VLAN, or to just quickly segment traffic. For example, for customer equipment that I bring back to the office to configure or repair, I use a separate wireless router and its Ethernet ports to allow internet traffic while also keeping them entirely separate from my own network, even though both networks are connected to the same modem.
The easiest thing in this instance would have been to keep the AD environment behind its own router and set up the VOIP system off the ISP modem/router. You'd then just have to make sure that the cabling for the phones was clearly distinguished from the computer connections. If you needed a server on the AD side to talk to the VOIP system, you could always dual home it by having an IP on both networks and letting the firewall profiles of Domain and Private filter your traffic accordingly, or even just allowing the specific ports needed for the system.
You may have been able to make things easier by just increasing the 192.168.0.x network to a 192.168.0.0/23 so that both your 192.168.0.x and 192.168.1.x IPs were valid for the new network. It's easier to change a subnet mask and DHCP to 255.255.254.0 than futzing around with DNS. For some of my customers, I have a /23 network set up just to give them a full block of 250+ static and dynamic addresses.
Sent from my Pixel 6 Pro using Tapatalk
The issue with this is cyber security: if I got access to one of your network segments I can somewhat easily take over your DC and you are pretty much fcked. You'd need to set up a very strict firewall rule for the communication between the two subnets. I have seen a couple of businesses going down on their superb big net.
Can you just not open it, in terms of you click on it and nothing happens, or do you perhaps get an error like "The specified domain either does not exist or could not be contacted."?
Also I don't get why the phone system needs to be on a specific subnet. I mainly use tiptel systems and after setup you can switch the subnet to whatever you like, and I am quite sure that is standard for all phone systems by now.
EDIT:
Oh, and you mentioned you changed the DC's hostname; make sure to change its DNS records accordingly.
Another thing:
Have you made sure to check the health of the DC before changing the subnet on it? Command for it is "dcdiag"
Also health check the DNS Service: "dcdiag /test:dns /v"
Do you get authentication problems in logs? Maybe your FSMO roles got corrupted.
And you need to add the new subnet to AD Sites and Service, this is important.
Last thing I could think of is a local firewall rule on the DC that doesn't allow traffic on any other IP/subnet; you might want to check that too.
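The checklist in the post above (dcdiag, DNS test, FSMO holders, the new subnet in AD Sites and Services, local firewall scoping) as one PowerShell script, added here as an example and not posted by anyone in the thread. It assumes it runs on the DC with the ActiveDirectory module (RSAT) present; the subnet `192.168.1.0/24` and the site name `Default-First-Site-Name` are constructed sample values.

```powershell
# Added example: post-subnet-change health check for a domain controller.
# Assumes: run elevated on the DC, ActiveDirectory module available.
param(
    [string]$NewSubnet = '192.168.1.0/24',          # constructed sample value
    [string]$SiteName  = 'Default-First-Site-Name'  # assumed site name
)
Import-Module ActiveDirectory

# 1. General DC health and the DNS test from the post (/q prints only failures).
dcdiag /q
dcdiag /test:dns /v

# 2. After a hostname/IP change: does the DC's A record match an address it actually has?
$dc      = Get-ADDomainController -Identity $env:COMPUTERNAME
$dnsIPs  = (Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue).IPAddress
$localIP = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -NotLike '127.*').IPAddress
$stale   = $dnsIPs | Where-Object { $_ -notin $localIP }
if ($stale) { Write-Warning "DNS A record(s) for $($dc.HostName) point to old address(es): $($stale -join ', ')" }

# 3. FSMO role holders: are they all reachable from this DC?
$domain = Get-ADDomain
$forest = Get-ADForest
$roleHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster) | Sort-Object -Unique
foreach ($holder in $roleHolders) {
    if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
        Write-Warning "FSMO role holder $holder is not reachable"
    }
}

# 4. The new subnet must be registered in AD Sites and Services, or clients
#    will not find a site-local DC and logons/MMC snap-ins become very slow.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'")) {
    New-ADReplicationSubnet -Name $NewSubnet -Site $SiteName
    Write-Host "Added subnet $NewSubnet to site $SiteName"
}

# 5. Enabled inbound firewall rules whose address scope is restricted: these are the
#    ones that may still be pinned to the old subnet and silently drop the new one.
Get-NetFirewallRule -Enabled True -Direction Inbound | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    if ($filter.RemoteAddress -ne 'Any' -or $filter.LocalAddress -ne 'Any') {
        [pscustomobject]@{ Rule = $_.DisplayName; Local = $filter.LocalAddress; Remote = $filter.RemoteAddress }
    }
} | Format-Table -AutoSize
```

Run it once after the change and again after a DNS scavenging cycle; step 5 lists the rules for review rather than editing them, since the correct scope depends on the site.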
All depends on the risk profile. In most instances, I'm just setting up a workaround until the customer's network team gets things in place for a permanent fix, or I'm waiting for my network engineer to get onsite and I need to keep things running.
There are also plenty of other compensating controls that can be put in place that it wasn't worth drilling into with a thousand foot view post.
Initially, when I tried to open Users and Computers nothing happened. I left and returned a few hours later and it was open. So, it would open but it took a loooooong time. I cleared that up.
I'm fairly new and inexperienced when it comes to Windows Server.
Anyway, everything is working fine now. This was good experience for me. You never learn unless you try new shit.
With that being said, I don't fully understand everything you're talking about. Feel free to break it down. I find it interesting.