Best practice for Active Directory at remote locations

nooboftheyearedition · 2024-10-09T07:41:44.947Z

Hello there,

I have a client currently using Active Directory at HQ ( let’s say at abc.xyz domain ) happily ever after.

Now they want such system in new factory that’s remote from HQ. They also want to be able to reach both file servers at HQ or factory by users at both sites. (as well as roaming devices when changed location)

In that case, I guess most straightforward solution is using a site-to-site VPN and current AD server being sole one but not sure what should do if we want two AD servers in separate locations? ( for both sites to be operable in case of a communication issue )

And not sure how to keep them synced ( as clients at HQ also having credentials in factory server or vice versa) , need sort of sync or permanent site-to-site VPN?

I briefly checked and some answers mention tree domain or child domain but tbh not sure which one would suit better.

So I’d appreciate a brief guide.

Thanks in advance.

Rod-IT · 2024-10-09T09:30:45.916Z

NoobOftheYearEdition:

not sure what should do if we want two AD servers in separate locations?

It’s best practise to have at least 2 DCs anyway, but setup a second, on the remote site, configured for each to use the other as their primary DNS, then 127.0.0.1 as their secondard.

You may want to configure sites-and-services, so users over that ‘site’ get ‘their’ DC first. Update the DHCP scope for DNS to give users on ‘remote site’ ‘remote DC’ for DNS, then ‘HQ DC’ for secondary.

As for data, you may want to look at a DFS share with replication, again, you would use ‘sites-and-services’ to send users to their closest one first.

You don’t want a child domain, this is legacy.

There is too much details to give for the complete setup, but the above should point you in the right direction for some reading.

TL:DR
Read up on sites and services
Best practises for DNS
DFS-R

Active Directory DNS Refresher - Windows - Spiceworks Community

matt7863 · 2024-10-09T12:03:40.072Z

There are many options including child domains etc - but generally using one domain is sufficient - and if you need users to roam between locations it is the simplest solution.

Active Directory requires a network connection between the locations - this should be reliable. It does not have to be high bandwidth if you deploy local servers but performance of the access to remote apps/fileservers will be dependent on bandwidth.
A site to site VPN over the internet typically works well if =both sites have good business internet. DIA/leased line etc preferred over broadband.
If the internet connectivity is poor, or access to central resources is key then a private WAN is usually a better option. You can start with VPN and always upgrade if required.

If using an internet VPN (especially if a single point of failure - no resilience) then local Domain Controllers are essential. These can additionally provide DNS/DHCP also. This way the remote office can function when the communications to HQ are down.
Follow Rod’s advice. It is essential to correctly replicate site topology in AD etc.

randomparts · 2024-10-09T12:16:23.080Z

I worked at a place that had multiple sites on the same domain. We used a secondary read only DC at each site.

jameswalker20 · 2024-10-09T14:20:44.335Z

That is what I was going to suggest, @randomparts

PatrickFarrell · 2024-10-09T14:59:30.615Z

You can certainly have a domain controller at the remote site if you have a secure place to put it.

This gives you some off site redundancy. If something happened at the main site like a fire that damaged the server room, your active directory would not be gone.

Site to Site VPN would be the way to accomplish this.

There is no reason to do a child domain here. Child domains complicate administration. Domains are an administrative boundary, but not a security boundary. If you’re following the at least 2 domain controllers per domain, adding a child domain would mean you need 4 now.

kwelch007 · 2024-10-09T15:39:28.329Z

Yep. We have 100+ sites that work this way. It gets a bit more complicated when the network gets that big, but for just 2->few sites, having DC at each site and some secure always-on connectivity between them makes it pretty easy. As @Rod-IT said, you’ll want to set the local DC priority in Sites-and-Services…this effectively manages the DNS configuration.

Depending on cost and required speed, you may consider something other than a Site-to-Site VPN. MPLS comes to mind, or Metro-E/L2-handoff, but it might make sense to start with StoS and see if that’s adequate.

EDIT To reiterate, regardless of what you do you should definitely add a second DC at your primary site if for no other reason than redundancy of AD.

nooboftheyearedition · 2024-10-09T18:11:15.673Z

Thank you all for caring to reply but I’ll not that pretend I got all of what you said. So if you let me rephrase in noobman terms (and if I’m not mistaken)

1 - In any case there must be site-to-site VPN between two locations ( alas no more is available atm at new location ) anyway.
2 - It can either be RODC especially if have security concerns or better be another DC if secure enough. But RODC is easier in comparison to setting up another DC ?

