Solved

Best practice on when and when not to have a Domain Controller at a remote site

Posted on 2014-10-28
450 Views
Last Modified: 2014-10-29
I have a 100 user network that are very heavy users.  The main site is 50 users and the 2 sites are 25 users each.  The connection between the main site and the remote sites is 100mb fiber.  Each site is on its own subnet.  I currently have a DC at each remote site providing GC, DNS and DHCP.  I have an RDS application that each user at the remote sites accesses that is hosted at the main site.

I am currently being challenged on why I have DCs at the remote sites.  I have been doing this since 2000.  I have always put DCs at remote sites for those roles (and DFS-R sometimes).  I know in my MCSE 2003 studies it was definitely best practice to do this.  Have things changed?  Does anyone have some best practice information that supports this in either direction?
Question by:EmbraceNext
9 Comments
LVL 6

Expert Comment

by:Wylie Bayes
ID: 40409026
Well one thing to point out is that if connectivity to the main site ever goes down... users can still logon and work because they have a local DC at their location.

If you removed the DCs from the remotes, any type of external network interruption would cause your users to not be able to logon at all.
Author Comment

by:EmbraceNext
ID: 40409057
Right, and that has been pointed out but not enough to satisfy this person.  I am hoping for some documentation to either forward on or see that I am wrong.  Either way I want this to come to an end.
LVL 17

Expert Comment

by:OriNetworks
ID: 40409104
Not enough as in they don't care if users cannot log in? Maybe you can gain some leverage by figuring out what they are trying to accomplish by removing the remote DCs. Something to look into is an RODC, starting with Server 2008 DCs. This helps to limit security exposure. Once you figure out what they hope to accomplish, you may be able to help find alternatives.
LVL 6

Assisted Solution

by:Wylie Bayes
Wylie Bayes earned 2000 total points
ID: 40409166
http://www.techrepublic.com/blog/10-things/10-tips-for-effective-active-directory-design/

2: Use the appropriate site topology
Although there is definitely something to be said for simplicity, you shouldn't shy away from creating more complex structures when it is appropriate. Larger networks will almost always require multiple Active Directory sites. The site topology should mirror your network topology. Portions of the network that are highly connected should fall within a single site. Site links should mirror WAN connections, with each physical facility that is separated by a WAN link encompassing a separate Active Directory site.

10: Place at least one global catalog server in each site
Finally, if you are operating an Active Directory consisting of multiple sites, make sure that each one has its own global catalog server. Otherwise, Active Directory clients will have to traverse WAN links to look up information from a global catalog.

Here is an actual Microsoft article...  http://technet.microsoft.com/en-us/library/cc736771(v=ws.10).aspx

Could go either way on that one, you'd have to follow the chart and answer the questions.
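To turn tip 10 above ("at least one global catalog server in each site") into something you can put in front of the person asking, here is an added audit script (not from the thread or the linked articles) that lists every AD site, its DCs and GCs, and any subnet not mapped to a site. It assumes the RSAT ActiveDirectory module and read access to the configuration partition.

```powershell
# Added example, not part of the original thread: audit whether every AD site
# has a local DC and a global catalog, and whether every subnet maps to a site.
# Assumes the RSAT ActiveDirectory module (Server 2012+ cmdlets) is available.
Import-Module ActiveDirectory

function Get-SiteCoverageReport {
    $dcs   = Get-ADDomainController -Filter *
    $sites = Get-ADReplicationSite -Filter *

    foreach ($site in $sites) {
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs     = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
        $rodcs   = @($siteDcs | Where-Object { $_.IsReadOnly })

        # A site with no DC forces logons across the WAN; a DC without the GC role
        # still sends GC lookups (universal group membership, UPN logons) over the WAN.
        $status = if ($siteDcs.Count -eq 0) { 'NO DC: logons depend on WAN' }
                  elseif ($gcs.Count -eq 0) { 'DC present but no GC' }
                  else                      { 'OK' }

        [pscustomobject]@{
            Site          = $site.Name
            DCs           = ($siteDcs.HostName -join ', ')
            GlobalCatalog = ($gcs.HostName -join ', ')
            ReadOnlyDCs   = ($rodcs.HostName -join ', ')
            Status        = $status
        }
    }
}

function Get-UnmappedSubnets {
    # A subnet with no site association makes clients in it pick a DC from any site,
    # which defeats the point of having a local DC.
    Get-ADReplicationSubnet -Filter * |
        Where-Object { -not $_.Site } |
        Select-Object Name
}

Get-SiteCoverageReport | Format-Table -AutoSize
Get-UnmappedSubnets
```

Run it from any domain-joined management host; a status other than OK for a remote site is the concrete evidence the question asks for.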
Author Comment

by:EmbraceNext
ID: 40409325
Thank you.  What about having DHCP and DNS on a DC/GC?  I have always done that and it's worked great.  Am I wrong for that?
LVL 17

Expert Comment

by:OriNetworks
ID: 40409402
I don't see how you would be wrong unless it was misconfigured. As I said, find out their true intentions or if they had a recommendation let them know you can look into it.
LVL 6

Assisted Solution

by:Wylie Bayes
Wylie Bayes earned 2000 total points
ID: 40409438
GC/DHCP/DNS services on a domain controller are perfectly fine, and encouraged.  Only having 1 GC per local site is recommended for most environments.
Author Comment

by:EmbraceNext
ID: 40409458
Thank you Wylie.  Is there any documentation that says exactly that so I can point this guy to it?  I would like to thank all of you so far for this, it really helps out!
LVL 6

Accepted Solution

by:
Wylie Bayes earned 2000 total points
ID: 40409503
Here is supporting Microsoft documentation for DNS:
http://technet.microsoft.com/en-us/library/cc771613.aspx

For DHCP there is one caveat for running on a domain controller... :
You want to run the DHCP Server service on a domain controller. It is not recommended that you run DHCP on a domain controller unless you modify the DHCP Server configuration to use alternate credentials when making dynamic DNS updates. This recipe explains how.

See:  https://www.safaribooksonline.com/library/view/windows-server-cookbook/0596006330/ch14s20.html

So as long as you have this in place it's fine.


Global catalog is self-explanatory.  Pretty sure that HAS to be on a domain controller since it is a FSMO role.
http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx


-Wylie
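The DHCP caveat in the accepted solution (use alternate credentials for dynamic DNS updates when DHCP runs on a DC) can be applied and verified with the DhcpServer cmdlets. This is an added example, not code from the thread or the cookbook recipe; it assumes the DhcpServer and ActiveDirectory modules are installed on the DC and that the service account name below is a placeholder for one you have already created.

```powershell
# Added example, not from the original thread: make DHCP on a domain controller
# register dynamic DNS records with a dedicated low-privilege account instead of
# the DC's own computer account, then verify the result.
# Assumes DhcpServer + ActiveDirectory modules; CORP\svc-dhcp-dns is a placeholder.
Import-Module DhcpServer
Import-Module ActiveDirectory

$dnsUpdateAccount = 'CORP\svc-dhcp-dns'   # placeholder: pre-created, unprivileged user

# 1. Register the alternate credentials DHCP will use for dynamic DNS updates.
$cred = Get-Credential -UserName $dnsUpdateAccount -Message 'DHCP dynamic DNS update account'
Set-DhcpServerDnsCredential -Credential $cred
Restart-Service -Name DHCPServer

# 2. Register A/PTR records for every client, remove them when the lease expires,
#    and enable name protection so one client cannot overwrite another's record.
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

function Test-DhcpOnDcDnsConfig {
    # DHCP should be using the alternate account, and the DC itself should NOT be a
    # member of DnsUpdateProxy: records registered by that group's members are created
    # without ownership protection, which would include the DC's own SRV records.
    $dhcpCred = Get-DhcpServerDnsCredential
    $members  = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
                Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        DnsUpdateAccount   = if ($dhcpCred.UserName) {
                                 "$($dhcpCred.DomainName)\$($dhcpCred.UserName)"
                             } else {
                                 'NOT SET: updates run as the DC computer account'
                             }
        DcInDnsUpdateProxy = ($members -contains "$env:COMPUTERNAME$")
    }
}

Test-DhcpOnDcDnsConfig
```

A healthy result shows the service account under DnsUpdateAccount and False for DcInDnsUpdateProxy.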