Networks

you could but the child domain and the main site would never obtain replication information between the two. Therefore user names, passwords, associated ACLs schema changes, distribution lists, security groups, blah blah would never be updated between the two. Therefore is someone from the remote site were to visit the main site their credentials, account wouldn't be recognized.

If you can't do a WAN link [even dial up] best to make it it's own domain in the forest rather than a child of the root.

the remote site currently has no domain structure. we've been using cisco routers to provide the vpn link, which is working fine. however, the downside is speed. each site is on a dedicated t1. the chicago site has 300+ users, with the north carolina office only having about 20. the traffic moving across the vpn is consuming quite a bit of bandwidth. we're just trying to find a way to improve performance and still be able to get to shared drives in chicago.

I think it is important to point out that the child OU will be on the root server (Root of the Forest) that contains the FSMO roles. If you create a child domain it will be on your single DC in Chicago, not in another state. The users at your remote office will be authenticating to the DC in Chicago and therefore you will have to have some kind of WAN connection. This causes potential problems. If your WAN link or VPN goes down, remote users will not authenticate to the domain.

If you want to plan for redundancy you should have a DC in the remote office as well and then you could just have one domain and use OU's to organize your AD structure instead of creating a child domain. Of course, due to the replication traffic betweeen DC's, this would be most effective if you had half a T1 or better WAN connection. A cheaper solution, if you have ADSL at both locations, is to purchase 2 Cisco Pix 501 and create VPN tunnel. This is seemless to users and gives you a high bandwidth connection at a much lower cost than T1.

Hope this helps.

see our comment above.

If you have Exchange in the main site and users at the remote site get their mail via the WAN link, might consider another Exchange or move one to the other office as well as having a DC with the GC role there. That probably would substantially cut down on WAN traffic by users checking their email every 5 minutes thus having to use the WAN link. Active Directory is a logical structure and not a physical structure. You can have a child domain in bumtule which is a also in the physical structure a site.