New AD site will be created, what are the best topology & practices?


  • Hello,

    Currently we have one domain in one site serving about 50 users. As our company is expanding there will be a new office in a different place, and I need to control it as well; the new office will hold about 40 users.

    - The users in the two offices do not need to connect to each other; only the IT department and the GM need to access both offices.

    - The link will be via VPN using TMG in both offices.

    What are the best practices in my case? I'm asking about: do I have to make a child domain? What about replication, intrasite or intersite? Will the VPN using TMG over an ADSL connection be OK? Which type of trust? etc.


    Sunday, June 10, 2012 09:31

All replies

  • Hello,

    Better go for an RODC (Read Only Domain Controller) at the new office, and here is the article link:

    Regards, Ravikumar P

    Sunday, June 10, 2012 11:27
  • Hello,

    There is no need for a child domain according to your description. You can have them all in one single-domain forest. For management of the sites use OUs in ADUC and divide users/machines that way.

    For domain access you should use a second DC/DNS/GC in the remote site and configure the machines with the local DNS server as preferred DNS and the remote DNS as secondary. That way clients are able to log on when the local DC is down and also if there is a problem with the WAN connection.

    AD Sites and Services must be configured, and also replication, but let the KCC handle this automatically. Details you see in

    Important is that replication is working correctly and that you use the default topology, unless you have specific requirements to change it.

    Important is that the AD required ports according to are open.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, June 10, 2012 11:31
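The setup described in the reply above (one domain, a per-site OU, a second DC/DNS/GC in the branch, sites and subnets so the KCC can build the topology, local-then-remote DNS order on clients, and the required ports open across the VPN) as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the ActiveDirectory module from Windows Server 2012 or later RSAT, and every site name, subnet, IP address and cost below is an assumed placeholder.

```powershell
# Added example, not from the original thread. Assumed placeholder values:
$BranchSite   = 'Branch-Office'            # assumed name of the new site
$BranchSubnet = '10.20.0.0/24'             # assumed branch subnet
$HQSite       = 'Default-First-Site-Name'  # default name of the first site
$HQSubnet     = '10.10.0.0/24'             # assumed HQ subnet
$LinkName     = 'HQ-Branch-VPN'            # assumed site link name
$LocalDns     = '10.20.0.10'               # assumed branch DC/DNS address
$RemoteDns    = '10.10.0.10'               # assumed HQ DC/DNS address

Import-Module ActiveDirectory

# 0. One OU per office keeps users and computers manageable without a child domain.
$domainDN = (Get-ADDomain).DistinguishedName
foreach ($ou in 'HQ', 'Branch') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN
    }
}

# 1. Sites and subnets. A client is mapped to a site by its subnet, so without the
#    subnet object branch clients would keep authenticating against HQ DCs over the VPN.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite
}
foreach ($pair in @(@{ Site = $HQSite; Net = $HQSubnet },
                    @{ Site = $BranchSite; Net = $BranchSubnet })) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($pair.Net)'")) {
        New-ADReplicationSubnet -Name $pair.Net -Site $pair.Site
    }
}

# 2. One IP site link over the VPN. The KCC then creates the connection objects
#    itself; no manual replication topology is needed for a two-site domain.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $HQSite, $BranchSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 3. Client DNS order on a branch machine: local DC first, HQ DC second, so logons
#    survive either the local DC or the WAN link being down.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $LocalDns, $RemoteDns

# 4. Check from the branch that the core AD ports reach the HQ DC through the VPN.
#    RPC also needs the dynamic range (TCP 49152-65535 on 2008+), which a single
#    Test-NetConnection cannot cover; confirm it separately on the firewall.
$ports = [ordered]@{ 'DNS' = 53; 'Kerberos' = 88; 'RPC endpoint mapper' = 135
                     'LDAP' = 389; 'SMB' = 445; 'LDAP GC' = 3268 }
foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $RemoteDns -Port $p.Value -WarningAction SilentlyContinue
    '{0,-20} TCP {1,-5} {2}' -f $p.Key, $p.Value, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 5. After the KCC has run, confirm replication is healthy in both directions.
repadmin /replsummary
```

Steps 0 to 2 run once on any writable DC; steps 3 and 4 are run on a branch workstation. In production the DNS order is normally delivered by DHCP rather than set per machine, but the order itself (local DC preferred, HQ DC secondary) is the point of the reply above. A "BLOCKED" line in step 4 is the usual cause of a branch DC that is promoted fine but never replicates.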
  • And when you replicate the copy of your DNS to the RODC in the remote office, create a container that accepts replication from the Global Catalog. To do that, first check that radio button as Secondary zone in the first installation wizard of DNS!! Install the DNS and make the secondary server the RODC, then do your replica from your Global Catalog. If it failed it annoys with an error. Thanks, Suren

    Face the fact that we all have plenty to learn about this field. Deal with the failures, use them as motivation, learn something new every day. Claiming false credentials & phantom skillsets will not get you far, especially when 63248651487512645876531864 people in the universe know how to use the internet.

    Sunday, June 10, 2012 12:08
  • Hi Adel,

    There are 2 good options for this type of environment.


    Assuming you have decent bandwidth at both sites you could run everything off the local domain controller over VPN and use a local SAN/storage to store local data at the remote office. You can set this up using a GPO so that conventional My Documents and other related data will be stored on \\localsan\username

    This will essentially mean that you only have one server to maintain, but it has its drawbacks, i.e. if your link is disrupted, your office falls offline. Whenever I implement such an environment, I always make sure there is a completely redundant connection on WAN 2 of the VPN which is not the same ISP, and a different carrier (i.e. if using cable or ADSL for the primary connection then use wireless or satellite for the secondary).

    The benefit of using this method is that down the road, if you wish to host other apps at the remote site, they can be easily accessed from the primary site (web-based apps for example).

    This is (in my opinion) the easiest and cheapest way around it.

    Option 2:

    You can install an additional server in the new remote office and connect it as a child domain in RODC mode. You may also need to figure out some type of sync mechanism for your data, or just store the data on your local server/SAN.

    You could use RDP over VPN for those that need full access to primary site if needed.

    Kind Regards,


    If you find my information useful, please rate it. :-)

    Sunday, June 10, 2012 18:26
  • Thanks all, but I want to confirm one point: I'm planning in the future to install an Exchange 2010 server in this branch office; the Exchange will replicate with the current Exchange server in our main office.

    Is it OK to go ahead with an RODC?

    Monday, June 11, 2012 09:10
  • Hello,

    NO, Exchange requires an RWDC NOT RODC.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, June 11, 2012 09:17
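A check for the point made in the reply above (Exchange needs a writable DC, not an RODC) as an added PowerShell example that is not part of the thread: it lists the domain controllers in the branch site and warns if the site has no writable DC or no global catalog. It assumes the ActiveDirectory module and a placeholder site name.

```powershell
# Added example, not from the original thread. The site name is an assumed placeholder.
Import-Module ActiveDirectory

$BranchSite = 'Branch-Office'   # assumed name of the branch site

# All DCs whose NTDS Settings object lives in the branch site.
$dcs = @(Get-ADDomainController -Filter "Site -eq '$BranchSite'")
if ($dcs.Count -eq 0) {
    Write-Warning "No domain controller found in site '$BranchSite'."
    return
}

# IsReadOnly distinguishes an RODC from a writable DC; IsGlobalCatalog shows
# whether GC lookups at logon can be answered locally or need the WAN link.
$dcs | Select-Object Name, IPv4Address, IsReadOnly, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

$writable = @($dcs | Where-Object { -not $_.IsReadOnly })
$gc       = @($dcs | Where-Object { $_.IsGlobalCatalog })

if ($writable.Count -eq 0) {
    Write-Warning "Site '$BranchSite' has only read-only DCs; a writable DC is required before deploying Exchange there."
}
if ($gc.Count -eq 0) {
    Write-Warning "Site '$BranchSite' has no global catalog; logons will depend on the WAN link for GC lookups."
}

# From a branch workstation: which writable DC the locator actually returns for this site.
nltest /dsgetdc:$env:USERDNSDOMAIN /site:$BranchSite /writable
```

If the last command returns a DC in the HQ site, the branch either has no writable DC or its subnet is not associated with the branch site; both show up as logon and Exchange problems that look like "slow WAN" but are really site configuration.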
  • Thank you for your fast reply. Can you explain please? What is the best solution & topology now? Do I have to go with a child domain? What about an additional domain controller?
    Monday, June 11, 2012 09:20