How do I perform this Active Directory black magic?
March 25, 2008 10:06 AM Subscribe
Best way to perform this Active Directory black magic? Our company has dozens of Windows terminal servers at remote locations (client sites), and we need a way to centralize Active Directory.
Currently, most of these are connected via OpenVPN back to a subnet here. I have a couple set up as domain controllers for a child domain, but this is becoming really hairy to manage, as logons take forever due to the VPN lag, the unpredictability of our clients' internet access, and various other factors. Add on to that, group policy settings in our central location are more suited to our set up here rather than the many varying setups at our client sites.
Previously, all these servers used local accounts only and this is also frustrating to manage, as well as a security problem, since all it takes is one errant account somewhere that a former employee might know about to cause us major headaches with a client.
I really like OpenVPN, and I'm sure this sort of thing has come up before. What's the best method to administrate all of these? Single domains for each client? One forest? Single domains with trusts? What's the best practice here?
Extended info: Server 2003 domain, all profiles are roaming profiles with folder redirection. not able to use mandatory profiles due to the extremely stupid software we have to support.
Currently, most of these are connected via OpenVPN back to a subnet here. I have a couple set up as domain controllers for a child domain, but this is becoming really hairy to manage, as logons take forever due to the VPN lag, the unpredictability of our clients' internet access, and various other factors. Add on to that, group policy settings in our central location are more suited to our set up here rather than the many varying setups at our client sites.
Previously, all these servers used local accounts only and this is also frustrating to manage, as well as a security problem, since all it takes is one errant account somewhere that a former employee might know about to cause us major headaches with a client.
I really like OpenVPN, and I'm sure this sort of thing has come up before. What's the best method to administrate all of these? Single domains for each client? One forest? Single domains with trusts? What's the best practice here?
Extended info: Server 2003 domain, all profiles are roaming profiles with folder redirection. not able to use mandatory profiles due to the extremely stupid software we have to support.
We manage a similar situation with our remote sites by maintaining a single domain with directory replication to servers that are local to the remote sites.
That way, authentication takes place at each site quickly and everything stays centralized and easier to manage. Creating different domains really doesn't seem necessary in your situation. Group policy can be managed by binding policies to user or computer OUs, rather than the whole domain.
Make sure you set up account password expiration. You should be deleting accounts for former employees, or at the very least changing their passwords.
posted by dosterm at 11:55 AM on March 25, 2008
That way, authentication takes place at each site quickly and everything stays centralized and easier to manage. Creating different domains really doesn't seem necessary in your situation. Group policy can be managed by binding policies to user or computer OUs, rather than the whole domain.
Make sure you set up account password expiration. You should be deleting accounts for former employees, or at the very least changing their passwords.
posted by dosterm at 11:55 AM on March 25, 2008
Yes, I don't see that different domains are at all necessary. In fact, some of my current clients do something like this right now with two servers in different parts of the country. They do replication between the servers. The only downside is that replication occurs on intervals and you may have to play with that to your liking. I work with one site that does this now, but their replication interval is 90 minutes. When I reset a password for someone, I have to do it on their local server, otherwise, they have to wait. :-)
posted by tcv at 11:59 AM on March 25, 2008
posted by tcv at 11:59 AM on March 25, 2008
tcv raises a good point that you can adjust your replication intervals to your bandwidth and usage needs.
However, to account for password resets and account lockouts, you assign the central DC to be the PDC emulator. That controller receives and sends security events as "urgent", or even higher than urgent in the case of lockouts. All DCs should be updating that information quickly.
That way full replication takes place on your schedule but issues of security can be handled quickly.
posted by dosterm at 12:24 PM on March 25, 2008
However, to account for password resets and account lockouts, you assign the central DC to be the PDC emulator. That controller receives and sends security events as "urgent", or even higher than urgent in the case of lockouts. All DCs should be updating that information quickly.
That way full replication takes place on your schedule but issues of security can be handled quickly.
posted by dosterm at 12:24 PM on March 25, 2008
This thread is closed to new comments.
But, in very general terms, I'd put a domain controller at each site with a terminal server running alongside it (the DC could be a virtual machine, doesn't have to be separate hardware). The DC has the OU for that site, all site users/objects in that OU. This keeps your folder redirection and RP's intact. Go up a level to "regionalize" if you want, and set up a global catalog to handle load balancing on the active directory. I'd set up site replication between certain sites for redundancy - tht's the regional aspect - so that if the parent domain can't replicate to its partners at least authentication can be handed off to another, regionally-close DC. I really think you want to handle authentication as close to each site as you can, though, and that's why a DC at each location makes the most sense to me. But I am old school about these things.
OpenVPN should be able to handle all of this quite gracefully, but I'm not nearly familiar enough with it to guarantee that.
That's a very, very rough sketch. But definitely look at using OU's to structure this.
posted by disclaimer at 11:53 AM on March 25, 2008