IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
While working with a customer this week on their Active Directory (AD) Site configuration I found out they had not heard about using a /32 or /128 subnet mask. In fact my Bing search did not reveal a lot of information on how and when to use this handy part of AD. The purpose of this article is to explain the what, how and when of using this technique.
AD Sites allow you to attempt to match the logical (AD Sites) to your physical subnets (cables, wires, hardware). This is not an easy task, mostly because networking is hard for most people. Your networks may also not have the best documentation, or that documentation may not be available to the AD administrators. Your network may also not be broken down the way you need it for AD purposes.
Let me define some uses for sites before we go any further:
What are Sites for anyways?
1) To help control AD replication. Putting domain controllers within a site (intra-site) or further away in different sites (inter-site).
2) The client logon process uses sites to find the closest domain controller(s).
3) System Center Configuration Manager uses AD sites for its configuration and package distribution.
4) Distributed File System (DFS) uses sites to determine if a given client is closer to one replica or another.
5) Printing can use locations, which are an attribute of sites, allowing clients to locate printing devices close to them.
6) Blank sites (without a Domain Controller or DFS Server) force clients to use site costing to find the next closest site. They may also be set up for later use, staged, if you will.
What does /32 or /128 mean? First off, I am talking about creating a logical connection within your AD to match the physical network that already exists. Start by opening the Active Directory Sites and Services snap-in from the Administrative Tools. I am using Windows Server 2012 but any currently supported version of AD will work for this purpose. A /32 or /128 takes precedence over a shorter subnet mask such as /24 or /64, because the site lookup matches a client's address against the longest prefix. The dialog box looks like this:
This is from my test lab where I have only two Domain Controllers (DCs). I wanted to have two sites, but the physical network has only one subnet. /32 or /128 to the rescue!
If you use a /32 on IPv4 that puts all 1's in the subnet mask (32 of them in fact), leaving only that one IP in the range. So a range of 192.168.3.51/32 would only cover the single address 192.168.3.51.
If you use a /128 on IPv6 that puts all 1's in the subnet mask (128 of them in fact), leaving only that one IP in the range. So a range of fe80:a10c:5fea:47c1:df05/128 would only cover the single address fe80:a10c:5fea:47c1:df05.
First you need to find your IP addresses. I like to open a Command Prompt and type ipconfig as seen here:
These are static addresses. If you use DHCP to assign the computer an address you will have to reserve it within DHCP to ensure it keeps that address after a reboot and that the lease will never expire.
Next, open the Active Directory Sites and Services snap-in from the Administrative Tools. Highlight Subnets (under Sites) and right-click to create a new Subnet. After you have a few /32 or /128's it should look something like this:
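The same steps can be scripted with the ActiveDirectory PowerShell module, which is handy when you want the change reviewable and repeatable. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, an existing hub site named Default-First-Site-Name, a hypothetical new site called Build-Site, and a constructed IPv6 address in the 2001:db8 documentation prefix standing in for your own.

```powershell
# Added example, not from the original post. Run on a domain-joined admin box.
# Assumes: RSAT ActiveDirectory module, hub site 'Default-First-Site-Name',
# hypothetical new site 'Build-Site', constructed IPv6 address (2001:db8 prefix).
Import-Module ActiveDirectory

$hubSite   = 'Default-First-Site-Name'
$buildSite = 'Build-Site'   # hypothetical name for the dedicated build/test site

# 1. Create the logical site that the /32 and /128 subnets will belong to.
New-ADReplicationSite -Name $buildSite -Description 'Dedicated build/test site'

# 2. Bind single hosts to it. A /32 (IPv4) or /128 (IPv6) covers exactly one
#    address and wins over the /24 or /64 that the physical subnet already has
#    in the hub site, because site matching uses the longest prefix.
$hostSubnets = @(
    '192.168.3.51/32',                        # IPv4 address taken from ipconfig
    '2001:db8:a10c:5fea:47c1:df05::1/128'     # constructed IPv6 example address
)
foreach ($subnet in $hostSubnets) {
    New-ADReplicationSubnet -Name $subnet -Site $buildSite -Location 'Test lab'
}

# 3. Link the new site to the hub so replication and site costing work.
New-ADReplicationSiteLink -Name "$hubSite-$buildSite" `
    -SitesIncluded $hubSite, $buildSite -Cost 100 `
    -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 4. Verify: every subnet with its prefix length and site, longest prefix first,
#    which is the order in which a client address is effectively matched.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name,
        @{ n = 'PrefixLength'; e = { [int](($_.Name -split '/')[1]) } },
        @{ n = 'Site';         e = { (($_.Site -split ',')[0]) -replace '^CN=' } } |
    Sort-Object PrefixLength -Descending |
    Format-Table -AutoSize

# 5. On the affected client, confirm its site without a reboot:
#    nltest /dsgetsite
```

If a client still reports the old site, run `nltest /dsgetsite` again after the subnet change has replicated to the DC the client is talking to; the client re-evaluates its site from the DC's response, not from a local cache you have to clear.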
So when does this come in handy?
1) Test Lab scenarios.
a. When you need to test AD or applications between AD Sites and you only have one subnet. Below I created two logical sites on one physical network using IPv4 and IPv6 subnets. The /32 or /128 allows me to control precisely which site each test machine will be in, even though they are on the same physical subnet in the real world.
b. To allow testing of remote services for a client.
2) Build Site.
a. On Windows Server 2012 you have the ability to pick the server you replicate from when you create a new Domain Controller. You may not want to use the same DC that all your clients hit. Creating a new Site and using a /32 or /128 to add a dedicated promotion DC might be just what you need. This is an awesome feature of Windows Server 2012 (first in 2008 R2). I love it!
b. Another use is dedicated application testing: point the testers at your /32 or /128 Build Site and let them have fun. You may have to move the client (by its IP Address) into the site before you test.
a. To isolate a computer from traffic, maybe because you want to decommission it. Taking it out of a used site means only hard-coded applications will continue to use it. Monitor to find the rest and "fix" the hardcoding. You might need a rubber mallet to stop the person from hardcoding.
b. To do maintenance on the machine or software for a lengthy period of time.
a. DFS site costing. You might find that you have sites with no DCs but still need to shape DFS link target discovery. So create a site, link it up, and then associate a single IP subnet with the site that matches that DFS link target server's IP. Lastly, link the client sites to the DFS site, then link the DFS site to the site with the DCs.
As you have seen, the /32 or /128 subnet can be a very handy tool in your Active Directory bag of tricks. No need to adjust the weight on DNS SRV records, reboot a machine, or use RRAS to create a new network. This technique can be used for clients and servers alike.