Active directory over WAN

I have 2 sites, main office and remote office. I would like to be able to use active directory over WAN for my remote office. The office is not large enough to have a RODC so I would like to authenticate to the only DC at the main office.

I've been looking around and it seems that this is possible but I want to make sure I configure this correctly and securely.

  1. Is there any security that needs to be enabled for this or is this already enabled? Are there any technotes with instructions on configuring this scenario?
  2. If I have to use a VPN for security, is there a way to only use the VPN for authentication and allow the user to use any other service using the normal internet connection?

April 9th, 2015 1:25pm

Hello Simon,

Branch office clients can authenticate through the VPN connection. The security of the communications depends on how you configure your VPN. Try going for L2TP/IPsec VPN.
Add the remote network subnet to the site.

What is your bandwidth to the site office? Look at BranchCache deployment if you have concerns about low bandwidth.

April 9th, 2015 2:34pm

You can deploy an SSTP VPN.

For internet traffic, have a look at this (CMAK is a feature on Windows 2012 R2)

April 9th, 2015 2:42pm

You can use a site-to-site VPN so that your remote users can connect to your DCs. Please note that you need to take into consideration the GPO processing over slow links in case this is a slow link: https://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx

As for using the VPN or internet connection to access your services, it depends on how your routing is configured. So, simply check your routers' configuration and adjust it the way you want.

April 9th, 2015 6:11pm

Well, if the branch is not big enough to have an RODC, I doubt they have a budget for a site-to-site VPN.
April 9th, 2015 7:13pm

This is all good info, thank you!

Both office speeds are 40/10.

The main office has a router that can be configured for VPN access. I would want the remote users to use a VPN connection in Windows with split tunneling.

I think this configuration will work for me *crossing fingers*

April 9th, 2015 7:53pm
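
The client-side setup the last post settles on (a Windows VPN connection with split tunneling, so only traffic to the main office goes through the tunnel), as an added example that is not part of the original thread. The connection name, server name, subnet, DC address and domain are placeholders, and it assumes an L2TP/IPsec endpoint on the main office router and a Windows 8.1 or later client with the VpnClient and NetTCPIP modules.

```powershell
# Added example; every name and address below is a placeholder (assumption).
$ConnName  = 'MainOffice-AD'
$VpnServer = 'vpn.example.com'   # public name of the main office router
$DcSubnet  = '10.0.10.0/24'      # main office LAN that holds the DC
$DcAddress = '10.0.10.5'         # the single DC (assumed to also be the DNS server)
$AdDomain  = 'corp.example.com'  # AD DNS domain name

# Prompt for the pre-shared key instead of storing it in the script.
# A machine certificate is the stronger option if the router supports it.
$Psk = Read-Host -Prompt 'L2TP pre-shared key'

# Create the connection. -EncryptionLevel Required refuses an unencrypted
# session; -SplitTunneling keeps the default route on the local internet link.
Add-VpnConnection -Name $ConnName -ServerAddress $VpnServer `
    -TunnelType L2tp -L2tpPsk $Psk -EncryptionLevel Required `
    -AuthenticationMethod MSChapv2 -SplitTunneling `
    -DnsSuffix $AdDomain -Force

# With split tunneling on, only prefixes listed here are routed into the tunnel.
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $DcSubnet

# --- Run the checks below after the user has connected the VPN ---

# Confirm the settings that matter for security and routing.
Get-VpnConnection -Name $ConnName |
    Select-Object Name, TunnelType, EncryptionLevel, SplitTunneling, ConnectionStatus

# The route to the DC should leave through the VPN interface...
Find-NetRoute -RemoteIPAddress $DcAddress |
    Select-Object -First 1 InterfaceAlias, IPAddress

# ...while an internet address should still leave through the physical NIC.
Find-NetRoute -RemoteIPAddress '1.1.1.1' |
    Select-Object -First 1 InterfaceAlias, IPAddress

# TCP services a domain member needs from the DC: DNS, Kerberos, RPC endpoint
# mapper, LDAP, SMB (SYSVOL/Group Policy) and Kerberos password change.
foreach ($port in 53, 88, 135, 389, 445, 464) {
    Test-NetConnection -ComputerName $DcAddress -Port $port |
        Select-Object RemotePort, TcpTestSucceeded
}
```

The client must resolve the AD domain through the DC's DNS once connected, so the VPN endpoint has to hand out the DC as DNS server for this to work.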

This topic is archived. No further replies will be accepted.
