By Ace Fekay, MCT, Microsoft MVP Directory Services
So you are looking at a major IP migration from a public range to a private range and not simply extending the current scopes, or you simply want to change the current IP range.
One good reason to change the internal IP range, is the current range matches many of the retail box store router default IP subnets, such as from Linksys, Netgear, etc. The identical subnets cause issues when users at home are using VPN to the company network. If the subnets are identical, routing won’t work, therefore they are never able to connect.
Depending on the size of the infrastructure, changing the IP range can either be easy, or pretty involved and will have a major undertaking on your hands. Let’s see…
First come up with an IP Range
Come up with a plan that includes an IP range for all servers and static set hosts, as well as an IP range for each floor, building, etc., depending on the scope of this project, and the subnets currently in place.
You could use the same subnet for the whole building, which makes it easier to deal with, but not necessarily as efficient with network traffic, and especially if the number of hosts is so large (into the thousands), it becomes a rather large subnet broadcast domain. Also with one big subnets, you are reducing the ability to create efficient AD Sites appropriately.
For example, if one were to choose one subnet for a large building with 3000 users, you could use one subnet, such as 10.10.0.0/16, which will give you 65,000 IPs:
If you want to keep with the separate subnets for each floor, which is ideal, of course considering if you have layer 3 VLAN capable switches, that may be your better bet. Some may think it complicates matters with DHCP and routing, but looking at the network efficiency, I think it’s a better bet.
For example, if you have multiple subnets or buildings with less than 4000 total hosts (servers, users, printers, etc.), a good example is the following breakdown, which will give you 4096 hosts for each subnet (and this is just an example – your mileage may vary):
- 10.10.0.0/20 (10.10.0.0 – 10.10.15.255)
- 10.10.16.0/20 (10.10.16.0 – 10.10.31.255)
- 10.10.32.0/20 (10.10.32.0 – 10.10.47.255)
- 10.10.48.0/20 (10.10.48.0 – 10.10.63.255)
Procedure (steps are not in stone)
- Inventory all applications that have been configured with hardcoded IP addresses in their configuration, then change the IPs to the new IPs.
- Ask users to shutdown all workstations.
- Change the DC/DNS server’s’ IP addresses.
- In NIC properties, change it to the new IP address.
- In NIC properties, change the DNS IP addresses to the new IP.
- Re-register the DCs in DNS so it re-creates new records.
- ipconfig /all
- restart netlogon service
- Server properties, Nameservers tab, insure the new IPs are listed.
- Remove the old ones and re-enter if needed.
- Check DNS zones – Make sure all old IP references are manually removed if the registration process above does not overwrite the old ones, which it should.
- Check the GC records (located in gc. _msdcs.domain.local).
- Check the LdapIpAddress records – the “same as parent” A records that each DC registers.
- Delete the old reverse zone.
- In lieu of deleting and recreating the reverse zones, if you’re energetic:
- Change the AD integrated reverse zone to a Primary Standard zone (this takes it out of AD and puts it into a text file in system32\dns.
- Open the system32\dns\zoneName.dns file, and change all the IPs in the zone file, save it, reload the zone. You should see all the new IPs
- Then change it back to AD integrated again.
- You will need to delete and re-create the scope from scratch.
- If you have Scope Options recreate the Scope Options.
- If you have Server Options, simply change the IP addresses they point to.
- If using WINS, change DHCP Option 044 to the new IP address of the WINS server.
- Option 003 is the router
- Option 006 is for DNS addresses
- If using any other VPN solution, likewise.
- If using a Relay Agent or IP Helper, change the IP it’s pointing to.
- Run ipconfig /registerdns
- Restart the printers to take effect.
- If they haven’t been shut down, then run ipconfig /registerdns on each.
Do Multiple Internal Subnets exist?
- If using multiple internal subnets that you are currently connected to, change the static route entries on the edge firewall/router to insure communications work to the other subnets. The same on their end.
- Once again, check event logs for any errors.
- Test internet connectivity from your DCs and servers.
- DHCP – Take note of exclusions, reservations, SuperScopes, etc. Delete all scopes.
- Create a new big scope, or multiples if you had separate scopes, Superscopes, etc.
- Test DHCP by firing up a couple of workstations, logons, internet connectivity, printers, resource access, etc.
- Once again, check event logs for any errors.
I’m sure I may have missed a few steps and only briefed over others, but it should give you a good start and a guideline, because every infrastructure is different and unique.