Advice on AD 2003 Domain Controllers in branch offices

Discussion in 'Active Directory' started by Rubin Farr, Mar 20, 2006.

  1. Rubin Farr

    Hi All,

    Need advice on domain controllers in branch offices (in international
    locations). We don't have full-time IT staff and I don't feel like getting
    woken up by a pager more than I have to (I already have way too much of that).

    I've started on a push for a single domain for simplicity and don't want to
    get into the child domain thing (which, after encouragement from this group,
    I see why it's not a good idea in terms of security). My problem is this.
    The machine I have over in the site now is also a file/print server, and I
    want local users to be able to run Backup Exec on their own. In testing, by
    making the local 'OU admin' a member of Backup Operators and setting
    Backup Exec to run as the Local System account, things seemed to work well.

    BUT... I know it is bad, period, to let non-admins log onto DCs, but it does
    not seem worse than doing child domains.

    I think the ideal situation would be to set up a 2nd box as a DC, totally
    hands-off, just for authenticating, and let the local IT firm be able to
    tinker with the file server when needed. The issue there is, do we need 2
    boxes for a remote office with 6 users?

    The WAN link is from Sydney to the US and logons are slow, otherwise I would
    have them authenticate over the WAN.

    We do maintain central IT administration here, but rely on local outsourcing
    companies for remote IT help.

    Ultimately: throw a cheapo PC domain controller in the remote site that
    handles logons. If it dies, local users can still log on over the WAN until we
    get a new box out to them.


    Thanks much
    Rubin Farr, Mar 20, 2006
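The setup described above, a Backup Operators member and a Backup Exec service running as Local System on a box that is also a DC, is worth auditing before it is handed to outsourced staff, because Backup Operators is a domain-local built-in group whose membership is honoured on every DC in the domain, and a service running as Local System on a DC runs with the DC's own identity. The following PowerShell is an added example written for this page, not code from the thread or from Backup Exec; it assumes the ActiveDirectory RSAT module, a modern admin workstation, and placeholder names (the DC name `SYD-DC01` and the `Backup*` service-name prefix are assumptions).

```powershell
# Added example, not from the original thread: audit the built-in operator
# groups whose membership applies on every DC in the domain, and list the
# services on a given DC that run as Local System, so a file/print/backup
# role added to a DC can be reviewed before it is left with outsourced staff.
# Assumes the ActiveDirectory RSAT module; the DC name below is an assumption.
Import-Module ActiveDirectory

function Get-OperatorGroupMembers {
    # Backup Operators and friends are domain-local built-ins: a member can log
    # on to, back up and restore *any* DC in the domain (including ntds.dit),
    # which is domain-wide Tier 0 access, not "just the branch box".
    param(
        [string[]] $GroupNames = @('Backup Operators', 'Server Operators',
                                   'Account Operators', 'Print Operators'),
        [string]   $Server     = (Get-ADDomain).PDCEmulator
    )
    foreach ($groupName in $GroupNames) {
        # -Recursive expands nested groups, so a user added through a helpdesk
        # or "OU admins" group still shows up in the report.
        Get-ADGroupMember -Identity $groupName -Recursive -Server $Server |
            ForEach-Object {
                [pscustomobject]@{
                    Group             = $groupName
                    Member            = $_.SamAccountName
                    ObjectClass       = $_.objectClass
                    DistinguishedName = $_.distinguishedName
                }
            }
    }
}

function Get-LocalSystemServices {
    # A service running as LocalSystem on a DC runs as the DC itself; whoever
    # can edit that service's jobs, binaries or configuration controls the DC.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $NameFilter = 'Backup*'   # assumption: Backup Exec service-name prefix
    )
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.Name -like $NameFilter } |
        Select-Object Name, DisplayName, StartName, State, PathName
}

# Usage (computer name is a placeholder for the branch-office DC):
Get-OperatorGroupMembers | Sort-Object Group, Member | Format-Table -AutoSize
Get-LocalSystemServices -ComputerName 'SYD-DC01' | Format-Table -AutoSize
```

Run the first function from any domain-joined admin workstation; the second needs WinRM/WMI access to the branch DC. Any account that appears in the first report and is held by the outsourced IT firm should be treated as having domain-level privilege, whatever OU it was meant to administer.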

  2. Your scenario is a common one. The recommended practices for security
    cannot really be justified to the business. The cost of a second server is
    probably too much. Longhorn is really going to help here, with the new Read
    Only DC - which will allow an actual local administrator without affecting
    the other DCs.

    In the meantime, you will probably have to implement what you have tested -
    backup operators - unless you are able to implement a virtualised DC.
    Paul Williams [MVP], Mar 21, 2006
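The Read-Only DC that the reply points to became available with Windows Server 2008; its two relevant features here are a delegated administrator (local admin rights on that one RODC, with no rights on other DCs) and a password replication policy that controls whose credentials may be cached on the branch box. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; it assumes Windows Server 2008 R2 or later with the ADDSDeployment module, and every domain, site, server, group and account name in it is a placeholder.

```powershell
# Added example, not from the original thread: pre-stage an RODC account for
# the branch office with a delegated local administrator and a password
# replication policy, then promote the branch server against that account.
# All names below are assumptions; replace them with your own.
Import-Module ActiveDirectory
Import-Module ADDSDeployment   # present on Windows Server 2012+ with the AD DS role tools

$domainName   = 'corp.example.com'   # assumption: single-domain forest
$rodcName     = 'SYD-RODC01'         # assumption: branch RODC computer name
$siteName     = 'Sydney'             # assumption: AD site for the branch office
$branchAdmins = 'SYD-RODC-Admins'    # assumption: group for the local IT firm
$branchUsers  = 'SYD-Users'          # assumption: the six branch-office users

# Step 1, run centrally as a Domain Admin: create the RODC computer account
# up front so the person who promotes the box needs no domain-level rights.
# - DelegatedAdministratorAccountName: local admin on this RODC only; nothing
#   on the writable DCs in the US.
# - AllowPasswordReplicationAccountName: only these users' secrets are cached
#   on the branch box, so they can log on when the WAN link is down.
# - Privileged groups (Domain Admins, Backup Operators, etc.) are already in
#   the default "Denied RODC Password Replication Group" and are never cached.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domainName `
    -SiteName $siteName `
    -DelegatedAdministratorAccountName $branchAdmins `
    -AllowPasswordReplicationAccountName $branchUsers `
    -InstallDns:$true

# Step 2, run on the branch server by a member of $branchAdmins: attach the
# server to the pre-staged account. No Domain Admins credential leaves HQ.
Install-ADDSDomainController `
    -DomainName $domainName `
    -UseExistingAccount:$true `
    -Credential (Get-Credential "$domainName\rodc-installer") `   # assumption: account in $branchAdmins
    -InstallDns:$true `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```

The RODC answers logons for the cached branch users locally; if it dies, users still authenticate over the WAN against the writable DCs, which is exactly the fallback the original post asks for. Because the delegated administrator group has no standing on other DCs, the local IT firm can reboot, patch or even rebuild the branch box without the Backup Operators membership that the original post had to grant.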

  3. Rubin Farr


    Thanks so much for your reply. Hmmm... virtualized, that is a cool
    approach! So that would be the cost of VMware or Virtual PC plus 2 licenses
    of 2003... which might not be bad.
    Rubin Farr, Mar 21, 2006