Adding a second domain controller at a satellite location

I'd like to add a second domain controller at a satellite office as a preventative measure for a disaster scenario.  I'm running Windows Server 2008 Standard and the satellite office is connected to the main location via a VPN appliance.  

I have two questions.  Are there any problems with adding a server as a domain controller while it is in the satellite office?  My concern is transferring all the data necessary to make the server a domain controller via VPN.  Should I set it up in the main office first and then move it to the satellite office?

My second question concerns maintaining a domain controller in a satellite office connected with a VPN.  I wouldn't think there would be that much information transferred between the two servers to keep everything up to date.  My concern here is regarding bandwidth.  Does anyone have experience with maintaining a second domain controller as described?

Where is the physical server?  If it is on hand, you can set it up locally and then ship it.

Are you looking at setting up a standard DC or an RODC at the satellite location?
Presumably, since you are looking at the satellite location as a DR site, it will be a standard DC.

There are the changes in users/systems, which do not consume that much data; if you have a range of GPOs and scripts, those will increase the amount of data transferred.
Now if you are looking at sharing files by using DFS with DFS-R to make certain documents available/copied to the "DR" site, those will/could consume a large amount of the bandwidth, or take a long time to replicate, depending on your choices.
DFS-R has scheduling and bandwidth constraints that can be configured.

How secure is the satellite office?  i.e. anyone with physical access to a standard DC can circumvent certain things and effectively take control of the entire domain.

IMHO, you should always have two DCs at the main location.  Branch DC (RODC) as available/needed.  It is a pain in the ..... if the office DC dies and all the workstations/servers/appliances/switches/routers now have to send their requests through the VPN to the remote DC.

John Gobert, Enterprise Systems Consultant, commented:
If you already have a DC at the remote location and you build the second DC there then it will replicate from the local controller and not over your VPN connection.  You can also build it before shipping and just move it into the appropriate site in AD Sites & Services once you move it.

We keep two DCs at each of our remote sites and have never had any problems maintaining replication.  Standard replication traffic (once a controller has fully replicated for the first time) is usually pretty light compared to other traffic.  What's the bandwidth between your sites?
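The "move it into the appropriate site in AD Sites & Services" step above, done from PowerShell, as an added example that is not part of the original answer. It assumes the ActiveDirectory module's *-ADReplication* cmdlets (available with Server 2012 or later RSAT; on a plain Server 2008 box the same objects are created in dssite.msc), a domain called corp.example, an existing site still named Default-First-Site-Name, a branch site named Satellite, the subnets 10.10.0.0/24 and 10.20.0.0/24, and a promoted DC named DC02. All of those names are placeholders.

```powershell
Import-Module ActiveDirectory   # RSAT AD module; the *-ADReplication* cmdlets need 2012+ tooling

$hqSite     = 'Default-First-Site-Name'   # site the existing DC already lives in (assumed)
$branchSite = 'Satellite'                 # assumed branch site name
$hqNet      = '10.10.0.0/24'              # assumed HQ LAN
$branchNet  = '10.20.0.0/24'              # assumed LAN behind the VPN appliance
$dc         = 'DC02'                      # assumed name of the new DC after promotion

# Subnet objects are what clients and DCs use to work out which site they are in.
# Without one for EACH side, branch workstations will happily pick an HQ DC across the VPN,
# which is exactly the "requests through the VPN" pain described in the thread.
New-ADReplicationSite   -Name $branchSite
New-ADReplicationSubnet -Name $hqNet     -Site $hqSite
New-ADReplicationSubnet -Name $branchNet -Site $branchSite

# Inter-site replication is compressed and only runs on the site link's interval/schedule,
# so this link is where the bandwidth used over the VPN is actually controlled.
New-ADReplicationSiteLink -Name 'HQ-Satellite-VPN' -SitesIncluded $hqSite, $branchSite `
    -InterSiteTransportProtocol IP -Cost 200 -ReplicationFrequencyInMinutes 60

# If the DC was promoted at HQ and then shipped, move its server object into the branch site.
Move-ADDirectoryServer -Identity $dc -Site $branchSite

# Confirm site membership, Global Catalog and RODC status for every DC in the domain.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# Run these on a branch workstation: which site does it believe it is in, and which DC did it pick?
nltest /dsgetsite
nltest /dsgetdc:corp.example
```

If `nltest /dsgetdc` on a branch machine still returns an HQ DC, the usual cause is a missing or wrong subnet object, not the site link.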
Will Szymkowski, Senior Solution Architect, commented:
Best practice for installing a DC is allowing replication to take place while the DC is in the second site. If you are worried about replication traffic, you can use the /IFM switch (install from media), which will allow you to install the DC in the remote site and have a complete copy of all the data (at the point of creation), which will help mitigate replication traffic. From there it will only replicate the changes that have taken place after the IFM was created.

Another thing you might want to consider is Global Catalog as well. If you have this remote DC also acting as a GC, your replication traffic will be higher as well. It is always a good practice to have your DCs act as GCs, and only the initial replication could be large (depending on your forest-wide information).

Another thing I would recommend is upgrading your SYSVOL replication from FRS (native/default) to the new DFS-R. This will help replication traffic as well, as DFS-R only replicates deltas (new changes) and not the complete AD SYSVOL folder each time.

Hope this helps!
SupermanTB (Author) commented:
Thanks for the help guys.
Windows Server 2008