New Child Domain for Branch Office ?
-
Tuesday, November 04, 2008 4:53 PM
We are trying to decide if we should use a child domain or a read only domain controller for a new Branch Office of a bank.
Exchange 2007 and Terminal Services for all users is hosted at the Primary site. The branch office will have two low latency connections with a VPN to the Primary site configured in the SonicWall appliance, with failover between the connections. Most applications will run on the Terminal Server at the primary site.
If I set up a Child Domain for the branch office, and a user logs on to the Terminal Server at the primary site, where does the user get authenticated? Does the user get authenticated by the Global Catalog Server at the primary site or does it refer the authentication to the Branch Office Domain Controller?
This will be the first of several branch offices. Each branch office user will frequently need access to resources at the primary site (such as Terminal Services and Exchange), but should be segregated from each other. Would it be better to have Child Domains for each independent branch of the organization, or a single domain for all? I have been studying pros and cons of both approaches and can't really find information to make a good decision. I think if I leave it with a single domain for all, I should use a Read Only Domain Controller at each branch office, with caching enabled for the users at that office... but that is the only decision I have been able to make.
Any thoughts and help would GREATLY be appreciated.
James Jensen
All Replies
-
Tuesday, November 04, 2008 5:20 PM
If I set up a Child Domain for the branch office, and a user logs on to the Terminal Server at the primary site, where does the user get authenticated? Does the user get authenticated by the Global Catalog Server at the primary site or does it refer the authentication to the Branch Office Domain Controller?
It depends on how you configure your sites. If the branch office is configured as a different site, ensure that the DC in the branch office is listed under the servers folder of the site (in AD Sites and Services) so that all computers under the branch office site will have this as their preferred DC.
This will be the first of several branch offices. Each branch office user will frequently need access to resources at the primary site (such as Terminal Services and Exchange), but should be segregated from each other. Would it be better to have Child Domains for each independent branch of the organization, or a single domain for all? I have been studing pros and cons of both approaches and can't really find information to make a good decision. I think if I leave it with a single domain for all, I should use a Read Only Domain Controller at each branch office, with caching enabled for the users at that office... but that is the only decision I have been able to make.
You can actually use OUs to segregate your users instead of using child domains. This would entail less administrative overhead as you only need to take care of one domain namespace, fewer FSMO roles to take care of, just to name a few advantages. RODC actually sounds like a good option for you.
Regards,
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com
- Marked As Answer by Morgan Che [MSFT] Moderator, Wednesday, November 05, 2008 6:39 AM
-
Tuesday, November 04, 2008 5:21 PM
As for your first question: Where does the user get authenticated? The user will be authenticated by the DC in their own domain that is physically closest to them (assuming Sites and Services have been configured properly). So given a user called usera in the child domain child.parent.local, when the user logs on to a terminal server that is physically in the main office and there is also a domain controller for child.parent.local in the main office, that domain controller will authenticate usera.
As for the design of AD, personally I would recommend using a single domain. I would imagine there aren't a lot of users in the individual branches, so you may be adding too much complexity by having a child domain for each branch. Another negative is that I would always employ two domain controllers per domain (just in case you have a HW failure of one of the servers). So you'd need to have a lot of servers to accomplish this.
- Marked As Answer by Morgan Che [MSFT] Moderator, Wednesday, November 05, 2008 6:40 AM
-
Tuesday, November 04, 2008 6:01 PM
Howdie!
TheThird78 said: If I set up a Child Domain for the branch office, and a user logs on to the Terminal Server at the primary site, where does the user get authenticated? Does the user get authenticated by the Global Catalog Server at the primary site or does it refer the authentication to the Branch Office Domain Controller?
That depends on what your sites and services configuration looks like. What domain\username combination would they use to authenticate at the Terminal Server?
This will be the first of several branch offices. Each branch office user will frequently need access to resources at the primary site (such as Terminal Services and Exchange), but should be segregated from each other. Would it be better to have Child Domains for each independent branch of the organization, or a single domain for all? I have been studying pros and cons of both approaches and can't really find information to make a good decision. I think if I leave it with a single domain for all, I should use a Read Only Domain Controller at each branch office, with caching enabled for the users at that office... but that is the only decision I have been able to make.
I'd definitely go for the RODC scenario. Just because another domain creates a lot of new overhead with management, backup of the full-blown DCs and stuff (remember it's a best practice to have at least two DCs per domain for "fail-over" purposes. That would mean you'd either have to place a second DC to the branch office or at the main location if you're going for a two-domain approach). A scenario like yours is why RODCs exist. Place a RODC at the remote office (make sure your main office has a Server 2008 DC there otherwise that won't work) and configure AD Sites & Services appropriately so that users authenticate with the RODC. No issues with the TS user accounts and authentication there and not much of a security risk with having a DC at the remote office (don't think there's no risk at all with having a RODC there - but you mitigate the damage through risk of theft/manipulation pretty much).
Unless you have a concrete reason to isolate the branch office from the main location (different security needs like a different password policy or management isolation (sort of)), I'd go for the RODC.
cheers,
Florian
Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
- Edited by Florian Frommherz, Tuesday, November 04, 2008 6:02 PM (add a sentence)
- Marked As Answer by Morgan Che [MSFT]Moderator Wednesday, November 05, 2008 6:39 AM
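An added PowerShell example, not from any poster in this thread, of the AD Sites and Services wiring and the RODC password caching the replies above describe. It assumes the ActiveDirectory module (Server 2008 R2 RSAT or later, which this thread predates); the site names, subnet, group and RODC name are made up.

```powershell
# Added example (not from the thread): branch site plus RODC password caching.
# Assumes the ActiveDirectory module; every name and subnet below is assumed.
Import-Module ActiveDirectory

$HqSite  = 'HQ'               # assumed existing site at the primary office
$Branch  = 'Branch01'         # assumed new branch site name
$Subnet  = '10.20.0.0/16'     # assumed branch office subnet
$Rodc    = 'BR01-RODC'        # assumed RODC computer name in the branch
$Staff   = 'Branch01-Staff'   # assumed group holding that office's users

# 1. Site, subnet and site link, so machines on the branch subnet locate the
#    branch DC as their preferred DC instead of crossing the VPN.
New-ADReplicationSite -Name $Branch
New-ADReplicationSubnet -Name $Subnet -Site $Branch
New-ADReplicationSiteLink -Name "$HqSite-$Branch" -SitesIncluded $HqSite, $Branch `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 2. Password Replication Policy: let the RODC cache secrets only for the
#    branch's own users. Admin groups stay in the default Denied list, so a
#    stolen or tampered RODC exposes no privileged credentials.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Staff

# 3. Checks worth running afterwards.
# Which site does this machine believe it is in, and which DC did it pick?
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /site:$Branch

# Accounts whose passwords the RODC has actually cached: review this list
# periodically, and reset these passwords if the branch box is ever lost.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, SamAccountName
```

The Allowed list decides what the RODC may cache; the RevealedAccounts query shows what it has already cached, which is the real exposure if the box is stolen.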
-
Tuesday, November 04, 2008 6:10 PM
I would like to add that I think it would be even better to employ three domain controllers per domain for any domain (forest root or child). If you have a hardware failure on the 2nd domain controller while you are repairing the hardware for the failed domain controller, you could have service disruption. Call it paranoia or whatever. It's additional protection. All the more reason to have a single domain, yes.
- Marked As Answer by Morgan Che [MSFT] Moderator, Wednesday, November 05, 2008 6:40 AM