Setting up a domain across four locations

Note:  All servers are Windows Server 2016.  All firewalls are SonicWALL.  All Workstations are Windows 10 Pro with about 6 Macs thrown in.

Working with an office that has four locations all currently in workgroup configuration.  We want to add a domain controller at each location, but we want all four locations to be on the same domain.  We will have IPsec VPNs configured as follows (Office A is the main location):

Office B to Office A
Office C to Office A
Office D to Office A

So the domain controller at Office A will be the "main one" in that configuration as, for example, if an account is disabled at Office C, then replication would have to occur from Office C to Office A and then from Office A to Office D before the domain controller at Office D knew anything about the account being disabled.

Question:  Is this a viable setup?
Question:  What would be the DNS settings for each domain controller?  Assume the following subnets:
Office A - 192.168.200.x
Office B - 192.168.201.x
Office C - 192.168.202.x
Office D - 192.168.203.x

Adam Brown (Sr Solutions Architect) commented:
That is a viable configuration. You would essentially be configuring AD Sites and services to have a site for each office, then configure an IP Site Link for each site and add the main DC and each site's DC to its respective Site Link.
Adam Brown (Sr Solutions Architect) commented:
Yes. You would do that process for each site. Once done, each DC would only replicate with the primary DC in site A, and then site A's DC would replicate to the other DCs. This is a fairly standard Hub and Spoke configuration.

JamesNT (Author) commented:
I love the article's reference to "Primary Domain Controller."  I've always said the server with the FSMO roles is the Primary Domain Controller and that MS's saying that there is no PDC and BDC anymore is nonsense.  But I digress.

As for the IPsec VPN, I will probably allow network to network.  So any computer on 192.168.200.x can get to any computer on 192.168.201.x.  So basically any computer in one of the spokes can get to any computer in one of the hubs.  Any issues with that in your mind?

JamesNT (Author) commented:
Oh, and what about DNS?  Or does the link take care of that?  The article doesn't seem to mention DNS.

Adam Brown (Sr Solutions Architect) commented:
DNS is replicated with all other AD data as long as the DNS zones are Active Directory Integrated. If they aren't AD Integrated, make them AD integrated, cause it works well and is easy to manage. Non-AD Integrated DNS is a huge pain in the butt.
JamesNT (Author) commented:
I always AD-integrate my DNS.  :)

So no special settings on the DCs for DNS.  Just have each one point to itself?

Lee W, MVP (Technology and Business Process Advisor) commented:
"I love the article's reference to "Primary Domain Controller."  I've always said the server with the FSMO roles is the Primary Domain Controller and that MS's saying that there is no PDC and BDC anymore is nonsense.  But I digress."

So which is the Primary domain controller when server A hosts the infrastructure master, B the PDC Emulator, C the Schema Master, D the RID master, and E the Domain Naming master?  Do you have 5 PDCs?  Then what's the point in declaring "Primary" - you can't have a "PRIMARY" when you have 5 each having a FSMO role.

There's no problem with this config... How you want to connect the sites is up to you. As long as the DCs can communicate, that's fine.  As long as you make DNS AD integrated (which is default), that's fine - DNS will replicate to all DCs.  I would point the DC at its own IP first and subsequently list all the other DCs.  Even Microsoft internally debates DNS config.  Can't find the article now, but it was a post by a Microsoft employee (as opposed to the MVP cited in the link above) about DNS config, and that there are pros and cons about configuring it to point to itself first vs. another DC, and that they don't have a solid preference one way or another.
Cliff Galiher commented:
So a comment for the OP and a comment on one of the comments (as they are related)

When setting up a hub and spoke as suggested, I'd put *TWO* domain controllers at the main site.  The "primary domain controller" in this case is primary because it is the sole point of failure in such a topology.  Maintenance windows exist, and outages occur where, due to the topology, a single DC at site A can cause issues if it is down for an extended period of time.  Having two at that site alleviates that issue to some extent (a down link is still a concern, and I'd actually do multiple VPN tunnels to alleviate that as well, but that's another conversation.)

As someone who actually worked on NT from its founding days as a joint effort with IBM and OS/2, a PDC/BDC in that sense is not at all the same as a FSMO role holder in the modern architecture.  The PDC/BDC model is well and truly dead, so Microsoft is absolutely correct in saying that there is no PDC anymore.  Even saying that "the PDC is the controller with all the FSMO roles" is an injustice.  The FSMO roles can be spread across multiple DCs, and in any deployment of scale often are, and in multi-domain forest deployments *MUST* be.  Also, when you look at what a BDC did and didn't do back in the day, *no* modern writeable DC has such hard restrictions. It is truly multi-master, making the old PDC and modern FSMO comparisons totally different.

A "primary domain controller" in a hub and spoke doesn't even need to hold FSMO roles. You could throw them on one of the satellite offices.  And yet because the DC at site A is still responsible for communicating changes from site B to site C, the DC at site A is "primary" as far as the topology is concerned.  Which is totally independent of the PDCe FSMO role, or any legacy PDC limitations.  Apples and oranges. The only thing they have in common is the English word "primary."

All of which actually is relevant when DR planning for site and/or link outages.  While hub and spoke topologies are certainly fairly common, the hubs become a single point of failure, as mentioned above.  When using dedicated private links, sometimes there is that risk and even multiple DCs in the hub can't mitigate an extended link outage.

But when site-to-site VPNs are being used, at least a hybrid mesh topology is better.  You can weight the connections so traffic over slower WAN links is avoided, but should a link be completely down, at least replication occurs over the surviving links.  Given SonicWALL's robust VPN support, even on their entry level TZ-series, there is little downside to adding that level of redundancy.
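As an added example, not code from the thread or from any of the posters, the following PowerShell builds the hub-and-spoke Sites and Services topology Adam describes (one site and subnet per office, one IP site link per spoke containing only the hub and that spoke) and then adds the higher-cost spoke-to-spoke links Cliff suggests as a hybrid mesh. It is run once on the existing Office A DC before the spoke DCs are promoted. The site and link names, the costs and replication intervals, and the example domain name in the final comment are assumptions; the /24 subnets are the ones from the question.

```powershell
# Added example (not from the thread). Run once on the existing Office A DC as a
# Domain Admin, *before* promoting the spoke DCs. Site/link names, costs and
# intervals are assumed values; the subnets are the ones in the question.
Import-Module ActiveDirectory

$sites = [ordered]@{
    'OfficeA' = '192.168.200.0/24'   # hub
    'OfficeB' = '192.168.201.0/24'
    'OfficeC' = '192.168.202.0/24'
    'OfficeD' = '192.168.203.0/24'
}
$hub    = 'OfficeA'
$spokes = @('OfficeB', 'OfficeC', 'OfficeD')

# 1. The forest's first DC lives in Default-First-Site-Name. Rename that site to the
#    hub instead of creating a new one, so the existing DC stays in the hub site.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default -and -not (Get-ADReplicationSite -Filter "Name -eq '$hub'")) {
    Rename-ADObject -Identity $default.DistinguishedName -NewName $hub
}

# 2. One site per office plus the subnet that maps machines to it. Without the subnet,
#    a DC or client in 192.168.202.x would be placed in the hub site and pick the wrong DC.
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    $subnet = $sites[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }
}

# 3. Hub-and-spoke: one IP site link per spoke containing only the hub and that spoke.
#    With "bridge all site links" (the default) the KCC routes C -> A -> D transitively
#    at cost 100 + 100 = 200, which is exactly the behaviour the question describes.
foreach ($spoke in $spokes) {
    $link = "$hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $hub, $spoke `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# 4. Hybrid mesh: direct spoke-to-spoke links at a higher cost. 300 > 200, so the KCC
#    keeps using the hub while it is reachable and only builds connections over these
#    links when the hub site or its VPN tunnel is down.
for ($i = 0; $i -lt $spokes.Count; $i++) {
    for ($j = $i + 1; $j -lt $spokes.Count; $j++) {
        $link = "$($spokes[$i])-$($spokes[$j])-backup"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
            New-ADReplicationSiteLink -Name $link -SitesIncluded $spokes[$i], $spokes[$j] `
                -Cost 300 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
        }
    }
}

# 5. Retire the catch-all DEFAULTIPSITELINK so only the explicit topology is used,
#    then print the resulting links for review.
if (Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'") {
    Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false
}
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ',' } }

# Promote each spoke DC directly into its site, e.g. on the Office B server
# (corp.example.com is an assumed domain name):
#   Install-ADDSDomainController -DomainName corp.example.com -SiteName OfficeB -InstallDns
```

Step 4 is optional; leave it out for a pure hub-and-spoke. Because the backup links cost more than the two-hop path through the hub, they change nothing while the hub is healthy, and `repadmin /showrepl` on a spoke DC will show only the hub DC as a partner until the hub or its tunnel actually goes down.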
Cliff Galiher commented:
@Lee:  One of the town halls at Summit a couple of years ago seemed to come to a consensus on this, and I haven't seen articles that contradict it since.  The consensus was, as I recall, that in a multi-DC domain, the first DNS entry should be another authoritative DNS server (usually a DC), and the second should be itself.

As it was a town hall, I won't give details (NDAs are weird), but of the publicly available knowledge, the basic gist is that the DNS service loads the AD-integrated zone *after* the DC is determined to be healthy and advertises itself for DNS.  By pointing to another DNS server first, the server can find another DC and start the netlogon advertising process faster. If it points to itself first, reboots are slower, as it can't use itself during startup because it isn't advertising as authoritative.

Once up, the impact is negligible, and order doesn't even really matter. If the primary DNS server goes down, fallback to secondary (itself) works as expected and is fast enough to be a non-issue. But when an environment is having issues and multiple reboots are required during a restore, that primary vs secondary really adds up.

It was actually broken down on a technical level really well. Not just a "because we think it's better"; it was straight from the server engineers in the room.  Given that, I've actually switched from my SBS roots of "point to yourself first" mentality and have been recommending another DC first for the last ...three? years.  I'd be curious if you've heard different more recently.
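The DNS client ordering discussed above (JamesNT's "point to itself?", Lee's "itself first, then the others", Cliff's "another DC first, itself second") comes down to the order of a single list on each DC. The following PowerShell is an added example, not code from the thread, that applies Cliff's ordering and then runs the checks a practitioner would want: that the zones are AD-integrated (Adam's point), that the DC is advertising the SRV records for its site, and that replication is healthy. The DC names and addresses (including a second hub DC, as Cliff recommends), the domain name `corp.example.com`, the interface alias `Ethernet`, and the helper `Get-DcDnsOrder` are assumptions for illustration. To follow Lee's preference instead, swap the first two entries the helper returns.

```powershell
# Added example (not from the thread). Run on each DC as a Domain Admin. DC names,
# IPs, domain name, interface alias and the Get-DcDnsOrder helper are assumptions.
Import-Module DnsClient
Import-Module DnsServer
Import-Module ActiveDirectory

$domain = 'corp.example.com'                 # assumed domain name
$dcs = [ordered]@{
    'DCA1' = '192.168.200.10'               # hub, Office A
    'DCA2' = '192.168.200.11'               # second hub DC so the hub is not a single point of failure
    'DCB1' = '192.168.201.10'               # Office B
    'DCC1' = '192.168.202.10'               # Office C
    'DCD1' = '192.168.203.10'               # Office D
}

# Build the DNS server list for one DC: its replication partner first, itself second,
# every other DC after that. Hub DCs prefer the other hub DC; spokes prefer the hub.
function Get-DcDnsOrder {
    param([Parameter(Mandatory)][string]$Name)
    $partner = if ($Name -like 'DCA*') {
        $dcs.Keys | Where-Object { $_ -like 'DCA*' -and $_ -ne $Name } | Select-Object -First 1
    } else {
        'DCA1'
    }
    $rest = $dcs.Keys | Where-Object { $_ -ne $Name -and $_ -ne $partner } | ForEach-Object { $dcs[$_] }
    @($dcs[$partner], $dcs[$Name]) + @($rest)
}

# 1. Apply the ordering on the DC this script is running on.
$me = $env:COMPUTERNAME
if (-not $dcs.Contains($me)) { throw "$me is not in the DC table; edit `$dcs first." }
$order = Get-DcDnsOrder -Name $me
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $order
"$me DNS client order: $($order -join ', ')"

# 2. Every primary zone on this DC should be AD-integrated; a file-backed primary
#    zone does not replicate with AD and would be the "huge pain" mentioned above.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope

# 3. The DC is only usable once it advertises: the site-specific LDAP SRV record must
#    resolve and list this DC. This is the record clients in the office's subnet query.
$site = (Get-ADDomainController -Identity $me).Site
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port

# 4. Force a DC locator lookup and summarise inbound/outbound replication errors.
nltest /dsgetdc:$domain /force
repadmin /replsummary
```

After a reboot of a spoke DC, step 3 is the quick way to tell whether "find another DC first" helped: if the SRV query returns the local DC within a minute or two of boot, Netlogon has registered and the DC is serving its site; if the query is answered only by the hub DC, the local DC has not finished advertising yet and clients in that office are authenticating across the VPN.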
Lee W, MVP (Technology and Business Process Advisor) commented:
I *think* I dug it up... (Using the fact that the first sentence on the answer is it depends on who you ask).  In which case, I misremembered and this question will pretty much guarantee I get it right in the future!

Oh, look at that, it's by Ned!
JamesNT (Author) commented:
I'm about 5 inches away from DEMANDING that EE allow me to grant all of you 500 pts.  This is a GREAT conversation!  Let me digest all this and double check with the client on setup.  I'll be back soon.

Lee W, MVP (Technology and Business Process Advisor) commented:
Thank you JamesNT - It's folks like you that are the reason I answer questions - people who see the value in a back and forth comments!
JamesNT (Author) commented:
Alright, I hope I was fair about all this.  Thank you all for your assistance!
