
Active Directory + Branch office infrastructure design

An organization may have branch offices or stores in different geographical locations. Some of these branch office networks may not need to integrate with the corporate network. For example, a sales office may communicate with the head office only through email or phone, so that branch office network can work as a separate, independent structure.

But it is not always that simple. A branch office may also need to be part of the corporate network. In that case we need to plan properly which services should be deployed on the branch network, and how each service and resource should be optimized to maintain connectivity with the corporate network while also maintaining security and availability.

Active Directory is also crucial in branch office infrastructure design, and correct placement of its associated services matters just as much. The idea of this article is to provide tips and tricks that will help to build a proper branch office network.

Before going for implementation we need to consider the following:
1)    How are the branch office network and the corporate network connected?
2)    What is the bandwidth between the locations?
3)    What sort of operations will the branch office do?
4)    What data and resources does the branch office depend on from the corporate network?
5)    How often should those be updated or accessed?
6)    Who will manage the infrastructure?
7)    What security measures should be taken in the infrastructure design?
8)    What are the risks involved and how can we mitigate them?

The answers to those questions depend on the organization's business model. But if you have proper answers to them before starting the implementation, it solves 75% of the problems that can occur in the network.

Read Only Domain Controllers (RODC)

An RODC allows you to get rid of administrative overhead and implement local services in the branch network. I have already done a complete RODC implementation series, and you can get more info about RODC and its implementation from http://www.rebeladmin.com/2014/10/why-read-only-domain-controllers-rodc/

Global Catalog Server

A GC server is a distributed data repository that provides searching and logon across the AD forest. Its placement depends on the link between the branch office and the corporate network. It helps to optimize bandwidth usage, as we can use it to facilitate local logon without going through the WAN.

Universal Group Membership Caching (UGMC)

This is used when no global catalog server is in place in the branch network. It can also be used to prevent additional authentication traffic between the corporate network and the branch office network.
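As an added example (not code from the original post), this PowerShell snippet checks whether a branch site has a local Global Catalog and, if not, whether UGMC is enabled for it; the site name is a placeholder, and it assumes the ActiveDirectory module on a domain-joined admin host.

```powershell
# Added example: audit GC placement and Universal Group Membership Caching for one AD site.
# Assumes the ActiveDirectory module; 'Branch-Site-01' is a placeholder site name.
Import-Module ActiveDirectory

$SiteName = 'Branch-Site-01'   # placeholder, change to your branch office site

# Domain controllers in the branch site, with GC and RODC status
$branchDCs = Get-ADDomainController -Filter "Site -eq '$SiteName'" |
    Select-Object HostName, IsGlobalCatalog, IsReadOnly

if (-not $branchDCs) {
    Write-Warning "No domain controllers in site '$SiteName'; logons will cross the WAN."
}
$branchDCs | Format-Table -AutoSize

# UGMC is bit 0x20 of the 'options' attribute on the site's NTDS Site Settings object;
# msDS-Preferred-GC-Site names the site whose GC refreshes the cache
$configNC     = (Get-ADRootDSE).configurationNamingContext
$siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC" `
    -Properties options, 'msDS-Preferred-GC-Site'

$ugmcEnabled = (([int]$siteSettings.options) -band 0x20) -ne 0
$hasLocalGC  = [bool]($branchDCs | Where-Object IsGlobalCatalog)

if ($hasLocalGC) {
    "Site '$SiteName' has a local Global Catalog; UGMC is not needed here."
}
elseif ($ugmcEnabled) {
    "Site '$SiteName' has no local GC but UGMC is enabled (refresh site: $($siteSettings.'msDS-Preferred-GC-Site'))."
}
else {
    Write-Warning "Site '$SiteName' has neither a local GC nor UGMC: universal group lookups at logon will go over the WAN."
}
```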

DNS Server

You must install the DNS role in the branch office network even if it is an RODC, so users in the branch office can query DNS records even when connectivity to the corporate network is unavailable. If it is an RODC you can use primary read-only zones, so it copies all the forest and domain DNS zones. If it is not an RODC you can keep it as a secondary DNS server.

DHCP Server

If the devices in the branch office are going to use DHCP for IP assignment, it is important to deploy a DHCP server in the branch office. It reduces support issues and traffic on the WAN link, and it also helps to maintain availability even when the WAN is down.

BranchCache

This is also very important in a branch office network. It caches content that is accessed from the corporate network. It runs in two modes.
1)    Distributed cache mode – This distributes cached content among the user computers.
2)    Hosted cache mode – This stores cached content on a server in the branch office and distributes data from there.

The recommended mode is hosted cache mode, as it increases cache availability and also allows multi-subnet access. However, it depends on the budget and the requirements, as it needs a server.

You can use distributed cache mode if:
1)    The network serves fewer than 100 users
2)    No servers are deployed in the network
3)    There are multiple subnets with fewer than 100 users in each

You can go for hosted cache mode if:
1)    The network serves more than 100 users
2)    There are multiple subnets with a large number of users
3)    Additional servers are in the branch office
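As an added example (not from the original post), this PowerShell script applies the thresholds above to pick a BranchCache client mode and configures it; the user counts and the hosted cache server name are constructed placeholders, and it assumes the BranchCache module (Windows 8 / Server 2012 or later) run from an elevated session.

```powershell
# Added example: choose and apply the BranchCache client mode for a branch office.
# Assumes the BranchCache module; counts and server name below are placeholders.
Import-Module BranchCache

$UsersInBranch     = 140                       # constructed: total users in the branch
$UsersPerSubnet    = @(90, 50)                 # constructed: users in each branch subnet
$ServersInBranch   = 1                         # constructed: servers already deployed locally
$HostedCacheServer = 'bc-host01.corp.example'  # placeholder hosted cache server FQDN

function Select-BranchCacheMode {
    param([int]$Users, [int[]]$PerSubnet, [int]$Servers)
    # Hosted cache: more than 100 users, a large subnet, or servers already in the branch
    if ($Users -gt 100 -or $Servers -gt 0 -or ($PerSubnet | Where-Object { $_ -ge 100 })) {
        return 'Hosted'
    }
    # Distributed cache: fewer than 100 users, no servers, every subnet below 100 users
    return 'Distributed'
}

$mode = Select-BranchCacheMode -Users $UsersInBranch -PerSubnet $UsersPerSubnet -Servers $ServersInBranch
"Selected BranchCache mode: $mode"

switch ($mode) {
    'Hosted' {
        # Client side of hosted cache mode; the cache server itself is set up with Enable-BCHostedServer
        Enable-BCHostedClient -ServerNames $HostedCacheServer
    }
    'Distributed' {
        # Peers on the same subnet serve cached content to each other
        Enable-BCDistributed
    }
}

# Confirm what the client is actually configured for
Get-BCStatus | Select-Object -ExpandProperty ClientConfiguration
```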

These are the main services that are important for branch office network design, but depending on the operational requirements you can place other services and optimize them for branch office use.

If you have any questions about the post, feel free to contact me at rebeladm@live.com
