Managing an Active Directory Environment With Thousands of Subnets

Ryan Ries asked:

Most of us know that we need to create subnet objects and associate them to site objects in our Active Directories. This keeps clients in Site A authenticating to domain controllers in Site A, getting correct DFS referrals, etc.

How do I manage this in an environment with thousands of subnets? Literally, thousands of subnets that are ever-evolving, being added to and taken away.

Ideally, the answer should not be “hire 50 administrators.”

My answer:


You don’t need to create a new subnet for every single Layer 3 subnet that the network people create. Instead, create subnets corresponding to the IP address allocations for the entire site.

Here’s a quick example.

Say you have two sites. Let’s call them “New York” and “Mountain View”. New York’s entire IP allocation is 10.187.128.0/22. Mountain View has 10.187.132.0/22, but it also has some old cruft hanging around in 10.244.0.0/16.

The network guys will divide all those addresses into tiny subnets, some as small as /29. There will be thousands of them, but they’re all contained within those supernet blocks.

Within AD, though, the New York site only needs the one subnet defined, and the Mountain View site only needs the two subnets defined. They cover all the possible IP addresses within their respective blocks.
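To show how this plays out, here is an added example (mine, not from the original answer or from Server Fault) that models AD's rule of mapping a client to the defined subnet with the longest prefix that contains its address, using the two sites above, and audits a constructed list of the network team's small Layer 3 subnets against them so that any block outside every defined supernet is flagged. The site names come from the answer; the sample allocations are constructed.

```python
import ipaddress

# AD site-to-subnet map, taken from the example in the answer above.
# Each site needs only its supernet blocks, not every /29 carved out of them.
AD_SITE_SUBNETS = {
    "New York": ["10.187.128.0/22"],
    "Mountain View": ["10.187.132.0/22", "10.244.0.0/16"],
}

def build_subnet_table(site_subnets):
    """Flatten the site map into (network, site) pairs, most specific first.
    AD resolves a client to the defined subnet with the longest prefix that
    contains its address, so sorting by prefix length reproduces that rule."""
    table = [(ipaddress.ip_network(cidr), site)
             for site, cidrs in site_subnets.items() for cidr in cidrs]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)

def site_for_address(addr, table):
    """Return the site a client address maps to, or None if no subnet covers it."""
    ip = ipaddress.ip_address(addr)
    for net, site in table:
        if ip in net:
            return site
    return None

def audit_allocations(allocations, table):
    """Check the network team's Layer 3 subnets against the AD subnet objects.
    Returns ({cidr: site} for covered blocks, [cidrs no AD subnet contains]);
    the second list is what actually needs a new subnet object in AD."""
    covered, uncovered = {}, []
    for cidr in allocations:
        net = ipaddress.ip_network(cidr)
        match = next((site for ad_net, site in table if net.subnet_of(ad_net)), None)
        if match is None:
            uncovered.append(cidr)
        else:
            covered[cidr] = match
    return covered, uncovered

# Constructed sample of the network team's small subnets. The last one lies
# outside every supernet the sites declare, so clients there would be siteless.
NETWORK_ALLOCATIONS = ["10.187.128.8/29", "10.187.131.248/29",
                       "10.187.133.0/24", "10.244.17.64/29", "10.250.1.0/29"]

if __name__ == "__main__":
    table = build_subnet_table(AD_SITE_SUBNETS)
    covered, uncovered = audit_allocations(NETWORK_ALLOCATIONS, table)
    for cidr, site in covered.items():
        print(f"{cidr:18} -> {site}")
    print("not covered by any AD subnet:", uncovered)
```

Running the audit whenever the network team publishes a new allocation list keeps the handful of AD subnet objects honest without touching AD for every new /29.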


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.