4

I have 2 sites (HO + Branch), both with Win Servers 2003, connected by a tunnel. I want to have a DC in each location to allow for local login/authentication.

Can someone tell me what roles I should assign to the DCs in the remote branches?

I am about to install a Win 2012 DC in each location, in case that matters.

HopelessN00b
TSG

2 Answers

5

Typically, if the home office is the largest, that's where all of the FSMO role holders are.

The domain controller(s) at the branches should be both DNS servers and Global Catalogs.

MDMarra
  • 1
    Can there be 2 GC roles? How can I add a GC role to the branch? (Without moving it from head office) – TSG Jan 06 '13 at 02:57
  • 1
    Each domain controller can be a Global Catalog server. It's not a role/function that's exclusive to only one DC. You can configure each DC to be a GC from within the Active Directory Sites and Services management console. – joeqwerty Jan 06 '13 at 03:11
  • Actually you SHOULD have more than 1 GC - the GC is the only one that stores all security attributes. If you have only one, that is a disaster in the making. – TomTom Jan 06 '13 at 18:20
  • Not having a DC as GC is kind of a moot point these days – pauska Jan 06 '13 at 18:26
4

It essentially doesn't matter where you put the FSMO roles, although it's a good idea to have the PDCe in the office with the most people, since that's the one that handles notifications for password changes, lockouts, etc. With an HQ and a single branch office, you might as well leave all the FSMO roles on the HQ, especially if that's the office with better hardware and better backups.

Edit: as mentioned below, if you only have (and likely only will have) a single domain, you can and should simply make all of your DCs also GC servers - and that's not a role, which is what your question asks for.

mfinni
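
To check the placement both answers recommend (FSMO roles at head office, every DC a Global Catalog), the following is an added example and not part of the original posts: it reports which DCs hold FSMO roles and flags DCs and sites without a GC. The function name `Get-DcPlacementReport`, the DC names and the site names are hypothetical, and the sample data is constructed.

```powershell
# Added example. Function name, DC names and site names are hypothetical;
# the sample objects below are constructed, not taken from a real domain.
function Get-DcPlacementReport {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers
    )
    # Per-DC view: site, Global Catalog flag, and any FSMO roles held.
    $perDc = foreach ($dc in $DomainControllers) {
        [pscustomobject]@{
            Name      = $dc.Name
            Site      = $dc.Site
            IsGC      = [bool]$dc.IsGlobalCatalog
            FsmoRoles = @($dc.OperationMasterRoles) -join ', '
        }
    }
    # A site with no GC has to cross the tunnel for GC lookups.
    $sitesWithoutGc = $perDc | Group-Object Site |
        Where-Object { -not ($_.Group | Where-Object IsGC) } |
        ForEach-Object Name
    [pscustomobject]@{
        DomainControllers = $perDc
        NonGcDcs          = @($perDc | Where-Object { -not $_.IsGC } | ForEach-Object Name)
        SitesWithoutGc    = @($sitesWithoutGc)
    }
}

# Constructed sample: head office holds all five FSMO roles,
# the branch DC has not yet been made a Global Catalog.
$sample = @(
    [pscustomobject]@{
        Name = 'HO-DC1'; Site = 'HeadOffice'; IsGlobalCatalog = $true
        OperationMasterRoles = @('SchemaMaster', 'DomainNamingMaster',
                                 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    }
    [pscustomobject]@{
        Name = 'BR-DC1'; Site = 'Branch'; IsGlobalCatalog = $false
        OperationMasterRoles = @()
    }
)

$report = Get-DcPlacementReport -DomainControllers $sample
$report.DomainControllers | Format-Table -AutoSize
"DCs that are not GCs: $($report.NonGcDcs -join ', ')"
"Sites with no local GC: $($report.SitesWithoutGc -join ', ')"

# Against a live domain (requires the ActiveDirectory module):
# Get-DcPlacementReport -DomainControllers (Get-ADDomainController -Filter *)
```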