Best practice on when and when not to have a Domain Controller at a remote site

I have a 100-user network of very heavy users.  The main site is 50 users and the 2 remote sites are 25 users each.  The connection between the main site and the remote sites is 100mb fiber.  Each site is on its own subnet.  I currently have a DC at each remote site providing GC, DNS and DHCP.  I have an RDS application, hosted at the main site, that each user at the remote sites accesses.

I am currently being challenged on why I have DCs at the remote sites.  I have been doing this since 2000.  I have always put DCs at remote sites for those roles (and DFS-R sometimes).  I know in my MCSE 2003 studies it was definitely best practice to do this.  Have things changed?  Does anyone have some best practice information that supports this in either direction?
Wylie BayesNetwork Technician IIICommented:
Well one thing to point out is that if connectivity to the main site ever goes down... users can still logon and work because they have a local DC at their location.

If you removed the DCs from the remotes, any type of external network interruption would cause your users to not be able to logon at all.
EmbraceNextAuthor Commented:
Right, and that has been pointed out but not enough to satisfy this person.  I am hoping for some documentation to either forward on or see that I am wrong.  Either way I want this to come to an end.
Not enough as in they don't care if users cannot log in? Maybe you can gain some leverage by figuring out what they are trying to accomplish by removing the remote DCs. Something to look into is an RODC, starting with Server 2008 DCs. This helps to limit security exposure. Once you figure out what they hope to accomplish, you may be able to help find alternatives.

Wylie BayesNetwork Technician IIICommented:

2: Use the appropriate site topology
Although there is definitely something to be said for simplicity, you shouldn't shy away from creating more complex structures when it is appropriate. Larger networks will almost always require multiple Active Directory sites. The site topology should mirror your network topology. Portions of the network that are highly connected should fall within a single site. Site links should mirror WAN connections, with each physical facility that is separated by a WAN link encompassing a separate Active Directory site.

10: Place at least one global catalog server in each site
Finally, if you are operating an Active Directory consisting of multiple sites, make sure that each one has its own global catalog server. Otherwise, Active Directory clients will have to traverse WAN links to look up information from a global catalog.

Here is an actual microsoft article...

Could go either way on that one, you'd have to follow the chart and answer the questions.
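The quoted guidance says each AD site should have its own global catalog (and, for the roles discussed in this thread, a DNS server). The following PowerShell, added here as an example rather than anything posted in the thread or published by Microsoft, produces a per-site coverage report you could hand to whoever is questioning the remote DCs: it lists every site, the DCs in it, whether at least one is a GC, whether any is an RODC, and whether port 53 answers on each DC. It assumes the RSAT ActiveDirectory module and a domain account with read access; `Test-NetConnection` is used for the DNS port check, which requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not code from the thread or from Microsoft.
# Per-site audit: does every AD site have a DC, a global catalog, and a DNS listener?
# Assumes: RSAT ActiveDirectory module, domain read access, Windows Server 2012+ client.
Import-Module ActiveDirectory

$allDcs = Get-ADDomainController -Filter *

$report = foreach ($site in (Get-ADReplicationSite -Filter *)) {
    $dcsInSite = @($allDcs | Where-Object { $_.Site -eq $site.Name })

    # A DC that answers on TCP/53 is assumed to be running the DNS Server role.
    $dnsListeners = @($dcsInSite | Where-Object {
        Test-NetConnection -ComputerName $_.HostName -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue
    })

    [pscustomobject]@{
        Site         = $site.Name
        DCs          = ($dcsInSite.HostName -join ', ')
        DCCount      = $dcsInSite.Count
        HasGC        = [bool]($dcsInSite | Where-Object { $_.IsGlobalCatalog })
        HasRODC      = [bool]($dcsInSite | Where-Object { $_.IsReadOnly })
        DNSListeners = ($dnsListeners.HostName -join ', ')
    }
}

# Sites with no DC or no GC are the ones where logon and GC lookups
# would have to cross the WAN, which is the risk the thread is discussing.
$report | Sort-Object Site | Format-Table -AutoSize

$gaps = $report | Where-Object { $_.DCCount -eq 0 -or -not $_.HasGC -or -not $_.DNSListeners }
if ($gaps) {
    Write-Warning "Sites lacking a local DC, GC, or DNS listener:"
    $gaps | Format-Table Site, DCCount, HasGC, DNSListeners -AutoSize
}
```

The `HasRODC` column is there because the RODC suggestion earlier in the thread changes the risk picture: an RODC still serves logon, GC and DNS locally but holds no writable copy of the directory and only caches the credentials you allow, which is the usual answer when the objection to remote DCs is physical security of the remote site.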
EmbraceNextAuthor Commented:
Thank you.  What about having DHCP and DNS on a DC/GC?  I have always done that and it's worked great.  Am I wrong for that?
I don't see how you would be wrong unless it was misconfigured. As I said, find out their true intentions or if they had a recommendation let them know you can look into it.
Wylie BayesNetwork Technician IIICommented:
GC/DHCP/DNS services on a domain controller are perfectly fine, and encouraged.  Only having 1 GC per local site is recommended for most environments.
EmbraceNextAuthor Commented:
Thank you Wylie.  Is there any documentation that says exactly that so I can point this guy to it?  I would like to thank  all of you so far for this, it really helps out!
Wylie BayesNetwork Technician IIICommented:
Here is supporting microsoft documentation for DNS:

For DHCP there is one caveat for running on a domain controller... :
You want to run the DHCP Server service on a domain controller. It is not recommended that you run DHCP on a domain controller unless you modify the DHCP Server configuration to use alternate credentials when making dynamic DNS updates. This recipe explains how.


So as long as you have this in place it's fine.  

Global catalog is self-explanatory.  Pretty sure that HAS to be on a domain controller since it is a FSMO role.
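The DHCP caveat quoted above (configure alternate credentials for dynamic DNS updates when DHCP runs on a DC) is a one-time setting that is easy to forget. This PowerShell, an added example rather than anything posted in the thread or published by Microsoft, checks each DHCP server that is also a DC for that setting and applies it where missing. It assumes the DhcpServer and ActiveDirectory RSAT modules, that a dedicated low-privilege account for DNS updates already exists (the account name `svc-dhcp-dns` is a placeholder), and that the DHCP servers are listed in `$DhcpServers`; `Get-DhcpServerDnsCredential` and `Set-DhcpServerDnsCredential` are the cmdlets that read and write the alternate credential.

```powershell
# Added example, not code from the thread or from Microsoft.
# Audit (and optionally fix) the "alternate DNS update credentials" setting
# on DHCP servers that are also domain controllers.
# Assumptions: DhcpServer + ActiveDirectory RSAT modules; DHCP admin rights;
# a pre-created, non-privileged account for dynamic DNS updates.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServers = @('dc-remote1.corp.example', 'dc-remote2.corp.example')   # placeholders
$dcNames     = (Get-ADDomainController -Filter *).HostName
$Remediate   = $false    # set to $true to apply the credential where it is missing
$serviceAcct = 'svc-dhcp-dns'   # placeholder name for the dedicated update account

# Defender's check on the account itself: the update account should not be a
# member of any privileged group, since DHCP will hold its password.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'DnsAdmins'
$acctGroups = (Get-ADPrincipalGroupMembership -Identity $serviceAcct).Name
$overlap    = $acctGroups | Where-Object { $_ -in $privileged }
if ($overlap) { Write-Warning "$serviceAcct is in privileged group(s): $($overlap -join ', ')" }

$cred = $null
if ($Remediate) { $cred = Get-Credential -UserName $serviceAcct -Message 'Password for DNS update account' }

foreach ($server in $DhcpServers) {
    $isDc = $server -in $dcNames
    $current = Get-DhcpServerDnsCredential -ComputerName $server
    $configured = -not [string]::IsNullOrEmpty($current.UserName)

    [pscustomobject]@{
        Server             = $server
        IsDomainController = $isDc
        UpdateCredential   = if ($configured) { "$($current.DomainName)\$($current.UserName)" } else { '<none>' }
        Compliant          = (-not $isDc) -or $configured
    }

    # Only a DC without alternate credentials needs fixing: otherwise the DC's
    # own computer account ends up owning client DNS records.
    if ($Remediate -and $isDc -and -not $configured) {
        Set-DhcpServerDnsCredential -ComputerName $server -Credential $cred
        Write-Host "Configured alternate DNS update credentials on $server"
    }
}
```

Run it first with `$Remediate = $false` to get the table; the `Compliant` column is `False` only for a DC-hosted DHCP server that still updates DNS under its own computer account. The group-membership check is there because the alternate account's password is stored by the DHCP service, so it should be a plain domain user with no rights beyond updating the records it registers.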

