I can give this answer from an SMB perspective. I feel like I am probably really close to the majority of SMB that try and deploy AD, specifically "because we already have it". In my implementation, we had two locations and two hosts initially, so it seemed a no brainer to use to DC's. However, I would guess that a lot of people that are setting up AD don't really know what AD even actually does. I have confused other things built into windows or NTFS with being AD simply because I manage the from my DC. I am talking about things like group policy, security groups, file permissions, etc. I would bet that the majority of SMB that deploy AD do so because they want to leverage these things and because owning windows servers gives them access to AD which is included.

With all that said, I know that AD's simplicity can be deceiving and there is a high chance that just because you have two DC, it doesn't mean that you have them configured correctly, I know that I don't.

How often does the real SMB actually have people that already know AD and what it actually does, and know that there are any other options in a windows ecosystem? I didn't even know I had a choice until recently.

what are you trying to actually accomplish? From what I understand, the synology HA is an active/passive system and it takes a long time to actually fail over. I say this having no personal experience, but I have researched it because I have 3 synology's. The general consensus seems to be that their HA should not be considered a business level protection and its performance compared to other proper HA solutions reflects this.

Is there some sort of jbod mode or something that is common for wanting a larger drive, giving up the performance of R0? Then, when a drive does fail, it only takes out that drive and not the whole shebang? Is that actually a thing in production use?

Wow. Why even let that go on? Why not just instaban?

@scottalanmiller maybe they should have HA?

I dont know about you guys, but I worry a lot more about accident stupidity than targeted attacks.

Where I work, I dont have control over my colleagues. I am sure most places suffer from those people that are just there to stay in their lane and keep the status quo, at least everywhere I have ever worked. This sometimes applies to department heads and those people that should be taking charge of things like training. Generally, I find myself training users on specific tasks that they need to do their job, but a lot of times it comes down to how to process a specific task within our ERP, or somehow relating to how they use the technology we provide. I dont train our estimators how to make an estimation, but I will show them how to enter that into our ERP, or show then where to put all related documents. In a company our size, if there is no one that will take charge and try and force some sort of consistency and order, there will be chaos. A great example is the idea of a classic file server, whether it is a NAS or something else. Without proper permissions and forethought, you will end up with multiple users trying to share the same resources in multiple ways, that are often mutually exclusive. It also doesnt help, when talking about training, that some 'department managers' or other mid level managers are not really managing as much as they are just the most senior person in that department. We have a lot of these types of managers where their workload is still doing the primary task of the department, instead of managing their workers who do the actual work. It makes it hard to have consistency for training, when no one seems to even have the time to train any properly, let along work up any training materials and document any procedures ahead of time. It pays off in the end when it happens, but its never an organic thing that happens, that's not how entripy works. This is one of the primary struggles for our company, and I have taken on some of this (not all of it mind you), possibly because I happen to be able to find a solution that fits our variables, and other people are not as well suited to the task.

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@jmoore said in Handling DNS in a Single Active Directory Domain Controller Environment:

We are still a long ways from this being universal. Is that kind of what you meant?

Good design will never be universal. Most networks, most admins, most software will always be bad. Nothing good becomes the norm, not how the world works.

the law of averages apply.

I am also a firm believer in the idea that I am being paid to solve problems. If the company really thinks that I need to be the one fixing the sink, they may have me do that. But in the end, I am valuable for way more than just IT. I get involved in high level business decisions because they value my input.

@dustinb3403 said in User Training Who is responsible:

@scottalanmiller So let me ask you this than.

In the world of not outsourced IT, do you believe that the IT personal should know how to use and operate every piece of software or hardware that a business has?

I believe that I should know everything about everything that is in my environment. This has a lot to do with my lack of trust in people, and that I need to know and understand it for myself. But I also believe that this is just an example of me going above and beyond and taking pride in my work. That being said, I do not know everything about all my things yet, nor is that really physically possible.

@scottalanmiller a few years ago we had a bolt strike the neighbors tree. You could taste the ozone in my house.

I havent watched any MCU or starwars movies since the first avengers. I plan on binge watching them in about a decade.

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

@phlipelder yes, that is probably the last piece I would need before I would switch to using reservations more. I have just never looked it up to make sure it was doable. I like the idea of reservations, but I would also want similar devices in similar parts of the scope for organizational purposes.

Basically, other than for your router and DHCP server, you never need static.

that's basically how I feel now. Now I've just got to change the 40 or so static that I currently have.

@phlipelder yes, that is probably the last piece I would need before I would switch to using reservations more. I have just never looked it up to make sure it was doable. I like the idea of reservations, but I would also want similar devices in similar parts of the scope for organizational purposes.

This is a tangent, but can you tell a DHCP reservation to use a particular IP in the scope? Like if it comes in with something random, you can make a reservation for that mac and then change the IP to something else and restart the device?

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

It's anecdotal, but I just had this happen a few weeks ago. In my case I had a host go down that had my AD VM on it. It took me while to get it all resolved, but that is because I had to physically remove my server from the rack to get access to the usb drive where ESXi was installed (we will be getting a new rack soon). DNS was probably the biggest hit because a lot of our internal services use the DNS name.

I'm guessing you'll be like me and updating DHCP to include the router's IP as DNS (assuming yours supports DNS) and having the router point to internal DNS before external. I'm really loving this idea.

So using this example, If the DHCP server (mine is on the AD VM) points first to the router, outside DNS still works if AD goes out. If the router goes down though, internal DNS wont work unless the internal DNS was listed second under DHCP. Does this make sense?

You point to AD first, router second. If the router goes down, you are down either way.

Then the router points to AD first, public second.

We recently had a router outage. I would still want internal DNS so we can still work from internal resources.

@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

It's anecdotal, but I just had this happen a few weeks ago. In my case I had a host go down that had my AD VM on it. It took me while to get it all resolved, but that is because I had to physically remove my server from the rack to get access to the usb drive where ESXi was installed (we will be getting a new rack soon). DNS was probably the biggest hit because a lot of our internal services use the DNS name.

I'm guessing you'll be like me and updating DHCP to include the router's IP as DNS (assuming yours supports DNS) and having the router point to internal DNS before external. I'm really loving this idea.

So using this example, If the DHCP server (mine is on the AD VM) points first to the router, outside DNS still works if AD goes out. If the router goes down though, internal DNS wont work unless the internal DNS was listed second under DHCP. Does this make sense?

@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

It's anecdotal, but I just had this happen a few weeks ago. In my case I had a host go down that had my AD VM on it. It took me while to get it all resolved, but that is because I had to physically remove my server from the rack to get access to the usb drive where ESXi was installed (we will be getting a new rack soon). DNS was probably the biggest hit because a lot of our internal services use the DNS name.

I'm guessing you'll be like me and updating DHCP to include the router's IP as DNS (assuming yours supports DNS) and having the router point to internal DNS before external. I'm really loving this idea.

I am not sure. I am in the process of reevaluating my entire network and willing to take suggestions. I think that there is a lot of inefficiency in our current system due mostly to inexperience.

It's anecdotal, but I just had this happen a few weeks ago. In my case I had a host go down that had my AD VM on it. It took me while to get it all resolved, but that is because I had to physically remove my server from the rack to get access to the usb drive where ESXi was installed (we will be getting a new rack soon). DNS was probably the biggest hit because a lot of our internal services use the DNS name.