
Domain Controllers Placement

isnaa asked
we have single domain with 5 sites connected through VSAT link.
Our Headoffice is having 2 domain controllers and 1 DC in each Site.
We just want to remove all Servers from site and consolidate in Headoffice.

Can any one here share the drawback of moving out DCs from site, appreciate if any link / document could be shared.

Satellite DCs like these provide a number of services to their local client population, including authentication, DNS, DHCP. Technically, the clients could obtain these services over the long-distance links, but -- since these links are more expensive and lower performance (in terms of bandwidth, latency, and reliability) than LAN connections -- it's pretty common to deploy a DC at those sites that hold a sufficient number of clients to make it worthwhile.
Manager - Infrastructure: Information Technology
What is the reason for the removal of DCs at sites? If it is due to security then I suggest you deploy read-only DCs (RODC). Another question would be how will these sites get their IP address assignments, as I am assuming DCs are used for DHCP. You could use DHCP relay and all sites obtain their IPs from the head office. How do these sites access the Internet (do they have their own or do they use head office)? If sites have their own Internet connection then my suggestion would be to either leave DCs at the sites or replace them with RODCs. Just remember that if there are no DCs (again I am assuming DCs also provide DNS and DHCP), your users will not be able to authenticate or get an IP. Also remember that these links should be used for business applications and it is wise to keep authentication, DNS and other non-business functions off the link.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

You haven't really explained what the servers are used for beyond DCs. If nothing, fine, but remote satellite offices usually use a DC as a file and print server as well, often one and the same. You also haven't explained the connections between the sites or what resources the sites need.

In most scenarios where I would set up a DC at a site, I would also have more reasons to have it than simply DNS, DHCP, and authentication. Can you elaborate more on the DCs' usage?


Well, DCs in sites are also used as DHCP and DNS. We need to move out all servers from sites and consolidate all services at the head office.

For DHCP, we will configure the switches.
For DNS, yes, they will use the head office.

Please comment; appreciate any link / documents ....
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

If all the servers are used for is DHCP, DNS, and authentication, reconfigure DNS and DHCP and turn off the DCs now. This simulates removing them and allows you to restore services nearly immediately in the event you have issues.

I assume you have very good, reliable links to your remote HQ. Without a DNS server on site, if your HQ goes out, users can still log on, but they CANNOT access the internet because all your DNS servers are in a single site that is now down.

I assume your HQ site is on backup generators and in an area with solid power. Of course, I live in NYC which generally has VERY solid power... but... You may remember the blackout that hit the ENTIRE northeast back in 2003 or so? For a day, EVERYONE was done. If your locations are all centrally located in the same city or region, then all the sites would be down in a similar blackout. But if they are spread out across the country or, for example, over a 1000 mile / 1500 km range, then when HQ goes down, you're shutting down ALL your remote sites since they no longer have DNS access.

Even if all your offices are fairly close together, if the right kind of disaster hit the HQ - fire, flood, tornado, etc. - you could shut down your entire business by removing the DCs from all other sites.

In my opinion, the wise thing to do, if you really MUST cut back on server resources, would be to leave at least ONE DC in your most remote site and create a mesh VPN between all sites.  If the HQ ever goes down, your other site's DC can handle DNS and authentication for everyone.  And if the HQ has a true disaster, you could preserve AT LEAST your AD.

You could also look into using DFSR or other file replication technologies to ensure you have redundant copies of critical data in two locations.

At the end of the day, unless you want to FULLY DETAIL what your business does, all the applications it uses, and what kind of resources you have and are able/willing to maintain (And your few sentences don't come close), then your best option is to hire a professional consultant who can sign an NDA for you (since I assume you're concerned about revealing details about your company in a public forum) and subsequently and APPROPRIATELY help analyze what you have, what you need, and what you can do.
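Lee's rehearsal (point clients at HQ DNS/DHCP first, then switch the site DCs off) and Mohammed's earlier question about which services each site DC actually provides both come down to the same pre-flight inventory. The script below is an added example written for this thread, not code posted by any of the participants. It assumes the RSAT ActiveDirectory module is installed, that the account running it can query AD and reach each DC over WinRM, and that the `$HqSite` name and the `$HqDnsServers` addresses are placeholders you replace with your own values.

```powershell
#Requires -Modules ActiveDirectory
# Pre-flight inventory before consolidating site DCs to head office.
# Added example, not code from this thread. Assumptions (not in the thread):
# RSAT ActiveDirectory module present, WinRM reachable on every DC, and the
# $HqSite / $HqDnsServers values below are placeholders for your own environment.
param(
    [string]   $HqSite       = 'HeadOffice',               # placeholder: AD site name for HQ
    [string[]] $HqDnsServers = @('10.0.0.10', '10.0.0.11') # placeholder: DNS servers staying in HQ
)

Import-Module ActiveDirectory

# 1. Every DC, its AD site, and which of the services discussed in the thread
#    (DNS, DHCP) it is currently running. RODC and GC status are shown because
#    Mohammed's RODC suggestion changes what "removing" a site DC means.
$dcs = foreach ($dc in Get-ADDomainController -Filter *) {
    $running = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-Service -Name 'DNS', 'DHCPServer' -ErrorAction SilentlyContinue |
            Where-Object { $_.Status -eq 'Running' } |
            Select-Object -ExpandProperty Name
    }
    [pscustomobject]@{
        Name            = $dc.Name
        Site            = $dc.Site
        GlobalCatalog   = $dc.IsGlobalCatalog
        ReadOnly        = $dc.IsReadOnly
        RunningServices = ($running -join ', ')
    }
}
$dcs | Format-Table -AutoSize

# 2. Sites that would be left with no DC once the site servers are removed, with
#    the subnets (and therefore the clients) that AD would then send across the
#    VSAT link to HQ for authentication.
$allSubnets = Get-ADReplicationSubnet -Filter *
$sitesLosingDc = $dcs |
    Where-Object { $_.Site -ne $HqSite } |
    Group-Object -Property Site |
    ForEach-Object {
        $siteName = $_.Name
        [pscustomobject]@{
            Site    = $siteName
            DcCount = $_.Count
            # ADReplicationSubnet.Site is the site's DN, so match on its leading CN=
            Subnets = (($allSubnets | Where-Object { $_.Site -like "CN=$siteName,*" }).Name -join ', ')
        }
    }
"Sites whose only DC(s) would be removed:"
$sitesLosingDc | Format-Table -AutoSize

# 3. From the site this is run in, confirm the HQ DNS servers answer over the WAN
#    link and record how long a lookup takes. Once these are the only DNS servers,
#    an HQ outage also removes Internet name resolution at every site.
$domain = (Get-ADDomain).DNSRoot
$dnsChecks = foreach ($server in $HqDnsServers) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $answer = Resolve-DnsName -Name $domain -Type A -Server $server -ErrorAction SilentlyContinue
    $sw.Stop()
    [pscustomobject]@{
        DnsServer  = $server
        Answered   = [bool]$answer
        Latency_ms = [int]$sw.Elapsed.TotalMilliseconds
    }
}
$dnsChecks | Format-Table -AutoSize

# 4. Confirm this machine's client DNS settings already point only at HQ, so that
#    switching the site DC off for the rehearsal does not leave clients querying a
#    DNS server that no longer answers.
$localDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses }).ServerAddresses | Sort-Object -Unique
$stale = $localDns | Where-Object { $_ -notin $HqDnsServers }
if ($stale) {
    Write-Warning "This machine still uses non-HQ DNS servers: $($stale -join ', '). Fix the DHCP/DNS settings before turning off site DCs."
} else {
    "Client DNS already points at the HQ servers only."
}
```

Run it from a workstation at one of the remote sites, not from HQ, so that step 3 measures the real VSAT round trip and step 4 reflects what the site's clients will actually use. The script only reads and reports; the shutdown of the site DCs that Lee describes remains a deliberate manual step once the report shows nothing still depends on them.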
Mohammed Khawaja, Manager - Infrastructure: Information Technology

At the end of the day, a mesh VPN might require more work and still not have full redundancy. It might be worth it to keep DC, DNS, DHCP and file & print local at each site.