Do I need to run AD if I install Server 2019?



  • I own a small business. I have about a dozen Axis IP cameras currently recording (via Samba) to a physical Debian server I built. While it works ok, the free Axis camera software is pretty basic. I also use the Debian server as my OpenVPN server so I can remote in.

    I’m wanting to move to Blue Iris camera software which only runs on Win 8/10/Server. Originally I was just going to spin up a VM via KVM on the Debian host and install it that way. What I quickly found out is that Blue Iris requires Intel Quick Sync to decode the H.264 stream. It can’t access that in a VM. Running the software in a test KVM Win 10 VM I spun up produced very high CPU usage. Checking around on the internet, people recommend installing Win 10/Server bare metal so that Blue Iris can access Quick Sync on the Intel CPU.

    So what I’m thinking is that I can either (a) install Win 10 bare metal or (b) install Server 2019 bare metal. Blue Iris can then be installed directly. I can then enable a Hyper V role on either choice so I can install Debian again (via a VM) and get OpenVPN AS installed again.

    I don’t host anything inside my business other than camera stuff. We are a retail gift shop and use a cloud based POS system so I don’t have to keep up with any of that.

    So my needs are pretty simple. I’m just wondering if I go the Server 2019 route, do I need to set up an AD? Currently, my router handles all DHCP. I don’t even mess with internal DNS since I don’t host anything that we need to get to internally. I mean, I could set up AD as a learning tool (almost like a lab). I’m just wondering if there are any downsides to not using Server 2019 as an AD.



  • @biggen said in Do I need to run AD if I install Server 2019?:

    Quick answer to the title before reading the details...

    No, running Windows Server, or Windows desktops, never creates a "need" for Active Directory. None of those things even imply it. It's an optional feature only, and there are loads and loads of times you would not use it.



  • You could also do PCI passthrough of a graphics adapter to the VM. Then it has full access to the hardware needed for quick sync.

    That said, I don't understand why Blue Iris has to decode the h264 streams.



  • @biggen said in Do I need to run AD if I install Server 2019?:

    So what I’m thinking is that I can either (a) install Win 10 bare metal or (b) install Server 2019 bare metal. Blue Iris can then be installed directly. I can then enable a Hyper V role on either choice so I can install Debian again (via a VM) and get OpenVPN AS installed again.

    Keep in mind the licensing quagmire you will create here. To use Hyper-V as a role or to run Server 2019 on bare metal, you are going to have to license every single user in your organization for it, not just buy the server. This will increase the cost above what you are picturing, not just today, but for the indefinite future until you phase this out. You will need to manage licenses and track how your system is used, all for an Axis camera system. I'd dump the camera system before I'd consider this option.

    If you were just running a Windows 10 desktop bare metal, you only have to ensure that it is not used as a server. Then there is no licensing beyond buying the computer. But the moment you consider Windows Server and/or Hyper-V as a role, you've entered the expensive and complicated world of Windows Server licensing and it is going to be a nightmare.



  • @biggen said in Do I need to run AD if I install Server 2019?:

    I don’t host anything inside my business other than camera stuff. We are a retail gift shop and use a cloud based POS system so I don’t have to keep up with any of that.

    Definitely, so taking on all the cost and problems of a Windows licensing infrastructure for some cameras seems like it should be an instant non-starter.



  • @biggen said in Do I need to run AD if I install Server 2019?:

    So my needs are pretty simple. I’m just wondering if I go the Server 2019 route, do I need to set up an AD?

    From the description, it sounds like something that shouldn't even be considered, even if you do decide to install Server 2019. Even by Microsoft's own guidelines at the peak of AD (something that waned long ago), you only really consider it when you are using it to manage a minimum of ten users, and generally a few more. Today the rule of thumb is not well known, but certainly higher than ten. More like twelve or higher. And there is never a number where you just choose it, it's just that under that number you rule it out. Above the threshold number you consider its benefits and caveats to see if the benefits are enough to make it worth it.

    AD works best when you have a large number of users in a single site (or a large number at multiple single sites). Once you have many sites with small numbers, mobile users, or a LANless architecture, it's effectively worthless.

    Caveats are many, it makes it hard to stop paying licensing fees, it makes it more important to constantly get the latest updates, it takes an isolated server and ties it to the machines, it creates an extremely likely path for ransomware (AD itself isn't the risk per se, it's how almost everyone uses it), it creates complexity that greatly increases the overhead of system management, it creates management risks, etc.

    As someone who runs a company that makes a load of money fixing AD from companies that deploy it when not needed and then get stuck bringing in people like us to fix it (literally have a team doing this right now on a Sunday for a nine person company), I can tell you that a small $800 decision today to buy Windows and then use the "free included" Active Directory because "you already paid for it" will easily cost you a few thousand dollars extra over the years in unneeded licensing, and will easily cost you five to ten thousand dollars someday in the future when you have to hire a team to come in and clean things up.

