We have in our organisation a main office and several branches. I've setup the main DC for domain.com in the main branche's network, and everything is running fine. I now have the task to setup DCs in the braches and organize their networks.
I was thinking for setting up the branch DCs as subdomains. I want the LAN PCs to authenticate to the local DC and not to the root DC in the main office. Also, the conexion between branches is very sketchy and unreliable.
What is the proper way to setup this scenario?
Steps and links appreciated.
TIA,
-Jimmy
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
You have a choice.
Either child domains, or sites and services. Sites and Services will control which servers are used for authentication and will need to be configured anyway for the child domains to work.
What administration model are you going to use? Local administrators or centralised?
Is there going to be Exchange in this mix? If so, what version?
-M
Keep everything in the same domain for simplicity sake.
Go into AD Sites and Services and create the sites for the remote branches. Create DC's for each site and when you get the DC on site, move the DC to the proper site using AD Sites and Services. The creation of sites will ensure that the users at a particular branch will authenticate against the DC in that site.
I'd start off trying to go with separate sites. Keep the branch office in the same domain. How many users do you have and how big is your AD database?
What you will want to do is add the domain controllers to your domain.
Create sites for the branch offices.
You will add the subnets of the branch offices to the particular site in the branch office.
More info on creating sites here
http://windowsitpro.com/ar
You will then create a site link from the branch office to the hub. The ISTG/KCC will do the rest for you.
this link might help
http://searchwindowsserver
Thanks for your replies.
1- The main DC is behind an ISA Server with a dynamic IP internet conexion. I'd need some orientation on setting up a viable VPN. I could plug a fixed IP straight on the PDC, but not sure if that would be secure.
2- I would like a centralized approach, so all the branches get the same GPOs, but this could be tricky, because I'm using GPOs to set profile route to FILESERVER in the main office. Branches only have 1 server, and profiles, documents, desktop etc will be stored on the branch's DC since there is no FILESERVER there. Main office has bout 100 PCs, branches have between 15 - 30 PCs.
3- Main office has an Exchange 2007 server, but I've limited it to OWA access only.
I'm thinking maybe, should I just create seperate domains for the branches and deal with the repetitive admin tasks when needed?
-Jimmy
There is no reason at all that the branch offices should be run on subdomains - in fact, this is against Microsoft's recommendations. It only adds unnecessary complexity to your domain, where the control Active Directory Sites and Services gives you as to controlling the DCs clients will use to authenticate to is all you will need.
Even with having a Dynamic IP address at the main office, you cannot work around this by using subdomains. Subdomains would still need a connection back to the root domain. My suggestion would be to get a Static IP, or at a push, use something like http://www.no-ip.com. You'll need a site-to-site VPN (between routers - so a hardware VPN).
If you deploy the DCs as additional DCs in the same domain, all GPOs will filter down through replication to the appropriate sites automatically. I would highly suggest that you use DFS to replicate data storage between your sites and store the replicated folders in a Domain-based Namespace. I have used this to great effect - and it eliminates the issue of trying to configure policy to store data at the local site's DC. Alternatively, use Home Folders and then have folder redirection Redirect to the Home Folder (don't specify an absolute path to a particular server).
-tigermatt
Only real reason for using different domains has been to get different password policies. If upgrading AD to Windows Server 2008, this nead is eliminiated by using fine-grained password policies to get multiple password policies in same domain.
As already suggested a couple of times, create separate sites for the different locations. The clients will prefer DCs in local site, so place multiple DCs in each site to avoid the usage of WAN-links for the clients.
You nead to ensure that DCs can replicate and communicate over the WAN-links. See http://support.microsoft.c
GPOs can be linked to different sites instead of OUs if you want different GPOs applied to the different sites.
According to the Best Practices Analyzer, routing master has been deleted. I did have in the past another DC on the domain that I had removed awhile back, and I believe I maybe have deleted it from the Default Site when I was doing the renaming. I suppose this could be causing the problem. How do I get the Exchange to use the DC like it was?
Its an old DC thats long gone. Didnt realize there were still references to it in AD. The fix link provided by BPA is: http://technet.microsoft.c
I'm gonna boost the points 100 more. Appreciate all your helps.
In that case, it would seem you have migrated from a previous Exchange 2003 organization? In most cases, this error is caused by a server object of one of your older Exchange 2003 Servers lingering in Active Directory, or you may not have removed these legacy Exchange Servers correctly.
Check the 'green' comment at the bottom of http://social.technet.micr
IF you are not too familiar, I suggest you add another DC to the branch office and leave everthing in the default but make all the DC a GC. According to your company size, and assuming your script or netlogon place and clean with very small script file(s). Replication between the two DCs is not a problem. As far as creating two domain sites to control replication and authentication, yes, this will give you control on which DC for user to authenticate and other replication advantages. But I don't really see you have a need for it. I do have mulitple physical location with 20-30 users in a single domain site and only the bigger one are on differnt domain site. We have no problem working for the smaller loction in the same domain sites. This will simplify your AD. You can always create the site if needed later. No need to do it now. Leaving them on the same site also allow users to authenticate by any DC without delay. You may find it even smoother. The other thing I would recommend is make them both ADIZ DNS and I'm sure your DNS is also very small when comes to replciation. Also make both DC a DHCP server and split the scope for redundancy as well.
Business Accounts
Answer for Membership
by: brwwigginsPosted on 2009-01-06 at 11:31:18ID: 23308118
Personally I would not setup subdomains as it offers no benefit and is more administrative overhead.
I would use Active Directory sites and services to setup sites/subnets for each of the branch offices. The clients will use this information to find the "closest" domain controller on the network (should be local branch DC) and authenticate against it assuming you make them a global catalog server.
You can also set the replication schedule using a site link between the HQ and branch offices to schedule the replication