RODC or RWDC in remote offices?
I'm looking for some suggestions! My environment consists of 1 main site and 12 other remote sites on our WAN. I currently have 2 RWDCs at our main office and 1 RWDC at one of the other twelve sites. That site has about 120 people and it made sense to put in a RWDC. For the other 11 sites, they range in size from 20 to 100 users. Our WAN links are stable and the locations for servers at each site are secure. Given the fact that I would like to run local DHCP servers to handle computers and phones, should I even bother, at the smaller sites, looking into using RODC servers? I know there is a workaround for DHCP on an RODC, but is it safe? Also, if I introduce printer management on the server I put in place, does that force me to look at only RWDCs? If I do RWDCs at the sites, what possible issues should I be looking for? (Oh, and we are 1 forest, 1 domain.) Any insights or suggestions are appreciated!
March 13th, 2010 10:52pm

Hello, as a starting point:
http://technet.microsoft.com/en-us/library/dd734758(WS.10).aspx
For known problems see:
http://technet.microsoft.com/en-us/library/cc725669(WS.10).aspx
http://support.microsoft.com/kb/944043
For DHCP/print server I would use a member server instead of DCs; it doesn't matter if RW or RO, for security reasons. The biggest concern will be if the WAN link goes down: your users aren't able to change their password, for example.
http://technet.microsoft.com/en-us/library/cc770854(WS.10).aspx
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 13th, 2010 11:24pm

I would only deploy RODCs due to business reasons and security concerns. RODCs do require additional administration (especially in regards to getting the account and password cached) and there are some limitations. Meinolf provided some good starting links.
In my experience, at our organization, we deployed two RODCs to some smaller sites, and we just wanted to get more familiar with them in regards to the management and benefits. We really had no business or security concern at these locations, so the additional effort just wasn't worth it.
Additionally, if you do deploy them, don't wait for the WAN link to go down. Test it first, as you may be surprised that not only can you not make changes to those accounts (of course, it's a READ ONLY DC), but your users may not be able to authenticate if it's not configured correctly.
Visit my blog: anITKB.com, an IT Knowledge Base.
March 14th, 2010 12:19am

In response to using DHCP on a member server: if the current DCs are Windows 2008 (which will be upgraded soon to R2), and the existing file servers at the sites are 2003 R2 ENT SP2, do you see any issue in me running the DHCP service on them?
March 17th, 2010 3:54am

Personally, I like to separate the roles when possible. If I have to mix roles, I try to keep the type together. DHCP and file servers are usually not deployed together, but from a technical perspective they can co-exist and it will work. If these offices are small, the traffic for DHCP and file services should not be too competitive.
Visit my blog: anITKB.com, an IT Knowledge Base.
March 17th, 2010 4:07am

That was my concern, that they can co-exist but aren't supported. From a recent conference it was recommended that if you have the money and time, and can provide users the best experience and performance, to put in a RWDC at sites with 20 or more users (sorry, only 2 offices are in the 20-30 range; the rest are 50 and up), do so. Especially if I was concerned about WAN traffic or links going down. I have the means to do that, and was hoping to get more feedback on similar user experiences managing that many DCs. What do I need to watch out for with adding 10-12 DCs? If the subnet and sites are set up, do I need to worry about a user authenticating across the WAN to another DC?
March 17th, 2010 5:42pm

Whenever I set up additional sites and subnet objects, I like to verify that the users are indeed being authenticated by one of their local DCs. In the current domain that I manage, we run a login script to capture information about the login process, and one piece of info happens to be the LOGONSERVER. I can tell you from my experience that Windows 2000 and later clients are site aware and, the majority of the time, they do keep the authentication traffic local. NT 4.0 clients will use the DC running the PDC emulator role. You may see some clients randomly using a DC outside of the site, but that could be due to a network hiccup or some mis-configuration at the client.
Configuring your sites and subnets is very important when you want to control authentication traffic as well as replication traffic between the DCs in different sites.
In regards to the file server/DHCP server combo, it is supported. I just wouldn't recommend it. The same goes for DCs. Running SQL or Exchange on a DC can be done and MS will provide support, but it's not a good idea. Especially when you need to upgrade those DCs.
Visit my blog: anITKB.com, an IT Knowledge Base.
March 17th, 2010 5:54pm
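The LOGONSERVER check described in the last reply, written out as an added example (not code from the thread): a logon script that records which DC authenticated the client and compares that DC's AD site with the client's own site, so a site/subnet mis-configuration shows up as a REMOTE entry in the log. The share path is a hypothetical placeholder.

```powershell
# Added example: verify that this client was authenticated by a DC in its own AD site
# and append a CSV line to a central log for later review.
# Assumes it runs as a domain logon script; \\fileserver\logonlogs$ is a hypothetical share.
$logFile = '\\fileserver\logonlogs$\logonserver.csv'   # hypothetical path, change to suit

Add-Type -AssemblyName System.DirectoryServices      # ActiveDirectorySite / Domain types

# %LOGONSERVER% looks like "\\DC01"; strip the leading backslashes.
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''

# Site the client itself resolves to (from its subnet object in AD Sites and Services).
$clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# Look up the site of the DC that handled the logon by matching its short name.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $domain.FindAllDomainControllers() |
      Where-Object { $_.Name -like "$logonServer.*" } |
      Select-Object -First 1
$dcSite = if ($dc) { $dc.SiteName } else { 'UNKNOWN' }

# LOCAL = authenticated in own site; REMOTE = crossed the WAN; UNRESOLVED = DC not found.
$status = if ($dcSite -eq 'UNKNOWN')    { 'UNRESOLVED' }
          elseif ($dcSite -eq $clientSite) { 'LOCAL' }
          else                           { 'REMOTE' }

$line = '{0},{1},{2},{3},{4},{5},{6}' -f (Get-Date -Format s), $env:COMPUTERNAME, `
        $env:USERNAME, $logonServer, $clientSite, $dcSite, $status

try {
    Add-Content -Path $logFile -Value $line -ErrorAction Stop
} catch {
    Write-Warning "Could not write logon record to ${logFile}: $_"
}

if ($status -ne 'LOCAL') {
    # A REMOTE hit usually means the client's subnet is missing or mapped to the wrong site.
    Write-Warning "Authenticated by $logonServer (site $dcSite), client site is $clientSite."
}
```

Filtering the CSV for REMOTE rows per site gives a quick view of which subnets still need a subnet object, and a burst of REMOTE entries from one office is an early sign that its local DC or WAN link is having trouble.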
