Friday, October 2, 2009
Read-Only Domain Controller for Remote Sites
A typical enterprise is characterized by an HQ hub site and several remote branch offices. Should a domain controller (DC) be placed in the branch office?
- Yes, it should. If not, all authentication and Kerberos ticketing activity will be directed to HQ, which might choke a slow and unreliable WAN link. If the WAN link fails, all activity will come to a halt.
- No, it shouldn't. It poses serious security challenges. A DC contains the entire domain schema, including all object attributes, such as user secrets and confidential information. If the DC is accessed or stolen, the integrity of the entire AD is compromised. Furthermore, if the data on the remote DC is corrupted or outdated after a backup restore, it will be replicated to the entire domain.