Solved

Best practice on when and when not to have a Domain Controller at a remote site

Posted on 2014-10-28
9
350 Views
Last Modified: 2014-10-29
I have a 100 user network that are very heavy users.  The main site is 50 users and the 2 sites are 25 users each.  The connection between the main site and the remote sites is 100mb fiber.  Each site is on their own subnet.  I currently have a DC at each remote site providing GC, DNS and DHCP.  I have an RDS application that each user at the remote sites access that is hosted at the main site.

I am currently being challenged on why I have DCs at the remote sites.  I have been doing this since 2000.  I have always put DCs at remote sites for those roles (and DFS-r sometimes).  I know in my MSCE 2003 studies it was definitely best practice to do this.  Have things changed?  Does anyone have some best practice information that supports this in either direction?
0
Question by:EmbraceNext
9 Comments
 
LVL 6

Expert Comment

by:Wylie Bayes
ID: 40409026
Well, one thing to point out is that if connectivity to the main site ever goes down... users can still log on and work because they have a local DC at their location.

If you removed the DCs from the remotes, any type of external network interruption would cause your users to not be able to log on at all.
0
 

Author Comment

by:EmbraceNext
ID: 40409057
Right, and that has been pointed out, but not enough to satisfy this person.  I am hoping for some documentation to either forward on or see that I am wrong.  Either way I want this to come to an end.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40409104
Not enough as in they don't care if users cannot log in? Maybe you can gain some leverage by figuring out what they are trying to accomplish by removing the remote DCs. Something to look into is an RODC, available starting with Server 2008 DCs. This helps to limit security exposure. Once you figure out what they hope to accomplish, you may be able to help find alternatives.
0
 
LVL 6

Assisted Solution

by:Wylie Bayes
Wylie Bayes earned 500 total points
ID: 40409166
http://www.techrepublic.com/blog/10-things/10-tips-for-effective-active-directory-design/

2: Use the appropriate site topology
Although there is definitely something to be said for simplicity, you shouldn't shy away from creating more complex structures when it is appropriate. Larger networks will almost always require multiple Active Directory sites. The site topology should mirror your network topology. Portions of the network that are highly connected should fall within a single site. Site links should mirror WAN connections, with each physical facility that is separated by a WAN link encompassing a separate Active Directory site.

10: Place at least one global catalog server in each site
Finally, if you are operating an Active Directory consisting of multiple sites, make sure that each one has its own global catalog server. Otherwise, Active Directory clients will have to traverse WAN links to look up information from a global catalog.

Here is an actual Microsoft article...  http://technet.microsoft.com/en-us/library/cc736771(v=ws.10).aspx

Could go either way on that one, you'd have to follow the chart and answer the questions.
0
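The two tips quoted above (site topology mirrors the WAN, at least one GC per site) can be checked rather than argued. The following PowerShell is an added example and not code from the thread or from either linked article; it assumes the ActiveDirectory RSAT module on a domain-joined machine and reports, for every AD site, how many writable DCs, RODCs and GCs are assigned to it and how many subnets map to it. Sites with no local GC and subnets with no site are the cases where clients at a remote office end up authenticating or querying across the WAN, which is the scenario the first answer describes.

```powershell
# Added example (not from the thread): audit DC/GC coverage per AD site.
# Requires the ActiveDirectory module (RSAT); run as an ordinary domain user.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$sites   = Get-ADReplicationSite -Filter *
$subnets = Get-ADReplicationSubnet -Filter *

# Collect every DC in every domain of the forest together with its site assignment
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($site in $sites) {
    $local = @($dcs | Where-Object { $_.Site -eq $site.Name })
    [pscustomobject]@{
        Site        = $site.Name
        # Subnet objects carry the DN of the site they are mapped to
        Subnets     = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName }).Count
        WritableDCs = @($local | Where-Object { -not $_.IsReadOnly }).Count
        RODCs       = @($local | Where-Object { $_.IsReadOnly }).Count
        GCs         = @($local | Where-Object { $_.IsGlobalCatalog }).Count
    }
}

$report | Sort-Object Site | Format-Table -AutoSize

# Sites whose clients depend on a site link for logon or GC lookups
$report | Where-Object { $_.GCs -eq 0 -or ($_.WritableDCs + $_.RODCs) -eq 0 } | ForEach-Object {
    Write-Warning "Site '$($_.Site)' has no local DC or GC; clients there authenticate across the WAN."
}

# Subnets not mapped to any site: clients on them are not steered to the nearest DC
$subnets | Where-Object { -not $_.Site } | ForEach-Object {
    Write-Warning "Subnet $($_.Name) is not assigned to any site."
}

# To see which DC a given remote-site workstation actually located, run on that client:
#   nltest /dsgetdc:<domain-fqdn> /force
```

The `nltest` line at the end is the quickest way to settle the "do they really use the local DC" question on an individual client: the output names the DC, its site and the client's site, so a mismatch shows up immediately.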

 

Author Comment

by:EmbraceNext
ID: 40409325
Thank you.  What about having DHCP and DNS on a DC/GC?  I have always done that and it's worked great.  Am I wrong for that?
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40409402
I don't see how you would be wrong unless it was misconfigured. As I said, find out their true intentions or if they had a recommendation let them know you can look into it.
0
 
LVL 6

Assisted Solution

by:Wylie Bayes
Wylie Bayes earned 500 total points
ID: 40409438
GC/DHCP/DNS services on a domain controller are perfectly fine, and encouraged.  Only having 1 GC per local site is recommended for most environments.
0
 

Author Comment

by:EmbraceNext
ID: 40409458
Thank you Wylie.  Is there any documentation that says exactly that so I can point this guy to it?  I would like to thank all of you so far for this, it really helps out!
0
 
LVL 6

Accepted Solution

by:
Wylie Bayes earned 500 total points
ID: 40409503
Here is supporting Microsoft documentation for DNS:
http://technet.microsoft.com/en-us/library/cc771613.aspx

For DHCP there is one caveat for running on a domain controller:
You want to run the DHCP Server service on a domain controller. It is not recommended that you run DHCP on a domain controller unless you modify the DHCP Server configuration to use alternate credentials when making dynamic DNS updates. This recipe explains how.

See:  https://www.safaribooksonline.com/library/view/windows-server-cookbook/0596006330/ch14s20.html

So as long as you have this in place it's fine.  


Global catalog is self-explanatory.  Pretty sure that HAS to be on a domain controller since it is a FSMO role.
http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx 


-Wylie
0
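The DHCP caveat in the accepted answer (use alternate credentials for dynamic DNS updates when the DHCP Server service runs on a DC) can be implemented in a few lines. The script below is an added example, not part of the thread or of the cookbook recipe it links; it assumes the ActiveDirectory and DhcpServer modules and uses placeholder names for the DC and the service account. The point of the dedicated account is that records the DHCP service registers are then owned by a low-privilege user rather than by the DC's own computer account, so a stale or hijacked DHCP registration cannot overwrite records the DC itself owns.

```powershell
# Added example (not from the thread): make DHCP on a domain controller register
# dynamic DNS updates with a dedicated account instead of the DC computer account.
# Assumes the ActiveDirectory and DhcpServer modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module DhcpServer

$dhcpServer = 'DC-REMOTE1.corp.example'   # placeholder: the remote-site DC running DHCP
$svcAccount = 'svc-dhcp-dns'              # placeholder: plain domain user, no group memberships

# 1. Create the account. It needs no rights beyond being a domain user;
#    DNS secure dynamic update lets any authenticated account create a record it then owns.
$password = Read-Host -AsSecureString -Prompt "Password for $svcAccount"
New-ADUser -Name $svcAccount -SamAccountName $svcAccount -AccountPassword $password `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DHCP dynamic DNS registration account (non-interactive)'

# 2. Tell the DHCP Server service to use that account for DNS registrations.
$cred = New-Object System.Management.Automation.PSCredential("$env:USERDOMAIN\$svcAccount", $password)
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $dhcpServer

# 3. Confirm the setting took effect (shows UserName and DomainName).
Get-DhcpServerDnsCredential -ComputerName $dhcpServer

# 4. Optional, only when several DHCP servers register the same scopes and must be
#    able to update each other's records: add the *service account* to DnsUpdateProxy.
#    The DC computer account itself should not be placed in that group, because records
#    it registers (including its own locator records) would then be left without an owner.
# Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $svcAccount
```

After step 2, new leases registered by DHCP show the service account as the record owner in the zone's security tab, which is the quick way to verify the change on an existing DNS console. The same configuration is available through `netsh dhcp server set dnscredentials` on servers without the DhcpServer module.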
