• #2225686

    WAN with 200 locations, no DC at sites?


    by chady ·

    I am really not sure where to find the information on this or if anyone else has done anything like this.

    Our company would like to build a WAN over mainly DSL connections using site to site hardware, mainly Sonicwall’s tz180’s at the sites and a pro4060 at the main office. That all seems possible. The real question is, if we get the WAN over VPN up and going, can I have those sites on the main domain with only a domain controller at the main office, and one replicated off site? The main reason for having the sites on the domain is to enforce group policies and control access to the machines. Currently the computers are in workgroups (only 3-8 machines at each site), 200+ sites. We really would not be using the WAN for any applications, maybe VoIP at some point, but not for a while.

    All the sites are independently owned and would have a very hard time justifying the cost of a domain controller at each location. Especially when it is for corporate benefit (more control of machines, via group policies, easier deployment of software, etc.)

    Thoughts, ideas, words of wisdom?

All Answers

    • #2618677

      Answer and some thoughts.

      by faradhi ·

      In reply to WAN with 200 locations, no DC at sites?

      “can I have those sites on the main domain with only a domain controller at the main office, and one replicated off site?”
      Yes, you can have one domain controller that replicates to local DC’s across the WAN. I think you would agree that is preferred.

      As for the justification for cost: it will take much longer for each site to login if they are processing scripts and Group Policy over the WAN. I had a T1 to another site and the remote site did not have a domain controller. We received constant complaints about login times. Sometimes up to 2 – 3 minutes. And we did not have the VPN overhead to deal with.

      I learned long ago in customer service, when calculating perceived wait times double the actual time. So count on complaints of at least 6 mins to log in if you do decide not to put a DC at the remote sites.

      As for the costs, you do not need a lot of power for these DCs. All you need is two 60 GB HDs (mirrored), two 1 Gbit NICs and a single processor. Use SATA drives for this to further reduce the price. You’re looking at $2,000 – 3,000 including OS if you purchase from the manufacturer without the bulk discount. Additionally, if you can purchase all of the servers for the independent owners in bulk, you should get a substantial discount.

      If they still don’t want to spend the money, fine. I think they will change their minds once they try to login over the WAN.

      I hope this helps.

      -edited for clarity

      • #2617787

        questions and answers

        by chady ·

        In reply to Answer and some thoughts.

        Well, I was just thinking of two or three DC’s. Two here, and one off site somewhere, and not having any at the site locations.

        Wouldn’t the credentials be cached for login? So, it would just be checking for new GPO’s and that type of stuff. That slows down the process that much? Any idea how to calculate how much traffic that might be? And with Server 2008 I think they are totally revamping what all gets replicated (or maybe that is just the replication between DC’s) to help limit the amount of traffic.

        Let’s say we did put a DC at each location, would you make those all their separate domain, under our main domain, or just replicate to all of them?

        • #2617776

          I would make one domain

          by faradhi ·

          In reply to questions and answers

          Yes the credentials would be cached.

          However, it’s not the GPO’s as much as it is the login scripts. The amount of traffic depends on what the login scripts are doing.

          Now, we pushed out apps and had mappings back to the main site, so that accounted for some if not most of the slow down.
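The two replies above ask how to estimate logon traffic and point out that login scripts and drive mappings, not GPO size, dominate the delay. The following model is an added example (not code from anyone in this thread) that splits a logon into a bandwidth part and a latency part; every size, RTT and link speed in it is a constructed assumption, not a measurement.

```python
"""Rough model of logon cost over a DSL/VPN link versus a local DC.

Added illustration for this thread. All numbers are constructed assumptions:
GPO payload sizes, script sizes, SMB round-trip counts and link figures must be
replaced with values measured at a real site.
"""
from dataclasses import dataclass


@dataclass
class Link:
    down_kbps: float          # downstream rate seen by the site
    rtt_ms: float             # round trip to the main office (through the VPN)
    vpn_overhead: float = 0.0 # fraction of bandwidth lost to IPsec encapsulation


@dataclass
class LogonProfile:
    gpo_count: int            # GPOs applied at logon
    gpo_bytes: int            # SYSVOL bytes fetched per GPO (assumed)
    script_bytes: int         # login script and files it pulls
    smb_round_trips: int      # chatty SMB exchanges: dir listings, drive maps
    app_push_bytes: int = 0   # software deployment payload, 0 if none


def payload_bytes(p: LogonProfile) -> int:
    """Total bytes one logon pulls across the link."""
    return p.gpo_count * p.gpo_bytes + p.script_bytes + p.app_push_bytes


def bandwidth_seconds(p: LogonProfile, link: Link, concurrent: int = 1) -> float:
    """Transfer time; the site link is shared, so it scales with concurrent logons."""
    effective_bps = link.down_kbps * 1000 / 8 * (1 - link.vpn_overhead)
    return payload_bytes(p) * concurrent / effective_bps


def latency_seconds(p: LogonProfile, link: Link) -> float:
    """Round-trip cost; more bandwidth does not reduce this part."""
    return p.smb_round_trips * link.rtt_ms / 1000


def logon_seconds(p: LogonProfile, link: Link, concurrent: int = 1) -> float:
    return bandwidth_seconds(p, link, concurrent) + latency_seconds(p, link)


def latency_share(p: LogonProfile, link: Link, concurrent: int = 1) -> float:
    """Fraction of the logon spent waiting on round trips rather than bytes."""
    return latency_seconds(p, link) / logon_seconds(p, link, concurrent)


# Constructed scenarios: DSL through an IPsec VPN versus a DC on the site LAN.
DSL_VPN = Link(down_kbps=1500, rtt_ms=80, vpn_overhead=0.10)
SITE_LAN = Link(down_kbps=100_000, rtt_ms=1)
STORE = LogonProfile(gpo_count=10, gpo_bytes=50_000, script_bytes=20_000, smb_round_trips=150)

if __name__ == "__main__":
    for name, link in (("DSL+VPN", DSL_VPN), ("local DC", SITE_LAN)):
        print(f"{name}: 1 logon {logon_seconds(STORE, link):.1f}s, "
              f"8 at once {logon_seconds(STORE, link, 8):.1f}s, "
              f"latency share {latency_share(STORE, link):.0%}")
```

Because the round-trip term does not shrink with a faster link, the model shows why trimming chatty login scripts and drive mappings (or placing a DC on site) helps more than buying bandwidth.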

    • #2618675

      Should work fine

      by Anonymous ·

      In reply to WAN with 200 locations, no DC at sites?

      We have had several sites which operated that way in the past (They have been moved to a Frame WAN, but for political, not technical reasons).

      You might want to consider having 2 DC’s at the main site, considering your system count is closing on or exceeding 2000 (depending of course on the beefiness of the system you have for a DC).

    • #2459530

      Have you implemented this design?

      by jroan ·

      In reply to WAN with 200 locations, no DC at sites?

      We’re considering something very similar and have found limited information on the topic. Just curious if you have and if so what success you’ve had. Thanks…John

      • #2564879


        by chady ·

        In reply to Have you implemented this design?

        I have tested a remote location without a DC and doing the authentication over the VPN, and their machines seemed a lot slower. They were here in the office but then the warehouse moved to a remote location (just across town) and I tried it just to see. I would think that most of our stores would really complain about the speed, and whenever the VPN went down, so did their “internet” (DNS was not available unless you allow split tunneling).

        So, I have been waiting for Server 2008 and some of the advanced features with remote offices/DC’s. As well as trying to figure out a way for our stores to see the benefit of a DC/Server on location that “nobody really uses”.
