{"id":43988,"date":"2021-06-17T11:00:00","date_gmt":"2021-06-17T15:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=43988"},"modified":"2024-01-29T14:00:55","modified_gmt":"2024-01-29T19:00:55","slug":"remote-domain-controller-setup","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/remote-domain-controller-setup","title":{"rendered":"Avoiding Remote Domain Controller Setup for Remote Offices"},"content":{"rendered":"\n
More and more IT admins are looking for alternatives to setting up a remote domain controller (DC) for each remote office. For a growing organization with a lean IT department, it can be ideal to avoid the travel, configuration, and maintenance labor, as well as the hardware costs, associated with additional DCs. Many admins also view unnecessary writable DCs at remote locations as a security liability. And since the global pandemic kicked off over a year ago, those users may not even be going into those remote offices but simply working remotely, so managing that change is critical.

There's debate around how to manage people in remote locations all at once, rather than managing fully functional domain controllers at each remote location. Some organizations connect computers at smaller remote offices directly back to their home DC over a VPN or WAN, and others use read-only domain controllers (RODCs). Still others are pursuing a more modern cloud-based approach to extend user identities from their home DC to remote workers in all locations, without any additional network infrastructure. And others still are opting to go fully remote and eliminate the need for a domain controller altogether. With the COVID-19 pandemic still impacting the world, IT admins are completely rethinking how to build their IT infrastructure and which tools to use.

If you've been managing Microsoft Active Directory® (AD) environments for a long time, you may still be tempted to have at least one DC (probably two for redundancy) at each remote office as a best practice to ensure availability and connectivity for user authentication. However, the characteristics of remote facilities vary, and with those individual factors and the convenience of modern solutions in mind, you may want to reconsider, especially as the world continues to push for and expect a hybrid workplace. Let's look at some of the scenarios that can make an alternative approach more appealing.

Remote Office Facility Considerations

Consider the following questions when planning your domain configuration for a new branch office or decommissioning a remote location:

If you're faced with any of the above scenarios, your organization's remote office is probably a good candidate for one of the following alternatives to setting up a remote DC.

Direct Connections to the Home DC

Some IT admins prefer to focus their energy on connecting users to the IT resources they need and keeping their team productive rather than on server setup and management, so they allow users' workstations to authenticate directly against the home domain controller. There are a couple of different ways to go about this:

The WAN approach can sometimes be more reliable and secure, but it tends to require more configuration labor and results in an expensive utility bill. It also assumes that users are in the office, which may not be a safe assumption at this point in time. VPNs can be a hassle for users, but they can be more straightforward on the IT side as well as more cost-effective if the office doesn't have enough users to justify a WAN. A VPN can also be connected to from practically anywhere, which gives IT more flexibility.

In both networking scenarios, you're taking advantage of a feature originally built into AD to reinforce availability. You configure workstations to query a hierarchy of nearest DCs, so that if one is down, the next closest one can still authenticate the user. With modern internet speeds, this method can usually work across longer distances without significant delays at login. However, the possibility of hiccups when syncing AD credentials over VPN does exist. If the networking involved in this solution sounds frustrating, you may want to consider another approach.

Read-Only Domain Controllers (RODCs)

After recognizing some of the challenges that come with fully writable remote domain controllers, Microsoft® introduced the RODC option back in 2008. Because it stores a read-only copy of the Active Directory database, an RODC is less vulnerable to attacks than its writable counterparts. Bad actors may still be able to scrape important data — including any user credentials cached on it — from an RODC, but they won't be able to make changes to the database or, in theory, reach the writable home DC. And because data syncs in only one direction, from the home DC to the RODC, little on-site IT interaction is required after initial setup (assuming that the network and servers are stable).

With an RODC, instead of connecting each end user's workstation directly to the home DC via VPN or WAN, you establish one secure connection between the RODC and the home DC and let each computer interface locally with the RODC. This can create a smoother user experience and reduce the number of secure network connections IT staff need to monitor and maintain. An RODC can also be configured to remain an available authentication point even during an internet outage. For this to work, you need to make sure the RODC settings allow replication and offline caching of credentials.

The RODC solution can be an appealing alternative to a full DC, though it still requires additional on-prem hardware and may not be as efficient, flexible, or cost-effective as a more modern approach to managing remote offices. Of course, an RODC still doesn't solve the problem if you are transitioning away from remote offices or offering hybrid workplace options. Instead, you may be able to extend your home AD instance to remote offices and remote workers without any new hardware or tunneling.

Managing Remote Offices With a Universal AD Extension

Over the last few years, a modern cloud solution has emerged that lets you securely extend Active Directory identities from your home DC to any remote location without any additional networking or hardware. Layered on top of AD, this solution can act as a two-way identity bridge between remote workstations and the home DC, securely writing user credential changes back to the AD database.

This AD integration is designed to be OS-agnostic, allowing Mac and Linux systems in any location to integrate with your on-prem directory. It even extends remote system management capabilities to these machines, with the ability to push GPO-like functions to all three major operating systems.

By incorporating this kind of AD extension, known as a cloud directory service, you may also be able to replace other third-party AD add-ons, rolling SSO functions for SaaS apps and cloud computing platforms into a single solution that provides multi-factor authentication, network authentication, cloud LDAP servers, hosted RADIUS, and more. In fact, you may not need remote DCs at all, yet you can still take advantage of your existing AD deployment.

For those organizations that are shifting to a more remote workforce and eliminating remote offices, a cloud identity bridge can be a powerful concept, but even thinking about shifting your directory to the cloud may offer more advantages. IT organizations can completely manage and control access to a wide range of IT resources, including systems, applications, files, and networks, regardless of platform, protocol, provider, and location. That gives IT a massive amount of flexibility to react to the changing needs of the business — whether expanding or contracting remote offices is the right decision. It will also help shape the decision as to whether shifting to a completely remote workforce is the right answer for the organization.