what windows server should I choose for Active directory?
-
@Alan 2012 r2 is the current standard here (and my preference), but it is up to you to decide how to move forward with your own implementation. If you're building an AD infrastructure, you really shouldn't have to ask this kind of question, especially if you've been hired as a SysAdmin. Honestly, asking this kind of question makes me wonder about your experience in IT.
-
@Grey This is my first IT job and started as a part-time help desk and part-time network tech . I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
but this is my first step on getting experience -
@Alan said in what windows server should I choose for Active directory?:
@Grey This is my first IT job and started as a part-time help desk and part-time network tech . I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
but this is my first step on getting experienceHave you setup an AD before?
-
I want to create an IT department and start organising all the mess! I already implement Spiceworks as our ticketing system. start organising all the documents and creating an admin login for each machine...etc
-
@Dashrender no I didn't, but I did create a lab for the purpose
-
@Alan said in what windows server should I choose for Active directory?:
I want to create an IT department and start organising all the mess! I already implement Spiceworks as our ticketing system. start organising all the documents and creating an admin login for each machine...etc
You don't need an individual admin login for each system when you have AD.
You'd get this from the computers being on the domain and setting up proper security groups and permission sets.
What do you plan to do when you join these computers to the domain, and everyones files are missing? - Because they are logged into a new user profile - not that the files actually are missing, but are no longer accessible.
-
@DustinB3403 I know that I'dnot need an admin account when I have AD but I did it because I don't have an AD yet. not sure what would be the best solution. but I can backup every machine and wipe it off just before adding it to the domain and then restore all the data!
@DustinB3403 said in what windows server should I choose for Active directory?:
@Alan said in what windows server should I choose for Active directory?:
I want to create an IT department and start organising all the mess! I already implement Spiceworks as our ticketing system. start organising all the documents and creating an admin login for each machine...etc
You don't need an individual admin login for each system when you have AD.
You'd get this from the computers being on the domain and setting up proper security groups and permission sets.
What do you plan to do when you join these computers to the domain, and everyones files are missing? - Because they are logged into a new user profile - not that the files actually are missing, but are no longer accessible.
-
You need to decide if you are going to approach this from a BOYD type setup or from a total lockdown setup.
In the case of BOYD, you protect your data/applications from the PC - i.e. the apps don't run locally, therefore there is no local data, and you really don't care about the endpoint.
For total lockdown, well, then you have to control the whole thing. You're at a good point right now to make this decision.. heck, you're just a half step off a greenfield setup considering what you've told us so far.
Don't lock yourself into old school thinking that Windows and AD are required. I visited DropBox corporate office last year... no AD running there, and they have thousands of computers.
-
Well my question was more how do you plan to migrate users over to their new AD profiles. What happens when a computer has a user, let's say Bob Dole.
Bob Dole logs into the computer as bdole.
So under
c:\users
there is a folder namedbdole
when you join this computer to the domain, the local user account bdole won't login by default any longer.Instead it might be
[email protected]
and this user profile gets a new folder underc:\users
. Which this new folder will bec:\users\[email protected]
and has no account items that the local user account had.No email, no my documents etc.
Backing up the entire computer or user data is a way to copy over files, but they would then have to be restored. Doing that for the 120 people will take an incredible effort to complete quickly.
@Alan said in what windows server should I choose for Active directory?:
@DustinB3403 I know that I'dnot need an admin account when I have AD but I did it because I don't have an AD yet. not sure what would be the best solution. but I can backup every machine and wipe it off just before adding it to the domain and then restore all the data!
-
File and settings wizard can solve the profile issue. Its on the install media of Windows 10, pretty sure it was there in WIn7 too.
-
@Dashrender said in what windows server should I choose for Active directory?:
File and settings wizard can solve the profile issue. Its on the install media of Windows 10, pretty sure it was there in WIn7 too.
It can pull over files, but not all of their customization's. I thought Windows 10 removed this as well... maybe just for certain levels of the OS.
-
I'm very late. But unless you have a very good, strong reason to not use the latest version, you always use the latest.
-
@Dashrender said in what windows server should I choose for Active directory?:
You need to decide if you are going to approach this from a BOYD type setup or from a total lockdown setup.
In the case of BOYD, you protect your data/applications from the PC - i.e. the apps don't run locally, therefore there is no local data, and you really don't care about the endpoint.
For total lockdown, well, then you have to control the whole thing. You're at a good point right now to make this decision.. heck, you're just a half step off a greenfield setup considering what you've told us so far.
Don't lock yourself into old school thinking that Windows and AD are required. I visited DropBox corporate office last year... no AD running there, and they have thousands of computers.
BOYD setup is what we have been using. the only issue with it is that we own all the devices. and we want a way to control and manage those devices. I'm not tied to AD Idea. what I want is some type of a system that will allow me to secure, manage and limit the access on some computers or from some users!
with the company getting biger a some sort of system should be in place! -
This is a handy tool for migrating profiles:
http://www.forensit.com/domain-migration.html -
@DustinB3403 said in what windows server should I choose for Active directory?:
@Dashrender said in what windows server should I choose for Active directory?:
File and settings wizard can solve the profile issue. Its on the install media of Windows 10, pretty sure it was there in WIn7 too.
It can pull over files, but not all of their customization's. I thought Windows 10 removed this as well... maybe just for certain levels of the OS.
I know someone who used this on Windows 10, they swore by it. files and settings. Of course setting might not be perfect for non Windows type things (i.e. third party apps), but it can be tweaked.
