Overseeing a remote office/branch office site often requires significant computing resources, but on-site IT staff is typically lacking. Deploying and managing a branch office server therefore requires IT managers to think differently about hardware and management tool selection, domain controller placement, and monitoring and automation strategies than they would for a traditional data center.
Some organizations place branch office server resources in the public cloud. While this approach can greatly simplify the management of such resources, bandwidth constraints and operational requirements might prevent cloud-based operations from being a viable option.
Before deploying computing resources to a remote office/branch office (ROBO) site, you must consider the operational requirements beyond simply running the required workload. Specifically, the IT infrastructure must function in the absence of on-site IT staff and support remote administration. Additionally, a branch office environment might be less physically secure than an organization's primary data center. The IT resources you deploy must keep the organization's data secure even if someone gains physical access to the servers, for example with VM-level encryption. Finally, the resources you deploy at remote locations should work with the organization's existing management tools.
Unfortunately, there is no such thing as a universal platform for ROBO environments. What works for one organization might not necessarily work for another. Even so, there are four best practices to keep in mind as you plan to support a branch office server.
1. Use fully redundant hardware
Because of the budgetary constraints often associated with operating a remote site, you might be tempted to use lower-cost server hardware. However, without on-site IT support, any outage could be prolonged, leading to significant financial loss. The best way to mitigate this risk is by using fully redundant server hardware.
2. Carefully plan domain controller placement
If the branch office server has its own Active Directory (AD) domain, create a minimum of two virtualized domain controllers and use anti-affinity rules to ensure that these domain controllers always reside on separate hosts. Remember that AD depends on the Domain Name System (DNS), so it's a good idea to ensure similar redundancy for the DNS service your domain controllers rely on.
If the remote site shares an AD domain with the main office, you should still place a couple of virtualized domain controllers in the ROBO environment. Otherwise, a WAN outage could prevent remote office users from logging in. In addition, with security being so important at ROBO sites, consider using read-only domain controllers for this purpose.
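The placement rules above can be checked mechanically against an inventory export. The following Python sketch is an added example, not part of the original article; the inventory records, field names and site names are constructed, and it assumes DNS is served by the domain controllers themselves.

```python
from collections import defaultdict

# Constructed inventory (not from the article): one record per domain controller VM.
# Field names are hypothetical; populate them from your own AD and hypervisor exports.
INVENTORY = [
    {"name": "DC-BR1-01", "site": "branch-1", "host": "hv-br1-a", "read_only": True,  "dns": True},
    {"name": "DC-BR1-02", "site": "branch-1", "host": "hv-br1-b", "read_only": True,  "dns": True},
    {"name": "DC-BR2-01", "site": "branch-2", "host": "hv-br2-a", "read_only": False, "dns": True},
    {"name": "DC-BR2-02", "site": "branch-2", "host": "hv-br2-a", "read_only": False, "dns": False},
    {"name": "DC-BR3-01", "site": "branch-3", "host": "hv-br3-a", "read_only": True,  "dns": True},
]


def audit_dc_placement(inventory, shared_domain_sites=frozenset()):
    """Return {site: [findings]} for the placement rules described above.

    shared_domain_sites: sites that share an AD domain with the main office,
    where the article suggests read-only domain controllers.
    """
    by_site = defaultdict(list)
    for dc in inventory:
        by_site[dc["site"]].append(dc)

    findings = {}
    for site, dcs in sorted(by_site.items()):
        issues = []
        if len(dcs) < 2:
            issues.append("fewer than two domain controllers")
        # Anti-affinity: no two DCs of one site may share a hypervisor host.
        hosts = [dc["host"] for dc in dcs]
        for host in sorted(set(hosts)):
            if hosts.count(host) > 1:
                issues.append(f"anti-affinity violated on host {host}")
        # DNS redundancy (assumes DCs serve DNS): two DNS-serving DCs on distinct hosts.
        dns_hosts = {dc["host"] for dc in dcs if dc["dns"]}
        if len(dns_hosts) < 2:
            issues.append("DNS not redundant across hosts")
        if site in shared_domain_sites:
            writable = sorted(dc["name"] for dc in dcs if not dc["read_only"])
            if writable:
                issues.append("writable DCs at shared-domain site: " + ", ".join(writable))
        findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_dc_placement(INVENTORY, {"branch-1", "branch-2"}).items():
        print(site, "OK" if not issues else "; ".join(issues))
```

An empty findings list for a site means all four checks passed; the read-only check is reported only for sites passed in `shared_domain_sites`, since the article recommends read-only domain controllers for that case.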
3. Consider management tools
It goes without saying that you need a VPN connection between your main office and any ROBO locations. Otherwise, you'll have to perform management tasks on-site. This VPN connectivity should enable you to use the same virtualization-level management tools, such as vCenter Server or System Center Virtual Machine Manager, to manage both the main office and any other locations.
Even so, the fact that ROBOs commonly lack any on-site IT staff means you must also think about branch office server management as it applies to other layers of the stack. For example, many hardware vendors offer out-of-band management tools that can provide BIOS-level management capabilities for servers. These types of tools can be extremely helpful if you must remotely diagnose a hardware failure or force a reboot on a cluster node.
4. Look for ways to implement monitoring and automation
The idea is to automate common maintenance tasks, such as load balancing VMs, while also automatically remediating small problems. The monitoring software can also alert you to conditions that need your attention.
The key to managing a successful branch office server is to avoid having a single point of failure. While it might be tempting to solely focus redundancy efforts on the virtualization infrastructure and the underlying hardware, it's equally important to ensure that VPN connectivity is also redundant. After all, without some form of connectivity, remote management becomes impossible.