Adding a second subnet to our existing domain.


New Member
Jul 3, 2024
Our domain is running out of IP addresses; currently the IP address range is
I want to add to this domain.

As far as I can tell, I have configured the router to route between the 2 subnets and added the relay agent.
So as far as I know, that's all I need on the router side (we are using a Cisco router/firewall).

What do I need to do to Active Directory/the domain controller to make it recognize the new subnet?

I have read that I just need to go into

Active Directory Sites and Services -> click on Subnets -> right-click on Subnets -> click on New Subnet -> enter my new subnet -> click on Default-First-Site-Name

and I am all done.

What do I need to do to the DNS server to resolve the IP addresses?

I believe I just need to add the new scope to the DHCP server.

Please could someone assist me in these final stages.


Are you using VLANs on your routing and switching? This is usually what you associate to the DHCP scopes if you are using Windows DHCP.

Thanks for the reply. We only have 1 VLAN, which is the primary subnet.

I was going to run the second subnet over the same VLAN because we don't have VLAN routing. Also, that would mean changing many switches and breaking up the network.
Our network is very old and is basically a star network, with the Cisco router/firewall hanging off 1 port on the main switch and running off a single port on itself.

I could break it up, but due to the expansion of the network from what was a Windows XP network with a handful of machines on it, it was never planned for the growth it got.
We had to install mini switches pretty much at each desk to allow IP phones as well as PC network access, and everything is configured for VLAN 1 (data) and VLAN 20 (IP phone).
The building is a factory, so running new cabling is not an option.

Also, due to us still using Server 2003 for our production ERP, we have had to use static IP addresses for about 70% of the network PCs and printers, as we had difficulties after moving to Windows 7 and since to Windows 10 & 11.

Well, I do recommend going to a different VLAN. Having huge flat networks is asking for trouble, but you could change your subnet to be, but you would want to move your gateway out of the DHCP scope.
This would be -

We have about 100 static machines and 47 switches on the network; I guess we would have to set up an exclusion for that.
If we went to a VLAN, that would mean changing the VLAN ports on some of our switches so they took advantage of the new subnet? We currently have 47 switches, so I would have to pick some and change them to the new VLAN?

Also, that would mean running a second port to the firewall/router to separate the VLAN traffic; we have a Cisco Firepower 1010 router/firewall.

Running a second VLAN, I would add the new addressing scheme to that VLAN?

When you said earlier about expanding the subnet CIDR to, can I still leave my router/firewall at the same address but exclude it in the exclusion range of the DHCP scope? What would that involve with the domain controller? Is there anything that would need to be done there apart from changing the server's IP address? Also, how would this affect our Server 2003 machines?

Either way you go, there's going to be work. I would move away from static assignments and make them DHCP reservations. With reservations the IPs will still be static, but any other info like GW and DNS will update as DHCP is updated. The issue you will run into with moving to DHCP reservations is you won't get the same addresses, so if you have hard-coded configs for IPs you also want to change those to DNS names.
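Added example, not from the thread or any poster: the AD Sites and Services subnet, DHCP scope, exclusion and reservation steps discussed above, scripted with the ActiveDirectory, DhcpServer and DnsServer PowerShell modules on a domain controller. Every address, the MAC, the DNS domain and the server name are constructed placeholders, since the thread does not show the real ranges; the site name is the default the original post mentions.

```powershell
# Added example, not from the thread. All addresses, names and the MAC below are
# constructed placeholders; adjust to the real second subnet before running.
Import-Module ActiveDirectory, DhcpServer, DnsServer

$NewSubnet  = '10.0.1.0/24'            # constructed second subnet
$Site       = 'Default-First-Site-Name'
$ScopeId    = '10.0.1.0'
$Gateway    = '10.0.1.1'               # router/firewall interface on the new subnet
$DnsServers = @('10.0.0.10')           # constructed DC/DNS address on the existing subnet
$DhcpServer = 'dc01.corp.example'      # constructed DHCP server FQDN
$DnsDomain  = 'corp.example'

# 1. Register the subnet in AD Sites and Services (the GUI steps in the original
#    post) so clients on it locate a domain controller in the right site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'")) {
    New-ADReplicationSubnet -Name $NewSubnet -Site $Site
}

# 2. AD-integrated reverse lookup zone, secure dynamic updates only, so PTR
#    records for the new range get registered and resolve.
if (-not (Get-DnsServerZone -Name '1.0.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NewSubnet -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 3. DHCP scope for the new range. The gateway (.1) sits outside the scope, and
#    .2-.49 is excluded as room for the static devices the thread mentions.
#    The Cisco relay (ip helper-address) must point at $DhcpServer: the relay's
#    giaddr is what selects this scope instead of the existing one.
Add-DhcpServerv4Scope -ComputerName $DhcpServer -Name "Data2 $NewSubnet" `
    -StartRange '10.0.1.2' -EndRange '10.0.1.254' -SubnetMask '255.255.255.0' -State Active
Add-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $ScopeId `
    -StartRange '10.0.1.2' -EndRange '10.0.1.49'
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
    -Router $Gateway -DnsServer $DnsServers -DnsDomain $DnsDomain

# 4. A reservation: the client keeps a fixed address but still receives the
#    gateway and DNS options from the scope, which is the point of reservations
#    over hard-coded static assignments.
Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
    -IPAddress '10.0.1.60' -ClientId '00-11-22-33-44-55' -Name 'printer-floor1' `
    -Description 'constructed example reservation'
```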

What are the issues I would run into with a huge flat network?

  • Security risks with lack of segmentation
  • Degraded performance
  • Broadcast storms
  • They don't scale well
  • Potential compliance issues (if you're required to meet any compliance frameworks)
  • Lack of control
  • Difficult to troubleshoot
  • STP issues

I am not sure we can add a new VLAN. We have Netgear switches and a Cisco router/firewall.
I don't know if they can work together on the new VLAN.

I have also been recommended to just add a new scope. Would this solve my problem, or is the VLAN route still the best?

VLANs are a much better option. If the switches are unmanaged, then VLANs won't be an option.

Hi, last question.

Our switches are managed Netgear, but our router/firewall is a Cisco Firepower.

Would both of these be able to work together with a new VLAN? We already have an IP phone system running on a separate VLAN, so would a new data VLAN work the same?
I believe I would have to configure a second port on the router/firewall to accept the new VLAN and provide internet access.

Good to hear. Yes, Cisco Firepower firewalls should support VLANs.

So in the routing of the VLANs, I can use the relay agents to utilize my DHCP server and still be able to access my domain controller?
I would configure it as VLAN 1 (current data VLAN) and VLAN 2 for the new data VLAN.

The port to the domain controller would need to be a trunk vs. an access port; then you would allow it to trunk all your VLANs. Based on the VLAN tagging, the DHCP server would know which scope to issue addresses from.