
Risks of creating a backup LAN in AD environment 2

Status
Not open for further replies.

gmail2

Programmer
Jun 15, 2005
987
IE
Hi All

We're currently planning our upgrade to Win 2008. One of the managers here has come up with the idea of using an additional NIC in the servers to create a separate backup LAN to run backup over the network to a backup server. This includes backup of file servers and domain controllers. I agree with his idea in practice, but I'm wondering if there are any risks with doing this. If our backup LAN (which would be a closed network obviously) were to use subnet 192.168.1.0/24, wouldn't all the IPs in this subnet get registered in DNS, and wouldn't clients therefore try to access the machines (possibly) using this address also?

Any advice would be greatly appreciated

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
We use the concept of backup LANs... a LAN dedicated for server backup traffic.

When you install two NICs on the server, you will configure TCP/IP on one of them NOT to use NetBIOS and NOT to register its DNS settings. This will be done on the NIC associated with the backup network.

You must have two networks for this to make sense... one for normal traffic and one for backup traffic.



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
You will also need to make the backup network nonroutable and have no gateway address. Having multiple default gateways will confuse the issue (there can be only one default, after all) and as long as the hosts are on the same IP subnet as the backup server then they won't need a gateway anyway.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator
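
The settings described in the two replies above can be applied and then audited per server. The following is an added example, not code posted by anyone in this thread. It assumes PowerShell 2.0 or later, an elevated prompt, and that the backup NIC is the adapter holding an address in 192.168.1.0/24 (the subnet from the question). It uses the standard WMI class `Win32_NetworkAdapterConfiguration`, and it only reports on the default gateway rather than changing it.

```powershell
# Added example: apply and audit the backup-LAN NIC settings from this thread.
# Assumption: the backup NIC is the adapter with an address in 192.168.1.0/24.
$backupPrefix = '192.168.1.'   # assumed backup subnet prefix (/24)

function Get-BackupNic {
    # IP-enabled adapters that hold at least one address in the backup subnet
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.IPAddress | Where-Object { $_ -like "$backupPrefix*" } }
}

$nics = @(Get-BackupNic)
if ($nics.Count -eq 0) {
    Write-Warning "No IP-enabled adapter found in ${backupPrefix}0/24"
    return
}

foreach ($nic in $nics) {
    Write-Host "Configuring [$($nic.Index)] $($nic.Description)"

    # Do not register this connection's addresses in DNS, neither under the
    # primary DNS suffix nor under a connection-specific suffix.
    $r = $nic.SetDynamicDNSRegistration($false, $false)
    if ($r.ReturnValue -gt 1) {   # 0 = success, 1 = success, reboot required
        Write-Warning "SetDynamicDNSRegistration returned $($r.ReturnValue)"
    }

    # 2 = disable NetBIOS over TCP/IP on this adapter.
    $r = $nic.SetTcpipNetbios(2)
    if ($r.ReturnValue -gt 1) {
        Write-Warning "SetTcpipNetbios returned $($r.ReturnValue)"
    }
}

# Re-read the adapters and report the resulting state. The expected result for
# a backup NIC is RegistersInDns = False, NetbiosDisabled = True and
# HasGateway = False.
Get-BackupNic | Select-Object Description,
    @{ Name = 'IP';              Expression = { $_.IPAddress -join ', ' } },
    @{ Name = 'RegistersInDns';  Expression = {
        $_.FullDNSRegistrationEnabled -or $_.DomainDNSRegistrationEnabled } },
    @{ Name = 'NetbiosDisabled'; Expression = { $_.TcpipNetbiosOptions -eq 2 } },
    @{ Name = 'HasGateway';      Expression = { [bool]$_.DefaultIPGateway } }
```

If `HasGateway` comes back `True`, clear the default gateway on that adapter's TCP/IP properties by hand so the server keeps a single default route on its normal network.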
 
Sorry, one more question!! Is your backup LAN completely isolated? Or is it connected to a router or firewall so that you can route to it (from your corporate LAN) for management or to monitor the NICs (to check if they're up, etc.)? Or is it completely isolated? While I like the idea, the concept is new to me so I'm just wondering what best practices are or if there are any white papers, etc.?

Thanks again

 
Ooooh ... looks like we both posted at the same time kmcferrin :) OK, I guess that answers my question then. So basically the backup LAN should be a completely closed network then. What about if you want to monitor those interfaces then, how do you go about doing that if there's no routing? Or is that just a caveat that we have to live with?

 
You would have to configure your monitoring device/server with two NICs... one for each network so that you can see the traffic. This may require that you add a NIC to your current monitoring device.

Joseph L. Poandl
MCSE 2003/ MCITP - Enterprise

 