Moving Forward: Converting a mess to the right solution
- 
@ajstringham said: A second DC is always a good idea. It's never really "should I have two DCs?" It's "when should I add a third?" The bulk of SMBs should only have one. DCs, of all things, rarely have noticeable downtime. NTG can go a week with the DC down and no one would realize it. The cost of downtime for many SMBs is literally zero. Even a day or two or ten. Some companies tie other things to AD that don't cache, like logins, and downtime can impact them. But a typical SMB can definitely take a few hours of AD downtime with possibly zero impact. Considering that - the cost of a second server hardware (say $2K minimum) and another Windows Server license (say $750 minimum) and the electric and cooling to keep that running and the IT time to administer it. Likely you are talking $4K or more for a failover system that has no means of ever recouping its costs no matter how bad the outage(s) are. There is pretty much no risk mitigation system that is an "always", especially in the SMB. The closest thing would be RAID 1 disks - if you are putting a disk in a server, it should be in RAID always... is almost true. But even that there are exceptions. Just very few. 
- 
@thecreativeone91 said: Sure a second DC is great but, it only provides an active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet) so there will still be downtime. It should be doing DNS and DHCP if needed. Secondary DNS is more important than secondary AD. 
- 
@ajstringham said: I've heard thin clients are kind of dead. Maybe I heard wrong but VDI is more what people are doing now. In any case... I think that you are confused as to these terms. Thin clients and VDI are not opposing concepts. All early and many current VDI implementations use thin clients. And VDI is in no way the "path forward." It has a place but remains an "only when other things are not an option." Don't get caught in the VDI and Zero Clients everywhere hype. VDI is insanely expensive and an extremely niche solution for special cases. In enterprise where there is huge scale to make it pay off, VDI is starting to creep in more and more, but in the SMB, it has almost no place at all. 
- 
 @thecreativeone91 said: It's not about system load, It's about priority/and potential down time and loss of services to end users. Your DC is always your most important server once implemented in a network. Quite often it is the least important, especially in an SMB. 
- 
 Because AD and File Services are probably tightly coupled here, having them on the same VM makes sense. If you need to do a reboot, both go down and come back together. If there is a dependency of one on the other, which there is, then having them on separate VMs doesn't really help much. I think that one Windows Server Standard license is adequate. Two VMs. Keep it simple. 
- 
If doing a single, stand-alone server, generally Hyper-V is the way to go because it supports backups whereas VMware ESXi does not. 
- 
 So... one VM for AD/DNS/FS and one VM for SQL Server? That should work fine. 
- 
@scottalanmiller said: @thecreativeone91 said: It's not about system load, It's about priority/and potential down time and loss of services to end users. Your DC is always your most important server once implemented in a network. Quite often it is the least important, especially in an SMB. How small are we talking? If AD goes down and you have a content filter with AD integration no one is getting out to the web. If you're talking ma & pop shop, maybe. Anything much larger it's highly important. It's been very important everywhere I've been. VPNs, web services, filter etc. all using LDAP. 
- 
@thecreativeone91 Even 100-person SMBs rarely have AD integrated networking. That's extremely expensive and cumbersome (and risky) with little to no payoff. Not a place where SMBs are likely to spend money. 
- 
@scottalanmiller I'm more talking about 300-500 people; that's what I tend to call an average SMB. 
- 
@thecreativeone91 said: @scottalanmiller I'm more talking about 300-500 people; that's what I tend to call an average SMB. That's an extremely large SMB. The vast majority of SMBs are under 100 people. But even at 500, why would you spend money on AD integrated content filtering for an average business? What's the financial (business) benefit? That's pretty small to be doing that stuff. But at 500 you'd have more than one server for lots of reasons. But the average company when ALL companies are considered is far less than forty people. Take just the SMBs and that number drops quite a bit, obviously. 
- 
@scottalanmiller I guess it depends on the area. Around here most companies are either larger or part of another large company. There are very few successful small ones under 100 - most are either failing or have already failed. 
- 
 Most companies are failing. The vast majority of businesses will never see eight years. But I guarantee that there are tons and tons of small companies all around you that you just don't realize. 
- 
What resources we have are grossly mismanaged and poorly configured. There is no way I could ever 'fix' it in one weekend, or even in one 'action'. Some general stats: Two main business units, one organization but comprised of different areas. We are a non-profit, so pricing isn't going to be an issue. Between the two, there are roughly 300 to maybe 400 staff. Transportation has about 40 (including drivers); each program has about 15 each, admin staff is about 30 or so, teachers about 140 - 200 depending on the time of year. One side runs Server 2003 with AD and Exchange, File and Print services: 200-250 users.
Other side is the big mess:
- Fiscal server - SQL - Abilia MIP Fund Accounting
- HR server - Sage software
- Transportation server - SQL - Routematch (which is crap)
- WX server - FS - Access DB
- Shared server - FS
No AD, F&P services are running, email is being moved to O365, so reduction of services needed. We have offices in nine counties, but only six or so persons per site. The idea behind the thin client is that documents in the remote offices are at risk. But the idea is to have an off-site backup as well. We have a few places to put it, so that's not a problem. File and Print services aren't 'hogs', nor is AD, but I want to make sure that it's done right as opposed to the crap shot S&&) that's there now. I figure, build an AD and FS box, then start pulling things in, setting up proper file shares and security. I have 2 boxes that could be just rebuilt and put back into service... 
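The "build an AD and FS box, then start pulling things in, setting up proper file shares and security" step, as an added example that is not any poster's code: one share stood up with resource groups, a minimal NTFS ACL, share permissions that match it, data pulled in without the old ACLs, and a check for world-readable entries afterwards. The server name FS1, the NetBIOS domain CORP, the OU path, the share name and the group names are all hypothetical, and it assumes Windows Server 2012 or newer with the ActiveDirectory and SmbShare modules available.

```powershell
# Added example (not from the thread). Assumed/hypothetical: domain CORP
# (corp.example), OU=Groups,DC=corp,DC=example, local path D:\Shares, share
# "Fiscal", old data on \\OLDSHARED\Shared. Run as a Domain Admin on the file server.
Import-Module ActiveDirectory, SmbShare

$NetBios = 'CORP'
$Ou      = 'OU=Groups,DC=corp,DC=example'
$Root    = 'D:\Shares'
$Share   = 'Fiscal'
$Path    = Join-Path $Root $Share
$OldData = '\\OLDSHARED\Shared\Fiscal'

# 1. Groups (AGDLP): users go into a global role group, the role group goes into
#    a domain-local resource group per access level, and only the resource groups
#    ever appear in an ACL. Nobody is granted access by name.
$ro = "FS-$Share-RO"; $rw = "FS-$Share-RW"; $role = "$Share-Staff"
foreach ($g in $ro, $rw) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $Ou
    }
}
if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $Ou
}
Add-ADGroupMember -Identity $rw -Members $role   # add staff accounts to $role, not here

# 2. NTFS: break inheritance so nothing from D:\ (e.g. Users = read) leaks in,
#    then grant the minimum. Modify, not Full Control, for writers: Full Control
#    lets users change permissions and take ownership of the folder.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)      # disable inheritance, drop inherited ACEs
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @("$NetBios\$rw",           'Modify'),
    @("$NetBios\$ro",           'ReadAndExecute')
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# 3. Share: mirror the NTFS intent instead of the default "Everyone: Read",
#    hide folders the caller cannot open, and require SMB 3 encryption
#    (clients older than Windows 8 / Server 2012 cannot connect to an encrypted share).
New-SmbShare -Name $Share -Path $Path -FolderEnumerationMode AccessBased `
    -FullAccess "$NetBios\$rw" -ReadAccess "$NetBios\$ro" -EncryptData $true

# 4. Pull the old data in. /COPY:DAT copies data, attributes and timestamps but
#    NOT the old security descriptors, so the new ACL applies by inheritance
#    rather than dragging years of ad-hoc per-user entries across.
robocopy $OldData $Path /E /COPY:DAT /R:1 /W:1 /NP /LOG:"$Root\$Share-migration.log"

# 5. Verify the result rather than trusting the script: any ACE granting
#    Everyone, Authenticated Users or Users on the new tree is a finding.
function Find-BroadAccess {
    param([string]$TreeRoot)
    Get-ChildItem -Path $TreeRoot -Directory -Recurse -Force | ForEach-Object {
        $p = $_.FullName
        (Get-Acl -Path $p).Access |
            Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$' } |
            ForEach-Object { '{0}: {1} {2}' -f $p, $_.IdentityReference, $_.FileSystemRights }
    }
}
Find-BroadAccess -TreeRoot $Root
Get-SmbShareAccess -Name $Share
```

Run the verification function again after each migrated server: robocopy with `/COPY:DAT` keeps the old ACLs out, but subfolders created later by users on a mis-ACLed parent are exactly what the `Everyone|Authenticated Users` match is there to catch.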
- 
@g.jacobse Really, you don't like Routematch? I'm surprised; I've heard good things about it from school bus garages. I've never used it though. 
- 
@scottalanmiller said: But even at 500, why would you spend money on AD integrated content filtering for an average business? What's the financial (business) benefit? That's pretty small to be doing that stuff. What's expensive about it? Webroot web filtering includes AD integration in its basic offering, as does GFI's MailMax spam filtering. Do you mean the expense of securing your AD after exposing it to the internet? 
- 
 @thecreativeone91 said: @scottalanmiller I guess it depends on the area. around here most companies are either larger or part of another large company. there are very few successful small under 100 - Most are either failing or have already failed. I've managed to make a decent living working for companies this size. They're not always independently owned, just independently run. For example, I worked for a 150 user company that was part of a $12 billion turnover US company. I was given almost complete autonomy on everything. The only time I ever engaged with the CIO of the head office was when he turned down my proposal to buy Oracle Financials. A lot of big companies effectively operate as a series of connected SMBs, rather than one big enterprise. 
- 
@thecreativeone91 said: Sure a second DC is great but, it only provides an active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet) so there will still be downtime. Isn't it? DNS is replicated across servers, right? And you can have two DHCP servers giving out a different range of IP addresses but all on the same subnet, can't you? Why downtime? 
- 
 @scottalanmiller said: The bulk of SMBs should only have one. DCs, of all things, rarely have noticeable downtime. NTG can go a week with the DC down and no one would realize it. The cost of downtime for many SMBs is literally zero. Even a day or two or ten. Some companies tie other things to AD that doesn't cache like logins and downtime can impact them. But a typical SMB can definitely take a few hours of AD downtime with possibly zero impact. This is interesting. I need to know more! How do services that rely on AD authentication work when AD isn't available? I'm thinking specifically of File & Print, Exchange and Sharepoint? Do they all use cached credentials, and if so, how does that work? DNS server runs on a DC. So if your only DC is down, how are DNS requests handled? What happens when the lease on an IP address expires and DHCP is down? Will it continue to use the same IP address? 
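The two questions above (does DNS replicate, can two DHCP servers share a subnet, and what keeps logons working with no DC) as an added example, not code from any poster: the zone is made AD-integrated so every DC running DNS answers for it, the scope is placed in a DHCP failover relationship instead of the older split-scope layout, clients are handed both DNS servers, and the workstation setting behind "cached credentials" is read. Names and addresses are hypothetical: domain corp.example, DC1 at 192.168.10.10, DC2 at 192.168.10.11, scope 192.168.10.0/24, both DCs on Windows Server 2012 or newer with the DNS and DHCP roles installed.

```powershell
# Added example (not from the thread). Assumed/hypothetical: corp.example,
# DC1 = 192.168.10.10, DC2 = 192.168.10.11, scope 192.168.10.0/24,
# Server 2012+ on both DCs. Run as a Domain Admin with RSAT installed.
$Domain  = 'corp.example'
$Dc1     = 'DC1'
$Dc2     = 'DC2'
$ScopeId = '192.168.10.0'
$Rel     = 'DC1-DC2'

# 1. DNS. An AD-integrated zone is stored in the directory and replicates with
#    it, so DC2 serves the zone with no secondary-zone transfer to configure.
$zone = Get-DnsServerZone -Name $Domain -ComputerName $Dc1
if (-not $zone.IsDsIntegrated) {
    # Convert a file-backed primary into an AD-integrated one, replicated to every DC in the domain.
    ConvertTo-DnsServerPrimaryZone -Name $Domain -ComputerName $Dc1 -ReplicationScope Domain -Force
}

# 2. DHCP. Authorize the second server (unauthorized DHCP servers in a domain
#    will not lease), then put the scope into a failover relationship. In
#    load-balance mode each partner answers for half the pool; with automatic
#    state transition the surviving partner takes over the whole pool once the
#    switch interval and client lead time have elapsed.
Add-DhcpServerInDC -DnsName "$Dc2.$Domain" -IPAddress '192.168.10.11'
Add-DhcpServerv4Failover -ComputerName $Dc1 -Name $Rel -PartnerServer $Dc2 `
    -ScopeId $ScopeId -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) -AutoStateTransition $true `
    -SharedSecret (Read-Host 'Failover shared secret')

# 3. Hand clients both DNS servers (DHCP option 6); the second is used when the
#    first does not answer. Then push the scope settings to the partner.
Set-DhcpServerv4OptionValue -ComputerName $Dc1 -ScopeId $ScopeId `
    -DnsServer '192.168.10.10', '192.168.10.11' -DnsDomain $Domain
Invoke-DhcpServerv4FailoverReplication -ComputerName $Dc1 -Name $Rel -Force

# 4. Cached logons. Windows keeps a verifier for the last N interactive domain
#    logons on the workstation (default 10), which is why users still sign in
#    when no DC is reachable. 0 disables it and makes every logon need a DC.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
(Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount

# 5. Verify: each DC holds the zone, and the failover relationship reports Normal.
function Test-SecondDc {
    param([string[]]$Controllers, [string]$ZoneName)
    foreach ($dc in $Controllers) {
        $z = Get-DnsServerZone -Name $ZoneName -ComputerName $dc -ErrorAction SilentlyContinue
        '{0}: zone present={1} adIntegrated={2}' -f $dc, [bool]$z, [bool]$z.IsDsIntegrated
    }
}
Test-SecondDc -Controllers $Dc1, $Dc2 -ZoneName $Domain
Get-DhcpServerv4Failover -ComputerName $Dc1 -Name $Rel | Select-Object Name, Mode, State, PartnerServer
```

On the lease question: a client whose DHCP server is unreachable keeps its address and keeps retrying renewal until the lease actually expires; only then does it drop the address and self-assign a 169.254.x.x one. A lease of several days therefore rides out a short outage even without the failover relationship, and the split-scope layout the question describes (two servers, one scope, mutually exclusive exclusion ranges) works on older servers where `Add-DhcpServerv4Failover` is not available.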
- 
NTG now has much if not all of their stuff in Office 365. This has decoupled their need for AD for the most part. Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a domain. Print services will all come locally (again, they are at home). File permissions are handled by O365. I've been wondering what a good solution for a company is that is smaller, say less than 20 - at what point do you implement AD these days? Considering the host of new solutions (namely Office 365 and Intune or some other PC management software) I think that number has grown. 