Moving Forward: Converting a mess to the right solution
- 
 What resources we havve are grossly mismanaged and poorly configured. There is no way I could ever 'fix' in one weekend, or even one 'action' Some general Stats: Two main business units, One organization but comprised of different ares. We are a Non Profit, so pricing isn't going to be an issue. Between the two, there are roughly 300 to maybe 400 staff. Transportations has about 40 (including drivers); Each program has about 15 each, Admin staff is about 30 or so, teachers about 140 - 200 depending on the time of year. One side runs Server 2003 with AD and Exchange, File and Print services: 200-250 users. 
 Other side is the big mess:- Fiscal server - SQL Abilia MIP Fund accounting
- HR Server - Sage software
- Transportation server - SQL - Routematch (which is crap)
- WX server - FS - access db
- Shared server - FS
 No AD, F&P services are running, email is being moved to O365, so reduction of services needed. We have offices in nine counties, but only six or so persons per site. The idea behind the thin client is that documents in the remote offices are at risk. But the idea is to have a off site back up as well. We have a few places to put it,.. so that's not a problem. File and Print services are 'hogs' nor is AD, but I want to make sure that it's done right as opposed to the crap shot S&&) that's there now. I figure, built an AD and FS box, then start pulling things in, setting up prper file shares and security. I have 2 boxes that could be just rebuilt and put back into service... 
- 
 @g.jacobse Really, You don't like Routematch? I'm surprised I've head good things about it from school bus garages. I've never used it though. 
- 
 @scottalanmiller said: But even at 500, why would you spend money on AD integrated content filtering for an average business? What's the financial (business) benefit? That's pretty small to be doing that stuff. What's expensive about it? Webroot web filtering includes AD integration in it's basic offering, as does GFI's MailMax spam filtering. Do you mean the expense of securing your AD after exposing it to the internet? 
- 
 @thecreativeone91 said: @scottalanmiller I guess it depends on the area. around here most companies are either larger or part of another large company. there are very few successful small under 100 - Most are either failing or have already failed. I've managed to make a decent living working for companies this size. They're not always independently owned, just independently run. For example, I worked for a 150 user company that was part of a $12 billion turnover US company. I was given almost complete autonomy on everything. The only time I ever engaged with the CIO of the head office was when he turned down my proposal to buy Oracle Financials. A lot of big companies effectively operate as a series of connected SMBs, rather than one big enterprise. 
- 
 @thecreativeone91 said: Sure a Second DC is great but, it only provides a active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet) so their will still be down time. Isn't it? DNS is replicated across servers, right? And you can have two DHCP servers giving out a different range of IP address but all on the same subnet, can't you? Why down time? 
- 
 @scottalanmiller said: The bulk of SMBs should only have one. DCs, of all things, rarely have noticeable downtime. NTG can go a week with the DC down and no one would realize it. The cost of downtime for many SMBs is literally zero. Even a day or two or ten. Some companies tie other things to AD that doesn't cache like logins and downtime can impact them. But a typical SMB can definitely take a few hours of AD downtime with possibly zero impact. This is interesting. I need to know more! How do services that rely on AD authentication work when AD isn't available? I'm thinking specifically of File & Print, Exchange and Sharepoint? Do they all use cached credentials, and if so, how does that work? DNS server runs on a DC. So if your only DC is down, how are DNS requests handled? What happens when the lease on an IP address expires and DHCP is down? Will it continue to use the same IP address? 
- 
 NTG now has much if not all of their stuff in Office 365. This has decoupled their need for AD for the most part. Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain. Print services will all come locally (again, they are at home). File permissions are handled by O365. I've been wondering what a good solution for a company is that is smaller, say less than 20 - at what point do you implement AD these days? Considering the host of new solutions (namely Office 365 and intune or some other PC management software) I think that number has grown. 
- 
 Depends on the structure of the organisation and the type of roles people do as much as headcount, I'd have thought. There's no magic number. But for a typical SMB, without O365, do you need at least two DCs, and if not, what happens when one goes down? 
