 
dvs
newbie
Topic Author
Posts: 43
Joined: Tue Jul 24, 2007 1:11 pm

Hotspot + Active Directory related

Thu Jan 24, 2008 1:17 pm

Hey guys.
Recently I've started looking into integrating a MikroTik hotspot solution into an already existing (mainly Microsoft based) and very large network.

The network consists of various different locations with quite a few "child domain controllers" feeding different areas. There obviously needs to be a parent domain controller somewhere, but with me not having done really extensive work with Microsoft DCs and Active Directory, I am uncertain just how these interact and affect each other.

What I want to be able to do is have a hotspot at every location and at the same time have the capability of each and every user on any of the domain controllers to be able to login using their domain user name and password.

I came across this post:
How to setup Hotspot AAA Microsoft IAS RADIUS for use with MikroTik – By Rodney Yeo
Now that pretty much explains to you how to make a fresh installation and though I've not been able to test it yet, I'm sure it will work... (I reckon)

The scenario I am faced with though will require (as stated before) an integration with an already existing Microsoft setup.

What I want to ask is:
1- How will this affect the configurations required to be done in relation to the post mentioned previously? Will I only need to make changes to the primary controller and set up my MikroTik systems to co-ordinate with it?
2- Will I need to configure each and every child domain controller to run RADIUS? I.e. follow the post mentioned on each domain controller - parent and child?
3- Kind of falls in with the previous, is there a way of making my MikroTik APs just use one central point of authorisation in a network with many child domain controllers without having to make changes to each and every domain controller on the network and have all users be able to log into any MikroTik hotspot at any location?


Let's keep it simple for now (for my own sake) and stop here :shock:

Anyone with some input?
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Hotspot + Active Directory related

Thu Jan 24, 2008 2:58 pm

> 3- Kind of falls in with the previous, is there a way of making my MikroTik APs just use one central point of authorisation in a network with many child domain controllers without having to make changes to each and every domain controller on the network and have all users be able to log into any MikroTik hotspot at any location?

This is the point of the architecture: RADIUS server + routers (access points, HotSpots, etc.).

You have one RADIUS server that contains information about routers (RADIUS clients).
Every router has a 'radius' client configured and an appropriate service to run RADIUS for authentication and authorization.

So, all routers share the same database. Client1 could connect to AP1, then go to location AP2 and connect there.
AP1 and AP2 use the same RADIUS database.

> 1- How will this affect the configurations required to be done in relation to the post mentioned previously? Will I only need to make changes to the primary controller and set up my MikroTik systems to co-ordinate with it?

When configuration is done, all changes are applied on the RADIUS server.

> 2- Will I need to configure each and every child domain controller to run RADIUS? I.e. follow the post mentioned on each domain controller - parent and child?

Yes, you need to configure 'radius client' on each client router and configure the service (wireless, HotSpot, etc.) to use RADIUS.
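
The arrangement described in the reply above, as an added example that is not part of the original thread: a minimal Python model of one central RADIUS server that holds a table of routers (RADIUS clients) and a single user database. The IP addresses, secrets, user entry and function names are constructed; it assumes a PAP-style login where the password travels in the User-Password attribute hidden as in RFC 2865, and `USERS` stands in for the directory lookup.

```python
import hashlib, hmac, os, struct

# Constructed sample data. CLIENTS is the server's table of routers (NAS source
# IP -> shared secret); USERS stands in for the directory lookup behind RADIUS.
CLIENTS = {"10.1.0.1": b"secret-for-ap1", "10.2.0.1": b"secret-for-ap2"}
USERS = {"alice": b"correct horse battery"}

def hide(password, secret, req_auth):
    """RFC 2865 section 5.2 User-Password hiding (MD5 keystream, chained)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(user, password, secret, ident=1):
    """What a router (RADIUS client) sends: Access-Request, code 1."""
    req_auth = os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, user.encode()), (2, hide(password, secret, req_auth))):
        attrs += bytes([attr_type, len(value) + 2]) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def server_handle(src_ip, packet):
    """Central server: pick the secret by source IP, then check the user."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return "drop"  # unknown router: the request is silently discarded
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += max(attr_len, 2)  # never loop forever on a malformed length
    expected = USERS.get(attrs[1].decode())
    supplied = unhide(attrs[2], secret, req_auth)
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    return "accept" if ok else "reject"
```

The same user is accepted through either router because both are listed in the one client table, each with its own secret; a router with a mismatched secret gets a reject because the password no longer unhides correctly.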
 
dvs
newbie
Topic Author
Posts: 43
Joined: Tue Jul 24, 2007 1:11 pm

Re: Hotspot + Active Directory related

Fri Jan 25, 2008 8:34 am

Hey sergejs,
thanks for responding.

Now that I think about it, I guess my question is more Microsoft RADIUS & Active Directory orientated. I'm ok with configuring the MikroTik router - having to enter the RADIUS server details etc.

What I would like to know, I guess if I put it in short terms:
In a network with Primary Domain controller P1 and child domain controllers C1,C2, C3 and C4 -
1- Will I only need to configure P1 to run RADIUS (if it is not doing so already) and then set my MikroTik routers up to check in with P1?
or
2- Will I need to configure P1 + C1 to C4 to run RADIUS and then set up the MikroTik systems in the different sectors to check in with the corresponding Domain Controller?

How does Active Directory work in such a network, do domain controllers C1 to C4 populate the user tables in P1? If this is the case, then I guess it's just a case of configuring P1 to accept my MikroTik routers and vice versa. If not, then I guess I will need to configure C1 to C4 or create a completely new DC where ALL the users will need to be manually set up on (like a MikroTik User Manager box / router).

Does this make sense to you? Do you know a bit about Active Directory and MS Domain controllers?

Thanks again.
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Hotspot + Active Directory related

Fri Jan 25, 2008 8:39 am

Unfortunately, I cannot help you with Active Directory.
Probably any other user will be able to help you with it.
 
leoktv
Trainer
Posts: 144
Joined: Thu Dec 01, 2005 1:39 pm
Location: sweden

Re: Hotspot + Active Directory related

Fri Jan 25, 2008 3:20 pm

If all MikroTik routers are able to connect to the main AD then you only need to configure that one. If not, then all the servers that are going to serve RADIUS questions need to be configured. I think that this is the answer to the right question.
Regards