! Do you think I need an Off-Site DC !

Posted on 2010-01-04
Last Modified: 2013-11-05
Quick question: I have an offsite that has a total of 7 systems; they will not add more in the future based on the type of site that it is. I want them on the domain, but I am wondering if it is needed to create a DC for that site. The sites are currently connected with a PTP tunnel on our Cisco routers, so DHCP and DNS are already set. We have 1 user there now that was at this site and she simply plugged in and it worked great. What do you think?

My main thing is: is the hassle worth the payoff later for such a small number of users?

Thanks in Advance.
    LVL 57

    Accepted Solution

    If things worked great I'd leave things as they are.  7 systems and a handful of users at a remote site doesn't justify a new DC and AD site in this case from what you described.
    LVL 18

    Assisted Solution

    by:Andrej Pirman
    If those users on your small site use the DC only for basic functionality, like DHCP, DNS and authentication, AND if ping from the small site to the primary DC is inside reasonable times (let's say, below 40 ms), my opinion is that you will be just fine with DC over VPN.
    In this case there will NOT be lots of traffic between client computers and DC.

    But if there are roaming profiles, off-line folders etc., AND if ping is much over 40-50 ms, AND the internet connection is asynchronous and slow (for example, ADSL with 1 Mbps down and 256 kbps up speed), then I would set up a remote DC.
    In this case you may predict a lot of traffic between sites, timeouts may be severe, etc., so it would be better to have a DC inside the LAN.
    LVL 95

    Assisted Solution

    by:Lee W, MVP
    In general, I would not consider it a requirement.  However, if there is a server there ANYWAY, then I would make it a DC.  Further, putting at least one off-site DC (off site in the sense that it is not with your main site) would be a good idea for disaster recovery.  If your main location burns to the ground (or is otherwise destroyed), your AD is not lost.  Further, a second server/DC can provide an added level of connectivity redundancy - for example, if your main site DC fails (unless you have more than 1 at the main site), this remote server can provide an added connection point (for example, for myself AND one of my clients, I have a DC at both my locations and if my main location's router/VPN server fails, I can connect to the other location and come in the back door, in a sense).
    LVL 18

    Assisted Solution

    It depends on your environment and how users leverage the network resources between sites. There's no real indication from the above that a DC is really required. My suggestion is the more you configure the more you will have to monitor or support around the clock :).
    In general, the most important thing is that you have at least two DCs. These two DCs can be in the main site, or one in the main and the other in another site such as this small site you are talking about. But there are two things to keep in mind before you make a DC in this small site. Let's say the main site is down and even the router etc. is not accessible; then your DC in the small site is useless for the main site users and vice versa. If the link is working but the main site DC is down, can your bandwidth accommodate the traffic for all your main site users to access the DC and other redundant servers, or is there any need? It is really more of a decision about what will need to be accessed and what will be up or down during an outage.
    In general, the most critical systems are probably your mail server(s), and if you are using Exchange server and you do not have one in your small site and do not plan for this remote site to be a backup site of your main site, then you may not want to have a DC there, especially as the number of users there does not justify a DC. Even if you make a server in this site a DC without spending $ for a new server, you will need to maintain another DC if you configure one here in the small site. The minute you have a DC, there will be traffic going between the sites that have DCs, such as the replication of DCs and GPOs etc. in \\domainname\netlogon. There will be authentication traffic as well as other validation traffic etc. between sites. Without the configuration of an Active Directory site, users could be authenticated by any DC from any site, which could create unnecessary traffic. If you put a DC in this small site you should configure an AD site and assign the appropriate subnet to the corresponding AD sites. If what you plan to do is use this small site as a backup site, then you need a DC. If that's your plan, then you may want to enable DHCP relay and create partial scopes on the DHCP servers and vice versa. This probably will go on and on... If this site by no means will be a backup site of your main, then maybe leaving it as is would be less work :)
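
The site and subnet mapping recommended in the answer above, as an added example that is not part of the original thread. It uses the ActiveDirectory PowerShell module (Windows Server 2012 or later); the site name, subnet, site link name and DC name are hypothetical placeholders.

```powershell
# Added example: every name and address below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$mainSite   = 'Default-First-Site-Name'   # assumption: the main site still has the default name
$branchSite = 'Branch-Office'             # hypothetical name for the small remote site
$branchNet  = '10.20.30.0/24'             # hypothetical subnet used at the remote site
$branchDc   = 'BRANCH-DC01'               # hypothetical DC placed at the remote site

# 1. Create the site object and map the remote subnet to it, so clients in that
#    subnet are directed to a DC in their own site instead of any DC in the domain.
New-ADReplicationSite   -Name $branchSite
New-ADReplicationSubnet -Name $branchNet -Site $branchSite

# 2. Link the two sites; the cost and schedule decide how replication uses the tunnel.
New-ADReplicationSiteLink -Name 'Main-Branch' `
    -SitesIncluded $mainSite, $branchSite `
    -Cost 100 -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

# 3. If the DC was promoted before the subnet existed, move its server object.
Move-ADDirectoryServer -Identity $branchDc -Site $branchSite

# 4. Verify the mapping and which DC the new site resolves to.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Discover -SiteName $branchSite | Select-Object HostName, Site

# 5. On a DC: clients logging on from subnets that map to no site are recorded
#    in netlogon.log with NO_CLIENT_SITE, which flags a missing subnet object.
Select-String -Path "$env:SystemRoot\debug\netlogon.log" -Pattern 'NO_CLIENT_SITE' |
    Select-Object -Last 20

# 6. On a client at the remote site: confirm the site it believes it is in.
nltest /dsgetsite
```
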
    LVL 9

    Expert Comment

    We don't typically put a server onsite (DC/fileserver) until it grows beyond 20 users. Without bandwidth-intensive features (roaming profiles, offline files, etc.), you should be fine.

    Author Closing Comment

    Thanks guys
