  • AD for multi-site company

    I was asked to implement AD by a potential client who's got a couple of offices countrywide with around 500 employees at the HQ and around 100 at each of the sites. No idea how they worked without centralized authentication and access control this far. Maybe someone can enlighten me? Most of my much smaller clients heavily depend on AD. Never done a project this big, so a couple of questions.
    Would a single DC suffice for each of the branch offices?
    I was thinking of 2 DCs for the HQ but not sure whether to put them both on the same box as virtual machines through Hyper-V (more familiar with) or VMware (heard a lot of good things about it but expensive licensing) with some sort of SAN storage connected, or whether it'd be better to keep them on separate hardware and cluster them. I don't suppose with around 1.5k employees in total there would be a need for more DCs at the HQ, but as I said I have no hands-on experience with projects this big. At this stage I have no idea regarding the existing hardware, but based on initial talks I'd assume at this point it shouldn't be a problem to budget for new hardware. Any suggestions or recommendations welcome. Would be great to know the cheapest and most expensive (within reason) solution for this problem. Cheapest would probably be promoting existing servers to DCs, but I have only a general idea about more expensive technologies as I never really had the need to implement them at any of my clients. This project sounds like a great way of getting into a more enterprise-ish world than I'm floating in, so it would be a pity to let it slip by.
    Also if someone could point me to some good reading on technical documentation it would be great. Never really had to do any documentation so far, but in this case I reckon there is no going without it and some modelling in a virtual lab. Regarding the documentation I only found some Job Aids on the MS website, but it would be nice to see some examples broken down into stages.

  • #2
    Re: AD for multi-site company

    I'd say no to virtualising both DCs on the same host as you then have a single point of failure. My usual design preference is one virtual DC and one physical. In highly-available deployments (E.g. Hyper-V Cluster with a SAN) I'll make the virtual DC the FSMO role holder and DHCP server as well so that those services are highly-available. One DC per remote site should be sufficient assuming the WAN links are reliable and dependent on any applications that may require AD access.

    Fundamentally though, you need more requirements before starting to design. What applications are required and where will determine where DCs and other servers are required. HA and DR must also be taken into consideration, backups, remote access, volume of data etc.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: AD for multi-site company

      Agreed re physical DC, as it can be started before VM hosts on the domain.

      100-user offices (IMHO) need 2 DCs for redundancy, even if good VPNs allow authentication against HO.

      However, given the size and the unknowns, I would recommend a good consultant to review the environment and advise; the money spent will certainly be saved over the project. They will advise you on a lot of issues including security, GPOs and domain infrastructure, all of which WILL need to be considered when moving from effectively a giant workgroup.
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **
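Posts #2 and #3 above argue for a known FSMO role holder, two DCs at HQ and at 100-user offices, and at least one DC per remote site. The following script is an added example, not code from this thread or from any of the posters; it audits an existing forest against that advice using the RSAT ActiveDirectory module, and the threshold of two DCs per site is an assumption taken from post #3.

```powershell
# Added example: audit DC placement and FSMO role holders against the
# design advice in this thread. Requires the ActiveDirectory RSAT module and
# a domain-joined account with read access. The threshold is an assumption.
Import-Module ActiveDirectory

$minDcsPerSite = 2   # assumption: two DCs per site for redundancy (post #3)

# All DCs in the current domain, grouped by the AD site they sit in
$dcs    = @(Get-ADDomainController -Filter *)
$bySite = $dcs | Group-Object -Property Site

# Report every site, including sites with no DC at all
foreach ($site in Get-ADReplicationSite -Filter *) {
    $group  = $bySite | Where-Object { $_.Name -eq $site.Name }
    $count  = if ($group) { $group.Count } else { 0 }
    $status = if ($count -ge $minDcsPerSite) { 'OK' }
              elseif ($count -eq 1)          { 'SINGLE DC (no redundancy)' }
              else                           { 'NO DC (depends on WAN link)' }
    '{0,-24} DCs={1}  {2}' -f $site.Name, $count, $status
}

# FSMO role holders: post #2 places them deliberately, so list who holds them
$domain = Get-ADDomain
$forest = Get-ADForest
[PSCustomObject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# Warn when a FSMO holder is the only DC in its site: that is the single
# point of failure post #2 warns about for two DCs on one host
$fsmoHosts = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
               $forest.SchemaMaster, $forest.DomainNamingMaster) | Sort-Object -Unique
foreach ($h in $fsmoHosts) {
    $dc = $dcs | Where-Object { $_.HostName -eq $h }
    if ($dc -and (@($dcs | Where-Object { $_.Site -eq $dc.Site })).Count -lt 2) {
        Write-Warning "FSMO holder $h is the only DC in site $($dc.Site)"
    }
}
```

Run it from a management workstation after the design is implemented, and again after each site is added, so the redundancy assumptions in the thread are checked against the live forest rather than the diagram.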



      • #4
        Re: AD for multi-site company

        Many thanks for your advice. I just thought of the need to join all PCs to the domain, which can be a pain since they most likely already contain user profiles with data. This would have to be sorted out before anything else. Indeed a lot of things to be taken into consideration. Just worried if I go for a consultant they could well take the project over and I would miss the chance to get involved. I'm sure I would be able to get this working, but I'd like it done properly in the most efficient way, and for that indeed some advice would be appreciated. The good thing is I wouldn't be completely on my own, as each office has its own IT staff with Windows admins, so good teamwork should get this project running in good time. What I'm looking for is some solid starting points to form a step-by-step plan, and what you suggested makes a lot of sense, and thank you for that.



        • #5
          Re: AD for multi-site company

          A good consultant (especially if YOU have hired him/her) will keep you involved at all stages. With all due respect, you do not appear to have the appropriate skills (or you would not be posting here) and presumably the in-house team do not either (or they would have done it themselves), so external assistance could make the difference between success and failure on a large, mission-critical project.

          The "normal" process to migrate user profiles is to use USMT (http://support.microsoft.com/kb/555542) or manually run MigWiz on each client. Personally I prefer to treat this as an opportunity to remove the legacy cr*p from the profiles so tell users to copy anything they want to keep to a network share, then do the domain join.

          The link above will outline the general process you need to follow, but it will need to be adapted to your environment. I would strongly recommend you concentrate on the 7 P's early in the process.
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: AD for multi-site company

            Originally posted by Ossian:
            A good consultant (especially if YOU have hired him/her) will keep you involved at all stages. With all due respect, you do not appear to have the appropriate skills (or you would not be posting here) and presumably the in-house team do not either (or they would have done it themselves), so external assistance could make the difference between success and failure on a large, mission-critical project.

            The "normal" process to migrate user profiles is to use USMT (http://support.microsoft.com/kb/555542) or manually run MigWiz on each client. Personally I prefer to treat this as an opportunity to remove the legacy cr*p from the profiles so tell users to copy anything they want to keep to a network share, then do the domain join.

            The link above will outline the general process you need to follow, but it will need to be adapted to your environment. I would strongly recommend you concentrate on the 7 P's early in the process.

            Honest answers are often the best answers and I appreciate your honesty. When I cover all the bases regarding existing infrastructure I'll contact a consultant to help me form a plan and run the project. I had the same thoughts regarding user profiles, although I take into account there may be individuals from the management and higher who won't even want to listen about losing their beautiful wallpapers lol.



            • #7
              Re: AD for multi-site company

              Management MUST buy into the ideas of standardizing the environment as much as possible, else you end up with no real improvement with your refresh. If they refuse to lead by example, but rather insist that they get privileges no one else can have, they create a dual standard which isn't sustainable, long-term. It also shows that they consider themselves to be 'above the law' in your corporate environment, so how can they be trusted?

              Every special exception almost certainly has a penalty for access rule complexity, storage space, etc., which then leads to more expensive solutions in 3rd-party application needs, extra training or consultancy, more storage hardware, and so on. This stuff doesn't come cheap.
              *RicklesP*
              MSCA (2003/XP), Security+, CCNA

              ** Remember: credit where credit is due, and reputation points as appropriate **



              • #8
                Re: AD for multi-site company

                That's a very good argument indeed RicklesP. Will bear that in mind.

                The more I think of it and what it may involve apart from getting the AD working, I'm starting to have doubts whether it's feasible for one admin to deal with the whole project. To plan it, prototype and test the most critical parts, surely, but to implement it in a reasonable time would require a team where jobs and responsibilities are split and delegated. If it was a number of branches being added to an existing infrastructure it would be far less complex. Same if it was a relatively small organization. In this case, however, there are just far too many things that need to be taken into account and addressed for a single person to deal with.
