ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    SAMIT: Do You Need Two AD Domain Controllers?

    Scheduled Pinned Locked Moved IT Discussion
    samitscott alan milleractive directoryhigh availabilitybest practicesyoutubead dcdomain controller
    72 Posts 14 Posters 11.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jmooreJ
      jmoore
      last edited by

      Good points here. Every environment is unique. I could be wrong but i think some people try to use "best practices" reasoning because they do not know how to go about figuring out if something like this makes sense or not. its the "easy" button for them.

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @jmoore
        last edited by

        @jmoore said in Do You Need Two AD Domain Controllers? SAMIT Video:

        Good points here. Every environment is unique. I could be wrong but i think some people try to use "best practices" reasoning because they do not know how to go about figuring out if something like this makes sense or not. its the "easy" button for them.

        Right, when really best practices is always "determining what is right for your environment" and "hiring people competent enough to make good decisions."

        1 Reply Last reply Reply Quote 1
        • bigbearB
          bigbear
          last edited by

          If you think about small biz server 2000 - with ISA server, AD, Exchange, File shares all on the same box, directly connnected to your LAN and your internet connection, you really have to perceive MS best practices we're designed for very large companies. SMB was an after thought once it was identified as a growth market.

          Lotus had a server product called Foundations that I thought was kick ass before the cloud arrived. You got Domino server, file services and the Domino App/Database servers.

          scottalanmillerS 1 Reply Last reply Reply Quote 1
          • scottalanmillerS
            scottalanmiller @bigbear
            last edited by

            @bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

            If you think about small biz server 2000 - with ISA server, AD, Exchange, File shares all on the same box, directly connnected to your LAN and your internet connection, you really have to perceive MS best practices we're designed for very large companies.

            That, by definition, means it isn't a best practice. A true best practice is not affected by size of company.

            1 Reply Last reply Reply Quote 1
            • S
              StorageNinja Vendor
              last edited by StorageNinja

              There are other windows functions tied to AD (Print Servers, GPO's, authentication if users are domain users).
              Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

              bigbearB scottalanmillerS 2 Replies Last reply Reply Quote -1
              • bigbearB
                bigbear @StorageNinja
                last edited by

                @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                There are other windows functions tied to AD (Print Servers, GPO's, authentication if users are domain users).
                Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

                Honestly I cant believe we arent at the point where everyones cell phone doubles as a desktop CPU and all business apps arent pushed through app streaming.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @StorageNinja
                  last edited by

                  @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                  Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

                  1. Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
                  2. Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.
                  bigbearB 1 Reply Last reply Reply Quote 1
                  • bigbearB
                    bigbear @scottalanmiller
                    last edited by

                    @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                    @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                    Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

                    1. Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
                    2. Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.

                    I would agree, the only important thing is probably being able to reset a user's forgotten password. Which one can easily accomplish without directory services.

                    scottalanmillerS Reid CooperR 2 Replies Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @bigbear
                      last edited by

                      @bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

                      @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                      There are other windows functions tied to AD (Print Servers, GPO's, authentication if users are domain users).
                      Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

                      Honestly I cant believe we arent at the point where everyones cell phone doubles as a desktop CPU and all business apps arent pushed through app streaming.

                      Well, I can tell you, some major reasons I don't want that are....

                      • I want my cell phone free for other tasks, I don't want it locked up being tied to a monitor all day.
                      • Doing this would interfere with my battery management regime, not impossible to work around, but would take something simple and make it complex.
                      • I need my computer as a backup device, the more I tie to my cell phone, the more issues I have if it gets broken or lost
                      • Most phones are single user devices, they lack user control mechanisms, which could easily fall under your "why don't they make this work" feeling, but is a current problem that people see them as an identifying object like an RSA card, but treat them as a computer a la Windows 98
                      • If all we are doing is app streaming and nothing else, I don't want the hassle of attaching my phone or anything else, I want that minimal logic built into the monitor or, for trivial effort, bolted onto it like we already do today.

                      Honestly, I think where we are today is better than it would be if we used our phones for it.

                      1 Reply Last reply Reply Quote 1
                      • scottalanmillerS
                        scottalanmiller @bigbear
                        last edited by

                        @bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

                        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                        @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                        Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

                        1. Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
                        2. Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.

                        I would agree, the only important thing is probably being able to reset a user's forgotten password. Which one can easily accomplish without directory services.

                        Right, exactly. The need to have a central authentication authority is often assumed, I think based on conversations I've had about this, to do things that are not actually related to it. Central authentication, while it does have value, in the SMB seems to be primarily deployed out of confusion, rather than out of solving a problem.

                        S 1 Reply Last reply Reply Quote 1
                        • Reid CooperR
                          Reid Cooper @bigbear
                          last edited by

                          @bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

                          @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                          @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                          Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

                          1. Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
                          2. Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.

                          I would agree, the only important thing is probably being able to reset a user's forgotten password. Which one can easily accomplish without directory services.

                          You can generally do that without any infrastructure, just using scripts or something.

