RE: Large number of Branch Offices - Q




Hi, thanks for getting back. I do think that they have little choice but to
include a domain controller at each site. We agree there are workarounds, but
none of them are considered best practice. It is a frustrating design
implication of Kerberos.

Thanks for the feedback, I'll stick with the domain controller requirement
recommendation.

Terry

"Brian Delaney" wrote:

The reality is, if your end goal is for it to be transparent to the user when
the WAN link goes down, you need a DC in the branch offices with appropriate
GC placement and use of UGC.

Why would they get rid of this design when it was already configured this way?

As for your workarounds:
"Local shadow accounts on the member file server with dual permissions"
-this is going to take a great deal of administrative overhead based on how
many sites you say the customer has. Also, how do you plan on keeping the
passwords in sync between the local account on the member server and the
domain account? If you never plan on changing the local account passwords,
that's a major security issue.

Some implementation of offline folders
-this may provide some relief, however there are quite a few considerations.
Does each client have enough hard drive space to cache all the data they
need? If the server is still online and the machines can connect, they will
not go offline and allow you to use your offline cache. So you will either
need to use csccmd to disconnect them and go offline, or unplug the NIC on the
file server in the event of a WAN outage. What about conflict resolution? If the
WAN connection is down all day, when it comes back up, if multiple changes have
been made by different users to the same file, the last writer will win.


Emergency modem - vpn access with acl for member server --> DC auth
-a backup WAN connection is really the only way you can properly do
this, but if you have a backup WAN connection that's really not a WAN
outage. Plus you will need to have appropriate speed connections based on
the number of users, and of course the cost may be a factor.

Manually defined site links and effective overriding of KCC to simulate a
'read-only' type of hub and spoke system if a domain controller is implemented
-not quite sure what you mean by this, but there is no simulation of a
read-only hub and spoke. Please clarify.

--
Brian Delaney, MCSE
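The recommendation above (a DC in every branch, with GC placement or universal group membership caching so logons do not depend on the WAN) is something you can audit rather than assume. The following is an added example, not code from anyone in this thread: it walks every AD site, counts the domain controllers and global catalogs placed there, reads the UGMC flag from the site's NTDS Site Settings object, and flags sites that would lose authentication in a WAN outage. It assumes the ActiveDirectory RSAT module and read access to the configuration partition; the 0x20 bit is the documented NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED value, and the risk labels are my own wording.

```powershell
# Added example (not from the thread): audit site coverage for the
# "DC in every branch with GC/UGC" recommendation.
# Assumes the ActiveDirectory RSAT module; run as a domain user with read access.
Import-Module ActiveDirectory

function Get-BranchAuthCoverage {
    $rootDse = Get-ADRootDSE
    $sitesDn = "CN=Sites,$($rootDse.configurationNamingContext)"

    # NTDS Site Settings 'options' bit 0x20 = universal group membership caching enabled
    $UgmcFlag = 0x20

    # DCs of the current domain, grouped by the site they are placed in.
    # (Get-ADDomainController covers one domain; repeat per domain in a forest.)
    $dcsBySite = Get-ADDomainController -Filter * |
        Group-Object -Property Site -AsHashTable -AsString

    # Subnets, so a site with clients but no DC stands out from an empty site.
    $subnets = Get-ADReplicationSubnet -Filter *

    foreach ($site in Get-ADReplicationSite -Filter *) {
        $dcs = @()
        if ($dcsBySite -and $dcsBySite.ContainsKey($site.Name)) {
            $dcs = @($dcsBySite[$site.Name])
        }

        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$($site.Name),$sitesDn" `
                        -Properties options -ErrorAction SilentlyContinue
        $opts = if ($settings -and $settings.options) { [int]$settings.options } else { 0 }

        $gcCount   = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
        $ugmc      = [bool]($opts -band $UgmcFlag)
        $subnetCnt = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName }).Count

        # Risk wording is the example author's, not Microsoft's.
        $risk = if ($dcs.Count -eq 0 -and $subnetCnt -gt 0) {
                    'No local DC: authentication fails when the WAN is down'
                } elseif ($dcs.Count -gt 0 -and $gcCount -eq 0 -and -not $ugmc) {
                    'Local DC but no GC and no UGMC: logons still depend on a remote GC'
                } elseif ($dcs.Count -eq 0) {
                    'No DC and no subnets: probably an unused site'
                } else {
                    'OK'
                }

        [pscustomobject]@{
            Site    = $site.Name
            Subnets = $subnetCnt
            DCs     = $dcs.Count
            GCs     = $gcCount
            UGMC    = $ugmc
            Risk    = $risk
        }
    }
}

# Usage: list the sites that need attention first.
Get-BranchAuthCoverage | Sort-Object Risk -Descending | Format-Table -AutoSize
```

Sites that report "No local DC" but have subnets are exactly the branches that hit the problem in the original post; a site with a DC but neither a GC nor UGMC still cannot complete logons for users with universal group memberships while the hub is unreachable, which is why the GC/UGC placement is called out above.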


"TC-UK" wrote:

Hello,

I am a Technical Architect working in a team, designing an upgrade for a
client who has a very large number of remote sites. Initially there were
domain controllers in each site but before we arrived these were all demoted
and now act as simple file servers. The problem is with Authentication as
you'd expect.

The IT team here assumed that local file access from a member server would
still authorise a user based on their cached credentials. This error has
bitten them hard lately as a few sites have lost WAN connectivity and not
been able to have local file access. The business requirement is for ALL
sites with local file access to be able to work in the event of a WAN
failure.

During the design this requirement has made us provision for the
infrastructure master FSMO roles, GC placement, UGC etc and for the provision
of a detailed site / service and KCC design.

My question (finally getting to it) is what options are there to allow
users continued access to their local file server if a domain controller was
not deployed at every site and all authentication was central. I have thought
of the following:

Local shadow accounts on the member file server with dual permissions
Some implementation of offline folders
Emergency modem - vpn access with acl for member server --> DC auth
Manually defined site links and effective overriding of KCC to simulate a
'read-only' type of hub and spoke system if a domain controller is implemented

I know this is a typical issue but I think the problem is very much enlarged
here with the sheer number of remote sites and the business requirement of
local file access and continued working as much as possible.

Thanks for any feedback
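The first option in the list above (local shadow accounts on each member file server) is the one whose weakness is least visible: once the accounts exist, nothing forces their passwords to stay in step with the domain accounts, and nothing tells you which of them still hold permissions on the share. The following is an added example, not code from the original poster or the replies: run on a branch member server, it lists the enabled local accounts that are not built-in, reports how old each password is, and shows whether the account appears in the share folder's ACL. It assumes PowerShell 5.1 or later (for Get-LocalUser), and the share path and the 90-day threshold are placeholders to adjust.

```powershell
# Added example (not from the thread): audit local "shadow" accounts on a
# branch member file server. Assumes PowerShell 5.1+; the share path and the
# password-age threshold are placeholders.
function Get-ShadowAccountReport {
    param(
        [string]$SharePath = 'D:\Shares\Branch',   # assumed path, adjust to the real share
        [int]$MaxPasswordAgeDays = 90               # assumed policy threshold
    )

    $builtIn = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
    $now = Get-Date

    # Collect the explicit ACEs on the share root once, keyed by account name.
    $aclNames = @()
    if (Test-Path -LiteralPath $SharePath) {
        $aclNames = (Get-Acl -LiteralPath $SharePath).Access |
            ForEach-Object { $_.IdentityReference.Value.Split('\')[-1] }
    }

    Get-LocalUser |
        Where-Object { $_.Enabled -and ($builtIn -notcontains $_.Name) } |
        ForEach-Object {
            $name    = $_.Name
            $lastSet = $_.PasswordLastSet
            $ageDays = if ($lastSet) { [int]($now - $lastSet).TotalDays } else { $null }

            # Findings wording is the example author's.
            $finding = if (-not $_.PasswordRequired) {
                           'No password required'
                       } elseif ($null -eq $ageDays) {
                           'Password never set'
                       } elseif ($ageDays -gt $MaxPasswordAgeDays) {
                           "Password older than $MaxPasswordAgeDays days"
                       } else {
                           'OK'
                       }

            [pscustomobject]@{
                Account         = $name
                PasswordAgeDays = $ageDays
                OnShareAcl      = ($aclNames -contains $name)
                PasswordExpires = $_.PasswordExpires
                Finding         = $finding
            }
        }
}

# Usage: show accounts that hold share permissions and whose password is stale.
Get-ShadowAccountReport |
    Where-Object { $_.OnShareAcl -and $_.Finding -ne 'OK' } |
    Format-Table -AutoSize
```

Accounts that show up as OnShareAcl with a stale or never-set password are the ones Brian's reply describes: a second credential for the same person that is not subject to the domain's password policy and that nobody rotates. Running the report across every branch server (for example with Invoke-Command) gives a concrete number for the administrative overhead rather than an estimate.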