- 
 @Carnival-Boy said: Depends on the structure of the organisation and the type of roles people do as much as headcount, I'd have thought. There's no magic number. But for a typical SMB, without O365, do you need at least two DCs, and if not, what happens when one goes down? Everyone works on cached credentials until the server comes back up. Besides, their shared files and such are not available anyway. Most times email was not either because it was a SBS server. 
- 
 I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC. 
- 
 @Carnival-Boy said: I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC. That setup is not what I have seen in a typical SMB. Maybe more towards the M side where I have not done a lot of work. 
- 
 @Carnival-Boy said: Depends on the structure of the organisation and the type of roles people do as much as headcount, I'd have thought. There's no magic number. But for a typical SMB, without O365, do you need at least two DCs, and if not, what happens when one goes down? Definitely no magic number. It is all about workload. A company of 1,000 pure AD login users doesn't care about DC downtime for days. But an LOB app tied to AD might care very quickly. 
- 
 @Dashrender said: NTG now has much if not all of their stuff in Office 365. Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain. But we remain 100% AD. We extend AD to all homes. Always have. 
- 
 @Carnival-Boy said: I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC. Same here I've never seen or used SBS. I'm begin to think what I call "small" most people here must consider medium to large.... If the DC goes down they lose access to some things. 
- 
 @Carnival-Boy said: @thecreativeone91 said: Sure a Second DC is great but, it only provides a active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet) so their will still be down time. Isn't it? DNS is replicated across servers, right? And you can have two DHCP servers giving out a different range of IP address but all on the same subnet, can't you? Why down time? I've never seen anyone do that. you'd have two ranges at all times like that. Most of the time I see just DHCP turned off with scopes setup ready to go but will still cause down time. 
- 
 @scottalanmiller said: @Dashrender said: NTG now has much if not all of their stuff in Office 365. Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain. But we remain 100% AD. We extend AD to all homes. Always have. Why? 
- 
 @thecreativeone91 said: @Carnival-Boy said: I don't really know anything about SBS. I've never used it. SBS users typically wouldn't run two DCs anyway though, would they? I'm talking about a typical SMB running a separate file server, Exchange server, Sharepoint server and DC. Same here I've never seen or used SBS. I'm begin to think what I call "small" most people here must consider medium to large.... If the DC goes down they lose access to some things. Yes, you suffer from "IBM Syndrome." Seeing the world as enterprise only and SMB as rather large and forgetting 80% of the business market. What you consider small is larger than the median size of US companies. 
- 
 @thecreativeone91 said: @Carnival-Boy said: @thecreativeone91 said: Sure a Second DC is great but, it only provides a active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet) so their will still be down time. Isn't it? DNS is replicated across servers, right? And you can have two DHCP servers giving out a different range of IP address but all on the same subnet, can't you? Why down time? I've never seen anyone do that. you'd have two ranges at all times like that. Most of the time I see just DHCP turned off with scopes setup ready to go but will still cause down time. No, DNS and DHCP in Windows are full enterprise services and are designed for failover. There is not a conflict. 
- 
 @Dashrender said: @scottalanmiller said: @Dashrender said: NTG now has much if not all of their stuff in Office 365. Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain. But we remain 100% AD. We extend AD to all homes. Always have. Why? It's a business environment. Why do you have AD anywhere? Same reasons. How else do you manage access, password resets, etc.? How else do you easily manage AV, push updates, use GPOs, provide access for techs to support, etc.? Most IT people I see feel that AD is a foregone conclusion even for just ten users or so. I'm surprise anyone would be surprised that we see value in AD. 
- 
 I'm not surprised to see the value in AD, just the value in such a spread out (I'm assuming most people work out of their homes, not a central office or branch). If you've decentralized everything through Office 365, is it still worth maintaining AD? Are you using Direct Access? or do you put GPOs over VPN? 
 The NTG network setup would be an awesome thing to see.



