I had a question today thats actually a fairly common one. Essentially its about the choice whether to place services like domain controllers in a distributed fashion rather than centralisation of service.
The question essentially was: "...A customer has a few main sites with quite a number of users and then another several sites with 3-5 users on average. Is it possible to get away with no DC onsite given logon traffic, Group Policy etc...They won't be using Outlook from these sites, it's mainly for workstation management/security. All applications are used over Citrix..."
Theres no right answer here as it depends on the customer but Ill present the case on either side for service delivery in a centralised and a de-centralised architecture.
If you can withdraw all the core authentication services back to a central datacenter or hub sites then disaster recovery, troubleshooting and backup becomes a whole lot easier with less copies of the directory services database to worry about. You have the opportunity to save costs with less servers to manage and in some cases can save money with less administrators required to do the same job. Additionally security improves because the risk becomes more contained. In many branch offices, security is an afterthought and the spectre of a domain controller theft becomes a serious concern. I cite the case of Australian Customs who actually had this happen to them - even with good physical security in place though clearly poor identity verification was performed. They did the right response in that situation - they reset every password. And thats what you have to do if a DC is stolen - you need to reset every password in the domain including service accounts and administrative accounts. So consolidating services to a central point has some significant benefits including security, management and cost savings. That said, this all depends on your WAN infrastructure. If you have the worlds worst link that goes up and down on a daily basis with continual outages then its probably not a good idea to consolidate. If you did implement DC service consolidation in this kind of environment and the link went down, not only would people not have access to any centralised email or web services but local file and print servers that might be located in the branch are also inaccessible because the local fileserver cannot authenticate the user without the DC being accessible. Along those lines - decentralisation has some good benefits. Its long been said that placing resources closer to the users is the right thing to do. Faster performance due to the resources being closer has benefits on productivity for the users due to them waiting less. Its also great if the WAN infrastructure is poor and you know security in the small branch is good. And it doesnt have to cost extra to manage provided you have the right tools. Lets turn this into a bulleted list:
- Potential cost savings through less servers
- Security Improvement (risk) if physical security is poor
- Easier management if management tools are lacking
- Simplified directory database disaster recovery/backup
- Reliable WAN services
- Faster resources closer to the user - improved productivity
- A degree of autonomy in the event of WAN failure
- Can be manageable provided good management tools are used
- Physical security is crucial
- Good processes for directory database backup and recovery
This all points to consolidation being a great objective to strive for. In fact Microsoft operates a lot of its smaller branch offices like this with local file/print resources and services like Active Directory, Exchange and SharePoint centralised into major regional datacenters. We can do this as we do have reliable WAN infrastructure - and if a link to a branch office goes down which in my nearly 7 year time at Microsoft has only happened twice - then we go home and VPN in across ADSL.
So to answer the original question - pursue it as it will likely improve security and probably reduce cost though if the WAN goes down and given youre running workstation app services across Citrix anyway it probably doesnt matter if they cant authenticate locally 🙂
There is one thing that must be thought about - especially in relation to Group Policy. If the workstation is required to discover policy across the WAN link - be aware that this is dependent on ICMP (ping) to detect bandwidth and if the link is latent then the policy applied gets reduced significantly...