AD DNS Design Sanity check
Posted on 2004-08-16
My company has 70 sites. 50 are small (up to 30 users) remote sites, connected via 256k to 1 Mb links to the ISP cloud. All have ISDN backup and local file/print servers.
6 larger sites have 100 to 250 users with 1 to 3 local file/print servers and a 1 to 4 MB connection to the ISP cloud.
Several large London and Romford buildings with 4500 users on a gigabit LAN are connected to the ISP via a 34 MB link.
We also have two data centres which will house all application servers and are connected to the ISP via a 34 MB link.
We have worked hard to shrink everything to a single NT4 domain so far. We are designing a single AD domain in a single AD forest to keep things single. Currently all sites have an NT4 BDC in case of WAN loss.
In our AD design, we have considered London (3000 users) as the main site with 4 DCs. Romford has gigabit connectivity and 1500 users but is considered as another site with one DC. The 6 larger sites have one DC each. The other 50 small sites are divided as follows: 20 have no DC and are grouped into one site with their DC in one data centre. Another 20 sites with no DC are grouped into the other data centre. The last 10 have no DC and are grouped together to consider London as their primary site, with 5 DCs to choose from for logon.
ALL DCs will be GCs and AD secure integrated DNS servers. There will be separate DHCP servers for security reasons. The London users will have two London DNS servers as primary and secondary. The 6 larger sites will have their own DC as primary DNS and London as secondary DNS. The remote small sites will have the data centre DC as primary and one London DC as secondary DNS. ALL to achieve logon and DNS load balancing.
To achieve further logon load balancing we will probably dissect the London sites into 5 London sites to ensure certain buildings will have a primary logon DC, even though there is gigabit connection across London and Romford.
1) Is there anything else we need to consider in this design? ie: Did we miss anything?
2) Do we setup each DC as the Licensing server for that site?
3) Do we set up DDNS so the client A-record does not get replicated to other DNS servers for reduced replication, or in our case does it not matter? So far we have set the DHCP server to register the client, and the lease time is 7 days, which matches DNS scavenging.
ps: The client is worried about remote sites with no DC. If the link and backup ISDN link die then there is no LOGON or connection to FAP possible. Any way to work around Kerberos authentication??? MS articles have come up with bizarre ways of doing this like local accounts and ACLs or Terminal Services...
I really appreciate a second opinion on this design...
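Added example, not part of the original post and not Microsoft tooling: a small Python model of how a DHCP-registered A record ages under DNS scavenging, so the "lease time is 7 days which matches DNS scavenging" assumption in question 3 can be checked rather than trusted. It goes beyond the 7-day case and tests the general relationship between lease length and the no-refresh/refresh intervals. The scavenging semantics and the assumption that the record is re-registered only at DHCP renewal (T1, 50% of the lease) are stated as assumptions in the code; every scenario value is constructed.

```python
"""Model of Windows DNS aging/scavenging against a DHCP lease.

Assumed scavenging semantics (the model's assumptions, stated plainly):
  * a dynamically registered record carries a timestamp;
  * during the No-Refresh interval after that timestamp, a refresh that does
    not change the record is ignored (timestamp stays as it is);
  * after the No-Refresh interval a refresh advances the timestamp;
  * a record is stale once now > timestamp + NoRefresh + Refresh, and is
    deleted by the next scavenging cycle after that.
The client is modelled as re-registering only when its DHCP lease renews,
at 50% of the lease (T1). All times are hours; all scenarios are constructed.
"""
from dataclasses import dataclass

HOUR = 1.0
DAY = 24 * HOUR


@dataclass(frozen=True)
class AgingPolicy:
    no_refresh: float       # No-Refresh interval, hours
    refresh: float          # Refresh interval, hours
    scavenge_period: float  # how often the scavenging cycle runs, hours


def simulate_active_client(lease_h: float, policy: AgingPolicy,
                           horizon_h: float = 90 * DAY):
    """Simulate an always-on DHCP client whose record is re-registered at
    every lease renewal (T1 = lease/2).

    Returns (safe, stale_at): safe is False if the record goes stale before a
    renewal refreshes it; stale_at is then the hour from which a scavenging
    cycle could remove the record of a host that is still on the network.
    """
    timestamp = 0.0        # record registered at hour 0
    renewal = lease_h / 2  # DHCP T1 renewal interval
    t = renewal
    while t <= horizon_h:
        stale_at = timestamp + policy.no_refresh + policy.refresh
        if t > stale_at:
            return False, stale_at  # renewal came too late: record scavengeable
        if t - timestamp >= policy.no_refresh:
            timestamp = t           # refresh accepted, timestamp advances
        # otherwise the refresh fell inside the No-Refresh window and was ignored
        t += renewal
    return True, None


def stale_record_max_lifetime(policy: AgingPolicy) -> float:
    """Longest time the record of a host that silently left the network can
    linger: stale after NoRefresh + Refresh, then up to one full scavenging
    period before the cycle actually deletes it."""
    return policy.no_refresh + policy.refresh + policy.scavenge_period


def assess(lease_h: float, policy: AgingPolicy) -> dict:
    """Summarise one lease/aging combination for a design review."""
    safe, stale_at = simulate_active_client(lease_h, policy)
    return {
        "lease_days": lease_h / DAY,
        "active_client_safe": safe,
        "first_risk_hour": stale_at,
        "stale_lifetime_days": stale_record_max_lifetime(policy) / DAY,
    }


if __name__ == "__main__":
    # Constructed scenarios: the post's 7-day lease against 7/7-day aging with
    # a weekly scavenging cycle, then the same aging with a 30-day and a 1-day lease.
    seven_seven = AgingPolicy(no_refresh=7 * DAY, refresh=7 * DAY,
                              scavenge_period=7 * DAY)
    for lease in (7 * DAY, 30 * DAY, 1 * DAY):
        print(assess(lease, seven_seven))
```

Reading the output: `active_client_safe` False means a renewal can arrive after the record has already gone stale, so a machine that is still on the network can lose its A record between two renewals; `stale_lifetime_days` is how long the record of a host that has been removed keeps resolving before scavenging clears it. With the 7-day lease and 7/7-day intervals the live-client case is safe and a dead host's record lingers for up to 21 days; the same intervals with a 30-day lease put live clients at risk after 14 days.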