3

I'm looking at an RFQ for taking over a company's infrastructure management. I'm fuzzy on details (am preparing an email back to them to clarify some things), but it sounds like they want ALL of the hardware in their office out. The things they have running are relatively standard (AD, Exchange, SQL Server, SharePoint).

My question revolves around having a remote AD controller. I know there are tons of situations where you have branch offices that use the home office's AD controller via site-to-site VPN. It just feels a bit ... off to relocate this ENTIRE stack to a remote site (either our offices, or, more likely, a local colocation facility). There's obviously going to have to be some kind of device remaining to do DHCP at a minimum, since their current AD server handles all DHCP and DNS responsibilities.

Does this configuration seem legit to others?

Tim Coker

2 Answers

4

Short answer: It "could be" a terrible idea, depending on the WAN link (thanks guys).

Longer answer: You'll be sending (nearly) all authentication traffic through a VPN. Not only is this tons of unnecessary overhead, it may be entirely untenable if they have roaming profiles hosted on the remote end. Exchange and SharePoint can both involve SPNs for SSO, so Kerberos traffic for these is another consideration.

They cannot get around having some kind of hardware on site, be it a massive VPN box or an AD box. They're both a single point of failure, so why not have the SPOF you actually need?

You could host another DC and their Exchange/SharePoint setup. I would highly recommend having at least one DC with DNS and DHCP on site (you probably don't want DHCP on your side). Depending on how they use SQL Server, this may have to live on the client side too.

Joel E Salas
    "a terrible idea" may be a bit strong. If the connection to the remote network is fast (say metro-Ethernet at 100Mbps or faster) then locating the servers off-site may not present any technical challenges. It's hard to argue, to me, that having servers sitting across a metro-Ethernet fiber ring is much different than having them sitting in a closet on-premise if the metro-Ethernet provider has a good SLA and keeps up their end of the bargain. It Just Depends(tm). – Evan Anderson Mar 14 '12 at 22:24
  • @EvanAnderson: completely agree. If a business can function at an acceptable level over a WAN connection to a cloud provider (Live 365, hosted Exchange/SharePoint, etc.), why would a low-latency 100Mb LAN extension pose any issues? Only issues I see with a remote infrastructure would be if the office was large enough to pose a technical or personnel/"boots on the ground" problem that a remote setup would aggravate. – gravyface Mar 14 '12 at 22:32
  • Agree with both of you gentlemen, but in my experience the cost of metro-Ethernet makes a few server boxes look mighty appealing to C-level execs. @gravyface +1 for making me look up "boots on the ground" – Joel E Salas Mar 14 '12 at 22:47
  • In this instance, something like metro-Ethernet isn't even an option. Does that change how you guys feel about having a remote DC? – Tim Coker Mar 19 '12 at 12:51
  • I don't know how they feel, but I'd be OK with moving out what can be moved out and taking ownership of the DC and other things that must remain in their offices. I'm guessing this is a more common scenario in these situations? – Tim Coker Mar 19 '12 at 12:53
2

If you had a reliable VPN termination point, it could be done, but a far better alternative would be to keep at least one box local and virtualize a DC and DHCP server locally in the event that a link fails.

MDMarra
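Both answers above come down to the same recommendation: leave at least one DC with DNS and DHCP on site so that logons and Kerberos ticket requests do not cross the VPN. Whether that DC is physical or a VM on a single local host, the thing to verify afterwards is that clients in the office actually use it. The script below is an added example written for this thread, not code from either answer's author, and it checks the pieces that commonly go wrong: the office subnet must be mapped to the right site in AD Sites and Services (otherwise the DC locator treats clients as site-less and may hand them the remote DC), the site-specific SRV records must exist, the local DC must answer on the Kerberos/LDAP/DNS ports with LAN-like latency, and the on-site DHCP server must be authorized in AD. The domain name corp.example.com, the site name BranchOffice, the subnet 10.20.0.0/24 and the DHCP server address 10.20.0.10 are assumptions; substitute the real values. It expects the RSAT ActiveDirectory and DhcpServer modules on a domain-joined machine in the office.

```powershell
# Added example (not from the original thread). Assumed names: domain
# corp.example.com, AD site "BranchOffice", office subnet 10.20.0.0/24,
# on-site DHCP server 10.20.0.10. Run from a domain-joined box in that office
# with the RSAT ActiveDirectory and DhcpServer modules installed.
Import-Module ActiveDirectory
Import-Module DhcpServer

$Domain     = 'corp.example.com'
$Site       = 'BranchOffice'
$Subnet     = '10.20.0.0/24'
$DhcpServer = '10.20.0.10'

# 1. The office subnet must be mapped to the site. A client on an unmapped
#    subnet is "site-less" and can be pointed at any DC, including the remote one.
$subnetObj = Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'" -ErrorAction SilentlyContinue
if (-not $subnetObj) {
    Write-Warning "Subnet $Subnet is not defined in AD Sites and Services."
} elseif ($subnetObj.Site -notlike "CN=$Site,*") {
    Write-Warning "Subnet $Subnet is mapped to '$($subnetObj.Site)', not to site $Site."
} else {
    Write-Host "OK: $Subnet is mapped to site $Site."
}

# 2. Ask the DC locator for a DC that advertises KDC and ADWS in this site.
#    If this fails, every logon in the office goes across the WAN.
$localDc = $null
try {
    $localDc = Get-ADDomainController -Discover -DomainName $Domain -SiteName $Site `
        -Service KDC, ADWS -ForceDiscover
    Write-Host "OK: DC locator returned $($localDc.HostName) in site $($localDc.Site)."
} catch {
    Write-Warning "No DC advertised in site ${Site}: $($_.Exception.Message)"
}

# 3. Clients query the site-specific SRV record first; make sure it exists.
$srvName = "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if ($srv) {
    $srv | ForEach-Object { Write-Host "SRV: $($_.NameTarget):$($_.Port)" }
} else {
    Write-Warning "No site-specific Kerberos SRV record $srvName; clients fall back to domain-wide records."
}

# 4. Kerberos (88), LDAP (389) and DNS (53) must be reachable on the local DC,
#    and the round trip should look like a LAN hop, not a VPN tunnel.
if ($localDc) {
    $dcName = [string]$localDc.HostName
    foreach ($port in 88, 389, 53) {
        $t = Test-NetConnection -ComputerName $dcName -Port $port -WarningAction SilentlyContinue
        if ($t.TcpTestSucceeded) {
            Write-Host ("OK: {0} tcp/{1} reachable" -f $dcName, $port)
        } else {
            Write-Warning ("{0} tcp/{1} NOT reachable" -f $dcName, $port)
        }
    }
    # 10 ms is an assumed threshold for "this is a LAN"; tune it for the site.
    $pinger = New-Object System.Net.NetworkInformation.Ping
    $rtts = 1..4 | ForEach-Object { $pinger.Send($dcName).RoundtripTime }
    $avg = ($rtts | Measure-Object -Average).Average
    if ($avg -gt 10) {
        Write-Warning "Average RTT to $dcName is $avg ms; that looks like a WAN path, not the local DC."
    } else {
        Write-Host "OK: average RTT to $dcName is $avg ms."
    }
}

# 5. An on-site DHCP server that is not authorized in AD will not hand out leases,
#    so a link failure would silently turn into "nobody gets an address".
$authorized = Get-DhcpServerInDC
if ($authorized.IPAddress -contains $DhcpServer) {
    Write-Host "OK: DHCP server $DhcpServer is authorized in AD."
} else {
    Write-Warning "DHCP server $DhcpServer is NOT authorized in AD. Authorized: $($authorized.DnsName -join ', ')"
}
```

Run it once with the VPN up and once with the tunnel deliberately dropped: with the on-site DC and DHCP in place, steps 2 through 5 should pass in both cases, which is the whole point of keeping that one box local.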