Remote Site Design and DC Configuration

Thread starter: Neil
Hi,

I came across this new design for DCs in remote sites. I have not done
anything like this, and I am not sure whether it is the correct way to have
done it. Correct me if I am wrong.

There are 4 remote sites. Each remote site has a single domain controller,
and the workstations get their DHCP address from the domain controller
through a helper address via the router. The workstations' gateway is the
router and not the domain controller.

I am not sure how the following will work:

1. Authentication for users in remote sites: will it be local authentication,
or will it be via the WAN to the main site?
2. How will Group Policy be applied?

Is this the way it should be designed for redundancy if the remote domain
controllers fail?

Earlier, what I had done was that the remote sites' workstations' gateway was
the DC, and they authenticated to the remote domain controller and got their
policies and scripts from the remote domain controllers. I know that with
this, if the remote DC goes down, users will not be able to authenticate and
log in. But I had another domain controller in the remote sites on which I
could easily turn on the Global Catalog, and they should be able to log in
through that, and the KCC will be built from that domain controller to the
main site.

Your design help would be much appreciated.

Thanks in advance.
 
Re: Remote Site Design and DC Configuration

Hello,

Do you have only one AD domain/forest? I guess so.

In AD Sites (dssites.msc), create as many sites as IP subnets (one should
match each remote site).
Attach each DC of each site to its AD site, so computers in a remote site will
connect to it all the time if it is available.

On each remote site, make the DC DHCP + DNS.

On the remote workstations, give them their local DC as primary DNS and the
head office DC as secondary, all through local DHCP.

GPOs will be synced between the DCs and will be applied.

Now about problems that can occur:
The WAN link can be down => the local DC has what is necessary to maintain
service for some time
The remote DC can be down => workstations will go to the head office DC if
they still have a valid DHCP lease
The head office may be down => same as link down

So to protect against this, you will:
- give a long lease time, say one or even 2 days
- maybe put two DCs in if the remote site is big

You may have an issue with FSMO roles if there is only one DC at head office.
The operations master mustn't be on a DC which is a Global Catalog, or all
DCs must be Global Catalogs.

Do you use Exchange?


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
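
The site/subnet mapping, the DHCP-delivered DNS order and the 2-day lease that Mathieu describes, as an added example that is not part of the thread: it uses the ActiveDirectory and DhcpServer PowerShell modules of a current Windows Server rather than dssites.msc, and every site name, subnet, DC name and address below is a constructed placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and DhcpServer
# modules (Windows Server 2012 or later); all names and addresses are constructed.
Import-Module ActiveDirectory, DhcpServer

# One AD site per remote IP subnet, each with its own DC (constructed values).
$remoteSites = @(
    @{ Site = 'Remote1'; Subnet = '10.1.0.0/24'; Dc = 'DC-R1'; DcIp = '10.1.0.10'; Router = '10.1.0.1' },
    @{ Site = 'Remote2'; Subnet = '10.2.0.0/24'; Dc = 'DC-R2'; DcIp = '10.2.0.10'; Router = '10.2.0.1' }
)
# Secondary DNS for every remote client: the head-office DC, reached only when the local DC is down.
$headOfficeDnsIp = '10.0.0.10'

foreach ($s in $remoteSites) {
    # The subnet-to-site mapping is what makes the DC locator hand clients their local DC.
    New-ADReplicationSite   -Name $s.Site
    New-ADReplicationSubnet -Name $s.Subnet -Site $s.Site
    Move-ADDirectoryServer  -Identity $s.Dc -Site $s.Site

    # DHCP runs on the remote DC; the router (not the DC) stays the default gateway,
    # and the lease is long enough to ride out a DC or WAN outage.
    $scopeId = ($s.Subnet -split '/')[0]
    Set-DhcpServerv4Scope -ComputerName $s.Dc -ScopeId $scopeId -LeaseDuration (New-TimeSpan -Days 2)
    Set-DhcpServerv4OptionValue -ComputerName $s.Dc -ScopeId $scopeId `
        -Router $s.Router -DnsServer $s.DcIp, $headOfficeDnsIp
}

# Checks: which DC the locator returns for a site, and where the FSMO roles and
# Global Catalogs sit (the head-office concern raised above).
Get-ADDomainController -Discover -SiteName 'Remote1' | Select-Object Name, Site
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles

# On a remote workstation, "nltest /dsgetdc:<your-domain> /force" shows the DC
# and site the client actually picked after the change.
```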


Re: Remote Site Design and DC Configuration

Hi Mathieu,

Thanks for the great tips. Yes, we have single domain single forest.

My question is should the remote workstations have router and not the DC as
the gateway?

Re: Remote Site Design and DC Configuration

Yes, of course.
The DC is not a router.
If you do so, it won't work.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
