Up until now I have had one internal network for all my business devices. I’d like to move my domain devices (servers, clients) to a new VLAN with a different subnet so I can segregate and set up firewall rules to control traffic. My biggest concern is the DCs (2016) running AD, DNS and DHCP. I’d expect the clients to pull the new IP addresses once they are connected to the VLAN. What steps would you recommend taking to make it work? I’ll need to change the static IPs on my servers and set up a new DHCP scope. Will DNS need to be manually updated? What are the steps that should be taken for this transition? Are there any links to articles that would outline this? I’ve searched but not found this scenario yet.


Anywhere that DNS servers are statically set will require you to statically set the new IP addresses.

Anything that gets its network configuration from DHCP just needs the DHCP server/scope option for DNS updated, and then devices rebooted (or ipconfig release/renew) to get a new DHCP lease with updated info. I would lower the DHCP lease time leading up to this change, to ensure any missed endpoints will refresh themselves in good time.

If you have VLAN IP helper addresses, those need to be updated to point at the new DHCP servers.


But why do you need to move the existing network to another network?
Will the other network be larger or have more devices and/or users than your Domain?

What will you be basing the VLANs and IP address ranges on, and how will you be creating them?
There are very few articles, as there are literally no two networks that are exactly the same, and almost everybody’s networking requirements and/or specs are very different.

I would think the main or current subnet should remain (eg 10.1.1.xxx /24), and then change from VLAN1 (default VLAN) to another VLAN.

Then add 2nd or 3rd VLANs with other subnets (eg 10.1.20.xxx /24 and/or 10.1.30.xxx /24) for your other requirements.
But you may need firewalls and routers between the VLANs, not simply “firewall rules”, depending on what your needs are.

I have avoided the use of VLANs when we added VoIP phones and security systems…the price difference of the VoIP phones without the 2nd NIC port is $50-$180, while laying another LAN cable is only approx $70-$80 each.
Then there is no need to “merge” the 3 networks as each set of devices would run on its own set of switches with the controllers (or DVR or servers) having multiple NIC ports (so they can connect to their own networks & production network for management).
This also makes a cleaner network and easier to manage and/or upgrade when the time comes.

I would recommend a staged migration to the new VLAN/subnet.
Initial setup:
Network - set up the networking (VLAN/subnet) and set DHCP relay to the current DHCP server. No firewall/ACLs at this point.
Windows/AD - add a new DHCP scope for the new subnet, add the subnet to Sites and Services.
Test new vlan with a domain joined workstation.

Start to migrate:
Move one DC to the new VLAN (not the DHCP server, or not the only DHCP server). Reconfigure its IP and restart. Update other servers that use this DC for DNS. Test (e.g. dcdiag).
Then update DHCP settings so that this server is specified as the DNS server for clients.
Test.

Final migration:
Move all remaining DCs one by one to the new VLAN using the same process. Move servers to the new VLAN.

No manual updating of DNS records etc. is required - when you change the IP of a server/DC and restart it, all records will update (so long as it can access the DNS server).
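The staged migration above, scripted as an added example (not code from any poster in this thread): the initial-setup stage creates the new scope with a short lease and registers the subnet in Sites and Services, and the test stage checks that the moved DC's DNS records carry its new address and that nothing still answers with the old one. The subnet, addresses, domain name, DC name and site name are assumptions; it needs the DHCP and ActiveDirectory RSAT modules.

```powershell
# Assumed values for illustration; replace with your own environment.
$NewScope  = '10.1.20.0'              # new domain VLAN subnet (assumed)
$Gateway   = '10.1.20.1'              # VLAN interface on the router/L3 switch (assumed)
$Domain    = 'corp.example'           # AD DNS domain name (assumed)
$DcName    = 'dc01'                   # first DC to be moved (assumed)
$OldDcIp   = '10.1.1.10'              # its current address on the old subnet (assumed)
$NewDcIp   = '10.1.20.10'             # its static address after the move (assumed)
$SiteName  = 'Default-First-Site-Name'

# Initial setup: scope on the EXISTING DHCP server, reached via DHCP relay. A 2-hour
# lease means clients pick up later option changes quickly; lengthen it afterwards.
Add-DhcpServerv4Scope -Name 'Domain VLAN 20' -StartRange 10.1.20.50 -EndRange 10.1.20.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Hours 2) -State Active
# Clients keep using the unmoved DC for DNS until the moved DC has been verified.
Set-DhcpServerv4OptionValue -ScopeId $NewScope -Router $Gateway -DnsServer $OldDcIp -DnsDomain $Domain
# Sites and Services: without this, clients on the new subnet have no site affinity.
New-ADReplicationSubnet -Name "$NewScope/24" -Site $SiteName

# Test stage, run after the DC's IP has been changed and it has restarted.
function Test-MovedDcDns {
    param([string]$Domain, [string]$DcName, [string]$ExpectedIp, [string]$StaleIp)
    $fqdn = "$DcName.$Domain"
    $aRecs = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
    # Host record must carry the new address and no copy of the old one.
    $hostOk  = ($aRecs.IPAddress -contains $ExpectedIp) -and ($aRecs.IPAddress -notcontains $StaleIp)
    # The domain apex A records (one per DC) also re-register on restart.
    $apexIps = (Resolve-DnsName -Name $Domain -Type A).IPAddress
    $apexOk  = ($apexIps -contains $ExpectedIp) -and ($apexIps -notcontains $StaleIp)
    # Domain-wide DC locator SRV record should still list this DC by name.
    $srv     = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
    $srvOk   = $srv.NameTarget -contains $fqdn
    [pscustomobject]@{ Dc = $fqdn; HostRecord = $hostOk; ApexRecord = $apexOk; SrvRecord = $srvOk }
}

$result = Test-MovedDcDns -Domain $Domain -DcName $DcName -ExpectedIp $NewDcIp -StaleIp $OldDcIp
$result | Format-List
if ($result.HostRecord -and $result.ApexRecord -and $result.SrvRecord) {
    # Only now point the new scope's clients at the moved DC for DNS.
    Set-DhcpServerv4OptionValue -ScopeId $NewScope -DnsServer $NewDcIp, $OldDcIp
} else {
    Write-Warning "Stale or missing records for $DcName; run 'ipconfig /registerdns' and dcdiag on it before changing the scope."
}
```

If a stale record survives, the usual cause is a static record or a DC that could not reach its DNS server at restart; the check fails closed, so the scope keeps pointing at the old DC until the records are right.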