Active Directory Design

[Guest]

I am in the process for designing a network consisting of a main office and
about 70 branch offices with about 10 users in each branch. The branch
offices are each connected to the main office through a 56k Frame Relay. The
users in the branch office must be able to work locally even if the Frame
goes down. The corporate office must be able to deploy group policy and
software updates from the main office. The domain will be centrally managed
at the main office. The clients range from Windows 95-XP

Questions:

What is the best way to minimize traffic over the frame?
Should I put a domain controller (Global Catalog) in every branch?
Would it be better to use subdomains?

 

[Guest]

I would start here

http://www.microsoft.com/technet/prodtechnol/windows2000ser
v/technologies/activedirectory/deploy/adguide/default.mspx

I take it you can't use 2k3? If not there is a reg
hack/modification that will allow your clients at the
remote site to still log on without a GC in there site.
Although this is not recommended I have used it a few
times for those rare cases of a 56k line that is shotty.

Hope that helps.

 

[Guest]

What benefits would I gain by w2k3? They are licensed for w2k3, but have not
implemented it due to deployment costs and past application compatibilty
problems.

I should also note that the branch office's main app is sql based pos that
replicates back to the main office at the end of the day. It is possible to
have a Windows XP machine act as the server for the POS app. I can see how a
dc in each brach could get rid of several problems, but would it create so
much traffic that it would end up creating more?

Also, Historically the Frame has only gone down for a few hours over the
last 5 years.

 

[Chriss3 [MVP]]

Comments inline.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

I am in the process for designing a network consisting of a main office and
about 70 branch offices with about 10 users in each branch. The branch
offices are each connected to the main office through a 56k Frame Relay.
The
users in the branch office must be able to work locally even if the Frame
goes down. The corporate office must be able to deploy group policy and
software updates from the main office. The domain will be centrally
managed
at the main office. The clients range from Windows 95-XP

Questions:

What is the best way to minimize traffic over the frame?
Should I put a domain controller (Global Catalog) in every branch?

[Christoffer] Yes Domain Controller, as Global Catalog with DNS is the best.
If you have the requirement to provide authentication when firame relay is
down.

Would it be better to use subdomains?

[Christoffer] It dependes about how many updates you are about to do, and if
you need main office data replicated to branch offices. May this is a good
soultion to use if you not need data in the main office domain at branch
offices. Only forest wide configuration information will be replicated
between office then, and thats good since you have very slow links between
offices.

 

[Hunter Coleman]

"I can see how a dc in each brach could get rid of several problems, but
would it create so much traffic that it would end up creating more?"

Not if you configure each branch as an AD site. That way, you'll be able to
schedule replication traffic to occur between specific time windows. You can
then configure a hub site, so you don't have direct replication between
multiple 56k links. You'll still have some "leakage" traffic, such as
account lockouts, that will happen outside of the replication schedule, but
that traffic shouldn't be overwhelming.

The Branch Office Deployment Guide has a lot of good information for your
scenario.
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/default.asp
(watch for the URL wrapping)

 

[Hunter Coleman]

I'd be hesitant to consider separate domains in this case. You'd be looking
at doubling the hardware requirements for domain reliability, ending up with
140 DCs instead of 70. Trying to duplicate group policies across 70 domains
would be a large-scale headache as well.

--
Hunter

Comments inline.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

I am in the process for designing a network consisting of a main office and
about 70 branch offices with about 10 users in each branch. The branch
offices are each connected to the main office through a 56k Frame Relay.
The
users in the branch office must be able to work locally even if the Frame
goes down. The corporate office must be able to deploy group policy and
software updates from the main office. The domain will be centrally
managed
at the main office. The clients range from Windows 95-XP

Questions:

What is the best way to minimize traffic over the frame?
Should I put a domain controller (Global Catalog) in every branch?

[Christoffer] Yes Domain Controller, as Global Catalog with DNS is the best.
If you have the requirement to provide authentication when firame relay is
down.

Would it be better to use subdomains?

[Christoffer] It dependes about how many updates you are about to do, and if
you need main office data replicated to branch offices. May this is a good
soultion to use if you not need data in the main office domain at branch
offices. Only forest wide configuration information will be replicated
between office then, and thats good since you have very slow links between
offices.

 

[ptwilliams]

What is the best way to minimize traffic over the frame?

As stated, through the proper definition of AD sites.

Sites are how you control the physical aspects of AD: sites are defined as a
series of well-connected subnets, and are basically used to localise traffic
and control replication.

Replication isn't really an issue with so few users - intersite replication
traffic is compressed, and runs by default, every three hours. If
necessary, you can drop this down to once a week (although once or twice a

Should I put a domain controller (Global Catalog) in every branch?

Yep. With links that slow, you need to localise as much traffic as possible
to the site. Each site will need to be running DC/GC/DNS and possibly DHCP
as well (although that's not a requirement, just an administrators friend).

If you don't have a DC/GC per site (assuming each remote location is a site,
as a 56K link is quite the definition of the need for a site boundary) you
wont be able to contain logon traffic, GPO traffic (s/w distribution will
kill your line), etc. and will see some serious line congestion.

Would it be better to use subdomains?

Not really. For so few users this would be a lot more work, and would
probably not save you anything - in fact, there could be as much if not more
replication traffic, as the GC would need a partial replica of each domain
partition replicated - up to 70. And without GCs cross domain queries and
the like would be a real burden on the WAN.


The best bet, is to download the branch office deployment guide and look to
do it this way.

You'll have two choices with your site links - individual links in a hub and
spoke topology (what I'd go for) or several sites sharing the same links
(it's a cloud topology). It doesn't matter that much, but you'll need to
manually intervene with the links, the link costs, the replication
schedules, etc. and if you have some underutilised lines, may want to add
some redundancy by making those links transitive and giving them a slightly
lower cost, etc.

Hope this helps,


--

Paul Williams
http://www.msresource.net


Why not join us in our free, public forum?
http://forums.msresource.net
______________________________________
I am in the process for designing a network consisting of a main office and
about 70 branch offices with about 10 users in each branch. The branch
offices are each connected to the main office through a 56k Frame Relay.
The
users in the branch office must be able to work locally even if the Frame
goes down. The corporate office must be able to deploy group policy and
software updates from the main office. The domain will be centrally managed
at the main office. The clients range from Windows 95-XP

Questions:

What is the best way to minimize traffic over the frame?
Should I put a domain controller (Global Catalog) in every branch?
Would it be better to use subdomains?