    AD is a great tool with loads of benefits for the right organization. But in the SMB, it doesn't make sense all that often and the risks are way higher than most people will tell you... because nearly everyone in IT from internal IT people to MSPs and VARs make huge loads of their revenue from managing or fixing unnecessary AD deployments.



  • @biggen said in Do I need to run AD if I install Server 2019?:

    mean, I could set up AD as a learning tool (almost like a lab).

    And learn why this was a bad idea 🙂




  • If you want to learn AD itself, and there are loads of reasons to want to, I would do it in a real lab where you can shut it off anytime you want and don't tie your running business to it. AD is great and I recommend knowing it. But I recommend extreme caution rolling it out without a very compelling reason.



  • For companies like you describe, who want the majority of AD benefits, Microsoft has already moved you to AzureAD (AzureAD is wholly unrelated to AD, it's just a marketing thing in the name.) And there are lots of alternative options, from cloud hosted products to DevOps tools that are free like Ansible and SaltStack. And that's only if there are specific benefits that you are looking for (like central password management, automated printer deployment, etc.)



  • @scottalanmiller said in Do I need to run AD if I install Server 2019?:

    AD works best when you have a large number of users in a single site (or a large number at multiple single sites). Once you have many sites with small numbers, mobile users, or a LANless architecture, it's effectively worthless.

    Yes, then you are stuck with it (on-prem AD) only to keep supporting old bad choice software that requires it until you can replace it.



  • @Obsolesce said in Do I need to run AD if I install Server 2019?:

    @scottalanmiller said in Do I need to run AD if I install Server 2019?:

    AD works best when you have a large number of users in a single site (or a large number at multiple single sites). Once you have many sites with small numbers, mobile users, or a LANless architecture, it's effectively worthless.

    Yes, then you are stuck with it (on-prem AD) only to keep supporting old bad choice software that requires it until you can replace it.

    That too. It's primarily a legacy thing today. Still loads of good uses, but legacy is the primary use case. Technical debt.



  • Ok wow. Well that clears up that I DON’T WANT to run Win Server...

    The issue is really Blue Iris. It decodes the H.264 byte stream. It doesn’t play well with Nvidia so it’s recommended to run it bare metal and let the Intel CPU and Quick Sync handle that. The folks that are running Win 10 or Server bare metal and then connected all their cameras to that I guess aren’t in proper licensing.

    I guess I can look at some other VMS options. I know that NX Witness can run on Ubuntu so I could install Hyper-V core and run an Ubuntu VM for that. It’s just costly since NX Witness charges per camera for licensing.

    Having to think about it some more... Thanks for the suggestions guys. I knew I could count on advice here.



  • @biggen said in Do I need to run AD if I install Server 2019?:

    I guess I can look at some other VMS options.

    Here's a couple of open source options.
    https://zoneminder.com/
    https://kerberos.io/



  • @black3dynamite said in Do I need to run AD if I install Server 2019?:

    @biggen said in Do I need to run AD if I install Server 2019?:

    I guess I can look at some other VMS options.

    Here's a couple of open source options.
    https://zoneminder.com/
    https://kerberos.io/

    Zoneminder is pretty bad. It’s very antiquated. But I’ve never tried Kerberos. I’ll check it out. Thanks!



  • I’m guessing that cameras are like Unifi APs, they are the clients reaching out to the server software running in the closet. Therefore, I’m guessing that windows 10 would be legal to use.

    Scott?



  • @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    It's just not efficient to have the camera do h264, decode that with B.I into raw video and then have B.I reencode that into h264 again.



  • @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    Maybe you can’t view it in real-time without the decoding?



  • As far as your remote access, why not use a VPN from your firewall? A $60 ER-X can do that for you.



  • @Dashrender said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    Maybe you can’t view it in real-time without the decoding?

    All browsers can show h264 streams directly.



  • @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Dashrender said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    Maybe you can’t view it in real-time without the decoding?

    All browsers can show h264 stream directly.

    I don’t know boo about BI, but assuming it’s a security camera type software that can show 12 (blah blah number) of cameras, I’m guessing the desire would be to have that multi camera view up at most times, so that’s not browser based, but again I don’t know boo about BI.



  • @Dashrender said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Dashrender said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    Maybe you can’t view it in real-time without the decoding?

    All browsers can show h264 stream directly.

    I don’t know boo about BI, but assuming it’s a security camera type software that can show 12 (blah blah number) of cameras, I’m guessing the desire would be to have that multi camera view up at most times, so that’s not browser based, but again I don’t know boo about BI.

