Regarding AD Domain controllers and remote branch offices

Posted by Alex on Server Fault See other posts from Server Fault or by Alex
Published on 2014-08-21T06:49:08Z Indexed on 2014/08/21 16:22 UTC
Read the original article Hit count: 279

We have central HQ building and a lot of small branch offices connecting via VPN and want to implement AD (If you can believe we still haven't). We want everyone to log in using domain accounts and be policed centrally.

We are OK with having a RODC in a branch office with like 10 computers. But we have these small branches with two to four PCs only. Some of these branches connect to HQ via IPSec site-to-site VPN, some via remote access (client-based) VPN.

So there is no problem with ones that have local RODC or connecting to HQ DCs via VPN router. But how about small branches? We don't really want to set up a machine there, neither we want to invest into Windows Server licenses or fancy network equipment.

Also, the problem is that we cannot access HQ DCs via VPN because we are not logged in and connected to HQ internal network yet, so DCs aren't reachable.

What is typically done in that situation if it is needed to have central management over policies on those PCs? Or is it better to let 'em loose and use local policies and accounts in this situation?

© Server Fault or respective owner

Related posts about active-directory

Related posts about vpn