On from my DNS query, we have run into a problem that I saw coming but need to try and fix before we spend lots of money calling in CSE to do it for us: we have a split-site computer network. My Systems Manager wants to keep our new "lower" site separate from our managed "upper" site, and to do this we have to date installed a separate server, used local profiles with redirected folders etc., and it runs nicely.
The "problem" occurs when we RIS image the systems. They don't know where to get their DHCP address from (the upper site server or the lower site server). This shows itself in lack of ability to browse to the REMINST folder all the way to not even seeing the server on the LAN at all!
I'm aware that you aren't "supposed" to run two DHCP servers on the same LAN. I told them this a while ago while planning was taking place. But no-one listens and they want what they want.
My solution would be to have CSE come in and make the LAN one contiguous space (install the server as a member of the upper site network etc). The Sys. Manager is reluctant and wants to try different solutions next week. We have exactly one week to decide what to do before things start getting critical mass.
All that said (sorry for the length), I want to know:
(a) If running two separate DHCP servers (with different subnets) on the same LAN is possible and can work, and
(b) How to make it work. Can I use prestaging of the clients in the AD and then RIS? Can I block DHCP broadcast requests on our switches so that DHCP requests don't travel across sites? Or is there another way?
Any advice via PM, email, or on the forum would be greatly appreciated.
(a) If running two separate DHCP servers (with different subnets) on the same LAN is possible and can work
This indeed can work, and does, as this is the way that I do it, and it allows for DHCP failover. I have one server dishing out 192.168.0.1 -> 192.168.2.254 and the other doing 192.168.3.1 -> 192.168.4.254; this way we do not get any conflicts.
I am not sure how you have done your image for RIS, but we do complete clean installs and have done so this summer on over 500 machines. Each machine, when it hit the GUI portion of the install, found either DHCP 1 or DHCP 2, grabbed an IP and continued without issue.
Not one of the 500 PC's failed to get on the network and continue the install.
I am, however, running 1 domain and 2 Windows 2003 DCs, both of them set as GCs, with DC 1 being the FSMO role holder and schema master.
The domain is split into 2 ASync VLANs and controlled at switch level; this is how I split the Admin and Curriculum networks, but this is just extra in my case.
What's different between our two networks is that (if I read you right) we are running two completely separate domains, each with their own DHCP server. If it were a case of one domain (as your own is) then spreading DHCP across more than one server makes a lot of sense.
What I've found out since asking the question is that a good way of actually blocking DHCP requests from crossing physical sites is to install either (a) a router (which won't forward broadcasts) or (b) use VLANs.
I'm going (I think) with (b) VLANs, one for each domain. Well, I'm going to try it anyway, lol!
Does this make sense?
Summary: two separate networks (I know it's stupid, but it's what they want); two separate DHCP servers; separated by two VLANs so that DHCP broadcasts stay on the local subnet only.
Thanks again- and if you think I'm heading down the wrong track here feel free to say so :-)
If you are talking about a DHCP box on each site (presuming one on yours and the other at the old OLPJ site) then IIRC you can add an extra tag on the DHCP request that is unique to each site and that can be blocked at switch level (I can't remember whether this requires layer 4 or layer 3 switches though ...) so one from site A never reaches site B ... Also, if you are using reservations via MAC address you can have the reservation on one server and not the other, and as long as you don't have any other addresses available within the scopes, the requesting machine will fail on the first server and make the request to the second server.
Speak with David Oram for more help on the switch side of things ... if you can get hold of him.
I think you may be suggesting we use tagging a la 802.1q (used in VLANs on layer 3 switches). We have two layer 3 switches (one on each site) and I'll get on to David Oram on Monday and get his body over here to configure them (he hasn't given us the correct username and password for the switches--incredible!). As you say, *if* I can get hold of him :-(
Here's an update to the issue: I said that the Sys Admin wants the networks separate (as does the head of ICT) but after extensive discussions with .ICT (County) and also our managed solution providers, we are joining the networks and making sure that we can manage most of the LAN centrally.
It took a lot of convincing however. Thanks to all of you for your contribution- I actually went away and did my research and presented most of the points as arguments for or against managing these networks separately.
ICTNUT: you were right on the use of tagging and backbone trunking- apparently we would have had a lot of problems with this and shared internet access.