Hello,
I am trying to evaluate our AD Sites and Services configuration, which has not been touched in a long time, to make sure it is configured correctly. The reason is that I want to leverage AD Sites in SCCM Boundaries, so before I build on top of AD Sites I want to make sure it is valid and sane.
We have a main location, which is our data center, and 10 remote offices (some larger with 50-100 clients and others as small as 10 clients), connected with MPLS or IPsec, so remote locations can reach the DCs for authentication over the WAN link just fine except when there is a connectivity issue, which we are OK with.
The main location has two Domain Controllers, one of which is our FSMO role owner. The remote offices have a Windows server but no DC, except for one location; we do this to keep things simple, so that when it comes time to upgrade our DCs we don't have to update the OS on 10 servers to raise our schema level, and the WAN traffic is acceptable.
So we have:
- Primary Site with 2 DCs, one has our FSMO role ownership
- Remote Office 1 has a DC
- Remote Office 2 (slow link) has a RODC
- Remote Offices 3 - 10 have no DCs, just a file server locally for shares, etc.
Currently, in our AD Sites and Services we have 8 sites defined, and we also have many subnets defined and assigned to the corresponding sites. Not all of our remote offices have a site defined.
- What is the best practice around this in our scenario?
- Should each remote office location be defined as a "Site" in AD Sites and Services?
- Should we create all the valid subnets for each remote location and assign them to the corresponding Site defined in #1?
- What about Inter-Site Transports > IP? We seem to have Site Link definitions for each site; is this correct even if those sites don't have DCs?
At some point a long time ago we had DCs in all these sites, but we have since de-complicated stuff and only run a few DCs now. So I just want to make sure our configuration is valid.
Any AD experts out there?
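One way to get the facts needed to answer these questions is to dump the site, subnet, site-link and DC inventory side by side, so that sites with no DC, subnets that are not mapped to any site (clients there fall back to an arbitrary DC rather than a nearby one), and site links that only join DC-less sites are visible at a glance. The script below is an added example written for this thread, not something from the original post; it assumes the RSAT ActiveDirectory PowerShell module is installed and that it runs as an account that can read the configuration partition. No site, subnet or server names are assumed; everything is read from the directory.

```powershell
# Added example (not from the original post): audit AD Sites and Services.
# Assumes the RSAT ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

$sites   = @(Get-ADReplicationSite -Filter *)
$subnets = @(Get-ADReplicationSubnet -Filter *)
$links   = @(Get-ADReplicationSiteLink -Filter *)
$dcs     = @(Get-ADDomainController -Filter *)

# Site objects are referenced by distinguished name from subnets and site links,
# but by plain name from domain controllers, so build both lookups.
$siteNameByDn = @{}
foreach ($s in $sites) { $siteNameByDn[$s.DistinguishedName] = $s.Name }
$dcsBySite = $dcs | Group-Object -Property Site -AsHashTable -AsString

Write-Host "== Sites: domain controllers and subnet counts =="
foreach ($s in ($sites | Sort-Object Name)) {
    $dcList = '(none)'
    if ($dcsBySite -and $dcsBySite.ContainsKey($s.Name)) {
        # Mark RODCs so a site served only by an RODC stands out.
        $dcList = ($dcsBySite[$s.Name] | ForEach-Object {
            if ($_.IsReadOnly) { "$($_.HostName) (RODC)" } else { $_.HostName }
        }) -join ', '
    }
    $subnetCount = @($subnets | Where-Object { $_.Site -eq $s.DistinguishedName }).Count
    '{0,-28} DCs: {1,-45} Subnets: {2}' -f $s.Name, $dcList, $subnetCount
}

Write-Host "`n== Subnets not assigned to any site (clients here are not site-aware) =="
$orphans = @($subnets | Where-Object { -not $_.Site })
if ($orphans.Count -eq 0) { '(none)' } else { $orphans | ForEach-Object { $_.Name } }

Write-Host "`n== Site links (cost, replication interval, member sites) =="
foreach ($l in $links) {
    $members = @($l.SitesIncluded | ForEach-Object { $siteNameByDn[$_] })
    # A link whose members all lack a DC carries no replication; it is a leftover
    # from the time every site had a DC and can be reviewed for removal.
    $withDc = @($members | Where-Object { $dcsBySite -and $dcsBySite.ContainsKey($_) }).Count
    $flag = if ($withDc -lt 2) { '  <-- fewer than two member sites have a DC' } else { '' }
    '{0,-28} cost {1,5}  every {2,4} min  {3}{4}' -f $l.Name, $l.Cost,
        $l.ReplicationFrequencyInMinutes, ($members -join ' <-> '), $flag
}
```

Run it once from a management host and compare the output with the office list in the question: each office whose clients should prefer a particular DC (or should be grouped for SCCM boundaries) needs a site with all of its subnets attached, while a site link only matters for replication between sites that actually contain DCs. From any workstation, `nltest /dsgetsite` shows which site that client resolved to, which is a quick way to confirm a subnet-to-site mapping after a change.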