200 Site network from scratch.

Hello All,

I'm in need of some guidance regarding a new project I'm about to start. To give you a little background, I handle about 15 different clients. My largest client only has 3 servers and about 30 users. For the past 15 years I've handled very small businesses with one or two servers. The routine admin stuff for small domains.

This new project belongs to my oldest client, who has started selling franchises throughout the United States. They estimate about 30 new sites in the next 13 months. I have very little time to create a Network Operations Center. The company expects to add 30 sites a year or more, to a total of about 300. So far 15 have been sold but construction will not start for another few months, so I guess this is really happening.

As you can imagine I'm a little bit out of my comfort zone.

My main question is how to handle the data. Right now we have 4 centers with a PDC and a BDC at the corp office. All connect through VPN to corp to access files (mostly Excel and Word). Each center has 6 computers and all centers have about 25 MB of bandwidth. No real problems for about 10 years with this setup.

My intent is to build the infrastructure for 200 sites with 6 computers in each site. I want to divide the country into time zones and create a domain in each time zone. I was thinking a PDC and BDC per zone and VPN from each site. I know I'm really behind the times on a lot of this stuff and there might be a better way to handle this. All of our email will be handled by Office 365, by the way.

Well at least this will start the conversation and I hope to hear from someone with the best way to handle something like this.



Robert Ornelas, VP Operations at Cook's Computer, commented:
With Office 365 you can store files on OneDrive, but are the remote sites accessing any type of database, and do the remote sites require AD for logins and such? My biggest customer is set up with MPLS circuits, a ShoreTel phone system, and a DC at each site. The corporate site hosts all the software servers and the ShoreTel HQ server and the PDC; everything is accessed via the MPLS and all internet traffic goes out Corporate. In the event of any failure at Corp we can move the network-based firewall to an alternate site so sites can still have internet, and we can spin up all corp servers in the cloud if the failure is going to be longer than a day. This is just one way of doing it, I'm sure more experts will chime in with more options, but please elaborate on what the sites need to access at the corporate location.
Justin Evans commented:
Hi Jorge,  

Looks like you have an interesting project there! First thing I would do is a diagram of the sites across the time zones. How many time zones are you traversing?

This setup would be ideal for a hub-and-spoke infrastructure, where the satellites feed in to the Corp office. If I understand you correctly you're only adding six PCs to the satellite offices, so I wouldn't recommend different domains per time zone; instead the design could be split up by OUs per satellite office and site links. What you could do is save your documents in the cloud through Office 365, using the VPN link for authentication traffic; if that is too slow then I would recommend an RODC (Read Only DC), available from Windows Server 2012 and up. Therefore the majority of traffic would be going out from the satellite sites straight to the Internet, where the majority of the work would be available through Office 365.

I hope this helps.

For more information please message me with more details of the project and I will elaborate.

Kind Regards

Cliff Galiher commented:
You may be overthinking this.  The reason someone sells (or buys) a franchise is that it is independently owned.  Which means, by and large, you would not set up a network for the site, nor a domain, nor a VPN.  That's up to the franchisee.  You need to offer *services* as the franchisor and expose those services in the way that makes the most sense.  

Think of it this way:  McDonald's (arguably the most popular franchise) wouldn't want franchisees directly on their corporate network, nor would they want to be responsible for setting up literally many hundreds of networks for the various franchisees.  They instead offer some stock management as an application, some advertising as an application, etc.  Even pricing is variable as what a Big Mac costs in San Francisco is very different than what one would cost in Cody, Wyoming.  So the franchisee is often responsible for setting their own pricing (within the guidelines of the franchise agreement)...and is why you always hear those end-of-commercial "at participating locations" disclaimers.  

Based on what you've written, it sounds like you're planning the technical side of things before you've really gotten a handle on the business side of things. And that's a bit of a cart-before-the-horse situation. You need to sit down with the business owner and figure out exactly what he wants his responsibilities to be, what the franchisees' responsibilities will be, make sure that is in writing somewhere, and only then design your solution. And realistically, if you are used to small networks, I'd be honest with the owner and tell him this is not your wheelhouse and you'll be bringing in a subcontractor to assist.

I work on small engines. I'm very good at troubleshooting and working on cars.  I'd never dream of trying to service an 18-wheeler in any capacity. The size and scale and skillset is just too drastically different.  As it happens, I also support large networks. But I got my start in I.T. years ago in the SMB space (before there was an SBS product...R.I.P.), and have spent 20+ years gaining experience in working with large networks. So I say, from experience, it isn't an easy leap to make and the potential for catastrophic issues, both to your client...and thus indirectly to you and your reputation, is very high.  Don't take that risk. Bring in someone.  Not as in forums and EE, but as in someone who does large networks for a living and can really help keep the project on the rails (and will be expected to be compensated for their time, unlike forums and EE.)  

That's my advice, for what it's worth.


Exactly what services are being provided by the client? There are certainly systems the franchises need to hook up to, but that wouldn't be all of the internal systems. And I would assume that those systems that are necessary for franchises are at least somewhat segregated from other corporate systems.
jcl64213 (Author) commented:
First of all, thank you guys for your response. It did get me along further.

This is a hands-off franchise operation where corp will manage all aspects of the business including the network. The investor chooses the location and we run with the build-out and run the franchise.

- I will be bringing in a consultant, but it would be out of my pocket, so the more info I have beforehand the better.

- The files being accessed by the satellite offices are standard Word forms, Excel reports, and other MS Office files. The database we use is hosted by a third party and will be accessed directly from the satellite office via the internet.

- The satellite offices will be in every time zone in the US.

- I was thinking two domains, one for the franchises and the other for Corp. Each franchise has its own OU.

- The remote sites will need to be authenticated by AD through VPNs.
Cliff Galiher commented:
Doesn't really sound like a franchise at that point. But I digress. Given the security and the assumption that it is still an independent franchise of sorts, franchise owners may still have issues with one franchisee being able to authenticate against and access information in another franchisee's network. And since they don't manage the network, they'd have no choice. It's at least a deterrent to invest, and at worst a security nightmare.

Each franchise owner gets their own domain, with a trust to the "franchise source" for docs, resources, etc. And the franchise source domain is separate from the internal domain.

Each site gets an RODC. Don't authenticate across the VPN.

To better illustrate, let's say a guy decides to start a new franchise from his successful "McDowell's" restaurant (a nod to one of my favorite Eddie Murphy movies.)

There is the McDowell's corporate domain. Let's call it corp.mcdowells.com, and it is totally private.  No trusts. Used for internal company stuff, bookkeeping, management of the franchise business.

Then there is the McDowell's Franchise domain for franchisee resources.  franchisees.mcdowells.com, for all those forms and docs and stuff you mentioned.

Bob buys into the franchise and opens five restaurants. He gets *one* domain (not five.) bobs-franchise.mcdowells.com. It has a federated trust to the franchisees.mcdowells.com domain to access docs. Five RODCs. One at each location. And one or more writable DCs at his "headquarters."

Jane also buys into the franchise and opens seven restaurants. One more domain. janes-franchise.mcdowells.com. It has a trust to the franchisees domain. Jane has access to franchise resources. So does Bob. But they don't access *EACH OTHER'S* domains as there is no trust there. Yay for security.

And authenticating over a VPN is a significant point of failure. It works, but I almost guarantee you that the user experience will be terrible and that is a bad reputation on the business. RODCs are inexpensive, secure, and easy to implement. Well worth the investment, even at volume.
Seth Simmons, Sr. Systems Administrator, commented:
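The trust layout Cliff sketches above, modelled as a small Python check so the access consequences can be seen directly. This is an added example, not code from the thread; it assumes corp, the franchisees hub and every franchisee domain are separate forests joined only by one-way external trusts, which do not chain (no transitivity), and it records a trust as a (trusting, trusted) pair where the domain holding the resources trusts the domain holding the accounts.

```python
# Added model of the McDowell's trust design (not from the thread).
# Assumption: all domains are separate forests linked by one-way external
# trusts, which are non-transitive, so access never chains through the hub.
CORP = "corp.mcdowells.com"
HUB = "franchisees.mcdowells.com"
BOB = "bobs-franchise.mcdowells.com"
JANE = "janes-franchise.mcdowells.com"

# Constructed topology: the hub trusts each franchisee so their users can open
# the shared forms; corp has no trusts; franchisees do not trust each other.
TRUSTS = frozenset({(HUB, BOB), (HUB, JANE)})


def can_access(account_domain, resource_domain, trusts=TRUSTS):
    """Can an account from account_domain be authorised to a resource in
    resource_domain? Yes for the same domain, or if resource_domain directly
    trusts account_domain. No transitive hop is attempted, on purpose."""
    if account_domain == resource_domain:
        return True
    return (resource_domain, account_domain) in trusts


def access_matrix(trusts=TRUSTS):
    """Map each domain to the sorted list of other domains its users can reach."""
    domains = {d for pair in trusts for d in pair} | {CORP}
    return {a: sorted(r for r in domains if r != a and can_access(a, r, trusts))
            for a in sorted(domains)}


def audit(trusts=TRUSTS, corp=CORP, hub=HUB):
    """Return trusts that break the design: any trust touching corp, a
    franchisee trusting the hub, or one franchisee trusting another."""
    findings = []
    for trusting, trusted in sorted(trusts):
        if corp in (trusting, trusted):
            findings.append(f"{corp} must have no trusts at all: ({trusting}, {trusted})")
        elif trusting != hub and trusted != hub:
            findings.append(f"franchisee {trusting} trusts {trusted}; only the hub may trust franchisees")
        elif trusted == hub:
            findings.append(f"{trusting} trusts the hub; hub accounts should not reach franchisee resources")
    return findings


if __name__ == "__main__":
    for account, reachable in access_matrix().items():
        print(f"{account:32} -> {reachable}")
    # A stray Jane-trusts-Bob link is exactly what the audit should catch.
    print("violations:", audit(TRUSTS | {(JANE, BOB)}))
```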
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Cliff Galiher (https:#a42468262)
-- Robert Ornelas (https:#a42468244)
-- Justin Evans (https:#a42468247)
-- Cliff Galiher (https:#a42470471)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer