As businesses grow they expand within their original location and often spill over into nearby buildings when space becomes constrained, or open up a branch office in another, distant area. If these new offices are outside the reach of the head office LAN, then the IT manager immediately has a new challenge: to provide the same levels of service to the branch office workers as are enjoyed at the head office, while not compromising the security of the network.
Data across the WAN
Branch office workers usually need to access the same information as their head office colleagues, and this information usually resides in a mixture of data stores:
• Files on file servers.
• Web content on web and web application servers.
• Email and scheduling information on mail servers.
• Data records in databases.
All of these data stores serve their information across the LAN at rates of up to 1 Gbit/sec, so in a well designed LAN environment the rate of data transfer between server and workstation is not an issue. With the addition of a WAN link to the equation, the rate of transfer between a server located in the head office and a workstation in the branch office can be constrained by the speed of the WAN link, and as the cost of a WAN link rises in direct proportion to the speed at which it runs, adding bandwidth is not always the most cost-effective option. Another approach to speeding up data transfers over a WAN is to not transfer the data more times than you have to. This is known as ‘caching’ and has long been a common answer to speeding up the transfer of commonly used data. Processors use on-board memory cache to store recently accessed data on the basis that it is quicker to read it out of memory than off disc, and web services have long benefited from web cache servers which store recently accessed web pages or, in some instances, even pre-fetch pages that are likely to be accessed. Microsoft Outlook has had a cached mode since Office/Exchange 2003, allowing Outlook inboxes to be accessed over slow links or even with no link at all.
Windows 7 and Windows Server 2008 R2 have incorporated the caching concept and applied it to this branch office scenario with a technology called BranchCache. BranchCache will cache either file or web data recently accessed by workstations with the BranchCache feature enabled, so the first access of a file or web page is constrained by the speed of the WAN link but subsequent accesses are served from the local cache. BranchCache can be configured to work in one of two modes:
• Hosted mode.
• Distributed mode.
In hosted mode files or web pages accessed from a remote BranchCache enabled server are transferred to a local Windows Server 2008 R2 host where they can be subsequently accessed by local machines.
In distributed mode there is no local BranchCache server; any files or web pages accessed from a remote BranchCache server are stored locally on each workstation and advertised as available when another branch office client tries to access the same content. This advertising process uses a new multicast protocol called the BranchCache Discovery protocol to locate any locally cached content. The content is then retrieved from the ‘discovered’ client. As the discovery protocol is multicast, all clients need to be in the same multicast domain: either the same LAN segment, or a multi-VLAN network with multicast configured across VLANs. Network engineers do much work to reduce the amount of multicast traffic across their LANs, so this method should only be employed where the benefits of BranchCache outweigh the problems caused by local multicast traffic, or where a hosted solution cannot be deployed.
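The choice between the two modes, as an added PowerShell example (not code from the original article): it puts a branch client into hosted or distributed mode and then reports the effective configuration and the BranchCache firewall rules that are enabled, so an administrator can confirm whether multicast peer discovery is in play on that LAN. It uses the BranchCache module of Windows 8 / Windows Server 2012 and later (Windows 7 clients use the equivalent `netsh branchcache set service mode=...` commands); the hosted cache server name is an assumed placeholder.

```powershell
# Added example, not from the original article. Assumes the BranchCache
# PowerShell module (Windows 8 / Server 2012+); the server FQDN is made up.
param(
    [ValidateSet('Hosted', 'Distributed')]
    [string]$Mode = 'Hosted',
    [string]$HostedCacheServer = 'br1-cache01.corp.example.com'  # assumed FQDN
)

Import-Module BranchCache

if ($Mode -eq 'Hosted') {
    # Hosted mode: clients fetch cached blocks from one local server over
    # HTTPS, so no peer-discovery multicast is needed on the branch LAN.
    Enable-BCHostedClient -ServerNames $HostedCacheServer -Force
} else {
    # Distributed mode: every client advertises its own cache to peers via
    # multicast discovery, so all clients must share one multicast domain.
    Enable-BCDistributed -Force
}

# Report the effective configuration rather than trusting that the cmdlet ran.
$client = Get-BCClientConfiguration
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    ClientMode    = $client.CurrentClientMode
    HostedServers = ($client.HostedCacheServerList -join ',')
    ServiceStatus = (Get-BCStatus).BranchCacheServiceStatus
}

# The enabled BranchCache firewall rule groups show which traffic to expect on
# the branch LAN; the WSD peer-discovery group is only needed in distributed mode.
Get-NetFirewallRule |
    Where-Object { $_.DisplayGroup -like 'BranchCache*' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Profile
```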
One of the most effective ways of increasing service levels in a branch office is to provide a local domain controller on-site to speed up logons, allocate network addresses (DHCP) and accelerate hostname lookups (DNS). In a head office environment your domain controllers are often locked away in secure server rooms away from prying eyes and fingers, but in a branch office there may not be space for such a room, and often a branch office domain controller is stuck in the corner of the office along with the workers or in an unlocked broom cupboard. With Windows Server 2003/2008 every domain controller had full access to all aspects of your Active Directory configuration (with the right administrator logon), a potential security breach, especially where the server required a local operator to check backups.
Windows Server 2008 R2 introduces a new, read-only domain controller role. The read-only domain controller hosts a full copy of the Active Directory database and can therefore be used by local clients for logon, DNS and DHCP services, but the Active Directory database cannot be accidentally or maliciously corrupted.
One other benefit of this change is that, when installing a domain controller in a branch office, you can ship a non-DCPROMO’d server to site, define a local user with rights to add a read-only domain controller and then allow them to DCPROMO the server into the role. Previously you had to either pre-stage a domain controller in the head office and then ship it to the branch office, or a domain administrator had to accompany the domain controller to the branch office to install it.
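The delegated install just described, as an added PowerShell example (not code from the original article): phase 1 pre-stages the read-only domain controller account at head office and names the branch user who may promote the server; phase 2 is what that user runs on site, with no domain administrator present. It also sets the RODC's password replication policy so the branch server caches secrets only for branch accounts, which limits what a physically exposed server can give up. It uses the ADDSDeployment cmdlets of Windows Server 2012 and later (on 2008 R2 the same steps are done through dcpromo), and every domain, site, account and group name is an assumed placeholder.

```powershell
# Added example, not from the original article. Uses the ADDSDeployment module
# (Windows Server 2012 and later; on 2008 R2 the same steps are done with
# dcpromo). Domain, site, account and group names are assumed placeholders.

# --- Phase 1: run at head office by a Domain Admin -------------------------
Import-Module ADDSDeployment
$Domain      = 'corp.example.com'
$RodcName    = 'BR1-RODC01'          # computer name the branch server will use
$Site        = 'Branch1'             # AD site covering the branch subnet
$Installer   = 'CORP\br1-installer'  # branch user delegated to promote the box
$BranchUsers = 'CORP\Branch1-Users'  # only these accounts' secrets may be cached

# Pre-creates the RODC computer account and delegates promotion to $Installer.
# The allow/deny lists form the password replication policy: the RODC caches
# secrets only for $BranchUsers and never for Domain Admins, so a stolen or
# tampered branch server does not expose privileged credentials.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $RodcName `
    -DomainName $Domain `
    -SiteName $Site `
    -DelegatedAdministratorAccountName $Installer `
    -AllowPasswordReplicationAccountName $BranchUsers `
    -DenyPasswordReplicationAccountName 'CORP\Domain Admins' `
    -Credential (Get-Credential -Message 'Domain Admin credentials')

# --- Phase 2: run on the branch server by $Installer (no Domain Admin) -----
# The server must already be named $RodcName; it is promoted into the
# pre-staged account rather than creating a new domain controller object.
Install-ADDSDomainController `
    -DomainName $Domain `
    -UseExistingAccount `
    -Credential (Get-Credential -Message 'Delegated installer credentials') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
```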