is it possible to install two domains on the same subnet and apply the approval relationship?

Question

Hello everyone;

We have a domain server on the current site and we plan to open offices on another remote site which will be the headquarters. To facilitate user authentication, I'd like to install another domain server for the head office and set up an approval relationship for access to resources in both directions. I'm planning to set up a sit-to-site VPN.

my question, is it possible to install two domains on the same subnet and apply the approval relationship?

Thanks

Translated with www.DeepL.com/Translator (free version)

Answer 1

your textI can address the possibility of having two domains on the same subnet and explore alternative solutions for approval relationships:

Technically Possible, But Not Recommended

It's technically possible to have two separate Active Directory domains on the same subnet. However, it's generally not recommended due to several drawbacks:

• DNS Conflicts: Both domains will have their own DNS servers with potentially overlapping records. Resolving hostnames can become confusing and unreliable.
• Security Concerns: Broadcast traffic on the subnet might reveal information about each domain, impacting security.
• Management Complexity: Troubleshooting issues becomes more challenging when dealing with two domains on the same network segment.

Alternatives for Approval Relationships

If you need to establish an approval relationship between two Active Directory domains, here are better approaches:

1. VLANs: Separate the domains onto different Virtual Local Area Networks (VLANs). This isolates broadcast traffic and simplifies management. You can configure inter-VLAN routing to allow communication while maintaining separation.
2. Resource Forests: Consider creating a resource forest with a trust relationship. This allows users from one domain to access resources in another while maintaining separate authentication and administration.
3. Azure AD Connect: If you're using Azure Active Directory (Azure AD), explore Azure AD Connect for synchronizing identities between on-premises Active Directory and Azure AD. This enables single sign-on (SSO) across domains without directly linking them.

Choosing the Right Approach

The best approach depends on your specific needs and environment. Here are some factors to consider:

• Security Requirements: How crucial is isolation between the domains?
• Management Complexity: How comfortable are you managing separate VLANs or forests?
• Cloud Integration: Do you plan to integrate with cloud services like Azure AD?

If you're unsure, consulting a network administrator can help you choose the most suitable solution for your scenario. I can address the possibility of having two domains on the same subnet and explore alternative solutions for approval relationships:

Technically Possible, But Not Recommended

It's technically possible to have two separate Active Directory domains on the same subnet. However, it's generally not recommended due to several drawbacks:

• DNS Conflicts: Both domains will have their own DNS servers with potentially overlapping records. Resolving hostnames can become confusing and unreliable.
• Security Concerns: Broadcast traffic on the subnet might reveal information about each domain, impacting security.
• Management Complexity: Troubleshooting issues becomes more challenging when dealing with two domains on the same network segment.

Alternatives for Approval Relationships

If you need to establish an approval relationship between two Active Directory domains, here are better approaches:

1. VLANs: Separate the domains onto different Virtual Local Area Networks (VLANs). This isolates broadcast traffic and simplifies management. You can configure inter-VLAN routing to allow communication while maintaining separation.
2. Resource Forests: Consider creating a resource forest with a trust relationship. This allows users from one domain to access resources in another while maintaining separate authentication and administration.
3. Azure AD Connect: If you're using Azure Active Directory (Azure AD), explore Azure AD Connect for synchronizing identities between on-premises Active Directory and Azure AD. This enables single sign-on (SSO) across domains without directly linking them.

Choosing the Right Approach

The best approach depends on your specific needs and environment. Here are some factors to consider:

• Security Requirements: How crucial is isolation between the domains?
• Management Complexity: How comfortable are you managing separate VLANs or forests?
• Cloud Integration: Do you plan to integrate with cloud services like Azure AD?

If you're unsure, consulting a network administrator can help you choose the most suitable solution for your scenario.

Answer 2

your textNo, installing two separate domains on the same subnet at both locations (current site and headquarters) with a VPN connection isn't the best approach for your scenario. Here's why:

• Challenges with Shared Subnet: As mentioned earlier, having two domains on the same subnet (even with a VPN) can lead to DNS conflicts and make management complex.

Better Solutions for Your Scenario:

Given your desire for user authentication at both sites and resource access in both directions, here are two recommended approaches that leverage your planned site-to-site VPN:

Single Domain with Site Links:

• Maintain a single Active Directory domain at your current site (or migrate the existing one there).
  • Set up Site Links within the domain to define the connection between your current site and the headquarters. This optimizes replication traffic over the VPN.
    • Users at both locations can join the same domain and access resources based on permissions.
    Resource Forest with Trust Relationship:

    - Create a new domain at the headquarters (HQ) as a child domain in a resource forest.
    
       - Establish a two-way trust relationship between the existing domain and the new HQ domain.
    
          - Users can authenticate to their respective domains and access resources in the other domain based on configured permissions. This approach offers more granular control over access compared to Site Links.
    

Benefits of These Approaches:

• Simplified Management: You manage a single domain or a trust relationship, making administration easier.
• Improved Security: Each domain or forest maintains its own security policy, enhancing control.
• Reliable Authentication: Users can securely authenticate to their domain and access resources across the VPN connection.

Choosing the Right Approach:

The best approach depends on your specific needs. Here's a quick guide:

• Simple User Authentication & Resource Access: Single Domain with Site Links (easier to set up)
• Granular Access Control & Independent Administration: Resource Forest with Trust Relationship (more complex setup)

Additional Considerations:

• Scalability: If you anticipate future growth, a resource forest might be more adaptable.
• Technical Expertise: Setting up a resource forest requires a deeper understanding of Active Directory.

Recommendation:

Consider consulting with a network administrator to assess your specific needs and choose the optimal solution. They can also help you set up the chosen approach, including configuring the VPN and Active Directory settings.

No, installing two separate domains on the same subnet at both locations (current site and headquarters) with a VPN connection isn't the best approach for your scenario. Here's why:

• Challenges with Shared Subnet: As mentioned earlier, having two domains on the same subnet (even with a VPN) can lead to DNS conflicts and make management complex.

Better Solutions for Your Scenario:

Given your desire for user authentication at both sites and resource access in both directions, here are two recommended approaches that leverage your planned site-to-site VPN:

Single Domain with Site Links:

• Maintain a single Active Directory domain at your current site (or migrate the existing one there).
  • Set up Site Links within the domain to define the connection between your current site and the headquarters. This optimizes replication traffic over the VPN.
    • Users at both locations can join the same domain and access resources based on permissions.
    Resource Forest with Trust Relationship:

    - Create a new domain at the headquarters (HQ) as a child domain in a resource forest.
    
       - Establish a two-way trust relationship between the existing domain and the new HQ domain.
    
          - Users can authenticate to their respective domains and access resources in the other domain based on configured permissions. This approach offers more granular control over access compared to Site Links.
    

Benefits of These Approaches:

• Simplified Management: You manage a single domain or a trust relationship, making administration easier.
• Improved Security: Each domain or forest maintains its own security policy, enhancing control.
• Reliable Authentication: Users can securely authenticate to their domain and access resources across the VPN connection.

Choosing the Right Approach:

The best approach depends on your specific needs. Here's a quick guide:

• Simple User Authentication & Resource Access: Single Domain with Site Links (easier to set up)
• Granular Access Control & Independent Administration: Resource Forest with Trust Relationship (more complex setup)

Additional Considerations:

• Scalability: If you anticipate future growth, a resource forest might be more adaptable.
• Technical Expertise: Setting up a resource forest requires a deeper understanding of Active Directory.

Recommendation:

Consider consulting with a network administrator to assess your specific needs and choose the optimal solution. They can also help you set up the chosen approach, including configuring the VPN and Active Directory settings.