Domain Controller Architectural Idea

We have a network with eight sites. Each site has a router that is connected via a site-to-site VPN. I want to put a Windows DC in one of the sites, and I am concerned about two things:

1) I don't want the internet use in each site to route through the domain, since I know that the primary DNS needs to point to the DC; maybe the gateway matters more. I just don't want the DC resolving any internet addresses.

2) I am concerned about speed; all sites have fiber, but does anyone feel we need more than one DC in another location?


Thanks,
rrococi2 asked:

arnold commented:
Not clear what you are asking. Commonly, for redundancy, having two DCs provides ....

Deciding on the placement of a DC in a specific branch,

The placement of a DC, DHCP, DNS server does not direct all Internet traffic.
Routing is the province of the VPN setup, since you use site-to-site, only.
The DHCP scope options in the site point to the gateway ..
The DCs will communicate between/among themselves without altering other traffic.

You can also use DFS/DFS-R to bring files closer to where they are used.

See if an RODC is what you should place in the site.

Do you already have servers in those sites?
Lee W, MVP, Technology and Business Process Advisor, commented:
Agreed - your question is a little unclear - if you explained why you don't want what you don't want, I think we'd have a better idea what your concerns are and how things might or might not be affected.

In short, my recommendations on DC placement/architecture:
For sites of 15 or less: no DC. Set up VPN and authenticate over that.
For sites of 15+ to 250: One DC. DCs at other sites provide redundancy.
For sites over 250 users: two DCs (for sites over 5000 I might consider a third DC - but most sites don't have that much)
So long as you understand AD and especially backup and restore of a DC, you SHOULD have 2 DCs in the domain.

Other considerations: You could have so many sites (I had a friend who worked at a bank where this was a problem) that the replication links get saturated because there are so many. The solution in that case is to start eliminating replication links - go from a full AD mesh of replication to a hub-and-spoke model.

Active Directory REQUIRES that the DNS servers used by the workstations are AD-aware. It doesn't (technically) have to be Windows DNS, BUT it has to know about all the Windows services, and so it ALMOST ALWAYS should point to Windows DNS servers and Windows DNS servers only (because of the caching nature of DNS).

Shaun Vermaak, Technical Specialist/Developer, commented:
1) I don't want the internet use in each site to route through the domain, since I know that the primary DNS needs to point to the DC; maybe the gateway matters more. I just don't want the DC resolving any internet addresses.
The Internet does not go through the DC, only DNS resolution.

2) I am concerned about speed; all sites have fiber, but does anyone feel we need more than one DC in another location?
A DC on site is only for when the link goes down, so no.

Mahesh, Architect, commented:
You can create a root (.) zone on the DNS server and it will stop internet flow from the DC server.
However, it does not mean that internet is blocked; you may have a web proxy through which internet still remains allowed.
If you want to block internet, that needs to be blocked at the network firewall level.

Fiber connectivity is always very good as compared to normal leased lines / MPLS.
The number of DCs per location is dependent on many factors:
Put two DCs in HO.
Put a single DC in each branch; branch client subnets should have connectivity to the HO site.
If you have any business-critical application in a site which needs a DC/GC, put two servers in that site.
The rest of the user calculation is already explained in earlier posts.
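The root-zone approach from the reply above, as an added example that is not part of the thread: a PowerShell script for the DC's own DNS server that first reports every path by which it could chase Internet names (forwarders, root hints, an existing "." zone), creates the empty root zone and clears forwarders only when run with -Apply, and then checks that an internal record still resolves while an Internet name does not. The zone name "corp.example", the host "hq-dc1" and the file name "root.dns" are assumptions; clients that use this DC for DNS will then need a proxy for web access, as the reply notes.

```powershell
# Added example (not from the thread). Run in an elevated session on the DNS
# server itself; needs the DnsServer module that ships with the DNS role.
#Requires -Modules DnsServer
param(
    [string]$InternalZone = "corp.example",   # assumption: the AD DNS zone name
    [string]$InternalHost = "hq-dc1",         # assumption: an A record in that zone
    [switch]$Apply                            # without -Apply the script only reports
)

# 1. Report anything that would let this server resolve Internet names.
$forwarders = @((Get-DnsServerForwarder).IPAddress)
$rootHints  = @(Get-DnsServerRootHint)
$rootZone   = Get-DnsServerZone | Where-Object { $_.ZoneName -eq "." }
Write-Host "Forwarders : $($forwarders -join ', ')"
Write-Host "Root hints : $($rootHints.Count)"
Write-Host "Root zone  : $(if ($rootZone) { 'present' } else { 'absent' })"

if ($Apply) {
    # 2. Owning "." makes the server authoritative for the root, so it answers
    #    NXDOMAIN for names it does not hold instead of recursing via root hints;
    #    removing forwarders closes the other recursion path.
    if (-not $rootZone) {
        Add-DnsServerPrimaryZone -Name "." -ZoneFile "root.dns"
    }
    foreach ($ip in $forwarders) {
        Remove-DnsServerForwarder -IPAddress $ip -Force
    }
}

# 3. Verify against the local service: internal name must still resolve,
#    an Internet name must not. "www.example.com" is just a reserved test name.
$inside  = Resolve-DnsName -Name "$InternalHost.$InternalZone" -Server 127.0.0.1 `
               -DnsOnly -ErrorAction SilentlyContinue
$outside = Resolve-DnsName -Name "www.example.com" -Server 127.0.0.1 `
               -DnsOnly -ErrorAction SilentlyContinue
[pscustomobject]@{
    InternalResolves = [bool]$inside
    InternetResolves = [bool]$outside
    Hardened         = ([bool]$inside) -and (-not [bool]$outside)
}
```

If Hardened comes back false after -Apply, the usual causes are a conditional forwarder or a cached answer; restarting the DNS service clears the cache.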