Best practice regarding remote locations and Active Directory Domain

I have a client that has a corporate office and 67 remote small (4-5 workstation) retail shops.  Previously, several of these locations had servers installed in them for various reasons; but all of those remote servers are on completely different Active Directory domains.

Considering that all of those remote retail shops are small; and are connecting back to the corporate site over IPSec VPN tunnels, is there any reason why those servers should not be on the *same* domain as the corporate AD?

What I want to do is remove those AD domains and just bring those servers into the corporate AD domain, but leave them as just simple file and application servers (maybe providing DNS and DHCP locally).

I just do not see a reason to have those small networked servers as their own domains.  Unless it was set up that way because it was a Microsoft "best practice".  But that is not how I learned to implement AD domains.

Thank you,
Jeff
jgrammer42 Asked:

Natty Greg (In Theory (IT)) Commented:
Active Directory Best practices

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Best practices

    As a security best practice, it is recommended that you do not log on to your computer with administrative credentials.

    When you are logged on to your computer without administrative credentials, you can use Run as to accomplish administrative tasks.

    For more information, see Why you should not run your computer as an administrator and Using Run as.

    To further secure Active Directory, it is recommended that you implement the following security guidelines:

        Rename or disable the Administrator account (and guest account) in each domain to prevent attacks on your domains. For more information, see User and computer accounts.

        Physically secure all domain controllers in a locked room. For more information, see Domain controllers and Securing Active Directory.

        Manage the security relationship between two forests and simplify security administration and authentication across forests. For more information, see Forest trusts.

        To provide additional protection for the Active Directory schema, remove all users from the Schema Admins group, and add a user to the group only when schema changes need to be made. Once the change has been made remove the user from the group.

        Restrict user, group, and computer access to shared resources and to filter Group Policy settings. For more information, see Group types.

        Avoid disabling the use of signed or encrypted LDAP traffic for Active Directory administrative tools. For more information, see Connecting to domain controllers running Windows 2000.

        Some default user rights assigned to specific default groups may allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organization must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators and Backup Operators groups. For more information about these groups, see Default groups.

        Use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog. For more information, see Global catalog replication.

        For general security information about Active Directory, see Security information for Active Directory and Securing Active Directory.

    Establish as a site every geographic area that requires fast access to the latest directory information.

    Establishing areas that require immediate access to up-to-date Active Directory information as separate sites will provide the resources required to meet your needs.

    For more information, see Create a site.

    Place at least one domain controller in every site, and make at least one domain controller in each site a global catalog.

    Sites that do not have their own domain controllers and at least one global catalog are dependent on other sites for directory information and are less efficient.

    For more information, see Enable or disable a global catalog.

    Perform regular backups of domain controllers in order to preserve all trust relationships within that domain.

    For more information, see Domain controllers.

copied from microsoft technet
https://technet.microsoft.com/en-us/library/cc778219%28v=ws.10%29.aspx
jgrammer42 (Author) Commented:
Thank you for the info & link.  And that is my point.  Those servers should be DCs in the existing domain, not stand-alone, completely separate domains.  That is how I read this.  Am I correct?

Thank you
Jeff Glover (Sr. Systems Administrator) Commented:
Short answer: Yes, you are correct. No reason at all for them to be their own domains and a world of reasons for them not to be. We have 30 remote sites and we use a Read Only DC with Read Only DNS at each site. This way, the users can log on to the workstation and do business even if the remote links are down. The only limiting factor is your main domain controllers have to be 2008 or above and you have to prepare the forest for RODCs.
Make sure if you do use RODCs, you prestage the user and computer accounts for each site on their own RODC. Saves headaches if the link goes down.
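The layout Jeff Glover describes (one corporate domain, one AD site per shop, a read-only DC in each site, accounts prestaged for that site's RODC), combined with the TechNet guidance above to make each geographic area a site with its own domain controller and global catalog, as an added PowerShell example. This is not code from the thread or from Microsoft's documentation; the domain name corp.example, the site names HQ and Shop-017, the subnet, the RODC name and the group names are constructed placeholders, and it assumes the ActiveDirectory and ADDSDeployment modules (RSAT or the AD DS role) and Domain Admin rights on the corporate side.

```powershell
# Added example (not from this thread). Constructed names: corp.example, sites HQ and
# Shop-017, subnet 10.17.0.0/24, RODC-SHOP017, and the three Shop-017 groups.
# Run from a writable DC or an admin workstation with RSAT, as a Domain Admin.
Import-Module ActiveDirectory
Import-Module ADDSDeployment   # provides Add-ADDSReadOnlyDomainControllerAccount

$Domain    = 'corp.example'
$HqSite    = 'HQ'                  # assumed to exist already
$Site      = 'Shop-017'
$Subnet    = '10.17.0.0/24'
$RodcName  = 'RODC-SHOP017'
$ShopUsers = 'Shop-017 Users'      # staff who log on at this shop
$ShopPCs   = 'Shop-017 Computers'  # workstations at this shop
$ShopAdmin = 'Shop-017 Admins'     # delegated local admin of the RODC only

# 1. Prerequisites Jeff mentions: writable DCs on 2008+, and the forest prepared for
#    RODCs ("adprep /rodcprep" must have been run once). Forest functional level must
#    be at least Windows Server 2003 (not interim) for an RODC to be promoted.
$forest = Get-ADForest
if ($forest.ForestMode -in 'Windows2000Forest', 'Windows2003InterimForest') {
    throw "Forest functional level $($forest.ForestMode) is too low for RODCs."
}

# 2. One site and one subnet per shop, so the shop's clients locate their local DC
#    and so HQ<->shop replication rides the VPN on a schedule you control.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$Site'")) {
    New-ADReplicationSite -Name $Site
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $Site
}
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$HqSite-$Site'")) {
    New-ADReplicationSiteLink -Name "$HqSite-$Site" -SitesIncluded $HqSite, $Site `
        -Cost 100 -ReplicationFrequencyInMinutes 60
}

# 3. Groups that scope the RODC's Password Replication Policy (PRP): only this shop's
#    users and workstations may have their secrets cached on this shop's RODC, so a
#    stolen shop server exposes only that shop's credentials, never Domain Admins.
foreach ($g in $ShopUsers, $ShopPCs, $ShopAdmin) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}

# 4. Prestage the RODC computer account from the corporate side. The RODC is a global
#    catalog by default, gets DNS, and the delegated group can finish promotion on the
#    shop's box without holding Domain Admin rights.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $RodcName `
    -DomainName $Domain `
    -SiteName $Site `
    -DelegatedAdministratorAccountName $ShopAdmin `
    -AllowPasswordReplicationAccountName $ShopUsers, $ShopPCs `
    -InstallDns

# On the shop server itself (as a member of $ShopAdmin), the promotion step would be:
#   Install-ADDSDomainController -DomainName corp.example -UseExistingAccount `
#       -Credential (Get-Credential) -InstallDns

# 5. Once the RODC is live, prepopulate its password cache for the shop's users and
#    computers (the "prestage ... on their own RODC" step), so logons keep working
#    when the VPN is down even for accounts that have never signed in at the shop.
$writableDc = [string](Get-ADDomainController -Discover -Writable).HostName
$members = (Get-ADGroupMember $ShopUsers) + (Get-ADGroupMember $ShopPCs)
foreach ($m in $members | Where-Object { $_.objectClass -in 'user', 'computer' }) {
    Sync-ADObject -Object $m -Source $writableDc -Destination $RodcName -PasswordOnly
}

# 6. Verification: what the PRP allows, and what the RODC has actually cached. Anything
#    privileged appearing in the revealed list is a misconfiguration to fix.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
```

The PRP is the piece that makes the one-domain design safe for a rack in a retail back room: the RODC holds no writable copy of the directory and caches only the secrets you explicitly allow, so the blast radius of a compromised shop server is bounded to that shop's accounts. Keep the default denied list (Domain Admins, Enterprise Admins, Account Operators and the other protected groups) intact and re-run the usage check after any group membership change.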
jgrammer42 (Author) Commented:
Thank you very much!