Domain topology recommendations

I am replacing the server in our branch office and taking it as an opportunity to reconsider our domain topology. Considerations are:

Users may wish to share some files
Would like to streamline user admin/security
Would like to host all users' mailboxes on single Exchange server

What other functionality or advantages could clever design at this stage give us?

Main site uses Server 2008R2. Branch Office will have Server 2012. I could upgrade main site to 2012 if necessary.

Sites are joined by VPN.

Thanks.
jostick (IT Manager) asked:
Sandeshdubey (Senior Server Engineer) commented:
How many clients/users do you have in the branch office? If you have 10-15 users then there is no need to have a DC in the remote office. Assuming your branch office is connected to the main office with good network connectivity, you can plan to have a member server with the file server role, if required, in the main office or in the remote office. Regarding user admin/security, you can install the RSAT tool on Win7 or the admin pack on WinXP and delegate basic control on AD like creating new users, resetting passwords, etc.

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986
Best Practices for Delegating Active Directory Administration  http://www.microsoft.com/en-us/download/details.aspx?

You can have an Exchange server in the remote office but this will require a DC locally. Depending upon the business requirement you need to plan accordingly. You can have an additional WSUS server in the remote office too. Normally it is not recommended to have the WSUS/file/Exchange server role on a DC; it should be placed on a member server.

In general it is recommended to have at least two DCs in a domain for high availability and fault tolerance, but how many DCs at each site will depend on your requirement. Normally one DC at each site can serve thousands of users with regard to authentication.

Avoid having a multi-domain forest - instead, start your design with a single domain forest and, unless you can come up with a compelling reason to create additional domains, leave it as such. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accommodate different password policies - but, with the introduction of Fine Grained Password Policy in Windows 2008 DFL, this is no longer the case.

The following articles could be helpful to design the AD structure:

Determining the Number of Forests for Your Network
http://technet.microsoft.com/en-us/library/cc960533.aspx

Determining the Number of Domains Required
http://technet.microsoft.com/en-us/library/cc732201(WS.10).aspx

You can read the MS article and the previous discussion:

Domain controllers # Determining the number of domain controllers you need
http://technet.microsoft.com/en-us/library/cc759623(v=WS.10).aspx

How many domain controllers are recommended
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/991d4f68-5178-4c9a-8b7d-8f2b5f53867e 

Hope this helps
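An added example (not from this thread or either poster) of the point about Fine Grained Password Policy above: a stricter password policy for a subset of accounts applied inside one domain, which is the usual reason people used to split into a second domain. It assumes the ActiveDirectory PowerShell module from RSAT; the policy name and group name are constructed for this example.

```powershell
# Added example: stricter password policy for one group inside a single domain.
# Assumes the ActiveDirectory module (RSAT). Names below are constructed.
Import-Module ActiveDirectory

# Fine Grained Password Policy needs Windows Server 2008 domain functional
# level or later. ADDomainMode values: Windows2000Domain=0 ... Windows2008Domain=3.
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 3) {
    throw "Domain functional level '$($domain.DomainMode)' is below Windows Server 2008; raise it before using FGPP."
}

$policyName   = 'Branch-Admins-Strict'     # constructed policy name
$subjectGroup = 'Branch Office Admins'     # constructed global security group

# Create the policy once; lower Precedence wins if a user falls under several.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}

# FGPP subjects must be users or global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $subjectGroup

# Verify the effective policy for a member of that group (constructed account name).
Get-ADUserResultantPasswordPolicy -Identity 'branchadmin1' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Everyone not covered by a fine grained policy keeps the domain's default password policy from the Default Domain Policy GPO.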
Will Szymkowski (Senior Solution Architect) commented:
If you plan on hosting Exchange mailboxes in the branch office you will require the following...

- Domain Controller
- Global Catalog
- Exchange Server (MBX, CAS, HT roles)
- DNS

If you use a 2012 server in the branch site you will be required to do a Forest/Domain prep so that your 2008R2 DC can communicate. You do not have to raise the functionality, but you are required to do a forest/domain prep.

I would also recommend that if you are hosting Exchange in this branch office you will want to have 2 DCs in there for site resiliency, as the users will not be able to retrieve mail if your DC goes down at the site.

File Sharing or admin/security does not require a DC to be in the same site as it can look to another site for authentication.

One other thing to take into consideration is that if you upgrade your DC in your branch site you will also require user CALs for all of the users that will be authenticating to the DC. This is something that you will want to take into consideration as it is an extra cost factor.

Forest/Domain Prep for 2012 - http://social.technet.microsoft.com/wiki/contents/articles/13422.manual-schema-upgrade-for-windows-server-2012windows-server-2012-r2.aspx

Will.
jostick (IT Manager, author) commented:
Most email to/from the branch office is to/from the main office, so I would probably have a single Exchange server in the main office and have the branch office users connect to it. There are only ten users and in cached mode I think this is quite acceptable.

There would be a fileserver at the branch office but is a DC necessary if we have a single domain?

Am I better having two domains or a single domain?

Thanks.
jostick (IT Manager, author) commented:
Also, I would have to have a Windows Update server at the branch office.
Will Szymkowski (Senior Solution Architect) commented:
A single domain is preferred as it is less administration, and there is no need for more as there are new features in 2008R2 and above that solve these issues (i.e. multiple password policies). You can have a file server in the branch office pointing to the DC in the main office for authentication and DNS. You can also have a WSUS server in the branch office as well.

Will.
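An added example (not from this thread or either poster) of how a branch without its own DC, as described above, is made to authenticate against the main office: Active Directory Sites and Services subnet objects that map the branch address range to the site holding the DCs, so the DC locator sends branch clients and the branch file server there. It assumes the Windows Server 2012 ActiveDirectory module; the site name, subnets and domain name are constructed for this example.

```powershell
# Added example: map the branch subnet to the site that has the DCs so branch
# clients locate a main-office DC. Assumes the Windows Server 2012
# ActiveDirectory module. Site, subnet and domain values are constructed.
Import-Module ActiveDirectory

$mainSite     = 'Default-First-Site-Name'   # site whose DCs serve both offices
$mainSubnet   = '10.10.0.0/24'              # constructed main-office LAN range
$branchSubnet = '10.20.0.0/24'              # constructed branch-office LAN range

# A client whose address matches no subnet object has no site and may pick
# any DC; defining both subnets against the one site that has DCs avoids that.
foreach ($subnet in @($mainSubnet, $branchSubnet)) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $mainSite
    }
}

# Check: every DC in the domain should sit in the site the branch is mapped to,
# otherwise branch logons will fall back to DCs outside their site.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site

# Check: which DC does the locator return for that site right now?
Get-ADDomainController -Discover -SiteName $mainSite |
    Select-Object HostName, IPv4Address, Site

# On a branch workstation or the branch file server, confirm the site
# assignment and the DC it actually uses (constructed domain name):
#   nltest /dsgetsite
#   nltest /dsgetdc:corp.example.com
```

If the branch later gets its own DC, create a separate site for it with New-ADReplicationSite and move the branch subnet to that site; the same subnet objects then steer branch clients to the local DC instead.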
jostick (IT Manager, author) commented:
Seems like simple is best then. Any disadvantages to keeping it single domain?