IT-Talks Forum

AD DC’s decommissioning
davidd

Posts : 2
Location : N/A
Posted : 7/9/2007 4:17:22 PM  

We are planning to centralize our AD DC’s, but what about the local user management in other locations?

If they connect to the centralized AD DC’s through AD Users and Computers it responds slowly. Are there any suggestions, so that local system administrators don’t see performance issues in managing their own local users?

Thanks for your reply,


David.

Tom

Administrator
Posts : 47
Location : N/A
Posted : 7/9/2007 9:48:34 PM  

Without local DC's the only way to speed up remote administration would be to use terminal services.

The main issue here is, "are the remote admins responsible for the whole domain/forest or just a partial OU,..."

If they are full domain / enterprise admins then there is no problem; they could log on to a DC in the remote site.

Better practice and my advice is to create a management station. A management station is a member server that holds all the MMC snap-ins and/or other tools required to administer your network environment close to your DC's. You can grant / restrict access to this system allowing remote admins to log on but without giving them any DC logon rights. Using normal AD delegation, delegate control over the specific OU's,...

Downside to this setup is that you can have only 3 admins doing local administration at any time, but this should be enough.

Tom
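
The management-station setup described in the post above, as an added example that is not part of the original thread: it delegates user management on one OU to a site admin group with `dsacls` and lets that group log on to the member server over Remote Desktop, without any rights on the DCs. The OU, domain and group names are placeholders assumed for illustration.

```powershell
# Added example. All names below are hypothetical placeholders.
$ou    = 'OU=Branch01,DC=example,DC=com'   # OU that holds the remote site's users
$group = 'EXAMPLE\Branch01-UserAdmins'     # domain group containing the site admins

function Invoke-Checked {
    # Run a native command and stop on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Run with rights to change the OU's ACL.
#    Allow the group to create and delete user objects in this OU and below.
#    CC = create child, DC = delete child, limited to object type "user".
Invoke-Checked dsacls.exe @($ou, '/I:T', '/G', "${group}:CCDC;user")

# 2. Full control (GA), inherited only by user objects beneath the OU (/I:S).
#    The group gets nothing on the OU itself, on computers, groups or GPO links.
Invoke-Checked dsacls.exe @($ou, '/I:S', '/G', "${group}:GA;;user")

# 3. Run on the management station (a member server, not a DC).
#    Remote Desktop logon only; the group is not made a local administrator.
Invoke-Checked net.exe @('localgroup', 'Remote Desktop Users', $group, '/add')

# 4. Review what was granted: ACEs for the group on the OU, and who can RDP in.
dsacls.exe $ou | Select-String -SimpleMatch $group
net.exe localgroup 'Remote Desktop Users'
```

Keeping the group out of Domain Admins and out of the DCs' logon rights is what makes the management station the only place these accounts can work from.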

davidd

Posts : 2
Location : N/A
Posted : 7/10/2007 9:47:09 AM  

Thanks for your quick reply Tom. That is indeed what we are looking to do, although it is more inconvenient than administering their own OU's through AD Users and Computers on the local machine.

Maybe MS one day will offer a better solution for this.

Cheers,

David.

Copyright 2005 by Tom Decaluwé