Active Directory Implementation question for growing business. HELP needed!

I'm in the planning stages for an Active Directory implementation here at our small but growing business and would like some best practice advice.  

- Basically we have about 65 people and are looking to expand to 100 in 7 months.
- Our production web server is hosted off-site and completely separate from our offices (no site to site VPN)
- The server room in our building is not ideal.  While power is good, it's dusty and we're located in earthquake country.  

I'd like to put 1 domain controller on site for performance reasons.  Once the domain is up we plan on utilizing BPOS for hosted exchange.  

The question is, where to put the second one?  If I put it in our production facility I would need to setup a site-2-site VPN which could potentially create a backdoor to our production environment.  Putting it on the same site wouldn't be fault tolerant.  Is syncing with BPOS considered a domain controller in the cloud?

Also is there a downside to having AD roles + DNS + File server roles on the same hardware to cut down on costs?  

Thanks in advance!

Mike Kline commented:
You would get fault tolerance in the same site, you just wouldn't get true DR (worst case tolerance). AD and DNS on the same box is common and recommended a lot.

File server is generally not recommended but in a case like yours I've seen it done with no issues.

I don't know the BPOS answer...haven't used it myself. (and Office365 is right around the corner)


mcsween (Sr. Network Administrator) commented:
You can't authenticate to BPOS in the cloud with the exception of Exchange and SharePoint, so if one of your Active Directory controllers isn't available then there will be no logging in. (Though BPOS is a great product! I wish I had been the one to sell it to you :)

VPN is not really a security risk to connect sites as long as you are using a higher encryption like 3DES or AES128 with MD5.  You can use PSK as long as you can ensure the keys stay secret; if you are really concerned use certificates.

Depending on how your users are distributed, how you plan to implement group policies, and how much file and print traffic you will see I don't think you have enough servers for what you need.  The servers are going to be a bit slow when everyone logs on in the morning and refreshes their group policies.

Best practices say you should have 2 domain controllers at each site with one at each site acting as a GC. If your budget is tight you could get away with 2 where the majority of your users are and 1 at the other site. You could even use a PC with Windows Server installed on it as a second domain controller.

Running DNS and AD on the same server is recommended but if you are running DHCP on the same server as DNS and you require secure dynamic updates you should configure DHCP to use a user account to update DNS A and PTR records.  File/Print services shouldn't be too much of an issue on the ADC as long as the traffic isn't too intensive.
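The DHCP-on-a-DC caveat in the answer above, worked through as an added example (this is not code from the thread; DC01, corp.example and the svc-dhcp-dns account are assumed names). It creates a plain domain user, makes sure the zone only accepts secure updates, hands the credential to the DHCP service, and verifies the result. The DC itself should stay out of the DnsUpdateProxy group; the dedicated account is the replacement for that.

```powershell
# Added example, not from the original thread. On a DC that also hosts DHCP and DNS,
# register A/PTR records with a dedicated low-privilege account so secure dynamic
# updates work without the DC's computer account owning every client record.
# Assumed names: DC01, zone corp.example, account svc-dhcp-dns.
Import-Module ActiveDirectory
Import-Module DhcpServer
Import-Module DnsServer

$dc      = 'DC01'
$zone    = 'corp.example'
$svcName = 'svc-dhcp-dns'
$svcUpn  = "$svcName@$zone"
$svcPass = Read-Host -AsSecureString -Prompt "Password for $svcName"

# 1. Ordinary domain user: no admin rights, no extra group memberships.
New-ADUser -Name $svcName -SamAccountName $svcName -UserPrincipalName $svcUpn `
    -AccountPassword $svcPass -Enabled $true -PasswordNeverExpires $true `
    -Description 'DHCP -> DNS dynamic update account'

# 2. The zone must require secure updates (AD-integrated zones only),
#    otherwise step 3 buys nothing.
Set-DnsServerPrimaryZone -ComputerName $dc -Name $zone -DynamicUpdate Secure

# 3. Give DHCP the credential, register records for every lease, remove them
#    when the lease expires, and stop a second client from overwriting a name.
$cred = New-Object System.Management.Automation.PSCredential($svcUpn, $svcPass)
Set-DhcpServerDnsCredential -ComputerName $dc -Credential $cred
Set-DhcpServerv4DnsSetting -ComputerName $dc -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -NameProtection $true
Restart-Service -Name DHCPServer

# 4. Verify the server-level settings took effect.
Get-DhcpServerDnsCredential -ComputerName $dc
Get-DhcpServerv4DnsSetting -ComputerName $dc
Get-DnsServerZone -ComputerName $dc -Name $zone | Select-Object ZoneName, DynamicUpdate
```

The credential is stored by the DHCP service and survives restarts; after the change, new leases should produce DNS records owned by svc-dhcp-dns rather than by the DC's computer object, which is what lets the records be updated when a different DHCP server issues the lease later.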

wrinklefree (Author) commented:
Thanks for the replies.  

Regarding VPN, I'm not too concerned about the tunnel being broken in the middle, but rather a PC here in our office being compromised and having connectivity to the production environment.  I guess I could setup a separate network in the data center just for the DC.

You have a point about performance with a single DC.  I'll probably up that to 2, but would like to put one off site just in case of disaster.

I bet the BPOS domain controller is a 1 way sync, and not exactly a disaster recovery solution. Anyone know?
For 100 users you don't really need a server room.
To keep saving you can get one rack and put it all in there.

You definitely want to have two domain controllers. They don't need to be expensive.
You want to host DC, DNS, DHCP, WINS on those servers.
You DON'T want files to be on domain controllers; they should be on a separate server.

If you have one office then have both DCs in your office but with redundant network connection.
If you have two offices then split them per office, but in that case you need to set up Sites for DC authentication.

Always avoid using Universal groups.
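The "set up Sites" advice above, and the earlier suggestion of a DC per location with one GC in each, as an added example (not code from the thread). Site names, subnets, domain name and DC names are assumptions; the layout matches the poster's plan of one DC in the office and one on an isolated segment at the hosting facility reached over the VPN.

```powershell
# Added example, not from the original thread. Give each location an AD site and
# subnet so clients authenticate against the DC in their own office and only
# replication crosses the VPN. Assumed names: corp.example, DC01, DC02, HQ, Datacenter.
Import-Module ActiveDirectory

$domain = 'corp.example'
$sites  = @{
    'HQ'         = '10.10.0.0/16'   # office LAN
    'Datacenter' = '10.20.5.0/24'   # isolated DC segment at the hosting facility
}

# 1. Create sites and map each subnet to its site. Without subnet objects every
#    client lands in Default-First-Site-Name and picks DCs without regard to location.
foreach ($s in $sites.GetEnumerator()) {
    New-ADReplicationSite -Name $s.Key
    New-ADReplicationSubnet -Name $s.Value -Site $s.Key
}

# 2. One site link for the VPN: intersite replication every 15 minutes, compressed.
New-ADReplicationSiteLink -Name 'HQ-Datacenter' -SitesIncluded 'HQ','Datacenter' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 3. Move the existing DC into the office site. The second DC is promoted from the
#    new server itself, straight into the remote site, as DNS server and (by default) GC:
#      Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
#      Install-ADDSDomainController -DomainName corp.example -SiteName 'Datacenter' `
#          -InstallDns -Credential (Get-Credential)
Move-ADDirectoryServer -Identity 'DC01' -Site 'HQ'

# 4. Verify: every DC reports the expected site and GC flag, a machine in each
#    office resolves its own site's DC, and replication across the VPN is healthy.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address
nltest /dsgetsite                      # which site this machine believes it is in
nltest /dsgetdc:$domain /site:HQ       # the DC that HQ clients should be using
repadmin /replsummary                  # replication errors and last-success times
```

If DC02 shows up in Default-First-Site-Name instead of Datacenter, its subnet is missing or wrong; fix the subnet object rather than moving the DC, since the subnet is also what steers clients.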
