Moving Forward: Converting a mess to the right solution
-
@thecreativeone91 said:
@Carnival-Boy said:
@thecreativeone91 said:
Sure a Second DC is great but, it only provides a active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet) so their will still be down time.
Isn't it? DNS is replicated across servers, right? And you can have two DHCP servers giving out a different range of IP address but all on the same subnet, can't you? Why down time?
I've never seen anyone do that. you'd have two ranges at all times like that. Most of the time I see just DHCP turned off with scopes setup ready to go but will still cause down time.
No, DNS and DHCP in Windows are full enterprise services and are designed for failover. There is not a conflict.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
NTG now has much if not all of their stuff in Office 365.
Assuming they are mostly working from home, there's little if any need for the workstations they are using to join/log into a Domain.
But we remain 100% AD. We extend AD to all homes. Always have.
Why?
It's a business environment. Why do you have AD anywhere? Same reasons. How else do you manage access, password resets, etc.? How else do you easily manage AV, push updates, use GPOs, provide access for techs to support, etc.?
Most IT people I see feel that AD is a foregone conclusion even for just ten users or so. I'm surprise anyone would be surprised that we see value in AD.
-
I'm not surprised to see the value in AD, just the value in such a spread out (I'm assuming most people work out of their homes, not a central office or branch).
If you've decentralized everything through Office 365, is it still worth maintaining AD?
Are you using Direct Access? or do you put GPOs over VPN?
The NTG network setup would be an awesome thing to see. -
@Dashrender said:
I'm not surprised to see the value in AD, just the value in such a spread out (I'm assuming most people work out of their homes, not a central office or branch).
If you've decentralized everything through Office 365, is it still worth maintaining AD?
Are you using Direct Access? or do you put GPOs over VPN?
The NTG network setup would be an awesome thing to see.DirectAccess is still a VPN, just an IPv6-only IPSec VPN. We use a Pertino SDN / VPN solution and have both IPv4 and IPv6 that way. We use Office 365 for some things but still have AD as O365 does not address managed desktops and laptops. Pertino is surprisingly similar to DirectAccess but without needing Windows Servers as aggregators and with the ability to talk directly between nodes and the ability to run on Mac and Linux, which we do heavily. Most of our servers are Linux and we have some Mac users (Danielle and Katie, for example.)
Do you really need AD? It really depends on your goals. If you want that slick, fully managed, corporate desktop experience yes, there is little alternative. But can you get away without it? Sure. It's not uncommon for a small business to not need it. But without AD desktop management is a nightmare.
-
Being that everyone is at home using their home computer (or do you build and send them all one, so now they have to have two at home?) I'm wondering what the advantage is for a tech company to maintain that type of tight control vs using something like VDI? If you even need that level of control?
Do the users have local admin rights (perhaps with a second account that they always have the password to?)?
-
@Dashrender said:
Being that everyone is at home using their home computer (or do you build and send them all one, so now they have to have two at home?) I'm wondering what the advantage is for a tech company to maintain that type of tight control vs using something like VDI? If you even need that level of control?
VDI is crazy expensive. And very hard to deliver well over the WAN. It is an incredibly rare business in the SMB that can make VDI financially viable. The licensing cost is just completely out of this world.
No one uses a home computer. It's company gear. Company desktops, company laptops, company tablets, company phones (lots of people opt out of that for their own mobile devices.)
-
@Dashrender said:
Do the users have local admin rights (perhaps with a second account that they always have the password to?)?
Most do as most are IT people who have the rights to support the internal desktop environment. But it is separate accounts, never, ever their main accounts, and it is all controlled via AD. As we grow the number of people with that access will decrease as there are more and more non-desktop support people.
-
Without AD it is also a pain to deal with working on shared equipment. Since we have AD, all desktops and laptops are interchangeable. I can go to Danielle's office and sit at the computers and work with my own accounts and security, just like she can when she is here. I can't imagine wanting to run a company even of our size without AD. What a mess that would be trying to maintain everything.
-
@scottalanmiller said:
I can't imagine wanting to run a company even of our size without AD.
Me neither. But how do you cope when AD is down for a week, as I think you said happens at NTG?
-
@Carnival-Boy said:
@scottalanmiller said:
I can't imagine wanting to run a company even of our size without AD.
Me neither. But how do you cope when AD is down for a week, as I think you said happens at NTG?
It does. We could prevent that but it is of no concern. AD outages literally have zero impact. That's the great thing about AD. If designed in a "non-tightly coupled way", AD outages can go literally weeks before anyone is affected by it. We've never had it be an issue, although it could have been.
The only times that we would be at "risk" is if AD was down at a time that a new person (or computer) were joining the domain or at a time when someone went to work on a machine that they had not worked on previously. Neither of those cases happens all that often. By and large day to day work is done on machines you work on regularly. I use maybe five company machines on a weekly basis but all of those already have my credentials.
AD is not down often and we have failover AD. AD outages are normally networking issues due to the large mesh that we are on and only take minutes to fix. The risk during at outage is tiny and if we were to be impacted (someone couldn't log in) a ticket to get that fixed would generally only take five minutes. So even an impact is minor.
-
AD is only down for long periods of time because no one notices. If we were monitoring the AD environment closely, which we certainly need to do but it isn't a priority, we wouldn't have those long outages. It's because being down for a week has zero impact that no one investigates the issues until a convenient time or someone notices because they were attempting a ping test or something.