Active Directory
Florez, 2015-12-30 10:46:37

How to implement a branch structure and remote domains at a hosting provider?

Good day, dear community of gurus.
I have an interesting problem, and for some reason the correct and reliable solution to it does not occur to me.
So, to the point :) There is a branch-distributed enterprise with a central office. The central office has more than 200 PCs, its own domain controller and its own group policies, and everything there is done as it should be, correctly and neatly.
At the same time, the company has branches in different cities, with 20 to 40 PCs in each branch, and none of this is really administered at all: no domain, no security policies, different admin accounts everywhere... well, in general, you get the idea...
All branches are, of course, tunneled to each other and have visibility, but each has a different subnet; more detail in the figure:
[figure: network diagram of the central office and branch subnets; image not reproduced here]
It is necessary to apply the central office's group policies to all branches, and there must be a separate Site-Domain for each branch. Exchange will also still be configured for each branch with its own site, etc.; there is neither the possibility nor the desire to install it locally in each remote branch. We also can't host it in the central office yet: there are no resources, and I don't want to buy hardware for such tasks, it gets old quickly.
Therefore, the option is to rent a physical server at a hosting provider and bring up virtual machines on it:
1. A gateway (what it is and how to do it is not clear)
2. A slave AD domain for Branch 1
3. A slave AD domain for Branch 2, and so on for each branch.
How do I implement all this, pair each domain controller VM with its own branch, and on top of that make sure each domain is on the right subnet? :)

4 answers
athacker, 2015-12-30
@athacker

Central AD controllers: at the central site.
In the branches, we install and configure RODCs.
On the redundancy of a separate Exchange for each branch, I agree with the previous commenter.
And why is "different subnets in the branches" phrased as a "but"? :-) That is exactly how it should be: each site should have its own IP subnet. And even more than one, if the site is large.
It's also not clear what problems you have with hosting. What difference does it make what the infrastructure runs on: on hardware, on your own virtual machines, or on virtual machines from a hosting provider?
Only the model you intend to use is wrong: you should not rent a physical server, but take resources from cloud providers. If your physical server so much as sneezes, you will have a lot of trouble. Well, yes, you will restore from backups (perhaps it will even restore). But an immeasurable amount of time will be spent on it, and all that time your network will be down. If you want to do it yourself, you need to:
- take at least two servers for redundancy
- provide fault-tolerant disk storage (disk storage, because you have two servers and both will need access to common storage; that is, either a storage system or a distributed file system, but then you need more than 2 servers).
Therefore, there will be much more fuss with renting physical hardware than with buying a small cloud from a service provider. Well, the best-known examples are Amazon, Azure, DigitalOcean. Domestic ones offhand: CROC, DataLine, SoftLine, Selectel, Science-Communication.

Dmitry, 2015-12-30
@Tabletko

Putting its own Exchange in each branch seems to me a bigger waste of budget than allocating a separate machine as a DC (AD, DHCP, DNS) to each branch plus a simple gateway like a MikroTik.
And so: each branch is a separate site. If you really want to, make subdomains (site1.contoso.com, site2.contoso.com, etc.).

Ref, 2015-12-30
@KargoZ

Obvious problems are foreseen when a branch loses its Internet connection. How do you log in if the controller is not reachable? How long will local resources take to respond if the channel is loaded?
If a VPN is present, I would build a forest with physical or virtual slave controllers. Just note that transitive trust relationships do not provide group policy inheritance.

NRinat, 2016-01-06
@NRinat

For hosting, if there is money, I would recommend renting one full-fledged Exchange node (ClientAccess + Mailbox) and at least one controller, for redundancy.
You can put RODCs in the branches, or rather, you need to.
The scheme is like this.
1. Central office: DC01, DC02, Exchange node.
2. Hosting: DC03, Exchange node.
3. Branches: RODC(1...n).
Colleague, I would not recommend building subdomains. Put everyone in one domain. Create sites and, if network speed allows, use change-notification replication between sites.
The simpler the scheme, the more secure and clearer the system will be.
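The single-domain layout that athacker and NRinat describe above (one site and one subnet per branch, an RODC in each branch, HQ group policy applied to the branch sites, change-notification replication across the site links) can be built from the central office with the ActiveDirectory, GroupPolicy and ADDSDeployment modules. The script below is an added example and is not code from any of the answerers; the domain name contoso.com, the site names HQ/Branch1/Branch2, the subnets, the group names and the GPO name "HQ Baseline" are all assumptions for illustration.

```powershell
# Added example (not from the original thread). Run on a writable DC or an admin
# workstation with RSAT, as a domain admin. All names and subnets are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module ADDSDeployment

$Domain   = 'contoso.com'
$DomainDN = 'DC=contoso,DC=com'
$HqSite   = 'HQ'                       # assumed: the existing central-office site
$Branches = @(                         # assumed: one site and one subnet per branch
    @{ Name = 'Branch1'; Subnet = '10.1.0.0/16' },
    @{ Name = 'Branch2'; Subnet = '10.2.0.0/16' }
)

foreach ($b in $Branches) {
    # 1. One AD site per branch. The subnet-to-site mapping is what makes branch
    #    clients locate "their" DC instead of one at HQ across the tunnel.
    New-ADReplicationSite   -Name $b.Name
    New-ADReplicationSubnet -Name $b.Subnet -Site $b.Name

    # 2. Site link to HQ. Setting options = 1 (USE_NOTIFY) turns on
    #    change-notification replication so changes do not wait for the schedule;
    #    only do this where the channel allows it, as NRinat says.
    $link = "$HqSite-$($b.Name)"
    New-ADReplicationSiteLink -Name $link -SitesIncluded $HqSite, $b.Name `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    Set-ADReplicationSiteLink -Identity $link -Replace @{ options = 1 }

    # 3. Link the central office's baseline GPO to the branch site. Linking at the
    #    site applies HQ policy to the branch with no subdomain and no trust involved.
    $siteDN = "CN=$($b.Name),CN=Sites,CN=Configuration,$DomainDN"
    New-GPLink -Name 'HQ Baseline' -Target $siteDN -Domain $Domain -LinkEnabled Yes

    # 4. Pre-stage the branch RODC computer account from HQ and delegate it to a
    #    branch admin group, so a local admin can promote the server without
    #    holding domain admin rights.
    Add-ADDSReadOnlyDomainControllerAccount `
        -DomainControllerAccountName "RODC-$($b.Name)" `
        -DomainName $Domain -SiteName $b.Name `
        -DelegatedAdministratorAccountName "CONTOSO\$($b.Name)-Admins"

    # 5. Password Replication Policy: only the branch's own users and computers may
    #    have their secrets cached on that RODC. If the branch server is stolen or
    #    compromised, only those accounts need resetting, not the whole domain.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity "RODC-$($b.Name)" `
        -AllowedList "$($b.Name)-Users", "$($b.Name)-Computers"
}

# Check the result from HQ: each site link should show options = 1 and each
# branch site should have an RODC account waiting to be used.
Get-ADReplicationSiteLink -Filter * -Properties options |
    Select-Object Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes, options
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IsReadOnly

# On the branch server itself (run by a member of the delegated group, not by a
# domain admin): attach to the pre-staged account. The server reboots when done.
# Install-ADDSDomainController -DomainName 'contoso.com' -UseExistingAccount `
#     -Credential (Get-Credential) -InstallDns -Force
```

Two caveats that follow from the answers above. First, an RODC only answers logons for accounts whose secrets are already cached under the PRP; everything else is forwarded to a writable DC over the VPN, so Ref's point about a branch with a dead tunnel still applies to any account not in the allowed list. Second, `New-GPLink` against a site DN links the GPO in the forest root domain's Configuration partition, which is exactly why the single-domain scheme is simpler than subdomains: with per-branch subdomains the same GPO would have to be copied or linked into each child domain separately.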
