Moving Forward: Converting a mess to the right solution
-
@scottalanmiller said:
The bulk of SMBs should only have one. DCs, of all things, rarely have noticeable downtime. NTG can go a week with the DC down and no one would realize it. The cost of downtime for many SMBs is literally zero. Even a day or two or ten. Some companies tie other things to AD that don't cache, like logins, and downtime can impact them. But a typical SMB can definitely take a few hours of AD downtime with possibly zero impact.
This is interesting. I need to know more! How do services that rely on AD authentication work when AD isn't available? I'm thinking specifically of File & Print, Exchange and Sharepoint? Do they all use cached credentials, and if so, how does that work?
DNS server runs on a DC. So if your only DC is down, how are DNS requests handled?
What happens when the lease on an IP address expires and DHCP is down? Will it continue to use the same IP address?
-
NTG now has much if not all of their stuff in Office 365. This has decoupled their need for AD for the most part.
Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain. Print services will all come locally (again, they are at home). File permissions are handled by O365.
I've been wondering what a good solution for a company is that is smaller, say less than 20 - at what point do you implement AD these days? Considering the host of new solutions (namely Office 365 and intune or some other PC management software) I think that number has grown.
-
Depends on the structure of the organisation and the type of roles people do as much as headcount, I'd have thought. There's no magic number.
But for a typical SMB, without O365, do you need at least two DCs, and if not, what happens when one goes down?
-
@Carnival-Boy said:
Depends on the structure of the organisation and the type of roles people do as much as headcount, I'd have thought. There's no magic number.
But for a typical SMB, without O365, do you need at least two DCs, and if not, what happens when one goes down?
Everyone works on cached credentials until the server comes back up. Besides, their shared files and such are not available anyway. Most times, email was not either because it was an SBS server.
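An added example, not from the thread, of what "working on cached credentials" actually depends on. It is a read-only PowerShell check for a domain-joined Windows workstation: it locates DCs the way the client does (the `_ldap._tcp.dc._msdcs` SRV record), tests whether any of them answer on the LDAP and Kerberos ports, and reads the `CachedLogonsCount` Winlogon value that decides how many users can still log on interactively while no DC is reachable. Assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (the `DnsClient` and `NetTCPIP` modules); the domain name defaults to the machine's own. Note that if the single DC also hosts DNS and the client points only at it, the SRV lookup itself fails, which the report shows as zero DCs found.

```powershell
# Added example (not from the thread): report what a workstation needs from a DC
# and what it can fall back on when none is reachable.
# Assumes: PowerShell 5.1+, Windows 8 / Server 2012+, domain-joined machine.

function Get-DcDependencyReport {
    param(
        # Domain to check; defaults to this machine's domain (empty if not joined).
        [string]$Domain = $env:USERDNSDOMAIN
    )
    if (-not $Domain) { throw 'Not domain-joined: USERDNSDOMAIN is empty.' }

    # 1. Which DNS servers the client uses. If this list is only the DC, DNS
    #    resolution goes down with it and the SRV lookup below fails too.
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
                  Where-Object { $_.ServerAddresses } |
                  ForEach-Object { $_.ServerAddresses }

    # 2. DC locator: the same SRV record the Netlogon service queries.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }

    # 3. For each advertised DC, test LDAP (389) and Kerberos (88) reachability.
    $dcs = foreach ($rec in $srv) {
        $ldap = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 `
                    -WarningAction SilentlyContinue
        $krb  = Test-NetConnection -ComputerName $rec.NameTarget -Port 88 `
                    -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC       = $rec.NameTarget
            Priority = $rec.Priority
            LdapUp   = $ldap.TcpTestSucceeded
            KerbUp   = $krb.TcpTestSucceeded
        }
    }

    # 4. Interactive logon fallback: number of cached domain logons kept locally.
    #    Default is 10; 0 means no cached logons, so no DC means no logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                     -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # value absent: Windows default applies

    [pscustomobject]@{
        Domain            = $Domain
        DnsServers        = $dnsServers
        DcsAdvertised     = @($dcs).Count
        DcsReachable      = @($dcs | Where-Object { $_.LdapUp -and $_.KerbUp }).Count
        CachedLogonsCount = [int]$cached
        DcDetail          = $dcs
    }
}

# Usage: run on the workstation and read the summary.
Get-DcDependencyReport | Format-List Domain, DnsServers, DcsAdvertised, DcsReachable, CachedLogonsCount
```

What the report separates is the three things that fail independently: name resolution (step 1), authentication for new network sessions such as a first connection to a file server (steps 2 and 3), and interactive logon to the workstation itself (step 4), which is the only one that cached credentials cover.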
-
I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC.
-
@Carnival-Boy said:
I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC.
That setup is not what I have seen in a typical SMB. Maybe more towards the M side where I have not done a lot of work.
-
@Carnival-Boy said:
Depends on the structure of the organisation and the type of roles people do as much as headcount, I'd have thought. There's no magic number.
But for a typical SMB, without O365, do you need at least two DCs, and if not, what happens when one goes down?
Definitely no magic number. It is all about workload. A company of 1,000 pure AD login users doesn't care about DC downtime for days. But an LOB app tied to AD might care very quickly.
-
@Dashrender said:
NTG now has much if not all of their stuff in Office 365.
Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain.
But we remain 100% AD. We extend AD to all homes. Always have.
-
@Carnival-Boy said:
I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC.
Same here, I've never seen or used SBS. I'm beginning to think that what I call "small" most people here must consider medium to large....
If the DC goes down they lose access to some things.
-
@Carnival-Boy said:
@thecreativeone91 said:
Sure, a second DC is great, but it only provides an active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet), so there will still be downtime.
Isn't it? DNS is replicated across servers, right? And you can have two DHCP servers giving out a different range of IP address but all on the same subnet, can't you? Why down time?
I've never seen anyone do that. You'd have two ranges at all times like that. Most of the time I see just DHCP turned off with scopes set up ready to go, but that will still cause downtime.
-
@scottalanmiller said:
@Dashrender said:
NTG now has much if not all of their stuff in Office 365.
Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain.
But we remain 100% AD. We extend AD to all homes. Always have.
Why?
-
@thecreativeone91 said:
@Carnival-Boy said:
I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC.
Same here, I've never seen or used SBS. I'm beginning to think that what I call "small" most people here must consider medium to large....
If the DC goes down they lose access to some things.
Yes, you suffer from "IBM Syndrome." Seeing the world as enterprise only and SMB as rather large and forgetting 80% of the business market. What you consider small is larger than the median size of US companies.
-
@thecreativeone91 said:
@Carnival-Boy said:
@thecreativeone91 said:
Sure, a second DC is great, but it only provides an active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet), so there will still be downtime.
Isn't it? DNS is replicated across servers, right? And you can have two DHCP servers giving out a different range of IP address but all on the same subnet, can't you? Why down time?
I've never seen anyone do that. You'd have two ranges at all times like that. Most of the time I see just DHCP turned off with scopes set up ready to go, but that will still cause downtime.
No, DNS and DHCP in Windows are full enterprise services and are designed for failover. There is not a conflict.
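An added example, not from the thread, showing the two configurations the exchange above is about: Windows DHCP failover (one scope shared by two servers, lease state synchronised) and the older split-scope approach (the same scope on both servers, each excluding the other's portion, which is the "two ranges on the same subnet" that Carnival-Boy describes). Server names, the 10.0.0.0/24 scope and the shared secret are placeholders. It assumes the `DhcpServer` and `DnsServer` RSAT modules, Windows Server 2012 or later for failover, and an account that administers both DHCP servers. On the DHCP side the practical difference is what happens at renewal: with failover the surviving partner renews the client's existing lease, with split scope the client keeps its address until the lease expires and then gets a fresh one from the surviving server's pool. On the DNS side, AD-integrated zones replicate with AD, so a second DC running DNS already has the zone; the last function just verifies that.

```powershell
# Added example (not from the thread): keep DHCP and DNS answering on one subnet
# when one of two Windows servers is down. All names and ranges are placeholders.
# Assumes: DhcpServer + DnsServer modules, Server 2012+ for DHCP failover.

$Scope   = '10.0.0.0'
$Primary = 'dc1.corp.example'   # placeholder
$Partner = 'dc2.corp.example'   # placeholder

# Option A: DHCP failover in load-balance mode. Both servers serve the whole
# scope and replicate leases, so a client renewing while one server is down is
# answered by the other. MaxClientLeadTime bounds how far a surviving server may
# extend a lease its partner issued before the partner is heard from again.
function Enable-ScopeFailover {
    Add-DhcpServerv4Failover -ComputerName $Primary -Name "$Scope-lb" `
        -PartnerServer $Partner -ScopeId $Scope `
        -LoadBalancePercent 50 `
        -MaxClientLeadTime (New-TimeSpan -Hours 1) `
        -AutoStateTransition $true `
        -StateSwitchInterval (New-TimeSpan -Minutes 10) `
        -SharedSecret 'REPLACE-WITH-A-RANDOM-SECRET'   # placeholder
    # Show the relationship and its state (Normal / CommunicationInterrupted / PartnerDown).
    Get-DhcpServerv4Failover -ComputerName $Primary -Name "$Scope-lb"
}

# Option B: split scope (80/20). No lease replication: each server owns part of
# the pool via exclusions, and a client whose lease came from the failed server
# keeps that address until expiry, then takes a new one from the survivor.
function Enable-SplitScope {
    $plan = @(
        @{ Server = $Primary; Excl = @('10.0.0.200', '10.0.0.254') }, # dc1 hands out .10-.199
        @{ Server = $Partner; Excl = @('10.0.0.10',  '10.0.0.199') }  # dc2 hands out .200-.254
    )
    foreach ($p in $plan) {
        # Same scope definition on both servers (ignored if it already exists).
        Add-DhcpServerv4Scope -ComputerName $p.Server -Name 'LAN' `
            -StartRange 10.0.0.10 -EndRange 10.0.0.254 -SubnetMask 255.255.255.0 `
            -ErrorAction SilentlyContinue
        # Exclude the partner's portion so the two pools never overlap.
        Add-DhcpServerv4ExclusionRange -ComputerName $p.Server -ScopeId $Scope `
            -StartRange $p.Excl[0] -EndRange $p.Excl[1]
    }
    # Confirm the two exclusions are complementary.
    foreach ($p in $plan) {
        Get-DhcpServerv4ExclusionRange -ComputerName $p.Server -ScopeId $Scope |
            Select-Object @{n='Server';e={$p.Server}}, StartRange, EndRange
    }
}

# DNS side: AD-integrated zones are stored in AD and replicate to every DC that
# runs DNS; nothing extra to configure, but verify the zone is actually
# DS-integrated rather than a file-backed primary that lives on one server only.
function Test-DnsZoneReplication {
    foreach ($srv in $Primary, $Partner) {
        Get-DnsServerZone -ComputerName $srv |
            Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
            Select-Object @{n='Server';e={$srv}}, ZoneName, IsDsIntegrated, ReplicationScope
    }
}

# Usage: pick one DHCP option, then verify DNS.
Enable-ScopeFailover
Test-DnsZoneReplication
```

One caveat for either option: clients must list both servers' addresses as DNS servers, or DNS replication buys nothing when the server they point at is the one that is down.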
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
NTG now has much if not all of their stuff in Office 365.
Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain.
But we remain 100% AD. We extend AD to all homes. Always have.
Why?
It's a business environment. Why do you have AD anywhere? Same reasons. How else do you manage access, password resets, etc.? How else do you easily manage AV, push updates, use GPOs, provide access for techs to support, etc.?
Most IT people I see feel that AD is a foregone conclusion even for just ten users or so. I'm surprised anyone would be surprised that we see value in AD.
-
I'm not surprised to see the value in AD, just the value in such a spread out (I'm assuming most people work out of their homes, not a central office or branch).
If you've decentralized everything through Office 365, is it still worth maintaining AD?
Are you using Direct Access? or do you put GPOs over VPN?
The NTG network setup would be an awesome thing to see.
-
@Dashrender said:
I'm not surprised to see the value in AD, just the value in such a spread out (I'm assuming most people work out of their homes, not a central office or branch).
If you've decentralized everything through Office 365, is it still worth maintaining AD?
Are you using Direct Access? or do you put GPOs over VPN?
The NTG network setup would be an awesome thing to see.
DirectAccess is still a VPN, just an IPv6-only IPSec VPN. We use a Pertino SDN / VPN solution and have both IPv4 and IPv6 that way. We use Office 365 for some things but still have AD as O365 does not address managed desktops and laptops. Pertino is surprisingly similar to DirectAccess but without needing Windows Servers as aggregators and with the ability to talk directly between nodes and the ability to run on Mac and Linux, which we do heavily. Most of our servers are Linux and we have some Mac users (Danielle and Katie, for example.)
Do you really need AD? It really depends on your goals. If you want that slick, fully managed, corporate desktop experience yes, there is little alternative. But can you get away without it? Sure. It's not uncommon for a small business to not need it. But without AD desktop management is a nightmare.
-
Being that everyone is at home using their home computer (or do you build and send them all one, so now they have to have two at home?) I'm wondering what the advantage is for a tech company to maintain that type of tight control vs using something like VDI? If you even need that level of control?
Do the users have local admin rights (perhaps with a second account that they always have the password to?)?
-
@Dashrender said:
Being that everyone is at home using their home computer (or do you build and send them all one, so now they have to have two at home?) I'm wondering what the advantage is for a tech company to maintain that type of tight control vs using something like VDI? If you even need that level of control?
VDI is crazy expensive. And very hard to deliver well over the WAN. It is an incredibly rare business in the SMB that can make VDI financially viable. The licensing cost is just completely out of this world.
No one uses a home computer. It's company gear. Company desktops, company laptops, company tablets, company phones (lots of people opt out of that for their own mobile devices.)
-
@Dashrender said:
Do the users have local admin rights (perhaps with a second account that they always have the password to?)?
Most do as most are IT people who have the rights to support the internal desktop environment. But it is separate accounts, never, ever their main accounts, and it is all controlled via AD. As we grow the number of people with that access will decrease as there are more and more non-desktop support people.
-
Without AD it is also a pain to deal with working on shared equipment. Since we have AD, all desktops and laptops are interchangeable. I can go to Danielle's office and sit at the computers and work with my own accounts and security, just like she can when she is here. I can't imagine wanting to run a company even of our size without AD. What a mess that would be trying to maintain everything.