More and more IT admins are looking for alternatives to setting up a remote domain controller (DC) for each branch office. For a growing organization with a lean IT department, it could be ideal to avoid the travel, configuration and maintenance labor, and hardware costs associated with additional DCs. Many admins also view unnecessary writeable DCs at remote locations as a security liability.
There’s some debate about the best way to avoid managing fully functional domain controllers at each remote location. Some organizations connect computers at smaller remote offices directly back to their home DC over a VPN or WAN, and others use read-only domain controllers (RODCs). Still others are pursuing a more modern cloud-based approach to extend user identities from their home DC to remote workers in all locations, without any additional network infrastructure.
If you’ve been managing Active Directory® (AD) environments for a long time, you may still be tempted to have at least one DC (probably two for redundancy) at each remote office as a best practice to ensure availability and connectivity for user authentication. But the characteristics of remote facilities can vary, and with those individual factors and the convenience of modern solutions in mind, you may want to reconsider. Let’s look at some of the scenarios that can make an alternative approach more appealing.
Remote Office Facility Considerations
Consider the following questions when planning your domain configuration for a new branch office:
- Will the space be shared or private? What physical security measures will be in place?
- Servers housed in a shared office or one with less-than-optimal building protection can be vulnerable to attacks and may not meet industry compliance regulations.
- Is the office temporary or permanent?
- For a temporary space, configuring a DC and the necessary WAN and/or VPN connections back to your home office could be an inefficient use of resources.
- How many employees will work there?
- A branch office without on-site IT staff for ongoing maintenance and troubleshooting still needs a reliable solution for user authentication and system management, but is the upkeep of additional DCs justified?
- How reliable is the network connection infrastructure?
- If the facility doesn’t have a fast, dependable internet connection, managing and syncing remote hardware can be an issue.
- Do the end users at the remote location have any unique requirements for their roles?
- You may want to consider whether the same policies and management approaches you use at the home office will be applicable to employees at the remote location.
If you’re faced with any of the above scenarios, your organization’s new branch office is probably a good candidate for one of the following alternatives to setting up a remote DC.
Direct Connections to the Home DC
Some IT admins prefer to focus their energy on network infrastructure rather than server setup, allowing users’ workstations to authenticate directly against the home domain controller. There are a couple of different ways to go about this: You can configure the office as part of a WAN or have each user connect to a VPN. The WAN approach can sometimes be more reliable and secure, but it tends to require more configuration labor and an expensive utility bill. VPNs can be a hassle for users, but they can be more straightforward on the IT side and more cost-effective if the office doesn’t have enough users to justify a WAN.
In both networking scenarios, you’re taking advantage of a feature that was originally built into AD to reinforce availability. You configure workstations to query a hierarchy of nearest DCs, so that if one is down, the next closest one can still authenticate the user. With modern internet speeds, this method can usually work across longer distances without significant delays at login for the user. The possibility of hiccups when syncing AD credentials over VPN, however, does exist. If the networking involved in this solution sounds frustrating, you may want to consider another approach.
Read-Only Domain Controllers (RODCs)
Recognizing some of the challenges that come with fully writable remote domain controllers, Microsoft® introduced the RODC option back in 2008. Because it stores a read-only copy of the Active Directory database, an RODC is less vulnerable to attacks than its writable counterparts. Bad actors may still be able to scrape important data — including user credentials — from an RODC, but they won’t be able to make changes to the database or access the writable home DC. And because data syncs in only one direction, from the home DC to the RODC, little on-site IT interaction is required after initial setup.
With an RODC, instead of connecting each end user’s workstation directly to the home DC via VPN or WAN, you establish one secure connection between the RODC and the home DC and let each computer interface locally with the RODC. This can create a smoother user experience and reduce the number of secure network connections IT staff needs to monitor and maintain. An RODC can also be configured to maintain an available authentication point even in the face of an internet outage. In order for this to work, you need to make sure the RODC settings allow replication and offline caching of credentials. The RODC solution can be an appealing alternative to a full DC, though it still requires additional on-prem hardware and may not be as efficient, flexible, or cost-effective as a more modern approach to managing remote offices. Instead, you may be able to extend your home AD instance to branch offices and remote workers without any new hardware or tunneling.
Managing Remote Offices With a Universal AD Extension
Over the last few years, a modern cloud solution has emerged that lets you securely extend Active Directory identities from your home DC to any remote location without any additional networking or hardware. Layered on top of AD, this solution can act as a two-way identity bridge between remote workstations and the home DC, securely writing user credential changes back to the AD database.
This AD integration is designed to be OS-agnostic, allowing Mac® and Linux® systems in any location to integrate with your on-prem directory. It even extends remote system management capabilities to these machines, with the ability to push GPO-like functions to all three major operating systems.
By incorporating this kind of AD extension, known as a cloud directory service, you may also be able replace other third-party AD add-ons, rolling SSO functions for SaaS apps and cloud computing platforms into a single solution that provides MFA/2FA, network authentication, cloud LDAP servers, and more. If this approach to remote office IT sounds appealing, learn more about JumpCloud’s AD Integration.