I manage a company with 12 locations, including a main office and several remote sites. Each of the remote locations currently has its own domain controller, but we are using Active Directory sync to connect to Azure AD. Given that the remote sites have site-to-site VPN connectivity back to the main office and colocation center, I'm questioning whether it's necessary to maintain domain controllers at every single remote location. Most of these remote sites have 5-10 users. Would it be reasonable to remove the domain controllers from these smaller sites, or is there something I'm missing?
5 Answers
I’d say ditch the DCs and reinvest those funds into a more reliable failover ISP instead. It could potentially improve your overall network performance!
You can definitely remove those local DCs if you ensure good connectivity to the DCs in your colo. Just keep in mind your plans for DHCP and DNS. If it’s all running smoothly, then you should be fine. However, a larger number of clients or increased latency might make an onsite DNS necessary.
Think about what would happen if the internet goes down. It’s easy to assume that nobody can work without internet access, but having a local DC can allow some work to continue offline. You might really want to weigh the difference in functionality between sites with and without a DC during an outage. If users are completely locked out of their systems without a DC, that’s a significant risk. Just documenting the implications of losing internet access could save you some headaches later.
Having just one domain controller is risky. If you only have one DC and there’s an outage, you could be in serious trouble. It's better to have redundancy and make sure you’re configured correctly so that users can always connect to a DC, wherever they are.
For small teams of 5-10 people with a solid site-to-site VPN to your main office and colo, keeping local DCs seems unnecessary. You'd just be complicating things with added security risks and potential failure points if someone misconfigures something. Just make sure your VPN is reliable. If it goes down, users might struggle to log in, as they’d be relying on cached credentials. So, definitely consider testing your network reliability before making the switch.
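A pre-decommission check that pulls together the points raised in the answers above (DNS/Kerberos reachability over the VPN, site coverage by the colo DCs, and cached logons if the link drops). This is an added example, not code from any of the posters; the site names `Branch-Denver` and `Colo-Main` are placeholders, and it assumes a domain-joined PC at the remote site with the RSAT ActiveDirectory module installed.

```powershell
# Pre-decommission checks for a remote-site DC. Site names are assumptions.
Import-Module ActiveDirectory

$RemoteSite = 'Branch-Denver'   # assumption: AD site name of the remote office
$HubSite    = 'Colo-Main'       # assumption: site whose DCs will take over

# 1. DCs per site. After removal $RemoteSite should have none and $HubSite
#    should keep at least two (a single DC is the risk one answer warns about).
$dcs = Get-ADDomainController -Filter *
$dcs | Group-Object Site | ForEach-Object {
    '{0,-20} {1} DC(s): {2}' -f $_.Name, $_.Count, ($_.Group.HostName -join ', ')
}

# 2. Every remote-office subnet must be mapped to a site, otherwise clients
#    pick an arbitrary DC instead of the nearest one across the VPN.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    ForEach-Object { "WARNING: subnet $($_.Name) is not assigned to any site" }

# 3. A site link between remote site and hub lets the DC locator fall back
#    to the hub DCs once the local one is gone.
Get-ADReplicationSiteLink -Filter * |
    Where-Object { ($_.SitesIncluded -match $RemoteSite) -and ($_.SitesIncluded -match $HubSite) } |
    ForEach-Object { "Site link $($_.Name): cost $($_.Cost), replicates every $($_.ReplicationFrequencyInMinutes) min" }

# 4. Reachability and latency from this site to each hub DC on the ports a
#    logon needs: 53 DNS, 88 Kerberos, 389 LDAP, 445 SMB (Group Policy/SYSVOL).
foreach ($dc in ($dcs | Where-Object Site -eq $HubSite)) {
    foreach ($port in 53, 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        '{0} tcp/{1} open={2} rtt={3}ms' -f $dc.HostName, $port, $t.TcpTestSucceeded, $t.PingReplyDetails.RoundtripTime
    }
}

# 5. Offline logons: CachedLogonsCount (default 10) is the number of distinct
#    users whose credentials this PC keeps for logon while the VPN is down.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $wl -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"CachedLogonsCount on this PC: $(if ($null -eq $cached) { '10 (default, not set)' } else { $cached })"
```

Run it from a workstation at the remote site so the latency figures reflect the VPN path users would actually take after the local DC is removed.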