VPN
vittmann, 2021-02-10 20:47:58

Active Directory in the cloud and branches through VPN?

Greetings!

The gist: I am planning to deploy AD for a company.

  • The main requirement for AD is authentication, because the main fleet of machines is macOS.
  • The share of machines running Windows may grow in the future (it is currently minimal), so GPOs may eventually be needed (but not in the near future). Local login to the machines must be provided.
  • Also, synchronization of users/groups into an MDM system (Mac management) + integration with IdM (logging in to web resources with the same credentials) + a number of systems that can integrate with LDAP/AD. No network shares are planned.


So far, the branches are offices in the same city (3 of them, up to 250 users working simultaneously in total), with good links (up to 500 Mbps in both directions) and redundant providers.
In addition, there are remote workers, and joining the equipment they work on (mainly corporate laptops) to the domain is being considered. That can be up to another 100 simultaneously working users.
In the future it is planned to open branches in other cities (potentially in other countries, Europe for example). But there will be no outright bad channels, since in general a good connection is needed for an office to work at all.

The idea came up to deploy AD in the cloud (VMware Cloud, data center in the same city as the branches) on 2 virtualized DCs, with a 100/50 channel (domestic/international). Access would be arranged by building a VPN from the Mikrotik in each branch to a virtual router in the cloud (and from there routing to the network with the domain controllers). The idea actually arose from a reluctance to buy DC hardware and a WinServer license for each office.

At each branch, hand out to clients via DHCP the IP addresses of the controllers plus the IP of the Mikrotik itself as DNS servers (to get through without inconvenience those moments when/if the VPN drops or lags and the main DNS is unavailable; workstations would then use the Mikrotik's DNS). On the machines themselves, create a mobile account for each user (to cache credentials and allow login to the machine even if the connection to AD is currently broken).

As a rule, any doc/book about AD necessarily mentions that, given a geographically distributed enterprise, you must install a DC of its own in each branch (mainly in the context of the WAN channel being thin and generally unstable). I.e. this idea clearly doesn't follow MS guidelines.

  • How much value does this recommendation still have now, when channels are both wide and stable, and in general nothing stops you from having 2-3 of them per office with automatic failover when any of them goes down?
  • Roughly how much traffic is generated when accessing a domain controller during logon? Peak moments would have to be accounted for (in the morning everyone arrives and actively logs in to their machines), but how do you calculate it?
  • What are the general performance requirements for DC servers depending on the number of users?
  • Could prioritizing traffic and DNS help, perhaps on the ports through which client machines access the DC? (Though after the connection is established, reverse connections from the DC to workstations will probably be on random ports, which you can't prioritize.)
  • How viable is the idea of not placing controllers in branches? Are there any other pitfalls?
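As an added example that is not part of the original post or either answer, here is a minimal RouterOS configuration for one branch Mikrotik that carries out the DHCP/DNS scheme described above, together with the firewall rule that keeps the router's resolver off the WAN once it answers remote requests. All addresses, the interface list named WAN, the tunnel interface vpn-cloud and the ISP resolver are constructed assumptions.

```routeros
# Added example (not from the thread): one branch Mikrotik implementing the
# DHCP + fallback-DNS scheme from the question. Constructed assumptions:
#   branch LAN 192.168.10.0/24, router 192.168.10.1
#   cloud DC subnet 10.100.0.0/24, DCs 10.100.0.11 and 10.100.0.12
#   routed tunnel interface to the cloud router named "vpn-cloud"
#   interface list "WAN" containing the uplink(s)
#   ISP resolver 203.0.113.53 (documentation range, placeholder)

# Reach the DC subnet only through the tunnel
/ip route
add dst-address=10.100.0.0/24 gateway=vpn-cloud comment="cloud DC subnet via VPN"

# DHCP: DCs first (clients need them for AD SRV lookups), router itself last
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 \
    dns-server=10.100.0.11,10.100.0.12,192.168.10.1 \
    domain=corp.example

# Router's own resolver: only a fallback for Internet names when the VPN is down,
# so it forwards to the ISP resolver rather than to the (unreachable) DCs
/ip dns
set allow-remote-requests=yes servers=203.0.113.53

# allow-remote-requests=yes turns the router into a resolver for every
# interface; drop DNS from the WAN side so it is never an open resolver.
# These rules must sit above any generic "accept" rule in the input chain.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no open resolver on WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="no open resolver on WAN"

# Watch one DC through the tunnel so a dead VPN shows up in the log
/tool netwatch
add host=10.100.0.11 interval=30s \
    down-script=":log warning \"DC 10.100.0.11 unreachable via vpn-cloud\"" \
    up-script=":log info \"DC 10.100.0.11 reachable again via vpn-cloud\""
```

With the DCs listed before the router in DHCP, clients resolve AD names through the tunnel as long as it is up and fall back to the router (Internet names only) when it is not.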


2 answer(s)
Alexey Dmitriev, 2021-02-10
@vittmann

A normal plan - no comments.
Questions:
1. The recommendation to place a DC in each branch is outdated. It is followed mainly in two cases: an unstable channel, or the presence of important services running 24 hours a day that need AD (factories, etc.).
For example, one of the former projects I was involved in was a transnational corporation. It had 2 DCs, in Frankfurt and South Africa, which covered all offices in a couple dozen countries across the African continent.
2. Traffic to the controllers is small; 250 people probably fit into 5 megabits at peak. Replication will take place inside the data center, so that traffic will not be on the external channels.
3. It's usually good practice for a DC to have enough RAM to fit the entire ntds.dit in RAM.
4-8 GB of RAM and some Core i3 will be enough for you.
4. By default, prioritization is not needed.

TOParh, 2021-02-18
@Berezoff

Question: do you really need to manage client computers? If the answer is no, then look towards a terminal server and let the users work in a remote desktop system. It will be easier for you to manage, and let them store important data on a server too; but this approach will require a larger investment in licenses than your plan.
