Managing remote site machines using AD
Hi,
Sorry if this is posted in the wrong area - I have tried to find an AD area, but search hasn't provided much else useful so far. Please move if necessary.
I have a question relating to managing remote site machines. Let me give the scenario, then ask the question, that would probably prevent more questions before answers.
I manage several thousand Windows XP machines which are installed on remote sites. Each site contains an ADSL router and 1-10 machines on that site. Each site has its own local DHCP scope provided by the router, so in essence there should not be any 2 machines out there with the same IP. (I have checked this).
Each site is currently set up so that local site machines are members of a local workgroup with all machines running Windows XP Pro 32bit. There is currently no domain infrastructure on site. Machines are managed via a number of 3rd party technologies (PCAnywhere, Everdream, Afaria) which we pay for, but I'm hoping to centralise the management of these machines by introducing AD and move away from these disparate technologies where possible.
My question is, from our head office location, is there any reason why these sites couldn't be configured as domain machines, where the domain controller is at our head office? What I'm wanting to achieve is a central method of being able to inventory each machine for installed software and hardware configuration, as well as deploy software / files as and when needed. I also want to be able to create GPOs which I can apply to these machines in order to maintain a more uniform estate, as currently we don't have any such meaningful way of managing this. Would AD be the best way to go for this? I am currently about to begin rolling out new hardware which will replace the existing estate site by site, and includes Windows 7 Pro 32bit rather than XP.
I understand that there may be some firewall changes required at both our head office and local site routers etc, but as the entire infrastructure exists on a secured ADSL line (not public BT / Sky / Cable ADSL etc) I don't see any security concerns around this. That aside, while security may be a follow-up question, that's not my initial concern. I'm primarily keen to know: are there any pitfalls or issues with trying to adopt this approach to managing a large distributed estate?
Thanks for any comments.
Dusty
September 7th, 2012 5:26am
Hello,
several thousand PCs also means several thousand users, how many in total?
Changing from workgroup to domain results in loss of local users, and user profiles must be migrated to domain user profiles, as in a domain you will not work with local users; that makes a domain senseless.
Running a domain that size requires at least 2 DC/DNS/GC in the main site, which is always recommended. Depending on the load on the DCs there can be also more DC/DNS/GC required.
For GPO applying on domain machines in the remote site you need at least bandwidth from 500KB, otherwise parts from GPOs are NOT processed because of determining a "slow link":
http://technet.microsoft.com/de-de/library/cc781031(v=ws.10).aspx
http://support.microsoft.com/kb/227260
Site machines have to use the domain DNS servers on the NIC ONLY, and the DNS servers have to use FORWARDERS to the ISP so internet access is possible, if required.
You can also manage the remote machines with RDC, if routers are configured to forward connections to the machines.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
September 8th, 2012 5:34am
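The reply above makes two checks a head-office admin would want to run against every site machine before and after the domain join: is it actually a domain member, and does its NIC list ONLY the domain DNS servers rather than the site ADSL router. The following PowerShell script is an added example, not code from the thread or from either poster; it uses WMI so it works against Windows XP/7 clients, and the DNS server addresses, hostnames and credential are placeholders you must replace.

```powershell
# Added example (not from the thread): audit remote site machines from head office
# over WMI and flag any whose NIC DNS settings are not the domain DNS servers only.
$DomainDnsServers = @('10.0.0.10', '10.0.0.11')      # placeholder: head-office DC/DNS IPs
$SiteMachines     = @('SITE001-PC1', 'SITE001-PC2')  # placeholder: site hostnames or IPs
$Cred             = Get-Credential                    # account with remote WMI rights on the sites

$report = foreach ($pc in $SiteMachines) {
    try {
        $cs   = Get-WmiObject -ComputerName $pc -Credential $Cred -Class Win32_ComputerSystem -ErrorAction Stop
        $nics = Get-WmiObject -ComputerName $pc -Credential $Cred -Class Win32_NetworkAdapterConfiguration `
                    -Filter 'IPEnabled = TRUE' -ErrorAction Stop

        # Collect every DNS server configured on any IP-enabled adapter.
        $dns   = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
        # Any entry that is not a domain DNS server (typically the site router) will
        # break DC location, Kerberos and GPO processing for that machine.
        $wrong = @($dns | Where-Object { $DomainDnsServers -notcontains $_ })

        New-Object PSObject -Property @{
            Computer   = $pc
            InDomain   = $cs.PartOfDomain
            Domain     = $cs.Domain
            DnsServers = ($dns -join ',')
            WrongDns   = ($wrong -join ',')
            DnsOk      = ($dns.Count -gt 0 -and $wrong.Count -eq 0)
            Error      = $null
        }
    } catch {
        # Unreachable host, firewall/router blocking RPC, or bad credentials: report, don't abort.
        New-Object PSObject -Property @{
            Computer = $pc; InDomain = $null; Domain = $null; DnsServers = $null
            WrongDns = $null; DnsOk = $false; Error = $_.Exception.Message
        }
    }
}

# Machines with DnsOk = False still resolve via the site router and must be fixed
# (statically or via the router's DHCP scope) before GPOs will apply reliably.
$report | Sort-Object DnsOk, Computer |
    Format-Table Computer, InDomain, Domain, DnsServers, WrongDns, DnsOk, Error -AutoSize
```

Run it from a head-office workstation that can reach the sites over the private ADSL links; remote WMI requires RPC (TCP 135 plus the dynamic range) to be permitted through the site routers, which is part of the firewall work the original post anticipates.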
Hi Meinolf,
From a user's perspective, we have only 3-4 logons as these are almost kiosk machines. Note the almost.
The daily users of these machines use 1 of 3 accounts for day to day use. Each site will use the same account consistently, and will not be switching from one account to another. So from a user maintenance side the overheads on this would be minimal.
Bandwidth is typically 512Mb or better downstream to the sites, with 128 upstream or better.
Thanks
iamrafic for the mention of RDC, but one of the constraining factors which is preventing the switch to this (to my misery) is a requirement for both the remote and the local user to be able to see the screen at the same time. This is for occasional training requirements which saves us site visits and hours on the phone. For this we currently use PCAnywhere (spit!) which I can't wait to replace with something else once I find something which provides logging of access, as well as allows screen sharing during remote sessions.
Currently the local routers on each site provide DNS and internet access, which is our preference as we don't want to overload our internal machines with such traffic. Is this (DNS & internet access) something which will absolutely need to change or something which can be worked around?
September 8th, 2012 10:09am