
My company is considering implementing Active Directory and Windows Server to manage our local network and workstations. The main benefits sought are central management of machines, security policies, and roaming profiles.

When using Windows Server for these purposes, does it ever make sense to run Windows Server from the cloud (i.e. Rackspace), or must it always be run locally?

Eric

3 Answers


Roaming user profiles are going to be painful to use via the Internet. Any significant number of files in folders (which the AppData folder is notorious for having) is going to cause painful delays in profile synchronization during logon and logoff. Due to the way profiles are copied (file for file) latency will impact this, though as long as you're using SMBv2 the latency won't have as large an effect as it would on SMBv1 clients.

You're also going to see potentially long boot and logon times relating to the application of Group Policy if the latency between your computers and your domain controller is significant. There are a lot of round-trips during the Group Policy application process. Latency is going to be the killer on this, not bandwidth.

The last few users who logged-on recently will be able to logon to a client computer even w/o Internet connectivity (provided you leave the default cached credentials settings in clients alone). If you have users moving around between machines or attempting to logon to computers they've never used before (a "hot desk" environment, more users than computers, etc) then you might see problems with logon in times when the Domain Controller computer isn't reachable.

I've gotten a number of requests recently from people on the 'net to have me help them with this kind of thing and, frankly, I don't understand the payoff, considering that you already have PCs attached to a LAN. (I could, potentially, see a payoff in a company that is "born" in a totally geographically distributed fashion, but that's a whole different rant.)

The amortized cost of a small server computer and Windows licenses over, say, a 3 year lifetime should be vastly less than the sum of the aggregate expense for hosting a server in the "cloud" over the same time period. You'd either need to pay the "cloud" provider, a contractor, or an employee for Active Directory and server administration in any situation, so "the cloud" doesn't magically make that expense go away.

There's also backup and disaster recovery to worry about. Just because the server is in "the cloud" doesn't mean it's backed up and, if it is, that doesn't mean those backups are geographically distributed and stored offline. Finally, there's the whole security concern associated with having your Active Directory sitting outside your firewall where you may not have as granular control of network filtering policies, and certainly a much higher chance for denial of service attacks.

Personally, I'd rather have a low cost server computer sitting on my LAN and a VPN (DirectAccess, preferably) for clients to use while off-site than having the server off-site. I'd feel a lot more comfortable storing a reasonable quantity of data locally than in "the cloud" (using "the cloud" for backup, versus primary storage, isn't what I'm talking about here).

For comparison's sake: I'd expect a low-end Dell 1U rack mountable server w/ a pair of small (250 - 500GB) SATA or nearline SAS drives in a RAID-1 configuration and with a 3 year next-business-day warranty, running Windows Small Business Server Essentials 2011, to cost somewhere in the vicinity of $2,250.00 to $2,500.00.

At $3,000.00 (building in a little "fudge factor") that gives a monthly amortized expense of $83.33 to purchase the machine and the software and run it for the life of its warranty.

Edit:

Using a simple word like "cloud" as a kind of "magic pixie dust" seems to make people forget the complexity associated with hosting server computers. When you outsource your reasonably simple small office server to a "cloud provider" you're causing your simple small office server to become a much more complex offering (assuming the hosting provider is taking advantage of an economy of scale and leveraging their hardware and network connectivity across their entire Customer base). Your needs stay the same when you outsource that server to "the cloud", but the provider shoulders the burden of making a much more complex system than a small office server work to keep your needs met. You get all the advantages of a small office server combined with all the risks of a large distributed system!

Whenever I read "the cloud" in marketing literature I substitute a phrase for those words. When I read "Hosting our email in the cloud", for example, I really see "Hosting our email in servers reachable over a network with unpredictable latency and bandwidth and no guarantee on connectivity, in a physical environment I don't control, on hardware of unknown quality or maintenance, that could potentially become inaccessible at any time based on the whims of others."

Evan Anderson
  • "logon to clients w/o Internet connectivity" - only if the same small group of people use a given machine. If it's a big bank branch (example), where a teller might be on any of a dozen machines over the course of a day, that could become a problem. Call centers are another type of business that this would be a problem for. – mfinni Feb 06 '12 at 18:19
  • @mfinni: True. I'm making a big assumption that the same users are logging-on. In some environments, as you describe, that would be a faulty assumption (and a killer problem). – Evan Anderson Feb 06 '12 at 18:22
  • +1 "in the cloud" phrase substitution. Cloud computing is a fad driven by marketing people so they can sell their services to clueless managers who don't realize the drawbacks. – Bigbio2002 Feb 07 '12 at 17:28
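The answer above names three concrete failure modes for a remote domain controller: round-trip latency during Group Policy processing, roaming profile copies, and the cached-credential limit when the DC is unreachable. The script below is an added diagnostic (not code from the answer or its author) that measures those three things on a domain-joined Windows client. The 50 ms warning threshold is an assumption, not a Microsoft figure, and the Group Policy timing is scraped from the English event text of events 8000/8001 in the GroupPolicy operational log, so it will return nothing on a localized system.

```powershell
# Added diagnostic script; not part of the original answer.
# Run in an elevated PowerShell session on a domain-joined Windows client.
# Reports: (1) RTT to the DC that authenticated this session,
#          (2) the CachedLogonsCount headroom for offline logons,
#          (3) elapsed seconds of the most recent Group Policy boot/logon passes.

function Get-RemoteDcRisk {
    [CmdletBinding()]
    param(
        # Assumed threshold (ms): above this average RTT, expect slow GP and profile handling.
        [int]$LatencyWarnMs = 50,
        [int]$Samples = 10
    )

    $dc = $env:LOGONSERVER
    if (-not $dc) { throw 'No LOGONSERVER in the environment; log on with a domain account.' }
    $dc = $dc.TrimStart('\')

    # 1. Latency to the logon DC via ICMP echo. The per-reply property is
    #    ResponseTime on Windows PowerShell 5.1 and Latency on PowerShell 7.
    $pings = Test-Connection -ComputerName $dc -Count $Samples -ErrorAction Stop
    $prop  = if ($pings[0].PSObject.Properties['Latency']) { 'Latency' } else { 'ResponseTime' }
    $rtt   = $pings | Measure-Object -Property $prop -Average -Maximum

    # 2. Cached logon headroom. The value is REG_SZ; when absent Windows uses 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $cached = if ($null -eq $cached) { 10 } else { [int]$cached }

    # 3. Group Policy processing time. Events 8000 (boot) and 8001 (user logon)
    #    end their message with "... in N seconds"; the regex pulls out N.
    $gpSeconds = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 8000, 8001
        } -MaxEvents 10 -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'in (\d+) seconds') { [int]$Matches[1] }
        }

    [pscustomobject]@{
        LogonServer        = $dc
        AvgRttMs           = [math]::Round($rtt.Average, 1)
        MaxRttMs           = $rtt.Maximum
        LatencyWarning     = ($rtt.Average -gt $LatencyWarnMs)
        CachedLogonsCount  = $cached
        GpPassSecondsLast  = @($gpSeconds)[0]
        GpPassSecondsWorst = ($gpSeconds | Measure-Object -Maximum).Maximum
    }
}

Get-RemoteDcRisk | Format-List
```

Run it from a few workstations at the office (and over the VPN, if you have one) before deciding where the DC lives: if the average RTT to the logon server is already tens of milliseconds on the LAN, the hosted option will only be worse, and a CachedLogonsCount of 10 is only useful if fewer than ten distinct users ever touch that machine, which is exactly the hot-desk caveat raised in the comments.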

You can do this. Were I you, I would only do this if :

  1. You had no need for local servers, at all.
  2. Your internet connection was rock-solid.
mfinni
  • And fast.. Roaming profiles + remote AD servers + slow links are terrible. – Tim Brigham Feb 06 '12 at 18:01
  • Are there any obvious limitations that would come with doing it in the cloud, other than losing computer access when the net goes down? We have a 25mbit link, fwiw. – Eric Feb 06 '12 at 18:02
  • Ooh, I missed "roaming profiles." That means "My Documents", "My Music", IE cache, downloaded Java apps, and every other piece of junk is going to have to go up and down that pipe, unless you restrict it so far as to be useless. That's a big reason not to put your AD servers in the cloud, if roaming profiles is one of your goals. – mfinni Feb 06 '12 at 18:17
  • normal AD site design would be to have a DC per site, but colocating the PDC in a datacenter should be fine. – Ablue Feb 07 '12 at 10:44
  • @Ablue: There are no "PDC" computers in Active Directory. There is a computer that holds a special "role", the "PDC Emulator", but all copies of the Active Directory in a given domain are equal copies (though some may be "read-only"). No domain controller's copy of Active Directory is somehow "primary". – Evan Anderson Feb 11 '12 at 00:24

I don't see any problem with this, but you should have a peered DC at each site. Having the PDC on a VPS may actually make a lot of sense (better SLA than locally hosted servers). I think you will want to have everything over a secure channel, some sort of IPSEC VPN. Make sure you consider AD Site configuration.

Use DFS for roaming profiles and/or replication of common files.

Having done the above there is no need for a fast internet link.

Ablue
  • Disagree with your specifics. The holder of the PDCe FSMO role (which is not the PDC - please enter this century) would be the last thing you'd want to put in a DC, since it's also the SNTP server for the domain. – mfinni Feb 07 '12 at 12:52
  • SNTP? That is a pretty rubbish objection. NTP clients on the domain by default use the domain architecture to adjust time, this is according to AD SaS, so when this is configured correctly the site DC will provide NTP. Also FSMO roles don't really enter into the equation, PDC is a term universally identified as a primary domain controller. – Ablue Feb 07 '12 at 14:22
  • 1. Thanks for correcting my misassumption (or possibly old knowledge) about SNTP distribution within a domain. You're correct, client machines will get NTP from their login DC, which will get it from the PDCe role holder. I thought that all machines synced from the PDCe. – mfinni Feb 07 '12 at 14:29
  • 2. What do you mean "FSMO roles don't enter into the equation" ? PDCe *is* a FSMO role. Given that AD is a multi-master system, there is no longer an actual PDC, except for downlevel clients. I'm nitpicking a little, but it is an important distinction. – mfinni Feb 07 '12 at 14:30
  • 2: Yeah, PDC emulation is for legacy systems, but assuming the colocated DC holds all the FSMO roles (I commonly call that a PDC) it shouldn't matter. I would still place all FSMO role holding domain controllers in colocation and let the branches/sites have lower end servers. I guess it could cause some confusion calling the FSMO role holder a PDC, but I guess it is just habit. – Ablue Feb 07 '12 at 14:41
  • Yes, I am trying to correct your 11-years-out-of-date bad habit :-) Like I said, I'm being nitpicky, but when you make mistakes like that, you risk swamping the correct and important things in your statements. – mfinni Feb 07 '12 at 14:44
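The answer and its comment thread turn on two things worth verifying rather than assuming: that AD site configuration actually steers each client to a DC in its own site, and that the time hierarchy (clients follow their logon DC, DCs follow the PDC emulator) ends at a real time source on the PDCe. The script below is an added check (not code from the answer or the commenters) for a domain-joined machine with the RSAT ActiveDirectory module and rights to query w32tm on the domain controllers. The nltest field names it parses ("DC", "Dc Site Name", "Our Site Name") are from the English DSGETDC output.

```powershell
# Added check; not part of the original answer or the comments.
# Assumes: domain-joined machine, RSAT ActiveDirectory module installed,
# and permission to run "w32tm /query" against the PDC emulator remotely.
Import-Module ActiveDirectory

function Test-AdSiteAndTimeHierarchy {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)

    # DC locator view: which site does this client think it is in, and which
    # site is the DC it found in? A mismatch means the client's subnet is not
    # mapped to a site with a DC, so logons go over the WAN regardless of design.
    $dsgetdc = & nltest /dsgetdc:$Domain 2>&1
    $locator = [ordered]@{}
    foreach ($line in $dsgetdc) {
        if ($line -match '^\s*(DC|Dc Site Name|Our Site Name):\s*(.+?)\s*$') {
            $locator[$Matches[1]] = $Matches[2]
        }
    }

    # "A peered DC at each site" is only true if every defined site has one.
    $dcsBySite = Get-ADDomainController -Filter * -Server $Domain |
        Group-Object Site |
        ForEach-Object { [pscustomobject]@{ Site = $_.Name; DCs = @($_.Group.HostName) } }

    $sitesWithoutDc = Get-ADReplicationSite -Filter * -Server $Domain |
        Where-Object { $_.Name -notin $dcsBySite.Site } |
        Select-Object -ExpandProperty Name

    # Time hierarchy: the PDCe is the root for the domain, so it must sync from
    # an external source. "Local CMOS Clock" / "Free-running System Clock" there
    # means the whole domain drifts together until Kerberos skew breaks logons.
    $pdce         = (Get-ADDomain -Server $Domain).PDCEmulator
    $pdceSource   = (& w32tm /query /source /computer:$pdce 2>&1) -join ' '
    $clientSource = (& w32tm /query /source 2>&1) -join ' '

    [pscustomobject]@{
        LocatedDc          = $locator['DC']
        ClientSite         = $locator['Our Site Name']
        DcSite             = $locator['Dc Site Name']
        SiteMismatch       = ($locator['Our Site Name'] -ne $locator['Dc Site Name'])
        DcsPerSite         = $dcsBySite
        SitesWithoutDc     = @($sitesWithoutDc)
        PdcEmulator        = $pdce
        PdceTimeSource     = $pdceSource
        PdceUsesLocalClock = ($pdceSource -match 'Local CMOS Clock|Free-running System Clock')
        ClientTimeSource   = $clientSource
    }
}

Test-AdSiteAndTimeHierarchy | Format-List
```

If SiteMismatch is true or SitesWithoutDc is non-empty, the "DC per site" design in the answer exists only on paper and the branch clients are authenticating across the link. If PdceUsesLocalClock is true, fix that before moving the FSMO role holder anywhere, because a PDCe in a colocation facility with no reachable external time source is the failure mode the comment about SNTP was getting at.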