  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311

One Site Multiple Physical Locations

Hello Experts,

I recently started working at a new company and while assessing their topology, there are changes I would like to make, but I want to make sure how this could affect their current structure.

As it stands right now, this company has 1 Forest - 1 Domain - 1 Site - 2 DCs - 20 Different Physical locations.

Both DCs are running 2008 R2 and one is located at the Main Office and the other DC is located at an offsite location for disaster purposes.

My question is, I would like to separate each physical location into a separate site. For budget purposes right now, I will not have the option to purchase additional DCs. Am I going to run into problems if I create additional sites? Each physical location is currently using a different network: 10.10.20.0 - 21.0 - 22.0 etc. Seeing that they are all authenticating against DC1, what kind of walls would I come up against if I created separate sites?

Thanks for any recommendations or articles you can provide to help me with this question.
0
smartin0924
2 Solutions
 
Neil Russell (Technical Development Lead) Commented:
Firstly ask yourself WHY you want to create 20 different AD sites? Just because you have 20 physical locations it does not follow that you MUST have 20 AD sites.

AD Sites serve a purpose, be it for authentication to different AD controllers or to allow Site specific GPs etc. Don't partition just because it seemed like a good idea at the time.

Can you explain WHY the need for 20 sites? This may help in answering the questions you ask.
0
 
Dave Baldwin (Fixer of Problems) Commented:
I agree with @Neilsr.  And if I were your boss, I would want a Very good reason to spend the time changing something that is currently working.
0
 
smartin0924 (Author) Commented:
My first thought was just to structure the AD better so I could apply specific policies to the equipment in that location. We currently use roaming profiles and each time a user goes to a different site, we need to load printers for that user. I'm not 100% on roaming profiles and do not like having to use them so that will probably lead to another question or more research, but this was my first thought when looking into ideas to set things up.

Let me be clear, I am not wanting to change things just because. I'm simply going off the bit of knowledge I do know. If there is a better solution, I am open to any and all ideas.

Thanks for replying
0
 
Neil Russell (Technical Development Lead) Commented:
For a better understanding of what "Active Directory Sites" are have a read here
0
 
Dave Baldwin (Fixer of Problems) Commented:
I suggest you start keeping a list of problems and solutions.  Or maybe more accurately, situations and actions required.  How many times does a user go to a different site?  Are you talking 1 out of 500 or 10 out of 20?  Things like that should tell you how much work it is costing your company.
0
 
smartin0924 (Author) Commented:
Neilsr, thanks for the article. The part that talks about "Sites and subnets are represented in Active Directory by site and subnet objects, which you create through Active Directory Sites and Services. Each site object is associated with one or more subnet objects."
Each site is in a different subnet.

Dave, as far as how many times users are going to different sites, it's daily. If someone calls out sick or there's a shortage in staff, they move staff around to help out.
0
 
aces4all00 Commented:
Each site requires at least 1 DC so without purchasing additional DCs you can have 2 sites at most.  If you check I believe you will find users are authenticating against both DCs right now.  If you're looking to limit who authenticates to the DC at the DR location, creating a separate site for it is not a bad idea.  Adding sites does introduce some administrative overhead (you'll need to keep your subnets in AD Sites and Services up to date and assigned to the proper subnets) and other services like Exchange could be impacted by the change.
0
 
smartin0924 (Author) Commented:
Thank you aces4all00. OK, so the additional DCs will come into play then with the extra sites. That's what I was not clear on.  Thanks for the information, that changes the direction I would like to go.
0
 
Neil Russell (Technical Development Lead) Commented:
Just because "Each [physical] site is in a different subnet." does not mean you NEED to have AD sites set up.

Group policy can easily handle different printers for different computers in different locations without using Sites. Just use an OU structure that maps to your locations.

Also it is NOT true that EVERY AD Site must have a DC. You can have sites set up without a DC in it and people do so.
0
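
The two site mechanics discussed in this thread, modelled as an added example that is not from any poster: a client's site is taken from the most specific subnet object containing its address, and a site with no DC is served by the DCs of the linked site with the lowest site-link cost. The /24 masks, site names, DC placement and link costs are assumptions, and coverage is simplified to direct site-link cost only.

```python
import ipaddress

# Constructed sample data. The page gives the networks 10.10.20.0, 10.10.21.0
# and 10.10.22.0 but no masks or names; /24 and all names here are assumptions.
SUBNETS = {                          # subnet object -> associated site
    "10.10.20.0/24": "MainOffice",
    "10.10.21.0/24": "Branch21",
    "10.10.22.0/24": "Branch22",
    "10.10.0.0/16": "MainOffice",    # catch-all for ranges with no own object
}
DCS = {"DC1": "MainOffice", "DC2": "DR"}     # DC -> site that holds it
LINK_COST = {                                # (DC-less site, linked site) -> cost
    ("Branch21", "MainOffice"): 100, ("Branch21", "DR"): 300,
    ("Branch22", "MainOffice"): 100, ("Branch22", "DR"): 300,
}

def site_for_ip(ip):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, SUBNETS) if addr in n]
    if not hits:
        return None                  # unmapped client: no site affinity at all
    best = max(hits, key=lambda n: n.prefixlen)
    return SUBNETS[str(best)]

def covering_dcs(site):
    """DCs inside the site, else the DCs of the cheapest linked site that has one."""
    local = sorted(dc for dc, s in DCS.items() if s == site)
    if local:
        return local
    costs = {b: c for (a, b), c in LINK_COST.items()
             if a == site and b in DCS.values()}
    if not costs:
        return []
    nearest = min(costs, key=costs.get)
    return sorted(dc for dc, s in DCS.items() if s == nearest)

def dcs_for_client(ip):
    """Return (site, candidate DCs); a client with no site may land on any DC."""
    site = site_for_ip(ip)
    return site, (covering_dcs(site) if site else sorted(DCS))

if __name__ == "__main__":
    for ip in ("10.10.20.5", "10.10.21.57", "10.10.99.1", "192.168.1.1"):
        print(ip, dcs_for_client(ip))
```

The last sample address shows the maintenance cost raised above: a subnet missing from Sites and Services leaves its clients free to authenticate against any DC, including the one at the DR location.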
