Segmenting network traffic for separate management

Is it a good idea to segment management traffic to a different network than other traffic?  In the old days, some large enterprises did just that for “security reasons” by putting two network interface cards (NICs) in each server.  The first NIC then handled all management traffic between the servers and the administrative workstations or for RDP-only management sessions, while the second NIC handled all other network traffic for the servers such as file and print traffic.

But is this a good idea for today’s networks?

Admins and consultants I’ve talked to almost uniformly say “No” in response to this question.  The main reason is because of the issue that arise when domain controllers have more than one NIC in them.  You can get it working but it takes some additional steps such as registering the management NICs in DNS using static CNAME records and unbinding NetBIOS from the management NICs.  But if your servers have more than two NICs then this kind of approach can cause real headaches that you may only be able to work around by using static host tables and other stuff that adds considerable management overhead. 

So don’t try it.  It’s the same as having two hard drives in every workstation and trying to relocate user profiles to D: drive instead of their default location on C: drive.  It can be done, but only if you do it during deployment, not afterwards.  And it can become a supportability nightmare.  And it really doesn’t make it “easier to back up user data” as user data shouldn’t be store on users’ computers anyways, it should be redirected to network file servers where it can be centrally backed up.

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.


About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top