
I am going to install a new DC on a recently grown branch site. I know that it is a best practice to create a new site in Active Directory Sites and Services, with the relative IP link cost and related parameters.

However, both the HQ and this branch office are equipped with beefy internet connections (100 Mb/s fiber) and I wonder if it is better to leave both on a single site (i.e., enjoying very small replication latency as per intrasite policy).

On some well-known resources I read that anything > 10 Mb/s should be considered as a single site; however, others advise to map each physical site to an AD site.

What are established best practices?

shodanshok

  • Since we/you don't know what the future holds related to this site or its connectivity to HQ, my personal opinion would be to treat it as a remote site and configure ADS&S accordingly. – joeqwerty Mar 23 '18 at 18:02
  • @joeqwerty can you elaborate on your comment? If future requirements change, I should be able to easily move the domain controller using Active Directory Sites and Services, right? – shodanshok Mar 23 '18 at 21:42

2 Answers

Considering you have an ISP between those sites, I would create an AD Site dedicated for that new branch for two reasons:

  1. Segregate the user authentications per subnet. If the connection between these sites fails for some reason, it wouldn't have such an impact.
  2. Organization - If your company starts to grow a lot and your Active Directory reflects your physical structure, the organization will be very helpful, trust me! An unorganized AD will start to make maintenance and troubleshooting difficult.
Felipe Donda

I just finished a "full cloud" migration for a client that wanted it no matter the cost. This included AD, which I migrated to FoxPass. The client in question has 100Mb links at all three sites, formerly done via a single AD server at each of those sites. The company as a whole has about 75 active users.

The FoxPass system with RADIUS over RadSec and LDAPS ties together the identity systems of all their cloud resources, as well as their workstations and per-site firewalls. It's not even noticeable that these things aren't on-prem anymore, and AD has been effectively banished. The downside is that it's pretty expensive. I've not found a cheap IDaaS offering that actually provides an on-prem AD equivalent for wide-scope use cases.

However, isolating identity services to a single locally hosted site might not be robust enough depending on your requirements. Without going for an already massively HA cloud solution, I think that going for at least one AD server per site is still your best bet.

Spooler