    SAMIT: Do You Need Two AD Domain Controllers?

    IT Discussion
    Tags: samit, scott alan miller, active directory, high availability, best practices, youtube, ad dc, domain controller
    72 Posts 14 Posters 11.1k Views
    • DashrenderD
      Dashrender @scottalanmiller

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      In reality today, AD should be the exception, not the rule, at least in the SMB. A common exception, but still not the rule.

      OK - in a 15+ user shop.. how do you handle logins? Manually make accounts at each location?

      Sure, same as I've seen 300+ person shops do. You need to make them all anyway. So no additional effort. And if you have any kind of central control, that can all be automated.

      In my environments, AD might add value, but it does so at the cost of an increase in effort. Few things are as trivially easy and simple as local logins.

      How do you manage 300 local logins? What if you need user portability?

      You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD. That's probably all you're really saying.. buy/use the correct solution for your needs.. which may or may not be the use/purchase of AD.

      • scottalanmillerS
        scottalanmiller @Dashrender

        @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

        @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

        In reality today, AD should be the exception, not the rule, at least in the SMB. A common exception, but still not the rule.

        OK - in a 15+ user shop.. how do you handle logins? Manually make accounts at each location?

        Sure, same as I've seen 300+ person shops do. You need to make them all anyway. So no additional effort. And if you have any kind of central control, that can all be automated.

        In my environments, AD might add value, but it does so at the cost of an increase in effort. Few things are as trivially easy and simple as local logins.

        How do you manage 300 local logins? What if you need user portability?

        How do you manage 300 remote logins? Same effort.

        User portability is a different matter and requires some amount of effort, but very little. It's non-zero, though. Portability is, however, surprisingly rare in business. Not to say it is rare, just much more rare than people think. Even places where I'd totally expect it, like a doctor's office or clinic, I often find that they have no need for it.

        • scottalanmillerS
          scottalanmiller @Dashrender

          @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

          You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD.

          I think that that is mostly a myth. For a normal SMB, especially a relatively small one, AD saves no effort anywhere, but generates a ton of effort in needing to build and maintain servers, needing to maintain CALs, track CALs, take server backups, etc. All things that don't need to exist without AD, in some cases.

          • scottalanmillerS
            scottalanmiller @Dashrender

            @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

            That's probably all you're really saying.. buy/use the correct solution for your needs.. which may or may not be the use/purchase of AD.

            Correct. But don't be surprised that AD makes way less sense than people expect. Most of the value that it brings is for its own purposes. AD for AD's sake.

            • DashrenderD
              Dashrender @scottalanmiller

              @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

              @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

              You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD.

              I think that that is mostly a myth. For a normal SMB, especially a relatively small one, AD saves no effort anywhere, but generates a ton of effort in needing to build and maintain servers, needing to maintain CALs, track CALs, take server backups, etc. All things that don't need to exist without AD, in some cases.

              I'm happy to use SAMBA in its place. The ability for users to log into any machine on the network without me having to set up a user for them is nice.

              • scottalanmillerS
                scottalanmiller @Dashrender

                @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD.

                I think that that is mostly a myth. For a normal SMB, especially a relatively small one, AD saves no effort anywhere, but generates a ton of effort in needing to build and maintain servers, needing to maintain CALs, track CALs, take server backups, etc. All things that don't need to exist without AD, in some cases.

                I'm happy to use SAMBA in its place. The ability for users to log into any machine on the network without me having to set up a user for them is nice.

                SAMBA is not in place of AD, Samba is AD.

                • scottalanmillerS
                  scottalanmiller @Dashrender

                  @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                  The ability for users to log into any machine on the network without me having to set up a user for them is nice.

                  You mean another user for that. But we get this without AD (from any source) so the two are not connected. I only need make a user once, but they are available on every machine. Just a trivial script does that.

                  • S
                    StorageNinja Vendor @scottalanmiller

                    @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                    @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

                    You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD.

                    I think that that is mostly a myth. For a normal SMB, especially a relatively small one, AD saves no effort anywhere, but generates a ton of effort in needing to build and maintain servers, needing to maintain CALs, track CALs, take server backups, etc. All things that don't need to exist without AD, in some cases.

                    AD takes no effort to set up or deploy. GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

                    CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

                    I worked for an MSP and the amount of "maintenance" we did on AD was really non-existent. If you want to be fancy, you have your RMM script a backup once a day doing a LDIFDE -f backupad.ldif but beyond that, there's just not a lot to it. Any RMM worth its salt (get it, a SALT joke) can manage 100 domain controllers with RMM tools without any real overhead, etc.

                    I agree that AD isn't providing as much value these days for small shops as it used to, but the overheads are smaller than ever.

                    • scottalanmillerS
                      scottalanmiller @StorageNinja

                      @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                      AD takes no effort to set up or deploy.

                      It takes a lot of effort. You have to finance it, purchase it, figure out CALs, buy CALs, get a server, install it, configure it.

                      You live in a world of unlimited budgets and unlimited dedicated staff for tasks. You see purchasing as something handled by the purchasing department, as budgeting done by the CFO, as $700 being something you don't mention.

                      In the SMB, those things are huge. $700 isn't even remotely trivial, and setting up AD, in fact just buying AD, is generally double the effort of the alternative.

                      • scottalanmillerS
                        scottalanmiller @StorageNinja

                        @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                        GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

                        GPO is unnecessarily complicated and unreliable. It's pushed as a miracle product, but takes huge amounts of effort to learn and maintain and rarely works flawlessly. And AD isn't what provides GPO, that's one of the common myths that cause people to buy AD without actually looking into their needs. GPO doesn't come with AD, you already have it.

