Domain Analysis
osaddict
London, UK
We currently have around 50 workstations, 1 server which is used for development, internet access/dhcp and fileserver (read everything lol)
Our current infrastructure is NOT domain based; after a lengthy discussion it seems we will be moving to a domain, and I need to prepare something outlining the motivation for this.
As I see it this includes:
- Centralised management of PCs
- More secure - can lock down access to specific resources for specific users
- Allows use of the VPN facility offered as standard in SBS2003
- Rolling out anti-virus updates or changes is quicker
Can anyone think of anything else? (I've never worked/been a user in a domain based environment or had any part in setting one up etc)
Drawbacks:
- Cost - converting old XP home PCs to Vista business
- Cost - setting up domain
- Time - administering domain
- Added hassle for users?
Would people consider these the main points for and against?
I'll stress again, I've never worked in a domain based environment - either as a humble user or a techie, or had anything to do with configuring one - so no "OMFG how could you forget that!"-type remarks!
(Oh, and we would get someone in to configure this for us, so it was set up properly from the outset.)
Comments
Time is CONSIDERABLY lessened with a domain. Any updates, security fixes, or changes can be deployed to all clients simultaneously. Even fixing one machine is as easy as remoting into it with RDP and going to work. A domain is the easiest and fastest way to manage a network.
Hassle: if the domain is set up correctly, the users will never notice.
Such as:
Single sign-on capability on any machine within that domain. A single username and password gets access to those PCs. Users can share desktops/laptops as and when needed.
Complete security for individuals' files while providing the correct level of administration & management for IT.
Roaming profiles (implemented correctly of course).
Automatic mappings to the correct network shares and resources (printers for example) through logon scripts.
There are just a couple more for your pot.
I'll mirror Thrax's suggestion of either using XP Pro or waiting for 7 though. I'm in the "Vista is radioactive" camp.
... no never mind.
As for the rest of your synopsis, the domain controller will allow you to use group policy rules to lock down any PC connected to it.
You can use its VPN tools, but that's a rather significant security risk in allowing outside people direct access to your DC for VPN authentication. What you should be doing is using a secondary VPN access point that just authenticates against the domain controller.
Rolling out anti-virus means you'd need a corporate anti-virus solution that is centrally installed on a server and then pushes out clients and handles the updates. If you, for example, have 50 copies of AVG Pro, adding in a domain controller isn't going to centralize that process.
What you can freely centralize though is windows updates. You also add a Windows Update Server role to the domain controller. It then downloads the windows updates and all the workstations grab the updates from it. It also then keeps track of which clients have updates etc... It saves bandwidth and time.
If all you are adding in is a DC the cost should come in around $6000 for server and licensing if I'm doing my math right. Upgrading all your desktops to the business version of Windows is going to be the most significant portion of this project. Also keep in mind some free-for-home-use software won't work on Windows Pro editions. Also some of your software may not work with Vista, so you should test any of your apps first before upgrading everything.
Administering the domain will offset some of the time spent micromanaging 50 accounts, so time saved in one area is transferred to another; it's a wash there. Once you have everything running smoothly, the time it takes to administer the domain is very minimal.
Added hassle for users will be in switching over all their user accounts which again is part of the upgrade process. This is going to be the biggest headache for you. Once it's done though the end user hassle is gone.
Not main, but still!
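Once WSUS is in the picture, the check a practitioner wants is that every workstation really points at the internal update server rather than Microsoft directly, and that it does so over HTTPS rather than plain HTTP (WSUS over HTTP leaves the update metadata exposed on the wire). The PowerShell below is an added example, not code from the thread or from Microsoft; it reads the Group Policy registry values that the WSUS client settings write and reports anything weak. The server name wsus.corp.example and the constructed weak configuration are assumptions.

```powershell
# Added example: audit the WSUS client policy on a workstation.
# Reads the Group Policy keys written by "Specify intranet Microsoft update service
# location" and "Configure Automatic Updates". Hostnames below are assumptions.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-WsusClientPolicy {
    # Returns a hashtable of the relevant values; any that are unset come back as $null.
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        NoAutoUpdate   = $au.NoAutoUpdate
        AUOptions      = $au.AUOptions
    }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy,
          [Parameter(Mandatory)][string]$ExpectedServer)
    # Returns a list of findings; an empty list means the client is configured as intended.
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.UseWUServer -ne 1) {
        $findings.Add('UseWUServer is not 1: the client will contact Microsoft directly, not WSUS')
    }
    if (-not $Policy.WUServer) {
        $findings.Add('WUServer is unset: no intranet update server configured')
    } else {
        $uri = [Uri]$Policy.WUServer
        if ($uri.Scheme -ne 'https') {
            $findings.Add("WUServer uses $($uri.Scheme), not https: update metadata is unprotected in transit")
        }
        if ($uri.Host -ne $ExpectedServer) {
            $findings.Add("WUServer host is '$($uri.Host)', expected '$ExpectedServer'")
        }
    }
    if ($Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings.Add('WUStatusServer differs from WUServer: compliance reporting goes elsewhere')
    }
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings.Add('NoAutoUpdate is 1: automatic updating is disabled')
    }
    if ($Policy.AUOptions -notin @(3, 4)) {
        $findings.Add("AUOptions is '$($Policy.AUOptions)': expected 3 (download, notify) or 4 (download and schedule install)")
    }
    return $findings
}

# Constructed sample of a weak configuration: plain HTTP, status reporting to a different host.
$weak = @{
    WUServer       = 'http://wsus.corp.example:8530'
    WUStatusServer = 'http://oldwsus.corp.example:8530'
    UseWUServer    = 1
    NoAutoUpdate   = 0
    AUOptions      = 4
}
Test-WsusClientPolicy -Policy $weak -ExpectedServer 'wsus.corp.example'

# Live check of the machine this runs on:
Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedServer 'wsus.corp.example'
```

Run it on a handful of workstations after the GPO has applied (gpupdate /force first); no output is the pass. The constructed sample produces two findings, one for the http:// scheme and one for the mismatched status server.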
A vast majority of the machines already have Vista Business, so I was thinking of sticking with this so they all have the same OS - think 40 on Vista Business; the rest are XP Home or ancient XP Pro machines that need replacing.
The RDP point is great - so if a user calls me with an issue I need not leave my seat and can RDP to them as I would our server and tweak stuff over the phone etc?
Re: RDP
Yep, you'll be able to touch every computer in your network remotely without leaving your seat. Very convenient! You could probably do this now, but a domain will only make it easier.
Ah, I see - so user X belongs to group Y which is allowed access to network drives A, B, and C; they can go to a machine typically used by another user belonging to a basic group with access only to drive B, log in with their credentials and get access to A, B, C as they would from their PC? Nice, I hadn't realised it would be that simple.
I guess it's a case of changing the thought of PCs as 'XX's PC vs 'an office workstation'
Our plan is to get a new server and get the domain setup on the server, migrate the files from the current server to this one and then use the old one as a DEV server - so 2008 is very likely.
I was keen for 64bit too so that we could have more than 4gb ram, but not sure what other implications this would have in a basically 32bit environment.
I appreciate the Antivirus point, I reckon that's something where when the subscriptions for the majority are due to expire we would move to a centralised method.
The ongoing administration side of things doesn't sound too heavy going, which is attractive as it will probably fall down to me and I have plenty to keep me busy!
Vista wise it's not a problem - most users just use office 2007 / ie / firefox - which we know works fine for all the vista users.
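The "automatic mappings through logon scripts" suggestion above and the group Y / drives A, B, C model the OP describes are the same thing in practice: a logon script that runs as the user, looks at the groups in the user's token and maps the drives those groups are entitled to. The script below is an added example, not code from the thread. Group names (CORP\Finance etc.) and share paths (\\FILESERVER\...) are assumptions. The security point it is built around: the mapping is a convenience, and the share and NTFS ACLs are what actually authorize access, so the script never tries to work around an access-denied error.

```powershell
# Added example: logon script mapping network drives by domain group membership.
# Group and share names are assumptions. Authorization lives in the share/NTFS ACLs,
# not in this script; a user who is mapped to a share they have no rights on simply
# gets an error, and that is the correct outcome.

# Policy: which groups get which drives. Everyone gets the common share; departmental
# shares follow group membership. Letters and paths are hypothetical.
$DriveMap = @{
    'CORP\Domain Users' = @( @{ Letter = 'S'; Path = '\\FILESERVER\Shared' } )
    'CORP\Finance'      = @( @{ Letter = 'F'; Path = '\\FILESERVER\Finance' } )
    'CORP\Management'   = @( @{ Letter = 'M'; Path = '\\FILESERVER\Management' } )
}

function Get-CurrentUserGroups {
    # Resolve the logged-on user's token groups to DOMAIN\Group names.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # orphaned SIDs (deleted groups) cannot be translated; skip them
    }
}

function Resolve-DriveMappings {
    param([Parameter(Mandatory)][string[]]$Groups,
          [Parameter(Mandatory)][hashtable]$Map)
    # Pure function: returns Letter -> Path for the drives the user is entitled to,
    # so the policy can be checked without touching the network.
    $result = @{}
    foreach ($g in $Groups) {
        if (-not $Map.ContainsKey($g)) { continue }
        foreach ($d in $Map[$g]) {
            if ($result.ContainsKey($d.Letter)) {
                # Two groups claiming one letter is a policy bug worth surfacing, not hiding.
                Write-Warning "Drive $($d.Letter): is claimed by more than one group; keeping the first mapping"
                continue
            }
            $result[$d.Letter] = $d.Path
        }
    }
    $result
}

function Connect-UserDrives {
    param([Parameter(Mandatory)][hashtable]$Mappings)
    foreach ($letter in $Mappings.Keys) {
        $path = $Mappings[$letter]
        if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
            Remove-PSDrive -Name $letter -Force   # stale mapping left from a previous session
        }
        try {
            # -Persist makes the drive visible in Explorer; it requires the global scope.
            New-PSDrive -Name $letter -PSProvider FileSystem -Root $path -Persist -Scope Global -ErrorAction Stop | Out-Null
        } catch {
            # Access denied here means the ACL disagrees with $DriveMap. The ACL is
            # authoritative; log it for the admin rather than attempting a workaround.
            Write-Warning "Could not map ${letter}: to $path : $($_.Exception.Message)"
        }
    }
}

# Constructed sample: a Finance user, evaluated offline. Yields S: and F:, no M:.
$sample = Resolve-DriveMappings -Groups @('CORP\Domain Users', 'CORP\Finance', 'BUILTIN\Users') -Map $DriveMap
$sample

# Real run at logon:
Connect-UserDrives -Mappings (Resolve-DriveMappings -Groups @(Get-CurrentUserGroups) -Map $DriveMap)
```

Keeping Resolve-DriveMappings free of side effects means the group-to-drive policy can be reviewed and tested by the admin without a test account logging on. Note also what the script cannot do: it runs under the user's own token, so it can never grant a drive the ACLs would refuse, and a share a user is not mapped to is still reachable by UNC path if the ACL allows it; hiding a mapping is not access control.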
Then, when setting up the server, you probably want to do RAID 1 for the OS, and if you are going to be storing files or anything else on it, RAID 5 with a hot spare is the way to go.
We currently have a Dell PowerEdge 2900 with SBS2003; I believe the intention was to get similar but beefier.
I was thinking:
- 2x quad core processors
- 8GB RAM
- RAID 1
Do you really reckon RAID 5 is necessary for a file server?
We've always had RAID 1 in the past and never needed it...
Unless your server is going to be doing a lot of heavy processing, dual quad cores is overkill. If you're using SBS2003 as your domain controller, you're going to see diminishing returns for RAM over 4GB - only specific applications that are PAE-enabled will use the extra RAM. The new version of SBS is 64-bit, and if you're planning on using SBS2008 I would then suggest you go with the 8-core setup. Exchange 2007 consumes more resources (processor and memory) than Exchange 2003, so it would make sense. Be advised that you cannot upgrade SBS 2003 to SBS 2008 - it's a rip and replace upgrade, since one is 32-bit and the other is 64-bit.
RAID 1 is not an option, it's a necessity. Believe me, when one of your hard drives fails, you will be thankful you had RAID 1. If you're going to use SBS, RAID 5 will save you some money by increasing the amount of storage you have available, but your Exchange and SQL server performance will not be so great. Presuming your server has a real RAID controller, multiple RAID 1 arrays would give you the best performance and fallback capability for your company's size. RAID 5 is ok for fileserver tasks, but even a RAID controller with a cache is going to take a pretty significant hit for write operations. Remember that with SBS, you're running a mail server that uses a database to store messages, as well as SQL Server itself, in addition to any files that you're sharing and (if you've enabled it) the Windows Update Services. I think I/O isolation is the best policy in a situation like this - having two or three RAID 1 arrays will make sure that your Exchange server is not sharing I/Os with the SQL Server writer and with the user who is copying a 650MB ISO to the fileserver.
I think you'll find that while Active Directory is complex, once you get even a basic understanding of the way it works, the management of your workstations will become much easier. WSUS in particular will make the management of the patch levels of your workstations much easier to monitor, and group policy is a godsend.
Please excuse my ignorance, but roaming profiles - would these allow one to log on to the domain from say a laptop at home or something?
We have two physical locations - one being 2 guys both on laptops!
Roaming profiles are a bit of a pain though. The home user had better have a good internet connection, because when they log on their profile needs to be downloaded, and then again when they log off they have to upload their profile. Depending on the size of their profile and the speed of their connection, it can take anything from a few minutes to 10 minutes.