Managing remote site machines using AD
Hi, sorry if this is posted in the wrong area. I have tried to find an AD area, but search hasn't provided much else useful so far. Please move if necessary.

I have a question relating to managing remote site machines. Let me give the scenario, then ask the question; that would probably prevent more questions before answers.

I manage several thousand Windows XP machines which are installed on remote sites. Each site contains an ADSL router and 1-10 machines. Each site has its own local DHCP scope provided by the router, so in essence there should not be any two machines out there with the same IP (I have checked this). Each site is currently set up so that local site machines are members of a local workgroup, with all machines running Windows XP Pro 32-bit. There is currently no domain infrastructure on site. Machines are managed via a number of 3rd-party technologies (PCAnywhere, Everdream, Afaria) which we pay for, but I'm hoping to centralise the management of these machines by introducing AD and move away from these disparate technologies where possible.

My question is: from our head office location, is there any reason why these sites couldn't be configured as domain machines, where the domain controller is at our head office? What I'm wanting to achieve is a central method of being able to inventory each machine for installed software and hardware configuration, as well as deploy software/files as and when needed. I also want to be able to create GPOs which I can apply to these machines in order to maintain a more uniform estate, as currently we don't have any meaningful way of managing this. Would AD be the best way to go for this? I am currently about to begin rolling out new hardware which will replace the existing estate site by site, and includes Windows 7 Pro 32-bit rather than XP.

I understand that there may be some firewall changes required at both our head office and local site routers etc., but as the entire infrastructure exists on a secured ADSL line (not public BT/Sky/Cable ADSL etc.) I don't see any security concerns around this. That aside, while security may be a follow-up question, that's not my initial concern. I'm primarily keen to know: are there any pitfalls or issues with trying to adopt this approach to managing a large distributed estate? Thanks for any comments. Dusty
September 6th, 2012 5:34am

Hi, yes, Active Directory provides you the option for centralized management; you can implement it in your environment. But there will be some limitations. What is the bandwidth available between the remote sites and the central office? How are the sites connected, VPN? For an Active Directory domain infrastructure to work seamlessly, network bandwidth plays a major role. The bandwidth requirement may increase if you use GPO to deploy software or push login scripts.

Active Directory Sizer Tool: www.petri.co.il/active_directory_sizer_tool.htm

If the users are only connected to the internet, you can also make use of DirectAccess. DirectAccess, introduced in the Windows 7 and Windows Server 2008 R2 operating systems, allows remote users to securely access enterprise shares, web sites, and applications without connecting to a virtual private network (VPN). DirectAccess establishes bi-directional connectivity with a user's enterprise network every time a user's DirectAccess-enabled portable computer connects to the Internet, even before the user logs on.

DirectAccess: http://technet.microsoft.com/en-us/network/dd420463.aspx

Regards, Rafic
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
September 6th, 2012 5:53am

Hello, several thousand PCs also means several thousand users; how many in total? Changing from workgroup to domain results in loss of local users, and user profiles must be migrated to domain user profiles, as in a domain you will not work with local users; that makes a domain senseless. Running a domain that size requires at least 2 DC/DNS/GC in the main site, which is always recommended. Depending on the load on the DCs, more DC/DNS/GC may also be required.

For GPOs applying on domain machines in the remote site you need at least bandwidth of 500KB, otherwise parts of the GPOs are NOT processed because of determining a "slow link":
http://technet.microsoft.com/de-de/library/cc781031(v=ws.10).aspx
http://support.microsoft.com/kb/227260

Site machines have to use the domain DNS servers on the NIC ONLY, and the DNS servers have to use FORWARDERS to the ISP so internet access is possible, if required. You can also manage the remote machines with RDC, if routers are configured to forward connections to the machines.

Best regards, Meinolf Weber, MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
September 6th, 2012 5:56am
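As an added example (not part of Meinolf's post or the thread), the following PowerShell script checks the two prerequisites raised above on a list of remote site machines: that every IP-enabled NIC points only at the domain DNS servers (the router address handed out by the site's local DHCP is the usual leftover), and what slow-link threshold Group Policy will apply. The default threshold is 500 Kbps; the policy "Configure Group Policy slow link detection" under Computer Configuration > Administrative Templates > System > Group Policy writes the GroupPolicyMinTransferRate value, and a value of 0 disables detection so every link is treated as fast. The script uses WMI (Win32_NetworkAdapterConfiguration and StdRegProv) so it works against Windows XP and Windows 7 clients without WinRM, provided RPC/DCOM is allowed through the site routers and firewalls. The machine names and DNS server addresses are placeholders.

```powershell
# Added example, not from the thread. Audits remote site machines for domain-join readiness.
$domainDns    = @('10.0.0.10', '10.0.0.11')     # head office DC/DNS servers (assumed addresses)
$siteMachines = @('SITE01-PC1', 'SITE01-PC2')   # kiosk machines to check (placeholder names)

# Machine-side slow-link policy location; value is in Kbps, 0 = detection disabled, absent = 500 Kbps default
$gpKey   = 'SOFTWARE\Policies\Microsoft\Windows\System'
$gpValue = 'GroupPolicyMinTransferRate'
$HKLM    = 2147483650   # HKEY_LOCAL_MACHINE for StdRegProv

foreach ($pc in $siteMachines) {
    try {
        # Win32_NetworkAdapterConfiguration is available on XP and Windows 7 over DCOM/RPC
        $nics = Get-WmiObject -ComputerName $pc -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
        foreach ($nic in $nics) {
            $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
            $foreign = $servers | Where-Object { $domainDns -notcontains $_ }
            if ($servers.Count -eq 0) {
                Write-Warning "${pc} [$($nic.Description)]: no DNS servers configured"
            } elseif ($foreign) {
                # Usually the ADSL router's address from DHCP. A client asking the router for the
                # _ldap._tcp.dc._msdcs.<domain> SRV record gets no answer and cannot locate a DC.
                Write-Warning "${pc} [$($nic.Description)]: non-domain DNS servers present: $($foreign -join ', ')"
            } else {
                Write-Output "${pc} [$($nic.Description)]: DNS OK ($($servers -join ', '))"
            }
        }

        # Read the slow-link threshold remotely through the registry WMI provider
        $reg    = [wmiclass]"\\${pc}\root\default:StdRegProv"
        $result = $reg.GetDWORDValue($HKLM, $gpKey, $gpValue)
        if ($result.ReturnValue -eq 0) {
            if ($result.uValue -eq 0) {
                Write-Output "${pc}: slow-link detection disabled by policy (all links treated as fast)"
            } else {
                Write-Output "${pc}: slow-link threshold set by policy to $($result.uValue) Kbps"
            }
        } else {
            Write-Output "${pc}: slow-link threshold not set by policy; default 500 Kbps applies"
        }
    } catch {
        Write-Warning "${pc}: unreachable or access denied ($($_.Exception.Message))"
    }
}
```

A link measured below the threshold still applies security settings and registry-based policy, but by default Software Installation and Folder Redirection are skipped, which matters for the software deployment goal in the original question. Run the audit from a head office machine with an account that has local administrator rights on the site PCs.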

Hi Meinolf, from a user's perspective we have only 3-4 logons as these are almost kiosk machines. Note the almost. The daily users of these machines use 1 of 3 accounts for day-to-day use. Each site will use the same account consistently, and will not be switching from one account to another. So from a user maintenance side the overheads on this would be minimal. Bandwidth is typically 512Mb or better downstream to the sites, with 128 upstream or better.

Thanks iamrafic for the mention of RDC, but one of the constraining factors which is preventing the switch to this (to my misery) is a requirement for both the remote and the local user to be able to see the screen at the same time. This is for occasional training requirements which saves us site visits and hours on the phone. For this we currently use PCAnywhere (spit!) which I can't wait to replace with something else once I find something which provides logging of access, as well as allows screen sharing during remote sessions.

Currently the local routers on each site provide DNS and internet access, which is our preference as we don't want to overload our internal machines with such traffic. Is this (DNS & internet access) something which will absolutely need to change, or something which can be worked around?
September 6th, 2012 10:31am

Hi,
"both the remote and the local user to be able to see the screen at the same time."
For screen sharing, you need to depend on 3rd-party software.
"both the remote and the local user to be able to see the screen at the same time."
Yes, it needs to be changed. Active Directory fully depends on the DNS service, so you can only use Active Directory DNS servers. You can configure the ISP DNS servers in the Forwarders tab in the DNS server.

Regards, Rafic
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
September 6th, 2012 10:39am
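Added example (not from Rafic's post or the thread): configuring the forwarders that both answers refer to on the head office DNS server from PowerShell, through the root\MicrosoftDNS WMI provider that ships with the DNS role on Server 2003 through 2008 R2, and then verifying that the DC locator SRV record and an external name both resolve through that server. Run it on the DC hosting DNS as a domain admin. The forwarder addresses are placeholders in the TEST-NET-3 documentation range, and $env:USERDNSDOMAIN assumes you are logged on with a domain account.

```powershell
# Added example, not from the thread. Run on the DC that hosts the AD-integrated DNS zone.
$ispForwarders = @('203.0.113.1', '203.0.113.2')   # placeholders: replace with the ISP's resolvers

# MicrosoftDNS_Server exposes the same settings as the Forwarders tab in the DNS console
$dnsServer = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Server'
Write-Output "Current forwarders : $($dnsServer.Forwarders -join ', ')"

$dnsServer.Forwarders        = $ispForwarders
$dnsServer.ForwardingTimeout = 3      # seconds to wait on each forwarder before trying the next
$null = $dnsServer.Put()              # commit the change to the running DNS service
$dnsServer.Get()                      # re-read the instance to confirm what was stored
Write-Output "Forwarders now     : $($dnsServer.Forwarders -join ', ')"

# Verification against this server only (127.0.0.1, so no other resolver can answer for it)
$domain = $env:USERDNSDOMAIN
# 1. The DC locator record a joining client asks for; must be answered from the AD zone
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 127.0.0.1
# 2. An external name; must now be answered via the ISP forwarders
& nslookup www.microsoft.com 127.0.0.1
```

From cmd the equivalent is dnscmd /ResetForwarders 203.0.113.1 203.0.113.2 /TimeOut 3; on Server 2012 and later the DnsServer module provides Set-DnsServerForwarder. Whichever you use, the site machines themselves must list only the domain DNS servers, never the router or ISP resolvers as a secondary: a client that falls back to the router for the _ldap._tcp.dc._msdcs.<domain> lookup gets a negative answer and fails to locate a DC, which shows up as slow logons and GPOs that never apply.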
