April 2004

AD Branch Office Design

Keep in mind a few principles, and keep your sanity

I'll use an example to illustrate the authentication and query requirements that a small-to-midsized branch office might have and how they affect branch-office design. Bigtex.net has one branch office in the town of Dripping Springs in the Texas Hill Country. That office is connected to the corporate office in Fort Worth by a 512Kbps WAN circuit. The company has one domain and 200 employees, 150 of whom are in Fort Worth. The branch office has a file and print server to service its 50 employees, who make sales calls.

If the Dripping Springs office has no DC and is simply part of another site, every authentication from its 50 users must cross the WAN circuit. How does that authentication traffic compare with the AD replication traffic a local DC would generate? The entire company has only 200 employees, so the directory is small and the amount of AD data to replicate across the WAN is small. Traffic analysis favors landing a DC in the Dripping Springs office.

This example reveals another principle: Smaller companies with large branch offices benefit sooner from a branch office DC, because in that situation authentication traffic outweighs replication traffic (the directory is small, so there is little to replicate, while a large branch generates many logons). A small company's WAN circuits are also more likely to have less bandwidth than a larger company's, for cost reasons, which tilts the balance further toward local DCs for a small company with large branch offices.

In fact, placing a DC locally at a branch office has a lot of advantages. Replication traffic is more static and predictable than authentication traffic, which varies with the time of day and the number of users at the branch. Some network applications, whether onsite or offsite, require speedy access to the GC; for example, Exchange 2000 Server needs the GC for email address lookups. Without an onsite DC, clients can't log on to the network and access resources, even local resources, if your WAN links are down (something to think about if your links are unreliable). With so many advantages to landing DCs at your branch offices, why wouldn't you choose this option?

I already mentioned one reason: lack of physical security. The other big reason is cost. Companies typically have many more small offices than large offices. If a company has three main locations with 2 DCs each and 30 field sales offices across the country, landing a DC in each field sales office increases the DC population from 6 to 36, six times the hardware cost of your AD infrastructure (a 500 percent increase). The hardware increase is accompanied by a matching increase in support-contract costs.

Another reason is management. You've increased the number of sites, site links, and especially subnets that you must maintain from 3 to 33, an elevenfold (1000 percent) increase. You have six times as many DCs to secure physically. How will you manage all these DCs? A DC has no separate local administrator: administrative access to a DC requires administrative rights to the domain, and anyone with that access can copy or alter the directory database that every other DC replicates. Are you willing to grant one or two people in every field sales office administrative rights to the entire domain? Let's hope not! Are you going to manage the DCs remotely, then? What will you do if a DC's network card has a problem?
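The management burden just described comes down to three kinds of objects per branch: the site, its subnet objects, and the DCs (and GCs) in it. The following Python is an added example, not code from the article, that models such a topology and audits it the way a branch-office designer would: which site a client address maps to (longest-prefix match, as the DC locator does), whether that site has a local DC and GC or the logon crosses the WAN, and which clients are turning up on subnets nobody registered, taken from the NO_CLIENT_SITE entries Netlogon records in netlogon.log. The site names, subnets, hostnames and log lines are all constructed for the example and are not the article's bigtex.net data.

```python
"""Site-coverage audit for a branch-office AD design (added example).

Models the sites, subnet objects and DCs an administrator maintains per
branch, and answers two questions the text raises: does a client's logon
stay local or cross the WAN, and which clients sit on unregistered subnets.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    dcs: list = field(default_factory=list)   # DC hostnames in the site
    gcs: list = field(default_factory=list)   # the subset that hold the GC


# Constructed topology (hypothetical names): a hub with two DCs, a branch
# with one DC that is also a GC, a branch whose DC is not a GC, and a site
# that has been defined but has no DC yet.
SITES = {
    "Fort-Worth": Site("Fort-Worth", ["FW-DC1", "FW-DC2"], ["FW-DC1"]),
    "Dripping-Springs": Site("Dripping-Springs", ["DS-DC1"], ["DS-DC1"]),
    "San-Antonio": Site("San-Antonio", ["SA-DC1"], []),
    "Austin": Site("Austin"),
}

# Subnet objects (as kept under CN=Subnets,CN=Sites) mapped to site names.
SUBNETS = {
    "10.1.0.0/16": "Fort-Worth",
    "10.1.200.0/24": "Austin",          # more specific than 10.1.0.0/16
    "10.2.5.0/24": "Dripping-Springs",
    "10.4.0.0/16": "San-Antonio",
}


def site_for(ip: str, subnets=SUBNETS):
    """Return the site covering ip, or None if no subnet object matches.
    The longest (most specific) prefix wins, as in the DC locator."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def logon_path(ip: str, sites=SITES, subnets=SUBNETS):
    """Classify where a client's authentication and GC traffic goes."""
    name = site_for(ip, subnets)
    if name is None:
        return "unmapped"        # no site affinity: any DC in the domain may answer
    site = sites[name]
    if not site.dcs:
        return "wan"             # site defined but no DC: every logon crosses the WAN
    if not site.gcs:
        return "local-dc-no-gc"  # logons stay local, GC lookups (Exchange) cross the WAN
    return "local"


# Netlogon writes one NO_CLIENT_SITE line per client whose address matched
# no subnet object; the exact prefix of the line varies by OS build.
NO_CLIENT_SITE = re.compile(r"NO_CLIENT_SITE:\s+(?P<host>\S+)\s+(?P<ip>[\d.]+)")


def unmapped_clients(netlogon_log: str):
    """Group NO_CLIENT_SITE entries by the /24 they fall in, so the
    administrator can see which subnet objects are missing."""
    counts = Counter()
    for m in NO_CLIENT_SITE.finditer(netlogon_log):
        net = ipaddress.ip_network(f"{m['ip']}/24", strict=False)
        counts[str(net)] += 1
    return dict(counts)


# Constructed sample in the shape of netlogon.log entries (not a real log).
SAMPLE_LOG = """\
04/26 08:02:11 [MISC] bigtex: NO_CLIENT_SITE: SALES-LT07 10.3.7.21
04/26 08:02:15 [MISC] bigtex: NO_CLIENT_SITE: SALES-LT12 10.3.7.44
04/26 08:05:40 [MISC] bigtex: NO_CLIENT_SITE: KIOSK-01 192.168.50.9
"""

if __name__ == "__main__":
    for ip in ("10.1.4.20", "10.1.200.7", "10.2.5.30", "10.4.1.1", "10.9.9.9"):
        print(f"{ip:<12} site={site_for(ip)!s:<17} path={logon_path(ip)}")
    print("unregistered subnets seen by Netlogon:", unmapped_clients(SAMPLE_LOG))
```

Run it as-is to see the classification of the constructed addresses; in a real forest, replace the two dictionaries with the output of the Sites and Services snap-in (or an LDAP query of CN=Sites) and feed each DC's %SystemRoot%\debug\netlogon.log to unmapped_clients. Any "wan" or "unmapped" result is a branch whose logons are crossing the circuit you sized in the traffic analysis.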

These are all strong arguments for a Keep It Simple, Stupid (KISS) approach and Sean's Maxim of Minimum: Just because you can, doesn't mean you should. AD is powerful, with thousands of individual settings. Unless you have a specific reason to make your site topology more complicated, and are willing to keep track of those complications, leave it alone.

Figure 1 summarizes the DC placement decision process and its three analyses. If you can guarantee that a potential DC would be physically safe in a location (security analysis), you then need to determine whether the location really needs a DC (traffic analysis). If your company has multiple locations in the same mold as the sample office, they probably need the same configuration as this office, and you next must determine whether you can afford a DC for each of the similar offices (cost analysis). Note that costs include hardware, vendor support, and management costs. If the costs are acceptable, place the DCs according to your traffic-analysis results. If the costs are too high, review your analysis to see whether some smaller locations can do without DCs. If you can't stretch your DC budget any thinner without compromising performance or fault tolerance, you need to revisit the budget or begin planning now for trouble in the future.

Another alternative to landing a DC and GC at every branch office is to upgrade the WAN circuits to some of the branch offices. For a given site, a faster circuit can be a more cost-effective approach than landing a DC, and it leaves you with one less DC to secure and administer.



Reader Comments
"Clients on an unregistered subnet end up in the Default-First-Site-Name site,..." Is this functionality still in effect when Default-First-Site-Name is renamed to, e.g., a real location name?

Knut April 26, 2004


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing