Joining a domain - What is the best practice?

Dear Experts, we have 1000 users located at multiple sites.
- The headquarters office includes 400 users, has a Cisco Router 3925, not yet a firewall.
- Site A includes 200 users, has a Sophos firewall.
- Each of Sites B, C, D, E has 100 users, only has an Internet modem, not yet a firewall.

In headquarters, the AD server (Windows Server 2012 R2) is ready, but we are not sure about the method to join the domain for ALL users. We have several questions as below:

1. MPLS-VPN leased line and VPN connection, which one is better in terms of performance and cost?

2. In case we choose a VPN connection, should we choose Site-to-Site VPN or Remote-Access VPN, and why? Which devices should we buy?

3. As I understand it, in a VPN connection the users who connect will use the Internet connection of the VPN server, is that right? If so, will the VPN connection be suitable for 1000 users?

4. For the domain diagram, which model should we use for high performance and availability? We intend to install an additional DC in headquarters and an RODC in each site. Is it okay?

5. In headquarters, all servers are VMs and we have Veeam 9.5 to back up, but in the sites the servers are physical. Which backup software is the best for physical AD machines?
DP230 (Network Administrator) asked:

masnrock commented:
1) MPLS sounds more appropriate given the size of your organization.
2) You're connecting multiple offices, so site-to-site VPN is what you need if you're going that route. Remote access VPN is for users who are connecting from home or other places. Two very different things. As far as the remote access VPN goes, you need to make sure it can work for the number of users you want to have the capability to support.
3) There are a number of factors in the site-to-site VPN, including bandwidth at each site.
4) Yes, you should have an appropriate number of DCs at each remote site.
5) You can use Veeam for physical DC backup as well.

I'd also recommend you work on standardizing infrastructure across the organization. That will make your life easier in the long haul.
Sajid Shaik M (System Admin) commented:
MPLS is always best, and site-to-site VPN also works well. When it comes to sites, an additional domain controller for each site will make sense, and it will maintain the redundancy of your AD.

About the VPN: as you have a Sophos appliance, with that you can configure site-to-site VPN ... Sophos to Cisco ... Sophos to Sophos you can create as well...

About the firewall: as you have different sites ... the best option to choose the firewall is first of all what kind of apps users will use. Is it centralised? Is it huge bandwidth-consuming apps? And the budget level. Depending upon that you can choose the firewall appliance, virtual appliance, UTM appliance etc., as well as specific-purpose firewall appliances like web or email firewall appliances in addition ...

All the best.
Tom Cieslik (IT Engineer) commented:
1. MPLS-VPN leased line and VPN connection, which one is better in terms of performance and cost?
MPLS-VPN is hard to set up, especially on the LAYER 3 level, but on LAYER 2 it is not, so the decision is yours. For me a simple SITE-TO-SITE VPN is enough, but for headquarters you must select a router with multiple STS connections allowed.
You can compare some models here:
https://www.firewalls.com/products/firewalls/sonicwall/sonicwall-tz/tz-comparison

2. In case we choose a VPN connection, should we choose Site-to-Site VPN or Remote-Access VPN, and why? Which devices should we buy?
Remote Access VPN is good for a few single connections and requires each user to be configured in the DC with remote access.
This is not so secure, so STS VPN is much better and more secure since it will allow connection only between 2 ends and SSL can be implemented.

3. As I understand it, in a VPN connection the users who connect will use the Internet connection of the VPN server, is that right? If so, will the VPN connection be suitable for 1000 users?

Not really. In STS VPN users are using their own gateway to connect to the Internet and only the VPN tunnel to connect to the other subnet.
If you are going to use a direct single VPN connection for each user, all you need to do is disable the setting "Use Gateway on Remote Network" in the TCP/IPv4 properties.

4. For the domain diagram, which model should we use for high performance and availability? We intend to install an additional DC in headquarters and an RODC in each site. Is it okay?

With STS VPN all your subnets will communicate with each other constantly, so you can implement many Domain Controllers.
I think that the MASTER controller should be in your HQ and you can have secondary controllers inside each subnet on the other side of the VPN tunnel.
Since all those sites will work in the same Domain/Forest you don't have to worry about Trust between domains.

5. In headquarters, all servers are VMs and we have Veeam 9.5 to back up, but in the sites the servers are physical. Which backup software is the best for physical AD machines?
I'm using Symantec Backup Exec with Disaster Recovery Option and I think it is one of the best backup software.
You can recover anything you want.

Capture.JPG
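The split-tunnelling setting Tom refers to ("Use default gateway on remote network") can also be inspected and set from PowerShell on a Windows client. The following is an added example, not code from the thread or from any vendor; the connection name "HQ-VPN" and the subnet 10.10.0.0/16 are placeholders.

```powershell
# Added example: inspect and set split tunnelling on a Windows client VPN profile.
# This is the PowerShell equivalent of clearing "Use default gateway on remote
# network" in the adapter's TCP/IPv4 properties. "HQ-VPN" is an assumed name.
$ConnectionName = "HQ-VPN"

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
"Before: SplitTunneling = $($vpn.SplitTunneling)"

# With SplitTunneling = $true only traffic destined for the remote subnets is
# routed into the tunnel; everything else (including general Internet browsing)
# keeps using the client's local gateway, so the HQ link does not carry the
# Internet traffic of every connected user.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Restrict the tunnel to the HQ subnet only (10.10.0.0/16 is an assumed value).
Add-VpnConnectionRoute -ConnectionName $ConnectionName `
    -DestinationPrefix "10.10.0.0/16" -ErrorAction SilentlyContinue

"After:  SplitTunneling = $((Get-VpnConnection -Name $ConnectionName).SplitTunneling)"
```

The trade-off to keep in mind: with split tunnelling enabled, the client's Internet traffic is no longer inspected by the HQ firewall, so endpoint protection and DNS filtering on the client matter more; with it disabled, all 1000 users' Internet traffic would traverse the VPN concentrator, which is the capacity concern raised in question 3.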

DP230 (Network Administrator, Author) commented:
Can someone please give us some models of firewall for VPN and security? Money is not a problem; we just need the best ones in terms of reliability, availability and security.
Tom Cieslik (IT Engineer) commented:
For me one of the best simple and secure firewalls is SonicWall.
It is much easier to set up using wizards or intuition and knowledge.

Here you can find some models you can choose from:

https://www.firewalls.com/products/firewalls/sonicwall/compare-sonicwall-firewalls

Dell SonicWall website:

http://pilot.search.dell.com/sonicwall
DP230 (Network Administrator, Author) commented:
Hi, just a quick question before we close this: a normal domain user can add up to 10 PCs to the domain, am I right?

And in case we join a PC via Internet (by pointing  its DNS record to DC's public IP address), is there any security risk? If yes, can you please clarify?
masnrock commented:
Hi, just a quick question before we close this: a normal domain user can add up to 10 PCs to the domain, am I right?
The default limit is 10, but it can be modified. But for all intents and purposes, the answer to your question is yes.

And in case we join a PC via the Internet (by pointing its DNS record to the DC's public IP address), is there any security risk? If yes, can you please clarify?
The words "over the internet" say enough right there: yes, it is a risk. For starters, you would have to open up firewall ports so that outside machines could connect to the domain controller. Just as traffic would be coming into the DC from outside, domain traffic would be going outside. Both cases, over an insecure means. Don't even consider this. I don't think you want to have your AD domain more open to getting hacked by people trying to figure out credentials via brute force attacks and the like. Plus that would open up sensitive traffic to getting sniffed across the Internet (authentication attempts, information about data you attempt to access, information about systems on your network, etc.).


You can close out this question and assign the points and helpful responses as you feel appropriate.
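The "10 PCs per user" default masnrock describes is the domain attribute ms-DS-MachineAccountQuota. The following is an added example, not code from the thread, showing how an administrator can read that quota, list the computer accounts that were joined under it (those objects carry mS-DS-CreatorSID pointing at the joining user), and optionally set the quota to 0 so that only explicitly delegated accounts can add machines. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.

```powershell
# Added example: audit the per-user computer-join quota and the machines joined
# under it. Assumes the ActiveDirectory module (RSAT) and a domain admin session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# Computers joined by an ordinary user under the quota carry mS-DS-CreatorSID;
# computers created by administrators or accounts with delegated
# "Create Computer objects" rights do not, so this filter isolates quota joins.
$joined = Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' `
            -Properties mS-DS-CreatorSID, whenCreated

foreach ($c in $joined) {
    # The attribute is stored as a binary SID; resolve it to an account name.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($c.'mS-DS-CreatorSID', 0)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # orphaned SID (user deleted) stays as the raw SID
    "{0,-20} created {1:yyyy-MM-dd} by {2}" -f $c.Name, $c.whenCreated, $who
}

# Common hardening: set the quota to 0 so that only accounts with explicit
# "Create Computer objects" rights (e.g. a dedicated join account or the
# helpdesk group) can add machines. Uncomment to apply.
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

Lowering the quota to 0 does not affect machines already in the domain; it only stops ordinary users from creating new computer objects, which is the usual recommendation because any domain user otherwise gets to add up to 10 machine accounts whose passwords they control.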