This is the second in a series of posts about downgrading from a Windows domain-based network structure to a workgroup-based one. The series starts here.
Here’s a quick outline of my present network:
- Flat IP structure, with everything on x.x.x.x/24.
- DHCP server on a Windows server, serving a scope of about 200 IP addresses and a dozen reservations. About 100 active leases, including all workstations, most switches, VoIP phones, iPhones, iPads, thermostats, TV boxes, WAPs, etc.
- About 20 devices with static IP addresses: DCs, servers, firewall, NAS boxes, VoIP PBX, Voicemail
- Local DNS on a Windows server, kept in sync with the DHCP server by the built-in Windows Server integration (the DHCP server registers its clients' records in DNS as it hands out leases).
Here's a thought that occurred to me. Keep everything pretty much as it is, but run multiple DHCP servers during the transition, and try to sort everything out with VLANs. The more I think about this, the more problems I see, but the big reason for rejecting it is that I don't trust myself to keep everything straight in the transition, and to replicate the VLANs faithfully as switches fail and are replaced. I'm doing this to make my life simpler, and this sounds like it could go the other way. Nevertheless, I include it here for completeness.
If I'm ever going to get rid of the Windows DHCP server, I don't want to do it in one fell swoop. I'd like to convert all the reservations to hard-coded IP addresses. I'm also going to want to run split-scope DHCP (two servers, each owning a non-overlapping part of the address range) in the future for reliability. Both of those things mean I'm going to need a bigger IP address space than my present /24: the static addresses have to live outside every dynamic scope, and each DHCP server needs its own scope with room to spare. I figure at least /22, or maybe /21.
With that as a given, here are two possibilities that might work.
Big, flat IP network. Keep the IP structure flat, but make it bigger.
- First, convert the present system to, say, a /21 subnet mask, but leave all the IP’s the same. Manually change all the static IP subnet masks, and change the subnet mask the DHCP server is handing out.
- Bring up two DHCP servers, say on Synology NAS boxes, and give each a /24-sized scope inside the new range, with the two scopes not overlapping each other or any static address. Have them hand out the new subnet mask, and 8.8.8.8 as the DNS address.
- Then go around and force all the DHCP clients to release and renew their leases.
- Downgrade all the domain workstations and file servers to workgroup members. There are some complications to this that I'll go into later.
- Decommission the domain controllers
- Have no local DNS (in which case local machines are reachable only by IP address or hosts-file entry), or run a DNS for the static IPs on a small server or maybe a router.
Issue:
- Before the change, the directed broadcast address is x.x.x.255. After the change, it's x.x.y.255 (the last address of the /21). In between, different devices will have different broadcast addresses, and, just as importantly, different ideas of what is on-link: a host still on /24 will send traffic for the rest of the /21 to the default gateway instead of ARPing for it directly, while a host already on /21 will ARP for the /24 host directly. Layer-2 broadcasts such as ARP and DHCP discovery (sent to 255.255.255.255) are unaffected. Will the mixed masks wreak havoc?
Variation:
- Move the PBX, VM, and all the VoIP phones to their own subnet, and connect them to their own router, still using the flat switching structure.
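To see what the mixed-mask period actually looks like, here is a small model of the transition above. It is an added example, not code from the original post: the host names and addresses are constructed for illustration, and the current network is taken to be 10.10.24.0/24 widening to 10.10.24.0/21, as the post's later figures suggest. It uses only the Python standard library.

```python
import ipaddress

# Constructed example hosts for the transition described in the post: the network
# is widened from 10.10.24.0/24 to 10.10.24.0/21 one device at a time, so for a
# while some hosts still carry the /24 mask while others already have /21.
# Names and addresses are assumptions for illustration, not from the post.
HOSTS = {
    "old-printer": "10.10.24.50/24",   # static, not yet re-masked
    "new-laptop": "10.10.25.20/21",    # got the new mask from the new DHCP server
    "file-server": "10.10.24.10/21",   # static, already re-masked
}


def broadcast_of(host_cidr: str) -> str:
    """The directed broadcast address this host will use, given its own mask."""
    return str(ipaddress.ip_interface(host_cidr).network.broadcast_address)


def considers_on_link(src_cidr: str, dst_ip: str) -> bool:
    """True if src will ARP for dst directly; False if it sends via its default gateway."""
    src = ipaddress.ip_interface(src_cidr)
    return ipaddress.ip_address(dst_ip) in src.network


def transition_report(hosts: dict) -> dict:
    """For every ordered (src, dst) pair, record whether src treats dst as on-link
    and whether the two hosts agree on the directed broadcast address."""
    report = {}
    for src_name, src in hosts.items():
        for dst_name, dst in hosts.items():
            if src_name == dst_name:
                continue
            dst_ip = dst.split("/")[0]
            report[(src_name, dst_name)] = {
                "on_link": considers_on_link(src, dst_ip),
                "same_broadcast": broadcast_of(src) == broadcast_of(dst),
            }
    return report


def asymmetric_pairs(hosts: dict) -> list:
    """Unordered pairs where one side thinks the other is on-link and the other
    side does not.  Traffic between these two hosts silently depends on the
    router forwarding one direction until both carry the same mask."""
    rep = transition_report(hosts)
    out = []
    for (a, b), r in rep.items():
        if a < b and r["on_link"] != rep[(b, a)]["on_link"]:
            out.append((a, b))
    return out


if __name__ == "__main__":
    for pair, r in transition_report(HOSTS).items():
        print(pair, r)
    print("asymmetric:", asymmetric_pairs(HOSTS))
```

In the constructed data the only asymmetric pair is the laptop on /21 and the printer still on /24: the laptop ARPs for the printer directly, while the printer sends its replies to the gateway, which must route them back onto the same segment. That works as long as the gateway itself already has the /21 mask, but it is the kind of one-way dependency worth finding before the change rather than during it.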
And here’s an alternate approach.
Three subnets.
- Create a /24 subnet for the VoIP gear as in the variation above. Make all the devices use fixed IP addresses.
- Keep the current subnet, 10.10.24.0/24, for servers, NAS boxes, switches and WAPs, but convert it to all fixed IP addresses, using the already-leased DHCP-assigned addresses.
- Put reservations in the Windows DHCP server for all those fixed IP addresses, so that it cannot hand any of them out again while it is still running.
- Keep the local DNS that’s running on the Windows servers, for now.
- Create a new /20 or /21 subnet, say at 10.0.0.0.
- Assign a port on the firewall to that subnet.
- Shut down the Windows DHCP server.
- Bring up DHCP servers on two Synology NASs, or on one NAS and the firewall, and have them serve non-overlapping /23 or /24 scopes on the new 10.0.0.0/20 subnet, handing out 8.8.8.8 as the DNS address.
- Either force the remaining DHCP clients to release and re-acquire their leases, or just wait until they do.
- Add rules to the firewall so that 10.10.24.x hosts can open connections to 10.0.x.x hosts, but nothing on 10.0.x.x can open a connection into 10.10.24.x (on a stateful firewall the replies to permitted connections still flow; what gets blocked is new connections from the client side).
- Over time, convert the domain workstations to workgroup members.
- Configure the 10.10.24.x devices to use 8.8.8.8 for a DNS.
- Shut down the Windows DNSs.
- Decommission the Windows servers.
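Before cutting over to the three-subnet plan, the things that can go quietly wrong are overlapping scopes, a scope that spills outside the new /20, a static address sitting inside a dynamic scope, and a firewall rule that does not say what you meant. The following is an added example, not code from the original post, that checks those points and models the one-way firewall rule as first-match rules on a stateful firewall. The VoIP subnet address, the exact scope boundaries, the static addresses and the Internet-access rules are assumptions; the post only fixes 10.10.24.0/24 for the servers and 10.0.0.0/20 for the clients.

```python
import ipaddress
from itertools import combinations

# Address plan for the post's three-subnet proposal.  The VoIP subnet, the scope
# boundaries and the static addresses are assumptions for illustration.
PLAN = {
    "subnets": {
        "voip":    "10.10.25.0/24",   # assumed
        "servers": "10.10.24.0/24",   # from the post
        "clients": "10.0.0.0/20",     # from the post
    },
    # DHCP scopes (first, last) served by the two NAS/firewall DHCP servers
    "scopes": {
        "nas1": ("10.0.0.10", "10.0.1.255"),   # assumed; leaves room for the gateway
        "nas2": ("10.0.2.0", "10.0.3.255"),    # assumed /23-sized scope
    },
    # static addresses that must stay outside every dynamic scope (constructed)
    "statics": ["10.10.24.1", "10.10.24.10", "10.0.0.1"],
}


def scope_network(start: str, end: str) -> list:
    """Collapse a first/last scope into the smallest set of CIDR blocks covering it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def check_plan(plan: dict) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = {n: ipaddress.ip_network(c) for n, c in plan["subnets"].items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"subnets {a} and {b} overlap")
    scopes = {n: scope_network(*r) for n, r in plan["scopes"].items()}
    client_net = nets["clients"]
    for name, blocks in scopes.items():
        for blk in blocks:
            if not blk.subnet_of(client_net):
                problems.append(f"scope {name} block {blk} is outside {client_net}")
    for (a, ba), (b, bb) in combinations(scopes.items(), 2):
        if any(x.overlaps(y) for x in ba for y in bb):
            problems.append(f"DHCP scopes {a} and {b} overlap")
    for ip in plan["statics"]:
        addr = ipaddress.ip_address(ip)
        for name, blocks in scopes.items():
            if any(addr in blk for blk in blocks):
                problems.append(f"static {ip} lies inside DHCP scope {name}")
    return problems


def firewall_rules(plan: dict) -> list:
    """First-match rules for the post's step: servers may open connections to the
    client subnet, clients may not open connections into the server subnet.  Assumes
    a stateful firewall, so replies to permitted connections need no rule of their
    own.  The two Internet rules are assumptions (both sides need 8.8.8.8)."""
    s, c = plan["subnets"]["servers"], plan["subnets"]["clients"]
    return [
        ("allow", s, c),
        ("deny",  c, s),
        ("allow", s, "0.0.0.0/0"),
        ("allow", c, "0.0.0.0/0"),
    ]


def new_connection_allowed(rules: list, src_ip: str, dst_ip: str) -> bool:
    """Evaluate a new connection attempt against the rule list, first match wins,
    default deny (so the VoIP subnet gets nothing until it is given rules)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in rules:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "allow"
    return False


if __name__ == "__main__":
    print("problems:", check_plan(PLAN))
    rules = firewall_rules(PLAN)
    print("server -> client:", new_connection_allowed(rules, "10.10.24.10", "10.0.5.5"))
    print("client -> server:", new_connection_allowed(rules, "10.0.5.5", "10.10.24.10"))
```

Moving the first scope's start to 10.0.0.0 makes the check report that the assumed gateway address 10.0.0.1 sits inside a dynamic scope; sliding the second scope down so it starts at 10.0.1.0 makes it report the two scopes overlapping. Those are exactly the two mistakes that show up later as intermittent duplicate-address problems, so they are worth catching on paper.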
I think I like the last one the best. It avoids the period when the network's broadcast addresses and masks are not well defined, and it gives me control over the traffic between the trusted machines and the ones that come and go and just want to talk to the Internet.