    Large network of Windows machines without AD - GO!

IT Discussion
68 Posts 10 Posters 3.1k Views
Dashrender @scottalanmiller

      @scottalanmiller said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      @coliver said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      Do you have a single admin level account pre-setup on every machine?

      You should be doing this anyway.

      Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

      Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.

      I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.

Dashrender @scottalanmiller

        @scottalanmiller said in Large network of Windows machines without AD - GO!:

        @notverypunny said in Large network of Windows machines without AD - GO!:

        Would something like Zentyal be appropriate?

        Just a package of Samba 4 which is just a third party AD. So this is just another way of saying to use Samba, which is another way of saying "keep AD." 🙂

        If the question is "how can I more affordably do AD", then Zentyal is a great AD distro. But if the question is "how do I ditch AD", Zentyal isn't ditching it at all.

        Great point - and one I have been waiting for someone to make.

So - which is really the better way to go? Ditch it altogether and try a LANless solution, or an AD alternative?

scottalanmiller @Dashrender

          @Dashrender said in Large network of Windows machines without AD - GO!:

          @scottalanmiller said in Large network of Windows machines without AD - GO!:

          @Dashrender said in Large network of Windows machines without AD - GO!:

          How do you manage and get knowledge that systems are updated?

          How do you do it with AD? AD doesn't do any management on its own, nor does it report on this. This is good stuff to have, but awkward to answer in a "how do we ditch X" when you are then asking about Y.

          /sigh.. yeah, you're right.

Let me rephrase - using all of the tools that come along with Standard Windows Licensing, and typically seen deployed in an AD environment - how would you do these things without AD/Windows Server/etc.

          That's a very different question. Nothing wrong with moving away from Windows, just it's very different than moving away from AD.

          Now, really, Windows doesn't come with much in that vein, either. Group Policy is weak and non-deterministic, only marginally qualifying as "management". WSUS has gotten so bad, it's almost a stumbling block to updates.

          All of Group Policy and WSUS functions (other than local caching) can pretty easily be replaced deterministically with something like Salt or Ansible. Even if you have AD, they'd be the way I'd want to tackle those problems.

scottalanmiller @Dashrender

            @Dashrender said in Large network of Windows machines without AD - GO!:

            @scottalanmiller said in Large network of Windows machines without AD - GO!:

            @Dashrender said in Large network of Windows machines without AD - GO!:

            @coliver said in Large network of Windows machines without AD - GO!:

            @Dashrender said in Large network of Windows machines without AD - GO!:

            Do you have a single admin level account pre-setup on every machine?

            You should be doing this anyway.

            Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

            Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.

            I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.

            We do it very often. Small environments, AD is a huge problem.

scottalanmiller @Dashrender

              @Dashrender said in Large network of Windows machines without AD - GO!:

So - which is really the better way to go? Ditch it altogether and try a LANless solution, or an AD alternative?

Really depends. Basically it's LAN-centric vs LANless (LAN-agnostic). Samba 4 will pretty much give you all the AD features you normally use, plus GPO and the like, but not WSUS, for free. But it becomes only a cost savings, not a change of approach. You are tied to the LAN, whether local or VPN extended, and still have all of the headache that that brings. But you can do things in a traditional way.

Obsolesce @Dashrender

                @Dashrender said in Large network of Windows machines without AD - GO!:

                @marcinozga said in Large network of Windows machines without AD - GO!:

Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 if you go with Samba.

                and you didn't include the AAD license. yeah that shit is hella expensive!!! and a major reason why on prem AD continues to stick around.

                It's way less than having an extra IT Admin / engineer hanging around to set up and manage all the SAMBA, Ansible, on-prem, etc., crap involved in taking care of every single point.

It's all ready to go built in management, administration, app deployment / user management / policy / compliance / reporting / updating, LANless/Global/distributed/mobile, such a huge damn list of things all ready to go, that you'll end up needing anyway, no building from the ground up. A basic 200-user setup for all the things would be minimal.

                It's not a simple "oh just install ansible and samba". That will take a ton of work to build the entire environment unless you use something like others mentioned like Zentyal if you really want to keep the on-prem mindset going.

                For 200 users, you would just need one person to set it up.

You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment. I wouldn't go the on-prem or SAMBA route.

scottalanmiller @Obsolesce

                  @Obsolesce said in Large network of Windows machines without AD - GO!:

                  It's way less than having an extra IT Admin / engineer hanging around to set up and manage all the SAMBA, Ansible, on-prem, etc., crap involved in taking care of every single point.

Except you don't need one hanging around for that stuff. If you don't have the skills in house, farm that out to an MSP for a one-time cost way less than the cost of AAD or whatever. Yes, it requires more expertise than many other solutions, but like most things in IT... the higher the expertise needed, the lower the overall cost.

Once Samba, Ansible, etc. are up and running (and you don't need it on premises at all) you've got a near zero cost, easy to maintain infrastructure.

scottalanmiller @Obsolesce

                    @Obsolesce said in Large network of Windows machines without AD - GO!:

You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment. I wouldn't go the on-prem or SAMBA route.

                    What does on prem have to do with any of it? Other than AAD being off prem only (unless you use Azure for your desktops, then it is on prem) all solutions (AD, Samba, State) are both on or off prem and work the same either way.

scottalanmiller @Obsolesce

                      @Obsolesce said in Large network of Windows machines without AD - GO!:

It's all ready to go built in management, administration, app deployment / user management / policy / compliance / reporting / updating, LANless/Global/distributed/mobile, such a huge damn list of things all ready to go, that you'll end up needing anyway, no building from the ground up. A basic 200-user setup for all the things would be minimal.

                      I've seen shops do AAD and have it have so many problems that it cost them too much in IT labor time and moved away because it was the opposite of easy or "out of the box." Not that that is normal, but just saying that it's magic and easy and doesn't require IT or knowing what you are doing or whatever isn't the case. It might require less, but at a staggering cost. For less than the cost of AAD you can have your department outsourced and everything handled for you. So somewhere, the math doesn't add up. It would only be "expensive" if trying to do it with resources that can't handle it (like how underpowered cars aren't fuel efficient because the engine is working too hard.)

scottalanmiller @Dashrender

                        @Dashrender said in Large network of Windows machines without AD - GO!:

                        @marcinozga said in Large network of Windows machines without AD - GO!:

Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 if you go with Samba.

                        and you didn't include the AAD license. yeah that shit is hella expensive!!! and a major reason why on prem AD continues to stick around.

If you assume that you need P1 for $6/u/m and Intune, you are at $12/u/m just for AAD and Intune. That's $2,400/mo or $28,800 a year. And if you grow, that cost goes up linearly. And the cost never goes away, it's a monthly cost forever and you get very tied to it.

                        Now moving to it is anything but free. You'll need an engineer to do a lot of work setting this up and implementing it in the environment. So there is a large labour cost in the transition. After that, management would be trivially easy.

                        Similarly, if you were to hire out an MSP to do Ansible and/or Samba you would also have an up front engineering fee, likely higher than the one for AAD (but not necessarily), and almost no ongoing costs unless you want to have all of your maintenance done for you. This solution scales and would cost essentially no more for 400 users than for 200.

                        Both have big upfront effort and cost, transitions aren't cheap. But one has tons of ongoing cost and one has essentially none.

If you go with Samba for AD, you can make the setup cost almost as low as anything with MS products. You give up the flexibility of being LANless, but you can meet in the middle with a low up front transition and immediate monthly savings.

scottalanmiller @Obsolesce

                          @Obsolesce said in Large network of Windows machines without AD - GO!:

                          You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment.

                          That's the beauty of outsourcing. Doesn't matter how much of a PITA it is, you can put it into monetary numbers. And the cost of using AAD is higher than the cost of "having someone else do it all." And nothing beats that. Lower cost, zero effort. It's a guaranteed win.

scottalanmiller

                            Also, AAD only supports limited operating systems. Not often a problem, but if you are looking at more flexible workstation options it might not support what you need whereas Samba / Ansible / Salt handle everything commonly on the market.

marcinozga @Obsolesce

                              @Obsolesce said in Large network of Windows machines without AD - GO!:

                              @Dashrender said in Large network of Windows machines without AD - GO!:

                              @marcinozga said in Large network of Windows machines without AD - GO!:

Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 if you go with Samba.

                              and you didn't include the AAD license. yeah that shit is hella expensive!!! and a major reason why on prem AD continues to stick around.

                              It's way less than having an extra IT Admin / engineer hanging around to set up and manage all the SAMBA, Ansible, on-prem, etc., crap involved in taking care of every single point.

This is a completely bullshit argument. Setting up Samba as DC takes 5-10 mins, installing Ansible literally takes seconds, setting up Windows machines for Ansible management is a single PowerShell script. Neither is time consuming or complex, it's even easier than setting up a native Windows DC. I bet just signing up for Intune or AAD is more complex and a much bigger pain. And if your IT staff can't handle basic stuff, it's time to replace them with competent ones, or outsource it.

                              It's not a simple "oh just install ansible and samba". That will take a ton of work to build the entire environment unless you use something like others mentioned like Zentyal if you really want to keep the on-prem mindset going.

                              Again, nonsense. It does take some work to create Ansible playbooks or roles, but so it does setting up things in AAD or Intune.

You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment. I wouldn't go the on-prem or SAMBA route.

                              Nonsense. I work with all Windows environments and Ansible is pure pleasure to use. Native Windows tools are real pain, including Powershell. Ever tried equivalent of journalctl -f in Powershell?

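Added example, not code from this thread or from any of its posters: an Ansible playbook of the kind scottalanmiller describes above as a deterministic replacement for the Group Policy and WSUS functions, and that marcinozga says is easy to put in front of Windows machines. It assumes an inventory group named workstations whose hosts already expose a WinRM HTTPS listener on port 5986, the ansible.windows collection installed on the control node, and a per-host vaulted variable named local_admin_password; the account name breakglass and the specific policy settings are illustrative choices, not anything the thread prescribes.

```yaml
---
# Added example (not from the thread). Assumed names: inventory group
# "workstations", vaulted variable "local_admin_password", account
# "breakglass". Requires the ansible.windows collection.
- name: Baseline Windows workstations without Group Policy or WSUS
  hosts: workstations
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    # ntlm or kerberos over HTTPS; never basic auth over plain HTTP,
    # which sends the credential base64-encoded and readable on the wire.
    ansible_winrm_transport: ntlm
    ansible_winrm_server_cert_validation: validate
  tasks:
    # Equivalent of the "local admin on every box" the thread discusses,
    # with the password coming only from ansible-vault, never the inventory.
    - name: Break-glass local admin exists with a per-host vaulted password
      ansible.windows.win_user:
        name: breakglass
        password: "{{ local_admin_password }}"
        password_never_expires: true
        groups:
          - Administrators
        state: present
      no_log: true

    - name: Built-in Administrator account stays disabled
      ansible.windows.win_user:
        name: Administrator
        account_disabled: true

    # Optional-feature removal that would otherwise be a GPO startup script.
    - name: SMBv1 is removed
      ansible.windows.win_optional_feature:
        name: SMB1Protocol
        state: absent

    # A registry-backed policy: the same key Group Policy writes for
    # "Turn off multicast name resolution" (LLMNR).
    - name: LLMNR is disabled
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
        name: EnableMulticast
        data: 0
        type: dword

    # The WSUS part: install security and critical updates and reboot
    # if the install requires it.
    - name: Security and critical updates are installed
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: installed
        reboot: true
        reboot_timeout: 1800
      register: updates

    - name: Report patch state per host
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}:
          {{ updates.installed_update_count | default(0) }} updates installed,
          reboot_required={{ updates.reboot_required | default(false) }}
```

Run it with ansible-playbook -i inventory baseline.yml --ask-vault-pass. The determinism point made earlier in the thread is directly observable here: a second run against an already compliant host reports changed=0 for every task except win_updates when new updates have been published, and the play recap is a per-host, per-setting report that a gpupdate has no equivalent for. The transport settings matter more than the tasks: keep certificate validation on and use an NTLM or Kerberos transport over HTTPS, since the same WinRM listener that lets Ansible administer the fleet is an administrative entry point for anyone who can reach it with a credential.
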
Obsolesce @scottalanmiller

                                @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                @Obsolesce said in Large network of Windows machines without AD - GO!:

                                You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment.

                                That's the beauty of outsourcing. Doesn't matter how much of a PITA it is, you can put it into monetary numbers. And the cost of using AAD is higher than the cost of "having someone else do it all." And nothing beats that. Lower cost, zero effort. It's a guaranteed win.

I suppose it's all possible, but is that MSP already set up and prepared for when they want all 200 users to use their local desktop/laptop logins to access their existing email (likely Google or Microsoft) services, printing services/follow-me printing, github/lab, network access / 802.1x, SSO/2FA everywhere, any and all other systems? Samba/Ansible/Salt supports a lot, I know, but it's a complete re-do. Rip out/gut, and in with the new.... without anything existing breaking or having bugs, stopping work, etc.

At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, I don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.

Dashrender @scottalanmiller

                                  @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                  @Dashrender said in Large network of Windows machines without AD - GO!:

                                  @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                  @Dashrender said in Large network of Windows machines without AD - GO!:

                                  @coliver said in Large network of Windows machines without AD - GO!:

                                  @Dashrender said in Large network of Windows machines without AD - GO!:

                                  Do you have a single admin level account pre-setup on every machine?

                                  You should be doing this anyway.

                                  Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

                                  Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.

                                  I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.

                                  We do it very often. Small environments, AD is a huge problem.

Your environments must just be a disaster then.. I don't have this issue.

                                  In those cases, have you pitched to them to remove AD completely?

IRJ

If you use a service like JumpCloud you can require MFA to do things like login to systems with separate accounts (just like AD). Systems need to have an agent installed, but you get the same centralized management and it's done locally.

If you want even more features you integrate that with something even more advanced like Okta Advance Server Access, which creates groups and sets permissions on the fly from a centralized location. It is certificate based and allows you to authenticate once with a short lived cert, but any time you call an action it reaches out to the directory to make sure the account still has appropriate permissions.

Dashrender @Obsolesce

                                      @Obsolesce said in Large network of Windows machines without AD - GO!:

                                      @Dashrender said in Large network of Windows machines without AD - GO!:

                                      @marcinozga said in Large network of Windows machines without AD - GO!:

Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 if you go with Samba.

                                      and you didn't include the AAD license. yeah that shit is hella expensive!!! and a major reason why on prem AD continues to stick around.

                                      It's way less than having an extra IT Admin / engineer hanging around to set up and manage all the SAMBA, Ansible, on-prem, etc., crap involved in taking care of every single point.

It's all ready to go built in management, administration, app deployment / user management / policy / compliance / reporting / updating, LANless/Global/distributed/mobile, such a huge damn list of things all ready to go, that you'll end up needing anyway, no building from the ground up. A basic 200-user setup for all the things would be minimal.

                                      It's not a simple "oh just install ansible and samba". That will take a ton of work to build the entire environment unless you use something like others mentioned like Zentyal if you really want to keep the on-prem mindset going.

                                      For 200 users, you would just need one person to set it up.

You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment. I wouldn't go the on-prem or SAMBA route.

Those systems aren't any more "just ready to go" than SAMBA/Ansible, etc.. you still need IT staff to manage and maintain the AAD stuff, granted after it's initially set up, it might be less maintenance...
But you don't just decide - hey I'm going the AAD/Intune way and just buy licenses and poof it's done, there is a ton of work there to make that stuff work.

IRJ @Obsolesce

                                        @Obsolesce said in Large network of Windows machines without AD - GO!:

                                        At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.

Yes you can sync your on prem LDAP to Okta, but that's still not changing the environment, you are still basically using AD.

Obsolesce @IRJ

                                          @IRJ said in Large network of Windows machines without AD - GO!:

                                          @Obsolesce said in Large network of Windows machines without AD - GO!:

                                          At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.

Yes you can sync your on prem LDAP to Okta, but that's still not changing the environment, you are still basically using AD.

                                          I was under the impression no on-prem stuff like that.

scottalanmiller @Obsolesce

                                            @Obsolesce said in Large network of Windows machines without AD - GO!:

                                            @IRJ said in Large network of Windows machines without AD - GO!:

                                            @Obsolesce said in Large network of Windows machines without AD - GO!:

                                            At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.

Yes you can sync your on prem LDAP to Okta, but that's still not changing the environment, you are still basically using AD.

                                            I was under the impression no on-prem stuff like that.

                                            AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.

2 / 4