Branch Office DC

Question

  • Hi!

    We need to install a Domain Controller in a Branch Office and need to import fixed OU, Group or user accounts that are specific for that branch from Head Office DC.

    What DC deployment mode should be selected after running DCPROMO?

    Thanks.

    Wednesday, July 20, 2011 10:26 PM

Answers

  • Hi,

     

    Thanks for posting here.

     

    > DC but users in branch should be able to login even if the link is down temporarily between HO and Branch DCs.

    May I know how many user or computer accounts will be located at the branch, and what's the domain functional level?

     

    Actually we have a user cache feature in Windows which will cache previous users' logon information locally so that they can log on if a logon server is unavailable during later logon attempts. In this case, you don't have to deploy an additional domain controller at the branch, but deploy a downstream WSUS server for the update service in order to reduce the VPN payload.

     

    Design the WSUS Server Layout

    http://technet.microsoft.com/en-us/library/dd939820(WS.10).aspx

     

    You may also take a look at our RODC feature, which is quite suitable for the Active Directory branch office scenario if you are still going to set up an additional domain controller at the branch:

     

    What Is an RODC?

    http://technet.microsoft.com/en-us/library/cc755058(WS.10).aspx

     

    Some related information can be found in the article below:

     

    Cached domain logon information

    http://support.microsoft.com/kb/172931

     

    Thanks.

     

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, July 22, 2011 7:08 AM
  • Hello,

    We need to install a Domain Controller in a Branch Office and need to import fixed OU, Group or user accounts that are specific for that branch from Head Office DC.

    As I see it, you want to have a single domain, and there is no need in your case to have multiple domains.

    What DC deployment mode should be selected after running DCPROMO?

    Select adding an additional DC in an existing domain.

     

    For the connection between both sites, it will be better to use a site-to-site VPN. Also, make sure that the needed ports for AD replication are opened: http://technet.microsoft.com/en-us/library/bb727063.aspx

     

    I need to manage the Branch DC from Head Office and update it from the WSUS Server in Head Office since there is no internet in the branch office. There is VPN connectivity between HO and Branch. I already have user accounts in head office that I need to import in the branch office DC, but users in the branch should be able to log in even if the link is down temporarily between HO and Branch DCs.

    If you proceed as I mentioned, there is no need for an import, as all AD objects will be replicated via AD replication. Note that it is recommended to have at least two RWDC / DNS / GC servers per domain.

     

    For the branch office, you can deploy RODCs to reduce AD replication traffic and to enhance the security of your AD environment, if this is needed.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Monday, July 25, 2011 1:28 PM
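The two answers above amount to one procedure: confirm the replication ports are open across the site-to-site VPN, rely on cached domain logons for outages, and promote the branch box as an additional (ideally read-only) domain controller in the existing domain. The script below is an added example written for this thread, not code from either poster or from Microsoft; it assumes the ADDSDeployment module (Windows Server 2012 or later, the successor to DCPROMO), and the head-office DC name, domain name, site name and password replication group are placeholders.

```powershell
# Added example: branch-DC readiness check followed by an optional RODC promotion.
# Run on the branch server as a Domain Admin; all names below are placeholders.
param(
    [string]$HeadOfficeDC = 'HO-DC01.corp.example',   # placeholder head-office DC
    [string]$DomainName   = 'corp.example',           # placeholder domain
    [string]$BranchSite   = 'Branch01',               # placeholder AD site name
    [switch]$Promote                                  # promote only when explicitly asked
)

# TCP ports AD replication needs through the VPN (the linked TechNet article lists them);
# the RPC dynamic range 49152-65535 must be open from the branch to the HO DC as well.
$ReplicationPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
    445 = 'SMB'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL'
}
$blocked = foreach ($port in $ReplicationPorts.Keys) {
    $r = Test-NetConnection -ComputerName $HeadOfficeDC -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { "$port ($($ReplicationPorts[$port]))" }
}
if ($blocked) { throw "Replication ports not reachable on ${HeadOfficeDC}: $($blocked -join ', ')" }

# Cached domain logons (the Winlogon value described in KB172931) keep branch users signing
# in while the VPN is down even with no local DC; the default is 10, and 0 disables caching.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
Write-Host ("CachedLogonsCount on this machine: " + $(if ($null -eq $cached) { '10 (default)' } else { $cached }))

if ($Promote) {
    Import-Module ADDSDeployment
    # Read-only replica: no writable copy of the directory leaves head office, and only the
    # accounts in the allowed password replication group have secrets cached at the branch.
    $allowedGroup = 'Branch01-Users'   # placeholder group of branch users
    Install-ADDSDomainController `
        -DomainName $DomainName `
        -ReadOnlyReplica `
        -SiteName $BranchSite `
        -InstallDns `
        -AllowPasswordReplicationAccountName @($allowedGroup) `
        -Credential (Get-Credential -Message 'Domain Admin account for promotion') `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
        -NoRebootOnCompletion
}
```

Run it without -Promote first; a blocked port aborts before any change is made, and the promotion step only runs once the VPN checks pass.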

All replies

  • Hi,

     

    Thanks for posting here.

     

    Do you want the domain system in the branch to be independent of the head office's? It would be appreciated if you could be more specific.

    Start from the guide below, which gives some good suggestions on different AD branch office scenarios:

     

    Windows Server 2003 Active Directory Branch Office Guide

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5838

     

    Thanks.

     

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, July 21, 2011 9:41 AM
  • I need to manage the Branch DC from Head Office and update it from the WSUS Server in Head Office since there is no internet in the branch office. There is VPN connectivity between HO and Branch. I already have user accounts in head office that I need to import in the branch office DC, but users in the branch should be able to log in even if the link is down temporarily between HO and Branch DCs.

    Thanks.

    Thursday, July 21, 2011 11:44 AM