As these are simple networks at their cores ( using Windows Server Essentials, basically nothing more than a file server with a NAS ) , I want to keep things simple and not that error prone. And considering their need to access remote data is neglible , it’s more of a credentials issue.

As name suggests, I guess RODC only allows credential management via DC one, how it’s handled when there are two DCs ? They somehow sync ? Is any of them authoritative?

And would it be a problem (especially DNS wise) if one site is like 192.168.1.x while other is 192.168.16.x or so?

PS : I know some of you really want to say " you’re too noob for it " but alas have to handle it somehow.

edrubin1718 · 2024-10-09T18:21:45.842Z

The path of least complexity is some sort of reliable connection between sites and a DC at each site. A separate subnet per site actually makes it easier as long as appropriate routing, DNS and AD sites are set up.

PatrickFarrell · 2024-10-09T19:50:50.569Z

RODC is more complicated than a normal DC and doesn’t provide the same level of functionality. Unless you have security concerns of someone at that location getting into the server room there and getting physical access to the server to try and take it over, avoid the RODC route.

dwo1064 · 2024-10-09T19:55:43.358Z

I second that emotion about No RODC.
We had one once, and it was more of a pain for certain things and really didn’t do what we expected.

And to repeat, and agree with the above - One domain, Sites and Services, two DCs.

adrian_ych · 2024-10-10T09:29:50.064Z

NoobOftheYearEdition:

Thank you all for caring to reply but I’ll not that pretend I got all of what you said. So if you let me rephrase in noobman terms (and if I’m not mistaken)

1 - In any case there must be site-to-site VPN between two locations ( alas no more is available atm at new location ) anyway.
2 - It can either be RODC especially if have security concerns or better be another DC if secure enough. But RODC is easier in comparison to setting up another DC ?

As these are simple networks at their cores ( using Windows Server Essentials, basically nothing more than a file server with a NAS ) , I want to keep things simple and not that error prone. And considering their need to access remote data is neglible , it’s more of a credentials issue.

As name suggests, I guess RODC only allows credential management via DC one, how it’s handled when there are two DCs ? They somehow sync ? Is any of them authoritative?

And would it be a problem (especially DNS wise) if one site is like 192.168.1.x while other is 192.168.16.x or so?

PS : I know some of you really want to say " you’re too noob for it " but alas have to handle it somehow.

But I may also have failed to understand fully like

How many users in HQ
How many users that will be permanently at site-1
How many servers will be permanently at site-1
Are there going to be network appliances (eg copiers & printers) permanently at site-1

Coz we have a 250 pax HQ with 5 factories. There are no “perm” users at the factories but approx 50 staff work there like 20 days a month (back in HQ at least 1 or 2 days a month), not include the 500 production line staff with no PC or lappy access.

So we moved to literally all SAAS for eHR, ERP, email and file server

Email using Google Suites for Business
File Server using Google Drive (now with Dept shared folders)
eHR & ERP using some cloud services (not in context of this post)

So literally a set of DCs at HQ as recommended is 2 DCs per network and no DCs at any of the 5 remote sites (only Internet access).

No need VPN
No need excessive security appliances at remote sites
No diff between RODC vs DC if that site is not secure anyways ?

Rod-IT · 2024-10-10T20:24:19.571Z

RDOC is probably not for you.

It’s purpose is for low security buildings, where physical security isn’t great, it doesn’t do anything other than allow nominated people to login, if they needed to change their password, they would still need access to a writeable domain controller, so a two way VPN would still be a requirement.

Given you seem to only want data sharing, have you looked at SharePoint online or some form of web based document management system, you wont need to learn or understand the technologies or pay for anything other than the subscriptions to the service, it can scale as you do without any complexities for you to understand or manage.

Rod-IT · 2024-10-10T20:28:20.731Z

adrian_ych:

No diff between RODC vs DC if that site is not secure anyways ?

There are differences, which is why RODCs are better for low security environments.

A RODC will have limited accounts on it (machine and/or user), whereas a regular DC will have all the users, machines, and all other objects on it.

If a RODC is stolen or compromised and the business knows this, accounts on the writable DC can be locked, passwords changed etc, whatever is cached on the RODC will be stale and useless, but also limited to the subset of accounts synced.

I am simplifying for anyone who doesn’t follow too technically.