If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

What is best way to organize communication between two remote offices?

Started by Vanesill, Mar 16, 2023, 12:07 AM

Vanesill (Topic starter)

Greetings!
Scenario:
There are two offices of the same company, one in Moscow and the other in Vladimir. Both offices have a 100Mbps internet connection. The goal is to establish seamless communication between the branches for efficient document exchange and remote management. Additionally, the plan is to deploy Active Directory (AD).

Constraints:
It is not possible to allocate a separate room for a server; at best, a cabinet with a switch, UPS, and one or two HP microservers (2-core Gen10) can be installed.

Proposed Solution:
One solution is to rent a dedicated server in Europe (Germany or the Netherlands). This server should have the following specifications: 8 cores, 64GB RAM, 2TB HDD, and a 1Gbps connection. Proxmox will be installed on this server, enabling the creation of several virtual machines. The virtual machines will include 2 domain controllers, a Zimbra mail server, Asterisk, Zabbix, Jira, and Jabber.

Approximately 50 individuals, mostly programmers, will utilize this setup. The AD will not experience significant load as document exchange within each branch will occur through local networks or unrelated services.

In each office, a Read-Only Domain Controller (RODC) and a local file server should be deployed on a microserver. MikroTik routers will be installed in both locations and connected to the dedicated server via a VPN (either OpenVPN or IPsec). Proxmox itself or a virtual machine running pfSense will handle the tunnel from the dedicated server's side. Appropriate routing configuration will be set up.

Regarding already existing servers, the ping between branches ranges from 44 to 46ms.

Question:
Is this proposed connection scheme problematic for AD operation? Will it impact user login speed and other operations? Are there any equipment-related flaws in the scheme?

This is my first attempt at organizing such office interaction. Therefore, I kindly request your feedback and suggestions for a more successful solution considering the given data and potential nuances. Additionally, I would appreciate any insights on aspects that require attention.

Thank you in advance!


Ingrid

Could it be simpler to establish a VPN directly at the headquarters if there are only 2 offices? This would eliminate the need for a "round trip" journey.

This solution would be sufficient for basic AD requests and small file transfers within the branch networks. However, for heavier tasks such as handling large files or databases, speed may be compromised.

Implementing a routed VPN (IPsec site-to-site) and utilizing DFS on both sides should be adequate to meet the requirements.
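As an added example (not from this thread, and not anyone's posted configuration), here is what the "routed VPN plus DFS on both sides" that Ingrid recommends looks like on the Windows end: a domain-based DFS namespace with a root target in each office, site costing so clients use the target in their own AD site, and DFS Replication keeping the two file servers in sync. The domain `corp.example`, the file servers `FS-MSK` and `FS-VLD`, the share name `Docs` and the content path `D:\Docs` are assumed for illustration; the IPsec tunnel itself is router configuration and is not shown here.

```powershell
# Added example, not from the thread. Run on a domain-joined management host with
# the RSAT DFS-N and DFS-R modules, as a user who can create domain-based namespaces.
# All names below are assumptions for illustration.
Import-Module DFSN, DFSR

$Domain = 'corp.example'        # assumed AD domain
$MskFs  = 'FS-MSK'              # assumed file server in Moscow
$VldFs  = 'FS-VLD'              # assumed file server in Vladimir
$Share  = 'Docs'                # assumed share, already created on both servers
$NsPath = "\\$Domain\docs"      # domain-based namespace root

# 1. Domain-based namespace (Windows Server 2008 mode) rooted on the Moscow server,
#    with the Vladimir server added as a second root target.
New-DfsnRoot -Path $NsPath -TargetPath "\\$MskFs\$Share" -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path $NsPath -TargetPath "\\$VldFs\$Share" | Out-Null

# Site costing makes clients choose the target in their own AD site and only cross
# the VPN when that target is down. It relies on AD sites/subnets being defined.
Set-DfsnRoot -Path $NsPath -EnableSiteCosting $true

# 2. DFS Replication: one group, both servers as members, one replicated folder,
#    and a connection between them (Add-DfsrConnection is bidirectional by default).
New-DfsReplicationGroup -GroupName 'Docs' -DomainName $Domain | Out-Null
New-DfsReplicatedFolder -GroupName 'Docs' -FolderName $Share -DomainName $Domain | Out-Null
Add-DfsrMember -GroupName 'Docs' -ComputerName $MskFs, $VldFs -DomainName $Domain | Out-Null
Add-DfsrConnection -GroupName 'Docs' -SourceComputerName $MskFs `
    -DestinationComputerName $VldFs -DomainName $Domain | Out-Null

# The primary member is authoritative for the initial sync; conflicting files on the
# other member are moved to its ConflictAndDeleted folder, not merged.
Set-DfsrMembership -GroupName 'Docs' -FolderName $Share -ComputerName $MskFs `
    -ContentPath "D:\$Share" -PrimaryMember $true -StagingPathQuotaInMB 8192 -Force | Out-Null
Set-DfsrMembership -GroupName 'Docs' -FolderName $Share -ComputerName $VldFs `
    -ContentPath "D:\$Share" -PrimaryMember $false -StagingPathQuotaInMB 8192 -Force | Out-Null

# 3. Checks: both root targets online, and replication state on each member.
Get-DfsnRootTarget -Path $NsPath | Select-Object TargetPath, State
Update-DfsrConfigurationFromAD -ComputerName $MskFs, $VldFs
Get-DfsrState -ComputerName $MskFs | Format-Table -AutoSize
Get-DfsrState -ComputerName $VldFs | Format-Table -AutoSize
```

Two practical caveats: the staging quota should exceed the size of the largest files users will drop in the share, otherwise replication stalls on them, and DFS-R is not a backup (a deletion in one office replicates to the other within the replication interval), so the local file servers still need independent backups.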

dany

By definition, any scheme that involves an AD domain controller outside its own infrastructure is inherently flawed.

While I don't intend to delve into political matters, I do keep up with the news.

Regarding AD, Microsoft products have provided comprehensive tools for building forests and sites since 2000. You can choose a model that suits your preferences in terms of hierarchy (head-forest or trusts).

As you have rightly pointed out, DFS is designed for collaborative work. However, it is important to note that there are nuances and specific considerations to take into account.

outsourcelink

To establish an AD in each office, utilize a VPN to connect the offices. The AD nodes can be configured to trust each other.

It is important to acknowledge that Internet service providers may experience sporadic and unforeseen failures.

If you choose to place the AD server outside the office network, it's crucial to prepare for the potential scenario where work in the office comes to a halt during internet outages. This is because access to various services will be lost.

Additionally, it may be worth considering backup solutions or redundant internet connections to mitigate the impact of such failures.

fancytommy87

Deploying Domain Controllers (DCs) in both offices is a best practice, as it provides fault tolerance and resilience in case of network connectivity issues between the offices. By having a Read-Only Domain Controller (RODC) in each office, you can reduce the authentication traffic over the VPN and provide local authentication and administrative capabilities, while still maintaining a level of security and performance.

In terms of VPN connectivity, utilizing MikroTik routers and establishing a secure VPN tunnel between the offices using either OpenVPN or IPsec is indeed a prudent choice. However, it's important to consider network latency, bandwidth, and reliability when choosing the VPN protocol to ensure seamless and efficient communication between the offices. Depending on the specific requirements and network conditions, it may be beneficial to conduct thorough testing to determine the optimal VPN configuration.

Regarding the dedicated server in Europe, the specifications you've mentioned, including 8 cores, 64GB RAM, 2TB HDD, and a 1Gbps connection, are suitable for hosting the virtual machines required for running services like Zimbra mail server, Asterisk, Zabbix, Jira, and Jabber. However, I would recommend that you not only consider the technical specifications but also the data sovereignty and privacy regulations when selecting the location for hosting the dedicated server, especially if it involves sensitive user data from the Moscow and Vladimir offices.

While the 100Mbps internet connection in both offices is sufficient for most document exchange and remote management tasks, it's important to consider potential bandwidth constraints during peak usage times. This is especially crucial if large files need to be transferred between the offices, as it may impact the performance of the communication and the overall user experience. Conducting bandwidth utilization analysis and potentially implementing Quality of Service (QoS) policies on the network may help mitigate potential bandwidth contention issues.

As for any potential impact on user login speed and other AD operations, the network latency between the offices (44-46 ms ping) should not significantly affect user experience, considering that the document exchange within each branch will occur through local networks or unrelated services. It's also important to ensure that the local file servers deployed on the microservers in each office are optimized for efficient file access and storage replication to support local operations effectively.

Your proposed solution seems well-designed and takes into account the necessary components for seamless communication and efficient document exchange. Regular monitoring and maintenance of the network infrastructure and servers will be crucial to address any potential issues that may arise. It's also important to document the network and server configurations to facilitate troubleshooting and future expansion.
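The sites and forest tooling dany refers to, and the RODC-per-office design fancytommy87 describes, come together in the configuration below. It is an added example, not configuration from anyone in this thread: it creates one AD site per location with the subnets that map clients to it, replaces the default site link with links that follow the actual VPN tunnels, scopes each branch RODC's password replication policy to that office's users, and finishes with the DC locator check that tells you whether a branch client is authenticating locally or across the tunnel. The domain `corp.example`, the site names, the subnets, the DC names `DC1`/`DC2`, the RODC names `RODC-MSK`/`RODC-VLD` and the group names are all assumptions for illustration.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a domain-joined
# host with the RSAT ActiveDirectory module, as a domain admin. Names are assumptions.
Import-Module ActiveDirectory

$Domain = 'corp.example'
$Sites  = @{
    'Moscow'   = @('10.10.0.0/16')    # assumed Moscow office LAN
    'Vladimir' = @('10.20.0.0/16')    # assumed Vladimir office LAN
    'Hosting'  = @('10.30.0.0/24')    # assumed VM network on the rented Proxmox host
}
$Rodcs  = @{ 'Moscow' = 'RODC-MSK'; 'Vladimir' = 'RODC-VLD' }   # assumed RODC names

# 1. One site per location plus its subnets. Without subnet definitions a client is
#    not placed in any site and may pick a DC across the VPN for logon.
foreach ($site in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $Sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# 2. Hub-and-spoke site links matching the tunnels (each office to the hosted DCs).
#    Cost is relative between links; 15 minutes is the minimum inter-site interval.
foreach ($spoke in 'Moscow', 'Vladimir') {
    $link = "Hosting-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded 'Hosting', $spoke `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}
# Remove the catch-all default link so the KCC does not build paths that the VPN does not carry.
Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'" |
    Remove-ADReplicationSiteLink -Confirm:$false

# 3. Move the writable DCs on the hosted Proxmox into their site (assumed DC names).
Move-ADDirectoryServer -Identity 'DC1' -Site 'Hosting'
Move-ADDirectoryServer -Identity 'DC2' -Site 'Hosting'

# 4. RODC password replication policy: cache only that office's users on its RODC, so
#    users keep logging on during an internet outage while a stolen microserver does not
#    yield every account's secrets. Assumes groups named '<Office> Users' exist.
foreach ($office in $Rodcs.Keys) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodcs[$office] `
        -AllowedList "$office Users"
}

# 5. Check from a client in the Vladimir office: the locator must return the local RODC.
#    A hosted DC here means the client's subnet is missing from its site.
nltest /dsgetdc:$Domain /force
Get-ADDomainController -Discover -Domain $Domain -SiteName 'Vladimir' |
    Select-Object HostName, Site, IsReadOnly
```

The logon-speed question in the original post is mostly answered by step 1 and step 5: with correct subnets the interactive logon, Kerberos ticket requests and Group Policy reads all go to the local RODC, and the 44-46 ms tunnel is only crossed for writes (password changes, object edits) that the RODC forwards to a writable DC. The domain admins' accounts should stay in the RODC's denied list (the default) so that their hashes never sit on the branch hardware.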

