More and more IT admins are looking for alternatives to setting up a remote domain controller (DC) for each remote office. For a growing organization with a lean IT department, it could be ideal to avoid the travel, configuration, and maintenance labor, as well as the hardware costs associated with additional DCs. Many admins also view unnecessary writeable DCs at remote locations as a security liability. And, since the global pandemic kicked off over a year ago, those users may not even be going into those remote offices and just working remotely, so managing that change is critical.
There’s debate around how to manage people in remote locations all at once, rather than managing fully functional domain controllers at each remote location. Some organizations connect computers at smaller remote offices directly back to their home DC over a VPN or WAN, and others use read-only domain controllers (RODCs). Still others are pursuing a more modern cloud-based approach to extend user identities from their home DC to remote workers in all locations, without any additional network infrastructure. And still others are opting to go fully remote and eliminate the need for a domain controller altogether. With the COVID-19 pandemic still impacting the world, IT admins are completely rethinking how to build their IT infrastructure and what tools to use.
If you’ve been managing Microsoft Active Directory® (AD) environments for a long time, you may still be tempted to have at least one DC (probably two for redundancy) at each remote office as a best practice to ensure availability and connectivity for user authentication. However, the characteristics of remote facilities can vary, and with those individual factors and the convenience of modern solutions in mind, you may want to reconsider – especially as the world continues to push for and expect a hybrid workplace. Let’s look at some of the scenarios that can make an alternative approach more appealing.
Remote Office Facility Considerations
Consider the following questions when planning your domain configuration for a new branch office or decommissioning a remote location:
- Will the space be shared or private? What physical security measures will be in place?
  - Servers housed in a shared office or one with less-than-optimal building protection can be vulnerable to attacks and may not meet industry compliance regulations.
- Is the office temporary or permanent? Are you eliminating the office?
  - For a temporary space, configuring a DC and the necessary WAN and/or VPN connections back to your home office could be an inefficient use of resources.
  - If you are eliminating the office, how will remote workers be able to connect to their IT resources? Will they VPN into the main on-prem network, or are you contemplating a complete shift to the cloud?
- How many employees will work there?
  - A remote office without on-site IT staff for ongoing maintenance and troubleshooting still needs a reliable solution for user authentication and system management, but is the upkeep of additional DCs justified?
- How reliable is the network connection infrastructure?
  - If the facility doesn’t have a fast, dependable internet connection, managing and syncing remote hardware can be an issue.
- Do the end users at the remote location have any unique requirements for their roles?
  - You may want to consider whether the same policies and management approaches you use at the home office will be applicable to employees at the remote location.
- Is your organization looking to shift any of the employees at this location to full-time remote work?
  - Are you shifting to remote work or even hybrid workplace scenarios?
  - Will your users need to be able to function in the office and at home similarly?
  - Is there a shift to be more flexible on work location, and how does that impact your access management approach?
If you’re faced with any of the above scenarios, your organization’s remote office is probably a good candidate for one of the following alternatives to setting up a remote DC.
Direct Connections to the Home DC
Some IT admins prefer to focus their energy on connecting users to the IT resources they need and making their team productive rather than on server setup and management, so they let users’ workstations authenticate directly against the home domain controller. There are a couple of different ways to go about this:
- You can configure the office as part of a WAN using an MPLS network
- You can have each user connect to a VPN
The WAN approach can sometimes be more reliable and secure, but it tends to require more configuration labor and results in an expensive utility bill. It also assumes that users are in the office, which may not be a safe assumption at this point in time. VPNs can be a hassle for users, but they can be more straightforward on the IT side as well as more cost-effective if the office doesn’t have enough users to justify a WAN. A VPN can also be reached from virtually anywhere, so it gives IT more flexibility.
In both networking scenarios, you’re taking advantage of a feature that was originally built into AD to reinforce availability. You configure workstations to query a hierarchy of nearest DCs, so that if one is down, the next closest one can still authenticate the user. With modern internet speeds, this method can usually work across longer distances without significant delays at login for the user. However, syncing AD credentials over a VPN can still hiccup. If the networking involved in this solution sounds frustrating, you may want to consider another approach.
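The "hierarchy of nearest DCs" above is driven by AD sites and subnets: the DC locator maps a workstation's IP to a site and returns a DC that serves that site, falling back to the next-closest site when none is reachable. The following PowerShell is an added example written for this post, not JumpCloud's or Microsoft's own code; the domain, site names and subnet are constructed placeholders, and it assumes the ActiveDirectory RSAT module and rights to manage Sites and Services.

```powershell
# Added example: define an AD site for a branch that has no DC of its own,
# map its subnet, link it to HQ, and verify which DC the locator hands out.
# The domain, site names and subnet below are constructed placeholders.
Import-Module ActiveDirectory

$domain     = 'corp.example.com'   # placeholder domain
$hqSite     = 'HQ'                 # placeholder; a fresh forest uses Default-First-Site-Name
$branchSite = 'Branch-Denver'      # placeholder branch site with no local DC
$branchNet  = '10.20.0.0/16'       # placeholder branch LAN (MPLS) or VPN address pool

# 1. Create the branch site and associate its subnet with it, so workstations
#    coming from that subnet are recognised as members of the branch site.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$branchSite'")) {
    New-ADReplicationSite -Name $branchSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$branchNet'")) {
    New-ADReplicationSubnet -Name $branchNet -Site $branchSite
}

# 2. Link the branch site to HQ. Because the branch has no DC, automatic site
#    coverage lets the DCs in the lowest-cost neighbouring site (HQ) register
#    locator records for the branch; if HQ is unreachable the locator moves on
#    to the next-closest site.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Denver'")) {
    New-ADReplicationSiteLink -Name 'HQ-Denver' `
        -SitesIncluded $hqSite, $branchSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 3. Verify from an admin workstation: which DC covers the branch site, and
#    which DC the locator would return from the next-closest site instead.
Get-ADDomainController -Discover -DomainName $domain -SiteName $branchSite |
    Select-Object HostName, Site
Get-ADDomainController -Discover -DomainName $domain -SiteName $branchSite -NextClosestSite |
    Select-Object HostName, Site

# 4. Verify from a branch workstation (over the VPN or WAN): the site it
#    believes it is in, and the DC its secure channel is currently bound to.
nltest /dsgetsite
nltest /sc_query:$domain
```

Steps 1 and 2 only need to run once; steps 3 and 4 are the checks worth repeating after a VPN address pool changes, since a subnet that is not mapped to any site leaves the locator free to pick a DC from anywhere in the domain.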
Read-Only Domain Controllers (RODCs)
After recognizing some of the challenges that come with fully writable remote domain controllers, Microsoft® introduced the RODC option back in 2008. Because it stores a read-only copy of the Active Directory database, an RODC is less vulnerable to attacks than its writable counterparts. Bad actors may still be able to scrape important data — including user credentials — from an RODC, but they won’t be able to make changes to the database or, in theory, reach the writable home DC. And because data syncs in only one direction, from the home DC to the RODC, little on-site IT interaction is required after initial setup (assuming that the network and servers are stable).
With an RODC, instead of connecting each end user’s workstation directly to the home DC via VPN or WAN, you establish one secure connection between the RODC and the home DC and let each computer interface locally with the RODC. This can create a smoother user experience and reduce the number of secure network connections IT staff need to monitor and maintain. An RODC can also be configured to maintain an available authentication point even in the face of an internet outage. For this to work, make sure the RODC’s settings allow the replication and local caching of those users’ credentials.
The RODC solution can be an appealing alternative to a full DC, though it still requires additional on-prem hardware and may not be as efficient, flexible, or cost-effective as a more modern approach to managing remote offices. Of course, an RODC still doesn’t solve the problem if you are transitioning away from remote offices or offering hybrid workplace options. Instead, you may be able to extend your home AD instance to remote offices and remote workers without any new hardware or tunneling.
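The setting that controls which credentials an RODC is allowed to cache is its Password Replication Policy (PRP). Since the post notes that credentials can be scraped from a lost or compromised RODC, the PRP is also where you limit the blast radius: cache only the branch users, keep privileged accounts in the denied list, and know at any time which accounts are actually stored on the box. The PowerShell below is an added example written for this post, not JumpCloud's or Microsoft's own code; the RODC, group, site and source DC names are constructed placeholders, and it assumes the ActiveDirectory RSAT module and rights to manage the RODC's PRP.

```powershell
# Added example: scope what an RODC may cache and audit what it has cached.
# RODC, group, site and source-DC names are constructed placeholders.
Import-Module ActiveDirectory

$rodc        = 'DEN-RODC01'             # placeholder RODC computer name
$sourceDc    = 'HQ-DC01'                # placeholder writable DC at HQ
$branchUsers = 'Branch-Denver-Users'    # placeholder group of people who work at the branch
$branchSite  = 'Branch-Denver'          # placeholder AD site

# Promotion is a one-time step run on the new server; shown here (commented
# out) because it is where the PRP and delegated admin are first set:
# only the branch users may be cached, privileged accounts are denied, and
# the branch admin account gets local control of the RODC without being a
# domain admin.
# Install-ADDSDomainController -DomainName 'corp.example.com' -ReadOnlyReplica `
#     -SiteName $branchSite `
#     -AllowPasswordReplicationAccountName $branchUsers `
#     -DenyPasswordReplicationAccountName 'Domain Admins' `
#     -DelegatedAdministratorAccountName 'Branch-Denver-Admins' `
#     -InstallDns

# 1. On an existing RODC, allow credential caching for the branch users only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchUsers

# 2. Review the policy. Privileged principals should appear on the denied side;
#    the built-in 'Denied RODC Password Replication Group' already covers
#    Domain Admins, Enterprise Admins and other high-value accounts.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 3. Pre-populate the cache while the link to HQ is up, so branch users can
#    still log on during an outage (repadmin.exe ships with the AD DS tools).
Get-ADGroupMember -Identity $branchUsers -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { repadmin /rodcpwdrepl $rodc $sourceDc $_.distinguishedName }

# 4. Audit: every account whose secret is now stored on the RODC. If the server
#    is ever lost or compromised, this is the set of passwords to reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

Step 4 is the one to schedule: the revealed-accounts list grows as users authenticate through the RODC, and if it ever contains an account that should have been denied, the PRP (or group membership) needs fixing before anything else.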
Managing Remote Offices With a Universal AD Extension
Over the last few years, a modern cloud solution has emerged that lets you securely extend Active Directory identities from your home DC to any remote location without any additional networking or hardware. Layered on top of AD, this solution can act as a two-way identity bridge between remote workstations and the home DC, securely writing user credential changes back to the AD database.
This AD integration is designed to be OS-agnostic, allowing Mac and Linux systems in any location to integrate with your on-prem directory. It even extends remote system management capabilities to these machines, with the ability to push GPO-like functions to all three major operating systems.
By incorporating this kind of AD extension, known as a cloud directory service, you may also be able to replace other third-party AD add-ons, rolling SSO functions for SaaS apps and cloud computing platforms into a single solution that provides multi-factor authentication, network authentication, cloud LDAP servers, hosted RADIUS, and more. In fact, you may not need remote DCs at all, but can still take advantage of your existing AD deployment.
For those organizations that are shifting to a more remote workforce and eliminating remote offices, a cloud identity bridge can be a powerful concept, but even thinking about shifting your directory to the cloud may offer more advantages. IT organizations can completely manage and control access to a wide range of IT resources including systems, applications, files, and networks regardless of platform, protocol, provider, and location. That gives IT a massive amount of flexibility to react to the changing needs of the business — whether expanding or contracting remote offices is the right decision. It will also help shape a decision as to whether shifting to a completely remote workforce is the right answer for the organization.
If this flexible approach to remote office IT sounds appealing, learn more about JumpCloud’s Active Directory Integration and JumpCloud’s Directory Platform.