How would one integrate a domain in a VLAN network?

E.g. I have three sites with three VLANs (Students, Staff, Finance)

1. Do I set up a forest-domain structure with independent domains or do they share one?
2. Do I have a DC at each site?
3. How do I make sure that a machine in the student VLAN at site 1 is not given the same IP address as a machine in the student VLAN at site 2 (from DHCP)?

Any help is much appreciated.
 
Assuming you already have DHCP in place, then you don't need to change anything; DHCP doesn't need to be AD integrated.

Number of DCs is entirely up to you, a minimum of two for redundancy is advised and given the chance I'd happily have them on different sites for further reliability. The actual number depends on the number of users and the speed of your site links.

I would only set up one domain as I can't stand overly complicated ADs that were set up for no good reason.

Given the level of questions you're asking I would strongly advise you not to do this without significant third party help, assuming it is a real piece of work and not your university coursework you are getting us to do!
 
1) This is a business decision based on security policies; you could have separate domains so no one from another site can authenticate on a different site (i.e. good security). You may want systems to talk to each other, so you could do trusts. Similarly you could have a single domain spread across all three. It's entirely up to you (this is the wonder of AD planning).

2) Typically yes. Windows will cache credentials, but if this is disabled (again, some consider it a security issue) and you don't have a local DC, what happens if the intersite comms fail?

3) DHCP scopes... again this is too varied a question.

All these 3 questions are too high level; for accurate, clear and good advice you need to be clear in your objectives. Right now it's merely speculation...
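The addressing idea behind answer 3 (one subnet, and therefore one DHCP scope, per site and VLAN, so a student machine at site 1 and one at site 2 are on different subnets and can never be handed the same address) as an added example; this is not code from the thread, and the per-site /16 blocks, VLAN IDs and the reserved low range are assumptions:

```python
import ipaddress

# Constructed plan for the thread's scenario: three sites, each with
# Students / Staff / Finance VLANs. Each (site, VLAN) pair gets its own /24,
# so the same VLAN name at two sites never shares an address range.
SITES = {1: "10.1.0.0/16", 2: "10.2.0.0/16", 3: "10.3.0.0/16"}  # assumed /16 per site
VLANS = {"Students": 10, "Staff": 20, "Finance": 30}             # assumed VLAN IDs


def build_plan():
    """Return {(site, vlan_name): (subnet, scope_start, scope_end)}.
    The third octet carries the VLAN ID, giving 10.<site>.<vlan>.0/24."""
    plan = {}
    for site, block in SITES.items():
        site_net = ipaddress.ip_network(block)
        for name, vid in VLANS.items():
            subnet = ipaddress.ip_network(f"{site_net.network_address + vid * 256}/24")
            hosts = list(subnet.hosts())
            # .1-.9 left out of the scope for the gateway and static kit (assumption)
            plan[(site, name)] = (subnet, hosts[9], hosts[-1])
    return plan


def check_plan(plan):
    """List problems: a scope outside its own subnet, or two scopes that overlap.
    An empty list means no two sites can ever lease the same address."""
    problems = []
    items = list(plan.items())
    for key, (subnet, start, end) in items:
        if start not in subnet or end not in subnet or start > end:
            problems.append(f"{key}: scope {start}-{end} not inside {subnet}")
    for i, (k1, (_, s1, e1)) in enumerate(items):
        for k2, (_, s2, e2) in items[i + 1:]:
            if s1 <= e2 and s2 <= e1:  # ranges intersect
                problems.append(f"{k1} overlaps {k2}")
    return problems


if __name__ == "__main__":
    plan = build_plan()
    for (site, vlan), (subnet, start, end) in sorted(plan.items()):
        print(f"site {site} {vlan:8s} {subnet}  scope {start}-{end}")
    print("problems:", check_plan(plan) or "none")
```

Feeding the same table into the DHCP servers (one scope per row, with the site routers relaying to the server that owns that site) is what stops two sites from ever leasing the same address.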
 
When you say sites, do you mean three physically different locations with WAN links between them? Or is it a single campus?

If you look on Edugeek.net there's quite a lot of stuff about VLANs. But generally most normal sized schools (from your post it sounds like some sort of academic institution) will use a single domain.

In the past it's been more common for schools to have two; this was generally a throwback to when schools didn't have proper IT staff and different people managed curriculum and administration computers.

How many computers are we talking about?
 
E.g. I have three sites with three VLANs (Students, Staff, Finance)

Don't bother trying to put staff and student PCs located in the same areas on separate VLANs; it's pointless and just creates more work for yourself.

You'd be best off splitting the 3 sites into 3 separate VLANs, then putting various services within those sites on separate VLANs again. Depending on the number of PCs within each site I'd suggest a separate RODC for each site and then a central PDC for your infrastructure, each doing DHCP, DNS and so on for their respective sites.

E.g. all PCs in site 1 have the VLAN of site 1 regardless of use, and the same for sites 2 and 3; then all printers within sites 1, 2 and 3 have the same VLAN across all 3 sites, along with various other services such as a managed wireless solution, IPTV implementation etc. if you have them.

Just a rough suggestion though, based on the information you've given; actual implementation varies greatly depending on what will be on your network, such as the number of PCs per site. Get your routing and VLANs right and you'll cut down on all the horrible broadcast traffic :)
 