Moving Forward: Converting a mess to the right solution
-
@DenisKelley said:
@ajstringham said:
Considering AD has almost zero system load, is there really any reason to separate out AD from the file and print services? If anything, use the license of Windows server you would have used for File/Print on a secondary DC.
Yeah, little load, but rebooting is a likely candidate for separating the roles. A second DC is a good idea, but we don't know how large this company is.
A second DC is always a good idea. It's never really "should I have two DCs?" It's "when should I add a third?" Why is rebooting an issue? It's not like you'll be doing that during production time. It'll be during off-hours. Also, he said it's for ten counties, or more. I still say have your main DC with File/Print on it. Use the next license for your secondary DC, and go from there.
-
@ajstringham said:
A second DC is always a good idea. It's never really "should I have two DCs?" It's "when should I add a third?" Why is rebooting an issue? It's not like you'll be doing that during production time. It'll be during off-hours. Also, he said it's for ten counties, or more. I still say have your main DC with File/Print on it. Use the next license for your secondary DC, and go from there.
Because it might be silly to have 2 DCs for a company with, say, 5 PCs. Sometimes having the ability to selectively reboot a server has its uses. Not saying it has to be split, but there are use cases for that.
-
@ajstringham said:
@DenisKelley said:
@ajstringham said:
Considering AD has almost zero system load, is there really any reason to separate out AD from the file and print services? If anything, use the license of Windows server you would have used for File/Print on a secondary DC.
Yeah, little load, but rebooting is a likely candidate for separating the roles. A second DC is a good idea, but we don't know how large this company is.
A second DC is always a good idea. It's never really "should I have two DCs?" It's "when should I add a third?" Why is rebooting an issue? It's not like you'll be doing that during production time. It'll be during off-hours. Also, he said it's for ten counties, or more. I still say have your main DC with File/Print on it. Use the next license for your secondary DC, and go from there.
Sure, a second DC is great, but it only provides an active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet), so there will still be downtime.
It would be great if issues only happened after hours when no one would be bothered by them, but in my experience they happen during the day. You don't want to have to restart your DC because of an issue on your file/print server. Sometimes printing issues require the server to be restarted to fix, not just the services. Are you going to tell the CEO he has to wait until the next day to print his golf dates because you didn't separate out the DC & file/print services? Remember, in an organization with AD implemented well, many if not most things will authenticate against the domain, not just the local login. You have to plan for issues that will occur; it's just a matter of when.
-
@thecreativeone91 said:
@ajstringham said:
@DenisKelley said:
@ajstringham said:
Considering AD has almost zero system load, is there really any reason to separate out AD from the file and print services? If anything, use the license of Windows server you would have used for File/Print on a secondary DC.
Yeah, little load, but rebooting is a likely candidate for separating the roles. A second DC is a good idea, but we don't know how large this company is.
A second DC is always a good idea. It's never really "should I have two DCs?" It's "when should I add a third?" Why is rebooting an issue? It's not like you'll be doing that during production time. It'll be during off-hours. Also, he said it's for ten counties, or more. I still say have your main DC with File/Print on it. Use the next license for your secondary DC, and go from there.
Sure, a second DC is great, but it only provides an active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet), so there will still be downtime.
It would be great if issues only happened after hours when no one would be bothered by them, but in my experience they happen during the day. You don't want to have to restart your DC because of an issue on your file/print server. Sometimes printing issues require the server to be restarted to fix, not just the services. Are you going to tell the CEO he has to wait until the next day to print his golf dates because you didn't separate out the DC & file/print services? Remember, in an organization with AD implemented well, many if not most things will authenticate against the domain, not just the local login. You have to plan for issues that will occur; it's just a matter of when.
Fair enough. I guess it goes back to the size of the organization, and how critical uptime is. No one likes downtime, no matter how brief. However, it's certainly true that it's more acceptable for some companies than others, and in different lengths.
-
@ajstringham said:
A second DC is always a good idea. It's never really "should I have two DCs?" It's "when should I add a third?"
The bulk of SMBs should only have one. DCs, of all things, rarely have noticeable downtime. NTG can go a week with the DC down and no one would realize it. The cost of downtime for many SMBs is literally zero. Even a day or two or ten. Some companies tie other things to AD that don't cache, like logins, and downtime can impact them. But a typical SMB can definitely take a few hours of AD downtime with possibly zero impact.
Considering that - the cost of a second server hardware (say $2K minimum) and another Windows Server license (say $750 minimum) and the electric and cooling to keep that running and the IT time to administer it. Likely you are talking $4K or more for a failover system that has no means of ever recouping its costs no matter how bad the outage(s) are.
There is pretty much no risk mitigation system that is an "always", especially in the SMB. The closest thing would be RAID 1 disks - "if you are putting a disk in a server, it should be in RAID always" is almost true. But even there, there are exceptions. Just very few.
-
@thecreativeone91 said:
Sure a Second DC is great but, it only provides a active backup for data. It's not going to be handing out DHCP/DNS on the network (or at least not on the same subnet) so their will still be down time.
It should be doing DNS and DHCP if needed. Secondary DNS is more important than secondary AD.
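A quick check of the redundancy points argued over above (second DC, secondary DNS, DHCP on more than one box), as an added example that is not part of this thread; it assumes a domain-joined Windows host with the RSAT ActiveDirectory, DnsClient and DhcpServer modules available:

```powershell
# Added example, not from the thread: audit DC, DNS and DHCP redundancy from a
# domain-joined host. Assumes the RSAT ActiveDirectory, DnsClient and DhcpServer
# modules are installed; nothing is changed, only read.
Import-Module ActiveDirectory, DnsClient -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 1. Domain controllers: a single DC means logons, Kerberos and every
#    LDAP-integrated service share one point of failure.
$dcs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() })
if ($dcs.Count -lt 2) {
    $findings.Add("Only $($dcs.Count) DC(s) found: $($dcs -join ', ')")
}

# 2. DNS resolvers configured on this host: a lone resolver takes down all name
#    resolution, not just AD, whenever that box reboots.
$resolvers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)
if ($resolvers.Count -lt 2) {
    $findings.Add("Only $($resolvers.Count) DNS resolver(s) configured: $($resolvers -join ', ')")
}
foreach ($ip in $resolvers) {
    # Reverse-lookup each resolver and flag any that is not one of the DCs.
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    $resolverName = if ($ptr) { $ptr.NameHost.TrimEnd('.').ToLower() } else { $null }
    if ($resolverName -and ($dcs -notcontains $resolverName)) {
        $findings.Add("Resolver $ip ($resolverName) is not a DC; verify it serves or forwards the AD zone")
    }
}

# 3. DHCP: how many servers are authorised in AD, and does each have a failover partner?
if (Get-Module -ListAvailable -Name DhcpServer) {
    Import-Module DhcpServer
    $dhcpServers = @(Get-DhcpServerInDC)
    if ($dhcpServers.Count -lt 2) {
        $findings.Add("Only $($dhcpServers.Count) DHCP server(s) authorised in AD")
    }
    foreach ($srv in $dhcpServers) {
        $failover = @(Get-DhcpServerv4Failover -ComputerName $srv.DnsName -ErrorAction SilentlyContinue)
        if ($failover.Count -eq 0) {
            $findings.Add("DHCP server $($srv.DnsName) has no failover relationship; leases stop renewing while it is down")
        }
    }
}

if ($findings.Count -eq 0) { "No single point of failure found in AD, DNS or DHCP." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```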
-
@ajstringham said:
I've heard thin clients are kind of dead. Maybe I heard wrong, but VDI is more what people are doing now. In any case...
I think that you are confused as to these terms. Thin clients and VDI are not opposing concepts. All early and many current VDI implementations use thin clients. And VDI is in no way the "path forward." It has a place but remains an "only when other things are not an option."
Don't get caught in the VDI and Zero Clients everywhere hype. VDI is insanely expensive and an extremely niche solution for special cases. In enterprise where there is huge scale to make it pay off, VDI is starting to creep in more and more, but in the SMB, it has almost no place at all.
-
@thecreativeone91 said:
It's not about system load; it's about priority and potential downtime and loss of services to end users. Your DC is always your most important server once implemented in a network.
Quite often it is the least important, especially in an SMB.
-
Because AD and File Services are probably tightly coupled here, having them on the same VM makes sense. If you need to do a reboot, both go down and come back together. If there is a dependency of one on the other, which there is, then having them on separate VMs doesn't really help much.
I think that one Windows Server Standard license is adequate. Two VMs. Keep it simple.
-
If doing a single, stand-alone server, generally Hyper-V is the way to go because it supports backups whereas VMware ESXi does not.
-
So... one VM for AD/DNS/FS and one VM for SQL Server? That should work fine.
-
@scottalanmiller said:
@thecreativeone91 said:
It's not about system load; it's about priority and potential downtime and loss of services to end users. Your DC is always your most important server once implemented in a network.
Quite often it is the least important, especially in an SMB.
How small are we talking? If AD goes down and you have a content filter with AD integration, no one is getting out to the web. If you're talking a ma & pop shop, maybe. Anything much larger, it's highly important. It's been very important everywhere I've been. VPNs, web services, filters, etc. all using LDAP.
-
@thecreativeone91 Even 100 person SMBs rarely have AD integrated networking. That's extremely expensive and cumbersome (and risky) with little to no payoff. Not a place where SMBs are likely to spend money.
-
@scottalanmiller I'm more talking about 300-500 people; that's what I tend to call an average SMB.
-
@thecreativeone91 said:
@scottalanmiller I'm more talking about 300-500 people; that's what I tend to call an average SMB.
That's an extremely large SMB. The vast majority of SMBs are under 100 people. But even at 500, why would you spend money on AD integrated content filtering for an average business? What's the financial (business) benefit? That's pretty small to be doing that stuff.
But at 500 you'd have more than one server for lots of reasons.
But the average company when ALL companies are considered is far less than forty people. Take just the SMBs and that number drops quite a bit, obviously.
-
@scottalanmiller I guess it depends on the area. Around here most companies are either larger or part of another large company. There are very few successful small (under 100) companies - most are either failing or have already failed.
-
Most companies are failing. The vast majority of businesses will never see eight years. But I guarantee that there are tons and tons of small companies all around you that you just don't realize.
-
What resources we have are grossly mismanaged and poorly configured. There is no way I could ever 'fix' it in one weekend, or even one 'action'.
Some general Stats:
Two main business units: one organization, but comprised of different areas. We are a non-profit, so pricing isn't going to be an issue.
Between the two, there are roughly 300 to maybe 400 staff. Transportation has about 40 (including drivers); each program has about 15; admin staff is about 30 or so; teachers about 140-200 depending on the time of year.
One side runs Server 2003 with AD and Exchange, File and Print services: 200-250 users.
Other side is the big mess:
- Fiscal server - SQL Abilia MIP Fund accounting
- HR Server - Sage software
- Transportation server - SQL - Routematch (which is crap)
- WX server - FS - access db
- Shared server - FS
No AD, F&P services are running, email is being moved to O365, so reduction of services needed.
We have offices in nine counties, but only six or so persons per site. The idea behind the thin client is that documents in the remote offices are at risk. But the idea is to have an off-site backup as well. We have a few places to put it, so that's not a problem.
File and Print services aren't 'hogs', nor is AD, but I want to make sure that it's done right as opposed to the crap shot S&&) that's there now.
I figure, build an AD and FS box, then start pulling things in, setting up proper file shares and security. I have 2 boxes that could be just rebuilt and put back into service...
-
@g.jacobse Really, you don't like Routematch? I'm surprised; I've heard good things about it from school bus garages. I've never used it though.
-
@scottalanmiller said:
But even at 500, why would you spend money on AD integrated content filtering for an average business? What's the financial (business) benefit? That's pretty small to be doing that stuff.
What's expensive about it? Webroot web filtering includes AD integration in its basic offering, as does GFI's MailMax spam filtering. Do you mean the expense of securing your AD after exposing it to the internet?