Connect Remote Office to Domain at HQ

JBerrete
Just browsing

I currently have a site-to-site vpn setup between HQ and a remote office. Would it be possible to setup the remote office to connect a domain controller at HQ?

6 Replies
mmmmmmark
Building a reputation

Yes it's possible but it might not be the best idea. If the internet goes down at either location then the people at the remote office wouldn't be able to log in. Might be better to have a RODC at the remote site that syncs to the HQ DC.

PhilipDAth
Kind of a big deal

That is not correct @mmmmmmark. You can quite happily log into a Windows machine you have previously logged into (aka your normal work computer) for many months using cached credentials.

If you want some evidence, take a work notebook home, reboot it, and notice how you can log into it without any issues.

mmmmmmark
Building a reputation

Thanks @PhilipDAth for that. I wasn't aware that it would work. Might still be a good idea to have an off-site DC too though, but maybe not a RODC, haha.

PhilipDAth
Kind of a big deal

I have now moved a lot of my smaller customers completely to AzureAD (so no onsite AD controllers at all), as part of their Office 365 plan.

Some of the medium sized ones I have moved AD into Amazon AWS. I need three instances. Two t2.micros to be the AD controllers, and a third to run Ubuntu and strongswan. I then build a non-Meraki VPN back to the sites.

A t2.micro is maybe USD$3.50 per month. So for maybe USD$11 per month you can have redundant AD controllers in the cloud.

PhilipDAth
Kind of a big deal

Yes.  It works best if you configure the remote site DNS servers to point to the AD controllers at the main site.
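
Pre-flight checks a branch-office Windows client should pass before it is joined to the HQ domain over the VPN, covering the DNS advice in this reply and the cached-credentials point made earlier in the thread. This is an added example, not code from any poster; the domain name and DC address are placeholders.

```powershell
# Added example (not from the thread): pre-flight checks on a branch-office Windows client
# before joining it to the HQ domain over the site-to-site VPN.
# Assumed placeholders: corp.example.com (domain) and 10.0.0.10 (HQ domain controller).
$Domain = 'corp.example.com'
$HqDc   = '10.0.0.10'

# 1. DNS: the branch client must resolve the domain through a DC, not the ISP resolver,
#    otherwise the _ldap/_kerberos SRV records for the domain are never found.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses
if ($dnsServers -notcontains $HqDc) {
    Write-Warning "Branch DNS ($($dnsServers -join ', ')) does not include the HQ DC $HqDc"
}

# 2. Reachability: AD needs at least these TCP ports open across the VPN
#    (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Global Catalog).
$ports = [ordered]@{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; GlobalCatalog = 3268 }
foreach ($name in $ports.Keys) {
    $result = Test-NetConnection -ComputerName $HqDc -Port $ports[$name] -WarningAction SilentlyContinue
    '{0,-14} {1,5} {2}' -f $name, $ports[$name], $(if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. DC locator: confirm the client can actually discover a DC for the domain via DNS.
nltest /dsgetdc:$Domain /force

# 4. Cached logons: this is what lets users sign in while the VPN is down.
#    Windows defaults to caching the last 10 interactive logons; 0 disables offline logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent means the default applies
"CachedLogonsCount = $cached (set to 0, branch users cannot log in when the VPN is down)"
```

Run it from an elevated PowerShell session on the branch client; any BLOCKED port or a DNS list without the HQ DC will surface as a domain-join or logon failure later.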

Kevin_Snyder
Here to help

I agree with mmmmmmark that it may not be the best design if relying on a single MX / Internet connection at the branch office or HQ. A RODC would be ideal at the branch. You could go with redundant MX and Internet connections to try and limit exposure to a failed connection but it may not be worth the cost, depending on your needs.
