
Basically it's a long story but somehow I've managed to find myself in charge of deploying servers across a multiple-site enterprise despite a) primarily dealing with routing and switching equipment 99% of the time, b) having very little experience in using Windows Server, and c) my boss being totally aware of this and basically saying 'better get learning'! Obviously not ideal!

My only previous experience with servers has been deploying Windows Server 2008 R2 for a business with a single physical location. The server had DNS, DHCP and AD DS all installed on a single server machine - as straightforward as a LAN can get.

My problem is that I have no idea as to how to scale or deploy AD DS from a single physical location to multiple physical locations.

The customer has the following requirements (probably very basic to an experienced individual):

  1. That the users for each physical location can be administered locally.
  2. That any user from the business (from any branch of the business) can use a machine in any other branch (if given rights).

Could someone please advise me as to how to go about this (and also maybe point me in the direction of some good sources on multiple physical location AD DS - I've searched TechNet but I can't find a general 'start here' article).

Do I need a DC for the entire forest with other connected DCs for controlling each domain? Or is a single DC acceptable for each domain?

Apologies for my lack of knowledge on the subject as I am a complete novice.

Thanks for any help.

slickboy
  • Shameless plug: you might find something useful in this http://serverfault.com/questions/402580/what-is-active-directory-and-how-does-it-work – MDMarra Nov 20 '12 at 19:24
  • @MDMarra...thank you very much. Finally someone that can explain Active Directory in a single document/answer. That is first class. – slickboy Nov 20 '12 at 23:14

1 Answer

NEVER rely on a single Domain Controller. ALWAYS have at least two.

It sounds like your terminology is mangled. Where did multiple domains enter the picture?

  • You can have, and it sounds like you want, a single forest/domain with multiple sites, in which case what you're looking for is Active Directory Sites and Services. It's part of the adminpack for 2003/RSAT (Remote Server Administration Tools) for 2008.
    • Literally, after standing up a new DC, you assign it to a site, so from an implementation standpoint, it's just dcpromo with an extra step at the end. (And even that's optional - I've seen horribly set up companies with multiple locations, but a single AD site.)
  • Follow that link to get an overview on AD Sites and Services, but it's really pretty simple. You just set up sites for your physical sites, assign Domain Controllers to the sites, set up replication and authentication policies.
  • Active Directory's a master-master schema, so there's not a whole lot of difference between one and more than one.
    • Be mindful of your FSMO roles. It's generally best to keep those at the biggest or home office site.
    • Make sure everyone's got access to a Global Catalog (easiest by making a Global Catalog out of every DC, or at least one per site).
    • Keep an eye on replication between DCs, as one getting tombstoned can really ruin your week.
    • Get familiar with the Active Directory Sites and Services tool in RSAT. Not exactly rocket science, or particularly complex, but with multiple sites, you'll find yourself using it, so make sure you familiarize yourself with its settings and usage.
Zoredache
HopelessN00b
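The checklist in the answer above (at least two DCs, a Global Catalog in every site, FSMO roles at the home office, replication that never ages toward the tombstone lifetime) can be turned into a repeatable audit. This is an added example, not code from the answer: the function name `Test-AdSiteHealth`, the site name `HQ`, the 180-day lifetime, the warning threshold and the sample records are all assumptions or constructed data.

```powershell
# Added example: audits a list of DC records against the answer's checklist.
# Records carry Name, Site, IsGlobalCatalog, OperationMasterRoles (as returned by
# Get-ADDomainController -Filter *) plus LastReplicationSuccess, which you would
# merge in from Get-ADReplicationPartnerMetadata or repadmin /showrepl.
function Test-AdSiteHealth {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        [string]   $HomeSite      = 'HQ',   # hypothetical name of the main office site
        [int]      $TombstoneDays = 180,    # assumption: confirm the value set in your forest
        [int]      $WarnDays      = 7,      # assumption: locally chosen staleness threshold
        [datetime] $Now           = (Get-Date)
    )
    $findings = @()
    if (@($DomainControllers).Count -lt 2) {
        $findings += 'CRITICAL: fewer than two domain controllers'
    }
    foreach ($site in ($DomainControllers | Group-Object -Property Site)) {
        # Every site should be able to reach a Global Catalog locally
        if (-not ($site.Group | Where-Object { $_.IsGlobalCatalog })) {
            $findings += "WARN: site '$($site.Name)' has no Global Catalog"
        }
    }
    foreach ($dc in $DomainControllers) {
        if ($dc.OperationMasterRoles -and $dc.Site -ne $HomeSite) {
            $roles = $dc.OperationMasterRoles -join ', '
            $findings += "INFO: $($dc.Name) in '$($dc.Site)' holds FSMO roles: $roles"
        }
        $age = [int]($Now - $dc.LastReplicationSuccess).TotalDays
        if ($age -ge $TombstoneDays) {
            $findings += "CRITICAL: $($dc.Name) has not replicated for $age days (past tombstone lifetime)"
        } elseif ($age -ge $WarnDays) {
            $findings += "WARN: $($dc.Name) has not replicated for $age days"
        }
    }
    $findings
}

# Constructed sample data: two sites, one stale branch DC without a GC
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name='DC1'; Site='HQ'; IsGlobalCatalog=$true
        OperationMasterRoles=@('PDCEmulator','RIDMaster'); LastReplicationSuccess=$now.AddHours(-1) }
    [pscustomobject]@{ Name='DC2'; Site='HQ'; IsGlobalCatalog=$true
        OperationMasterRoles=@(); LastReplicationSuccess=$now.AddHours(-2) }
    [pscustomobject]@{ Name='BR1'; Site='Branch'; IsGlobalCatalog=$false
        OperationMasterRoles=@('SchemaMaster'); LastReplicationSuccess=$now.AddDays(-21) }
)
Test-AdSiteHealth -DomainControllers $sample -Now $now
```

With the sample data this reports the missing Global Catalog in `Branch`, the FSMO role held outside `HQ`, and the 21-day replication gap on `BR1`.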