Number of Domain Controllers needed?

You only need one DC but it is by far preferred to have at least two DCs for redundancy. One or two DCs per geographical location will be fine.

With modern hardware, 3000 users shouldn't strain a DC. (Though Exchange can certainly pound a DC with ambiguous name resolutions.) Since you're well-connected to your remote sites, you could have your domain controllers all in one location, but I'd still recommend a DC at the remote locations in case the network connection goes down. (You could use RODCs at the remote locations, then you'd be a real IT pro!)


One DC should be able to handle the authentication load from that just fine. If you have all authentication traffic centralized at a single location, I'd start with just two and make both Global Catalogs (for redundancy) and only add more if you need it.


Before you get too wrapped up with how many DCs are needed and whether or not they're needed in remote locations, take a look at the bigger picture:

Are there local resources (Exchange, file and print, etc.) at each remote location that users need to authenticate to the domain in order to access?

If the answer is yes, then it behooves you to place at least one DC in each remote location so that, in the event that the network connection is down, users will still be able to authenticate to the domain and access those local resources.

If the answer is no, then having a DC at each remote location is pointless as the users won't have access to the main office resources if the network is down. Being able to log on to the domain via the local DC does them no good. Users will be able to log on with cached domain credentials, possibly browse the internet (depending on the nature of the network problem and on which side it is occurring) but that's about it. So what good will having a local DC do?