Solved

AD Sites Question

Posted on 2016-09-07
4
38 Views
Last Modified: 2016-09-08
I'm interested in hearing opinions on this.

I have 3 different geographical sites with datacenters in them, each with at least one Domain Controller. I also have 3 remote locations, which do not have any servers at all, just 3-5 computers each. They are connected through MPLS via a slower (3 MB) connection. The remote locations get Internet access through one of the datacenters for O365 email and hosted SharePoint. Other than that, they contact the datacenters for authentication, minimal shared file services, and updates.

In AD Sites and Services, these are all set up as individual sites (6 sites) with the appropriate subnets associated to their respective site. My question is, what are the pros and cons of this setup? Wouldn't the best configuration be to only have 3 sites (the 3 datacenters) and have the remote sites' subnets be part of one of those 3 sites? Or does it really not matter if there's no AD replication between those remote locations anyhow?
Question by:rsgdmn
4 Comments
 
LVL 15

Expert Comment

by:whoajack
ID: 41788520
Hi there,

You need to have the sites and subnets properly configured so that the "remote" domain controllers will function properly for those computers. This is assuming that you have a site to site VPN so that all those subnets are considered internal and are accessible / can access the domain controllers.

I've never set up a site in that manner, but here is a thread with several folks mentioning it will work...
https://social.technet.microsoft.com/Forums/windows/en-US/81a6ff41-da00-470b-a86e-2409cad01756/remote-sites-without-a-domain-controllercreate-ad-sites-and-services-subnet?forum=winserverDS

Really for AD authentication you would want a DC in the site with the users. Or have them just operate as if they are in a remote WIFI location and not trying to access resources as if they were "internal".
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41788800
Generally, it's best to avoid having AD Sites that don't have a DC in them. It makes the site topology unnecessarily complex, since AD Sites are designed primarily to define and route domain replication traffic. Replication traffic only occurs between Domain Controllers, so having sites without a DC in them is more or less pointless.

Removing the remote site AD sites and reassigning the subnets attached to them to whichever Datacenter they are directly connected to will cause no increase in traffic, and it will not reduce failover capabilities. If the connection from one Datacenter to all other datacenters fails, the ability to connect to a DC for the remote site connected to that Datacenter will fail whether it has its own AD site or not, unless there is a full mesh MPLS configuration going (each remote site is connected to all Datacenters via a separate MPLS circuit). If that's the case, then it may make sense to have a separate site for the remote clients, since they have more than one way to connect to a Domain Controller and can connect to multiple sites.

I would recommend examining the Site-Link configuration. If the remote sites are in a Site-Link that connects them to all the Datacenter sites, verify the MPLS configuration to see if they have redundant connections to all Datacenters. If the remote sites are in a Site-Link that only connects them to a single Datacenter, it's probably safe to remove the remote site and move the subnet to the datacenter site.
0
 

Author Closing Comment

by:rsgdmn
ID: 41789850
Thanks for the responses. They are connected via a mesh MPLS network. So each of the remote sites can reach a domain controller in any of the three data centers. So I guess I'll leave it as is. I'm not sure what the advantage is to having it this way, but since I can't seem to find a disadvantage, I'll leave it as is.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41790244
If there's a mesh, it makes sense because you can assign AD replication links to each of the MPLS links. That protects the remote sites from connectivity failure in a single Datacenter. If the remote sites were in the same AD site as a Datacenter, they would always use that data center's DC. If, for some reason, the datacenter whose AD site a remote site shared lost all network connectivity, the remote site might not be able to discover the other DCs and authenticate.

If the remote sites were only connected to a single Data Center, there wouldn't be a way for the remote site to connect to the other DCs anyway, so having the remote site in a different AD site would make no sense.
1
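A way to carry out the site-link review recommended in the accepted solution and the failover reasoning in the follow-up comment, as an added PowerShell example that is not part of this thread: it lists, per AD site, the DCs, subnets and site links, and flags sites that contain no DC, so you can see which datacenter a remote site's clients would fall back on. It assumes the RSAT ActiveDirectory module is installed and the account can read the Configuration partition; site and domain names are placeholders.

```powershell
# Added example, not from the thread. Reports the AD site topology so that sites
# without a DC, and the site links that reach them, can be reviewed.
Import-Module ActiveDirectory

function Get-SiteTopologyReport {
    $sites   = Get-ADReplicationSite -Filter *
    $dcs     = Get-ADDomainController -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *
    $links   = Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded

    foreach ($site in $sites) {
        # Get-ADDomainController exposes the site by name; subnets and site links
        # reference the site by distinguished name, so match on both forms.
        $siteDCs     = $dcs     | Where-Object { $_.Site -eq $site.Name }
        $siteSubnets = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName }
        $siteLinks   = $links   | Where-Object { $_.SitesIncluded -contains $site.DistinguishedName }

        [pscustomobject]@{
            Site      = $site.Name
            HasDC     = [bool]$siteDCs
            DCs       = ($siteDCs.HostName -join ', ')
            Subnets   = ($siteSubnets.Name -join ', ')
            # One entry per site link the site belongs to, with cost and interval,
            # so a DC-less site linked to a single datacenter stands out.
            SiteLinks = (($siteLinks | ForEach-Object {
                "$($_.Name) (cost $($_.Cost), every $($_.ReplicationFrequencyInMinutes) min)"
            }) -join '; ')
        }
    }
}

# Sites with subnets but no DC, and the links that would carry their logon traffic:
Get-SiteTopologyReport | Where-Object { -not $_.HasDC } | Format-List

# Client-side check from a workstation at one of the remote locations (elevated
# prompt; replace example.local with the real domain): which site it resolved to,
# and which DC the locator handed it after a forced rediscovery.
# nltest /dsgetsite
# nltest /dsgetdc:example.local /force
```

A site that holds subnets but no DC is served by a DC from the lowest-cost site link (automatic site coverage), so the SiteLinks column is what tells you whether a remote site has more than one datacenter to fall back on, which is the condition the accepted solution sets for keeping a separate site.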
