Active Directory setup with multiple branches


I am looking to get started with AD, only used it briefly before.

Our business currently does not use AD at all; however, we are thinking of setting it up. We have one head office branch, and then roughly 8 sub-branches, possibly more in the future (max ~20 or so)...

Just wondering what the best way to set up a Windows Server running AD on it is. I've seen some people say sites, some say forests, and others say just use a site-to-site VPN. What is the most efficient way to do this? Also, if I do use sites and have a DC in each site, do I need to pay for licensing for each DC?


The solution could run the gamut, from a single DC and site-to-site VPNs to redundant DCs at each site. If you're not a heavy AD user already, I'd look into Azure AD and see if it fits your needs. You wouldn't have to license, install, or maintain any hardware. Azure AD is included with E3 or E5 (popular plans for medium and larger businesses that build business processes around Office 365). I would highly recommend talking with a local consultant or MSP (managed service provider) about your particular situation (FD: I work for an MSP).

LeeM
I agree this would probably be the best way to go if there's no requirement for AD (like no on-prem file or print servers, etc.), given the obvious level of expertise here.

Christian
For compliance purposes we need GPOs.

The bulk of GPO options can be accomplished with Azure AD and Intune. Both are part of E3.


I support the previous response to just skip it. Some reasons:

  1. What would you actually be using AD for? If it's an established business, you obviously don't have on-prem Exchange and probably not file/print. Perhaps there's some line-of-business application/database that supports AD, but not Azure, and would benefit from centralised authentication. But if there's no use-case for AD, don't use it.

  2. You apparently don't know much about AD. To cover a partial list of AD design choices just from what you mentioned in one sentence: every AD instance consists of a forest and at least one domain (often just the one and the same, these days); an AD site is not really tied to physical locations; if you have multiple DCs in well-connected locations, you can have them all in the same default "site" (all the ports needed for clients to auth with a DC are needed for DC <-> DC communications anyway); but running just a single DC for a business is risky at best. So if you have at least two locations, you should use them to spread your DCs around. This doesn't even scratch the surface of designing an AD site topology, let alone any of the other concerns involved in creating/administering an AD forest and its users.
    (Here's another: do you have server rooms in these locations? Or would you have the servers in the office stationery cupboards, where they can overheat, be turned off by cleaners or someone charging their phone, or be stolen, complete with all the security information like account IDs and passwords, by any passer-by?)

  3. It introduces complexity with licensing and so on: how will the AD server OSes be licensed? While the E3/E5 licences for Office aren't cheap, plus whatever the licence is that covers Windows (and Defender?), if you're using Office products (including Exchange Online and/or SharePoint Online/Teams), you may find it works out economically to go that route and use the 365 licensing instead. AD isn't required if you simply "join" your Windows devices in Azure AD and manage them and the users there. If you don't want 365 services, you need "Client Access Licenses" (CALs) to allow your users (and Windows machines) to use Active Directory. I think you get 10 CALs out-of-the-box with one Windows Server licence. You must have at least one CAL per user. You need additional per-product CALs if you're using products like on-prem Exchange or SQL, etc.

  4. Many many other considerations, which mostly depend on why you'd want it at all.

I have set up a greenfield AD in the past couple of years, and that was to migrate from an existing eDirectory environment with on-prem services to an environment that supports integration with 365 services (including EXO/Teams/SPO, etc.). Something like that, or creating a predominantly on-prem environment with file/print/application services that integrate with AD, are pretty much the only reasons I'd recommend setting up a new AD these days. Especially for a small business, and even more so if there is no in-house expertise.
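To make the site-topology point in item 2 concrete, here is an added example (not code from the answerer) using the ActiveDirectory RSAT module: it defines a head-office site plus branch sites and subnets, links them hub-and-spoke, and then flags sites with fewer than two DCs. All site names and subnet ranges are made up for illustration.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory
# module (RSAT) and Domain Admin rights in the target forest.
# All site names and subnets below are constructed for illustration.
Import-Module ActiveDirectory

# Head office plus branches. Sites are logical, so two well-connected
# branches can share one site instead of each getting its own.
$topology = @{
    'HeadOffice'   = @('10.10.0.0/16')
    'Branch-North' = @('10.20.0.0/24', '10.21.0.0/24')   # two branches, one site
    'Branch-South' = @('10.30.0.0/24')
}

foreach ($site in $topology.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($subnet in $topology[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
            # Subnets are what map a client or DC to a site for authentication.
            New-ADReplicationSubnet -Name $subnet -Site $site
        }
    }
}

# Hub-and-spoke site links from head office to each branch site.
foreach ($branch in ($topology.Keys | Where-Object { $_ -ne 'HeadOffice' })) {
    $linkName = "HeadOffice-$branch"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded 'HeadOffice', $branch `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Resilience check: a site with fewer than two DCs is a single point of failure,
# and a DC still in Default-First-Site-Name has not been placed deliberately.
$dcs = Get-ADDomainController -Filter *
$dcs | Group-Object Site | ForEach-Object {
    if ($_.Count -lt 2) { Write-Warning "Site $($_.Name) has only $($_.Count) DC(s)" }
}
$dcs | Where-Object Site -eq 'Default-First-Site-Name' |
    ForEach-Object { Write-Warning "$($_.HostName) is still in Default-First-Site-Name" }
```

On any domain-joined client, `nltest /dsgetsite` shows which site the subnet mapping resolved it to, which is the quickest way to confirm a branch is authenticating against its local DC.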
