UCS Design for Home and Branch Office Help


#1

Hello All,

I am trying to use UCS to achieve the following design specifications as per what Microsoft refers to as Flexible Single Master Operation (FSMO):

i. I want all clients at the remote offices to authenticate and use resources using their local DC. The DC at the Home or Head Office should be their secondary choice. They should use this whenever there is a hardware failure.

ii. I want the Home office DC be used by the people at the Home office, domain changes, creation of users, groups, GPOs should also be done here, and all these should be pushed to the DCs at the branch office (or what we call replication). Changes should only be pushed out for replication by the DC at the Home Office.

What combination can achieve this with UCS? Master at Home office and Backup at Remote Offices? / Master at Home Office and Slave at Remote Offices? / Master at Home and Master at Remote?

Thanks in Advance.


#2

Hey,

when referring to UCS server roles the terms “master” and “backup” are used somewhat differently than how they were used when referring to Windows domain servers. In UCS terms a “DC backup”'s sole purpose is to provide an up-to-date machine that can be used to permanently replace the “DC master” in case of a fatal problem (e.g. machine stolen, unrecoverable hard disk defects etc.). In that instance the “DC backup” can be elevated to be the new “DC master” (the old one must be retired and removed from the network).

Therefore placing a “DC backup” in a branch office is not all that helpful.

The “DC slave” servers, on the other hand, are designed for exactly such a case. You place a “DC master” (and optionally a “DC slave”) in the home/main office. For local authentication you place a “DC slave” in your branch office. All of those servers run Samba 4.

Additionally you’ll have to create a second Active Directory Site for the branch office using the usual Active Directory tools (RSAT) and place all the computers and servers running at that branch office in the new AD Site. That way authentication will be done against the local “DC slave”.

Kind regards,
mosu


#3

Thank you Mosu, you have been very helpful.

Regards,
Tobi