Solved

Domain Controllers - Separated by long distances

Posted on 2013-12-05
Last Modified: 2014-01-22
Hello All,
My company is thinking about opening a new office in the UK and because of this, I'm thinking about how my domain hierarchy is going to change.  Our HQ is located in the states and I am concerned about how to go about setting up a domain controller for this office in the UK.

What are some of the obstacles I'm going to have to look out for because of the distance between domain controllers?

I'm thinking about creating a new sub-domain that has a two-way transitive trust between the two.  That way if we have other remote offices appear in the future we can add another sub-domain off the forest root and configure it the same way as the first, allowing the two sub-domains to trust each other as well.

Your thoughts?
Question by:tnims
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39699382
How is your current forest set up, is it a single domain?  A domain for the UK is a common way to do it.  Or call it Europe for future expansion.

How big is your current AD?  Do you know what network connectivity will be like?

Thanks

Mike
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 100 total points
ID: 39699403
Only go for a child domain if you have an explicit requirement to separate the existing AD domain, for example if you want a separate domain in the same forest for legal, business or security reasons.

Otherwise a single domain, single forest is best from a management point of view, to maintain simplicity and avoid complexity.
You can deploy an ADC at all new locations if required.
You can delegate administrative tasks OU-wise at those remote locations.
Moreover, you can deploy an RODC if the user base is less than 100 and physical security is lacking.

Apart from the above, there is a concept called an empty forest root: you add a child domain as a resource domain and then expand that child domain to all remote locations.
But this concept will not work in your case, as you already have a single domain, single forest and do not need to unnecessarily create a child domain and migrate all resources from the parent domain to the child domain.

Mahesh
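The single-domain layout Mahesh describes (a separate AD site for the remote office, OU-scoped delegation, an RODC where physical security is weak) can be staged from an existing DC with the ActiveDirectory and ADDSDeployment modules. The script below is an added example, not code from the thread; the site name UK, subnet 10.20.0.0/16, site link ADC-UK, OU UK, groups UK-Helpdesk and UK-RODC-Allowed and the RODC name UK-RODC01 are all assumptions chosen to match the asker's hq.test.com / ADC site naming.

```powershell
# Added example (not from the original thread). Assumed names: site "UK",
# subnet 10.20.0.0/16, site link "ADC-UK", OU "UK", groups "UK-Helpdesk" and
# "UK-RODC-Allowed", RODC "UK-RODC01". Run as a Domain Admin on a DC that has
# RSAT (ActiveDirectory) and the ADDSDeployment module.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain   = 'hq.test.com'
$adDomain = Get-ADDomain -Identity $domain
$domainDN = $adDomain.DistinguishedName
$netbios  = $adDomain.NetBIOSName

# 1. Site + subnet: UK clients then locate a UK DC via DC locator instead of
#    authenticating across the VPN to the datacenter.
New-ADReplicationSite -Name 'UK'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'UK' -Location 'London'

# 2. Hub-and-spoke site link to the datacenter site only. 180 min is a
#    conservative starting interval for a VPN link; tune it later.
New-ADReplicationSiteLink -Name 'ADC-UK' -SitesIncluded 'ADC','UK' `
    -Cost 200 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# 3. OU for UK objects and a delegated helpdesk group.
New-ADOrganizationalUnit -Name 'UK' -Path $domainDN -ProtectedFromAccidentalDeletion $true
$ou = "OU=UK,$domainDN"
New-ADGroup -Name 'UK-Helpdesk' -GroupScope Global -Path $ou

# Delegate only "Reset Password" and the unlock attribute on user objects
# under OU=UK (inherit to sub-objects), nothing domain-wide.
dsacls $ou /I:S /G "$netbios\UK-Helpdesk:CA;Reset Password;user"
dsacls $ou /I:S /G "$netbios\UK-Helpdesk:RPWP;lockoutTime;user"

# 4. Pre-create the RODC account with a tight Password Replication Policy:
#    only members of UK-RODC-Allowed may have secrets cached on the box, and
#    privileged groups are explicitly denied, so a stolen/imaged RODC does not
#    yield Domain Admin credentials.
New-ADGroup -Name 'UK-RODC-Allowed' -GroupScope Global -Path $ou
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'UK-RODC01' `
    -DomainName $domain `
    -SiteName 'UK' `
    -DelegatedAdministratorAccountName "$netbios\UK-Helpdesk" `
    -AllowPasswordReplicationAccountName "$netbios\UK-RODC-Allowed" `
    -DenyPasswordReplicationAccountName "$netbios\Domain Admins","$netbios\Enterprise Admins","$netbios\Schema Admins" `
    -InstallDns:$true
```

After the account is staged, a local engineer in the UK-Helpdesk group can finish the promotion on the UK server with Install-ADDSDomainController -ReadOnlyReplica without holding Domain Admin rights. Check the effective PRP with Get-ADDomainControllerPasswordReplicationPolicy -Identity UK-RODC01 before shipping the box.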
 

Author Comment

by:tnims
ID: 39699421
Example:

Existing Domain is:  HQ.test.com
UK Domain would be:  UK.test.com

The two domains would connect via VPN tunnels (Dell SonicWall)

Current Size:

Domain Controllers:

DC-01.HQ.test.com  (Site: ADC)  --  Datacenter
DC-02.HQ.test.com  (Site: TXO)  --  Texas Office
DC-03.HQ.test.com  (Site: NCO)  --  NC Office
DC-04.HQ.test.com  (Site: ADC)  --  Datacenter


_________________________________

Note:  After the UK domain controller is configured, I'm going to start to configure a new Exchange environment that is only related to uk.test.com -- totally separate from the Exchange environment on HQ.test.com
 
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 100 total points
ID: 39699478
Hello,

If you plan to build a separate Exchange environment, you need a separate AD forest. There can only be one Exchange organization per forest.

-JJ
 

Author Comment

by:tnims
ID: 39699633
How do big corporations usually handle these types of scenarios?  Do they create new forests for each geographical region and use trusts between forests?

We don't want large amounts of AD traffic and Exchange traffic to be routed across the WAN, etc.  This is the reason I'd want to create a new Exchange environment for the UK region.

What I do want is for the people traveling between the US/UK region to be able to access the same resources on each separate domain/forest.
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 39699649
We have a few foreign offices but they are in our domain.  We also have good bandwidth and they are a separate AD site.

How big of an environment are we talking about?

Thanks

Mike
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 39700110
Personally, if possible, I would not recommend setting up a child domain. This will leave you with more administrative effort and more complex scenarios when trying to do upgrades to later versions of AD. What would be the exact reason for a child domain? How are you going to benefit? Most of the reasons to have a child domain in the past were to accommodate multiple password policies, which is now resolved in 2008 R2 and up domains.

If you are worried about latency issues you can modify your replication schedules so that AD changes replicate during non-business hours or as rapidly as you like (15 min intervals max).

I have administered AD domains where we had data centers in Vietnam and high-latency lines, but due to the time difference we could set replication intervals to accommodate our needs.

Will.
 
LVL 24

Accepted Solution

by:Sandeshdubey
Sandeshdubey earned 100 total points
ID: 39700196
Avoid having a multi-domain forest - instead, plan to have a single-domain forest and, unless you can come up with a compelling reason to create additional domains, leave it as such. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accommodate different password policies - but, with the introduction of Fine Grained Password Policy in the Windows 2008 DFL, this is no longer the case. As the connectivity between HQ and UK is good, stick to a single domain. You can delegate control for the UK team to have access to AD as the business requires. Ensure that the DNS/GC role is enabled on all DCs.

The following articles could be helpful to design the AD structure:

Determining the Number of Forests for Your Network
http://technet.microsoft.com/en-us/library/cc960533.aspx

Determining the Number of Domains Required
http://technet.microsoft.com/en-us/library/cc732201(WS.10).aspx

In general it is recommended that there be at least two DCs in a domain for high availability and fault tolerance, but how many DCs at each site will depend on your requirements. Normally one DC at each site can serve thousands of users with regard to authentication.

You can read MS article and the previous discussion:
Domain controllers # Determining the number of domain controllers you need
http://technet.microsoft.com/en-us/library/cc759623(v=WS.10).aspx

How many domain controllers are recommended
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/991d4f68-5178-4c9a-8b7d-8f2b5f53867e
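Both Will's point (replicate off-hours at a 15-minute interval) and Sandesh's (every DC should hold the DNS and GC roles) can be applied and verified from PowerShell. The following is an added example, not code from the thread; it assumes a site link named ADC-UK already exists between the datacenter site and the UK site, and it drives the schedule through the raw 7x24x4 quarter-hour grid rather than SetDailySchedule so the overnight wrap-around is unambiguous. AD stores site-link schedules in UTC, so the 18:00-06:00 window below is UTC, not local time.

```powershell
# Added example (not from the original thread). Assumes a site link "ADC-UK"
# exists. Run on a DC as a Domain Admin with the ActiveDirectory module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$linkName = 'ADC-UK'

# 1. Build a schedule that allows replication only 18:00-06:00 UTC every day.
#    RawSchedule is bool[day(0-6), hour(0-23), quarter(0-3)].
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$raw = $schedule.RawSchedule
for ($d = 0; $d -lt 7; $d++) {
    for ($h = 0; $h -lt 24; $h++) {
        $allowed = ($h -ge 18 -or $h -lt 6)
        for ($q = 0; $q -lt 4; $q++) { $raw[$d, $h, $q] = $allowed }
    }
}
$schedule.RawSchedule = $raw

# 2. 15 minutes is the smallest inter-site interval AD accepts; inside the
#    window the ISTG will replicate at that cadence, outside it nothing moves.
Set-ADReplicationSiteLink -Identity $linkName `
    -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule $schedule

Get-ADReplicationSiteLink -Identity $linkName `
    -Properties ReplicationFrequencyInMinutes, ReplicationSchedule |
    Select-Object Name, ReplicationFrequencyInMinutes,
        @{ n = 'HasSchedule'; e = { $null -ne $_.ReplicationSchedule } }

# 3. Verify every DC is a GC (universal-group and forest-wide lookups stay
#    local) and is actually running the DNS Server service.
Get-ADDomainController -Filter * | ForEach-Object {
    $dns = Get-Service -ComputerName $_.HostName -Name DNS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name       = $_.HostName
        Site       = $_.Site
        IsGC       = $_.IsGlobalCatalog
        IsRODC     = $_.IsReadOnly
        DnsRunning = ($dns -ne $null -and $dns.Status -eq 'Running')
    }
} | Format-Table -AutoSize

# 4. Replication health. A growing "largest delta" on the UK DC after the
#    change means the window is too narrow for the change volume on that VPN.
repadmin /replsummary
```

If the GC column shows False for a DC, Set-ADObject on its NTDS Settings object with options = 1 (or the Sites and Services checkbox) promotes it; re-run the table afterwards rather than trusting the click.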
