Domain Controllers - Multiple Sites


Currently I have a mix of DCs: a Win2008 R2 domain at Head Office and some Win2000 and Win2003 DCs across another 4 offices. All offices are in different capital cities and these sites are connected back to Head Office with a high-speed VPN.

Each site has networked printers and local file storage of up to 500GB each. Each workstation authenticates against its local DC and each DC has a different name.

Now it's obvious that the branch DCs need to be upgraded, preferably to 2008 R2, but what do you think would be the best way to handle this?

Option 1 - Prepare new servers and keep them separate as per current?
Option 2 - Prepare new servers and set up the DCs as Read Only DCs?
Option 3 - Set up NAS storage in each remote branch and have users authenticate against the Head Office DC?

Your opinions and ideas most welcome.
Option 1 - Prepare new servers and keep them separate as per current?
I would most likely go down this route. It allows user authentication and DNS lookup in the branch office to function when the VPN is down, keeps the lookups local to avoid unnecessary delay and reduces WAN utilisation.
Option 2 - Prepare new servers and set up the DCs as Read Only DCs?
This option would be fairly similar to option 1, with the added benefit of securing the domain against changes from the branch offices. This may be useful if security in the branch offices is less than ideal and/or you don't have administrators in the branch office that need to make changes anyway. You will lose the ability for clients to dynamically register themselves in DNS against the RODCs though.
Option 3 - Set up NAS storage in each remote branch and have users authenticate against the Head Office DC?
I would probably stay away from this option. If your VPN goes down, users won't be able to log on to their machines (except if they have cached credentials), DNS lookups won't work and connections to the NAS won't work (assuming the NAS will be AD integrated for file permissions).
If you can budget for them, standard DCs (option 1) are what I would keep. I don't see any reason why you couldn't do DNS/GC/AD on them as well as basic print/file server duties.

What is the average number of users at each location?
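The security benefit of option 2 depends on the RODC's Password Replication Policy (PRP): an RODC only caches the secrets the PRP allows, so a stolen or compromised branch box yields at most those accounts. The script below is an added example, not code from the thread or from any of its participants. It uses the ActiveDirectory module cmdlets that ship with the 2008 R2 RSAT; the RODC name, hub DC name and branch group name are assumptions chosen for illustration.

```powershell
# Added example: scope and audit an RODC's Password Replication Policy so that
# only the branch's own users and workstations are cached on the branch DC.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH1-RODC01'   # assumed: the branch read-only DC
$HubDc       = 'HQ-DC01'          # assumed: a writable DC at Head Office
$BranchGroup = 'Branch1-Users'    # assumed: group holding that branch's users and PCs

# 1. Refuse to run against anything that is not actually an RODC.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { throw "$Rodc is not a read-only domain controller" }

# 2. Allow caching only for the branch group, and re-assert the deny for the
#    privileged groups. The default PRP already denies most of these via the
#    'Denied RODC Password Replication Group'; the explicit deny guards against
#    someone later loosening the defaults. Deny always wins over allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList `
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', `
    'Account Operators', 'Server Operators', 'Backup Operators'

# 3. Prepopulate the branch accounts' secrets now, from the hub DC, so the
#    first logon after the VPN drops does not depend on a live pull from HQ.
#    -Recursive flattens nested groups to leaf users/computers.
Get-ADGroupMember -Identity $BranchGroup -Recursive | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $HubDc -Destination $Rodc -PasswordOnly
}

# 4. Audit what the RODC really holds. 'Revealed' = secrets stored on the RODC;
#    'Authenticated' = accounts that logged on through it, cached or not.
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

$adminNames = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName

$leaked = $revealed | Where-Object { $adminNames -contains $_.SamAccountName }
if ($leaked) {
    Write-Warning ("Privileged secrets cached on {0}: {1}" -f $Rodc, ($leaked.SamAccountName -join ', '))
}

# Admins logging on at the branch are not cached (denied), but each such logon
# still travels over the VPN to a writable DC. Worth knowing when the link is down.
$adminLogons = $authenticated | Where-Object { $adminNames -contains $_.SamAccountName }
if ($adminLogons) {
    Write-Warning ("Domain Admins have authenticated via {0}: {1}" -f $Rodc, ($adminLogons.SamAccountName -join ', '))
}

"{0}: {1} accounts cached, {2} accounts have authenticated here" -f $Rodc, @($revealed).Count, @($authenticated).Count
```

Two caveats a practitioner would check alongside this: the branch's IP subnet must be mapped to the RODC's site in Active Directory Sites and Services, otherwise workstations may still be locating the Head Office DC over the VPN regardless of which option you pick; and if the PRP denies an account, that user simply cannot log on at the branch while the VPN is down, so the allowed group needs to include the branch workstation computer accounts as well as the users.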

MAS (MVE), EE Solution Guide - Technical Dept Head, commented:
If you are using the DC only for accessing shared folders I would suggest NAS storage, as it has its own authentication system. The only thing is your branch PCs should be added to a workgroup, as they won't be able to log in when the connection is down.

If you are not an expert in configuring ADC/Group Policy I strongly suggest dropping the idea of an ADC in branch offices, as I was facing log-on issues, folder access issues, domain-joined PCs being slow, etc. All these issues were due to incorrect configuration of the ADC in the branches.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
If you have more than one DC at the head office and security is of utmost concern at remote sites then I would go for an RODC (option 2). Otherwise stick to option 1, as for DR purposes it is always good to have multiple DCs.

For the long term, instead of using NAS devices, why don't you implement Windows Storage Server as an option?
tmaster100 (Author) commented:
Thanks guys.

To answer some questions.

The branch offices all have less than 10 staff.
The current DCs are used for file sharing, printer sharing, DNS, GC and AD.
Yes, I am very familiar with GPOs and use these extensively at Head Office.

The file storage in each remote location is not absolutely critical to the business, but it is on RAID-protected storage and backed up nightly to tape which is rotated every day. Access to these files at high speed is the main reason why I set it up this way.

Each site is behind a heavy Cisco firewall and has no direct IP access in or out to the Internet, so while security is needed, it doesn't need to be over the top.

I do have software applications that get quite complex when all the DCs are separated, but I guess I could always purchase new servers, set up AD etc. and configure one-way trusts from Head Office so that my software can see all the AD trees etc.

FWIW - I have set up Head Office with multiple Dell R720 Enterprise servers, all running VMware Essentials Kit with an extensive backup regime, but would one bother to virtualize small branch office sites in these circumstances?
Casey Herman, Citrix Engineer, commented:
If it is just one server on the remote site I would just run it directly on the hardware. If there are multiples I would consider virtualization. But that being the case, I would still have more than one host for redundancy at each site.

If the hardware is reasonably new, you can in-place upgrade the 2003 boxes to 2008 with no/little issues. I have done it several times, with only a few hiccups. Just remember if it is 32-bit 2003 to use 32-bit 2008 and vice versa. I would replace the 2000 boxes completely.

If you go virtual, this is a lot safer to do if you P2V the boxes that you already have. Then you can snapshot them before the upgrade to make sure that you can roll back if something goes sideways. Having Veeam as your backup solution at the sites would be helpful as well. It is very easy to restore and very fast to back things up. I think they have added tape drive backups in the new version 7.

Just a few thoughts.