    You mean it reencodes all cameras into one big stream? It's possible but I doubt it. I don't know anything about it but have worked with ip cams and Axis in the past. If you have for instance 4 ip cams on the screen there will be 4 streams.

    Most ip cams can send several streams so you could have a low bandwidth and a high bandwidth stream from the camera at the same time. So you can use one for viewing and the other for storage.


  • Why not just use Ubiquiti cameras and nvr?

    Professional equipment and software to back it up with a server backend you're already familiar with.



  • @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Dashrender said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    Maybe you can’t view it in real-time without the decoding?

    All browsers can show h264 streams directly.

    This brings another question.... the OP said BI requires direct hardware access and sync something (on my phone, hard to look up when posting), if that’s true and running that inside a VM kills the CPU, why would decoding in a browser not also kill the CPU in that same VM?



  • @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    It's just not efficient to have the camera do h264, decode that with B.I into raw video and then have B.I reencode that into h264 again.

    So CPU usage isn’t bad when no one is viewing via the Web GUI. On my test VM (gave it 2 cores) two cams with direct to disk recording were using about 50% of one core on an i3 Ivy Bridge (2C/4T). I was simply going to head to eBay and pick up an i7 4c/8t Ivy Bridge, drop it in, and off I go. But viewing the cams kills the CPU without Quick Sync being used. I opened two Web GUI streams of Blue Iris on two different computers and all of a sudden both cores of the VM were pegged at 100% and it became unresponsive. It’s the viewing the cams using the Blue Iris web GUI that kills it. The recording isn’t too bad.



  • @Dashrender said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Dashrender said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    Maybe you can’t view it in real-time without the decoding?

    All browsers can show h264 streams directly.

    This brings another question.... the OP said BI requires direct hardware access and sync something (on my phone, hard to look up when posting), if that’s true and running that inside a VM kills the CPU, why would decoding in a browser not also kill the CPU in that same VM?

    Because all low powered clients decode h264 in hardware and decoding is cheap. However B.I. both decodes and reencodes which is much more expensive in CPU power.



  • @biggen said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Pete-S said in Do I need to run AD if I install Server 2019?:

    That said, I don't understand why Blue Iris has to decode the h264 streams.

    I'd like to get back to my earlier question. I think something is wrong with the Blue Iris setup.

    Why does Blue Iris need to decode the H264 stream? Axis cameras already encode H264 and you save that to disk. The setting is called Direct-to-disc in Blue Iris.

    According to B.I. website you won't get image overlay with camera name and time but who cares about that when the ip cam does that already by itself.

    It's just not efficient to have the camera do h264, decode that with B.I into raw video and then have B.I reencode that into h264 again.

    So CPU usage isn’t bad when no one is viewing via the Web GUI. On my test VM (gave it 2 cores) two cams with direct to disk recording were using about 50% of one core on an i3 Ivy Bridge (2C/4T). I was simply going to head to eBay and pick up an i7 4c/8t Ivy Bridge, drop it in, and off I go. But viewing the cams kills the CPU without Quick Sync being used. I opened two Web GUI streams of Blue Iris on two different computers and all of a sudden both cores of the VM were pegged at 100% and it became unresponsive. It’s the viewing the cams using the Blue Iris web GUI that kills it. The recording isn’t too bad.

    That's interesting. Then it has to be what @Dashrender suggested - a reencoding of the h264 stream for viewing.



  • Yeah I see that now with his last post... it’s when he has to re encode for client viewing that kills his system...

    So that sync thing is supposed to use hardware encoding.... is anyone sure that any hypervisor passes those calls along? Sounds like XS doesn’t.



  • @Dashrender said in Do I need to run AD if I install Server 2019?:

    Yeah I see that now with his last post... it’s when he has to re encode for client viewing that kills his system...

    So that sync thing is supposed to use hardware encoding.... is anyone sure that any hypervisor passes those calls along? Sounds like XS doesn’t.

    I think the quick sync question has been up here before. Now that I think about it, I think it's a CPU feature so it cannot be passed through hence no hypervisors can do it.



  • It's probably so that B.I reencodes for mobile clients and other low bandwidth users.

    If you are running on the LAN you should be able to take the streams as they are.



  • @Pete-S said in Do I need to run AD if I install Server 2019?:

    @Dashrender said in Do I need to run AD if I install Server 2019?:

    Yeah I see that now with his last post... it’s when he has to re encode for client viewing that kills his system...

    So that sync thing is supposed to use hardware encoding.... is anyone sure that any hypervisor passes those calls along? Sounds like XS doesn’t.

    I think the quick sync question has been up here before. Now that I think about it, I think it's a CPU feature so it cannot be passed through hence no hypervisors can do it.

    It was back in December 208. Here is the post

