VLANs and Microsoft Active Directory Authentication

tstreit28
Level 1

Hi,

Currently our network is in one big subnet, 10.0.0.0/8.  We have grown and now it's time to segment the network into VLANs; actually this should have been set up originally, but I inherited this network.  We have a Windows 2003 Active Directory Domain Controller and a Cisco 3750 managed switch.  What I am currently trying to do is create a VLAN with the IP range of 192.168.40.0/24.  So far I have been able to create the VLAN and give it Internet access and access to our email server using access lists on the switch, no problem.

1.  What I need to know is what ports on the switch do I need to add the access list to allow for Windows 2003 Active Directory Authentication?

2.  What do I need to do on the domain controller to allow authentication from a different subnet?  Other than the 10.0.0.0/8 network.  Any guides or walkthroughs would be helpful.

3.  Is there something that I need to configure on the switch to direct authentication requests to the domain controller?

On the domain controller I have already installed Microsoft IAS and Routing and Remote Access services, but not sure if they are configured correctly, so I have no problem starting from scratch and reconfiguring them.  I have also added the 192.168.40.0/24 subnet to Sites and Services.

Any help would be much appreciated.

Thanks,

Ted

5 Replies

Jon Marshall
Hall of Fame

Ted

Most of these questions are more Microsoft type questions than Cisco but I'll help out where I can -

1) See this technet article for ports needed for AD authentication -

AD ports

2) See this blog entry with details with adding subnets to AD -

AD subnet authentication

3) No, there should be nothing to do on the switch for AD authentication. Bear in mind for DHCP that if the DHCP server is on a different vlan than the client vlan(s), then on each client vlan L3 interface you need to add an ip helper-address, e.g.

int vlan 10
 ip address x.x.x.x 255.255.255.0   <-- the SVI address for the client vlan, with its subnet mask
 ip helper-address y.y.y.y          <-- where y.y.y.y is the address of your DHCP server

Jon
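
To put Jon's two points together on the 3750 from the question, here is an added example configuration that is not part of the thread and not Jon's or Ted's own config. It builds a named extended ACL for the 192.168.40.0/24 client VLAN that permits only the ports a Windows 2003 domain controller needs for authentication, domain join and Group Policy, applies it inbound on the VLAN SVI, and shows the ip helper-address line for the case where DHCP lives outside the VLAN. The domain controller address 10.0.0.10 and the DHCP server address 10.0.0.20 are assumptions; replace them with your own.

```cisco
! Added example, not from the original thread.
! Assumed: DC (Windows 2003, also DNS for the AD domain) = 10.0.0.10
!          DHCP server = 10.0.0.20 (only needed if it is NOT in VLAN 40)
! Requires "ip routing" to be enabled so the 3750 routes between SVIs.
!
ip access-list extended VLAN40-IN
 remark -- DHCP: clients broadcast from 0.0.0.0 to 255.255.255.255 before they have an address,
 remark -- and later unicast renewals straight to the server; both use bootpc -> bootps
 permit udp any eq bootpc any eq bootps
 remark -- DNS to the DC: AD clients must resolve the domain's SRV records (_ldap._tcp.dc._msdcs)
 permit udp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq domain
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq domain
 remark -- Kerberos ticketing (88) and Kerberos password change (464)
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 88
 permit udp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 88
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 464
 permit udp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 464
 remark -- LDAP (389), LDAPS (636) and Global Catalog (3268/3269)
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 389
 permit udp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 389
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 636
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 range 3268 3269
 remark -- SMB (445) for SYSVOL/NETLOGON and Group Policy; RPC endpoint mapper (135)
 remark -- plus the Windows 2003 dynamic RPC range (1025-5000) used by netlogon/lsass
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 445
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq 135
 permit tcp 192.168.40.0 0.0.0.255 host 10.0.0.10 range 1025 5000
 remark -- NTP: Kerberos rejects tickets when clock skew exceeds 5 minutes by default
 permit udp 192.168.40.0 0.0.0.255 host 10.0.0.10 eq ntp
 remark -- keep the mail-server lines you already have here, then block the rest of
 remark -- the old flat network and let everything else out to the Internet
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 10.0.0.20
 ip access-group VLAN40-IN in
```

Two things to keep in mind when adapting this. The 3750 ACL is stateless, so the rules are written for traffic leaving the clients; replies from the DC are not filtered because nothing is applied outbound on the SVI. The 1025-5000 range is the widest hole in the list; Windows 2003 lets you pin the RPC services to fixed ports through the registry, after which that line can shrink to those ports. If the VLAN's clients get DNS from the Linux server rather than the DC, that server must forward the AD domain's zone to the DC, otherwise the clients cannot find a domain controller even though every port above is open.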

Jon,

Thank you for your reply, and I appreciate all the information.  I was looking for more of a direction to get pointed in since I wasn't sure which direction to go.  As far as the DHCP server, I actually have a separate Linux server hanging off the VLAN's network to provide DHCP and DNS, which may be overkill but it works really well.

Thanks again,

Ted

Ted

I was looking for more of a direction to get pointed in since I wasn't sure which direction to go

Not sure exactly what you mean. We would be glad to try and help but could you clarify what it is you are looking for ?

Jon

Jon,

What I meant was I wasn't really sure if I had the switch configured properly or if it was a Microsoft AD problem and so you clarified that it sounds like I have the switch configured properly and I have to get the domain controller configured properly.  Thank you for the help.

Ted

gravelpit58
Level 1

Do you have access to Packet Tracer 5.3?  If so, use it to model the current network and servers and share that here as an attachment.  Am I correct then in assuming all switchports are in VLAN 1?  Create the required VLANs for the groups/departments that should not share traffic.  Then add the DHCP scopes for each new VLAN subnet to the Linux server.  Don't forget to use the ip helper-address directed at that server.  Use the EIGRP routing protocol to allow traffic between the E-mail, DHCP and DNS subnets/VLANs, and ACLs to prevent unwanted interaction.

Hope this helps, Joseph
