AD Design

jokes54321

We finally reached a point where DCs at each remote site make sense. I
read through the MS TechNet article on Planning Active Directory for Branch
Office and it left me with more questions than answers.

So, I was hoping to check with the pros here and see how things are being
done in real life.

We have a domain at our central office and have 21 remote sites with
anywhere from 10 to 150 users/devices at each. I only got approval to
install one DC at each location so this needs to play into the picture. Each
site is connected to the host site via 256K MPLS circuits.

With the above info, would it make sense to make each remote a child domain
or a Site that is part of the primary domain? I was leaning toward a child
domain but without a second DC at each site I don't think this would be
ideal. My fear with making it a Site that is part of the primary domain is
replication traffic over a 256K circuit. Our central office has 200
users/workstations.

Any suggestions will be appreciated.


Thanks,

Denny
 
With the above info, would it make sense to make each remote a child
domain or a Site that is part of the primary domain?

I would choose making it a site on your current domain. Less admin.

hth
DDS
 
Hi Jokes,

You do NOT want to make each site a separate domain because it will put
your whole domain in jeopardy and you will not be able to provide
reliable service to your users. At a bare minimum you want to have two
domain controllers in every domain to handle for that failure or
unavailability of a DC.

Generally you only want to have a separate domain when:
1. You cross geopolitical boundaries that might legislate IT policies
2. You need separate security policies (password policies, &c.)
3. You have corporate fiat tied to business requirements (or political
mandate)

In your case, you have several options based on the connections
determined in your MPLS implementation. Assuming that you are on a hub
and spoke-type network:
1. You may want to have 2 domain controllers at your HQ site that is the
MPLS hub to handle the primary site and any failover and the FSMO roles.
2. Have a DC at each site that is also a GC and AD integrated DNS.
Configure replication every 1-4 hours depending on the frequency of
changes.
3. You might want to look at other services on the branch office DCs
like DHCP, WSUS and IAS (for wireless authentication) and the like.

The branch office guide is great, but pay attention to the real
configuration requirements when implementing. If you have a way to get
the OS on the DCs and promote them on site, do that rather than staging
them in a temp site. Political minutiae always intervene and you'll
end up with tombstoned DCs.

Let me know if you have any questions.

Ryan Hanisco
FlagShip Integration Services
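The layout both replies describe (one site per branch in the existing domain, one GC/DNS DC per branch on a hub-and-spoke link, inter-site replication every 1-4 hours) can be scripted and checked with the ActiveDirectory PowerShell module. The following is an added example, not code from the thread or from FlagShip; it assumes the RSAT ActiveDirectory module on a Windows PowerShell 5.1 host with rights to modify the Configuration partition, and the site name, subnet and 180-minute interval are constructed sample values.

```powershell
# Added example: register one branch site, bind its subnet, give it its own
# hub<->branch site link with a 3-hour interval, then verify the single DC
# there is a GC and runs DNS. Names and values below are constructed.
Import-Module ActiveDirectory

$HubSite     = 'HQ'          # existing site holding the two hub DCs and the FSMO roles
$Branch      = @{ Name = 'Branch01'; Subnet = '10.1.1.0/24' }   # constructed sample values
$ReplMinutes = 180           # inside the 1-4 hour window; must be a multiple of 15

function Add-BranchSite {
    param([string]$Name, [string]$Subnet, [string]$Hub, [int]$Minutes)

    # Site and subnet: clients use the subnet to locate their local DC/GC.
    # A missing or wrong subnet silently sends every logon across the 256K link.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Name'")) {
        New-ADReplicationSite -Name $Name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
        New-ADReplicationSubnet -Name $Subnet -Site $Name
    }

    # A dedicated hub<->branch link gives each spoke its own cost and interval
    # instead of inheriting DEFAULTIPSITELINK (15 minutes, all sites in one link).
    $LinkName = "$Hub-$Name"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
        New-ADReplicationSiteLink -Name $LinkName `
            -SitesIncluded $Hub, $Name `
            -Cost 100 `
            -ReplicationFrequencyInMinutes $Minutes `
            -InterSiteTransportProtocol IP
    }
    # Take the branch out of the default link so only the hub path remains.
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
        -SitesIncluded @{ Remove = $Name } -ErrorAction SilentlyContinue
}

function Test-BranchSite {
    param([string]$Name)

    # With one DC per branch, that DC must be a GC (otherwise logons still need
    # the hub GC over the WAN) and run DNS; the hub DCs are its only failover.
    $dcs = Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $Name }
    if (-not $dcs) { Write-Warning "No DC registered in site $Name"; return }

    foreach ($dc in $dcs) {
        # Get-Service -ComputerName exists in Windows PowerShell 5.1 (not PowerShell 7).
        $dns  = Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue
        # Last successful inbound replication from each partner, per naming context.
        $last = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
                Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1
        [pscustomobject]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
            DnsService      = if ($dns) { $dns.Status } else { 'unreachable' }
            LastReplSuccess = if ($last) { $last.LastReplicationSuccess } else { 'n/a' }
        }
    }
}

Add-BranchSite -Name $Branch.Name -Subnet $Branch.Subnet -Hub $HubSite -Minutes $ReplMinutes
Test-BranchSite -Name $Branch.Name | Format-Table -AutoSize
```

Run Add-BranchSite once per branch (a loop over the 21 sites works the same way), then Test-BranchSite after promoting each DC on site; a row showing IsGlobalCatalog false or an old LastReplSuccess is exactly the condition that turns a branch into the tombstoned-DC case Ryan mentions.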
 