Setting up a multi-site AD (split from GPO thread)

  • Setting up a multi-site AD (split from GPO thread)

    Hi buddy,

    We have 60 branches and 1300 clients. We have a DC. How can we make it properly redundant? An additional domain controller or another solution? Please help me.

  • #2
    Re: GPO Replication Issue - Please help

    Please do not hijack another thread -- this is being split into its own one in the AD forum

    With that scale of network you need a proper plan -- from a consultant - rather than just advice here, however, IMHO (and assuming a single domain):
    One subnet per site (class C)
    Head office: 2 x DC (one physical, other can be virtual, with all the FSMOs)
    Each branch office: 1 x DC except for larger sites where 2xDC is better. All can be virtual if required, or RODCs if you are using Server 2008.

    On each DC install DNS (AD integrated), DHCP (with split scope if 2 DCs on site) and WINS if you need it. Also have a local WSUS server as a replica of the head office one.

    That's just to start with -- I do offer global consultancy services for just this sort of thing
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Setting up a multi-site AD (split from GPO thread)

      Hi,

      I would recommend drafting your requirements appropriately so they depict your most important needs; then we can give you a recommendation.
      On a side note, I am a private IT consultant.
      Thanks & Regards
      v-2nas

      MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
      Sr. Wintel Eng. (Investment Bank)
      Independent IT Consultant and Architect
      Blog: http://www.exchadtech.blogspot.com

      Show your appreciation for my help by giving reputation points


      • #4
        Re: Setting up a multi-site AD (split from GPO thread)

        I am Spartacus
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR


        • #5
          Re: Setting up a multi-site AD (split from GPO thread)

          No, dammit, I am Spartacus
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: Setting up a multi-site AD (split from GPO thread)

            I have a plan. I will set up two domain controllers:

            1. Primary site
            2. Disaster recovery site

            I have no plan to set up domain controllers in our other 60 sites due to cost management. All clients will be connected to the PR site.

            Will I face any problems?


            • #7
              Re: Setting up a multi-site AD (split from GPO thread)

              Yes -- whenever a site link goes down, users will not be able to authenticate (cached credentials may work). Also all operations that access a DC will be slowed down due to the inter-site links.

              I strongly recommend that a network with 1300 client PCs over 60 sites has more than TWO domain controllers. If your management team are squeezing costs that much I would officially warn them of the potential consequences and not accept responsibility when problems DO arise. As an analogy, would you run your car with only 2 litres of fuel in it (and never fill it above that level) without expecting problems?
              Last edited by Ossian; 20th January 2011, 09:08.
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **


              • #8
                Re: Setting up a multi-site AD (split from GPO thread)

                Hi,

                In addition to these 60 sites, do you have any primary sites, or are you collectively referring to the 60 sites as 1 primary site?

                What type of access do your remote clients need?
                What kind of controls are you planning to put on these remote clients?
                Are they accessing some application?
                How would your remote users be connecting?
                Thanks & Regards
                v-2nas

                MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                Sr. Wintel Eng. (Investment Bank)
                Independent IT Consultant and Architect
                Blog: http://www.exchadtech.blogspot.com

                Show your appreciation for my help by giving reputation points


                • #9
                  Re: Setting up a multi-site AD (split from GPO thread)

                  Yeah, I agree with Tom (though if you have an electric car you should be OK with just two litres of juice)

                  This needs to be planned thoroughly, and the service continuity in some cases might depend on a trade-off between reliable/redundant uplinks and server availability.

                  See if this helps you: http://technet.microsoft.com/en-us/l...42(WS.10).aspx
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR


                  • #10
                    Re: Setting up a multi-site AD (split from GPO thread)

                    First of all, I am very grateful to all members for discussing in my thread.


                    Main purposes of deploying Active Directory service:

                    - Network security issues (prevent changes to IP address, software installation, desktop changes, password maintenance, user authentication, etc.)
                    - Virus control (prevent use of USB and CD-ROM devices).
                    - Single authentication for using terminal service.
                    - Optimization of network broadcast.
                    - Prevent abuse of desktop PCs.
                    - Use of application software by terminal service

                    My network:

                    - All branches are directly connected to the primary datacenter/HUB. If the datacenter fails, then all branches will be connected to the disaster recovery centre/DR HUB.
                    - Inter-branch routing is not allowed; that means branch-to-branch communication is not possible.
                    - Branches are connected to the data center through a WAN connection with bandwidth of 256/128 Kbps

                    How can I use more than one domain controller?

                    - Branches are only permitted to communicate with the datacenter. If I deploy a domain controller in a branch, the branch users can get authentication from this domain controller, and other branches do not get authentication from the branch domain controller.

                    Any recommendation will be highly appreciated.


                    Thanks everybody.


                    • #11
                      Re: Setting up a multi-site AD (split from GPO thread)

                      Explore RODCs and cached credentials at the branches -- basically you can control who can log on locally (on the RODC) and everyone else gets forwarded to a writable DC.

                      What do you do if both the primary and backup lines go down (someone cuts through the fibre near your branch, for example)? No local DC, absolutely NOTHING happens. Placement of local DCs does not affect the "branches only talk to datacentre" as you can control replication. Also your links are very slow in modern terms so authentication with a central DC WILL cause issues.

                      Seriously, this is too big for you to make decisions based on forum posts -- get a consultant. The cost will be worth it
                      Tom Jones
                      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                      PhD, MSc, FIAP, MIITT
                      IT Trainer / Consultant
                      Ossian Ltd
                      Scotland

                      ** Remember to give credit where credit is due and leave reputation points where appropriate **
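
One way to apply the RODC and cached-credentials suggestion from post #11, as an added example that is not part of the original thread: it limits which passwords a branch RODC may cache and then audits what is actually stored there. The RODC name and the branch group names are hypothetical, and it assumes the ActiveDirectory PowerShell module (Server 2008 R2 or later) in a single domain.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT) and rights to manage the RODC's Password Replication Policy.
Import-Module ActiveDirectory

# Hypothetical names for one branch; substitute your own.
$Rodc        = 'BR01-RODC'
$AllowGroups = 'BR01-Users', 'BR01-Computers'
$Privileged  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# 1. Cache credentials only for this branch's users and computers, so they
#    can still log on when the WAN link to the datacentre is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroups

# 2. Explicitly deny privileged groups; a deny entry overrides any allow,
#    so a stolen or compromised branch RODC holds no admin secrets.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $Privileged

# 3. Collect the DNs of all privileged accounts (nested membership included).
$privDns = foreach ($g in $Privileged) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object -ExpandProperty distinguishedName
}
$privDns = @($privDns | Sort-Object -Unique)

# 4. Audit: accounts whose passwords are currently stored on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
    -Identity $Rodc -RevealedAccounts

# 5. Flag any privileged account that has been cached at the branch.
$exposed = @($revealed | Where-Object { $privDns -contains $_.DistinguishedName })
if ($exposed.Count -gt 0) {
    $exposed | Select-Object Name, DistinguishedName | Format-Table -AutoSize
    Write-Warning "$($exposed.Count) privileged account(s) cached on $Rodc; reset their passwords."
} else {
    Write-Output "No privileged credentials are cached on $Rodc."
}
```

Accounts outside the allowed list are not cached, so their logons are forwarded to a writable DC and fail while the branch link is down.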