                        • S
                          StorageNinja Vendor @scottalanmiller

                          @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                          @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                          GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

                          GPO is unnecessarily complicated and unreliable. It's pushed as a miracle product, but takes huge amounts of effort to learn and maintain and rarely works flawlessly. And AD isn't what provides GPO, that's one of the common myths that cause people to buy AD without actually looking into their needs. GPO doesn't come with AD, you already have it.

                          It does, but AD and OU structures are the way most people use to deploy it (as well as the central policy store for deploying 3rd party). You could push it out with SALT etc, but in an SMB internal staff will not know how to use something like that.

                          You could have your RMM or MDM manage push outs though (and I am seeing stuff like AirWatch positioned as a replacement). The big gap is MAM as a lot of apps had GPOs and need to have APIs for management to make the transition smooth.

                          • scottalanmillerS
                            scottalanmiller @StorageNinja

                            @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                            CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

                            CALs are either cheap or they are $50 per user, but they aren't both. For an SMB, $50 per user for no reason is expensive. What do they get from that $50?

                            And that's hardly the full cost... let's look at a ten person business:

                            • Server: $1,000
                            • Windows License: $700
                            • CALs: $500
                            • Windows Pro Upgrades: $1,500
                            • Admin Time to Set Up: 2-5 days

                            That's $3,700, or $370 per user, just to set up, plus around half a day of effort per user to get set up. In many SMBs, it could take a week of effort just to get that kind of spending approved!

                            • scottalanmillerS
                              scottalanmiller @StorageNinja

                              @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                              @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                              @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                              GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

                              GPO is unnecessarily complicated and unreliable. It's pushed as a miracle product, but takes huge amounts of effort to learn and maintain and rarely works flawlessly. And AD isn't what provides GPO, that's one of the common myths that cause people to buy AD without actually looking into their needs. GPO doesn't come with AD, you already have it.

                              It does, but AD and OU structures are the way most people use to deploy it (as well as the central policy store for deploying 3rd party). You could push it out with SALT etc, but in an SMB internal staff will not know how to use something like that.

                              Right, that's the point. Most people do because other people tell them that it is all one thing. AD, like many things in IT, is primarily deployed in the SMB by mistake because people think that they are deploying something else.

                              • jmooreJ
                                jmoore @StorageNinja

                                @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                Any RMM worth its salt (get it, a SALT joke)

                                Hilarious!

                                • scottalanmillerS
                                  scottalanmiller @StorageNinja

                                  @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                  I agree that AD isn't providing as much value these days for small shops as it used to, but the overheads are smaller than ever.

                                  I'd say the opposite. As the cost of everything else comes down, and the raw cost of AD is climbing (ever so slightly, just a few percent), both its raw cost and its relative costs are getting worse.

                                  What's more, I get the impression that the knowledge and skill necessary to support it are waning. Look at SW, the average person would have been able to deploy AD eight years ago. Today, no way, not the average. It's way too much for the average SMB admin to know how to deploy with any reliability.

                                  • scottalanmillerS
                                    scottalanmiller @StorageNinja

                                    @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                    You could push it out with SALT etc, but in an SMB internal staff will not know how to use something like that.

                                    Yeah, but you can outsource that stuff to qualified people for a fraction of the cost of AD.

                                    • S
                                      StorageNinja Vendor @scottalanmiller

                                      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                      @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                      CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

                                      CALs are either cheap or they are $50 per user, but they aren't both. For an SMB, $50 per user for no reason is expensive. What do they get from that $50?

                                      And that's hardly the full cost... let's look at a ten person business:

                                      • Server: $1,000
                                      • Windows License: $700
                                      • CALs: $500
                                      • Windows Pro Upgrades: $1,500
                                      • Admin Time to Set Up: 2-5 days

                                      That's $3,700, or $370 per user, just to set up, plus around half a day of effort per user to get set up. In many SMBs, it could take a week of effort just to get that kind of spending approved!

                                      1/2 a day of effort per user? Explain....

                                      • S
                                        StorageNinja Vendor @scottalanmiller

                                        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        . let's look at a ten person business:

                                        Server: $1,000
                                        Windows License: $700
                                        CALs: $500
                                        Windows Pro Upgrades: $1,500
                                        Admin Time to Set Up: 2-5 days

                                        With 10 users you could use Essentials or Foundation edition. I can buy a Dell T130 with that ~$700.

                                        • S
                                          StorageNinja Vendor @scottalanmiller

                                          @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                          Yeah, but you can outsource that stuff to qualified people for a fraction of the cost of AD.

                                          Qualified people cost money 🙂

                                          You ever see a rate sheet for Continuum's outsourced India desk?
                                          Good luck finding SALT talent that's cheap (even in Bangalore).

                                          • S
                                            StorageNinja Vendor @scottalanmiller

                                            @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                            Central authentication, while it does have value, in the SMB seems to be primarily deployed out of confusion, rather than out of solving a problem

                                            The general issue I've seen is a lot of (IdM) systems have weird quirks when working with things other than AD. Yes, on paper LDAP will work, but quite a few I suspect didn't get a lot of QE testing...

                                            I do think (IdM) systems and SSO brokers are breaking the final biggest tie of AD (Authentication). Setting up federated services was always a pain in the ass and turnkey SAML integrations for common web apps are a lot nicer to manage.
