Changing to a Private IP Address Scheme

lloydny

MIS
Sep 18, 2002
We are getting ready to change the IP addresses of our entire network. We currently have 3 locations connected by point-to-point T1's. The 1st location is using the scheme 198.210.200.x, the 2nd 200.200.20.x and the 3rd 200.200.30.x. These are public addresses but we are using NAT behind a firewall. We are looking to change to a private IP addressing scheme using 192.168.10.x, 192.168.20.x and 192.168.30.x. We have a mixed NT 4.0 and 2000 Server environment with a single domain. There are 3 Windows 2000 domain controllers, an Exchange 2000 server and a Citrix server. We are running DNS & WINS on the servers and all of our workstations have static addresses.
My question is, what would be the best way to go about making this switch to a private addressing scheme? What order do I need to do things in? What obstacles will I be facing and how should I solve them? I am planning to do the switch one location at a time. Thanks in advance for any help and suggestions!!!!

 
You'd best invest in a consultant to come in and examine your entire network first.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
The very first step is to get the clients moved over to DHCP. I'd create a DHCP scope for each site with the current IP scheme, then build a login script to switch the clients over to DHCP and let it execute. Keep the lease time reasonably short, that will be important later, when you actually cut over the network segment.

Once you're ready to cut over one of the segments make sure that you update the interface on the router to the new segment then change the DHCP scope servicing that segment to the new range that you want. Make sure you update any static routes that you have on your routers.

The clients will lease new addresses with all the new information you put in, then you're done. I make an assumption here that most/all of your servers are in one location, and that the T1's are terminating at a single "hub" location. That hub is probably the last that you'll want to cut over, and it should be pretty straightforward. After you've done the satellite sites, change all the static addresses at the hub site, and update the DHCP scopes again to reflect the changes; they should propagate. The other option is to update the hub site first, and that way you only have to change the DHCP lease range, and none of the scope options later, but it's really 6 one way half a dozen the other.

This is similar in method to what I've actually done when having to uproot a whole physical infrastructure to a new set of T1's and flop around some subnets. To minimize the manual work though you really need to get the clients moved to DHCP; once you have that done it's really pretty straightforward.
 
Travis, I agree with you that we should go DHCP, however the senior administrators at my company feel that they want to stay with static addressing. Being that we are going to stay static, what other advice can you offer as to the proper way to handle the cutover? I am worried about things such as DNS, WINS and Active Directory in general getting screwed up. Thanks for your help!!!
 
Hi,
It's good to change it to private addressing but I prefer 10.x.x.x or 172.16.x.x. Why? Because home users usually use 192.168.x.x and that could be a problem when they do VPN.
 
You can use the same method even without DHCP, but the amount of manual work you're going to have to do in order to accomplish the task is going to be very high.

Is there a particular reason why they want to disallow DHCP? Is it a security concern, or do they just want to be able to access machines as known resources? You could always create a static lease for each resource, and that will at least let you manage IP's centrally. It's just very difficult with something like this because other things are going to change on the client side also, like DNS server addresses, etc, which means a lot of fiddling with client machines.

There are two scenarios as I see it. If you cut the core network segment over first, you're going to have to go and touch every machine at every office to update DNS so they can authenticate to AD. If you cut satellite offices first, that's fine, but when you eventually cut the core network segment over, you're going to again touch every computer to update DNS so they can get into AD. If you have the manpower/organizational skills to do that, you're fine.

Active Directory should be fine with the change; with WINS you can just scour the DB and it will get updated as changes come in. DNS is the only potential problem, I'd say. The issue there will be if you have a lot of custom DNS entries you'll have to be vigilant - as a resource changes IP you'll have to make sure the host record is changed. If you have some of these resources sitting out in a DMZ with "real" internet access, you're going to have to get the router guys to set up the NAT translations and whatnot, but again that's not a biggie....

The largest part of the project is going to be going out and making small config changes on the client machines. I would suggest writing a little script that you can just type an IP address into and it will go and update all the registry entries. That might help with the overhead a bit.
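
The per-client script suggested in the last post, sketched as an added example (not code from the thread): it maps each static address from the old site prefixes to the new ones, keeps the host number, and lists the old-to-new pairs that DNS host records must follow. It emits Windows 2000 `netsh` lines rather than editing the registry directly; the hostnames, the gateway at `.1` and the NIC name are assumptions.

```python
import ipaddress

# Old -> new /24 for each site, as given in the thread.
SITE_MAP = {
    "198.210.200.0/24": "192.168.10.0/24",
    "200.200.20.0/24": "192.168.20.0/24",
    "200.200.30.0/24": "192.168.30.0/24",
}

def renumber(old_ip):
    """Return the new address for old_ip, keeping its host part."""
    old = ipaddress.ip_address(old_ip)
    for old_cidr, new_cidr in SITE_MAP.items():
        old_net, new_net = ipaddress.ip_network(old_cidr), ipaddress.ip_network(new_cidr)
        if old in old_net:
            return new_net.network_address + (int(old) - int(old_net.network_address))
    raise ValueError(f"{old_ip} is not in a subnet being renumbered")

def build_plan(inventory, gateway_host=1):
    """inventory: (hostname, old_ip, is_dns_server); gateway at .1 is an assumption."""
    old_ips = [ip for _, ip, _ in inventory]
    if len(set(old_ips)) != len(old_ips):
        raise ValueError("duplicate addresses in inventory")
    new = {host: renumber(ip) for host, ip, _ in inventory}
    # Clients must point at the DNS servers' NEW addresses to reach AD after cutover.
    dns = [str(new[h]) for h, _, is_dns in inventory if is_dns]
    plan = []
    for host, old, _ in inventory:
        net = ipaddress.ip_network(f"{new[host]}/24", strict=False)
        plan.append({"host": host, "old": old, "new": str(new[host]),
                     "mask": str(net.netmask), "dns": dns,
                     "gateway": str(net.network_address + gateway_host)})
    return plan

def netsh_commands(entry, nic="Local Area Connection"):
    """Windows 2000 netsh lines for one host; the NIC name is an assumption."""
    cmds = [f'netsh interface ip set address name="{nic}" source=static addr={entry["new"]} '
            f'mask={entry["mask"]} gateway={entry["gateway"]} gwmetric=1']
    for i, server in enumerate(entry["dns"]):
        verb = "set dns" if i == 0 else "add dns"
        source = " source=static" if i == 0 else ""
        cmds.append(f'netsh interface ip {verb} name="{nic}"{source} addr={server}')
    return cmds

# Constructed sample inventory (hostnames and host numbers are made up).
INVENTORY = [("dc1", "198.210.200.10", True), ("dc2", "200.200.20.10", True),
             ("citrix1", "198.210.200.20", False), ("ws-041", "200.200.30.41", False)]
if __name__ == "__main__":
    for e in build_plan(INVENTORY):
        print(e["host"], e["old"], "->", e["new"], *netsh_commands(e), sep="\n  ")
```

Run it per site before the cutover and review the output against the DNS zone, since any host record still holding an `old` value after the change will resolve to an address that no longer exists.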

 