Channel: Network Infrastructure Servers forum

Direct Access multiple locations / offices

Currently the NLS is located on the DA server that is located in the main office; it will be moved to another server when deploying it in the production network. There are several offices, each office has its own AD site and its own IP range. In each AD site there's an RODC. All sites are routed.


Before enabling DA on the clients other than in the main office I want to check if it's necessary to deploy an NLS for each site/office.


What happens if the connection between the main office and the branch office is lost? The clients will not be able to ping the NLS server located in the main office and will not be able to connect to the DA server in the main office. Will it then turn on the NRPT? If not, it shouldn't be a problem if I don't configure an NLS in each site. But then why does Microsoft recommend that you create an NLS website on a highly available server? Because if the NLS and DA are located on the same server the clients won't be able to initiate a connection when the server, for example, is rebooted or crashed.


But if the clients do turn on their NRPT even though they cannot connect to the DA server it can cause issues. Then I need to deploy an NLS website in each site. From what I've been reading I must do the following:


1. Duplicate a web server template and set the permissions so that the RODCs can enroll the certificate for the NLS site
2. Create a DNS record named nls.corp.contoso.com for each site in which the NLS website is configured
site 1 : 192.168.1.2 --> nls.corp.contoso.com
site 2 : 192.168.2.2 --> nls.corp.contoso.com
site 3 : 192.168.3.2 --> nls.corp.contoso.com

3. Install the IIS role with domain and IP restrictions
4. Create a simple website
5. Set up SSL binding
(CRL checking for the certificate assigned to the NLS website happens on the intranet, so I don't need to publish a CRL so it can be accessed over the internet)
6. Configure the DA server to use another NLS server


In short: Do I need to deploy an NLS in each site/office? If so, are the steps above correct? I just want to make sure I don't run into any issues when deploying the DA server in the production network.
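The per-site NLS build described in steps 2 to 6 above, written out as an added PowerShell example (this is not code from the original post or from Microsoft). It assumes the site addresses from the post, an AD-integrated zone corp.contoso.com, a duplicated web server template named NLSWebServer (hypothetical name), a site web root C:\inetpub\nls (hypothetical path), and an intranet range of 192.168.0.0/16 for the IP restriction. Each site's web server runs the per-site part; the DNS and DA steps are run once from the DNS server and the DA server respectively. The three A records all carry the same name, so every DNS server in the AD-integrated zone holds all three; which one a client receives first depends on the DNS server's answer ordering (Windows DNS netmask ordering prefers the record in the client's own subnet), which is worth verifying from a client in each site.

```powershell
# Added example: per-site Network Location Server build for DirectAccess.
# Assumptions (not from the post): template name NLSWebServer, web root
# C:\inetpub\nls, intranet range 192.168.0.0/16. Site IPs are from the post.

$NlsFqdn = 'nls.corp.contoso.com'
$ZoneName = 'corp.contoso.com'
$Sites = @{
    'site1' = '192.168.1.2'
    'site2' = '192.168.2.2'
    'site3' = '192.168.3.2'
}

# --- Step 2, run once on a DNS server holding the AD-integrated zone ---
# One A record per site, all with the same name, as the post proposes.
function Add-NlsDnsRecords {
    foreach ($ip in $Sites.Values) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'nls' -IPv4Address $ip
    }
    # Verify: all three records should now resolve under one name.
    Resolve-DnsName -Name $NlsFqdn -Type A
}

# --- Steps 1 and 3 to 5, run on each site's NLS web server ---
function Build-NlsSite {
    # Step 3: IIS with the "IP and Domain Restrictions" feature.
    Install-WindowsFeature -Name Web-Server, Web-IP-Security -IncludeManagementTools
    Import-Module WebAdministration

    # Step 1 (client side): enrol the NLS certificate from the duplicated
    # template. The SAN must match the name clients probe (nls.corp.contoso.com).
    $cert = (Get-Certificate -Template 'NLSWebServer' `
                 -SubjectName "CN=$NlsFqdn" -DnsName $NlsFqdn `
                 -CertStoreLocation 'Cert:\LocalMachine\My').Certificate

    # Step 4: a simple site. Any 200 response over HTTPS satisfies the NLS probe,
    # so a static page is enough.
    New-Item -ItemType Directory -Path 'C:\inetpub\nls' -Force | Out-Null
    Set-Content -Path 'C:\inetpub\nls\default.htm' -Value '<html><body>NLS</body></html>'
    New-Website -Name 'NLS' -PhysicalPath 'C:\inetpub\nls' -Port 443 -Ssl -HostHeader $NlsFqdn

    # Step 5: bind the enrolled certificate to 443.
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

    # Step 3 (continued): only intranet clients may reach the NLS. The NLS must
    # never be reachable from the internet, otherwise an external client would
    # decide it is "inside" and disable its DirectAccess tunnels.
    $f = 'system.webServer/security/ipSecurity'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'NLS' `
        -Filter $f -Name 'allowUnlisted' -Value $false
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'NLS' `
        -Filter $f -Name '.' `
        -Value @{ ipAddress = '192.168.0.0'; subnetMask = '255.255.0.0'; allowed = 'true' }

    # Local check: the probe URL the clients will use must answer over TLS.
    Test-NetConnection -ComputerName $NlsFqdn -Port 443
    Invoke-WebRequest -Uri "https://$NlsFqdn/" -UseBasicParsing | Select-Object StatusCode
}

# --- Step 6, run once on the DirectAccess server ---
function Set-NlsOnDaServer {
    Set-DANetworkLocationServer -Url "https://$NlsFqdn/"
    Get-DANetworkLocationServer
}

# --- Client-side check for the question in the post (does the NRPT turn on?) ---
# Run on a DA client in a branch site: with the local NLS reachable the client
# should report itself inside the corporate network and the NRPT should not be
# in effect; pull the WAN link to the main office and re-run to see what changes.
function Test-NlsFromClient {
    netsh dnsclient show state
    Get-DnsClientNrptPolicy -Effective
}
```

Run `Add-NlsDnsRecords` once, `Build-NlsSite` on each site's web server (in an elevated session, with the certificate template already published), then `Set-NlsOnDaServer` on the DA server. `Test-NlsFromClient` is the check the post asks about: it shows whether a client in a branch site treats itself as inside or outside the corporate network, and whether the NRPT rules are active, so the "link to the main office lost" scenario can be tested before production rather than reasoned about.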