Operating System
Chapter 1
Overview of Planning Active Directory for Branch Office Environments
Planning Guide
Abstract
This chapter presents the purpose and scope of this Active Directory Branch Office Planning Guide.
The following chapters discuss the concepts and steps necessary to plan for a deployment of the
Microsoft® Windows® 2000 operating system and Windows 2000 Active Directory™ service in a
branch office environment.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy
of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced,
stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing of
this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Active Directory, and Microsoft SQL Server, are either
registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries/regions.
1200
CONTENTS
INTRODUCTION .......................................................................... 1
    Concepts ............................................................................ 1
    Chapter Overview ............................................................... 1
SCOPE ......................................................................................... 4
    Branch Office ..................................................................... 4
    Large Number of Locations with Domain Controllers .............. 4
    Small Number of Users Per Location ..................................... 4
    Large Number of Domain Controllers ..................................... 4
    Slow Network Connectivity to Branch Locations ...................... 6
    Management Models for Handling Branch Office Scenarios ....... 6
    Managing Users and Groups ................................................ 7
    Managing Group Policies in a Distributed Environment ............ 7
MORE INFORMATION .................................................................. 9
    Resource Centers on the Web .............................................. 9
    Publications ....................................................................... 9
    White Papers ...................................................................... 9
SUMMARY ................................................................................. 10
INTRODUCTION
Microsoft® Windows® 2000 is a relatively new operating system, capable of being
deployed in both large and small corporate environments. While the Windows 2000
Resource Kit is the first resource for companies planning to deploy Windows 2000,
in corporate branch environments additional planning, configuration, and monitoring
are necessary to ensure a smooth branch office deployment. The objective of this
guide is to present a recommended method of planning the deployment of Windows
2000 Active Directory™ service in a branch office environment. Note that the Active
Directory Deployment and Operations Guide is a companion to this guide. It uses
the plan developed here and guides the reader, step by step, through the Windows
2000 branch office deployment, providing scripts to simplify and speed the process.
Although this guide discusses branch office deployments, much of the information
can be adapted to other environments, including the sections on staging domain
controllers, monitoring domain controllers, and the associated scripts.
A branch office deployment, in terms of this guide, is one where there are numerous
branch offices, with slow links to a corporate hub or data center. While this guide
focuses on the planning for a simple hub and spoke deployment, the planning can
be extended to a more complex, multilevel multi-hub and spoke deployment. For the
more complex environment, breaking the corporate network design into smaller hub
and spoke modules will allow you to use the guidelines and configuration presented
here and in the Active Directory Deployment and Operations Guide.
Concepts
This guide is written for readers who have an understanding of Windows 2000,
Active Directory, Domain Name System (DNS), and replication as can be found in
the Windows 2000 Resource Kit, and other recommended White Papers (see More
Information at the end of this chapter for a list of resources). We have, however,
included a review of basic concepts and terms. This is not intended to replace the
aforementioned resources; it is not possible to summarize all of the prerequisite
knowledge assumed in the presentation of this paper. The objective of this guide is
to build on information presented elsewhere, and to omit information that is
available in other Microsoft sources.
Chapter Overview
This guide consists of six chapters, each dealing with a specific aspect of planning
an Active Directory branch office deployment.
Chapter 2 – Structural Planning for Branch Office Environments
This chapter will guide you through the process of planning the logical structure for
your Active Directory branch office environment.
Topics covered include:
• Structural Planning
• Domain Controller and Global Catalog Placement
• DNS Design Recommendations
• Determining the Number of Sites
Chapter 3 – Planning Replication for Branch Office Environments
This chapter will guide you through the process of planning your bridgehead servers
and connection objects, based on Active Directory and File Replication Service
(FRS) replication.
Topics covered include:
• Replication Fundamentals
• Components of the Replication Topology
• Determining the Choice of Bridgehead Servers
• Determining the Number of Bridgehead Servers
• Configuring Replication Topology for Large Branch Office Deployments
• Using KCC with a Small Number of Sites (<100)
Chapter 4 – Planning the Hub Site for Branch Office Environments
This chapter will guide you through the process of planning your hub site, including
building and maintaining your root and branch office domains.
Topics covered include:
• Data Center Strategy
• Building the Root Domain
• Building the Branch Office Domain
• Monitoring and Key Performance Indicators
• Server Sizing
• Disaster Recovery
• Firewalls
Chapter 5 – Planning the Staging Site for Branch Office Environments
This chapter will guide you through the process of planning your staging site.
Topics covered include:
• Best Practices for Building a Staging Site
• Configuring the Replication Topology
• Capacity Planning
• Software Installed on Domain Controllers
• Monitoring
Chapter 6 – Building the Forest Root Domain and Central Hub Site
This chapter will guide you through the process of planning how to build, verify, and
monitor branch office domain controllers. This includes everything from installation
at the staging site through moving the domain controller to its branch office.
Topics covered include:
• Design Considerations
• Installing Software
• Promoting the Server to a Domain Controller
• Preparing the Computer for Transport
• Alternative Configuration
• Documentation
• Post-Deployment
SCOPE
Branch Office
The characteristics of a branch office deployment as discussed in this guide include
most, if not all, of the following:
• A large number of locations with domain controllers.
• A small number of users per location.
• A large number of domain controllers.
• A hub and spoke network topology.
• Slow network connectivity to the branch office locations.
Large Number of Locations with Domain Controllers
The fact that a deployment has a large number of locations with domain controllers
does not necessarily make it a branch office deployment in the context of this guide.
In some large deployments the network may provide reliable, medium to high speed
network connections which can be used to log on users over the wide area network
(WAN). In this case, a small number of domain controllers could be installed in a
data center or hub and there is no need for domain controllers in all remote
locations. Since a centralized deployment model like this is less complex and easier
to operate and monitor, it is preferred, but only if the network can be trusted to
handle user logon operations at all times.
In the cases where the WAN cannot be trusted for logons 24 hours a day and 7
days a week, planning and deployment require more thought. In most cases, a
domain controller has to be installed in the remote locations. Planning Chapter 2,
“Structural Planning for Branch Office Environments,” explains when to put domain
controllers into a remote location.
Small Number of Users Per Location
Another feature of the branch office deployment discussed in this guide is that there
are a small number of users in each branch location. Examples of companies that
meet these conditions are insurance companies and banks. Insurance companies
frequently have a large number of subsidiaries and branches, each with a small
number of employees. Again, small in the context of this guide means between 10
and 50 users of computers and network services.
Large Number of Domain Controllers
A large number of domain controllers implies that there may be a need for a staging
site, which may or may not be contracted out, and that the number of branches to
which domain controllers are being deployed is more than 100.
Hub-Spoke Topology
In branch environments the topology usually consists of one or more hub
locations, with spokes extending from the hub or hubs, as shown in the following
figure.
Figure 1. Branch Office Scenario: TCP/IP and DNS Settings, FSMO Role Placement
(Diagram; the server details it shows are listed here. "DNS P" is the preferred DNS
server and "DNS A" the alternate DNS server configured on each computer.)
Forest root domain corp.hay-buv.com:
• ROOT1, GC, Schema Master and Domain Naming Master FSMO roles, also the RRAS
  network router: 10.10.1.1, DNS P 10.10.1.2, DNS A 10.10.1.3
• ROOT2, DC, Infrastructure Master, RID Master and PDC Emulator FSMO roles:
  10.10.1.2, DNS P 10.10.1.1, DNS A 10.10.1.3
• ROOT3, DC: 10.10.1.3, DNS P 10.10.1.1, DNS A 10.10.1.2
Branch office domain branches.corp.hay-buv.com:
• HUBDC1, DC, Infrastructure Master, RID Master and PDC Emulator FSMO roles
  (Site-HUB): 10.10.20.99, DNS P 10.10.20.99, DNS A 10.10.20.1
• BH1, BH2, BH3, GC (Site-HUB): 10.10.20.1, 10.10.20.2, 10.10.20.3; each uses
  itself as DNS P and another hub GC as DNS A
• Staging, GC (Site-Stage): 10.10.30.1, DNS P 10.10.30.1, DNS A 10.10.20.1
• BODC1, DC (Site-Branch1): 10.10.21.1, DNS P 10.10.21.1, DNS A 10.10.20.1
• BODC2, DC (Site-Branch2): 10.10.22.1, DNS P 10.10.22.1, DNS A 10.10.20.2
• BODC3, DC (Site-Branch3): 10.10.23.1, DNS P 10.10.23.1, DNS A 10.10.20.3
• BODC4, DC (Site-Branch4): 10.10.24.1, DNS P 10.10.24.1, DNS A 10.10.20.1
• BODC5, DC (Site-Branch5): 10.10.25.1, DNS P 10.10.25.1, DNS A 10.10.20.2
All branch office domain controllers are part of the branches.corp.hay-buv.com
domain.
The simple hub and spoke topology shown above is used for all discussions in this
guide, that is, a single hub with slow links to the branches, acting as spokes. This
Active Directory Planning Guide steps you through the process of planning the
above environment. The accompanying Active Directory Deployment and
Operations Guide then steps you through the process of building the above
environment.
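The Figure 1 plan follows a few placement rules that are easy to break once a deployment grows to a hundred branches: each domain controller resolves DNS within its own site first and falls back to a hub domain controller, and every FSMO role has exactly one holder (forest-wide roles in the root domain). The following Python script is an added example, not code from this guide or from Microsoft: it transcribes the diagram's servers and checks those rules before the plan is handed to deployment. The site of ROOT1 to ROOT3 and the alternate DNS servers of BH1 to BH3 are assumptions.

```python
# Plan-consistency checks over the Figure 1 topology. Added example, not part of
# the guide or of any Microsoft tool. Server data is transcribed from the diagram;
# the site of the root DCs and the alternate DNS servers of BH1-BH3 are assumed.
from collections import Counter

ROOT = "corp.hay-buv.com"
BRANCHES = "branches.corp.hay-buv.com"
FOREST_ROLES = {"SM", "DNM"}         # Schema Master, Domain Naming Master
DOMAIN_ROLES = {"IM", "RID", "PDC"}  # Infrastructure, RID Master, PDC Emulator

# (name, domain, site, ip, dns_preferred, dns_alternate, fsmo_roles)
PLAN = [
    ("ROOT1", ROOT, "Site-HUB", "10.10.1.1", "10.10.1.2", "10.10.1.3", {"SM", "DNM"}),
    ("ROOT2", ROOT, "Site-HUB", "10.10.1.2", "10.10.1.1", "10.10.1.3", {"IM", "RID", "PDC"}),
    ("ROOT3", ROOT, "Site-HUB", "10.10.1.3", "10.10.1.1", "10.10.1.2", set()),
    ("HUBDC1", BRANCHES, "Site-HUB", "10.10.20.99", "10.10.20.99", "10.10.20.1", {"IM", "RID", "PDC"}),
    ("BH1", BRANCHES, "Site-HUB", "10.10.20.1", "10.10.20.1", "10.10.20.2", set()),  # alternate assumed
    ("BH2", BRANCHES, "Site-HUB", "10.10.20.2", "10.10.20.2", "10.10.20.1", set()),  # alternate assumed
    ("BH3", BRANCHES, "Site-HUB", "10.10.20.3", "10.10.20.3", "10.10.20.1", set()),  # alternate assumed
    ("Staging", BRANCHES, "Site-Stage", "10.10.30.1", "10.10.30.1", "10.10.20.1", set()),
    ("BODC1", BRANCHES, "Site-Branch1", "10.10.21.1", "10.10.21.1", "10.10.20.1", set()),
    ("BODC2", BRANCHES, "Site-Branch2", "10.10.22.1", "10.10.22.1", "10.10.20.2", set()),
    ("BODC3", BRANCHES, "Site-Branch3", "10.10.23.1", "10.10.23.1", "10.10.20.3", set()),
    ("BODC4", BRANCHES, "Site-Branch4", "10.10.24.1", "10.10.24.1", "10.10.20.1", set()),
    ("BODC5", BRANCHES, "Site-Branch5", "10.10.25.1", "10.10.25.1", "10.10.20.2", set()),
]

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    site_of = {ip: site for _, _, site, ip, *_ in plan}
    hub_ips = {ip for ip, site in site_of.items() if site == "Site-HUB"}
    holders = Counter()
    for name, domain, site, ip, pref, alt, roles in plan:
        # Preferred DNS must be reachable without the WAN: itself or a DC in its site.
        if site_of.get(pref) != site:
            findings.append(f"{name}: preferred DNS {pref} is not in site {site}")
        # Alternate DNS must be a hub DC other than the DC itself.
        if alt == ip or alt not in hub_ips:
            findings.append(f"{name}: alternate DNS {alt} is not a hub DC")
        if roles & FOREST_ROLES and domain != ROOT:
            findings.append(f"{name}: forest-wide FSMO role outside the root domain")
        if roles and site != "Site-HUB":
            findings.append(f"{name}: FSMO role holder outside the hub site")
        for role in roles:
            holders[(role, None if role in FOREST_ROLES else domain)] += 1
    # Each forest role exactly once in the forest, each domain role once per domain.
    expected = [(r, None) for r in FOREST_ROLES]
    expected += [(r, d) for d in {s[1] for s in plan} for r in DOMAIN_ROLES]
    for role, scope in expected:
        if holders[(role, scope)] != 1:
            findings.append(f"FSMO role {role} in {scope or 'forest'} has {holders[(role, scope)]} holders")
    return findings

if __name__ == "__main__":
    print("\n".join(check_plan(PLAN)) or "plan is consistent")
```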
There is little explicit discussion of planning for a complex topology as shown in the
following diagram.
Figure 2. Complex Hub and Spoke Topology
For the complex hub and spoke case, you can use the planning presented here for
each hub and its spokes, as well as the deployment procedures presented in the
Active Directory Deployment and Operations Guide. Each set of hub and spokes
can then be combined in a larger hub and spokes design, in a nested or layered
fashion.
Slow Network Connectivity to Branch Locations
A common scenario in a branch office environment is that locations are linked
to the corporate data center or hub by slow WAN links. For our scenario a slow link
is defined as a link with a line speed between 19.2 and 64 kilobits per second. Such a
link could be either a dial-up link or a leased line. To plan the right topology when
working over slow links, you should know the following:
• The real available bandwidth over 24 hours
• The stability of the link
• What other services are going to use the link (such as Exchange, Backup,
  Systems Network Architecture (SNA), Microsoft SQL Server™, or Internet
  access)
Management Models for Handling Branch Office Scenarios
There are basically two different management models to consider in a Windows
2000 deployment scenario: centralized and decentralized. According to the
centralized management model, changes are made at a corporate level and
replicated to the branches. With the decentralized approach, changes are mostly
made at the branches and are replicated through a hub to the rest of the domain
and the forest. Management of users and groups, as well as Group Policy
management should be considered in light of these two models, since each will
have significant effects on replication traffic, and therefore on the load on domain
controllers.
Managing Users and Groups
When managing users and groups, there are pros and cons to each model.
There are advantages and disadvantages to a centralized management model—
where all objects in the organization are managed by one central IT organization:

| Advantages | Disadvantages |
|---|---|
| Good security control and policy enforcement | Success varies directly with the availability and speed of the local area network (LAN) or WAN. |
| Easy automation of common management tasks from a single source point | Propagation of changes is time-consuming, depending on the replication infrastructure and the replication schedules. |
| Problems can be fixed quickly | Time to react and to fix issues might be longer. |

In contrast, in the decentralized management model the IT organization is divided
into smaller divisions based on geographical, political, or organizational needs, and
management of users and groups is distributed. The tradeoffs in this situation are
as follows:

| Advantages | Disadvantages |
|---|---|
| IT organization tends to be closer to the “customer” | Automation of tasks needs to be coordinated |
| Less replication traffic inbound from the hub to the branches | More replication traffic inbound from the branches to the hubs |
Managing Group Policies in a Distributed Environment
As with user and group management, Group Policy management can be centralized
or decentralized.
In the centralized approach, all Group Policies are created by administration staff in
the data centers (or hubs) and flow from the data centers to the branch offices.
Changes will never occur at the branch level. Typically, there is no local personnel
with complete administrator rights available in the branch.
In a decentralized environment, the regional IT organizations will have the
knowledge and ability to add to the group policies and be able to override certain
settings. Just as with decentralized user and group creation, this will cause more
replication to originate at the branches, causing more inbound replication traffic at
the hub site.
Warning: The biggest problem with decentralized group policy management is that the
changes are focused on the Primary Domain Controller (PDC) Emulator for the domain, which
is located at the hub. We recommend, therefore, that you centralize the creation of Group
Policies.
For the purposes of the planning discussions in this guide, assume a centralized
model. Realize, however, that where your organization’s administration model
differs, you must consider the effect this has on your replication traffic patterns. The
purpose of this guide is to present the basic building blocks of the planning process,
which will enable you to complete a plan that suits your organization, and its
administrative and network structure.
MORE INFORMATION
Resource Centers on the Web
For more information, refer to the following external resources on the Internet at
microsoft.com.
Windows 2000 Technical Library:
http://www.microsoft.com/windows2000/library/
Windows 2000 Technologies Index:
http://www.microsoft.com/windows2000/library/technologies/default.asp
TechNet: Windows 2000 Technology Center:
http://www.microsoft.com/technet/win2000/win2ksrv/default.asp
MSDN: Windows 2000 Development Center:
http://msdn.microsoft.com/windows2000/
Microsoft Press Online: Windows 2000:
http://mspress.microsoft.com/windows2000/
Microsoft Training and Certification Course:
http://www.microsoft.com/train_cert/winmoc/win2000_data.htm
Microsoft Training and Certification Windows 2000 Learning Center:
http://www.microsoft.com/train_cert/learncenter/win2000/default.htm
Publications
Windows 2000 Resource Kit (Microsoft Press)
Building Enterprise Active Directory Services, Notes from the Field (Microsoft Press)
Optimizing Network Traffic, Notes from the Field (Microsoft Press)
White Papers
Windows 2000 Domain Name System Overview:
http://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/dnsover.asp
Windows 2000 Domain Name System White Paper:
http://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/w2kdns.asp
Windows 2000 Active Directory:
http://www.microsoft.com/windows2000/library/technologies/activedirectory/default.asp
SUMMARY
While this guide is focused on the planning for a branch office deployment within the
parameters defined in this chapter (a large number of locations with domain
controllers, where each location has a small number of users and has slow WAN
connectivity), the issues and concepts discussed here are frequently relevant in
other scenarios. The following chapters discuss the structural planning
considerations, the planning needed for replication, and the planning that should
take place to have a successful hub site and staging site. Quality assurance steps
are presented, including monitoring. While the specifics of this guide relate to large
branch office deployments, the general concepts and issues are helpful in many
other scenarios.