This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 94%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJZ%3C/text%3E%3C/svg%3E)
Hi i have deployment to integrate on prem AD and GOV cloud, i have to deploy additional tree domain within existing forest, but in gov cloud i have public ip segment on which will be sit two new DC. Networks on prem is private A class but cloud has public subnet. Network is fully routed with any any comunications btween dcs on headoffice and cloud. Is that supported scenario to have public subnet on DCs?. Cloud network i think will be not exposed to public internet.
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
On your private network in theory you can use any addressing scheme. Just make sure that the domain controller is not multi-homed and that all members use the static ip address of DC listed for DNS and no others such as router or public DNS.
--please don't forget to upvote and Accept as answer if the reply is helpful--
No, this isn't going to work. All domain members must use domain DNS to find and logon to domain so you'll need to use a VPN.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi DSPatrick yes there is a tunnel VPN between gov cloud and onprem but DNS will maybe a problem if the DNS server in cloud will have public IP as nameserver for that treee domain?
Multi-homing a domain controller will cause you no end to grief for active directory DNS
Hi DSPatrick that range is in 100.74.xxx.xxx range it seems that its a private range can be this adress space used on AD DNS?
Shared address space[5] for communications between a service provider and its subscribers when using a carrier-grade NAT.
https://en.wikipedia.org/wiki/IPv4_shared_address_space
Ok but I will rather to use normal private adress space for placing DCs, so i will be ask to reconfigure network to comply with RFC.
Thanks Patrick
Sounds good, you're welcome.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
HI DSPatrick, network guy suggest me that network 100.74.xx.xx is private so no problem I have already setup tree domain to the root forest, but have question about default zone _msdcs.root.forest.net. Domain controllers is replicating fine but on new tree domain controller DNS this zone is missing. When I check _msdcs.root.forest.net on root domain, zone is configured to only replicate all domain controlers in this domain (for windows 2000 compatibility), its necessary to change replication of this zone to all domain controller in forest ? Is there some chance to broke something. On root domain is bunch of old w2008r2 controllers and others is w2016. Its safe to change this?
Thanks
Sounds good, glad to hear. Since a new topic, I'd suggest closing this one by marking answer and open a new thread for new topic.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Ok i wil post new thread Thanks
Sounds good, you're welcome.
