I manage a shop of around 30 machines and 2 terminal servers (one production, one standby). Should I really deploy Active Directory in our network?

Are there any real benefits that could balance the existence of another AD server? Our Terminal Server is to run independently, with no other services on it except our corporate APP.

What great features am I missing if I still run it without AD?

Update: but are any of you running a successful shop without AD?

Nick Kavadias
s.mihai
  • How do you handle email and file-sharing? – tomjedrz May 27 '09 at 16:09
  • Email is being handled with a hosted email solution (also our web server is hosted), POP and SMTP, and access with Outlook Express. File-sharing is handled with a shared folder on the backup server (it's a hot backup; users just change the IP address of the server and then they connect to the backup system) – s.mihai May 27 '09 at 16:23
  • As mentioned below, does it really pay up to have another 2 servers as DC with the adjacent costs - hardware, licences, power??? – s.mihai May 27 '09 at 17:00
  • How do you handle user permissions with file sharing? you have 30 user accounts on the box? – Nick Kavadias May 28 '09 at 07:28
  • Yes. I have 30 accounts (the same ones used for the terminal server) and they all have the same rights on the folder. – s.mihai May 28 '09 at 08:14
  • So if a new person starts or someone quits, you need to go through all those machines manually and fix accounts? Or at least more than in one place? – Oskar Duveborn Aug 23 '09 at 09:13
  • You _can_ run your environment without a Domain, just as you _can_ flavor your coffee with Clorox. Neither are a good idea. More than a handful or two of computers without a Domain is what we like to call "The Hard Way", or as some may put it "Doing it wrong." You could use another directory protocol other than AD/LDAP, but AD/LDAP are powerful and by far the most common. – gWaldo Sep 13 '10 at 20:03

13 Answers

Using Active Directory brings a number of advantages to your network, a few I can think of off the top of my head:

  • Centralised user account management
  • Centralised policy management (group policy)
  • Better security management
  • Replication of information between DC's

Obviously these benefits also bring some overhead, and a good deal of work and time is needed to setup an AD environment, especially if you have an existing setup, however the benefits of the centralise management that AD brings are well worth it, in my opinion.

Sam Cogan
Some "drive-by" responses ...

1- If you are using Exchange for email, then AD is required. You likely are not using Exchange or you would know that, but I include it for those who may be considering this.

2- AD manages a "centralized authentication" system. You control users, groups, and passwords in a single place. If you don't have AD, you will likely have to set up your users separately on each terminal server, or have a generic user on each for access and use security in the application.

3- If you have other Windows servers, AD allows for straight-forward securing of resources on those servers in a single place (AD).

4- AD includes some other services (DNS, DHCP) which otherwise have to be managed separately. I suspect you may not be using them if the only Windows servers you have are the terminal servers.

5- Although not required, there is benefit to having the workstations in the domain. This allows for some (not comprehensive) single sign-on capabilities as well as significant control and management of the workstations through "group policies".
--> For instance, through GP you can control the screen saver settings, requiring that the screen saver lock the workstation after x minutes and requiring the password to unlock.

6- You might be a good candidate for Microsoft Small Business Server if you need email, file sharing, remote access and web serving.

I second the note about having two domain controllers. If you only have one DC and it fails, you are in for real pain getting access to things. It is (I believe) possible to have the terminal servers also be domain controllers, although I suspect many will not recommend it. In a small network like yours the DC workload will be insignificant, so it might work.
EDIT: in a comment s.mihai asked: "it's their interest to make us buy all we can. but can i be OK without AD ? local accounts, no exchange.... ?!"

Were I in your shoes, I would use the TS project as an excuse to add AD for the benefits, particularly on the workstations. But it sounds like your mind is made up and you want cover, so here it is.

ABSOLUTELY you can be OK without AD.

tomjedrz
  • Just on the spot. Having and maintaining AD would need another 2 servers, since running a DC on our TS is out of the question; last time I checked, setting up a DC would mean that PC would run rather slower, because of the disabling of caching, slower disk access and some other stuff I did not understand (I've talked about this with the makers of our corporate app running on TS) – s.mihai May 27 '09 at 16:57
  • I am skeptical, unless the TS hardware is underpowered already. I am going to ask! – tomjedrz May 27 '09 at 17:29
  • No, no need for cover, I was just wondering if it was really worth the cost and I'm making a balance. I didn't want to go with the idea: "if it works, why change it" – s.mihai May 27 '09 at 18:15
  • Upvoted for the final BOLD ASSERTION. – Joseph Kern Aug 26 '09 at 13:03
  • +1 to Joseph Kern - Thanks! It is not my recommendation, but it will work. – tomjedrz Aug 26 '09 at 19:59
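An added illustration of the group-policy point in item 5 of this answer (example code, not part of tomjedrz's answer or of any Microsoft tool): the screen saver policies under User Configuration > Administrative Templates > Control Panel > Personalization are written as plain registry values under the Policies hive, so a workstation can be audited from PowerShell to confirm an automatic lock is actually enforced. The 10-minute threshold is an assumption for the example. With AD these values arrive on every joined machine via GPO; without AD the second function has to be run on each of the 30 machines by hand, which is the management cost the answer is pointing at.

```powershell
# Added example (not from the original thread): audit and, as a per-machine fallback,
# set the screen saver lock policy. The registry path and value names are the ones
# the Personalization policies write; the 600-second threshold is an assumption.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Test-ScreenLockPolicy {
    param(
        [int]$MaxTimeoutSeconds = 600,
        [string]$Path = $PolicyPath
    )
    $result = [ordered]@{
        PolicyPresent  = $false
        Active         = $false
        PasswordLocked = $false
        TimeoutSeconds = $null
        Compliant      = $false
    }
    if (-not (Test-Path $Path)) {
        # No policy key at all: the settings are user-controlled, so nothing is enforced.
        return [pscustomobject]$result
    }
    $p = Get-ItemProperty -Path $Path
    $result.PolicyPresent  = $true
    $result.Active         = ($p.ScreenSaveActive -eq '1')       # "Enable screen saver"
    $result.PasswordLocked = ($p.ScreenSaverIsSecure -eq '1')    # "Password protect the screen saver"
    if ($p.ScreenSaveTimeOut) {                                  # "Screen saver timeout" (seconds, REG_SZ)
        $result.TimeoutSeconds = [int]$p.ScreenSaveTimeOut
    }
    $result.Compliant = $result.Active -and $result.PasswordLocked -and
                        ($null -ne $result.TimeoutSeconds) -and
                        ($result.TimeoutSeconds -le $MaxTimeoutSeconds)
    [pscustomobject]$result
}

function Set-ScreenLockPolicyLocally {
    # What you are stuck doing on every machine when there is no domain to deliver the GPO.
    param(
        [int]$TimeoutSeconds = 600,
        [string]$Path = $PolicyPath
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name ScreenSaveActive    -Value '1' -Type String
    Set-ItemProperty -Path $Path -Name ScreenSaverIsSecure -Value '1' -Type String
    Set-ItemProperty -Path $Path -Name ScreenSaveTimeOut   -Value "$TimeoutSeconds" -Type String
}

# Report the current state for the logged-on user.
Test-ScreenLockPolicy | Format-List
```

Run the audit as the interactive user whose policy you want to check; the GPO-delivered values and the locally written ones land in the same key, so the same test covers both cases.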
Off the top of my head:

  1. centralized user & security management and auditing
  2. computer group policies centralized
  3. software deployment (via GPO)

AD is also required for applications such as Exchange.

MS has a whitepaper just for you on this topic.

Nick Kavadias
  • +1, exact duplicate of what my answer was going to be. – squillman May 27 '09 at 15:45
  • We've all been indoctrinated by MS training! Good to see – Nick Kavadias May 27 '09 at 15:50
  • It's in their interest to make us buy all we can. But can I be OK without AD? Local accounts, no Exchange....?! – s.mihai May 27 '09 at 16:39
  • You can live without it, but do you want to? Not having it means more management work for you. At a minimum you'd require another Windows server license (your TS backup could also become an AD server for redundancy?). Small businesses tend to forget that labor is more expensive than software – Nick Kavadias May 28 '09 at 03:55
AD has many features that you may find very useful. The first of which is Centralized Authentication. All user accounts are managed in a single location. This means that you can use your credentials among any of the machines in the environment.

Another item this allows is better security for sharing resources. Security groups are very useful for targeting access to resources such as file shares.

Group policy allows you to enforce settings across a number of machines or users. This would allow you to set different policies for users logging into the Terminal servers vs users logging into their workstations.

If you set up your terminal servers properly and depending on the applications, the centralized authentication, access rights via Security Groups and GPO policies would allow you to utilize both Terminal servers in more of a clustered style than in your current setup where one is idle all of the time. This will allow you to scale up to more terminal servers (N+1 style) as the need for resources increases.

The downside is that you are only thinking about 1 Domain Controller. I strongly recommend 2. This ensures that you do not have a single point of failure for your Active Directory Domain.

As mentioned in several comments, cost is likely to be a significant factor here. If the original questioner has a fully working setup, it may be out of his budget to bring in the hardware and software required to stand up an Active Directory domain environment without an overwhelming case to justify the costs. If everything is working, AD is certainly not required for an environment to work. Those of us who have used it in corporate environments in the past, however, are very strong proponents. This is largely due to the fact that it makes the administrator's job much easier in the long run.

Kevin Colby
  • As mentioned in another comment, setting up 2 DCs and another 2 servers would not justify the money required for licences and hardware and power needed to run those 24/7 – s.mihai May 27 '09 at 16:59
  • I am skeptical that additional hardware is required. – tomjedrz May 27 '09 at 17:24
  • Hardware and software cost is certainly an issue. However he cannot have his terminal servers act as Domain Controllers due to the fact that users not in the Domain Admins group do not have rights to log into a Domain Controller. This would be a major security issue if it were not so. It is possible to grant login rights on the DC to other users but is Not Supported by Microsoft in my experience. – Kevin Colby May 27 '09 at 17:59
  • Even a Small Business Server makes use of AD, and for Terminal Services since SBS2008 it will now require 2 servers total. Microsoft's take on this is that even a single server with 5 users benefits from AD. I'd say you'd benefit from any global directory even in your own private home actually - it just doesn't HAVE to be AD, but I'd say you should use SOME global directory to be able to manage users and have a working audit trail around. And if you're already running Windows, then AD seems logical. – Oskar Duveborn May 28 '09 at 09:34
  • Even the Foundation Server which is almost free, 15 user "starter edition" of Windows Server uses AD - and that is meant for people who think SBS is too much. – Oskar Duveborn Aug 23 '09 at 09:14
I recently moved into a (relatively large / successful) shop without MS AD. Sure, you miss out on Microsoft/Windows Single Sign On, but there are other solutions for that such as Authentication Proxies (SiteMinder, WebSEAL etc.). As for Centralized user management, any LDAP (or SiteMinder) could be an option as well.

So yes, you can be a successful shop without (MS) AD, you just need to find the alternative.

kolonell
  • The only realistic alternative to MS AD is probably Samba with OpenLDAP. I still don't think you can beat MS on ROI even if the opensource alternative is free. A blind monkey can setup AD! – Nick Kavadias May 28 '09 at 07:32
  • Could you define "large shop"? Are we talking 100-1000 systems? Without GPO (through AD) you must have a ton of entropy (ie systems with different configurations). Do you currently use anything to replace AD (other than elbow grease)? Honestly, while running a windows network, I am too lazy NOT to run AD ... – Joseph Kern Aug 26 '09 at 13:02
  • To me it sounds like re-inventing a bicycle. What real alternative to AD are you using? – Taras Chuhay Nov 17 '09 at 13:57
  • Seems to me like the OP was just looking for someone to back his idea that AD isn't as useful as everyone makes it sound. There really isn't a mature replacement for a "large shop" though I guess large is subjective. – MDMarra Jul 13 '10 at 18:55
  • I won't go so far as to downvote this, but this doesn't answer the body of the question. He asked what benefits there are to AD, and there are many when properly used. Just because you can exist without XYZ Technology doesn't mean it's good business sense to do so. – Chris S Jul 13 '10 at 19:02
  • @Nick Kavadias: Who you callin' a blind monkey?? ;) – GregD Aug 15 '10 at 14:54
  • @Chris S - You wrote: "I won't go so far as to downvote this, but this doesn't answer the body of the question." At one point, this DID answer the body of the question, as did my earlier comments. However, the question was edited well AFTER those of us (which you've apparently been downvoting) answered his original question. – voltaire Sep 14 '10 at 23:16
  • @Voltaire: 1. I downvoted two "answers" in this question, and they weren't yours. 2. I can see all 8 edits to the question, and the body of the questions hasn't changed. 3. I stand by my earlier comment. 4. In my experience, most places "avoiding costly solutions" (like AD) spend more trying to replace it with something else. – Chris S Sep 15 '10 at 00:44
I think the bigger question is why not?

Are you leaving the User accounts separate for security? Do the users of each machine only use that machine?

If the same users need to use all the machines, AD will give them these benefits: if they log in to the domain they are trusted in all the places they and their groups are trusted. If they change their password, it is the same everywhere; they don't have to remember to change it on all 10 machines (or worse, forget it and need you to reset it for them every other week).

For you it gives the benefit of central/global control of permissions. If you have folders that have special permissions for groups and a new person is hired, you just add them to the group and you're done. You don't have to attach to each machine and create the same user over and over and set the permissions.

Also each user's machine will be in the domain, so can be controlled by the domain.

I think the biggest benefit is GPOs. When they log in to the domain you can send policies to their PC that can protect the security of your entire network.

That being said my office is small (about 15), and we have no official IT department. So we (over)use MS Groove as our Infrastructure, and have no AD or any central servers really; We are Laptop based.

John Christman
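As an added example of the group-based permission model this answer describes (example code, not from the answer or from any product documentation), the following PowerShell uses the ActiveDirectory module cmdlets that ship with RSAT. The folder ACL is granted once to a domain local security group; after that, a new hire or a leaver is a single group-membership change on the DC, and nothing is touched on the individual machines. The share path, OU, group name and user name are hypothetical placeholders.

```powershell
# Added example, not part of the original thread.
# Assumes: a domain-joined admin workstation with the ActiveDirectory module,
# rights to manage the OU and the share, and that the hypothetical paths exist.
Import-Module ActiveDirectory

$ShareRoot = '\\FILESRV01\Shared\Finance'        # hypothetical share path
$GroupName = 'ACL-Finance-Modify'                # hypothetical resource group (one group per permission level)
$OuPath    = 'OU=Groups,DC=example,DC=local'     # hypothetical OU for resource groups

function Ensure-ResourceGroup {
    param([string]$Name, [string]$Path, [string]$Description)
    # Domain local security group: the object that the ACL will name.
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security `
                         -Path $Path -Description $Description -PassThru
    }
    $g
}

function Grant-FolderToGroup {
    param([string]$Folder, [string]$GroupSam)
    # One-time step: the ACL on the folder names the GROUP, never individual users.
    $netbios = (Get-ADDomain).NetBIOSName
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$GroupSam",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)    # replaces any existing Allow rule for that identity
    Set-Acl -Path $Folder -AclObject $acl
}

function Grant-UserAccess {
    param([string]$SamAccountName, [string]$GroupSam)
    # Day-to-day step for a new hire: one membership change, no per-machine work.
    Add-ADGroupMember -Identity $GroupSam -Members $SamAccountName
}

function Revoke-UserAccess {
    param([string]$SamAccountName, [string]$GroupSam)
    # Leaver: remove from the group, and disable the account so every domain
    # machine stops accepting the credential at the same time.
    Remove-ADGroupMember -Identity $GroupSam -Members $SamAccountName -Confirm:$false
    Disable-ADAccount -Identity $SamAccountName
}

$group = Ensure-ResourceGroup -Name $GroupName -Path $OuPath -Description "Modify rights on $ShareRoot"
Grant-FolderToGroup -Folder $ShareRoot -GroupSam $group.SamAccountName
Grant-UserAccess -SamAccountName 'jdoe' -GroupSam $group.SamAccountName   # hypothetical new hire
# Revoke-UserAccess -SamAccountName 'jdoe' -GroupSam $group.SamAccountName  # when they leave
```

The design point is that the ACL is written once and the group is the only thing that changes afterwards; the same pattern scales from 30 users to the N+1 terminal server setup mentioned elsewhere in this thread without touching the file server again.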
In my opinion one of the biggest is single sign-on. While it sounds like your end users probably don't notice, it certainly is a nice thing from an admin standpoint. You only have one password to keep track of, and when it comes to changing it you only have to do it in one spot, not 32. There are loads of things you can do to manage your environment if you're not afraid of scripting.

sysadmin1138
  • Especially if you want users to change their passwords every so often. This is the main reason we've changed to AD. – Peter Turner May 27 '09 at 16:44
  • Well... that's not good enough for us. We do not have any users that roam around our facility, and regarding new users... we have steady personnel (not many coming/going in or out of our company) – s.mihai May 27 '09 at 16:53
  • if you're only after single-signon, you might as well get a significantly cheaper LDAP solution instead. – gbjbaanb May 28 '09 at 11:00
  • Will anything but AD integrate with your C+A+D credentials? – JamesR Aug 26 '09 at 13:55
The benefit of foregoing AD is obviously cost.

AD benefits boil down to 2 factors, if you don't care about them, the answer is "No".

  • Centralized management: of users, computer accounts, lots, automatic updates, software deployment, group policy etc. (Lest I oversimplify this, be sure you understand the effects of "thinking small" in fundamental matters. A single example: 30 static IP addresses is maintainable. How about 100? 256?)
  • Expansion foundation: 2 AD controllers seems excessive (though still necessary) for a network of 30, but they're sufficient for 1000-1500 users, I believe? Set up properly, AD doesn't need to be altered until you get much larger.

I think the best advice is to peruse the active directory tag here on SF as it fills out - to see if you can spot enough features (e.g. Hyper V with 2008 server) that'll benefit your shop to make the purchase worthwhile.

Kara Marfia
  • I disagree that two DCs for any Domain-worthy network (more than 5-10 computers, IMHO) could ever be excessive. The second that it's worth having a DC, it's worth having two. – gWaldo Sep 13 '10 at 20:20
  • You're right - it's hard to believe that I ever used to feel safe with just one. ;) – Kara Marfia Sep 13 '10 at 22:00
All good answers here. I'll put my thumbs up for having two domain controllers as well. In a small environment even putting both of them as VMs on the same piece of hardware would be - OK. Someone can probably chime in on this more authoritatively, but if you use MS Hyper-V (Server 2K8) as the host you may have some OS licensing benefits?

Having Single Sign On (SSO) / unified authentication will save you so much work creating accounts and setting folder permissions all over the place. Of course putting AD in place and adding the systems & users to the domain will take some effort.

Jeff

Jeff Hengesbach
You need centralized authentication and management if you intend to grow this environment at all. Even if you don't intend to grow the environment, you'll see very real time savings in day to day operation by implementing centralized authentication and authorization now.

If it's a Windows environment, AD is the easy, but costly fix. If cost is the sticking point for AD, then implement Samba.

It will seem harder at first, but you'll get used to the tools and you'll look back and wonder how it wasn't completely obvious to you that you needed to do this.

Brian
You DO NOT need AD.*

Large law firm. We've ranged from ~103 to ~117 users, with 4 sites in 3 states for the last 2 years, with turnover of interns and clerks. We run the entire firm with 1 server box for domino/notes and accounting, a couple of dedicated w2k8 servers for specialty software, about 5 or 6 dedicated generic windows boxes for various apps and... 2 linux boxes for all file server needs and backup, plus a 3rd box for a firewall. It all runs like the energizer bunny, and we haven't had many issues with vendors or software.

* But you may get it anyway. Microsoft intends that you WILL join the collective, and apart from migrating off Windows altogether, you're pretty much destined to end up with AD in the long run.

voltaire
  • Huh, what is it with law firms and Lotus Domino/Notes? Almost every one I've seen uses it... – SilentW Sep 13 '10 at 21:45
  • It was the "right solution" at the time, so it got widely adopted, became mainstream and then turned into a boat anchor that no one loved any more. It's pretty much how technology always goes... – voltaire Sep 14 '10 at 20:47
For 30 machines? It's entirely optional.

I manage several big locations (30~125 systems/workstations per location on average) running without AD using Samba and batch/autoit scripts. They work fine, and apart from the odd software update breaking things, have been trouble free.

voltaire
  • Wow, that answer has changed a lot over the revisions... – Chris S Sep 13 '10 at 19:29
  • @Chris S - heh, yup. I noticed that as well. – EEAA Sep 14 '10 at 00:11
  • If I could remove the comment, I would. I am not a big fan of AD, and use it only as needed. The wording of the original question was eventually changed, making my answer (and another's) off-topic and, worse yet, worthy of big negative votes from people who see AD as the only solution; hence I pulled the no-longer-applicable alternatives and rhetoric. I am not a troll; so if my answers are so useless as to warrant marking as wrong, they should simply be deleted. – voltaire Sep 14 '10 at 20:39
  • The original question was basically: Do I really need it? – voltaire Sep 14 '10 at 20:52
Reasons to use Active Directory

  1. Protected user security group
  2. Centralized user account management
  3. Centralized policy management through group policies objects
  4. Additional managed services
  5. Better security management
  6. Profile replication
  7. Authentication policies
  8. AD recycle bin
  9. CAL activation
  10. Patch distribution
  11. AD web services
  12. Password reset
  13. Single sign on
  14. Two factor authentication
  15. Directory consolidation
  16. Application directory partitions
  17. Universal group caching
  18. Hybrid profile login
  19. Scalability without complexity
  20. Powerful development environment
  21. Session duplications

I successfully ran a system without Active Directory; however, you need to compensate for the demands through alternative tools. I switched over to AD at about 150 users in three different organizations.

LJones