                          1 Reply Last reply Reply Quote 1
                          • dbeatoD
                            dbeato
                            last edited by

                            If we are going to talk about AD (MIcrosoft Active Directory) Then I would still debate that even when you don't need to have 2 DC you need to separate some functions from a DC such as Exchange or SQL (If you are using that still in-house) which then begs the question where are we moving forward with technologies and the cloud.

                            There are many IaaS and DaaS that can cover the need for a DC, OwnCloud and then like for file collaboration and something like PrintLogic for PrintServers
                            https://www.printerlogic.com/
                            That combined with a centralized scripting deployment will work well. That is why something like Sodium or RMM tool comes into play. Even the policies are applied much faster (As soon as the agent or services are contacted).

                            scottalanmillerS 1 Reply Last reply Reply Quote 1
                            • scottalanmillerS
                              scottalanmiller @dbeato
                              last edited by

                              @dbeato said in Do You Need Two AD Domain Controllers? SAMIT Video:

                              If we are going to talk about AD (MIcrosoft Active Directory) Then I would still debate that even when you don't need to have 2 DC you need to separate some functions from a DC such as Exchange or SQL (If you are using that still in-house) which then begs the question where are we moving forward with technologies and the cloud.

                              There are many IaaS and DaaS that can cover the need for a DC, OwnCloud and then like for file collaboration and something like PrintLogic for PrintServers
                              https://www.printerlogic.com/
                              That combined with a centralized scripting deployment will work well. That is why something like Sodium or RMM tool comes into play. Even the policies are applied much faster (As soon as the agent or services are contacted).

                              Yes, you commonly don't need AD at all. The video is really focused on "if you have AD, do you need two?" Certainly that AD is not needed at all is a real consideration.

                              1 Reply Last reply Reply Quote 1
                              • scottalanmillerS
                                scottalanmiller
                                last edited by

                                In reality today, AD should be the exception, not the rule, at least in the SMB. A common exception, but still not the rule.

                                DashrenderD 1 Reply Last reply Reply Quote 1
                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                  In reality today, AD should be the exception, not the rule, at least in the SMB. A common exception, but still not the rule.

                                  OK - in a 15+ user shop.. how do you handle logins? manually make accounts at each location?

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                    @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                    In reality today, AD should be the exception, not the rule, at least in the SMB. A common exception, but still not the rule.

                                    OK - in a 15+ user shop.. how do you handle logins? manually make accounts at each location?

                                    Sure, same as I've seen 300+ person shops do. You need to make them all anyway. So no additional effort. And if you have any kind of central control, that can all be automated.

                                    In my environments, AD might add value, but it does so at the cost of an increase in effort. Few things are as trivially easy and simple as local logins.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                      @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                      In reality today, AD should be the exception, not the rule, at least in the SMB. A common exception, but still not the rule.

                                      OK - in a 15+ user shop.. how do you handle logins? manually make accounts at each location?

                                      Sure, same as I've seen 300+ person shops do. You need to make them all anyway. So no additional effort. And if you have any kind of central control, that can all be automated.

                                      In my environments, AD might add value, but it does so at the cost of an increase in effort. Few things are as trivially easy and simple as local logins.

                                      How do you manage 300 local logins? What if you need user portability?

                                      You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD. That's probably all you're really saying.. buy/use the correct solution for your needs.. which may or may not be the use/purchase of AD.

                                      scottalanmillerS 3 Replies Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        In reality today, AD should be the exception, not the rule, at least in the SMB. A common exception, but still not the rule.

                                        OK - in a 15+ user shop.. how do you handle logins? manually make accounts at each location?

                                        Sure, same as I've seen 300+ person shops do. You need to make them all anyway. So no additional effort. And if you have any kind of central control, that can all be automated.

                                        In my environments, AD might add value, but it does so at the cost of an increase in effort. Few things are as trivially easy and simple as local logins.

                                        How do you manage 300 local logins? What if you need user portability?

                                        How do you manage 300 remote logins? Same effort.

                                        User portability is a different matter and requires some ammount of effort, but very little. It's non-zero, though. Portability is, however, surprisingly rare in business. Not to say it is rare, just much more rare than people think. Even places where I'd totally expect it, like a doctor's office or clinic, I often find that they have no need for it.

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                          You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD.

                                          I think that that is mostly a myth. For a normal SMB, especially a relatively small one, AD saves no effort anywhere, but generates a ton of effort in needing to build and maintain servers, needing to maintain CALs, track CALs, take server backups, etc. All things that don't need to exist without AD, in some cases.

                                          DashrenderD S 2 Replies Last reply Reply Quote 1
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                            That's probably all you're really saying.. buy/use the correct solution for your needs.. which may or may not be the use/purchase of AD.

                                            Correct. but don't be surprised that AD makes way less sense than people expect. Most of the value that it brings is for its own purposes. AD for AD's sake.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 3 / 4
                                            • First post
                                              Last post