SAMIT: Do You Need Two AD Domain Controllers?

StorageNinja

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

CALs are either cheap or they are $50 per user, but they aren't both. For an SMB, $50 per user for no reason is expensive. What do they get from that $50?

And that's hardly the full cost... let's look at a ten person business:

• Server: $1,000
• Windows License: $700
• CALs: $500
• Windows Pro Upgrades: $1,500
• Admin Time to Set Up: 2-5 days

That's $3,700 or $370 per user just to set up, plus around half a day of effort, per user to get set up. In many SMBs, it could take a week of effort just to get that kind of spending approved!

1/2 a day of effort per user? Explain....

StorageNinja

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

. let's look at a ten person business:

Server: $1,000
Windows License: $700
CALs: $500
Windows Pro Upgrades: $1,500
Admin Time to Set Up: 2-5 days

With 10 users you could use essentials or foundation edition. I can buy a Dell T130 with that ~$700.

StorageNinja

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

Yeah, but you can outsource that stuff to qualified people for a fraction of the cost of AD.

Qualified people cost money

You ever see a rate sheet for Continuums outsourced India desk?
Good luck finding SALT talents that's cheap (even in Bangalore).

StorageNinja

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

Central authentication, while it does have value, in the SMB seems to be primarily deployed out of confusion, rather than out of solving a problem

The general issue I've seen is a lot of (idM) systems have weird quirks when working with things other than AD. Yes on paper LDAP will work with quite a few I suspect didn't get a lot of QE testing...

I do think (idM) systems and SSO brokers are breaking the final biggest tie of AD (Authentication). Setting up federated services was always a pain in the ass and turnkey SAML integrations for common web apps are a lot nicer to manage.

scottalanmiller

@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

Yeah, but you can outsource that stuff to qualified people for a fraction of the cost of AD.

Qualified people cost money

Unqualified people cost way more, though.

scottalanmiller

Hey look, as soon as we say AD is easy, someone posts on SW that they screwed up their little AD install, again. We get these like once a week, maybe every two weeks. For SMBs, even what should be a trivially easy single server AD install is regularly a major problem. Just picking a domain name is beyond the common skill level. People don't get tripped up by advanced AD techniques, they are regularly stumped by just the most basic install process.

StorageNinja

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

Hey look, as soon as we say AD is easy, someone posts on SW that they screwed up their little AD install, again. We get these like once a week, maybe every two weeks. For SMBs, even what should be a trivially easy single server AD install is regularly a major problem. Just picking a domain name is beyond the common skill level. People don't get tripped up by advanced AD techniques, they are regularly stumped by just the most basic install process.

If you can't figure out that you should use a domain you own, you shouldn't be setting up a cloud SSO deployment either...

scottalanmiller

@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

Hey look, as soon as we say AD is easy, someone posts on SW that they screwed up their little AD install, again. We get these like once a week, maybe every two weeks. For SMBs, even what should be a trivially easy single server AD install is regularly a major problem. Just picking a domain name is beyond the common skill level. People don't get tripped up by advanced AD techniques, they are regularly stumped by just the most basic install process.

If you can't figure out that you should use a domain you own, you shouldn't be setting up a cloud SSO deployment either...

Agreed. Wouldn't suggest that either.

Reid Cooper

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

Hey look, as soon as we say AD is easy, someone posts on SW that they screwed up their little AD install, again. We get these like once a week, maybe every two weeks. For SMBs, even what should be a trivially easy single server AD install is regularly a major problem. Just picking a domain name is beyond the common skill level. People don't get tripped up by advanced AD techniques, they are regularly stumped by just the most basic install process.

If you can't figure out that you should use a domain you own, you shouldn't be setting up a cloud SSO deployment either...

Agreed. Wouldn't suggest that either.

KISS. If you don't need complexity, don't introduce it.

dave247

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

All these best practices seems to be carried over from the days of physical servers.

The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

I haven't watched your video yet but I've heard a lot of people (non-sales) say having only one DC is a good way to get fired.

bigbear

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

All these best practices seems to be carried over from the days of physical servers.

The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

I haven't watched your video yet but I've heard a lot of people (non-sales) say having only one DC is a good way to get fired.

Probably if you have a boss that knows about domain controllers and best practices, you are big enough to be following Microsoft "best practices"

And besides... RDSH in the cloud or bust

dave247

@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

All these best practices seems to be carried over from the days of physical servers.

The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

And besides... RDSH in the cloud or bust

I don't understand what you mean here..

scottalanmiller

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

All these best practices seems to be carried over from the days of physical servers.

The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

I haven't watched your video yet but I've heard a lot of people (non-sales) say having only one DC is a good way to get fired.

Yup..... sales people would say that.

bigbear

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

All these best practices seems to be carried over from the days of physical servers.

The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

And besides... RDSH in the cloud or bust

I don't understand what you mean here..

I am a big fan of Remote Desktop Session Host on Server 2016, Microsoft officially supports DC on the same box. For $80/month on Vultr plus $16/month for Server 2016 license, and about $100/user one time license fee... you can support 15 to 20 users.

The "or bust" part is that I really wouldnt be interested in doing IT any other way.

dave247

@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

All these best practices seems to be carried over from the days of physical servers.

The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

And besides... RDSH in the cloud or bust

I don't understand what you mean here..

I am a big fan of Remote Desktop Session Host on Server 2016, Microsoft officially supports DC on the same box. For $80/month on Vultr plus $16/month for Server 2016 license, and about $100/user one time license fee... you can support 15 to 20 users.

The "or bust" part is that I really wouldnt be interested in doing IT any other way.

oh you mean you have a hosted 2016 RDS server/DC? That's pretty cool... I currently have on-site terminal servers but they are 2008 R2 Enterprise and I have a separate server for the connection broker (I hate this setup). I have been meaning to take a look at going to a 2016 RDS setup but haven't had the chance to dig in as I am a freaking "IT generalist" where I work.

bigbear

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

All these best practices seems to be carried over from the days of physical servers.

The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

And besides... RDSH in the cloud or bust

I don't understand what you mean here..

I am a big fan of Remote Desktop Session Host on Server 2016, Microsoft officially supports DC on the same box. For $80/month on Vultr plus $16/month for Server 2016 license, and about $100/user one time license fee... you can support 15 to 20 users.

The "or bust" part is that I really wouldnt be interested in doing IT any other way.

oh you mean you have a hosted 2016 RDS server/DC? That's pretty cool... I currently have on-site terminal servers but they are 2008 R2 Enterprise and I have a separate server for the connection broker (I hate this setup). I have been meaning to take a look at going to a 2016 RDS setup but haven't had the chance to dig in as I am a freaking "IT generalist" where I work.

You will be presently surprised. The performance is amazing, you really cant even tell you are in a session anymore.

scottalanmiller

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

.... haven't had the chance to dig in as I am a freaking "IT generalist" where I work.

Youtube Video

I have a video for everything these days.

dave247

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

@dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video:

.... haven't had the chance to dig in as I am a freaking "IT generalist" where I work.

Youtube Video

I have a video for everything these days.

yep I just watched that one.. guess I can't call myself a Systems Administrator anymore (jk I totally am)