Domain Controllers - Multiple Sites


Currently I have a mix of DCs: a Win2008r2 domain at Head Office and some Win2000 and Win2003 DCs across another 4 offices. All offices are in different capital cities and these sites are connected back to Head Office with high speed VPN.

Each site has networked printers and local file storage of up to 500GB each. Each workstation authenticates onto its local DC and each DC has a different name.

Now it's obvious that the branch DCs need to be upgraded, preferably to 2008r2, however in what way does one think would be the best way to handle this?

Option 1 - Prepare new servers and keep them separate as per current?
Option 2 - Prepare new servers and set up the DCs as Read Only DCs?
Option 3 - Set up NAS storage in each remote branch and have users authenticate against the Head Office DC?

Your opinions and ideas most welcome.
tsaico commented:
If you can budget for them, the standard DCs (option 1) is what I would keep. I don't see any reason why you couldn't do the DNS/GC/AD on them as well as basic print/file server duties.

What is the average number of users at each location?
Option 1 - Prepare new servers and keep them separate as per current?
I would most likely go down this route. It allows user authentication and DNS lookup in the branch office to function when the VPN is down, keeps the lookups local to avoid unnecessary delay and reduces WAN utilisation.
Option 2 - Prepare new servers and setup DC's as Read Only DC's?
This option would be fairly similar to option 1, with the added benefit of securing the domain against changes from the branch offices. This may be useful if security in the branch offices is less than ideal and/or you don't have administrators in the branch office that need to make changes anyway. You will lose the ability for clients to dynamically register themselves in DNS against the RODCs though.
Option 3 - Setup NAS storage in each remote branch and users authenticate against Head Office DC?
I would probably stay away from this option. If your VPN goes down, users won't be able to log on to their machines (except if they have cached credentials), DNS lookups won't work and connections to the NAS won't work (assuming the NAS will be AD integrated for file permissions).
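An added example, not from the thread, to put facts behind the choice discussed above: a PowerShell inventory of the DCs, sites and subnet mappings in the forest, flagging branches whose logons would not stay local and checking the prerequisites for an RODC. It assumes the RSAT ActiveDirectory module and PowerShell 3.0 or later on a domain-joined machine; the cmdlets and property names are the module's own.

```powershell
# Added example (not from the thread): inventory the existing DCs per AD site.
# Assumes the RSAT ActiveDirectory module, PowerShell 3.0+ and read access to the forest.
Import-Module ActiveDirectory

# One record per DC: site served, writable vs. RODC, Global Catalog role and OS
# version (to spot the Windows 2000/2003 boxes that still need replacing).
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem
$dcs | Sort-Object Site | Format-Table -AutoSize

# Subnet-to-site mapping, read from the configuration partition. A branch whose
# subnet is missing here will have its workstations pick a DC from the whole
# domain (possibly across the VPN) instead of the local one.
$cfg = (Get-ADRootDSE).configurationNamingContext
$subnets = Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$cfg" `
    -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
    Select-Object Name, @{n='Site'; e={ ($_.siteObject -split ',')[0] -replace '^CN=' }}
$subnets | Format-Table -AutoSize

# Per-site summary with the two checks the thread turns on:
#  - does the site have a subnet, so logons and DNS lookups stay local?
#  - are any DCs in the site still pre-2008 (the ones to replace)?
foreach ($grp in ($dcs | Group-Object Site)) {
    $siteSubnets = @($subnets | Where-Object { $_.Site -eq $grp.Name })
    $legacy      = @($grp.Group | Where-Object { $_.OperatingSystem -match '2000|2003' })
    [pscustomobject]@{
        Site          = $grp.Name
        DCs           = $grp.Count
        RODCs         = @($grp.Group | Where-Object { $_.IsReadOnly }).Count
        LegacyDCs     = $legacy.Count
        SubnetsMapped = $siteSubnets.Count
        Warning       = if ($siteSubnets.Count -eq 0) { 'no subnet mapped to this site' }
                        elseif ($legacy.Count -gt 0) { 'pre-2008 DC present' } else { '' }
    }
}

# Option 2 prerequisites: an RODC replicates only from a writable Windows Server 2008
# (or later) DC, and the forest functional level must be at least Windows Server 2003.
$writable2008 = @($dcs | Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -match '2008|2012|2016|2019|2022' })
if ($writable2008.Count -eq 0) {
    Write-Warning 'No writable Windows Server 2008+ DC found; an RODC cannot be deployed yet.'
}
$forestMode = (Get-ADForest).ForestMode
if ("$forestMode" -match '2000') {
    Write-Warning "Forest functional level is $forestMode; raise it before adding an RODC."
}
```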
MAS (MVE), Technical Department Head, commented:
If you are using the DC only for accessing shared folders I would suggest NAS storage as it has its own authentication system. The only thing is your branch PCs should be added to a workgroup as they won't be able to log in when the connection is down.

If you are not an expert in configuring ADC/Group Policy I strongly suggest dropping the idea of an ADC in branch offices, as I was facing log-on issues, folder access issues, domain-joined PCs being slow etc. All these issues were due to incorrect configuration of the ADC in branches.

Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
If you have more than one DC at the head office and security is of utmost concern at remote sites then I would go for RODC (option 2). Otherwise stick to option 1, as for DR purposes it is always good to have multiple DCs.

For the long term, instead of using NAS devices, why don't you implement Windows Storage Server as an option?
tmaster100 (Author) commented:
Thanks guys.

To answer some questions.

The branch offices all have less than 10 staff.
The current DCs are used for file sharing, printer sharing, DNS, GC and AD.
Yes, I am very familiar with GPOs and use these extensively at Head Office.

The file storage in each remote location is not absolutely critical to the business, but it is on RAID-protected storage and backed up nightly to tape which is rotated every day. Access to these files at high speed is the main reason why I set it up this way.

Each site is behind a heavy Cisco firewall and has no direct IP access in or out to the Internet, so security, whilst needed, doesn't need to be over the top.

I do have software applications that get quite complex when all the DCs are separated, but I guess I could always purchase new servers, set up AD etc. and configure one-way trusts from Head Office so that my software can see all the AD trees etc.

FWIW - I have set up Head Office with multiple Dell R720 Enterprise servers, all running VMware Essentials Kit with an extensive backup regime, but would one bother to virtualize small branch office sites in these circumstances?
Casey Herman, Citrix Engineer, commented:
If it is just one server on the remote site I would just run it directly on the hardware. If there are multiple I would consider virtualization. But that being the case I would still have more than one host for redundancy at each site.

If the hardware is reasonably new, you can in-place upgrade the 2003 boxes to 2008 with little or no issues. I have done it several times, with only a few hiccups. Just remember if it is 32-bit 2003 to use 32-bit 2008 and vice versa. I would replace the 2000 boxes completely.

If you go virtual, this is a lot safer to do if you P2V the boxes that you already have. Then you can snapshot them before the upgrade to make sure that you can roll back if something goes sideways. Having Veeam as your backup solution at the sites would be helpful as well. It is very easy to restore and very fast to back things up. I think they have added tape drive backups to the new version 7.

Just a few thoughts.
