We have a 2008 R2 Active Directory server on our main site. Recently we opened a small secondary site. My question is pretty simple: our 2 sites are connected with a VPN, is it mandatory for us to install a secondary AD server on our secondary site, or can we use our main AD on the 2 sites?
2 Answers
In theory no, you don't have to have a DC on both sites.
If you have a DNS server on the secondary site (or your clients are pointing to the DNS server on the primary site) with the SRV records for your domain controller on the primary site, and your clients can all access the domain controllers, then you don't need another one on location.
But the recommendation would be that you have it, because the VPN service can go down, and there is a question of speed for the clients on secondary site, especially if you don't have DNS server on the secondary site.
When an Active Directory client (computer or user) is trying to log on to the domain or some domain service, it looks for domain controllers by asking the DNS server that it has listed on its system (NIC card settings) for addresses of domain controllers (these are SRV records, which are not regular host A records). So all your clients on the secondary site have to have a DNS server set on their NIC cards that has those records, which means that if the VPN goes down and your clients are all looking at DNS on the primary location, your DNS resolving will go down for all of them (they won't be able to do Internet browsing and similar). So it would definitely be recommended that you have at least an Active Directory capable DNS server on the secondary site.
1+1 but DNS is only one of many reasons. – John Gardeniers Oct 18 '12 at 12:25
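The DC locator process the answer describes can be verified from a workstation on the secondary site. The following PowerShell is an added example, not part of the answer or the thread: it queries the DNS server configured on the NIC for the `_ldap._tcp.dc._msdcs.<domain>` SRV records, then checks that each returned DC is reachable across the VPN on the ports a domain logon needs. It assumes PowerShell 3.0 or later on Windows 8 / Server 2012 or newer (for `Resolve-DnsName` and `Test-NetConnection`); `corp.example` is a placeholder for your own AD DNS domain name.

```powershell
# Added example (not from the answer): run on a client at the secondary site.
# Assumes PowerShell 3.0+; 'corp.example' is a placeholder for your AD domain.
$domain = 'corp.example'

# The DC locator asks DNS for SRV records (not A records) under _msdcs.<domain>.
# A site-specific form, _ldap._tcp.<SiteName>._sites.dc._msdcs.<domain>, is tried first
# when the client's subnet is mapped to an AD site.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

if (-not $dcs) {
    Write-Warning "No SRV records returned: clients on this site cannot locate a DC"
    return
}

# Ports used during logon and Group Policy processing:
# Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445 (SYSVOL), Global Catalog 3268
$ports = 88, 135, 389, 445, 3268
foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Reachable = $r.TcpTestSucceeded }
    }
}

# Which DC did this client actually select, and which AD site does it think it is in?
nltest /dsgetdc:$domain
```

If the SRV query itself fails while the VPN is down, that confirms the failure mode the answer warns about: the clients' only DNS server is on the far side of the tunnel, so both name resolution and DC location stop at once.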
It's not 100% necessary, and there are ways around it. However, it's very practical to have one. It will help avoid issues with DNS, authentication, log-in times (applying group policies), Time Service for your workstations, among other things. How will you handle DHCP for the site?
If you are concerned about security of your AD, you could install a Read-Only DC.
If your VPN link is down, and you don't have an AD server on-site, you'll have all sorts of authentication issues, and log-in times will greatly increase. You could have a local DNS server that's set up as a secondary to your AD DNS (and caches records), but that only works around one of the problems.
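The read-only DC this answer suggests is only useful if the secondary site's clients are steered to it, which means the site and its subnet must be defined in AD Sites and Services first. The following PowerShell is an added example, not part of the answer or the thread. It assumes the Active Directory module (RSAT or the AD DS role) on a Windows Server 2012 or later machine that will become the branch DC, a domain functional level that permits an RODC, and placeholder values (`corp.example`, the site name `Branch`, the subnet `10.20.0.0/24`, and the group `Branch Users`) that you replace with your own.

```powershell
# Added example (not from the answer). Run on the server that will become the branch DC.
# Assumptions: Windows Server 2012+ with the ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

$domain       = 'corp.example'    # placeholder AD DNS domain
$siteName     = 'Branch'          # placeholder AD site name for the secondary site
$branchSubnet = '10.20.0.0/24'    # placeholder subnet used by the secondary site's clients

# 1. Define the site and map the branch subnet to it, so the DC locator returns the
#    branch DC first and falls back to a primary-site DC only when it is unavailable.
New-ADReplicationSite   -Name $siteName
New-ADReplicationSubnet -Name $branchSubnet -Site $siteName
# Add the new site to the default site link so replication over the VPN is scheduled.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $siteName }

# 2. Promote this server as a read-only DC that also hosts DNS. Branch logons and DNS keep
#    working when the VPN drops, while no writable copy of the directory sits at the branch.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName $domain `
    -ReadOnlyReplica `
    -SiteName $siteName `
    -InstallDns `
    -Credential (Get-Credential "$domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -AllowPasswordReplicationAccountName 'Branch Users' `
    -DenyPasswordReplicationAccountName 'Domain Admins'
# After the reboot, point the branch clients' NIC DNS settings at this DC first, with a
# primary-site DNS server as the secondary entry.
```

The password replication policy on the last two lines is what limits the blast radius of an RODC: only the branch users' secrets are cached locally, and privileged accounts are never cached, so a compromised branch box does not yield domain admin credentials.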