Is Active Directory Sites and Services required and how to set up in Win 2008 R2?

gs-rho asked:

     We have a situation where we need to add a server to a remote office... right away...which previously has just been relying on access over VPN to the main office, for services. Besides the file server role that this new (remote office) server will fulfill, I feel the remote office would benefit from a DC being there.

- The main and remote offices are on different subnets
- The two offices are connected by SonicWall VPN tunnels and it's pretty much open access between them, for most protocols
- Windows 2008 R2 DC's
- If it matters, Exchange 2007 SP3 is running at the main office (on a Win 2008 server which is not a DC.)

At first, I would like to know if setting up Active Directory Sites and Service is even necessary in every situation, of remote offices and different subnets... are those the requirements, right there?
Despite the fact that I and the people with me on my team have decent knowledge in a number of areas, we just haven't had the need to ever use Sites and Services (and probably have basically ignored it in any study.) Does anyone know of any good step-by-step links for setting it up on Windows 2008 R2 domain?

Thanks a lot!

Sites and Services is used to configure AD so that machines in every subnet use the server in the same subnet. If you don't use it, even in your main office or branch, any machine could try to authenticate to any server, not the DC in the same subnet.

A good idea for some branch offices is to use read-only DCs. You can create one almost the same way as a normal DC, but these servers allow you to authenticate users and computers in branch offices without the need to query the central AD every time. Only the first time is the main server queried; the following times the RODC uses its cache.


I imagine the Exchange server would also use Sites and Services to check in with DC's in its subnet, rather than foreign subnets... care to confirm that? (If so, then that's another benefit.)

Seems like the main benefit is helping the network to run efficiently. Good benefit.

I have been under the impression that RODC is for when you have concerns about keeping tight security on the remote office. No one can make changes there... is there really any other reason? If not, then some offices may find it completely unnecessary... thoughts?

Seems to me that RODC is no-return. You can't make it a full DC later... so if there are no security concerns, then it might be better to keep open the potential for having a full DC, if it is ever needed. Feel free to comment.

Your comments are appreciated.
Any step-by-step link known for setting up Windows 2008 R2 Sites and Services?
You are right, Exchange uses Sites and Services for many services, and the main idea of Sites and Services is to use local resources more efficiently, for auth, DFS, AD replication, etc. This way slow links are used better.

RODCs are a good option when you want to allow local auth of users and computers but avoid replication and some other traffic, and not only for security reasons. If you don't have a local admin or support team, maybe an RODC is better. And yes, this could be changed to a full DC if you want.

Sorry, but I am on my mobile. But to configure Sites and Services, you need to create the subnet for every network of your company; then AD should locate every DC in the corresponding site. If you want, you can locate every DC in the right subnet. Then you can configure intra-site and inter-site replication. You can configure a bridgehead server to be in charge of replication to other sites.
You can promote a domain controller on the remote site so that in case of a network outage users are able to authenticate.
To configure the ADC:
First make sure that there is unrestricted connectivity between the sites.
Then on the server which you want to promote as a domain controller, assign a static IP; the DNS IP should be that of the PDC and the secondary DNS should be pointed to itself.
Install the DNS component on the server.
Then run dcpromo to promote it as a domain controller. This server will appear in AD Sites and Services along with the PDC.
Rename the default site, give it the name of one location, and create another site and give it the name of the other location.
Move the servers to their respective sites.
Now in Subnets, right-click and select New Subnet. After you create the subnet, link it with the appropriate site.
Add the IP of the ADC in the PDC's network configuration as secondary DNS server.
Later, configure the scope options in DHCP on both sites. For the first site's DHCP the preferred DNS should be the PDC and the secondary DNS should be the ADC. And for the new site this configuration should be the other way round.

You can also configure another exchange server and host the mailbox of users on the other site to that server.
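The site, subnet and site-link steps in the answer above (and the subnet-to-site mapping the first answer describes) done from PowerShell via ADSI, which works on Windows Server 2008 R2 where the ActiveDirectory module has no replication cmdlets. This is an added example, not code from the thread; the site name "RemoteOffice", the subnets 10.10.0.0/16 and 10.20.0.0/16, the link name "Main-Remote" and the DC name "DC-REMOTE" are assumed placeholders, and it assumes you run it as an Enterprise Admin on a domain-joined machine.

```powershell
# Added example, not from the thread. All names and subnets below are assumed placeholders.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$sitesDN  = "CN=Sites,$configNC"

function New-AdsiSite([string]$Name) {
    $sites = [ADSI]"LDAP://$sitesDN"
    $site  = $sites.Create("site", "CN=$Name")
    $site.SetInfo()
    # A usable site also needs its NTDS Site Settings object and a Servers container
    $site.Create("nTDSSiteSettings", "CN=NTDS Site Settings").SetInfo()
    $site.Create("serversContainer", "CN=Servers").SetInfo()
}

function New-AdsiSubnet([string]$Cidr, [string]$SiteName) {
    $subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
    $subnet  = $subnets.Create("subnet", "CN=$Cidr")
    # siteObject is what "link it with the appropriate site" sets in the GUI
    $subnet.Put("siteObject", "CN=$SiteName,$sitesDN")
    $subnet.SetInfo()
}

function New-AdsiSiteLink([string]$Name, [string[]]$SiteNames, [int]$Cost, [int]$IntervalMinutes) {
    # Inter-site replication over the IP transport; alternatively add the new site to DEFAULTIPSITELINK
    $ip   = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDN"
    $link = $ip.Create("siteLink", "CN=$Name")
    $link.PutEx(2, "siteList", @($SiteNames | ForEach-Object { "CN=$_,$sitesDN" }))  # 2 = ADS_PROPERTY_UPDATE
    $link.Put("cost", $Cost)
    $link.Put("replInterval", $IntervalMinutes)
    $link.SetInfo()
}

function Move-AdsiDC([string]$DcName, [string]$FromSite, [string]$ToSite) {
    # "Move the servers to their respective sites": the server object (with its NTDS Settings) is relocated
    $server = [ADSI]"LDAP://CN=$DcName,CN=Servers,CN=$FromSite,$sitesDN"
    $target = [ADSI]"LDAP://CN=Servers,CN=$ToSite,$sitesDN"
    $server.psbase.MoveTo($target)
}

New-AdsiSite     -Name "RemoteOffice"
New-AdsiSubnet   -Cidr "10.10.0.0/16" -SiteName "Default-First-Site-Name"   # main office
New-AdsiSubnet   -Cidr "10.20.0.0/16" -SiteName "RemoteOffice"              # remote office
New-AdsiSiteLink -Name "Main-Remote" -SiteNames "Default-First-Site-Name","RemoteOffice" -Cost 100 -IntervalMinutes 15
Move-AdsiDC      -DcName "DC-REMOTE" -FromSite "Default-First-Site-Name" -ToSite "RemoteOffice"
```

To confirm the mapping afterwards, run `nltest /dsgetsite` on a remote-office client (it should report RemoteOffice) and `nltest /dsgetdc:<yourdomain>` to check that the locator now returns the local DC; clients whose address falls in no defined subnet show up as NO_CLIENT_SITE entries in the DCs' netlogon.log and keep picking DCs at random.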


Seemed to go really well. Thanks.
