Servers Can Be Moved into Incorrect Sites (228814)

MORE INFORMATION

The Active Directory Sites and Services snap-in does not ensure that a server has at least one network adapter with an IP address that is valid for a site before moving the server object to the new site. This process is based on an administrative action, and the snap-in does not enforce site and address integrity. The reasons for this include:

• There may be legitimate reasons to move a server to a subnet that does not match the IP address. For example, this is a quick way to ensure that the locator (and thus, most default activity) does not find the domain controller, but the domain controller is still available for Lightweight Directory Access Protocol (LDAP) and administrative operations. This is a feasible repair scenario.
• The tool cannot easily perform this check because you can modify the site and server relationships in a distributed system on a replica of the distributed system, even though there currently is no connectivity to the server that is being moved to a different site. (For example, remote administration of configuration container data precludes many validations.)
• The move cannot be forced to be performed by the server being moved because it may not be available.

Example

A server has a single network adapter with an IP address of 192.168.0.1. There are three subnets defined for 192.168.0.0/24, 192.168.10.0/24, and 192.168.20.0/24. The sites are defined as site 0, site 10, and site 20, with each containing the corresponding IP subnet. Therefore, the server is a member of site 0 as a result of its address. However, the server could be moved by an administrator to site 10 or site 20, thereby placing it into the wrong site because of the site and subnets configuration.

The administrator must ensure that the server object is moved to the proper site. Otherwise, replication and other communication problems may occur.