On a regular basis, top Microsoft executives answer readers' toughest technical questions about Windows-based systems. This installment of "Ask Microsoft" was answered by Brian Puhl, senior systems engineer, Microsoft IT.
To submit a technical question for consideration, send an email to editor@SearchWinComputing.com.
Question: I would like to know the best way to implement Active Directory in a remote site office. The scenario: We are in a headquarters office with a pretty stable LAN and Active Directory connectivity with local domain controllers, file-and-print and e-mail servers. Our new remote office will have about 20 to 25 users who want to have corporate e-mail accounts. We want to be able to remotely manage workstations from headquarters, provide login via Active Directory domain and provide network file-and-print service at a reasonably acceptable network speed. Due to security and complex administrative reasons, we do not wish to install domain controllers and WINS at the remote site, and budget issues limit us to VPN connectivity via the Internet. Given the constraints and security issues, how can we best design a network for such a remote site?
Answer: Security considerations are a priority when considering domain controller placement, and the majority of critical infrastructure functions include various caching mechanisms to mitigate against intermittent network connectivity. For example, group policies, name resolution, Kerberos tickets and IP addresses (DHCP), and even Outlook 2003 for e-mail all include local caches. The result is that if a user is in the office working, a network outage is likely to be transparent. Given the robust nature of the operating system, if physical security of a domain controller cannot be ensured in a remote office, then it's probably better to leave the DC in a secure data center. -- Brian Puhl
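A check a headquarters administrator could run against the remote-site workstations to confirm the caching the answer relies on is actually in place. This is an added example, not code from the column or from Microsoft IT; it assumes PowerShell remoting (WinRM) is enabled on the workstations and the computer names are placeholders.

```powershell
# Added example (not from the column): audit, from headquarters, whether the
# remote-site workstations can ride out a VPN/DC outage as the answer describes.
# Assumes WinRM is enabled and the names below are constructed placeholders.
$remoteSiteComputers = @('RS-WS01', 'RS-WS02')

$report = Invoke-Command -ComputerName $remoteSiteComputers -ScriptBlock {
    # Cached domain logons: Winlogon keeps up to CachedLogonsCount credential
    # verifiers so users can still log on when no DC is reachable over the VPN.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                   -ErrorAction SilentlyContinue).CachedLogonsCount

    # AD site the workstation believes it is in; a remote site without its own
    # DC should resolve to a site served by a DC in the secure data center.
    $site = (& nltest /dsgetsite 2>$null | Select-Object -First 1)

    # Secure channel to the domain: $false means DC reachability or the machine
    # account is broken, so cached logons are all that keeps users working.
    $secureChannel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        CachedLogons    = [int]$cached      # 0 means no offline logon possible
        ADSite          = $site
        SecureChannelOK = [bool]$secureChannel
    }
}

# Workstations where an outage would NOT be transparent to the user.
$report | Where-Object { $_.CachedLogons -eq 0 -or -not $_.SecureChannelOK } |
    Format-Table Computer, CachedLogons, ADSite, SecureChannelOK -AutoSize
```

Run it from an elevated session with domain credentials; Test-ComputerSecureChannel needs local administrator rights on each workstation.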