-
@Alan said in what windows server should I choose for Active directory?:
@Grey This is my first IT job and started as a part-time help desk and part-time network tech . I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
but this is my first step on getting experienceI wish you all the best as you start your career. I've a lot of experience in coming in after someone such as yourself, with limited experience, has set up an AD system and/or infrastructure, and I get paid as a contractor (at $150/hour) to clean up the mess. Typically, what I see is that someone had absolutely no clue how things actually work and set up login scripts instead of GPOs, only set up one domain controller, didn't set up any virtualization and had no plan for backups, if any were even implemented.
Since you're starting with a clean slate, I suggest you go with server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as a peer (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and tehy should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on them, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
When you start adding systems to the domain, people are going to lose files and settings. They'll be in the workstation, but under a different profile. You'll have to migrate them. Check out Easy Transfer; it's part of Win7. I've used it before for exactly this kind of migration and it should do what you need.
You'll want to set up a file and printer server at some point; be sure to spec out storage with backup (Unitrends is my go-to) that's at least 50% over current capacity, if not more.
Once you have your AD servers and your file/print, you can look at exchange, or O365 to start leveraging more features of AD.
-
@Alan said in what windows server should I choose for Active directory?:
@Dashrender said in what windows server should I choose for Active directory?:
You need to decide if you are going to approach this from a BOYD type setup or from a total lockdown setup.
In the case of BOYD, you protect your data/applications from the PC - i.e. the apps don't run locally, therefore there is no local data, and you really don't care about the endpoint.
For total lockdown, well, then you have to control the whole thing. You're at a good point right now to make this decision.. heck, you're just a half step off a greenfield setup considering what you've told us so far.
Don't lock yourself into old school thinking that Windows and AD are required. I visited DropBox corporate office last year... no AD running there, and they have thousands of computers.
BOYD setup is what we have been using. the only issue with it is that we own all the devices. and we want a way to control and manage those devices. I'm not tied to AD Idea. what I want is some type of a system that will allow me to secure, manage and limit the access on some computers or from some users!
with the company getting biger a some sort of system should be in place!Ask yourself, why do you want those things? What do you gain? As long as you protect the data, what more do you care about?
I know it's hard to let go of some concepts/feelings - I own it so I should control it. But really, why does ownership matter?
If you can save money by not worrying about that and only concerning yourself with server side apps and data, isn't that the better way to handle it?
Now maybe that's not an option, maybe you have to have locally installed apps, and VDI/Remote Desktop Services isn't viable for you, then going the other way, fully controlling the PCs might be a requirement.
-
@Grey said in what windows server should I choose for Active directory?:
@Alan said in what windows server should I choose for Active directory?:
@Grey This is my first IT job and started as a part-time help desk and part-time network tech . I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
but this is my first step on getting experienceI wish you all the best as you start your career. I've a lot of experience in coming in after someone such as yourself, with limited experience, has set up an AD system and/or infrastructure, and I get paid as a contractor (at $150/hour) to clean up the mess. Typically, what I see is that someone had absolutely no clue how things actually work and set up login scripts instead of GPOs, only set up one domain controller, didn't set up any virtualization and had no plan for backups, if any were even implemented.
Since you're starting with a clean slate, I suggest you go with server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as a peer (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and tehy should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on them, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
When you start adding systems to the domain, people are going to lose files and settings. They'll be in the workstation, but under a different profile. You'll have to migrate them. Check out Easy Transfer; it's part of Win7. I've used it before for exactly this kind of migration and it should do what you need.
You'll want to set up a file and printer server at some point; be sure to spec out storage with backup (Unitrends is my go-to) that's at least 50% over current capacity, if not more.
Once you have your AD servers and your file/print, you can look at exchange, or O365 to start leveraging more features of AD.
How are things going with regard to 2016? Does anyone here have much experience with it yet? I'm just curious, as I've not seen a lot from it yet.
-
@Grey said in what windows server should I choose for Active directory?:
Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design.
I couldn't disagree with this more. Perhaps the GreenGuy over on SW would be worth talking to, but in general the MS sales reps I've spoken to will contradict each other on the licensing requirements.
if you don't know what you need for licensing, you either a) need post in groups like this and get their opinion, or b) hire a consultant who you will accept their guidance on these matters.
Actually, every aspect of this project needs to go one of these two directions. Since you can't be the head of IT (lack of experience), you need to find experience who can be.
-
@art_of_shred said in what windows server should I choose for Active directory?:
@Grey said in what windows server should I choose for Active directory?:
@Alan said in what windows server should I choose for Active directory?:
@Grey This is my first IT job and started as a part-time help desk and part-time network tech . I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
but this is my first step on getting experienceI wish you all the best as you start your career. I've a lot of experience in coming in after someone such as yourself, with limited experience, has set up an AD system and/or infrastructure, and I get paid as a contractor (at $150/hour) to clean up the mess. Typically, what I see is that someone had absolutely no clue how things actually work and set up login scripts instead of GPOs, only set up one domain controller, didn't set up any virtualization and had no plan for backups, if any were even implemented.
Since you're starting with a clean slate, I suggest you go with server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as a peer (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and tehy should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on them, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
When you start adding systems to the domain, people are going to lose files and settings. They'll be in the workstation, but under a different profile. You'll have to migrate them. Check out Easy Transfer; it's part of Win7. I've used it before for exactly this kind of migration and it should do what you need.
You'll want to set up a file and printer server at some point; be sure to spec out storage with backup (Unitrends is my go-to) that's at least 50% over current capacity, if not more.
Once you have your AD servers and your file/print, you can look at exchange, or O365 to start leveraging more features of AD.
How are things going with regard to 2016? Does anyone here have much experience with it yet? I'm just curious, as I've not seen a lot from it yet.
I haven't seen anything myself yet - I really need to download and install it.