what windows server should I choose for Active directory?
-
@Alan said in what windows server should I choose for Active directory?:
@Dashrender said in what windows server should I choose for Active directory?:
You need to decide if you are going to approach this from a BYOD type setup or from a total lockdown setup.
In the case of BYOD, you protect your data/applications from the PC - i.e. the apps don't run locally, therefore there is no local data, and you really don't care about the endpoint.
For total lockdown, well, then you have to control the whole thing. You're at a good point right now to make this decision. Heck, you're just a half step off a greenfield setup considering what you've told us so far.
Don't lock yourself into old school thinking that Windows and AD are required. I visited DropBox corporate office last year... no AD running there, and they have thousands of computers.
BYOD setup is what we have been using. The only issue with it is that we own all the devices, and we want a way to control and manage those devices. I'm not tied to the AD idea. What I want is some type of system that will allow me to secure, manage and limit the access on some computers or from some users!
With the company getting bigger, some sort of system should be in place!
Ask yourself, why do you want those things? What do you gain? As long as you protect the data, what more do you care about?
I know it's hard to let go of some concepts/feelings - I own it so I should control it. But really, why does ownership matter?
If you can save money by not worrying about that and only concerning yourself with server side apps and data, isn't that the better way to handle it?
Now maybe that's not an option, maybe you have to have locally installed apps, and VDI/Remote Desktop Services isn't viable for you, then going the other way, fully controlling the PCs might be a requirement.
-
@Grey said in what windows server should I choose for Active directory?:
@Alan said in what windows server should I choose for Active directory?:
@Grey This is my first IT job and I started as a part-time help desk and part-time network tech. I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
But this is my first step on getting experience.
I wish you all the best as you start your career. I've a lot of experience in coming in after someone such as yourself, with limited experience, has set up an AD system and/or infrastructure, and I get paid as a contractor (at $150/hour) to clean up the mess. Typically, what I see is that someone had absolutely no clue how things actually work and set up login scripts instead of GPOs, only set up one domain controller, didn't set up any virtualization and had no plan for backups, if any were even implemented.
Since you're starting with a clean slate, I suggest you go with Server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as peers (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and they should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on it, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
When you start adding systems to the domain, people are going to lose files and settings. They'll be in the workstation, but under a different profile. You'll have to migrate them. Check out Easy Transfer; it's part of Win7. I've used it before for exactly this kind of migration and it should do what you need.
You'll want to set up a file and printer server at some point; be sure to spec out storage with backup (Unitrends is my go-to) that's at least 50% over current capacity, if not more.
Once you have your AD servers and your file/print, you can look at Exchange, or O365 to start leveraging more features of AD.
How are things going with regard to 2016? Does anyone here have much experience with it yet? I'm just curious, as I've not seen a lot from it yet.
-
@Grey said in what windows server should I choose for Active directory?:
Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design.
I couldn't disagree with this more. Perhaps the GreenGuy over on SW would be worth talking to, but in general the MS sales reps I've spoken to will contradict each other on the licensing requirements.
If you don't know what you need for licensing, you either a) need to post in groups like this and get their opinion, or b) hire a consultant whose guidance you will accept on these matters.
Actually, every aspect of this project needs to go one of these two directions. Since you can't be the head of IT (lack of experience), you need to find someone with experience who can be.
-
@art_of_shred said in what windows server should I choose for Active directory?:
@Grey said in what windows server should I choose for Active directory?:
@Alan said in what windows server should I choose for Active directory?:
@Grey This is my first IT job and I started as a part-time help desk and part-time network tech. I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
But this is my first step on getting experience.
I wish you all the best as you start your career. I've a lot of experience in coming in after someone such as yourself, with limited experience, has set up an AD system and/or infrastructure, and I get paid as a contractor (at $150/hour) to clean up the mess. Typically, what I see is that someone had absolutely no clue how things actually work and set up login scripts instead of GPOs, only set up one domain controller, didn't set up any virtualization and had no plan for backups, if any were even implemented.
Since you're starting with a clean slate, I suggest you go with Server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as peers (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and they should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on it, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
When you start adding systems to the domain, people are going to lose files and settings. They'll be in the workstation, but under a different profile. You'll have to migrate them. Check out Easy Transfer; it's part of Win7. I've used it before for exactly this kind of migration and it should do what you need.
You'll want to set up a file and printer server at some point; be sure to spec out storage with backup (Unitrends is my go-to) that's at least 50% over current capacity, if not more.
Once you have your AD servers and your file/print, you can look at Exchange, or O365 to start leveraging more features of AD.
How are things going with regard to 2016? Does anyone here have much experience with it yet? I'm just curious, as I've not seen a lot from it yet.
I haven't seen anything myself yet - I really need to download and install it.
-
@art_of_shred said in what windows server should I choose for Active directory?:
@Grey said in what windows server should I choose for Active directory?:
@Alan said in what windows server should I choose for Active directory?:
@Grey This is my first IT job and I started as a part-time help desk and part-time network tech. I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
But this is my first step on getting experience.
I wish you all the best as you start your career. I've a lot of experience in coming in after someone such as yourself, with limited experience, has set up an AD system and/or infrastructure, and I get paid as a contractor (at $150/hour) to clean up the mess. Typically, what I see is that someone had absolutely no clue how things actually work and set up login scripts instead of GPOs, only set up one domain controller, didn't set up any virtualization and had no plan for backups, if any were even implemented.
Since you're starting with a clean slate, I suggest you go with Server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as peers (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and they should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on it, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
When you start adding systems to the domain, people are going to lose files and settings. They'll be in the workstation, but under a different profile. You'll have to migrate them. Check out Easy Transfer; it's part of Win7. I've used it before for exactly this kind of migration and it should do what you need.
You'll want to set up a file and printer server at some point; be sure to spec out storage with backup (Unitrends is my go-to) that's at least 50% over current capacity, if not more.
Once you have your AD servers and your file/print, you can look at Exchange, or O365 to start leveraging more features of AD.
How are things going with regard to 2016? Does anyone here have much experience with it yet? I'm just curious, as I've not seen a lot from it yet.
I've been using and implementing Windows Server 2016 and many of its different services in Enterprise (production) environments. It's very firm and stable, no reason not to use it. I also became familiar with it during all of the technical previews, so that helped with the academic parts of it.
-
@Dashrender said in what windows server should I choose for Active directory?:
@Grey said in what windows server should I choose for Active directory?:
Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design.
I couldn't disagree with this more. Perhaps the GreenGuy over on SW would be worth talking to, but in general the MS sales reps I've spoken to will contradict each other on the licensing requirements.
If you don't know what you need for licensing, you either a) need to post in groups like this and get their opinion, or b) hire a consultant whose guidance you will accept on these matters.
Actually, every aspect of this project needs to go one of these two directions. Since you can't be the head of IT (lack of experience), you need to find someone with experience who can be.
The OP has no licensing experience and, as much as I love Chris @ Microsoft, I doubt that it's an easy discussion to have with him. I imagine it would be something like, "I know nothing about licensing Microsoft products. Tell me everything." This is a much easier discussion with a CDW rep where you can say, "I want to get Hyper-V set up and start my AD. Please put together a quote."
-
Talking to the sales rep like this is hugely frowned upon by most at ML. Sales people are directly at odds with your job as the IT manager. If you don't have the experience to be the IT manager, then you need to hire this job out. Going to CDW in this case will often leave you with a one-server VM host with a SAN and a bunch of SPOFs. Why? Because selling that to you is in CDW's best interest - they make the most money.
And sure, while it's not free to hire someone to consult on what the company needs, it will almost certainly cost them less than what CDW or any reseller will try to sell them that they don't need.
-
One of the things we don't know is - what capacity was this person hired in?
Does management think this hire was/is an IT manager who is well versed in these things and therefore won't allow the hiring of consultants to assist, or
Do they know that he's a brand new IT person who will rely heavily for years (in reality forever - because we all do in one way or another forever rely on others) to make the right decisions while learning these lessons, and therefore allow him to hire help as needed?
-
@Dashrender I completely agree. In most circumstances, you and I would go a different route. For someone that needs licensing as a Jr. level, the path I suggested can be more expedient. Obviously, it depends on the CDW rep you get. My experience with CDW has been fairly good, the opposite of what you describe in fact. Once an understanding is reached on the endgame goal for licensing, every CDW licensing rep has been very good, in fact.
-
@Grey said in what windows server should I choose for Active directory?:
Since you're starting with a clean slate, I suggest you go with Server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as peers (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and they should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on it, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
You make this blanket recommendation of a dual physical server setup without knowing the environment at all. If there is no need for a second physical server, this is a pretty huge expense that probably isn't needed, for something that doesn't fail that often - and even if it does, can often be easy to get around while repairs are made.
Is it the best, of course it is, but is it necessary? Often it's not.
Just like the idea of an AD in general. Does he need it? He already had 100+ devices deployed and has no AD; it might be better to go another direction altogether.
These are things your CDW sales rep won't consider for you - instead they will simply ask you how many servers you have - OK, you need that many server CALs; how many end points? OK, that many CALs, etc. But one thing they won't offer is that you don't use AD at all; instead use Atera to manage the PCs, and don't worry about local logons. (Now that doesn't mean that during deployment you still couldn't set up a local admin account that you know the username/password to and set up the user as a non local admin.)
-
@Dashrender said in what windows server should I choose for Active directory?:
@Grey said in what windows server should I choose for Active directory?:
Since you're starting with a clean slate, I suggest you go with Server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as peers (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and they should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on it, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.
You make this blanket recommendation of a dual physical server setup without knowing the environment at all. If there is no need for a second physical server, this is a pretty huge expense that probably isn't needed, for something that doesn't fail that often - and even if it does, can often be easy to get around while repairs are made.
Is it the best, of course it is, but is it necessary? Often it's not.
Just like the idea of an AD in general. Does he need it? He already had 100+ devices deployed and has no AD; it might be better to go another direction altogether.
These are things your CDW sales rep won't consider for you - instead they will simply ask you how many servers you have - OK, you need that many server CALs; how many end points? OK, that many CALs, etc. But one thing they won't offer is that you don't use AD at all; instead use Atera to manage the PCs, and don't worry about local logons. (Now that doesn't mean that during deployment you still couldn't set up a local admin account that you know the username/password to and set up the user as a non local admin.)
¯\_(ツ)_/¯
We have different design philosophies and implementations. My goal is reliability. Yours is ... well, something else.
http://i.imgur.com/YrO0tQg.jpg
-
@Grey said in what windows server should I choose for Active directory?:
@Dashrender I completely agree. In most circumstances, you and I would go a different route. For someone that needs licensing as a Jr. level, the path I suggested can be more expedient. Obviously, it depends on the CDW rep you get. My experience with CDW has been fairly good, the opposite of what you describe in fact. Once an understanding is reached on the endgame goal for licensing, every CDW licensing rep has been very good, in fact.
CDW has tried to sell me more SANs than I care to remember - I've never asked them for recommendations on licensing, I've only told them what I want - so I can't talk about those guys.
But it's critical to remember, CDW is never on your side. They can't be - their job is sales, to sell you as much as possible; your job as IT manager is to buy what your company needs and nothing more. To see through the sales pitch/hype and decide what they will use.
I fully admit that the hype has caught me, but reading these threads and continuing experience has me understanding these things better and helping me make better decisions.
-
@Grey said in what windows server should I choose for Active directory?:
We have different design philosophies and implementations. My goal is reliability. Yours is ... well, something else.
Reliability for the sake of reliability is harmful to the business.
If it costs $5000 to save $1000, is that worthwhile? Not in business it isn't.
Let's assume my business uses AD, file and print and one server based application. Let's also assume all of this can easily run on a single VM host (Hyper-V, VM1 - AD, VM2 - F/P, VM3 - app).
Let's assume we go with a Unitrends backup appliance, where we can run the VMs in the case of the main server being down.
Do you really need another VM host, along with the licensing needed for it?
Talking about licensing, if you do spin those VMs up on the Unitrends box, you have to leave those VMs running there for 90 days before you can move them back to the VM host, or you'll need to license the Unitrends box itself.
-
Okay, maybe AD is not the way to go, based on some comments here and some other groups as well. What is the alternative way to manage around 100-150 devices without Active Directory?
Really, what we are looking for is being able to access those computers when needed and being able to restrict some users from changing things or opening some websites or apps. For example, one of the managers was asking me if we can have the same background on all the devices and restrict users from changing it.
In short, what is or are the alternative solutions to manage and administrate that number of users and devices without AD?
-
There are alternatives, but none are as mature and in the same range of ease of set up. I don't know that much is to be gained by branching out to another solution in the long run. I would recommend taking to heart many of the comments in this thread about virtualizing and careful planning/following Best Practices.
Migrating to this is going to be painful. It is going to take a long time to migrate user profiles over. If there is a means to doing it given their infrastructure, I would see if you can do it in phases, perhaps a team at a time.
-
@Alan said in what windows server should I choose for Active directory?:
Okay, maybe AD is not the way to go, based on some comments here and some other groups as well. What is the alternative way to manage around 100-150 devices without Active Directory?
Really, what we are looking for is being able to access those computers when needed and being able to restrict some users from changing things or opening some websites or apps. For example, one of the managers was asking me if we can have the same background on all the devices and restrict users from changing it.
In short, what is or are the alternative solutions to manage and administrate that number of users and devices without AD?
This is a typical question we hear a lot. The very hard to give answer is - why? Why do we want to give that wallpaper? What purpose does it serve to the company's mission statement?
As for logging into the machine remotely, that makes sense, so an account that IT is aware of to use is good for this, but does have drawbacks, i.e. if breached, then anyone with that info has admin rights on the machine.
As for websites, there are a few options - but again, this is really not an IT problem, this is an HR problem. HR should have policies in place that say no non company surfing, if broken, then this consequence. But if you still need to do this from an IT perspective, then you use a web filter at the border to the network, not on the PCs, normally.
-
A huge thing that needs to happen in tons of companies around the world is realizing that they shouldn't be lazy and try to get technology to do someone else's job. i.e. you don't want users surfing the web at work, that's an HR policy; same goes for installing software on the PCs. Now - that's not to say that you don't use technology (like not giving them local admin rights) to keep your environment safer, it should be purely seen as a secondary line of defense, not the primary - again, that's HR.
-
For 100 users, I would definitely say that a single Hyper-V host will be enough and no need for a second DC VM.
With the ability to back up to Unitrends for free (do they still offer that free for up to 1TB?) and the ability to just overnight replacement parts, things could easily handle a hardware failure.
-
When it comes to deciding if you should even use AD or not, my question comes down to this, "What do you gain?"
Would centralized accounts actually gain you anything? Because if the applications are hosted, then you are not likely going to get AD benefits to that.
-
You can use a product like Atera (https://www.atera.com/pricing/) for $80 a month to gain insight into your devices.
- It includes a ticketing system.
- You can force patching.
- You can make a script (example) and push it from Atera (or any service really) to set up a local admin account and update it whenever you need.
- You gain remote support functionality for a single user.
- Atera offers antivirus integration and backup integration if you want to pay for that also.
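An added example of the kind of script the bullet above describes, which also covers the earlier point about giving users a non-admin account: it creates (or re-keys) one IT-known local admin and demotes every other local account out of Administrators. This is not code from the thread, from Atera or from any vendor; the account name, parameter names and the allow-list default are assumptions, and the password is handed in by the RMM at push time rather than stored in the script.

```powershell
<#
  Added example (not from the thread or from Atera). Run elevated on each PC;
  uses the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).
  Names and parameters are assumptions.
#>
param(
    [Parameter(Mandatory)][string]$AdminName,      # e.g. "ITAdmin" (assumed name)
    [Parameter(Mandatory)][string]$AdminPassword,  # supplied by the RMM at push time, never hardcoded
    [string[]]$KeepAdmins = @('Administrator')     # other local accounts allowed to stay admins
)

$ErrorActionPreference = 'Stop'
$secure   = ConvertTo-SecureString -String $AdminPassword -AsPlainText -Force
$computer = $env:COMPUTERNAME

# 1. Create the IT admin account, or just rotate its password if it already exists.
$existing = Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-LocalUser -Name $AdminName -Password $secure -PasswordNeverExpires `
        -AccountNeverExpires -Description 'IT support account (managed by RMM)' | Out-Null
    Write-Output "Created local account $AdminName"
} else {
    Set-LocalUser -Name $AdminName -Password $secure
    Enable-LocalUser -Name $AdminName
    Write-Output "Rotated password for $AdminName"
}

# 2. Make sure the IT account is a member of the local Administrators group.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if (-not ($admins | Where-Object { $_.Name -eq "$computer\$AdminName" })) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
    Write-Output "Added $AdminName to Administrators"
}

# 3. Demote everyone else: ordinary users must not be local admins.
#    Only local principals are touched; the allow-list keeps the built-in
#    Administrator (and anything passed in -KeepAdmins) untouched.
$allowed = (@($AdminName) + $KeepAdmins) | ForEach-Object { "$computer\$_" }
foreach ($member in $admins) {
    if ($member.PrincipalSource -eq 'Local' -and
        $member.ObjectClass -eq 'User' -and
        $allowed -notcontains $member.Name) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        Write-Output "Removed $($member.Name) from Administrators"
    }
}
```

Re-running the script rotates the shared password, which only partly addresses the breach concern raised earlier in the thread: the same credential still sits on every PC it was pushed to. Test on one machine before pushing it fleet-wide, since step 3 removes admin rights from any local account not in the allow-list.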